
SNMP Packet Analysis

Tran Phuoc Nguyen


pn.tran2012@gmail.com

SNMP packet trace using Wireshark

Ethernet Frame

Example of SNMP message

Basic Encoding Rules


Used to transmit data between systems whose native data encodings differ.
Every value is sent as three fields:
Type
Length
Value
so BER is also called Type-Length-Value (TLV) encoding. The Length counts only the octets of the Value, not the Type and Length octets themselves, and a Value may in turn contain further TLVs (a Sequence). Lengths below 128 fit in a single octet (short form); longer values use a first length octet of 0x80 plus the number of length octets that follow (long form).

Basic Encoding Rules: Data Type

Tag octets (the Type field) that appear in this trace:
  02  Integer             version, request ID, error status, error index
  04  Octet String        community
  05  Null                placeholder value in a request
  06  Object Identifier   the variable name
  30  Sequence            the message, the variable-binding list, each variable binding
  A0  GetRequest PDU      context-specific class, constructed, tag 0
      (the other SNMPv1 PDU tags are A1 GetNextRequest, A2 GetResponse, A3 SetRequest, A4 Trap)

Example of Ethernet Encoding

Hex dump of the captured frame, 87 bytes: 14-byte Ethernet header, 69-byte IP datagram, 4-byte FCS.

0000  00 00 A3 E0 53 16 00 A0 24 70 C2 B7 08 00 45 00
0010  00 45 1A 03 00 00 1E 11 72 8B C0 09 C8 02 C0 09
0020  C8 04 04 00 00 A1 00 31 7E 18 30 27 02 01 00 04
0030  06 70 75 62 6C 69 63 A0 1A 02 02 0F A4 02 01 00
0040  02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 03
0050  00 05 00 00 0A 00 7E

Ethernet Header (14 bytes) + FCS (4 bytes)
  00 00 A3 E0 53 16      destination MAC
  00 A0 24 70 C2 B7      source MAC
  08 00                  EtherType 0x0800 = IPv4
  00 0A 00 7E            FCS, the last 4 bytes of the frame

IP Header (20 bytes)
  45                     version 4, header length 5 x 4 = 20 bytes
  00                     type of service
  00 45                  total length = 69 bytes (20 IP + 49 UDP)
  1A 03                  identification
  00 00                  flags / fragment offset
  1E                     TTL = 30
  11                     protocol 17 = UDP
  72 8B                  header checksum (verifies)
  C0 09 C8 02            source 192.9.200.2
  C0 09 C8 04            destination 192.9.200.4

UDP Header (8 bytes)
  04 00                  source port 1024
  00 A1                  destination port 161 (snmp)
  00 31                  length = 49 bytes (8 UDP + 41 SNMP)
  7E 18                  checksum over pseudo-header, header and data (verifies)

SNMP Data (41 bytes)
  30 27 02 01 00 04 06 70 75 62 6C 69 63 A0 1A 02 02 0F A4
  02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 03 00 05 00

SNMP Data: decoding the 41 octets

Each line is one TLV; indentation shows nesting, and every Length counts only the octets of its own Value.

Sequence         30 27                            0x27 = 39 octets: the whole SNMPv1 message
  Integer        02 01 00                         version = 0 (SNMPv1)
  String         04 06 70 75 62 6C 69 63          community = "public" (6 octets)
  PDU            A0 1A                            0xA0 = 1010 0000: class 10 (context-specific), bit 6 = 1 (constructed), tag 0 = GetRequest; 0x1A = 26 octets
    Integer      02 02 0F A4                      Request ID = 0x0FA4 = 4004
    Integer      02 01 00                         Error status = 0 (noError)
    Integer      02 01 00                         Error index = 0
    Sequence     30 0E                            variable-binding list, 0x0E = 14 octets
      Sequence   30 0C                            one variable binding, 0x0C = 12 octets
        Object   06 08 2B 06 01 02 01 01 03 00    OID 1.3.6.1.2.1.1.3.0 (sysUpTime.0); the first octet 0x2B = 40 x 1 + 3 packs the first two arcs
        Null     05 00                            no value yet: a GetRequest carries only the name

Octet counts tie the layers together: 2 + 39 = 41 SNMP octets; UDP length 0x31 = 49 = 8 + 41; IP total length 0x45 = 69 = 20 + 49.

The community string is the only credential in SNMPv1 and it travels unencrypted, so anyone who can read this frame can issue the same requests against the agent (and Set requests too, if "public" also grants write access).
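As an added example that is not part of the original slides, the following Python decoder applies the Type-Length-Value rules from the Basic Encoding Rules slide to the captured frame and walks it layer by layer exactly as the decoding above does: Ethernet, IP (header checksum verified), UDP (checksum verified over the RFC 768 pseudo-header) and the SNMPv1 message down to the variable binding. FRAME is the 87-byte capture reproduced from the hex dump; the long-form length handling, the bounds checks and the multi-octet OID sub-identifiers go beyond what this small packet exercises.

```python
import struct

# FRAME: the 87-byte capture from the slides (Ethernet header through FCS);
# the FCS itself is not verified here.
FRAME = bytes.fromhex("""
00 00 A3 E0 53 16 00 A0 24 70 C2 B7 08 00 45 00
00 45 1A 03 00 00 1E 11 72 8B C0 09 C8 02 C0 09
C8 04 04 00 00 A1 00 31 7E 18 30 27 02 01 00 04
06 70 75 62 6C 69 63 A0 1A 02 02 0F A4 02 01 00
02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 03
00 05 00 00 0A 00 7E
""")
# SNMPv1 PDU tags: context-specific class (bits 10), constructed (bit 6), tag 0..4.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd tail zero-padded).
    Over a header that already carries its checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ber_read(buf: bytes, pos: int):
    """Read one Type-Length-Value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and definite long-form lengths and refuses any length
    that runs past the buffer, so a forged length cannot cause an over-read."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x80 | number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length %d exceeds the buffer" % length)
    return tag, buf[pos:pos + length], pos + length

def ber_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)

def ber_oid(value: bytes) -> str:
    """Sub-identifiers are base-128 with the high bit set on all but the last
    octet; the first one packs two arcs as 40*X + Y (0x2B = 43 = 1.3)."""
    if not value or value[-1] & 0x80:
        raise ValueError("OID ends inside a sub-identifier")
    subids, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    x = 2 if subids[0] >= 80 else subids[0] // 40
    return ".".join(map(str, [x, subids[0] - 40 * x] + subids[1:]))

def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> SNMPv1 and return the decoded fields."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = ip[12:16], ip[16:20]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)   # RFC 768 pseudo-header
    snmp = udp[8:ulen]
    tag, msg, end = ber_read(snmp, 0)
    if tag != 0x30 or end != len(snmp):
        raise ValueError("SNMP message is not exactly one SEQUENCE")
    _, ver, pos = ber_read(msg, 0)
    _, community, pos = ber_read(msg, pos)
    pdu_tag, pdu, _ = ber_read(msg, pos)
    if pdu_tag == 0xA4:
        raise ValueError("Trap PDU has a different field layout")
    _, rid, pos = ber_read(pdu, 0)
    _, err_status, pos = ber_read(pdu, pos)
    _, err_index, pos = ber_read(pdu, pos)
    _, vbl, _ = ber_read(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):                  # each varbind: SEQUENCE { OID, value }
        _, vb, pos = ber_read(vbl, pos)
        _, oid, off = ber_read(vb, 0)
        vtag, val, _ = ber_read(vb, off)
        varbinds.append((ber_oid(oid), vtag, val))
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport,
        "udp_checksum_ok": inet_checksum(pseudo + udp[:ulen]) == 0,
        "version": ber_int(ver),
        "community": community.decode("ascii", "replace"),   # cleartext on the wire
        "pdu": PDU_NAMES.get(pdu_tag, "0x%02X" % pdu_tag),
        "request_id": ber_int(rid), "error_status": ber_int(err_status),
        "error_index": ber_int(err_index), "varbinds": varbinds,
    }

if __name__ == "__main__":
    print(decode_frame(FRAME))
```

Running it against FRAME yields version 0, community "public", a GetRequest with request ID 4004 and a single binding of 1.3.6.1.2.1.1.3.0 to Null, with both checksums valid. The bounds check in ber_read is the part worth copying: SNMP agents and trap collectors have repeatedly been broken by trusting a BER length, and the same reader refuses the indefinite-length form (0x80) that BER allows but SNMP does not.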
Object Identifier tree for 1.3.6.1.2.1.1.3 (iso.org.dod.internet.mgmt.mib-2.system.sysUpTime)

0 ITU-T
1 ISO
    0 STD
    2 member-body
    3 ORG
        6 DoD
            1 Internet
                1 Directory
                2 Mgmt
                    1 MIB (MIB-I / MIB-II)
                        1 System
                            1 sysDescr
                            2 sysObjectID
                            3 sysUpTime
                            4 sysContact
                            5 sysName
                            6 sysLocation
                        2 Interfaces
                        3 Addr. Trans.
                        4 IP
                        5 ICMP
                        6 TCP
                        7 UDP
                        8 EGP
                3 Experimental
                4 Private
2 joint-iso-itu-t

The trailing .0 in 1.3.6.1.2.1.1.3.0 is the instance suffix: scalar objects such as sysUpTime have exactly one instance, always numbered 0.
Object type description (MIB-II)

OBJECT-TYPE MACRO ::=
BEGIN
    TYPE NOTATION ::= "SYNTAX" type (TYPE ObjectSyntax)
                      "ACCESS" Access
                      "STATUS" Status
                      "DESCRIPTION" value (description DisplayString) | empty
    VALUE NOTATION ::= value (VALUE ObjectName)
    Access ::= "read-only" | "read-write" | "write-only" | "not-accessible"
    Status ::= "mandatory" | "optional" | "obsolete" | "deprecated"
    DisplayString ::= OCTET STRING (SIZE (0..255))
END

Object description: sysUpTime

sysUpTime OBJECT-TYPE
    SYNTAX  TimeTicks
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "The time (in hundredths of a second) since the
        network management portion of the system was
        last re-initialized."
    ::= { system 3 }

TimeTicks is an unsigned 32-bit counter of hundredths of a second, so the value wraps after about 497 days; a monitoring system that compares uptimes must allow for the wrap.
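The two sides of the exchange, as an added example that is not part of the original slides: minimal BER encoders (Integer, Octet String, Object Identifier, Null, Sequence and the context-specific PDU tag) that rebuild the 41-byte GetRequest from the capture byte for byte, then build the GetResponse (tag A2) an agent would return, carrying sysUpTime as TimeTicks (tag 0x43, since TimeTicks is [APPLICATION 3] IMPLICIT INTEGER in RFC 1155). CAPTURED_REQUEST is copied from the SNMP Data of the trace; the uptime of 123456 ticks in the response is a constructed value. The length and OID encoders also handle the long-form and multi-octet cases that this small packet never needs.

```python
# CAPTURED_REQUEST: the 41 SNMP octets from the trace on the slides.
CAPTURED_REQUEST = bytes.fromhex(
    "30 27 02 01 00 04 06 70 75 62 6C 69 63 A0 1A 02 02 0F A4 02 01 00 "
    "02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 03 00 05 00")

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific, constructed, tags 0 and 2
TIMETICKS = 0x43                          # [APPLICATION 3] IMPLICIT INTEGER (RFC 1155)
NULL = b"\x05\x00"                        # NULL TLV: tag 05, length 00

def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, else 0x80 | count, then count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def enc_int(n: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER. With tag 0x43 it encodes TimeTicks,
    whose 32-bit values at or above 2^31 need a leading zero octet."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, n.to_bytes(size, "big", signed=True))

def enc_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*X + Y, then base-128
    sub-identifiers with the high bit set on every octet but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("bad OID prefix: " + dotted)
    out = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(pdu_tag: int, request_id: int, varbinds, community: str = "public",
                 version: int = 0, error_status: int = 0, error_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version, community, PDU }; varbinds are
    (dotted OID, already-encoded value TLV) pairs."""
    vbl = b"".join(tlv(0x30, enc_oid(oid) + val) for oid, val in varbinds)
    pdu = (enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
           + tlv(0x30, vbl))
    return tlv(0x30, enc_int(version) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def build_request() -> bytes:
    """Manager side: GetRequest for sysUpTime.0 with request ID 4004, as captured."""
    return snmp_message(GET_REQUEST, 4004, [("1.3.6.1.2.1.1.3.0", NULL)])

def build_response(uptime_ticks: int) -> bytes:
    """Agent side: same request ID and OID, the NULL replaced by a TimeTicks value."""
    return snmp_message(GET_RESPONSE, 4004,
                        [("1.3.6.1.2.1.1.3.0", enc_int(uptime_ticks, TIMETICKS))])

if __name__ == "__main__":
    print("request matches capture:", build_request() == CAPTURED_REQUEST)
    print("response:", build_response(123456).hex(" "))
```

The request produced here is what `snmpget -v1 -c public 192.9.200.4 1.3.6.1.2.1.1.3.0` puts on the wire (with a different request ID). A manager that sends it must match the reply to its request by request ID and gets no other assurance of who answered: SNMPv1 carries nothing but the cleartext community string, which is why SNMPv3 with authentication and privacy is the replacement to use on any network an attacker can sniff or spoof on.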

