Post on 04-Sep-2014


SNMP Packet Analysis

Tran Phuoc Nguyen, pn.tran2012@gmail.com


SNMP packet trace using Wireshark


Ethernet Frame


Example of SNMP message


Basic Encoding Rules (BER)

• Used to transmit data between systems whose native encodings differ
• Each element is encoded as Type, Length, Value
• Also called Type-Length-Value (TLV) encoding

Basic Encoding Rules : Data Type


Example of Ethernet Encoding (hex dump of the frame carrying the SNMP GetRequest)

0000  00 00 43 E0 53 16 00 A0 24 70 C2 B7 08 00 45 00
0010  00 45 1A 03 00 00 1E 11 72 8B C0 09 C8 02 C0 09
0020  C8 04 04 00 00 A1 00 31 7E 18 30 27 02 01 00 04
0030  06 70 75 62 6C 69 63 A0 1A 02 02 0F A4 02 01 00
0040  02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 03
0050  00 05 00 00 0A 00 7E

Layers, from the outside in:

Ethernet Header (14 bytes): offsets 0x00-0x0D (destination MAC, source MAC, EtherType 08 00 = IPv4) + FCS (4 bytes): the trailing 00 0A 00 7E
IP Header (20 bytes): offsets 0x0E-0x21, from 45 00 to C0 09 C8 04 (total length 00 45 = 69, protocol 11 = UDP, 192.9.200.2 to 192.9.200.4)
UDP Header (8 bytes): offsets 0x22-0x29, 04 00 00 A1 00 31 7E 18 (port 1024 to port 161, length 00 31 = 49)
SNMP Data (41 bytes): offsets 0x2A-0x52, starting with 30 27

SNMP data decoded as TLV (the 41 bytes that follow the UDP header)

Header
  Sequence  30 27     27 = 39 octets (the whole message)
  Integer   02 01 : 00                    version 0 = SNMPv1
  String    04 06 : 70 75 62 6C 69 63     "public" (community string, sent in cleartext)

PDU
  GetRequest  A0 1A   A0 = 1010 0000 (context-specific, constructed, tag 0 = GetRequest)
                      1A = 26 octets
  Integer   02 02 : 0F A4                 Request ID = 4004
  Integer   02 01 : 00                    Error status = 0
  Integer   02 01 : 00                    Error index = 0
  Sequence  30 0E     0E = 14 octets (VarBindList)
    Sequence  30 0C   0C = 12 octets (one VarBind)
      Object  06 08 : 2B 06 01 02 01 01 03 00    1.3.6.1.2.1.1.3.0 (sysUpTime.0)
      Null    05 00                               value placeholder in a request
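The TLV walk above, done in code. This is an added example written for this page, not code from the original slides: it takes the frame from the hex dump (offset columns stripped; the MAC octet 0x43 follows the annotated copies of the dump), peels Ethernet, IPv4 and UDP using sizes read from the packet rather than fixed constants, and then decodes the SNMP message with a small BER reader written here. It goes a little beyond the slides: the reader also handles long-form lengths and multi-octet OID sub-identifiers, refuses lengths that overrun the buffer, and flags the well-known default community strings that SNMPv1/v2c send in cleartext.

```python
"""Decode the captured SNMPv1 GetRequest frame from the hex dump above, layer by
layer. Added example for this page, not code from the original slides."""
import struct

# Frame from the dump above, offsets stripped: 14 B Ethernet + 20 B IPv4 + 8 B UDP + 41 B SNMP + 4 B FCS.
FRAME = bytes.fromhex(
    "0000 43E0 5316 00A0 2470 C2B7 0800"                    # Ethernet: dst, src, type 0x0800
    "4500 0045 1A03 0000 1E11 728B C009 C802 C009 C804"     # IPv4: length 69, TTL 30, proto 17
    "0400 00A1 0031 7E18"                                    # UDP: 1024 -> 161, length 49
    "3027 0201 0004 0670 7562 6C69 63A0 1A02 020F A402"     # SNMP: SEQUENCE, version, community, PDU
    "0100 0201 0030 0E30 0C06 082B 0601 0201 0103 0005 00"  # errors, VarBindList, sysUpTime.0, NULL
    "000A 007E"                                              # FCS as captured
)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def ber_tlv(buf, pos):
    """Read one Type-Length-Value at buf[pos] -> (tag, value, position after it).
    Lengths < 128 are one octet (short form, as in the slides); a length octet with
    the high bit set gives the count of length octets that follow (long form)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):                       # refuse to read past the buffer
        raise ValueError("BER length %d at offset %d overruns the buffer" % (length, pos))
    return tag, buf[pos:end], end


def ber_int(value, signed=True):
    return int.from_bytes(value, "big", signed=signed)


def oid_decode(value):
    """First octet packs two sub-ids as 40*a + b (0x2B -> 1.3); later sub-ids are
    base 128, high bit set = more octets follow."""
    first = value[0]
    subids = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(str(s) for s in subids)


def decode_value(tag, value):
    if tag == 0x05:                          # NULL: placeholder value in a GetRequest
        return None
    if tag in (0x02, 0x41, 0x42, 0x43):      # INTEGER, Counter32, Gauge32, TimeTicks
        return ber_int(value, signed=(tag == 0x02))
    if tag == 0x06:
        return oid_decode(value)
    return bytes(value)                      # OCTET STRING, IpAddress, Opaque: raw octets


def parse_snmp(payload):
    """SNMPv1 message: SEQUENCE { version, community, PDU { id, status, index, VarBindList } }."""
    tag, msg, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with SEQUENCE (0x30)")
    _, ver, pos = ber_tlv(msg, 0)
    _, comm, pos = ber_tlv(msg, pos)
    pdu_tag, pdu, _ = ber_tlv(msg, pos)
    _, req_id, pos = ber_tlv(pdu, 0)
    _, err_st, pos = ber_tlv(pdu, pos)
    _, err_ix, pos = ber_tlv(pdu, pos)
    _, vblist, _ = ber_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vblist):                 # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = ber_tlv(vblist, pos)
        _, oid, at = ber_tlv(vb, 0)
        vtag, val, _ = ber_tlv(vb, at)
        varbinds.append((oid_decode(oid), decode_value(vtag, val)))
    community = comm.decode("ascii", "replace")
    return {
        "version": ber_int(ver),             # 0 = SNMPv1
        "community": community,
        # v1/v2c send the community in cleartext; "public"/"private" are the defaults an auditor flags
        "default_community": community in ("public", "private"),
        "pdu": PDU_NAMES.get(pdu_tag, pdu_tag),
        "request_id": ber_int(req_id),
        "error_status": ber_int(err_st),
        "error_index": ber_int(err_ix),
        "varbinds": varbinds,
    }


def parse_frame(frame):
    """Peel Ethernet (14 B), IPv4 (IHL*4 B) and UDP (8 B) using sizes read from the
    packet, then hand the UDP payload to parse_snmp."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]                  # slicing to total_len drops the trailing FCS
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"src_ip": ".".join(str(b) for b in ip[12:16]),
            "dst_ip": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport,
            "snmp": parse_snmp(udp[8:ulen])}
```

Calling parse_frame(FRAME) yields 192.9.200.2:1024 to 192.9.200.4:161, version 0, community "public" (flagged as a default), a GetRequest with request ID 4004, error status and index 0, and one VarBind for 1.3.6.1.2.1.1.3.0 with a NULL value, matching the manual decode above. The length check in ber_tlv is the one line that matters when the input is untrusted: a BER length that points past the end of the datagram is exactly the kind of input that has crashed real SNMP parsers.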

Where 1.3.6.1.2.1.1.3 sits in the OID tree: 1 – 3 – 6 – 1 – 2 – 1 – 1 – 3 (iso . org . dod . internet . mgmt . mib . system . sysUpTime)

root
  0  ITU-T
  1  ISO
       0  STD
       1
       2
       3  ORG
            6  DoD
                 1  Internet
                      1  Directory
                      2  Mgmt
                           1  MIB (MIB-I / MIB-II)
                                1  System
                                     1  sysDescr
                                     2  sysObjectID
                                     3  sysUpTime
                                     4  sysContact
                                     5  sysName
                                     6  sysLocation
                                2  Interfaces
                                3  Addr. Trans.
                                4  IP
                                5  ICMP
                                6  TCP
                                7  UDP
                                8  EGP
                      3  Experimental
                      4  Private
  2  joint ISO/ITU-T

sysUpTime: the OBJECT-TYPE macro that describes a MIB-II object, and the object's own definition

OBJECT-TYPE MACRO ::=
BEGIN
    TYPE NOTATION ::=  "SYNTAX" type (TYPE ObjectSyntax)
                       "ACCESS" Access
                       "STATUS" Status
                       DescrPart
    VALUE NOTATION ::= value (VALUE ObjectName)
    DescrPart ::=      "DESCRIPTION" value (description DisplayString) | empty
    Access ::=         "read-only" | "read-write" | "write-only" | "not-accessible"
    Status ::=         "mandatory" | "optional" | "obsolete" | "deprecated"
    DisplayString ::=  OCTET STRING (SIZE (0..255))
END

sysUpTime OBJECT-TYPE
    SYNTAX      TimeTicks
    ACCESS      read-only
    STATUS      mandatory
    DESCRIPTION "The time (in hundredths of a second) since the network management portion of the system was last re-initialized."
    ::= { system 3 }
