


On Dec 13, 2012, at 1:13 AM, Peter Valdemar Mørch wrote:

> Doesn't work if there are SNMP traps that are fragmented, because then we don't get all the fragments.
>
> Wireshark now since rev 41216 saves all dependent packets too when one saves all packets according to the display filter. I've tried wireshark's version 1.8.2 and it works as described.
>
> I therefore expected this to work for tshark 1.8.2 too:
>
> tshark -r alludp.pcap -R snmp -w snmp.pcap
>
> I only get one packet - it doesn't save all fragments.
>
> 1) Isn't the tshark command above the tshark equivalent of the same use case?

"-f" specifies a capture filter, not a display filter. The TShark command in question is the TShark equivalent of capturing, in Wireshark, with a *capture* filter of "udp", and then, when the capture is finished, applying a display filter of "snmp".

> 2) Is there some other way to capture exactly SNMP traps (UDP port 162) including fragmented ones with tshark avoiding having to install and start up wireshark?

There isn't a way to capture exactly SNMP traps, including fragmented ones, with *any* tool, using libpcap/WinPcap-style stateless filtering to filter out everything except for the SNMP traps; that includes Wireshark. In order to filter all packets going to or from port 162, including fragments, a form of stateful filtering is necessary.
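The stateful filtering the reply describes, sketched as an added example that is not part of the original message and is not Wireshark or TShark code: only the fragment at offset 0 carries the UDP ports, so the filter remembers each matching datagram's (source, destination, protocol, IP ID) and keeps every packet with that key. The function names and the constructed sample packets are assumptions made for illustration.

```python
import struct

SNMP_TRAP_PORT = 162  # UDP port named in the thread

def parse_ipv4(pkt):
    """Return (datagram key, fragment offset, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    proto = pkt[9]
    key = (pkt[12:16], pkt[16:20], proto, ident)  # src, dst, protocol, IP ID
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:]

def select_trap_packets(packets, port=SNMP_TRAP_PORT):
    """Keep every IPv4 packet belonging to a UDP datagram to or from `port`."""
    wanted = set()
    # Pass 1: only the fragment at offset 0 carries the UDP header and ports.
    for pkt in packets:
        key, offset, _more, payload = parse_ipv4(pkt)
        if key[2] == 17 and offset == 0 and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
            if port in (sport, dport):
                wanted.add(key)
    # Pass 2: later (or earlier-arriving) fragments match on the remembered key.
    return [p for p in packets if parse_ipv4(p)[0] in wanted]

def make_ipv4(src, dst, ident, offset, more, payload, proto=17):
    """Build a constructed IPv4 packet (checksum left as zero) for the demo."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def demo():
    """Constructed sample traffic: one fragmented trap, two unrelated packets."""
    a, b = (192, 0, 2, 1), (192, 0, 2, 2)
    udp_trap = struct.pack("!HHHH", 40000, 162, 8 + 24, 0) + b"T" * 8
    udp_other = struct.pack("!HHHH", 40001, 514, 8 + 8, 0) + b"S" * 8
    return [
        make_ipv4(a, b, 7, 16, False, b"T" * 16),  # trap, 2nd fragment arrives first
        make_ipv4(a, b, 7, 0, True, udp_trap),     # trap, 1st fragment (has ports)
        make_ipv4(a, b, 8, 0, False, udp_other),   # unrelated UDP datagram
        make_ipv4(a, b, 9, 16, False, b"X" * 16),  # stray fragment, no first fragment
    ]
```

The two passes are what make this work on fragments that arrive before the first one; over a long capture the 16-bit IP ID can repeat, so a production version would also bound how long a key is remembered.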
