Barracuda MSP Partner Toolkit

Capturing, Parsing, and Troubleshooting SNMP traps using Wireshark

This is useful when you want to verify that MWExpertSystem (MW) is parsing traps correctly as they are received by the system it is installed on. Normally we've done this with iReasoning's trap receiver, which means stopping mwexpert while we troubleshoot; that can be a problem for long-term or intermittent issues.

Since the WinPcap driver grabs packets as soon as they hit a port (before even a software firewall can block them), Wireshark can monitor traffic on UDP port 162 while MWExpertSystem is running and still receiving the same traps.

To do this, you’d need to perform the following steps:

  1. Install Wireshark (including the installer's WinPcap driver).
  2. Start it up. Take note of which interface(s) are active (sending/receiving traffic).

(screenshot: 1.png)


 

  3. There are two ways to perform the next step:
     a. If you're going to be capturing for a short period (e.g. while you're on the phone), just enter the following capture filter: `port 162`, select the two interfaces, and hit the blue shark fin at the top right to start capturing:

(screenshot: 2.png)


 

     b. If you want a long-term capture, start it up using tshark.exe from the command line instead, making sure to specify an output file and a stop condition. Information about the command-line options is available in the tshark documentation.

      I'd recommend something like this (the -i flags indicate which interfaces to capture, -a is the stop condition (10 MB of capture; filesize is given in kilobytes) and -w is the output file):

```
"C:\Program Files\Wireshark\tshark.exe" -i 3 -i 6 -f "port 162" -a filesize:10240 -w "C:\Temp\snmptraptrace.pcapng"
```

      You could use -a duration:600 instead of -a filesize:10240 to stop after 10 minutes (duration is in seconds) instead of 10 MB.
 

  4. Once you've captured data, you'll see the list of UDP packets received so far. Selecting one will give you additional information if you expand the `Simple Network Management Protocol` tree.

     This information includes the SNMP version, the community string, enterprise OIDs and variable bindings:

(screenshot: 3.png)



 

  5. You'll notice that most values are either Integers or OctetStrings. The string values are displayed in hexadecimal by default, but you can see a preview of the string values in the bottom pane, or you can right-click on the value and choose Copy -> ...as Printable Text:

(screenshot: 4.png)



 

  6. This will let you paste the textual value, e.g.:

Job Status: Completed successfully

BeforeJob: run command "/raider/etc/runBeforeJob.sh 198 DC-1:Imaged.2016-04-19_02 9F2D6E1E-B756-672F-983F-1963708DC92B Backup Incremental"

Start Backup JobId 198, Job=DC-1:Imaged.2016-04-19_02.00.00.34

Created new Volume

which you can use to help create or verify monitoring rules.
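Steps 4 to 6 describe what Wireshark shows for each trap: the version, the community string, the enterprise OID, and the variable bindings, with OctetString values shown as hex until you copy them as printable text. The following decoder is an added example, not code from the original article or from Barracuda; it walks the same BER structure that Wireshark's SNMP dissector does for an SNMPv1 Trap-PDU (RFC 1157) and renders OctetStrings the way "...as Printable Text" does, replacing non-printable bytes with a dot. The trap bytes are constructed in the file by a small encoder rather than captured from a real system; the enterprise number 32473 is the RFC 5612 documentation enterprise and 192.0.2.10 is a documentation address, so neither points at a real product or host.

```python
"""Minimal BER decoder for SNMPv1 Trap-PDUs (RFC 1157), with a tiny encoder
used only to build a constructed sample trap. Added example; not code from
the original article or from the product it describes."""
from typing import Any, Tuple

# BER universal tags and SNMP application tags that appear in v1 traps
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER, GAUGE, TIMETICKS, TRAP_PDU = 0x40, 0x41, 0x42, 0x43, 0xA4


# ---------- encoder: only used to construct the sample trap below ----------
def _tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a BER tag/length/value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def enc_int(v: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement encoding, as BER requires."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(tag, v.to_bytes(n, "big", signed=True))


def enc_oid(oid: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_v1_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """Assemble Message { version=0, community, Trap-PDU { ... } }."""
    vbl = b"".join(_tlv(SEQUENCE, enc_oid(o) + v) for o, v in varbinds)
    pdu = (enc_oid(enterprise)
           + _tlv(IPADDRESS, bytes(int(x) for x in agent_ip.split(".")))
           + enc_int(generic) + enc_int(specific) + enc_int(uptime, TIMETICKS)
           + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, enc_int(0) + _tlv(OCTET_STRING, community) + _tlv(TRAP_PDU, pdu))


# ---------- decoder: the part that mirrors Wireshark's SNMP tree ----------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position after the element); reject truncation."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length: next (ln & 0x7F) bytes hold it
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def dec_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def printable(body: bytes) -> str:
    """Same rendering as Wireshark's 'Copy -> ...as Printable Text'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in body)


def dec_value(tag: int, body: bytes) -> Any:
    if tag in (INTEGER, COUNTER, GAUGE, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return printable(body)
    if tag == OID:
        return dec_oid(body)
    if tag == IPADDRESS:
        return ".".join(str(b) for b in body)
    if tag == NULL:
        return None
    return body.hex()                  # unknown type: fall back to raw hex, as Wireshark does


def parse_v1_trap(msg: bytes) -> dict:
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version != 0:
        raise ValueError(f"not SNMPv1 (version field {version})")
    _, comm, p = _read_tlv(body, p)
    t, pdu, _ = _read_tlv(body, p)
    if t != TRAP_PDU:
        raise ValueError(f"expected Trap-PDU (0xA4), got tag 0x{t:02x}")
    fields = []
    q = 0
    for _ in range(6):                 # enterprise, agent-addr, generic, specific, time-stamp, varbinds
        ftag, fval, q = _read_tlv(pdu, q)
        fields.append((ftag, fval))
    (_, ent), (_, addr), (_, gen), (_, spec), (_, ticks), (_, vbl) = fields
    varbinds, i = [], 0
    while i < len(vbl):
        _, vb, i = _read_tlv(vbl, i)
        _, name, j = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, j)
        varbinds.append((dec_oid(name), dec_value(vtag, val)))
    return {"version": version, "community": printable(comm), "enterprise": dec_oid(ent),
            "agent_addr": dec_value(IPADDRESS, addr), "generic_trap": dec_value(INTEGER, gen),
            "specific_trap": dec_value(INTEGER, spec), "uptime_ticks": dec_value(TIMETICKS, ticks),
            "varbinds": varbinds}


# Constructed sample (not a real capture): enterprise 32473 is the RFC 5612
# documentation enterprise; the varbind sub-arcs under it are made up here.
SAMPLE_ENTERPRISE = "1.3.6.1.4.1.32473"
SAMPLE_TRAP = build_v1_trap(
    community=b"public", enterprise=SAMPLE_ENTERPRISE, agent_ip="192.0.2.10",
    generic=6, specific=1, uptime=123456,
    varbinds=[
        (SAMPLE_ENTERPRISE + ".1.1", _tlv(OCTET_STRING, b"Job Status: Completed successfully")),
        (SAMPLE_ENTERPRISE + ".1.2", enc_int(198)),
        (SAMPLE_ENTERPRISE + ".1.3", _tlv(OCTET_STRING, b"DC-1\x00raw")),  # contains a non-printable byte
    ],
)

if __name__ == "__main__":
    for k, v in parse_v1_trap(SAMPLE_TRAP).items():
        print(f"{k}: {v}")
```

Running the file prints the same fields you would read off the Wireshark tree for this trap, with the third varbind rendered as `DC-1.raw` because the embedded NUL is not printable. Feeding it the payload of a packet captured with the filter above (the UDP payload, not the whole frame) will decode it the same way, as long as it is an SNMPv1 trap; the version check raises for v2c/v3 messages rather than guessing at their different PDU layout.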
