Barracuda MSP Partner Toolkit

How to Capture, Parse and Troubleshoot SNMP traps using Wireshark

This article describes how to verify that Managed Workplace is parsing traps properly as they are received by the system it is installed on. Unlike iReasoning's trap receiver, Wireshark does not require stopping the MWExpertSystem while troubleshooting, which is useful when tracking down long-term or intermittent issues.

Since the WinPcap driver grabs packets as soon as they arrive on a port, before a software firewall can block them, Wireshark can monitor traffic on port 162 while MWExpertSystem is running.

To enable Wireshark monitoring, follow the steps below:

  1. Install Wireshark, including the WinPcap driver offered by the installer
  2. Start Wireshark and take note of which interface(s) are active (sending and receiving traffic)


  3. There are two ways to perform the next step. 
    1. If you are going to be capturing for a short period of time, for example while you are on the phone, enter the capture filter `port 162`, select the two interfaces and click the blue shark fin on the top right to start capturing


    2. If you want a long-term capture, start the capture with tshark.exe from the command line instead, making sure to specify an output file and a stop condition. Information about the command line options is available in the tshark man page.
      An example of this would be:

      (screenshot: the example tshark command line)

       where each -i flag selects an interface to capture on, -a sets the stop condition (here, 10 MB of capture) and -w names the output file. You can use `-a duration:600` instead to stop after 10 minutes (the duration is given in seconds)
  4. Once you've captured the data, you will see the list of received UDP packets. Selecting a packet and expanding the Simple Network Management Protocol tree shows additional information: the SNMP version, the community string, the enterprise OIDs and the variable bindings:


  5. You will notice that most values are either Integers or OctetStrings. The string values are displayed in hexadecimal by default, but you can see a preview of the string values in the bottom pane, or you can right-click the value and choose Copy > as Printable Text


  6. You can then paste the textual value and use it to help create or verify monitoring rules. For example:

    (screenshot: a monitoring rule using the pasted trap value)
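As an added example that is not part of the original article, the following Python decodes a trap byte by byte into the same fields Wireshark lists under its SNMP tree: version, community string, the PDU header (the v1 enterprise OID, agent address and trap numbers, or the v2c request-id) and each variable binding as OID, type and value, with OctetStrings returned both as hex (Wireshark's default view) and as printable text. It goes beyond the screenshots in covering both SNMPv1 and v2c traps; the packet bytes, community string and OIDs in `SAMPLE_TRAP` are constructed sample values, not taken from a real capture.

```python
# BER tag byte -> type name as Wireshark shows it in the SNMP tree
TAGS = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x06: "OBJECT IDENTIFIER", 0x40: "IpAddress",
        0x41: "Counter32", 0x42: "Gauge32", 0x43: "TimeTicks"}
# Constructed sample (not from a real capture): an SNMPv2c trap, community "public", three bindings
SAMPLE_TRAP = bytes.fromhex(
    "305c 020101 04067075626c6963 a74f 02012a 020100 020100"  # SEQUENCE; version 1 = v2c; "public"; PDU; req-id 42; 0; 0
    "3044 300e 06082b06010201010300 43023039"                  # VarBindList; sysUpTime.0 = TimeTicks 12345
    "3017 060a2b060106030101040100 06092b0601060301010503"     # snmpTrapOID.0 = linkDown (1.3.6.1.6.3.1.1.5.3)
    "3019 060a2b0601040183fb680101 040b6c696e6b20646f776e0d0a")  # 1.3.6.1.4.1.65000.1.1 = "link down\r\n"

def elements(buf):
    """Yield (tag, value bytes) for each BER TLV in buf; handles long-form lengths (traps over 127 bytes)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                 # long form: low 7 bits = number of length bytes
            n = length & 0x7f
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(data):
    """Dotted OID from BER: first byte packs two arcs (40*x + y), the rest are base-128 groups."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:                                  # a clear high bit ends the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_value(tag, data):
    """Primitive value; OCTET STRING as hex (Wireshark's default) and as 'Copy > as Printable Text'."""
    if tag in (0x02, 0x41, 0x42, 0x43):                   # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(data, "big", signed=(tag == 0x02))
    if tag == 0x04:                                       # non-printable bytes are shown as '.'
        return {"hex": data.hex(), "text": "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in data)}
    return decode_oid(data) if tag == 0x06 else ".".join(map(str, data)) if tag == 0x40 else None

def parse_trap(packet):
    """Parse an SNMPv1 (0xa4) or v2c (0xa7) trap into the fields Wireshark lists under its SNMP tree."""
    (_, msg), = elements(packet)                          # outer SEQUENCE
    (_, ver), (_, community), (pdu_tag, pdu) = elements(msg)
    header = (("enterprise", "agent-addr", "generic-trap", "specific-trap", "time-stamp")
              if pdu_tag == 0xa4 else ("request-id", "error-status", "error-index"))
    *fields, (_, vbl) = elements(pdu)                     # the last PDU element is the VarBindList
    out = {"version": {0: "v1", 1: "v2c"}.get(ver[0]), "community": community.decode("latin-1")}
    out.update(zip(header, (decode_value(t, d) for t, d in fields)))
    binds = [tuple(elements(vb)) for _, vb in elements(vbl)]  # VarBind = SEQUENCE { name OID, value }
    out["variable-bindings"] = [(decode_oid(n), TAGS.get(t, hex(t)), decode_value(t, d))
                                for (_, n), (t, d) in binds]
    return out
```

`parse_trap(SAMPLE_TRAP)` returns version `v2c`, community `public`, request-id 42 and three bindings, the last of them as `{'hex': '6c696e6b20646f776e0d0a', 'text': 'link down..'}`, which is the value you would paste into a monitoring rule.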
