NAM Custom Capture Filter configuration

Unanswered Question

I need to create a filter to capture SNMP writes. Does anyone know what data, mask, and offset bytes to use with snmp base?

I believe that I am looking for the third byte in the SNMP PDU to be 03 for SetRequest. The data should be 03? The offset should then be 3 (for third byte)? and the mask FF?

mchin345 Tue, 10/07/2008 - 13:22

There's actually a pretty easy solution...basically:

(1) Go to Setup->Monitor->Protocol Directory

(2) Create a new protocol at the TCP port 5190 called whatever they want

(3) Go to Capture->Settings and select the new protocol they created for their simple capture filter

In case you still want to use the custom filter, here is how to set up a filter for TCP source port 5190:

1. Go to Capture > Custom Filter > Capture Filters

2. Create a new capture filter, give it some name (e.g. tcp-port-5190)

3. Select TCP for Protocol

4. Enter "14 46" (w/out the quotation) for Data (0x1446 is the port number 5190 in hex)

5. For source port, enter "0" for Offset (for destination port, enter "2"). Select "tcp" for Base. (the src port is at offset 0 from the start of the TCP header)

6. Click "Apply" to save your filter and select it when you start capture

NAM capture filters for SNMP probably can't be done. The problem is that you must create the filter using the "SNMP UDP" packet type and then offset so many bytes within that SNMP packet to find the SNMP PDU Type byte.

This would work if it weren't for one of the fields in the SNMP PDU having varying lengths and therefore changing the offset for each length.

The SNMP Message Type field may be 8, 9, or 10 bytes in length. This makes it impossible to give an exact offset value to trigger on for the SetRequest A3 value.
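The moving offset described in the reply above can be seen by walking the BER header of an exported capture offline. This is an added example, not part of the original thread or of NAM; it assumes SNMPv1/v2c, measures offsets from the start of the UDP payload, and its function names and sample messages are constructed for illustration.

```python
# Added example (not from the thread): find the SNMP PDU type byte by walking
# the BER header. Assumes SNMPv1/v2c over UDP; SNMPv3 has a different layout.
SET_REQUEST = 0xA3  # PDU tag the thread refers to for SetRequest

def read_len(buf, i):
    """Decode the BER length starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:                       # short form: one octet
        return first, i + 1
    n = first & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def pdu_type_offset(payload):
    """Return (offset, tag) of the PDU type byte within the UDP payload."""
    buf = bytes(payload)
    try:
        if buf[0] != 0x30:
            raise ValueError("not a BER SEQUENCE")
        _, i = read_len(buf, 1)            # outer message length
        if buf[i] != 0x02:
            raise ValueError("version INTEGER expected")
        vlen, i = read_len(buf, i + 1)
        if int.from_bytes(buf[i:i + vlen], "big") not in (0, 1):
            raise ValueError("only SNMPv1/v2c handled")
        i += vlen
        if buf[i] != 0x04:
            raise ValueError("community OCTET STRING expected")
        clen, i = read_len(buf, i + 1)
        i += clen                          # skip the variable-length community
        return i, buf[i]
    except IndexError:
        raise ValueError("truncated SNMP message") from None

def is_set_request(payload):
    """True only for a well-formed v1/v2c message whose PDU tag is 0xA3."""
    try:
        return pdu_type_offset(payload)[1] == SET_REQUEST
    except ValueError:
        return False

def build_sample(community, pdu_tag):
    """Construct a minimal v2c message (constructed test data, empty varbinds)."""
    def tlv(tag, body):
        n = len(body)
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
    pdu = tlv(pdu_tag, tlv(2, b"\x01") + tlv(2, b"\x00") * 2 + tlv(0x30, b""))
    return tlv(0x30, tlv(2, b"\x01") + tlv(4, community) + pdu)
```

With the constructed samples, the community strings "public" and "private" put the PDU type byte at offsets 13 and 14, and a 120-byte community pushes it to 128 because the outer length switches to the long form.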
