Decrypt SNMP v2 using Wireshark

If your SNMP client is not reading the values from the LoadMaster correctly, you might need to troubleshoot the issue, or compare the values being sent.

Decrypting SNMP requires a packet capture and the SNMP MIBs. SNMP should also be configured on the LoadMaster.

Take a TCP dump on the LoadMaster, filtering on port 161. From an SNMP client, perform an SNMP walk.

Open Wireshark and navigate to Edit -> Preferences, then Appearance -> Name Resolution.


Select SMI (MIB and PIB) paths. Select Add new entry and navigate to the folder containing the KEMP MIBs.


Next, edit SMI (MIB and PIB) modules. Add the exact names of each of the files contained in the MIB folder.


Back on the Name Resolution menu, check the boxes for Enable OID resolution and Suppress SMI errors.


You must restart Wireshark for the changes to take effect.

Open the packet capture taken previously. You should now see an SNMP get request and SNMP response.

The example below shows a decrypted SNMP response. If everything is working, you can see the value of the response.

[Screenshot: SNMP.pcap open in Wireshark]
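What the OID-resolution steps above accomplish, as an added example that is not part of the original article or KEMP's tooling: an SNMPv2c message is plain BER with a readable community string, and loading a MIB only turns numeric OIDs into names. The packet bytes, the `lm-test` value and the one-entry `MIB_NAMES` table are constructed for illustration.

```python
SAMPLE = bytes.fromhex(  # constructed GetResponse, not from a real capture
    "302d02010104067075626c6963a220020101020100020100"
    "3015301306082b0601020101050004076c6d2d74657374")
MIB_NAMES = {"1.3.6.1.2.1.1.5": "SNMPv2-MIB::sysName"}  # stand-in for a loaded MIB

def tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(raw):
    """Decode BER OID bytes into dotted notation."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def resolve(oid):
    for prefix, name in MIB_NAMES.items():  # name the OID if a loaded prefix matches
        if oid == prefix or oid.startswith(prefix + "."):
            return name + oid[len(prefix):]
    return oid  # no MIB entry for this subtree: stays numeric

def decode(packet):
    """Return (version, community, [(name, value), ...]) for one message."""
    _, msg, _ = tlv(packet, 0)
    _, version, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)
    _, pdu, _ = tlv(msg, p)
    p = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, p = tlv(pdu, p)
    _, varbinds, _ = tlv(pdu, p)
    out, p = [], 0
    while p < len(varbinds):
        _, vb, p = tlv(varbinds, p)
        _, oid, q = tlv(vb, 0)
        vtag, val, _ = tlv(vb, q)
        text = val.decode(errors="replace") if vtag == 0x04 else val.hex()
        out.append((resolve(oid_to_str(oid)), text))
    return version[0], community.decode(errors="replace"), out
```

Version value 1 on the wire is SNMPv2c; an OID with no matching entry in `MIB_NAMES` is returned in numeric form.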

 
