SNMP: Simple Network Management Protocol
Introduction
This tutorial discusses the plugin snmpDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow snmpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: snmp.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing SNMP traffic!
snmpDecode
Let’s look at the plugin configuration first:
snmpDecode
vi src/snmpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SNMP_STRLEN 64 // max length for string
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for snmpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Run t2 on the supplied pcap:
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 54802, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: snmpDecode, 0.9.1
    03: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/snmp.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1258482072.450230000 sec (Tue 17 Nov 2009 18:21:12 GMT)
Dump stop : 1258482072.450846000 sec (Tue 17 Nov 2009 18:21:12 GMT)
Total dump duration: 0.000616000 sec
Finished processing. Elapsed time: 0.000094038 sec
Finished unloading flow memory. Time: 0.000120835 sec
Percentage completed: 100.00%
Number of processed packets: 2
Number of processed bytes: 177
Number of raw bytes: 177
Number of pcap bytes: 233
Number of IPv4 packets: 2 [100.00%]
Number of A packets: 1 [50.00%]
Number of B packets: 1 [50.00%]
Number of A bytes: 87 [49.15%]
Number of B bytes: 90 [50.85%]
<A packet load>: 87.00
<B packet load>: 90.00
--------------------------------------------------------------------------------
snmpDecode: Aggregated snmpStat=0x01
snmpDecode: Number of SNMP packets: 2 [100.00%]
snmpDecode: Number of SNMP GetRequest packets: 1 [50.00%]
snmpDecode: Number of SNMP GetResponse packets: 1 [50.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of UDP packets: 2 [100.00%]
Number of UDP bytes: 177 [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 2
Number of processed IPv4 flows: 2 [100.00%]
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request flows: 1 [50.00%]
Number of reply flows: 1 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 1.00
Number of processed A packets/A flows: 1.00
Number of processed B packets/ B flows: 1.00
Number of processed total packets/s: 3246.75 (3.25 K)
Number of processed A+B packets/s: 3246.75 (3.25 K)
Number of processed A packets/s: 1623.38 (1.62 K)
Number of processed B packets/s: 1623.38 (1.62 K)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 3246.75 (3.25 K)
<Bandwidth>: 2298701 b/s (2.30 Mb/s)
<Raw bandwidth>: 2298701 b/s (2.30 Mb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
So the aggregated snmpStat currently has only one bit set, which states that the traffic is SNMP.
The snmpStat column with value 0x01 is to be interpreted as follows:
bit | snmpStat | Description
=============================================================================
0 | 0x01 | Flow is SNMP
Here you see the flow file. Later we will decode all the binary information it contains.
tcol ~/results/snmp_flows.txt
%dir                                                A                     B
flowInd                                             1                     1
flowStat                                            0x0400000000004000    0x0400000000004001
timeFirst                                           1258482072.450230000  1258482072.450846000
timeLast                                            1258482072.450230000  1258482072.450846000
duration                                            0.000000000           0.000000000
numHdrDesc                                          1                     1
numHdrs                                             3                     3
hdrDesc                                             eth:ipv4:udp          eth:ipv4:udp
srcMac                                              00:16:cb:8c:ea:27     00:19:b9:f7:4b:02
dstMac                                              00:19:b9:f7:4b:02     00:16:cb:8c:ea:27
ethType                                             0x0800                0x0800
vlanID
srcIP                                               10.10.1.159           10.10.3.109
srcIPCC                                             04                    04
srcIPOrg                                            "Private network"     "Private network"
srcPort                                             51217                 161
dstIP                                               10.10.3.109           10.10.1.159
dstIPCC                                             04                    04
dstIPOrg                                            "Private network"     "Private network"
dstPort                                             161                   51217
l4Proto                                             17                    17
snmpStat                                            0x01                  0x01
snmpVer                                             1                     1
snmpCommunity                                       "public"              "public"
snmpUser                                            ""                    ""
snmpMsgT                                            0x0001                0x0004
snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep  1_0_0_0_0_0_0_0_0     0_0_1_0_0_0_0_0_0
And the same two packets in the packet file:
tcol ~/results/snmp_packets.txt
%pktNo         1                                   2
flowInd        1                                   1
flowStat       0x0400000000004000                  0x0400000000004001
time           1258482072.450230000                1258482072.450846000
pktIAT         0.000000000                         0.000000000
pktTrip        0.000000000                         0.000616000
flowDuration   0.000000000                         0.000000000
numHdrs        3                                   3
hdrDesc        eth:ipv4:udp                        eth:ipv4:udp
vlanID
srcMac         00:16:cb:8c:ea:27                   00:19:b9:f7:4b:02
dstMac         00:19:b9:f7:4b:02                   00:16:cb:8c:ea:27
ethType        0x0800                              0x0800
srcIP          10.10.1.159                         10.10.3.109
srcIPCC        04                                  04
srcIPOrg       Private network                     Private network
srcPort        51217                               161
dstIP          10.10.3.109                         10.10.1.159
dstIPCC        04                                  04
dstIPOrg       Private network                     Private network
dstPort        161                                 51217
l4Proto        17                                  17
snmpVersion    1                                   1
snmpCommunity  public                              public
snmpUser
snmpType       0xa0                                0xa2
l7Content      0+…..public….5c.……0.0..+………..       0……public.!..5c.……0.0..+………A.
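As an added example (not part of this tutorial or of Tranalyzer), the following Python decodes the binary snmpDecode columns of the flow and packet files shown above: the snmpStat bit, the snmpMsgT bit field and the packet file's snmpType tag, and flags v1/v2c flows that use a default community. It assumes that bit i of snmpMsgT corresponds to the i-th counter in snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep and that this order equals the ASN.1 context tags 0xa0 to 0xa8; both are inferred from the two rows above, not taken from the plugin source.

```python
import csv
import io

# PDU names in the order of the snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep
# column. Assumption: this is also the order of the ASN.1 context tags 0xa0..0xa8,
# consistent with the two rows of the tutorial (0x0001/0xa0 and 0x0004/0xa2).
PDU_NAMES = ("GetRequest", "GetNextRequest", "GetResponse", "SetRequest", "Trap",
             "GetBulkRequest", "InformRequest", "SNMPv2-Trap", "Report")

# Constructed sample: the tutorial's two flow rows, reduced to the columns used
# here (tab separated, as txtSink writes them).
SAMPLE_FLOWS = (
    "%dir\tsrcIP\tdstIP\tdstPort\tsnmpStat\tsnmpVer\tsnmpCommunity\tsnmpMsgT\t"
    "snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep\n"
    'A\t10.10.1.159\t10.10.3.109\t161\t0x01\t1\t"public"\t0x0001\t1_0_0_0_0_0_0_0_0\n'
    'B\t10.10.3.109\t10.10.1.159\t51217\t0x01\t1\t"public"\t0x0004\t0_0_1_0_0_0_0_0_0\n'
)

def decode_msg_types(snmp_msg_t):
    """Expand the snmpMsgT bit field: bit i set -> PDU_NAMES[i] was seen in the flow."""
    value = int(snmp_msg_t, 16)
    return [name for i, name in enumerate(PDU_NAMES) if value & (1 << i)]

def pdu_tag_name(snmp_type):
    """Map the packet file's snmpType (ASN.1 context tag, e.g. 0xa2) to a PDU name."""
    idx = int(snmp_type, 16) - 0xA0
    return PDU_NAMES[idx] if 0 <= idx < len(PDU_NAMES) else "unknown"

def audit_flows(text):
    """One finding per SNMP flow: decoded PDU types, a consistency check against the
    per-type counters, and a flag for clear-text v1/v2c flows with a default community."""
    findings = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if not int(row["snmpStat"], 16) & 0x01:     # snmpStat bit 0: flow is SNMP
            continue
        types = decode_msg_types(row["snmpMsgT"])
        counts = [int(c) for c in
                  row["snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep"].split("_")]
        # Every set bit should have a non-zero counter at the same index.
        consistent = all(counts[PDU_NAMES.index(t)] > 0 for t in types)
        # v1/v2c send the community in clear text; 'public'/'private' are vendor defaults.
        community = row["snmpCommunity"].strip('"')
        weak = int(row["snmpVer"]) < 3 and community in {"public", "private"}
        findings.append({"dir": row["%dir"], "types": types,
                         "consistent": consistent, "weak_community": weak})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

To run it on the real output, pass the content of ~/results/snmp_flows.txt to audit_flows instead of SAMPLE_FLOWS; the extra columns are simply ignored by DictReader.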
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf snmpDecode --reset && t2build snmpDecode
Have fun analyzing SNMP traffic!