  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583
  • Last Modified:

SNMP Packet Breakdown

Hi All,

I'm writing some code to send and retrieve data via SNMP requests over a socket.  I'm trying to break this down into data that can be read and stored.  Please note the value is in hex (eg: 48 = 0x30).

I know 0 is the beginning of the sequence.  

Are 1 & 2 length because the 8th bit is flagged?

I'm lost in that part until 7 . . . which should start forming the community string . . . but why is the length 6 if it's an octet?

I'm after the [56] which is the data and is easy to look at visually, but I know the packets can change based on the varbindings and am trying to understand how to decode this so I can do this for all packets.

Any help greatly appreciated.


[0]	48	byte
		[1]	130	byte
		[2]	0	byte
		[3]	53	byte
		[4]	2	byte
		[5]	1	byte
		[6]	0	byte
		[7]	4	byte
		[8]	6	byte
		[9]	112	byte
		[10]	117	byte
		[11]	98	byte
		[12]	108	byte
		[13]	105	byte
		[14]	99	byte
		[15]	162	byte
		[16]	130	byte
		[17]	0	byte
		[18]	38	byte
		[19]	2	byte
		[20]	4	byte
		[21]	0	byte
		[22]	0	byte
		[23]	0	byte
		[24]	1	byte
		[25]	2	byte
		[26]	1	byte
		[27]	0	byte
		[28]	2	byte
		[29]	1	byte
		[30]	0	byte
		[31]	48	byte
		[32]	130	byte
		[33]	0	byte
		[34]	22	byte
		[35]	48	byte
		[36]	130	byte
		[37]	0	byte
		[38]	18	byte
		[39]	6	byte
		[40]	12	byte
		[41]	43	byte
		[42]	6	byte
		[43]	1	byte
		[44]	4	byte
		[45]	1	byte
		[46]	129	byte
		[47]	165	byte
		[48]	119	byte
		[49]	27	byte
		[50]	2	byte
		[51]	2	byte
		[52]	0	byte
		[53]	2	byte
		[54]	2	byte
		[55]	0	byte
		[56]	104	byte

0
Kyle Abrahams
Asked:
1 Solution
 
Infinity08 Commented:
For questions like these, refer to the appropriate RFC. In this case, you want RFC 1157 : "A Simple Network Management Protocol (SNMP)" :

        http://www.ietf.org/rfc/rfc1157.txt

(specifically section 4)

ASN.1 BER encoding is used.

Your example would be decoded like this :

30   --> SEQUENCE TAG : Message
       82   --> length is encoded over 2 bytes :
       00 35  --> length : 0x0035 = 53 bytes

       02   --> INTEGER TAG (version)
              01   --> length : 0x01 = 1 byte
              00   --> value : 0x00 = 0

       04   --> OCTET STRING TAG (community)
              06   --> length : 0x06 = 6 bytes
              70 75 62 6C 69 63   --> value : 0x7075626C6963 = "public"

       A2   --> IMPLICIT SEQUENCE TAG [2] : GetResponse-PDU (data)
              82   --> length is encoded over 2 bytes :
              00 26   --> length : 0x0026 = 38

              02   --> INTEGER TAG : RequestID (request-id)
                     04   --> length : 0x04 = 4 bytes
                     00 00 00 01   --> value : 0x00000001 = 1

              02   --> INTEGER TAG : ErrorStatus (error-status)
                     01   --> length : 0x01 = 1 byte
                     00   --> value : 0x00 = 0 (noError)

              02   --> INTEGER TAG : ErrorIndex (error-index)
                     01   --> length : 0x01 = 1 byte
                     00   --> value : 0x00 = 0

              30   --> SEQUENCE TAG : VarBindList (variable-bindings)
                     82   --> length is encoded over 2 bytes :
                     00 16   --> length : 0x0016 = 22

                     30   --> SEQUENCE TAG : VarBind
                            82   --> length is encoded over 2 bytes :
                            00 12   --> length : 0x0012 = 18

                            06   --> OBJECT IDENTIFIER TAG : ObjectName (name)
                                   0C   --> length : 0x0C = 12 bytes
                                   2B 06 01 04 01 81 A5 77 1B 02 02 00   --> value : 1.3.6.1.4.1.21239.27.2.2.0

                            02   --> INTEGER TAG : ObjectSyntax (value)
                                   02   --> length : 0x02 = 2 bytes
                                   00 68   --> value : 0x0068 = 104

or shorter :

message {
    version = 0
    community = "public"
    data:getResponse {
        request-id = 1
        error-status = noError
        error-index = 0
        variable-bindings = {
            {
                name = 1.3.6.1.4.1.21239.27.2.2.0
                value = 104
            }
        }
    }
}
0
 
Kyle Abrahams, Senior .Net Developer (Author) Commented:
Any good tutorials on BER?  

I get glimpses of clarity but it's not all coming together yet.
0
 
sameer_dubey Commented:
Community string is an OCTET STRING. Here each character is encoded in one octet. That's why the length is '6' - it means that the community string (or octet string) is encoded in 6 octets. Refer to Infinity08's parsing.

Yes, the packets can change based on variable bindings. Your best bet would be to use an ASN.1 parser. You could even write one yourself in C/C++.

You could even use netsnmp to do the parsing for you.

I hope it helps.
0
 
Infinity08 Commented:
>> Any good tutorials on BER?

Here's a start : http://en.wikipedia.org/wiki/Basic_Encoding_Rules

Just remember that it's basically a TLV encoding (Type-Length-Value) :

1) Each item starts with the Type tag which is an integer value with a very specific meaning (for example 2 is an INTEGER, 4 an OCTET STRING, etc.).

2) Then the length, which is either a 1-byte integer value, or a multiple byte integer value preceded by 0x8z where z indicates the amount of bytes used. In both cases, the length is the size in bytes.

3) Finally, the actual data (value), encoded in the specified amount of bytes (given length), and whose format is determined by the specified type.
0
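The three TLV rules above, applied to the packet from the question, as an added example that is not part of the original thread. The function names are hypothetical, and the decoder assumes single-byte tags, definite lengths of at most 4 bytes, and OIDs whose first arc is 0 or 1. It rejects any declared length that runs past the buffer, which is the check a hand-written parser for network input most needs.

```python
# Added example (not from the thread). PACKET is the question's dump as hex.
PACKET = bytes.fromhex("30820035 020100 04067075626c6963 a2820026 020400000001 020100 "
                       "020100 30820016 30820012 060c2b0601040181a5771b020200 02020068")

def read_tlv(buf, pos):                    # returns (tag, value_bytes, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form 0x8z: z length bytes follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):            # declared length must fit the buffer
        raise ValueError("length exceeds remaining data")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(v):
    if not v or v[-1] & 0x80:              # empty, or last sub-identifier unfinished
        raise ValueError("malformed OID")
    arcs, sub = [v[0] // 40, v[0] % 40], 0  # first byte packs two arcs as 40*x+y
    for b in v[1:]:
        sub = (sub << 7) | (b & 0x7F)      # base-128, 7 bits per byte
        if not b & 0x80:                   # high bit clear ends a sub-identifier
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def decode(buf, depth=0):                  # returns a list of (tag, value) pairs
    if depth > 8:                          # cap nesting on untrusted input
        raise ValueError("nesting too deep")
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag & 0x20:                     # constructed (0x30, 0xA2): nested TLVs
            val = decode(val, depth + 1)
        elif tag == 0x02:                  # INTEGER: big-endian two's complement
            val = int.from_bytes(val, "big", signed=True)
        elif tag == 0x06:                  # OBJECT IDENTIFIER
            val = decode_oid(val)
        out.append((tag, val))             # OCTET STRING and others stay as bytes
    return out

def parse_snmp(packet):                    # pick the SNMPv1 response fields
    ((_, msg),) = decode(packet)           # exactly one outer SEQUENCE expected
    (_, version), (_, community), (_, pdu) = msg
    (_, req_id), _, _, (_, binds) = pdu    # error-status and error-index skipped
    return {"version": version, "community": community.decode("ascii"),
            "request_id": req_id, "varbinds": [(n[1], v[1]) for _, (n, v) in binds]}
```

Because the walk is driven by tags and lengths rather than fixed offsets, the value is found wherever the varbind list places it, not only at index 56.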
 
Kyle Abrahams, Senior .Net Developer (Author) Commented:
Thanks for the info.  Makes sense now.
0
