Object Identifiers in Wireshark
Last Updated :
13 Nov, 2022
Object Identifiers (OIDs) are used by several ASN.1 protocol to specifically identify specific items of data. They are constantly used as an extension method, allowing the description of new object identifiers (and their corresponding values) without altering the base standard. Although Wireshark is familiar with many OIDs and the syntax of the values that go with them, the extensibility means that other values might be encountered. The user can specify the name and syntax of Object Identifiers that Wireshark is unaware of using this table, which is used by Wireshark (for example, a privately defined X.400 extension). Additionally, it enables the user to change the syntax and name of Object Identifiers that Wireshark is already apprehensive of (To exemplify, changing “id-at-countryName” to just “c”).
This table is the user table that consists of the following fields:
- OID: The OID is an Object Identifier as a string, for example, “2.5.4.6.”
- Name: The name that Wireshark should display when the Object Identifier is broken down, such as, (“c”);
- Syntax: The syntax here implies the value associated with the Object Identifier. This must be one of the syntaxes that Wireshark already knows about (To exemplify, “Printable String”).
DOF Object Identifiers:
Protocol field name: dof.oid
| FIELD NAME |
DESCRIPTION |
TYPE |
| dof.attribute.attribute |
Attribute |
Unsigned integer (1 byte) |
| dof.attribute.data |
Data |
Byte sequence |
| dof.attribute.header |
Header |
Unsigned integer (1 byte) |
| dof.attribute.id |
ID |
Unsigned integer (1 byte) |
| dof.attribute.length |
Length |
Unsigned integer (1 byte) |
| dof.attribute.oid |
OID |
Byte sequence |
| dof.oid.attribute |
Attribute |
Unsigned integer (1 byte) |
| dof.oid.attribute-data |
Attribute Data |
Byte sequence |
| dof.oid.class |
Class |
Unsigned integer (4 bytes) |
| dof.oid.data |
Data |
Byte sequence |
| dof.oid.header |
Header |
Unsigned integer (1 byte) |
| dof.oid.header_zero |
DOF Violation: Type.4:
Header bit mandated 0.
|
Label |
| dof.oid.length |
Length |
Unsigned integer (1 byte) |
Steps To View a Decoded OID Using Wireshark:
Install the 32-bit edition of Wireshark. Create a list of the OID’s MIB file names as follows:
- Copy every MIB file to a Linux computer.
- Execute the next command:
[user]@ubuntu:/tmp/mib$ ls -l total 2380
[user]@ubuntu:/tmp/mib$ grep “DEFINITIONS
::= BEGIN" *.mib | awk -F”:” '{print $2}'
| awk '{print $1}'.
- The next step is to make a product MIB folder under the following path:
C:\Program Files (x86)\Wireshark\
snmp\mibs\.
- Copy the MIB files to the following path:
C:\Program Files (x86)\Wireshark\
snmp\mibs\[product mib folder].
- Launch Wireshark and select Edit → Preferences → Name Resolution from the menu. Select the checkboxes to Enable OID resolution and Suppress SMI errors, then restart Wireshark by clicking OK.
- Relaunch Wireshark, then select Edit → Preferences → Name Resolution.
- Choose Edit. Then enter the location where your MIB files are stored (To exemplify, C:\Program Files (x86)\Wireshark\snmp\mibs\\[product mib folder]). Click OK.
- Enter all the MIB names in the SMI (MIB and PIB) modules area by clicking Edit… adjacent to that field. Click OK.
- Access an SNMP packet capture file. The OIDs are now shown as decoded.
Conclusion:
The string representation is used for Object Identifiers for their unique identification. The SNMP dissector is working properly. SNMPv3 packets that have been encrypted can be decrypted if set correctly.
Like Article
Suggest improvement
Share your thoughts in the comments
Please Login to comment...