
SMI Modules in Wireshark

Last Updated : 12 Sep, 2022

The purpose of SMI modules is to make use of Wireshark's protocol-agnostic approach and detect packets by their content rather than by their layer three protocols (protocols like TCP and UDP). The SMI module is located in the Wireshark/plugins/sme directory.

Usage:

The SMIs are generally used as follows: <cr> This parses all packets that have the type smi_type, including any pcap files left on your system. This file list can then be used to build a packet-capture adapter filter, for example: capture filter show 'pcap'; capture filter list > s_pptp_smi.txt, to see exactly which packets correspond to your SMI request.

We put the file list into a pcap file so that we can extract the individual packets that make up the SMIs. We do this because we don't want to analyze every single packet that matched our filter; that would be prohibitively time-consuming. To see the packet-capture adapter filter in action, put your pcap file somewhere on your local machine and run capture filter show 'pptp_smi' from the directory where you saved the pcap. After that, run Wireshark on the same machine and look at its status window.
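What an SMI module actually contributes to dissection is name resolution: a module written in SNMP's Structure of Management Information defines object identifiers relative to their parents, and a dissector uses those definitions to replace raw OIDs in SNMP packets with symbolic names and to label enumerated INTEGER values. The following is an added example, not code from the page or from Wireshark, that implements a minimal SMI module parser with the same behaviour. The module text EXAMPLE-MIB, the enterprise number 99999 and the OIDs fed to the resolver are all constructed for the illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample module in SNMPv2-SMI style (hypothetical enterprise 99999).
SAMPLE_MIB = """
EXAMPLE-MIB DEFINITIONS ::= BEGIN
IMPORTS enterprises FROM SNMPv2-SMI;
example       OBJECT IDENTIFIER ::= { enterprises 99999 }
exampleTable  OBJECT IDENTIFIER ::= { example 1 }
exOperStatus  OBJECT-TYPE
    SYNTAX      INTEGER { up(1), down(2), testing(3) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Operational state of the example device."
    ::= { exampleTable 8 }
END
"""

# Well-known arcs that every SMI module ultimately hangs off.
BASE_OIDS = {
    "iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2", "private": "1.3.6.1.4", "enterprises": "1.3.6.1.4.1",
}

# `name OBJECT IDENTIFIER ::= { parent arc }` and `name OBJECT-TYPE ... ::= { parent arc }`
DEF_RE = re.compile(
    r"(\w[\w-]*)\s+(?:OBJECT IDENTIFIER|OBJECT-TYPE|MODULE-IDENTITY)\b.*?"
    r"::=\s*\{\s*(\w[\w-]*)\s+(\d+)\s*\}",
    re.DOTALL,
)
# `name OBJECT-TYPE SYNTAX INTEGER { label(n), ... }` for enumerated values
ENUM_RE = re.compile(
    r"(\w[\w-]*)\s+OBJECT-TYPE\s+SYNTAX\s+INTEGER\s*\{([^}]*)\}", re.DOTALL
)


def build_oid_table(module_text: str) -> Dict[str, str]:
    """Resolve every definition in the module to a dotted numeric OID."""
    parents: Dict[str, Tuple[str, int]] = {}
    for name, parent, arc in DEF_RE.findall(module_text):
        parents[name] = (parent, int(arc))

    table: Dict[str, str] = {}

    def resolve(name: str, seen: Tuple[str, ...] = ()) -> str:
        if name in BASE_OIDS:
            return BASE_OIDS[name]
        if name in table:
            return table[name]
        if name in seen:
            raise ValueError(f"circular definition involving {name}")
        if name not in parents:
            raise KeyError(f"{name} is neither defined nor a known base arc")
        parent, arc = parents[name]
        table[name] = resolve(parent, seen + (name,)) + "." + str(arc)
        return table[name]

    for name in parents:
        resolve(name)
    return table


def build_enum_table(module_text: str) -> Dict[str, Dict[int, str]]:
    """Map each enumerated OBJECT-TYPE to its {value: label} pairs."""
    enums: Dict[str, Dict[int, str]] = {}
    for name, body in ENUM_RE.findall(module_text):
        enums[name] = {int(v): lbl for lbl, v in re.findall(r"(\w+)\s*\(\s*(\d+)\s*\)", body)}
    return enums


def name_for_oid(oid: str, table: Dict[str, str]) -> str:
    """Longest-prefix match, as a dissector does: unknown tails stay numeric."""
    by_oid = {v: k for k, v in {**BASE_OIDS, **table}.items()}
    parts = oid.split(".")
    for i in range(len(parts), 0, -1):
        prefix = ".".join(parts[:i])
        if prefix in by_oid:
            tail = parts[i:]
            return by_oid[prefix] + (("." + ".".join(tail)) if tail else "")
    return oid  # nothing in the loaded modules covers this OID


def label_value(obj: str, raw: int, enums: Dict[str, Dict[int, str]]) -> str:
    """Render an INTEGER the way a MIB-aware display would: label (n)."""
    return f"{enums.get(obj, {}).get(raw, 'unknown')} ({raw})"


if __name__ == "__main__":
    oids = build_oid_table(SAMPLE_MIB)
    enums = build_enum_table(SAMPLE_MIB)
    # A constructed SNMP varbind: exOperStatus.0 = 2
    print(name_for_oid("1.3.6.1.4.1.99999.1.8.0", oids), "=",
          label_value("exOperStatus", 2, enums))
```

The resolver walks each definition up to a base arc, so a module that references an undefined parent or loops back on itself fails loudly instead of silently producing a wrong OID; an OID whose prefix is known but whose tail is not is printed with the symbolic prefix and the numeric remainder, which is also how a dissector reports an instance it has no module for.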

Wireshark SMI (MIB+PIB)


SMI (MIB and PIB) Paths:

Let's begin by taking a look at the Wireshark GUI. The main window displays the packets in your capture file. If you are not seeing any packets yet, click on Capture, next to your computer's name at the top of the interface, and select "Start." Now let's take a quick look at some of these folders: MSS, and Mobile Control Contexts. This is where you will find control protocol messages sent by mobile devices, such as SMS, MMS, or IM, so that Wireshark can display them correctly when capturing them over Bluetooth or Wi-Fi.

  • SESSION: Captures TCP connections between machines or networks.
  • TCP and ICMP: In this folder, you can find information about TCP and ICMP packets.
  • DUMP: Information that has been formatted in ASCII to be read by humans can be found in this folder.
  • Decode As Raw PDUs (Protocol Data Units): This option is selected by default, and it makes sure that Wireshark decodes protocols and MAC addresses.
  • IPv4 Stream Format: This is a format used by IPv4 network devices such as computers, switches, and routers to communicate with each other. It is the default file type if you have no reason to change it, and by default it decodes the format of packets in the capture file.
  • IPv6 Stream Format: This is a format used by IPv6 network devices such as computers, switches, and routers to communicate with each other.
  • ARP Stream Format: This is a format used for ARP (Address Resolution Protocol) network packets.
  • RARP Stream Format: This is also known as RAW ARP, and it is a format used for RARP (Routing and Routing Protocols) packets.
  • Ethernet Stream Format: This is a stream format used by Ethernet broadcast frames from MAC layer networks to upper layer protocols.

Countermeasures: 

  • Packet Pushers Network Team has developed a number of other analysis tools that also use SMI modules. These tools are covered in the Wireshark SMI module documentation.
  • Wireshark SMI Module wiki page: "Filter based on entire packet contents. Specify a filter based on the entire packet contents (including encapsulated headers)."
    This filter can be used after you have filtered out the actual protocols you are interested in, to get an overall idea of what is going on in your encoding and decoding. Note that if you use this filter, there will be no output present in an unmodified capture file.

Conclusion: 

The SMI module is a nice way to show the state of your encoding and decoding, for instance when you are trying to decode a video file or something else that carries some kind of encoding overhead.
