
SNMP in Wireshark

Last Updated : 09 Nov, 2022

The Internet Architecture Board (IAB) defined the Simple Network Management Protocol (SNMP) in RFC 1157 as an application-layer protocol for exchanging management data between network devices. It belongs to the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol family and is one of the most widely used protocols for managing and monitoring network components. Most professional-grade network components ship with an integrated SNMP agent; to communicate with network monitoring tools or a network management system (NMS), these agents must be enabled and configured. SNMP normally uses UDP as its transport protocol, and its well-known ports are UDP 161 (SNMP) and UDP 162 (SNMP TRAP). It can also run over TCP, Ethernet, IPX, and other protocols, and the ILMI (Integrated Local Management Interface) protocol used by ATM is based on SNMP.

SNMP Protocol Versions:

SNMP version 1: Developed in the 1980s, this is the original version of SNMP and is regarded as the least reliable choice. SNMPv1 supports only low-level security: it transfers data in the clear, without encryption (the community string included). The type of data that can be returned is constrained by the fact that this version was designed around 32-bit counters.

SNMPv2: Developed in the 1990s, SNMPv2 is an update to version 1 that improves security and performance but still does not employ encryption. It also added the option of 64-bit counters to accommodate larger, faster interfaces (e.g., 10Gb) and the GetBulkRequest operation for retrieving greater amounts of data in a single request.

SNMPv3: The most recent version, SNMPv3, keeps the capabilities of the base protocol and adds cryptographic security to provide data privacy and authenticity. This improved variant of the protocol is the one best suited to securing device access while keeping performance high.

SNMP Basic Components:

  • Managed devices and resources: The hardware and network components within an organization's network that need to be controlled and monitored, from printers and desktops to routers and switches. Managed devices run SNMP nodes that can be configured to communicate with other network elements.
  • SNMP Agent: An application bundled inside the network element. When the agent is enabled, it gathers the device's management information locally and makes that information available whenever the SNMP manager requests it.
  • SNMP Manager: A manager or management system is a separate entity in charge of interacting with network devices that have SNMP agents installed. Typically, one or more network management systems run on this machine.
  • Management Information Base (MIB): Each SNMP agent holds a database describing the parameters of the monitored device. The SNMP manager uses this database to ask the agent for particular information, which is then translated for the Network Management System (NMS) as necessary. This database shared between the agent and the manager is called the Management Information Base (MIB).

SNMP Fundamental Commands:

The following are the basic commands of SNMP-

  • GET: A request sent by the manager to the managed device to obtain one or more values from it.
  • GET NEXT: Similar to GET. The key distinction is that GET NEXT returns the value of the next OID in the MIB tree.
  • GET BULK: Used to retrieve large amounts of data from a MIB table.
  • SET: Used by managers to change or assign a value on the managed device.
  • TRAP: In contrast to the operations above, which are initiated by the SNMP manager, TRAPs are initiated by the agent. The agent sends a notification to the SNMP manager when an event occurs.
  • INFORM: Similar to a TRAP, but the SNMP manager confirms that it received the message.
  • RESPONSE: Used to carry the value(s) or status back to the SNMP manager in reply to manager-initiated operations.

SNMP Configuration Types:

There are two SNMP configuration types: SNMP uses read-only and read-write community strings to exchange data. Either can be configured to allow public access or to forbid unauthorized changes.

  • Read-only: The read-only community string lets any software or hardware that can speak SNMP read values from the device.
  • Read-Write: The read-write community string also allows values to be set or changed, such as the settings of a device.

Display SNMP in Wireshark:

Following are the steps to display SNMP in Wireshark:

  • Perform an SNMP walk from an SNMP client.
  • Open Wireshark and select Edit → Preferences from the menu, then Name Resolution → Appearance.
  • Choose the MIB and PIB (SMI) paths.

SNMP Enterprise Specific Trap Type in Wireshark:

Wireshark uses this table to map specific-trap values in a Trap PDU to user-defined descriptions. When a packet's specific-trap field matches an entry, the description is displayed in the packet details. This is a user table with the following fields:

  • Enterprise OID: The object identifier of the enterprise that generates the trap.
  • Trap ID: An integer identifying the specific trap code.
  • Description: The description to display for that trap in the packet details.

Captured Traffic on Wireshark:

[Figure: SNMP captured stream]