1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
|
# snmp.cnf
# snmp conformation file
#.PDU
SMUX-PDUs
#.NO_EMIT
NotificationName
VarBind
#.TYPE_RENAME
Message/community Community
Trap-PDU/_untag/generic-trap GenericTrap
Trap-PDU/_untag/specific-trap SpecificTrap
#.FIELD_RENAME
Messagev2u/datav2u/plaintext v2u_plaintext
BulkPDU/request-id bulkPDU_request-id
#.FN_PARS PDUs
VAL_PTR = &pdu_type
#.FN_BODY PDUs
gint pdu_type=-1;
col_clear(actx->pinfo->cinfo, COL_INFO);
%(DEFAULT_BODY)s
if( (pdu_type!=-1) && snmp_PDUs_vals[pdu_type].strptr ){
col_prepend_fstr(actx->pinfo->cinfo, COL_INFO, "%%s", snmp_PDUs_vals[pdu_type].strptr);
}
#.END
#.FN_BODY Trap-PDU/_untag
generic_trap = 0;
enterprise_oid = NULL;
%(DEFAULT_BODY)s
#.FN_PARS Trap-PDU/_untag/generic-trap VAL_PTR = &generic_trap
#.FN_BODY Trap-PDU/_untag/specific-trap VAL_PTR = &specific_trap
guint specific_trap;
%(DEFAULT_BODY)s
if (generic_trap == 6) { /* enterprise specific */
const gchar *specific_str = snmp_lookup_specific_trap (specific_trap);
if (specific_str) {
proto_item_append_text(actx->created_item, " (%%s)", specific_str);
}
}
#.END
#.FN_PARS EnterpriseOID FN_VARIANT = _str VAL_PTR = &enterprise_oid
#.FN_BODY EnterpriseOID
const gchar* name;
%(DEFAULT_BODY)s
if (display_oid && enterprise_oid) {
name = oid_resolved_from_string(enterprise_oid);
if (name) {
col_append_fstr (actx->pinfo->cinfo, COL_INFO, " %%s", name);
}
}
#.END
#.FN_PARS HeaderData/msgSecurityModel
VAL_PTR = &MsgSecurityModel
#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineBoots
VAL_PTR = &usm_p.boots
#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineTime
VAL_PTR = &usm_p.time
#.FN_BODY UsmSecurityParameters/msgAuthoritativeEngineID
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
&usm_p.engine_tvb);
if (usm_p.engine_tvb) {
proto_tree* engine_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_engineid);
dissect_snmp_engineid(engine_tree, usm_p.engine_tvb, 0, tvb_captured_length_remaining(usm_p.engine_tvb,0));
}
#.FN_BODY SnmpEngineID
tvbuff_t* param_tvb = NULL;
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
¶m_tvb);
if (param_tvb) {
proto_tree* engine_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_engineid);
dissect_snmp_engineid(engine_tree, param_tvb, 0, tvb_captured_length_remaining(param_tvb,0));
}
#.FN_PARS UsmSecurityParameters/msgUserName
VAL_PTR = &usm_p.user_tvb
#.FN_BODY UsmSecurityParameters/msgAuthenticationParameters
offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &usm_p.auth_tvb);
if (usm_p.auth_tvb) {
usm_p.auth_item = %(ACTX)s->created_item;
usm_p.auth_offset = tvb_offset_from_real_beginning(usm_p.auth_tvb);
}
#.FN_PARS UsmSecurityParameters/msgPrivacyParameters
VAL_PTR = &usm_p.priv_tvb
#.FN_BODY ScopedPduData/encryptedPDU
tvbuff_t* crypt_tvb;
offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_snmp_encryptedPDU, &crypt_tvb);
if( usm_p.encrypted && crypt_tvb
&& usm_p.user_assoc
&& usm_p.user_assoc->user.privProtocol ) {
const gchar* error = NULL;
proto_tree* encryptedpdu_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_encryptedPDU);
tvbuff_t* cleartext_tvb = usm_p.user_assoc->user.privProtocol(&usm_p, crypt_tvb, &error );
if (! cleartext_tvb) {
proto_tree_add_expert_format(encryptedpdu_tree, actx->pinfo, &ei_snmp_failed_decrypted_data_pdu,
crypt_tvb, 0, -1, "Failed to decrypt encryptedPDU: %%s", error);
col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: Failed to decrypt");
return offset;
} else {
proto_item* decrypted_item;
proto_tree* decrypted_tree;
if (! check_ScopedPdu(cleartext_tvb)) {
proto_item* cause = proto_tree_add_text(encryptedpdu_tree, cleartext_tvb, 0, -1,
"Decrypted data not formatted as expected, wrong key?");
expert_add_info(actx->pinfo, cause, &ei_snmp_decrypted_data_bad_formatted);
col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: Decrypted data not formatted as expected");
return offset;
}
add_new_data_source(actx->pinfo, cleartext_tvb, "Decrypted ScopedPDU");
decrypted_item = proto_tree_add_item(encryptedpdu_tree, hf_snmp_decryptedPDU,cleartext_tvb,0,-1,ENC_NA);
decrypted_tree = proto_item_add_subtree(decrypted_item,ett_decrypted);
dissect_snmp_ScopedPDU(FALSE, cleartext_tvb, 0, actx, decrypted_tree, -1);
}
} else {
col_set_str(actx->pinfo->cinfo, COL_INFO, "encryptedPDU: privKey Unknown");
}
#.FN_BODY SNMPv3Message/msgSecurityParameters
switch(MsgSecurityModel){
case SNMP_SEC_USM: /* 3 */
offset = dissect_snmp_UsmSecurityParameters(FALSE, tvb, offset+2, actx, tree, -1);
usm_p.user_assoc = get_user_assoc(usm_p.engine_tvb, usm_p.user_tvb);
break;
case SNMP_SEC_ANY: /* 0 */
case SNMP_SEC_V1: /* 1 */
case SNMP_SEC_V2C: /* 2 */
default:
%(DEFAULT_BODY)s
break;
}
#.FN_FTR SNMPv3Message
if( usm_p.authenticated
&& usm_p.user_assoc
&& usm_p.user_assoc->user.authModel ) {
const gchar* error = NULL;
proto_item* authen_item;
proto_tree* authen_tree = proto_item_add_subtree(usm_p.auth_item,ett_authParameters);
guint8* calc_auth;
guint calc_auth_len;
usm_p.authOK = usm_p.user_assoc->user.authModel->authenticate( &usm_p, &calc_auth, &calc_auth_len, &error );
if (error) {
expert_add_info_format( actx->pinfo, usm_p.auth_item, &ei_snmp_verify_authentication_error, "Error while verifying Message authenticity: %s", error );
} else {
expert_field* expert;
authen_item = proto_tree_add_boolean(authen_tree, hf_snmp_msgAuthentication, tvb, 0, 0, usm_p.authOK);
PROTO_ITEM_SET_GENERATED(authen_item);
if (usm_p.authOK) {
expert = &ei_snmp_authentication_ok;
} else {
const gchar* calc_auth_str = bytestring_to_str(wmem_packet_scope(), calc_auth,calc_auth_len,' ');
proto_item_append_text(authen_item, " calculated = %s", calc_auth_str);
expert = &ei_snmp_authentication_error;
}
expert_add_info( actx->pinfo, authen_item, expert);
}
}
#.END
#.FN_BODY HeaderData/msgFlags VAL_PTR = ¶meter_tvb
tvbuff_t *parameter_tvb = NULL;
%(DEFAULT_BODY)s
if (parameter_tvb){
guint8 v3_flags = tvb_get_guint8(parameter_tvb, 0);
proto_tree* flags_tree = proto_item_add_subtree(%(ACTX)s->created_item,ett_msgFlags);
proto_tree_add_item(flags_tree, hf_snmp_v3_flags_report, parameter_tvb, 0, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(flags_tree, hf_snmp_v3_flags_crypt, parameter_tvb, 0, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(flags_tree, hf_snmp_v3_flags_auth, parameter_tvb, 0, 1, ENC_BIG_ENDIAN);
usm_p.encrypted = v3_flags & TH_CRYPT ? TRUE : FALSE;
usm_p.authenticated = v3_flags & TH_AUTH ? TRUE : FALSE;
}
#.TYPE_ATTR
NetworkAddress TYPE = FT_IPv4 DISPLAY = BASE_NONE STRINGS = NULL
Message/community TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
HeaderData/msgSecurityModel TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(sec_models)
UsmSecurityParameters/msgUserName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
ScopedPDU/contextName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
#.END
|
