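# snmp.cnf
# snmp conformance file
#
# Input for asn2wrs: the directives below override or wrap the dissector code
# generated from the SNMP ASN.1 definitions.  The FN_BODY / FN_FTR sections are
# C fragments spliced into generated functions, so names such as tvb, offset,
# pinfo, tree, hf_index and implicit_tag come from the generated code, and
# usm_p, oid_tvb, value_tvb, var_list and MsgSecurityModel from the template.
# Everything dissected here is attacker-controlled network data.
#
# NOTE(review): usm_p, oid_tvb and value_tvb are written in one section and
# read in another; this file does not show where they are reset per packet --
# confirm that the template clears them before each SNMP message.

# $Id$

#.PDU
SMUX-PDUs

#.NO_EMIT
GetNextRequest-PDU
GetResponse-PDU
SetRequest-PDU
GetRequest-PDU
Gauge32
NotificationName
SnmpEngineID

#.TYPE_RENAME

#.FIELD_RENAME
Messagev2u/datav2u/plaintext v2u_plaintext
BulkPDU/request-id bulkPDU_request-id

#.FN_PARS PDUs
  VAL_PTR = &pdu_type

#.FN_BODY PDUs
	/* Branch of the PDUs CHOICE that was taken, filled in through VAL_PTR.
	 * Initialised so the column text below never reads an indeterminate
	 * value if the generated body does not store a branch. */
	gint pdu_type = -1;

%(DEFAULT_BODY)s
	/* Show the PDU type name in the Info column. */
	if (check_col(pinfo->cinfo, COL_INFO))
		col_add_str(pinfo->cinfo, COL_INFO, val_to_str(pdu_type, snmp_PDUs_vals,"Unknown PDU type (%%u)"));

#.FN_BODY PDUs/get-request
	/* Tagged-assignment workaround: when the tag is not implicit, step over
	 * the BER identifier and length octets by hand, then dissect the PDU as
	 * implicitly tagged.  The values read into class, pc, tag, len1 and
	 * ind_field are not used afterwards. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/get-next-request
	/* Same tagged-assignment workaround as PDUs/get-request. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/get-response
	/* Same tagged-assignment workaround as PDUs/get-request. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/set-request
	/* Same tagged-assignment workaround as PDUs/get-request. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/trap
	/* Same tagged-assignment workaround, dispatching to the Trap PDU. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_Trap_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/getBulkRequest
	/* Same tagged-assignment workaround, dispatching to GetBulkRequest. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_GetBulkRequest_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/informRequest
	/* Same tagged-assignment workaround, dispatching to InformRequest. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_InformRequest_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/sNMPv2-Trap
	/* Same tagged-assignment workaround, dispatching to SNMPv2-Trap. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_SNMPv2_Trap_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_BODY PDUs/report
	/* Same tagged-assignment workaround, dispatching to Report. */
	gint8 class;
	gboolean pc, ind_field;
	gint32 tag;
	guint32 len1;

	if(!implicit_tag){
		/* XXX asn2wrs can not yet handle tagged assignment so this
		 * XXX is some conformance file magic to work around that bug
		 */
		offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
		offset = get_ber_length(tree, tvb, offset, &len1, &ind_field);
	}
	offset = dissect_snmp_Report_PDU(TRUE, tvb, offset, pinfo, tree, hf_index);

#.FN_PARS HeaderData/msgSecurityModel
  VAL_PTR = &MsgSecurityModel

#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineBoots
  VAL_PTR = &usm_p.boots

#.FN_PARS UsmSecurityParameters/msgAuthoritativeEngineTime
  VAL_PTR = &usm_p.time

#.FN_BODY UsmSecurityParameters/msgAuthoritativeEngineID
	/* Store the engine ID octets in usm_p.engine_tvb (read again when the
	 * user association is looked up) and decode them into a subtree. */
	offset = dissect_ber_octet_string(implicit_tag, pinfo, tree, tvb, offset, hf_index, &usm_p.engine_tvb);
	/* Test the tvb that was actually filled in.  The previous code tested a
	 * separate local that was never assigned, so the engine ID subtree was
	 * never built. */
	if (usm_p.engine_tvb) {
		proto_tree* engine_tree = proto_item_add_subtree(get_ber_last_created_item(),ett_engineid);
		dissect_snmp_engineid(engine_tree, usm_p.engine_tvb, 0, tvb_length_remaining(usm_p.engine_tvb,0));
	}

#.FN_PARS UsmSecurityParameters/msgUserName
  VAL_PTR = &usm_p.user_tvb

#.FN_BODY UsmSecurityParameters/msgAuthenticationParameters
	/* Keep the authentication parameter octets, the tree item created for
	 * them and their offset from the start of the real data; the
	 * SNMPv3Message footer hangs the verification result under auth_item. */
	offset = dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_index, &usm_p.auth_tvb);
	if (usm_p.auth_tvb) {
		usm_p.auth_item = get_ber_last_created_item();
		usm_p.auth_offset = offset_from_real_beginning(usm_p.auth_tvb,0);
	}

#.FN_PARS UsmSecurityParameters/msgPrivacyParameters
  VAL_PTR = &usm_p.priv_tvb

#.FN_BODY ScopedPduData/encryptedPDU
	/* Dissect the encrypted octets and, when the message is flagged as
	 * encrypted and a user association with a privacy protocol is known,
	 * decrypt them and dissect the result as a ScopedPDU. */
	tvbuff_t* crypt_tvb = NULL;

	offset = dissect_ber_octet_string(FALSE, pinfo, tree, tvb, offset, hf_snmp_encryptedPDU, &crypt_tvb);

	if( usm_p.encrypted && crypt_tvb
		&& usm_p.user_assoc
		&& usm_p.user_assoc->user.privProtocol ) {

		const gchar* error = NULL;
		proto_tree* encryptedpdu_tree = proto_item_add_subtree(get_ber_last_created_item(),ett_encryptedPDU);
		tvbuff_t* cleartext_tvb = usm_p.user_assoc->user.privProtocol(&usm_p, crypt_tvb, &error );

		if (! cleartext_tvb) {
			proto_item* cause;

			/* Do not hand a NULL string to the format below if the
			 * privacy routine failed without setting a message. */
			if (! error)
				error = "unknown error";

			/* Attach the failure to the ciphertext: cleartext_tvb is
			 * NULL on this path and must not be used as the item's
			 * backing buffer. */
			cause = proto_tree_add_text(encryptedpdu_tree, crypt_tvb, 0, -1,
				"Failed to decrypt encryptedPDU: %%s", error);

			expert_add_info_format(pinfo, cause, PI_MALFORMED, PI_WARN,
				"Failed to decrypt encryptedPDU: %%s", error);

			return offset;
		} else {
			proto_item* decrypted_item;
			proto_tree* decrypted_tree;

			/* Decryption itself cannot tell a wrong key from a right
			 * one, so check the output's shape before feeding it to
			 * the ScopedPDU dissector. */
			if (! check_ScopedPdu(cleartext_tvb)) {
				proto_item* cause = proto_tree_add_text(encryptedpdu_tree, cleartext_tvb, 0, -1,
					"Decrypted data not formated as expected, wrong key?");

				expert_add_info_format(pinfo, cause, PI_MALFORMED, PI_WARN,
					"Decrypted data not formated as expected");

				return offset;
			}

			/* Expose the cleartext as its own data source and tie its
			 * lifetime to the parent tvb. */
			add_new_data_source(pinfo, cleartext_tvb, "Decrypted ScopedPDU");
			tvb_set_child_real_data_tvbuff(tvb, cleartext_tvb);

			decrypted_item = proto_tree_add_item(encryptedpdu_tree, hf_snmp_decryptedPDU,cleartext_tvb,0,-1,FALSE);
			decrypted_tree = proto_item_add_subtree(decrypted_item,ett_decrypted);
			dissect_snmp_ScopedPDU(FALSE, cleartext_tvb, 0, pinfo, decrypted_tree, -1);
		}
	}

#.FN_BODY SNMPv3Message/msgSecurityParameters
	/* Length of the OCTET STRING wrapping the USM parameters; read only so
	 * that the BER helper can step over the length octets. */
	guint32 sec_params_len;

	switch(MsgSecurityModel){
		case SNMP_SEC_USM:	/* 3 */
			/* Step over the OCTET STRING identifier and length with
			 * the BER helpers.  The previous fixed "offset+2" is only
			 * right for a one-byte length; a sender using a long-form
			 * length would start the nested dissector in the middle
			 * of the length octets. */
			offset = get_ber_identifier(tvb, offset, NULL, NULL, NULL);
			offset = get_ber_length(NULL, tvb, offset, &sec_params_len, NULL);
			offset = dissect_snmp_UsmSecurityParameters(FALSE, tvb, offset, pinfo, tree, -1);
			/* Look up the configured user for this engine ID / user
			 * name pair; the result may be NULL and is checked by
			 * every later use in this file. */
			usm_p.user_assoc = get_user_assoc(usm_p.engine_tvb, usm_p.user_tvb);
			break;
		case SNMP_SEC_ANY:	/* 0 */
		case SNMP_SEC_V1:	/* 1 */
		case SNMP_SEC_V2C:	/* 2 */
		default:
			%(DEFAULT_BODY)s
			break;
	}

#.FN_FTR SNMPv3Message
	/* After the whole message has been dissected: if it is flagged as
	 * authenticated and the user has an authentication model, verify the
	 * authentication parameters and report the outcome under auth_item. */
	if( usm_p.authenticated
		&& usm_p.user_assoc
		&& usm_p.user_assoc->user.authModel ) {
		const gchar* error = NULL;
		proto_item* authen_item;
		proto_tree* authen_tree = proto_item_add_subtree(usm_p.auth_item,ett_authParameters);
		/* Initialised so the mismatch branch never formats an
		 * indeterminate pointer or length if authenticate() returns
		 * without filling them in. */
		guint8* calc_auth = NULL;
		guint calc_auth_len = 0;

		usm_p.authOK = usm_p.user_assoc->user.authModel->authenticate( &usm_p, &calc_auth, &calc_auth_len, &error );

		if (error) {
			authen_item = proto_tree_add_text(authen_tree,tvb,0,0,"Error while verifying Messsage authenticity: %s", error);
			PROTO_ITEM_SET_GENERATED(authen_item);
			expert_add_info_format( pinfo, authen_item, PI_MALFORMED, PI_ERROR, "Error while verifying Messsage authenticity: %s", error );
		} else {
			int severity;
			gchar* fmt;

			authen_item = proto_tree_add_boolean(authen_tree, hf_snmp_msgAuthentication, tvb, 0, 0, usm_p.authOK);
			PROTO_ITEM_SET_GENERATED(authen_item);

			if (usm_p.authOK) {
				fmt = "SNMP Authentication OK";
				severity = PI_CHAT;
			} else {
				/* Show the locally calculated value next to the
				 * mismatch, when one was produced. */
				if (calc_auth) {
					gchar* calc_auth_str = bytestring_to_str(calc_auth,calc_auth_len,' ');
					proto_item_append_text(authen_item, " calcuated = %s", calc_auth_str);
				}
				fmt = "SNMP Authentication Error";
				severity = PI_WARN;
			}

			/* fmt is one of the two literals above and holds no
			 * conversion specifiers; keep it that way, since it is
			 * passed as the format argument. */
			expert_add_info_format( pinfo, authen_item, PI_CHECKSUM, severity, fmt );
		}
	}

#.FN_PARS HeaderData/msgFlags
  VAL_PTR = &parameter_tvb

#.FN_BODY HeaderData/msgFlags
	/* Decode the msgFlags octet into the report / crypt / auth bits and
	 * record the last two in usm_p for the encryptedPDU body and the
	 * SNMPv3Message footer. */
	tvbuff_t *parameter_tvb = NULL;

%(DEFAULT_BODY)s
	if (parameter_tvb){
		/* Reads the first octet of the field; NOTE(review): an empty
		 * octet string relies on the tvb accessor's own bounds
		 * handling -- confirm. */
		guint8 v3_flags = tvb_get_guint8(parameter_tvb, 0);
		proto_tree* flags_tree = proto_item_add_subtree(get_ber_last_created_item(),ett_msgFlags);

		proto_tree_add_item(flags_tree, hf_snmp_v3_flags_report, parameter_tvb, 0, 1, FALSE);
		proto_tree_add_item(flags_tree, hf_snmp_v3_flags_crypt, parameter_tvb, 0, 1, FALSE);
		proto_tree_add_item(flags_tree, hf_snmp_v3_flags_auth, parameter_tvb, 0, 1, FALSE);

		usm_p.encrypted = v3_flags & TH_CRYPT ? TRUE : FALSE;
		usm_p.authenticated = v3_flags & TH_AUTH ? TRUE : FALSE;
	}

#.FN_BODY VarBind
	/* Clear the per-VarBind captures, run the generated body (which fills
	 * oid_tvb through ObjectName and value_tvb through String-value), then
	 * queue the value for the dissector table keyed by the OID string. */
	oid_tvb = NULL;
	value_tvb = NULL;
%(DEFAULT_BODY)s
	if (oid_tvb && value_tvb) {
		next_tvb_add_string(&var_list, value_tvb, (snmp_var_in_tree) ? tree : NULL,
			variable_oid_dissector_table,
			oid_to_str(tvb_get_ptr(oid_tvb, 0, tvb_length(oid_tvb)), tvb_length(oid_tvb)));
	}

#.FN_PARS ObjectName
  VAL_PTR = &oid_tvb

#.FN_BODY String-value
	/* Decode the value with the hand-written variable decoder, keeping the
	 * value octets in value_tvb, and advance by the length it reports.
	 * NOTE(review): length comes back from snmp_variable_decode(); whether
	 * it is bounded by the captured data is not visible here -- confirm. */
	guint length;

	snmp_variable_decode(tvb, tree, pinfo, oid_tvb, offset, &length, &value_tvb);
	offset = offset + length;

#.FN_BODY Integer-value
	/* As String-value, without capturing the value octets. */
	guint length;

	snmp_variable_decode(tvb, tree, pinfo, oid_tvb, offset, &length, NULL);
	offset = offset + length;

#.FN_BODY ObjectID-value
	/* As String-value, without capturing the value octets. */
	guint length;

	snmp_variable_decode(tvb, tree, pinfo, oid_tvb, offset, &length, NULL);
	offset = offset + length;

#.FN_BODY Empty
	/* As String-value, without capturing the value octets. */
	guint length;

	snmp_variable_decode(tvb, tree, pinfo, oid_tvb, offset, &length, NULL);
	offset = offset + length;

#.FN_BODY NetworkAddress/internet
	/* see http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1125 */
	/* Peek at the encoded length to pick a dissector: 4 octets is an IPv4
	 * address, 16 is treated as IPv6, anything else as opaque.  Every
	 * length other than 4 is also flagged as a protocol violation. */
	guint32 len;
	int cur_offset;

	cur_offset = get_ber_identifier(tvb, offset, NULL, NULL, NULL);
	get_ber_length(NULL, tvb, cur_offset, &len, NULL);

	switch (len) {
		case 4:
			offset = dissect_snmp_IpAddress(FALSE, tvb, offset, pinfo, tree, hf_snmp_internet);
			break;
		case 16:
			offset = dissect_snmp_IpAddressIpv6(FALSE, tvb, offset, pinfo, tree, hf_snmp_internet_ipv6);
			break;
		default:
			offset = dissect_snmp_IpAddressOther(FALSE, tvb, offset, pinfo, tree, hf_snmp_internet_other);
			break;
	}

	if (len != 4) {
		proto_item* pi = get_ber_last_created_item();
		proto_tree* pt = proto_item_add_subtree(pi,ett_internet);

		/*
		 * It might be possible to do so, although the dissector should probably still put
		 * a complaint into the protocol tree ("not irritating Cisco by pointing out where
		 * they're violating the standard" is not a project goal for Wireshark :-)).
		 *		-- Guy Harris
		 */
		/* The two literals are concatenated by the compiler; the first
		 * one needs its trailing space or the text reads "violatingthe". */
		pi = proto_tree_add_text(pt,tvb,cur_offset,len,
			"The host that generated this packet is violating "
			"the SNMP protocol definition and sends corrupt and invalid packets");
		PROTO_ITEM_SET_GENERATED(pi);
		expert_add_info_format( pinfo, pi, PI_MALFORMED, PI_ERROR, "Corrupt and Invalid packet" );
	}

#.TYPE_ATTR
Counter64  TYPE = FT_UINT64  DISPLAY = BASE_DEC  STRINGS = NULL
IpAddress  TYPE = FT_IPv4  DISPLAY = BASE_NONE  STRINGS = NULL
Message/community  TYPE = FT_STRING  DISPLAY = BASE_HEX  STRINGS = NULL
HeaderData/msgSecurityModel  TYPE = FT_UINT32  DISPLAY = BASE_DEC  STRINGS = VALS(sec_models)
UsmSecurityParameters/msgUserName  TYPE = FT_STRING  DISPLAY = BASE_HEX  STRINGS = NULL
#.END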