
SNMP version 3 – Wireshark (pcap) Capture

April 2nd, 2013


Download this capture file: snmp_usm

OR: view it now via Cloudshark

SNMPv3 provides a secure environment for the management of systems covering the following:

  • Identification of SNMP entities to facilitate communication only between known SNMP entities – Each SNMP entity has an identifier called the SNMPEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and Notifications are exceptions to this rule.
  • Support for security models – A security model may define the security policy within an administrative domain or an intranet. SNMPv3 contains the specifications for USM.
  • Definition of security goals – The message authentication service is designed to protect against the following threats.
    • Modification of Information – Protection against some unauthorized SNMP entity altering in-transit messages generated by an authorized principal.
    • Masquerade – Protection against attempting management operations not authorized for some principal by assuming the identity of another principal that has the appropriate authorizations.
    • Message Stream Modification – Protection against messages getting maliciously re-ordered, delayed, or replayed to effect unauthorized management operations.
    • Disclosure – Protection against eavesdropping on the exchanges between SNMP engines.
  • Specification for USM – USM defines the following communication modes (security levels), selected per message through the msgFlags field.
    • Communication without authentication and privacy (NoAuthNoPriv).
    • Communication with authentication and without privacy (AuthNoPriv).
    • Communication with authentication and privacy (AuthPriv).

SNMPv3 Message Format:

  1. msgVersion – This field contains the SNMP message version. A value of 0 denotes an SNMPv1 message, 1 an SNMPv2c message, 2 an SNMPv2 message, and 3 an SNMPv3 message. The message version is used to choose between the message processing models (SNMPv1, SNMPv2c, or SNMPv3) available in the SNMP engine/entity.
  2. msgID – This field contains the SNMP message identifier, the unique ID associated with the message. The msgID field is distinct from the reqID field carried inside the PDU: a received PDU may be impossible to decode because of the security parameters in force between the SNMP entities, whereas msgID sits in the unprotected header. The msgID is therefore used to relate a request to its response (or Report) during a transaction.
  3. msgMaxSize – This field gives the maximum size of the message which the requesting SNMP entity can accept.
  4. msgFlags – This field contains the message security level. The bit 0 of msgFlags indicates whether a message is authenticated. The bit 1 indicates whether a message uses privacy. The bit 2 indicates whether a report PDU is expected for the message (in case the message is dropped or a response cannot be generated).
  5. msgSecurityModel – This field indicates the security model used to generate the message. It has a value of 3 when USM is used.
  6. msgEngineID – This field has the SNMPEngineID of the authoritative SNMP entity involved in the transaction. When a request PDU is generated from an SNMP engine, the remote peer (agent for Get request and manager for Trap request) is the authoritative SNMP entity.
  7. msgEngineBoots – This field indicates the number of times the authoritative SNMP entity has booted. This field is used in authenticated messages to validate the timeliness of a message.
  8. msgEngineTime – This field indicates the time since the authoritative SNMP entity has been rebooted. This field is used in authenticated messages to validate the timeliness of a message.
  9. msgUserName – This field contains the principal who originated the request. The fields msgUserName and the msgEngineID are used to locate the security data associated with the message from the USM database. This security data is used to authenticate and process the message.
  10. msgSecurityParams – This field contains the security parameters, which are security model dependent. For USM it carries the authentication parameters and the privacy parameters. In an AuthPriv message, the authentication parameter holds the digest computed over the message with the authentication protocol of the matching USM entry, and the privacy parameter holds the salt generated while encrypting the message with the privacy protocol of that USM entry.
  11. contextEngineID – Within an administrative domain, the contextEngineID uniquely identifies an SNMP entity that may realize an instance of a context with a particular contextName.
  12. contextName – A contextName is used to name a context. Each contextName must be unique within an SNMP entity.
  13. pdu – The SNMP PDU (Protocol Data Unit) is used for communication between the SNMP entities. PDU encapsulates the SNMP request ID, error status, variable bindings, and so on. There are different types of PDUs, such as GetRequest-PDU, GetNextRequest-PDU, GetBulkRequest-PDU, Response-PDU, SetRequest-PDU, Trap-PDU, InformRequest-PDU, SNMPv2-Trap-PDU, and Report-PDU. The exact format of the PDU depends on the type of the PDU.
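The USM security levels and the field list above map directly onto the BER structure that Wireshark decodes from the capture. The following is an added example, not code from the original post: a minimal BER decoder for the outer SNMPv3 message (RFC 3412) and the USM security parameters (RFC 3414), with a small encoder used only to construct sample input. The engine ID, user name, msgID and other values in `sample_message` are made up; the authentication parameter is an all-zero placeholder rather than a real HMAC.

```python
# Added example (not from the original page). Minimal BER handling for the
# SNMPv3 message header, USM parameters and plaintext ScopedPDU.
TAG_INT, TAG_OCTETS, TAG_SEQ, TAG_GETREQUEST = 0x02, 0x04, 0x30, 0xA0

def _enc_len(n):
    # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def enc_tlv(tag, body):
    return bytes([tag]) + _enc_len(len(body)) + body

def enc_int(v):
    # minimal two's-complement encoding (non-negative values are all we need)
    return enc_tlv(TAG_INT, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_octets(b):
    return enc_tlv(TAG_OCTETS, b)

def decode_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

def decode_seq(value):
    """Split a SEQUENCE body into a list of (tag, value) children."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = decode_tlv(value, pos)
        items.append((tag, v))
    return items

def expect(item, tag):
    if item[0] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {item[0]:#x}")
    return item[1]

def dec_int(value):
    return int.from_bytes(value, "big", signed=True)

SECURITY_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}

def parse_msg_flags(flags):
    """Bit 0 = auth, bit 1 = priv, bit 2 = reportable (RFC 3412 section 6.4)."""
    level = SECURITY_LEVELS.get(flags & 0x03)
    if level is None:                      # priv without auth is not allowed
        raise ValueError("privacy without authentication is not a valid level")
    return {"auth": bool(flags & 1), "priv": bool(flags & 2),
            "reportable": bool(flags & 4), "level": level}

def parse_snmpv3(msg):
    # SNMPv3Message ::= SEQUENCE { msgVersion, msgGlobalData, msgSecurityParameters, msgData }
    version, header, secparams, data = decode_seq(expect(decode_tlv(msg)[:2], TAG_SEQ))
    out = {"msgVersion": dec_int(expect(version, TAG_INT))}
    # HeaderData ::= SEQUENCE { msgID, msgMaxSize, msgFlags OCTET STRING (SIZE(1)), msgSecurityModel }
    msg_id, max_size, flags, model = decode_seq(expect(header, TAG_SEQ))
    out["msgID"] = dec_int(expect(msg_id, TAG_INT))
    out["msgMaxSize"] = dec_int(expect(max_size, TAG_INT))
    out["msgFlags"] = parse_msg_flags(expect(flags, TAG_OCTETS)[0])
    out["msgSecurityModel"] = dec_int(expect(model, TAG_INT))
    if out["msgSecurityModel"] == 3:       # USM: a SEQUENCE wrapped in an OCTET STRING
        usm_tlv = decode_tlv(expect(secparams, TAG_OCTETS))[:2]
        eid, boots, time_, user, authp, privp = decode_seq(expect(usm_tlv, TAG_SEQ))
        out["usm"] = {
            "msgAuthoritativeEngineID": expect(eid, TAG_OCTETS).hex(),
            "msgAuthoritativeEngineBoots": dec_int(expect(boots, TAG_INT)),
            "msgAuthoritativeEngineTime": dec_int(expect(time_, TAG_INT)),
            "msgUserName": expect(user, TAG_OCTETS).decode(),
            "msgAuthenticationParameters": expect(authp, TAG_OCTETS).hex(),
            "msgPrivacyParameters": expect(privp, TAG_OCTETS).hex(),
        }
    if out["msgFlags"]["priv"]:            # msgData is ciphertext in an OCTET STRING
        out["encryptedPDU_len"] = len(expect(data, TAG_OCTETS))
    else:                                  # plaintext ScopedPDU ::= SEQUENCE { contextEngineID, contextName, pdu }
        ctx_eid, ctx_name, pdu = decode_seq(expect(data, TAG_SEQ))
        out["contextEngineID"] = expect(ctx_eid, TAG_OCTETS).hex()
        out["contextName"] = expect(ctx_name, TAG_OCTETS).decode()
        out["pduTag"] = pdu[0]
    return out

def sample_message(flags=0x05):
    """Constructed GetRequest for sysDescr.0; every value here is made up."""
    engine_id = bytes.fromhex("80001f888059dc486145a26322")        # constructed engine ID
    usm = enc_tlv(TAG_SEQ, enc_octets(engine_id) + enc_int(4) + enc_int(1234)
                  + enc_octets(b"monitor") + enc_octets(b"\x00" * 12)   # placeholder digest
                  + enc_octets(b""))
    varbind = enc_tlv(TAG_SEQ, bytes.fromhex("06082b060102010101000500"))  # sysDescr.0, NULL
    pdu = enc_tlv(TAG_GETREQUEST, enc_int(42) + enc_int(0) + enc_int(0) + enc_tlv(TAG_SEQ, varbind))
    scoped = enc_tlv(TAG_SEQ, enc_octets(engine_id) + enc_octets(b"") + pdu)
    if flags & 0x02:
        scoped = enc_octets(b"\xaa" * len(scoped))   # stand-in for ciphertext, same length
    header = enc_tlv(TAG_SEQ, enc_int(1000) + enc_int(65507) + enc_octets(bytes([flags])) + enc_int(3))
    return enc_tlv(TAG_SEQ, enc_int(3) + header + enc_octets(usm) + scoped)

if __name__ == "__main__":
    for f in (0x00, 0x05, 0x07):
        print(parse_snmpv3(sample_message(f)))
```

Running the script decodes three constructed messages at noAuthNoPriv, authNoPriv and authPriv. The same decoder applied to the bytes of a real packet (for instance exported from Wireshark) shows why msgID, msgFlags and the USM parameters are readable even when the PDU is not: they sit outside the encrypted msgData, which is exactly what a Report PDU relies on.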