-
Re: PDU Type
I didn't say it was at the start of the SNMP message - I said it was the PDU
type. Here is the actual data from the SNMP packet. I believe the PDU type
is at byte position 14 (line 2 byte 1)
30 2A 02 01 00 04 06 70 75 62 6C 69 63
A4 1D 06 07 2B 06 01 04 01 96 26 40 04
C0 A8 01 C4 02 01 06 02 01 01 43 04 02
30 DC 78 30 00
What I believe to be true:
Bytes   Desc
1-2     Header
3-5     Version
6-13    Community
14-15   PDU Type
16-24   Enterprise
25-30   Agent address
31-33   Trap type
34-36   Specific trap type
37-42   Timestamp
Am I wrong?
"Shripathi Kamath" <shripathikamath@hotmail.com> wrote in message
news:vibl02atlr86d7@corp.supernews.com...
>
> "Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
> news:pikVa.2390$Ho3.831@sccrnsc03...
> > I'm attempting to decode the PDU type. The actual data is "A4 1D". When I
> > decode, the type is "4" which equates to an OctetString. But the data that
> > follows is obviously not the ASCII representation of anything having to do
> > with "TRAP-V1". Could someone provide some insight?
>
> Can you please post the entire data in the SNMP message? What you are
> showing above is a two octet fragment, typically not seen at the start of an
> SNMP message. Neither is it the start of an OCTET STRING, which would start
> with 04 not A4.
>
> --
> Shripathi Kamath
> NETAPHOR SOFTWARE INC.
> http://www.netaphor.com
-
Re: PDU Type
"Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
news:VOkVa.3670$YN5.5449@sccrnsc01...
> I didn't say it was at the start of the SNMP message
No you did not. Which is why I said that it did not look like it was the
start of it. The problem I had was not knowing which part of the message it
was, given that you had put forth two octets, and claimed the lower nibble
to be an OctetString.
> - I said it was the PDU type.
And then you claimed that the 4 was the OCTET STRING type, which was the
confusing part.
> Here is the actual data from the SNMP packet. I believe the PDU type
> is at byte position 14 (line 2 byte 1)
>
> 30 2A 02 01 00 04 06 70 75 62 6C 69 63
> A4 1D 06 07 2B 06 01 04 01 96 26 40 04
> C0 A8 01 C4 02 01 06 02 01 01 43 04 02
> 30 DC 78 30 00
>
> What I believe to be true:
> Bytes Desc
> 1-2 Header
> 3-5 Version 02 01 00 -> Version 1
> 6-13 Community 04 06 70 75 62 6C 69 63 ->
> 14-15 PDU Type
A4 1D is the syntax and length of the PDU
A4 = 0x80 | 0x20 | 0x04 -> V1 Trap PDU
1d is the length.
06 07 2B 06 01 04 01 96 26 is the enterprise OID (syntax = 6, length = 7, 2B
06 01 04 01 96 26 the data)
40 04 C0 A8 01 C4 is the agent address (syntax = 40, length = 04, C0 A8 01
C4 the data)
02 01 06 is the generic trap type (syntax = 02, len = 01, data = 06)
02 01 01 is the specific trap type (syntax = 02, len = 01, data = 01)
43 04 02 30 DC 78 is the timestamp (syntax = 43, length = 04, data = 02 30
DC 78)
30 00 is the empty variable binding list
> Am I wrong?
Only in interpretation perhaps. The above is an annotated packet dump.
HTH,
--
Shripathi Kamath
NETAPHOR SOFTWARE INC.
http://www.netaphor.com
> "Shripathi Kamath" <shripathikamath@hotmail.com> wrote in message
> news:vibl02atlr86d7@corp.supernews.com...
> >
> > "Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
> > news:pikVa.2390$Ho3.831@sccrnsc03...
> > > I'm attempting to decode the PDU type. The actual data is "A4 1D". When I
> > > decode, the type is "4" which equates to an OctetString. But the data that
> > > follows is obviously not the ASCII representation of anything having to do
> > > with "TRAP-V1". Could someone provide some insight?
> >
> > Can you please post the entire data in the SNMP message? What you are
> > showing above is a two octet fragment, typically not seen at the start of an
> > SNMP message. Neither is it the start of an OCTET STRING, which would start
> > with 04 not A4.
> >
> > --
> > Shripathi Kamath
> > NETAPHOR SOFTWARE INC.
> > http://www.netaphor.com
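Going the other way, as an added example that is not part of any post in this thread: a minimal BER encoder that rebuilds the posted 44-byte trap from the fields annotated above (version 0, community "public", enterprise 1.3.6.1.4.1.2854, agent 192.168.1.196, generic trap 6, specific trap 1, timestamp 0x0230DC78, empty varbind list) and checks the result against the dump byte for byte. It shows where A4 (context | constructed | 4), 1D and 2A come from: each length is computed from the encoded contents beneath it. The function and constant names are my own choices, not anything from RFC 1157 or the posters' code.

```python
# Added example (not from any poster): rebuild the posted SNMPv1 trap from its
# decoded fields with a small BER encoder and compare it with the dump.
# Field values are the ones decoded in the thread; names are my own.

UNIVERSAL, APPLICATION, CONTEXT = 0x00, 0x40, 0x80   # tag class, bits 8-7
CONSTRUCTED = 0x20                                   # bit 6
INTEGER, OCTET_STRING, OID = 0x02, 0x04, 0x06        # universal, primitive
SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10            # 0x30
IPADDRESS = APPLICATION | 0x00                       # 0x40
TIMETICKS = APPLICATION | 0x03                       # 0x43
TRAP_V1 = CONTEXT | CONSTRUCTED | 0x04               # 0xA4: [4] IMPLICIT SEQUENCE


def ber_length(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count then count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value: the unit every SNMP field is built from."""
    return bytes([tag]) + ber_length(len(value)) + value


def encode_uint(n: int) -> bytes:
    """Non-negative INTEGER-based value (version, trap numbers, TimeTicks) in
    minimal big-endian form; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def encode_oid(dotted: str) -> bytes:
    """First two arcs share one byte (40*a + b); each later arc is base-128
    with the continuation bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_trap_v1(community: str, enterprise: str, agent_addr: str,
                   generic: int, specific: int, timestamp: int,
                   varbinds=()) -> bytes:
    """Message { version 0, community, Trap-PDU { ... } } as in RFC 1157.
    varbinds is a sequence of (oid, already-encoded value TLV) pairs."""
    vb_list = b"".join(tlv(SEQUENCE, tlv(OID, encode_oid(o)) + v)
                       for o, v in varbinds)
    pdu = b"".join([
        tlv(OID, encode_oid(enterprise)),
        tlv(IPADDRESS, bytes(int(o) for o in agent_addr.split("."))),
        tlv(INTEGER, encode_uint(generic)),
        tlv(INTEGER, encode_uint(specific)),
        tlv(TIMETICKS, encode_uint(timestamp)),
        tlv(SEQUENCE, vb_list),                       # 30 00 when empty
    ])
    return tlv(SEQUENCE, b"".join([
        tlv(INTEGER, encode_uint(0)),                 # version-1
        tlv(OCTET_STRING, community.encode("ascii")),
        tlv(TRAP_V1, pdu),                            # A4 <len> ...
    ]))


# The dump posted in the thread, for comparison.
POSTED_DUMP = bytes.fromhex(
    "30 2A 02 01 00 04 06 70 75 62 6C 69 63 "
    "A4 1D 06 07 2B 06 01 04 01 96 26 40 04 "
    "C0 A8 01 C4 02 01 06 02 01 01 43 04 02 "
    "30 DC 78 30 00")


def rebuild_posted_trap() -> bytes:
    """Encode the fields decoded in the thread; equal to POSTED_DUMP."""
    return encode_trap_v1(community="public",
                          enterprise="1.3.6.1.4.1.2854",   # 2B 06 01 04 01 96 26
                          agent_addr="192.168.1.196",      # C0 A8 01 C4
                          generic=6, specific=1,           # enterpriseSpecific, 1
                          timestamp=0x0230DC78)


if __name__ == "__main__":
    built = rebuild_posted_trap()
    print(built.hex(" ").upper())
    print("matches posted dump:", built == POSTED_DUMP)
```

Running it prints the rebuilt bytes and True. Anything that changes the contents of a nested field, such as adding a varbind, changes the 1D and 2A lengths up the chain, which is why hand-edited dumps so often fail to parse.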
-
Re: PDU Type
I am extremely confused now - how am I supposed to know that:
A4 = 0x80 | 0x20 | 0x04
Is this not an OctetString? Egad.
Brian Patterson
"Shripathi Kamath" <shripathikamath@hotmail.com> wrote in message
news:vibp78eohmvo7f@corp.supernews.com...
>
> "Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
> news:VOkVa.3670$YN5.5449@sccrnsc01...
> > I didn't say it was at the start of the SNMP message
>
> No you did not. Which is why I said that it did not look like it was the
> start of it. The problem I had was not knowing which part of the message it
> was, given that you had put forth two octets, and claimed the lower nibble
> to be an OctetString.
>
> > - I said it was the PDU type.
>
> And then you claimed that the 4 was the OCTET STRING type, which was the
> confusing part.
>
> > Here is the actual data from the SNMP packet. I believe the PDU type
> > is at byte position 14 (line 2 byte 1)
> >
> > 30 2A 02 01 00 04 06 70 75 62 6C 69 63
> > A4 1D 06 07 2B 06 01 04 01 96 26 40 04
> > C0 A8 01 C4 02 01 06 02 01 01 43 04 02
> > 30 DC 78 30 00
> >
> > What I believe to be true:
> > Bytes Desc
> > 1-2 Header
> > 3-5 Version 02 01 00 -> Version 1
> > 6-13 Community 04 06 70 75 62 6C 69 63 ->
> > 14-15 PDU Type
>
> A4 1D is the syntax and length of the PDU
>
> A4 = 0x80 | 0x20 | 0x04 -> V1 Trap PDU
>
> 1d is the length.
>
> 06 07 2B 06 01 04 01 96 26 is the enterprise OID (syntax = 6, length = 7, 2B
> 06 01 04 01 96 26 the data)
>
> 40 04 C0 A8 01 C4 is the agent address (syntax = 40, length = 04, C0 A8 01
> C4 the data)
>
> 02 01 06 is the generic trap type (syntax = 02, len = 01, data = 06)
>
> 02 01 01 is the specific trap type (syntax = 02, len = 01, data = 01)
>
> 43 04 02 30 DC 78 is the timestamp (syntax = 43, length = 04, data = 02 30
> DC 78)
>
> 30 00 is the empty variable binding list
>
> > Am I wrong?
> >
>
> Only in interpretation perhaps. The above is an annotated packet dump.
>
> HTH,
>
> --
> Shripathi Kamath
> NETAPHOR SOFTWARE INC.
> http://www.netaphor.com
>
> > "Shripathi Kamath" <shripathikamath@hotmail.com> wrote in message
> > news:vibl02atlr86d7@corp.supernews.com...
> > >
> > > "Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
> > > news:pikVa.2390$Ho3.831@sccrnsc03...
> > > > I'm attempting to decode the PDU type. The actual data is "A4 1D". When I
> > > > decode, the type is "4" which equates to an OctetString. But the data that
> > > > follows is obviously not the ASCII representation of anything having to do
> > > > with "TRAP-V1". Could someone provide some insight?
> > >
> > > Can you please post the entire data in the SNMP message? What you are
> > > showing above is a two octet fragment, typically not seen at the start of an
> > > SNMP message. Neither is it the start of an OCTET STRING, which would start
> > > with 04 not A4.
> > >
> > > --
> > > Shripathi Kamath
> > > NETAPHOR SOFTWARE INC.
> > > http://www.netaphor.com
-
Re: PDU Type
In article <BIlVa.3122$Ho3.442@sccrnsc03>,
NObriandpatterson@SPAMmchsiGOAWAY.com says...
> I am extremely confused now - how am I supposed to know that:
> A4 = 0x80 | 0x20 | 0x04
>
> Is this not an OctetString? Egad.
Per my message regarding length encodings, the tag consists of multiple
parts. The highest two bits indicating the tag class (application,
universal, context, private), the next bit indicates constructed or
primitive encoding, and the remaining bits identify the type with
relation to the tag class.
[Note: I mistakenly said in the other message that SNMP always uses
primitive encoding, but I was spacing and confusing the issue of length
encodings and fragmentation with that flag. The constructed encoding is
used for structured types such as SEQUENCE. I haven't touched our ASN.1
encoder/decoder library in a while and I've got too many things going on
to think clearly sometimes. :P]
The tags for the basic ASN.1 datatypes are defined in X.209. The other
tags used by SNMP are defined in the protocol specs (e.g., RFC 1157,
3416, 3413...). For example, in RFC 1157, Trap-PDU is defined as:
  Trap-PDU ::=
      [4]
          IMPLICIT SEQUENCE {
              ...
          }
The above basically means it's a SEQUENCE encoding, but uses the
context-specific flags, tag value 4, and it's constructed (if I recall
correctly, the constructed flag comes from the fact that it's a sequence
because sequence is always constructed...) Here is a summary of the
flags and tags etc.:
ASN.1 Tag Classes:
  UNIVERSAL           0x00
  APPLICATION         0x40
  CONTEXT             0x80
  PRIVATE             0xc0

Encoding options:
  PRIMITIVE           0x00
  CONSTRUCTED         0x20

ASN.1 Basic Datatypes:
  BOOLEAN             0x01  (not used by SNMP)
  INTEGER             0x02
  BIT STRING          0x03  (not used by SNMP)
  OCTET STRING        0x04
  NULL                0x05
  OBJECT IDENTIFIER   0x06
  SEQUENCE            0x30

SNMP Basic Datatypes:
  IpAddress           (APPLICATION | 0x00) == 0x40
  NetworkAddress      (same as IpAddress)
  Counter/Counter32   (APPLICATION | 0x01) == 0x41
  Gauge/Gauge32       (APPLICATION | 0x02) == 0x42
  TimeTicks           (APPLICATION | 0x03) == 0x43
  Opaque              (APPLICATION | 0x04) == 0x44
  Counter64           (APPLICATION | 0x06) == 0x46
  Unsigned32          (APPLICATION | 0x07) == 0x47

SNMP PDUs:
  Get                 (CONTEXT | CONSTRUCTED | 0x00) == 0xA0
  Get-Next            (CONTEXT | CONSTRUCTED | 0x01) == 0xA1
  Response            (CONTEXT | CONSTRUCTED | 0x02) == 0xA2
  Set                 (CONTEXT | CONSTRUCTED | 0x03) == 0xA3
  v1-trap             (CONTEXT | CONSTRUCTED | 0x04) == 0xA4
  Get-Bulk            (CONTEXT | CONSTRUCTED | 0x05) == 0xA5
  Inform-Request      (CONTEXT | CONSTRUCTED | 0x06) == 0xA6
  v2-trap             (CONTEXT | CONSTRUCTED | 0x07) == 0xA7
  Report              (CONTEXT | CONSTRUCTED | 0x08) == 0xA8

SNMPv2-PDU Exception:
  noSuchObject        (CONTEXT | 0x00) == 0x80
  noSuchInstance      (CONTEXT | 0x01) == 0x81
  endOfMibView        (CONTEXT | 0x02) == 0x82
By the way, you should be sure to test your decoder thoroughly for
vulnerabilities. There's a free java-based test suite referenced by last
year's CERT advisory that has something like 50,000 tests in it that you
can download from:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
More info:
http://www.cert.org/advisories/CA-2002-03.html
--
Michael Kirkham
Muonics
http://www.muonics.com/
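As an added example that is not from any poster and not from the PROTOS suite, here is a decoder for the trap posted earlier in the thread that applies the tag split above (so 0xA4 resolves to CONTEXT, constructed, tag number 4, while 0x04 is UNIVERSAL OCTET STRING) and treats every BER length as untrusted before it indexes into the buffer, which is exactly what a PROTOS-style test suite exercises. The malformed inputs at the end are constructed here by mutating the posted dump; the function names are my own.

```python
# Added example, not from any poster and not the PROTOS suite: a bounds-checked
# BER walker that splits each identifier octet the way the table above does,
# decodes the trap dump from this thread, and refuses the length lies a fuzzer
# feeds an SNMP parser. MALFORMED is constructed here by mutating that dump.

CLASS_NAMES = {0x00: "UNIVERSAL", 0x40: "APPLICATION", 0x80: "CONTEXT", 0xC0: "PRIVATE"}

def split_tag(tag: int):
    """Identifier octet -> (class, constructed?, number): 0xA4 -> CONTEXT, True, 4."""
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not used by SNMP")
    return CLASS_NAMES[tag & 0xC0], bool(tag & 0x20), tag & 0x1F

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); every length is checked before it is trusted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated before tag/length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not valid in SNMP")
    if first & 0x80:                                    # long form: 0x8N + N bytes
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first                                  # short form, below 128
    if pos + length > len(buf):
        raise ValueError(f"length {length} overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """40*a+b first, then base-128 arcs; a final byte with bit 8 set is truncation."""
    if not raw or raw[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_trap_v1(pkt: bytes) -> dict:
    """Message { version, community, Trap-PDU { enterprise, agent-addr,
    generic-trap, specific-trap, time-stamp, variable-bindings } } (RFC 1157)."""
    tag, msg, end = read_tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("not a single SNMP message SEQUENCE")
    t_ver, ver, p = read_tlv(msg, 0)
    t_com, com, p = read_tlv(msg, p)
    t_pdu, pdu, p = read_tlv(msg, p)
    if (t_ver, t_com) != (0x02, 0x04) or p != len(msg):
        raise ValueError("bad message header")
    if split_tag(t_pdu) != ("CONTEXT", True, 4):        # [4] IMPLICIT SEQUENCE
        raise ValueError("expected Trap-PDU, got tag 0x%02X" % t_pdu)
    fields, q = [], 0
    while q < len(pdu):
        t, v, q = read_tlv(pdu, q)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x06, 0x40, 0x02, 0x02, 0x43, 0x30]:
        raise ValueError("Trap-PDU fields missing or out of order")
    ent, addr, gen, spec, ticks, vbs = (v for _, v in fields)
    if len(addr) != 4:
        raise ValueError("IpAddress must be exactly 4 octets")
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": com.decode("ascii", "replace"),
            "pdu_type": t_pdu,
            "enterprise": decode_oid(ent),
            "agent_addr": ".".join(map(str, addr)),
            "generic_trap": int.from_bytes(gen, "big", signed=True),
            "specific_trap": int.from_bytes(spec, "big", signed=True),
            "timestamp": int.from_bytes(ticks, "big"),
            "varbind_bytes": len(vbs)}

POSTED_DUMP = bytes.fromhex(                            # the dump from the thread
    "30 2A 02 01 00 04 06 70 75 62 6C 69 63 A4 1D 06 07 2B 06 01 04 01 96 26 "
    "40 04 C0 A8 01 C4 02 01 06 02 01 01 43 04 02 30 DC 78 30 00")

# Constructed mutations of that dump, the kind a PROTOS-style suite sends.
MALFORMED = {
    "PDU length 0x7F but only 29 bytes follow": POSTED_DUMP[:14] + b"\x7f" + POSTED_DUMP[15:],
    "outer length indefinite (0x80)":           POSTED_DUMP[:1] + b"\x80" + POSTED_DUMP[2:],
    "datagram cut short":                       POSTED_DUMP[:-3],
    "PDU length one byte short (0x1C)":         POSTED_DUMP[:14] + b"\x1c" + POSTED_DUMP[15:],
}

def rejects(pkt: bytes) -> bool:
    """True if the decoder fails cleanly with ValueError (never IndexError)."""
    try:
        decode_trap_v1(pkt)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(decode_trap_v1(POSTED_DUMP))
    for name, pkt in MALFORMED.items():
        print(f"{name}: {'rejected' if rejects(pkt) else 'ACCEPTED'}")
```

rejects must come back True for every entry in MALFORMED, and with a ValueError rather than an unhandled exception; that distinction is the difference between a clean parse error and a decoder that falls over on attacker-controlled lengths, which is what the PROTOS cases probe for.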
-
Re: PDU Type
"Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
news:<VOkVa.3670$YN5.5449@sccrnsc01>...
> I didn't say it was at the start of the SNMP message - I said it was the PDU
> type. Here is the actual data from the SNMP packet. I believe the PDU type
> is at byte position 14 (line 2 byte 1)
>
> 30 2A 02 01 00 04 06 70 75 62 6C 69 63
> A4 1D 06 07 2B 06 01 04 01 96 26 40 04
> C0 A8 01 C4 02 01 06 02 01 01 43 04 02
> 30 DC 78 30 00
>
> What I believe to be true:
> Bytes Desc
> 1-2 Header
> 3-5 Version
> 6-13 Community
> 14-15 PDU Type
> 16-24 Enterprise
> 25-30 Agent address
> 31-33 Trap type
> 34-36 Specific trap type
> 37-42 Timestamp
>
> Am I wrong?
The other details are correct except bytes 14-15.
Bytes Desc
14 PDU Type (for your case, it's a trap PDU)
15 Length of the remaining packet (bytes 16 to 44)
cheers,
Karthikeyan. N
-
Re: PDU Type
"Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
news:7ElVa.3348$o%2.3169@sccrnsc02...
> First sentence:
> "I'm attempting to decode the PDU type."
>
>
It has indeed been a pleasure trying to help you.
--
Shripathi Kamath
> > > I didn't say it was at the start of the SNMP message
> >
> > No you did not. Which is why I said that it did not look like it was the
> > start of it. The problem I had was not knowing which part of the message it
> > was, given that you had put forth two octets, and claimed the lower nibble
> > to be an OctetString.
> >
> > > - I said it was the PDU type.
> >
> > And then you claimed that the 4 was the OCTET STRING type, which was the
> > confusing part.
> >
> > > Here is the actual data from the SNMP packet. I believe the PDU type
> > > is at byte position 14 (line 2 byte 1)
> > >
> > > 30 2A 02 01 00 04 06 70 75 62 6C 69 63
> > > A4 1D 06 07 2B 06 01 04 01 96 26 40 04
> > > C0 A8 01 C4 02 01 06 02 01 01 43 04 02
> > > 30 DC 78 30 00
> > >
> > > What I believe to be true:
> > > Bytes Desc
> > > 1-2 Header
> > > 3-5 Version 02 01 00 -> Version 1
> > > 6-13 Community 04 06 70 75 62 6C 69 63 ->
> > > 14-15 PDU Type
> >
> > A4 1D is the syntax and length of the PDU
> >
> > A4 = 0x80 | 0x20 | 0x04 -> V1 Trap PDU
> >
> > 1d is the length.
> >
> > 06 07 2B 06 01 04 01 96 26 is the enterprise OID (syntax = 6, length = 7,
> > 2B 06 01 04 01 96 26 the data)
> >
> > 40 04 C0 A8 01 C4 is the agent address (syntax = 40, length = 04, C0 A8
> > 01 C4 the data)
> >
> > 02 01 06 is the generic trap type (syntax = 02, len = 01, data = 06)
> >
> > 02 01 01 is the specific trap type (syntax = 02, len = 01, data = 01)
> >
> > 43 04 02 30 DC 78 is the timestamp (syntax = 43, length = 04, data = 02
> > 30 DC 78)
> >
> > 30 00 is the empty variable binding list
> >
> > > Am I wrong?
> > >
> >
> > Only in interpretation perhaps. The above is an annotated packet dump.
> >
> > HTH,
> >
> > --
> > Shripathi Kamath
> > NETAPHOR SOFTWARE INC.
> > http://www.netaphor.com
> >
> > > "Shripathi Kamath" <shripathikamath@hotmail.com> wrote in message
> > > news:vibl02atlr86d7@corp.supernews.com...
> > > >
> > > > "Brian Patterson" <NObriandpatterson@SPAMmchsiGOAWAY.com> wrote in message
> > > > news:pikVa.2390$Ho3.831@sccrnsc03...
> > > > > I'm attempting to decode the PDU type. The actual data is "A4 1D". When I
> > > > > decode, the type is "4" which equates to an OctetString. But the data that
> > > > > follows is obviously not the ASCII representation of anything having to do
> > > > > with "TRAP-V1". Could someone provide some insight?
> > > >
> > > > Can you please post the entire data in the SNMP message? What you are
> > > > showing above is a two octet fragment, typically not seen at the start of an
> > > > SNMP message. Neither is it the start of an OCTET STRING, which would start
> > > > with 04 not A4.
> > > >
> > > > --
> > > > Shripathi Kamath
> > > > NETAPHOR SOFTWARE INC.
> > > > http://www.netaphor.com