Re: PDU Type - SNMP



Thread: Re: PDU Type

  1. Re: PDU Type

    I didn't say it was at the start of the SNMP message - I said it was the PDU
    type. Here is the actual data from the SNMP packet. I believe the PDU type
    is at byte position 14 (line 2 byte 1)

    30 2A 02 01 00 04 06 70 75 62 6C 69 63
    A4 1D 06 07 2B 06 01 04 01 96 26 40 04
    C0 A8 01 C4 02 01 06 02 01 01 43 04 02
    30 DC 78 30 00

    What I believe to be true:
    Bytes Desc
    1-2 Header
    3-5 Version
    6-13 Community
    14-15 PDU Type
    16-24 Enterprise
    25-30 Agent address
    31-33 Trap type
    34-36 Specific trap type
    37-42 Timestamp

    Am I wrong?

    "Shripathi Kamath" wrote in message
    news:vibl02atlr86d7@corp.supernews.com...
    >
    > "Brian Patterson" wrote in message
    > news:ikVa.2390$Ho3.831@sccrnsc03...
    > > I'm attempting to decode the PDU type. The actual data is "A4 1D". When
    > > I decode, the type is "4", which equates to an OctetString. But the data
    > > that follows is obviously not the ASCII representation of anything
    > > having to do with "TRAP-V1". Could someone provide some insight?
    >
    > Can you please post the entire data in the SNMP message? What you are
    > showing above is a two octet fragment, typically not seen at the start of
    > an SNMP message. Neither is it the start of an OCTET STRING, which would
    > start with 04 not A4.
    >
    > --
    > Shripathi Kamath
    > NETAPHOR SOFTWARE INC.
    > http://www.netaphor.com




  2. Re: PDU Type


    "Brian Patterson" wrote in message
    news:VOkVa.3670$YN5.5449@sccrnsc01...
    > I didn't say it was at the start of the SNMP message


    No you did not. Which is why I said that it did not look like it was the
    start of it. The problem I had was not knowing which part of the message it
    was, given that you had put forth two octets, and claimed the lower nibble
    to be an OctetString.

    > - I said it was the PDU type.


    And then you claimed that the 4 was the OCTET STRING type, which was the
    confusing part.


    > Here is the actual data from the SNMP packet. I believe the PDU type
    > is at byte position 14 (line 2 byte 1)
    >
    > 30 2A 02 01 00 04 06 70 75 62 6C 69 63
    > A4 1D 06 07 2B 06 01 04 01 96 26 40 04
    > C0 A8 01 C4 02 01 06 02 01 01 43 04 02
    > 30 DC 78 30 00
    >
    > What I believe to be true:
    > Bytes Desc
    > 1-2 Header
    > 3-5 Version 02 01 00 -> Version 1
    > 6-13 Community 04 06 70 75 62 6C 69 63 ->
    > 14-15 PDU Type


    A4 1D is the syntax and length of the PDU

    A4 = 0x80 | 0x20 | 0x04 -> V1 Trap PDU

    1d is the length.

    06 07 2B 06 01 04 01 96 26 is the enterprise OID (syntax = 06, length = 07,
    2B 06 01 04 01 96 26 the data)

    40 04 C0 A8 01 C4 is the agent address (syntax = 40, length = 04, C0 A8 01
    C4 the data)

    02 01 06 is the generic trap type (syntax = 02, len = 01, data = 06)

    02 01 01 is the specific trap type (syntax = 02, len = 01, data = 01)

    43 04 02 30 DC 78 is the timestamp (syntax = 43, length = 04, data = 02 30
    DC 78)

    30 00 is the empty variable binding list

    > Am I wrong?
    >


    Only in interpretation perhaps. The above is an annotated packet dump.

    HTH,

    --
    Shripathi Kamath
    NETAPHOR SOFTWARE INC.
    http://www.netaphor.com






  3. Re: PDU Type

    I am extremely confused now - how am I supposed to know that:
    A4 = 0x80 | 0x20 | 0x04

    Is this not an OctetString? Egad.
    Brian Patterson





  4. Re: PDU Type

    In article ,
    NObriandpatterson@SPAMmchsiGOAWAY.com says...
    > I am extremely confused now - how I am supposed to know that:
    > A4 = 0x80 | 0x20 | 0x04
    >
    > Is this not an OctetString? Egad.


    Per my message regarding length encodings, the tag consists of multiple
    parts: the highest two bits indicate the tag class (application,
    universal, context, private), the next bit indicates constructed or
    primitive encoding, and the remaining bits identify the type in relation
    to the tag class.

    [Note: I mistakenly said in the other message that SNMP always uses
    primitive encoding, but I was spacing and confusing the issue of length
    encodings and fragmentation with that flag. The constructed encoding is
    used for structured types such as SEQUENCE. I haven't touched our ASN.1
    encoder/decoder library in a while and I've got too many things going on
    to think clearly sometimes. :P]

    The tags for the basic ASN.1 datatypes are defined in X.209. The other
    tags used by SNMP are defined in the protocol specs (e.g., RFC 1157,
    3416, 3413...). For example, in RFC 1157, Trap-PDU is defined as:

    Trap-PDU ::=
        [4]
        IMPLICIT SEQUENCE {
            ...
        }

    The above basically means it's a SEQUENCE encoding, but uses the
    context-specific flags, tag value 4, and it's constructed (if I recall
    correctly, the constructed flag comes from the fact that it's a sequence
    because sequence is always constructed...) Here is a summary of the
    flags and tags etc.:

    ASN.1 Tag Classes:

    UNIVERSAL 0x00
    APPLICATION 0x40
    CONTEXT 0x80
    PRIVATE 0xc0

    Encoding options:

    PRIMITIVE 0x00
    CONSTRUCTED 0x20

    ASN.1 Basic Datatypes:

    BOOLEAN 0x01 (not used by SNMP)
    INTEGER 0x02
    BIT STRING 0x03 (not used by SNMP)
    OCTET STRING 0x04
    NULL 0x05
    OBJECT IDENTIFIER 0x06
    SEQUENCE 0x30

    SNMP Basic Datatypes:

    IpAddress (APPLICATION | 0x00) == 0x40
    NetworkAddress (same as IpAddress)
    Counter/Counter32 (APPLICATION | 0x01) == 0x41
    Gauge/Gauge32 (APPLICATION | 0x02) == 0x42
    TimeTicks (APPLICATION | 0x03) == 0x43
    Opaque (APPLICATION | 0x04) == 0x44
    Counter64 (APPLICATION | 0x06) == 0x46
    Unsigned32 (APPLICATION | 0x07) == 0x47

    SNMP PDUs:

    Get (CONTEXT | CONSTRUCTED | 0x00) == 0xA0
    Get-Next (CONTEXT | CONSTRUCTED | 0x01) == 0xA1
    Response (CONTEXT | CONSTRUCTED | 0x02) == 0xA2
    Set (CONTEXT | CONSTRUCTED | 0x03) == 0xA3
    v1-trap (CONTEXT | CONSTRUCTED | 0x04) == 0xA4
    Get-Bulk (CONTEXT | CONSTRUCTED | 0x05) == 0xA5
    Inform-Request (CONTEXT | CONSTRUCTED | 0x06) == 0xA6
    v2-trap (CONTEXT | CONSTRUCTED | 0x07) == 0xA7
    Report (CONTEXT | CONSTRUCTED | 0x08) == 0xA8

    SNMPv2-PDU Exception:

    noSuchObject (CONTEXT | 0x00) == 0x80
    noSuchInstance (CONTEXT | 0x01) == 0x81
    endOfMibView (CONTEXT | 0x02) == 0x82

    By the way, you should be sure to test your decoder thoroughly for
    vulnerabilities. There's a free java-based test suite referenced by last
    year's CERT advisory that has something like 50,000 tests in it that you
    can download from:

    http://www.ee.oulu.fi/research/ouspg...ng/c06/snmpv1/

    More info:

    http://www.cert.org/advisories/CA-2002-03.html

    --
    Michael Kirkham
    Muonics
    http://www.muonics.com/

  5. Re: PDU Type

    "Brian Patterson" wrote in message news:...
    > I didn't say it was at the start of the SNMP message - I said it was the PDU
    > type. Here is the actual data from the SNMP packet. I believe the PDU type
    > is at byte position 14 (line 2 byte 1)
    >
    > 30 2A 02 01 00 04 06 70 75 62 6C 69 63
    > A4 1D 06 07 2B 06 01 04 01 96 26 40 04
    > C0 A8 01 C4 02 01 06 02 01 01 43 04 02
    > 30 DC 78 30 00
    >
    > What I believe to be true:
    > Bytes Desc
    > 1-2 Header
    > 3-5 Version
    > 6-13 Community
    > 14-15 PDU Type
    > 16-24 Enterprise
    > 25-30 Agent address
    > 31-33 Trap type
    > 34-36 Specific trap type
    > 37-42 Timestamp
    >
    > Am I wrong?


    The other details are correct except bytes 14-15.

    Bytes Desc
    14 PDU Type (for your case, it's a trap PDU)
    15 Length of the remaining packet (bytes 16 to 44)


    cheers,

    Karthikeyan. N
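As an added example, not code posted by anyone in this thread, here is a small Python decoder that does what the annotated replies above do by hand: it splits each identifier octet into class, constructed flag and tag number exactly as the ASN.1 summary describes (so A4 comes out as CONTEXT | CONSTRUCTED | 4, the v1 Trap-PDU, with byte 14 the PDU type and byte 15 its length), walks the posted dump field by field, and, in the spirit of the advice to test a decoder against malformed input, refuses truncated headers, indefinite or oversized lengths and elements that overrun their parent. The function names, the `THREAD_DUMP` constant and the field labels are this example's own choices; the byte values and the tag tables are taken from the thread.

```python
# Added example, not code from the thread: bounds-checked BER walk of the dump above.

TAG_CLASSES = {0x00: "UNIVERSAL", 0x40: "APPLICATION", 0x80: "CONTEXT", 0xC0: "PRIVATE"}
CONSTRUCTED = 0x20
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OBJECT IDENTIFIER",
             0x30: "SEQUENCE", 0x40: "IpAddress", 0x41: "Counter32", 0x42: "Gauge32",
             0x43: "TimeTicks", 0x44: "Opaque", 0x46: "Counter64", 0x47: "Unsigned32",
             0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA4: "Trap (v1)", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
             0xA8: "Report"}                           # identifier octets per the summary above
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",              # RFC 1157 values 0..6
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]
# the 44-octet dump posted in the thread
THREAD_DUMP = bytes.fromhex("30 2A 02 01 00 04 06 70 75 62 6C 69 63 A4 1D 06 07 2B 06 01 04 01"
                            " 96 26 40 04 C0 A8 01 C4 02 01 06 02 01 01 43 04 02 30 DC 78 30 00")

def split_tag(tag):
    """Identifier octet -> (class, constructed, number); 0xA4 -> ('CONTEXT', True, 4)."""
    return TAG_CLASSES[tag & 0xC0], bool(tag & CONSTRUCTED), tag & 0x1F

def read_tlv(buf, pos, limit):
    """Read one TLV header at buf[pos] -> (tag, value_start, value_end). Every read is
    checked against limit: truncated headers, indefinite length (0x80), oversized
    long-form lengths and lengths overrunning the enclosing element all raise."""
    if pos + 2 > limit:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                              # short form: one length octet
        length = first
    else:                                         # long form: 0x8n, then n octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("length overruns enclosing element")
    return tag, pos, pos + length

def decode_oid(v):
    """First octet packs arcs 1 and 2 as 40*a + b; the rest are base-128 arcs."""
    if not v:
        raise ValueError("empty OID")
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                          # high bit clear ends the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_v1_trap(msg):
    """Return (fields, layout); layout rows are (first, last, label), 1-based bytes."""
    fields, layout = {}, []
    def take(pos, limit, want, label):
        tag, vstart, vend = read_tlv(msg, pos, limit)
        if tag != want:
            raise ValueError(f"{label}: expected {want:#04x}, got {tag:#04x}")
        # constructed elements: row covers the header only; primitives: whole TLV
        layout.append((pos + 1, vstart if tag & CONSTRUCTED else vend, label))
        return msg[vstart:vend], vstart, vend
    _, pos, end = take(0, len(msg), 0x30, "Message header")
    if end != len(msg):
        raise ValueError("trailing bytes after message")
    v, _, pos = take(pos, end, 0x02, "Version")
    fields["version"] = int.from_bytes(v, "big", signed=True)
    v, _, pos = take(pos, end, 0x04, "Community")
    fields["community"] = v.decode("ascii", "replace")
    _, pos, pend = take(pos, end, 0xA4, "PDU type + length")
    fields["pdu"] = TAG_NAMES[0xA4]
    v, _, pos = take(pos, pend, 0x06, "Enterprise")
    fields["enterprise"] = decode_oid(v)
    v, _, pos = take(pos, pend, 0x40, "Agent address")
    if len(v) != 4:
        raise ValueError("IpAddress must be 4 octets")
    fields["agent_addr"] = ".".join(str(b) for b in v)
    v, _, pos = take(pos, pend, 0x02, "Generic trap")
    g = int.from_bytes(v, "big", signed=True)
    if not 0 <= g < len(GENERIC_TRAPS):
        raise ValueError("generic-trap out of range")
    fields["generic_trap"] = GENERIC_TRAPS[g]
    v, _, pos = take(pos, pend, 0x02, "Specific trap")
    fields["specific_trap"] = int.from_bytes(v, "big", signed=True)
    v, _, pos = take(pos, pend, 0x43, "Timestamp")
    fields["time_stamp"] = int.from_bytes(v, "big")   # TimeTicks is unsigned
    _, pos, vbend = take(pos, pend, 0x30, "Variable bindings")
    if vbend != pend:
        raise ValueError("trailing bytes after varbind list")
    fields["varbinds"] = 0
    while pos < vbend:                      # each VarBind is SEQUENCE { name, value }
        _, _, pos = take(pos, vbend, 0x30, "VarBind")
        fields["varbinds"] += 1
    return fields, layout

def rejects(msg):
    """True when the decoder refuses msg; used to check malformed-input handling."""
    try:
        decode_v1_trap(msg)
    except ValueError:
        return True
    return False
```

`decode_v1_trap(THREAD_DUMP)` returns the decoded fields and a list of (first, last, label) byte ranges that reproduces the Bytes/Desc table from the thread with row 14-15 labelled as PDU type plus length. `rejects()` is there to confirm that the dump with its last octet missing, an indefinite length at byte 2, or 04 in place of A4 at byte 14 is refused rather than misparsed.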

  6. Re: PDU Type


    "Brian Patterson" wrote in message
    news:7ElVa.3348$o%2.3169@sccrnsc02...
    > First sentence:
    > "I'm attempting to decode the PDU type."
    >
    >


    It has indeed been a pleasure trying to help you.

    --
    Shripathi Kamath





