
SNMP Sniffer Manual

3636 Westown Parkway Suite 101 West Des Moines, IA 50266 Main: (888) 235-3443 Fax: (515) 226-3462 http://www.icon-labs.com
Copyright 201, All rights reserved.

2001 Icon Laboratories, Inc. All Rights Reserved

Version 2.1

SNMP Sniffer User Manual


Copyright Information

Icon Laboratories, Inc.

This manual is copyrighted and all rights are reserved by Icon Laboratories, Inc. No part of this publication may be reproduced, transmitted, stored in a retrieval system, modified, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise without written permission by Icon Laboratories, Inc. Copyright 2002 by Icon Laboratories, Inc. All Rights Reserved Revision: B Publication Date: October 2001

Trademarks
All product names and services identified throughout this manual are trademarks or registered trademarks of their respective companies. They are used throughout this manual in editorial fashion only. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with the manual.

Disclaimer
Icon Laboratories makes a genuine attempt to ensure the accuracy and quality of the content described herein; however, Icon Laboratories makes no warranty, express or implied, with respect to the quality, reliability, accuracy, or freedom from error of this document or the products it describes. Icon Laboratories makes no representation or warranty with respect to the contents hereof and specifically disclaims any implied warranties of fitness for any particular purpose. Icon Laboratories disclaims all liability for any direct, indirect, incidental or consequential, special or exemplary damages resulting from the use of the information in this document or from the use of any products described in this document. Mention of any product or organization does not constitute an endorsement by Icon Laboratories of that product or corporation. Data used in examples and labs is intended to be fictional even if actual data is used or accessed. Any resemblance to, or use of real persons or organizations should be treated as entirely coincidental. www.icon-labs.com 1

Icon Laboratories, Inc. Copyright notices for software that is distributed with the SNMP Sniffer are given in the following files: wpcapCpwrt.txt and netSnmpCpwrt.txt. These files are installed along with the application.


End-User License Agreement Icon Laboratories, Inc. SNMP Sniffer


IMPORTANT! READ CAREFULLY: This License Agreement (License) is a legal agreement between you and Icon Laboratories, Inc. The right to use the Software is granted only on the condition that you agree to the following License. If You do not agree to the terms of the License, then Icon Laboratories, Inc. and its Grantors are unwilling to license the Software to You, in which case You may return the package within 30 days and Your purchase price will be refunded. HOWEVER, BY INSTALLING, COPYING OR USING THE SOFTWARE YOU INDICATE YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS. 1. DEFINITIONS: You and Your means the entity purchasing, opening and using this package. Software means computer programming code contained on the accompanying media and in the form (object or source) and format provided, and all full or partial copies of same, whether provided by Icon Laboratories or copies made by You as permitted under this License. Documentation means the related user materials furnished with the Software, and all full or partial copies of same, that describe its operational characteristics or matters related to its installation or use, whether provided in published written material, on magnetic media or communicated by electronic means. Program is a general term meaning the Software and its associated Documentation collectively. Programs may contain or be derived from materials of third party authors (Grantor) from whom Icon Laboratories has obtained marketing rights. Grantors are listed in the Documentation and are intended beneficiaries of this License. Authorized Unit means the host computer or target microprocessor which the Software per its Documentation, is intended to operate on and upon which You install and use the Software. 2. 
GRANT OF LICENSE: Subject to Your prompt payment of quoted fees, Icon Laboratories hereby grants You the following non-exclusive, non-transferable rights and licenses: To install and use one copy of the Software on any Authorized Unit owned or leased by You for Your internal business purposes on one Authorized Unit at a time by a single user. Copy the Software to make an archive copy for use as a back-up, provided that the primary and back-up copy may not be used concurrently. Use the Documentation, and make a reasonable number of printed copies from Documentation provided in electronic form, as is solely necessary in connection with Your permitted internal use of the Software. ICON LABORATORIES RESERVES ALL RIGHTS NOT EXPRESSLY GRANTED TO YOU HEREUNDER. Additional printed hard copies of Documentation may be purchased. 3.

RESTRICTIONS, OWNERSHIP: The Program is protected by copyright laws and international treaty. Ownership rights and intellectual property rights in the Program shall remain at all times in Icon Laboratories and/or its Grantors. The Program is licensed, not sold. You may not: (i) modify the Program, translate reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction) or attempt to derive the source code of Software provided to You in object code form, create derivative works of the Program or let any third party do any of the foregoing; or (ii) copy the Program other than as specified above; or (iii) sublicense, rent, lease, timeshare, grant a security interest in, transfer possession of the Program or otherwise assign or delegate this License or any of Your rights or duties hereunder. You agree to use Your best efforts to protect the Program from unauthorized reproduction, disclosure or use. TERMS AND TERMINATION: The License is effective until terminated. You may terminate Your License at any time. Your rights under this License will terminate automatically without notice from Icon Laboratories if You fail to comply with any terms of this License. Upon termination for any reason You shall return or, with Icon Laboratories permission, destroy all Program copies in Your possession or under Your control and certify to Icon Laboratories in writing that You have compiled with this requirement. LIMITED WARRANTY: Icon Laboratories warrants, for Your sole benefit, that for a period of thirty (30) days from the date of delivery to You (the Warranty Period) that, (a) the media containing the Program is free from defects under normal use, if You properly installed it; and, (b) that the Software, if unmodified and operated as directed, will substantially perform as described in its Documentation. 
EXCEPT FOR THE FOREGOING LIMITED WARRANTY THE PROGRAM IS PROVIDED AS IS, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ICON LABORATORIES AND ITS GRANTORS DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING OR USAGE IN TRADE. You assume full responsibility for the selection of the Software to achieve Your intended purpose, for the proper installation and use of the Software and verifying the results obtained from Your use and for all other matters under Your control. Icon Laboratories does not warrant that the quality or performance of Software will meet Your requirements or that the operation of Software will be or can be made interrupted or error free. Some jurisdictions do not allow the limitation or exclusion of implied warranties or how long an implied warranty may last, so the above limitations may not apply to You. This Warranty gives You specific legal rights and You may have other rights which vary from jurisdiction to jurisdiction. LIMITATION OF REMEDIES: Your exclusive remedy and Icon Laboratories sole liability for any defective media or failure of Software to conform to its Documentation You report to Icon Laboratories in writing during the Warranty period, Icon Laboratories will, at its option and expense, either: (a) replace defective media: or, (b) use commercially reasonable efforts to correct



non-conforming Software or replace it with a functionally equivalent program, or, (c) if Icon Laboratories determines the foregoing remedies are impractical, accept return of the Program, terminate this License and refund the amount You paid Icon Laboratories for the Program copies so returned. At the end of this Warranty Period all such liability shall terminate. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL ICON LABORATORIES OR ITS GRANTORS BE LIABLE FOR ANY SPECIAL, INDIRECT, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS ARISING FROM THE USER, OR INABILITY TO USE OR ACHIEVE ANY PARTICULAR RESULTS FROM USE OF THE PROGRAM EVEN IF ICON LABORATORIES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF ANY REMEDY HEREIN SHALL HAVE PROVEN INEFFECTIVE. In no case shall the total cumulative liability of Icon Laboratories or its Grantor(s) to You for all damages, losses and causes of action, regardless of legal theory, exceed the amount You paid Icon Laboratories under this License for the right to use the Program in question. 8. 9. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages to this limitation and exclusion may not apply to You. USE OF PURCHASER'S NAME: You agree that Icon Laboratories may use Your Company's name and may disclose that You are a licensee of Icon Laboratories products in Icon Laboratories' advertising, press, promotion and similar public disclosures with respect to the Program. However, such advertising, promotion or similar public disclosures shall not indicate that You, in any way, endorse Icon Laboratories products without Your prior written permission.

10. GENERAL: You acknowledge that You have read this License, understand it and agree to be bound by its terms. You further agree that it constitutes the entire agreement between You and Icon Laboratories and supersedes in their entirety any and all oral or written agreements previously existing between You and Icon Laboratories with respect to the subject matter. THE ACCEPTANCE OF ANY PURCHASE ORDER PLACED BY YOU IS EXPRESSLY MADE CONDITIONAL ON YOUE ASSENT TO THE TERMS SET FORTH HEREIN, AND NOT THOSE IN YOUR PURCHASE ORDER. If any part of this License is held invalid by, or in conflict with, any law having jurisdiction over this License, that provision of the License shall be enforced to the maximum extent permissible so as to effect the intent of the parties and the remaining provisions shall remain in full force and effect. This License shall be governed by and construed in accordance with Iowa law (except for conflict of law provisions), as applied to contracts entered into and to be performed entirely within Iowa between Iowa residents. Venue for disputes hereunder shall be in applicable state or federal courts in Iowa. U.S.A. and You and Icon Laboratories consent to the exclusive jurisdiction and venue of such courts. The application the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement may only be modified in writing signed by an authorized officer of Icon Laboratories. If You have any questions concerning this License or desire to contact Icon Laboratories for any reason, please write: Icon Laboratories, Inc., 3636 Westown Parkway, West Des Moines, IA 50266, telefax (515) 226-3462, email: support@icon-labs.com.


Contents

Introduction
Features
    Packet display features
    Packet display and filtering options
    MIB Options
    Choose LAN Adapter
    Capture Limits
    Statistics
System Requirements
    Hardware requirements
    Software requirements
    Operating System requirements
    Network requirements
Installing the Software
    How to install the SNMP Sniffer
Using the SNMP Sniffer
    Starting the Application and Using the Menu Options
    GUI Packet Window
    Capturing Packets
    Choose LAN Adapter
    Capture Limits
    Statistics
    Filtering
    Display Options
    Choosing and Loading MIBs
Questions and Answers
    What is the SNMP Sniffer?
    What platforms are supported?
    What software is required to run the SNMP Sniffer?
    What packet information does the SNMP Sniffer give to the user?
    How is this packet information displayed?
    How do I selectively view specific SNMP packets?
    What other packet display options are available?
    What management information base (MIB) is used as the target of the SNMP commands?
    Can I save a list of packets and view it later?
    What if the SNMP Sniffer doesn't capture ALL of the SNMP Packets I am expecting it to capture?
    What if no packets are being captured (and/or displayed)?
    Why can't I change the way packet information is displayed after I've stopped my packet capture session?
    Why aren't the OIDs resolved, even when I've checked that option?
    Why are there missing packet numbers in the Packet View?
    When I tried to open a past capture session, why do I get an "Unexpected File Format" error?
    What is the purpose of the Capture Limits dialog box?

Introduction
Thank you for using this version of the SNMP Sniffer from Icon Laboratories, Inc. The SNMP Sniffer is a promiscuous SNMP packet capture application. It filters all SNMP traffic visible to it and displays captured SNMP packets in real time. It uses the WinPcap packet capture utility. WinPcap is the adaptation of libpcap that works on the Windows operating system.

Features
The SNMP Sniffer captures SNMP packets, decodes them, and displays them on the screen in an easy-to-read format. The application has the following capabilities:

Packet display features


- Packets are displayed as they are captured (i.e. in real time).
- Each packet captured is given a packet number and is displayed along with host information concerning the source and destination of the packet. The time of the packet capture is also displayed.
- Each SNMP packet is parsed, and the values contained within the SNMP data fields are given. These fields include version, community, PDU type, request ID, error status, and error index.
- Information about each packet's VarBinds (variable bindings) is displayed in a separate part of the window. This accommodates packets with multiple VarBinds.
- SNMP version 1 trap packets do not contain the same fields as other SNMP packets. The field values of v1 trap packets are listed in a separate part of the window.
- A separate part of the window displays the entire SNMP packet, minus header information, in hexadecimal form.

Packet display and filtering options



- Display options allow the user to utilize IP-to-DNS conversion, resolve OIDs (object identifiers), display time in AM/PM format, and show/hide the gridlines on the display.
- The user may choose to only capture packets from/to a certain IP address. Filtering may also be done on port, community, OID value, SNMP version or PDU type.
- Packet display and filter options can be modified in the Options menu.

MIB Options
MIBs may be used to resolve OIDs (object identifiers) for captured packets. MIBs must be loaded before they are used to resolve OIDs. Sample MIBs are supplied with the application. You may also load other MIBs. You may load all of the MIBs in a certain path or specific MIBs in a path. In order to load different MIBs, you must unload MIBs that are already loaded.

Choose LAN Adapter


If you have more than one LAN adapter on your machine, you can use this dialog box to choose which adapter is used to capture SNMP packets. Please check the User's Manual or the Choose LAN Adapter dialog box if you are unsure which adapter has the WinPcap driver installed on it.

Capture Limits
You can use this dialog box to set upper limits on the number of packets to capture and the amount of system memory available to the SNMP Sniffer. This option lets you leave a packet capture session running for hours or days without worrying about using too much system memory.

Statistics
When a packet capture session is begun, a dialog box displays the elapsed time of the current capture and the number of SNMP packets accepted by the filter. Other basic packet capture statistics may be displayed after a capture session has been stopped. A new packet capture session may be started from the toolbar or the "Capture" menu. Statistics are available in the capture menu.

System Requirements
Hardware requirements
- Minimum 133 MHz Pentium PC
- 16 MB or more of RAM
- 10-MB hard-disk space
- CD-ROM drive or access to a CD-ROM over a computer network
- VGA display adapter or Higher-resolution display adapter
- Network Adapter card
- Connection to an Ethernet LAN

Software requirements
WinPcap packet capture driver. (This is packaged with the software).

Operating System requirements


Windows 98/ME or Windows 2000/NT 4.0 platforms.

Network requirements
The minimum requirement is a connection to an Ethernet LAN.


Installing the Software


The SNMP Sniffer is compatible with Windows 98/ME/NT/2000. Installation includes the WinPcap packet capture driver. Please delete any other instances of WinPcap that are already present on your system before beginning the installation process. It is necessary to have Administrator privileges in order to install SNMP Sniffer on Windows NT and Windows 2000. The primary installed components are the WinPcap packet capture driver, libsnmp.dll (for decoding of packets), and the SNMP Sniffer application. See the Questions and Answers section for more information about the WinPcap software.

How to install the SNMP Sniffer

From the CD-ROM: Follow these steps to install the SNMP Sniffer from the CD-ROM.
1. Quit any active Microsoft Windows programs.
2. Insert the product CD-ROM into a drive. The install screen will appear automatically. If the install screen does not appear after a few seconds, select Run from the Start menu and enter drive: setup.exe, where drive is the letter of the CD-ROM drive into which you loaded the product CD.
3. Follow the prompts that appear on your screen.
4. An icon will appear on your desktop.
5. An entry will be placed on the START PROGRAMS menu.

Glossary of SNMP Terms


GUI
Graphical User Interface: An interface for issuing commands to a computer utilizing a pointing device, such as a mouse, that manipulates and activates graphical images on a monitor.

IP
Internet Protocol: The network layer for the TCP/IP protocol suite widely used on Ethernet networks.

MIB
Management Information Base: A structured collection of all the managed objects maintained by a device. Managed objects are structured in the form of a hierarchical tree. MIBs are specifications containing definitions of management information so that networked systems can be remotely monitored, configured, and controlled.

OID
Object identifier: Generally an implementation-specific integer or pointer that uniquely identifies an object.

PDU
Protocol Data Unit: A message contains administrative information and an SNMP. The PDU type identifies the type of the message. The contents of a PDU are control fields, which are dependent on the message type, and an array of pairs. The first element of each pair is used to identify management information and the second element is used to specify the value of management information.

Packet
A short block of data transmitted in a packet switching network.

Sniffer
A tool that monitors packets on a TCP/IP network.

SNMP
Simple Network Management Protocol: The Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network. The SNMP-based management approach is defined by a collection of documents. These documents define a management framework consisting of four major components:
- a management protocol
- a definition of management information and events
- a core set of management information and events
- a mechanism and approach to manage the use of the protocol including security and access control
The operations in SNMP are limited to retrieving the value of management information, modifying the value of management information, and reporting an event.

VarBind
Variable bindings are a list of object identifier -- value pairs that specify the managed objects to either collect or modify.


Using the SNMP Sniffer


Starting the Application and Using the Menu Options
A shortcut to the SNMP Sniffer should be added to your desktop during the installation process. If not, you can access the application by clicking the Start button and highlighting the Programs menu. Then highlight the Icon Labs menu followed by the SNMP Sniffer option. Click the SNMP Sniffer selection. The SNMP Sniffer information window will appear, followed by the main screen.

Main Screen

File menu:


Capture menu:

- Begin: start a new packet capture session
- Stop: stop the current packet capture session (if one is executing)
- Choose LAN Adapter: select the network adapter to use for packet captures
- Capture Limits: set limits on number of packets to capture and the amount of system memory available to the application
- Statistics: view capture data
    - Number of TCP/IP packets seen
    - Total number of SNMP Packets captured
    - SNMP Packets filtered by PDU Type or Version
    - Number of packets dropped by Kernel

Options menu:

- View and modify filter specifications for future captures
- Modify display features for future captures
- Select MIB paths, load locations, and display loaded MIBs

View menu: Allows the option to view or hide the toolbar and status bar.

Help menu: Used to define elements of the application and provide contact information.


GUI Packet Window


How the screen is laid out:
- Packet # - Assigned by the application
- Time - Using the hh:mm:ss format
- Destination - Destination IP address
- Source - Source IP address
- Version - SNMP version of the packet
- Community - Details to whom access to the packet is available
- PDU Type - The different types of SNMP packets
- Req-ID - SNMP agent request ID number
- err status/gen trap - Generic trap field applies to SNMP trap packets; error status field applies to all remaining packets
- err idx/spec trap - Specific trap field applies to SNMP trap packets; error index field applies to all remaining packets

GUI Packet window

In the VarBinds view, the VarBind name and value are tied to the highlighted packet in the upper half portion of the screen.


Version 1 trap packets have a slightly different format than other SNMP packets. The V1 trap view displays three of the fields for this type of packet:
- V1 Trap - Enterprise
- Agent-address
- Trap Time-stamp

V1 trap view and Packet Hex view

In the Hex view, the hex data is tied to the highlighted packet in the upper half portion of the screen. In this view, the SNMP data is shown in hexadecimal format. Only the SNMP packet is shown; no header information is included.
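Added example (not part of the Icon Laboratories manual or product code): a minimal Python BER decoder that turns SNMP bytes of the kind shown in the Hex view into the fields listed for the packet window, the VarBinds view and the V1 trap view. It assumes SNMPv1/v2c message framing only; the function names and the two sample packets are constructed for illustration.

```python
# Added example: minimal BER decoder for SNMPv1/v2c messages (illustrative only).
PDU_TYPES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response",
             0xA3: "set-request", 0xA4: "trap-v1", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "trap-v2", 0xA8: "report"}
VERSIONS = {0: "v1", 1: "v2c"}
UNSIGNED = {0x41, 0x42, 0x43, 0x46}   # Counter32, Gauge32, TimeTicks, Counter64
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):        # never trust a length taken from the wire
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, tag):
    """Read one element and require a specific tag."""
    got, value, pos = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, pos

def decode_oid(v):
    """Decode base-128 sub-identifiers into dotted notation."""
    if not v or v[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [], 0
    for b in v:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)      # first octet packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_value(tag, v):
    if tag == 0x02:                    # INTEGER
        return int.from_bytes(v, "big", signed=True)
    if tag in UNSIGNED:
        return int.from_bytes(v, "big")
    if tag == 0x04:                    # OCTET STRING: text if ASCII, else hex
        try:
            return v.decode("ascii")
        except UnicodeDecodeError:
            return v.hex()
    if tag == 0x05:                    # NULL
        return None
    if tag == 0x06:
        return decode_oid(v)
    if tag == 0x40 and len(v) == 4:    # IpAddress
        return ".".join(str(b) for b in v)
    return EXCEPTIONS.get(tag, v.hex())

def decode_varbinds(buf):
    """Decode the VarBindList body into (oid, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        vb, pos = expect(buf, pos, 0x30)
        name, p = expect(vb, 0, 0x06)
        tag, value, _ = read_tlv(vb, p)
        out.append((decode_oid(name), decode_value(tag, value)))
    return out

def decode_snmp(data):
    """Decode one SNMP message (no IP/UDP header) into a dict of display fields."""
    msg, _ = expect(data, 0, 0x30)
    ver, pos = expect(msg, 0, 0x02)
    community, pos = expect(msg, pos, 0x04)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    ver = decode_value(0x02, ver)
    row = {"version": VERSIONS.get(ver, f"unknown({ver})"),
           "community": decode_value(0x04, community),
           "pdu_type": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")}
    if pdu_tag == 0xA4:                # v1 trap has its own field layout
        fields = [("enterprise", 0x06), ("agent_addr", 0x40), ("generic_trap", 0x02),
                  ("specific_trap", 0x02), ("time_stamp", 0x43)]
    else:                              # get-bulk reuses these slots for its own counters
        fields = [("request_id", 0x02), ("error_status", 0x02), ("error_index", 0x02)]
    pos = 0
    for name, tag in fields:
        value, pos = expect(pdu, pos, tag)
        row[name] = decode_value(tag, value)
    vbl, _ = expect(pdu, pos, 0x30)
    row["varbinds"] = decode_varbinds(vbl)
    return row

# Constructed sample packets (not captured traffic).
GET_REQUEST = bytes.fromhex(
    "30 27 02 01 00 04 06 70 75 62 6c 69 63 a0 1a 02 02 30 39 02 01 00 02 01 00"
    " 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
V1_TRAP = bytes.fromhex(
    "30 38 02 01 00 04 06 70 75 62 6c 69 63 a4 2b 06 06 2b 06 01 04 01 63"
    " 40 04 c0 00 02 01 02 01 02 02 01 00 43 02 30 39"
    " 30 11 30 0f 06 0a 2b 06 01 02 01 02 02 01 01 01 02 01 01")

if __name__ == "__main__":
    for pkt in (GET_REQUEST, V1_TRAP):
        print(decode_snmp(pkt))
```

SNMPv1 and v2c carry the community string unencrypted, so any capture point that sees the traffic can read it, which is why it appears as a plain column in the packet window.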


Capturing Packets
A packet capture can be started in three different ways:
1. Select Begin from the Capture pull down menu.
2. Select the "green light" icon from the toolbar.
3. Type CTRL+B from the keyboard.

Green light icon

Once started, the status bar will display both the time spent capturing the packets and the number of SNMP packets captured. Most toolbar buttons and menu options are disabled during a capture session. To stop the packet capture, select "Stop" from the Capture pulldown menu OR select the "red light" icon from the toolbar. The toolbar button will be enabled when a capture is started.


"Red light" icon


Choose LAN Adapter


This window allows you to change the adapter that the application uses to capture packets. All network adapters on the current system are shown in a list box. The adapter that is currently being used is shown below the list box. Once you select the adapter that you will be using on your system, you can click "Save as Default" to make this the default adapter to use for future packet capture sessions.

NOTE: Although all network adapters are displayed, an adapter can capture packets ONLY if it has WinPcap installed on it. If you are not sure which adapter has WinPcap installed on it, you should select one of the adapters listed and then start a packet capture session. Then stop the packet capture and look at the packet capture statistics to see if any packets are being captured. If "Total Packets Seen" equals zero, then you should select a different adapter.

Capture Limits
You can use this dialog box to set upper limits on the number of packets to capture and on the amount of system memory available to the SNMP Sniffer. These options are useful if you want to leave the application running unattended for hours, days, or more. Limiting the number of packets to capture makes it easier to capture and view ONLY the packets you want.

As packets are captured, the application allocates memory for the packets. In tests, the Windows Task Manager revealed that the amount of memory required is about 6-8 KB per packet. This is added to the approximately 7 MB required by the application when it is launched. Limiting a capture by memory usage is a safeguard for your system.

The SNMP Sniffer deallocates memory whenever the current packet display is cleared. This can be done in 3 ways:
1. By clicking "New" in the File menu or on the toolbar.
2. By clicking "Open" and opening a previously saved capture session.
3. By clicking "Start capture" in the Capture menu or on the toolbar.
Memory is also deallocated when you exit the application.

In Windows, memory that is deallocated is marked as available for use, but the memory usage (i.e. "working set") of the corresponding application is NOT reduced. This can be observed using the Windows Task Manager. Windows gives memory priority to applications that are visible on the desktop. An easy way to reduce the memory usage of any process is to minimize the process's window. Even though the SNMP Sniffer deallocates memory as it goes along, this is not revealed in the working set value. The limit on memory usage is based on the working set, NOT on the amount of memory allocated by the application.

Statistics
The following data may be viewed for a packet capture:
- Total number of TCP/IP packets seen.
- SNMP packets captured by the basic packet filter. This is a count of all SNMP packets that also satisfy IP address and port number filtering options.
- SNMP packets filtered according to SNMP packet filter options. This is a count of packets that, in addition to satisfying the basic packet filter, also satisfy SNMP-specific filtering options.
- Number of SNMP packets dropped by kernel.

To view this data, select Statistics from the Capture menu. To view the filtering specifications for the current capture, select 'Filters' from the 'Options' menu.


Filtering
Filter specifications can be viewed or adjusted by selecting Filters from the Options menu. The following fields may be adjusted:
- IP Source Address
- IP Destination Address
- Port Number
- Community
- OID
- SNMP Packet Version
- PDU Type

To show how the filtering options affect the current packet filter, click Apply. To save your settings for future Capture Sessions, click Save as Default. Once the desired options are selected, click OK. Your options will be saved and the dialog box will close.

Display Options
The display can be modified so that the information desired is displayed.

To save your settings for future capture sessions, click Save as Default. To set the display options, check the desired boxes for the next capture and click OK.


Choosing and Loading MIBs

MIB Options

MIBs may be used to resolve OIDs for captured packets. MIBs must be loaded before they are used to resolve OIDs. Common MIBs are supplied with the application (located in <Install Dir>\MIBs\Standard). Additional MIBs may be loaded as desired by including their location in the MIB Path or loading them specifically.

Note: All MIBs included by a MIB that is being loaded must be present in the MIB Path.

RECOMMENDATION: It is recommended that additional MIBs you wish to load (and any MIBs they include) be placed into the <Install Dir>\MIBs\User directory and that "Load all MIBs" be chosen. This builds a more complete MIB tree that contains standard SNMP OIDs.

You may also unload unnecessary MIBs that are already loaded.

Questions and Answers


What is the SNMP Sniffer?
The SNMP Sniffer is an application that captures SNMP packets on a network node and then displays the packets in a graphical user interface (GUI) format. Both capture and display occur in real time. The SNMP Sniffer uses the WinPcap packet capture driver to examine all known packets and capture specific packets based upon options chosen by the user.

What platforms are supported?
The SNMP Sniffer supports Windows 98/Me and NT/2000. Other platforms could be supported in the future, based upon demand. Please contact Icon Laboratories, Inc., if you are interested in using the SNMP Sniffer on a different platform.

What software is required to run the SNMP Sniffer?
The application requires the WinPcap packet capture driver. This is installed during the normal setup process. For more information on the WinPcap architecture, see the WinPcap driver web page (http://netgroup-serv.polito.it/WinPcap). There is also a WinPcap FAQ at that site.

What packet information does the SNMP Sniffer give to the user?
The application displays a variety of information about SNMP packets: arrival time, IP destination address, IP source address, SNMP packet version, community, request ID, error index, error status, PDU type, VarBind information, trap information, and a hexadecimal display of the packet.

How is this packet information displayed?
Packets are displayed in a list format, while field data within a packet is displayed in columns. Since one SNMP packet may contain multiple VarBinds, a separate list displays VarBind information. Trap packets for version 1 traps contain different fields from other SNMP packets, so these fields are displayed in a third view. These three views are stacked vertically in the display. The packet view is given the most space, but the user may adjust the amount of space allocated to each view.

How do I selectively view specific SNMP packets?
In the default case, the SNMP Sniffer uses a packet filter that captures all SNMP packets on the typical SNMP message and trap ports (161 and 162, respectively). However, the user may narrow the focus of this filter by specifying IP source or destination address, port number, OID, SNMP packet version, or PDU type.

What other packet display options are available?
The user has the following options for the display:
- IP addresses may be resolved to domain names.
- Object identifiers (OIDs) may be converted into name format.
- Time may be displayed in 24-hour or am/pm format.

What management information base (MIB) is used as the target of the SNMP commands?
Generic MIBs are supplied with the application, and the user may also specify a local or network path to use other MIBs. MIBs may be specified in the "Options" menu, in the "MIB Options" dialog box.

Can I save a list of packets and view it later?
Any packet capture may be saved and reopened later. The suffix .sft is given to the capture file when it is stored. Choose Open from the File menu and select the capture file you would like to reopen.

What if the SNMP Sniffer doesn't capture ALL of the SNMP Packets I am expecting it to capture?
There are several reasons why a packet may not be captured:
1. The packet never reached the node of the network that the SNMP Sniffer was operating on. This is due to the network topology. For instance, a switched network may isolate the application from seeing the packet.
2. The filter may be excluding the packet. Go to Options/Filters to see if the correct SNMP packet filter settings are being used.
3. One of the capture limits may have been exceeded. Click on Capture Limits in the Capture menu to see if memory usage or packet capture values have been exceeded.

What if no packets are being captured (and/or displayed)?
You can tell if any packets are being captured by looking at the Capture/Statistics dialog box after attempting a packet capture. If the number of total packets seen is zero, then the packet capture driver is not capturing any packets.

First, go to the "Choose LAN Adapter" dialog box and make sure that you have selected the correct adapter to watch for packets. You can try packet captures with other adapters on the list if you are not sure which one you should use.

There might also be a problem with the WinPcap driver on Windows NT/2000. The following description is from the WinPcap FAQ: "At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff the packets."

If neither of these methods solves your problem, please check the latest FAQ on our web site. If your question isn't answered there, you may contact the Icon Laboratories, Inc. support team by emailing us at support@icon-labs.com.

Why can't I change the way packet information is displayed after I've stopped my packet capture session?
Except for the appearance of gridlines, packet display information must be set in the Options/Display Options dialog box BEFORE a capture is begun. When a packet capture session is started, packet information is stored in the same format as it is displayed, so the display cannot be modified after a capture is done.

Why aren't the OIDs resolved, even when I've checked that option?
The MIB that you selected might not have been loaded correctly. Try setting the MIB path again. If this doesn't work, please contact Icon Laboratories at support@icon-labs.com.

Why are there missing packet numbers in the Packet View?
Every time an SNMP packet meets the current requirements of the WinPcap driver, the packet is given a unique Packet Number. The driver filters packets based on packet header information. After this, the application itself may apply another filter based on information WITHIN the SNMP packet (e.g. version or PDU type). Packets that already have packet numbers may be excluded in this process, so some packet numbers would not be shown.

When I tried to open a past capture session, why do I get an "Unexpected File Format" error?
If you get this error, it is because you are trying to open a capture file that was saved in an earlier version of the SNMP Sniffer. Files saved in SNMP Sniffer Version 1.x cannot be opened by later versions of the application. Starting with Version 2.0, capture files that are stored in one version of the SNMP Sniffer will be accessible in future versions.

What is the purpose of the Capture Limits dialog box?
When the SNMP Sniffer captures and displays an SNMP packet, it allocates a certain amount of memory for that packet. In tests, the memory usage for the application turns out to be about 7 MB upon initialization and an additional 6-8 KB per captured packet. The Capture Limits dialog box exists for you to ensure that the application will not use up too much memory on your machine. It is a useful option if you would like to start a capture session and then let it run unattended for hours, days, or even weeks. As soon as the limit (memory usage or number of packets) is reached, the capture is automatically stopped and the packets are displayed. The status bar also displays the following statement: "Capture Aborted because Capture Limit(s) Exceeded".

If your question has not been addressed here, please contact Icon Laboratories at support@icon-labs.com. Other information and recent FAQs may be accessed at the Icon Laboratories web site, http://www.icon-labs.com.

About Icon Laboratories

Icon Laboratories, Inc. provides a full set of network management tools and beginning-to-end development services to the growing embedded systems industry: network management, telecommunications, industrial automation and consumer electronics. Founded in 1992, Icon Labs is headquartered in West Des Moines, Iowa. Move Faster with Icon Labs.

3636 Westown Pkwy. Suite 101
West Des Moines, Iowa 50266
Phone: 515-226-3443
Toll Free: 888-235-3443
Fax: 515-226-3462
Email: info@icon-labs.com
www.icon-labs.com

Professional Services
Icon Laboratories, Inc. is a proven professional services provider in the embedded systems marketplace. Our solutions are at work every day, from broadband Internet access devices to core network routers, from smart modems to optical cross-connects, and from the factory floor to the operating room. Today's competitive marketplace, shortened product life cycles, and rapidly advancing technology have created complex new challenges to building successful technology applications. Icon Labs combines embedded system expertise and proven engineering discipline to help you Move Faster!

SNMP Agent Tester


Are you spending lots of time ensuring the quality of your SNMP agents? The SNMP Agent Tester from Icon Labs can significantly reduce your development cycle helping you to get to market faster. Our tester is an easy to use tool that can exhaustively test your SNMP agent in minutes!

The tester allows the user to select a standard or enterprise MIB, or set of MIBs, to perform testing on. After the user specifies the agent to be tested, the connection is made and the tester automatically performs the required test. The level of logging required for offline analysis can be specified through the GUI. The tester will exercise an SNMP v1/v2c agent by issuing SET, GET and GETNEXT commands where appropriate. It will then perform various compare operations on the results and report back to the user.

SNMP IQ Application Builder


SNMP IQ Application Builder is the only RAD tool available for embedded SNMP agent development. SNMP IQ is both a visual IDE and code generator for automating a wide variety of SNMP development tasks. The SNMP IQ visual IDE is an environment for creating MIBs and specifying system behaviors. All MIB elements (MIB files, tables, table elements, scalars and traps) are easily created within the IDE. No direct editing of the ASN.1 MIB file is required. The MIB and behavioral specifications are used during code generation to create a central database within the embedded application along with the SNMP agent for managing the database. Public APIs are provided for setting and retrieving data values. With SNMP IQ, a complete SNMP agent can be up and running in minutes.
