Add MIB files to Wireshark SNMP decoder
From CT3
Wireshark’s SNMP decoder uses the Net-SNMP library for OID-to-name mappings. Net-SNMP is easily extended with additional MIB files, allowing you to decode SNMP traffic that uses vendor-specific MIBs. However, Wireshark ignores Net-SNMP configuration files and uses its own set of configuration parameters, making the whole process a bit more complex.
Identifying the need for additional MIB files
Whenever Wireshark encounters a SNMP OID that cannot be resolved into a MIB variable, it displays the partially resolved name (for example, enterprises.9.9.41.2.0.1) and marks the packet as partially unresolved (default color: light blue). Furthermore, the values of the SNMP variables are displayed as binary data, as Wireshark cannot correctly determine the object type.
If you want to resolve and properly display the MIB variables, you have to download the MIB files and configure Wireshark to use them.
Identifying the MIB
After identifying the OID string you want to decode, you have to download the MIB containing the OID definition. You can use vendor-specific tools (for example, SNMP object navigator from Cisco) or third-party solutions (for example, ByteSphere’s MIB repository). Cisco’s SNMP object navigator identifies the OID 1.3.6.1.4.1.9.9.41.2.0.1 as part of the CISCO-SYSLOG-MIB.
Downloading the MIB
You can download the target MIB from third-party repository (ByteSphere) or from the vendor.
When using Cisco’s SNMP object navigator, you can click on the MIB to display the MIB definition and the prerequisite MIBs. The download links can be used to download the individual MIB files:
Download the MIBs into a directory on your workstation. MIB file names are not highly relevant; Net-SNMP is able to locate the required MIBs regardless of the actual file names.
It’s best to store the MIB files into the Net-SNMP’s default MIB directory, which is easily identified with the net-snmp-config program:
# net-snmp-config --default-mibdirs
/root/.snmp/mibs:/usr/share/snmp/mibs
After you’ve downloaded the MIBs, test the OID-to-name translation with the snmptranslate program, specifying the target MIB with the -m option. If you’ve skipped one or more MIBs in the prerequisite list, you’ll get error messages similar to this one:
# snmptranslate -m CISCO-SYSLOG-MIB 1.3.6.1.4.1.9.9.41.2.0.1
No log handling enabled - turning on stderr logging
Cannot find module (CISCO-SMI): At line 54 in /usr/share/snmp/mibs/CISCO-SYSLOG-MIB.txt
Did not find 'ciscoMgmt' in module #-1 (/usr/share/snmp/mibs/CISCO-SYSLOG-MIB.txt)
Unlinked OID in CISCO-SYSLOG-MIB: ciscoSyslogMIB ::= { ciscoMgmt 41 }
Undefined identifier: ciscoMgmt near line 59 of /usr/share/snmp/mibs/CISCO-SYSLOG-MIB.txt
When all the required MIBs have been downloaded into the MIB directory, the OID-to-name translation succeeds:
# snmptranslate -m CISCO-SYSLOG-MIB 1.3.6.1.4.1.9.9.41.2.0.1
CISCO-SYSLOG-MIB::clogMessageGenerated
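The errors above appear because a MIB's IMPORTS section names other modules that must also be present in the MIB directory, and those modules import further modules in turn. The following shell script is an added example (not part of the original article or of Net-SNMP) that walks the IMPORTS tree of a module the same way a reviewer would before restarting Wireshark: it locates each module by its DEFINITIONS ::= BEGIN header rather than by file name, exactly as the text says Net-SNMP does, and prints the modules that are still missing. The sample MIB files it creates are constructed stubs, not the real Cisco MIBs; the function names and the temporary directory are the example's own.

```shell
#!/bin/sh
# Added example: check that every module a MIB imports, directly or
# transitively, is defined by some file in a MIB directory.

mib_imports() {
    # $1: path to a MIB file. Print each module named in a FROM clause of
    # the IMPORTS section (which ends at the first ';'), one per line.
    awk '
        /^[ \t]*IMPORTS/ { inimports = 1 }
        inimports {
            for (i = 1; i < NF; i++)
                if ($i == "FROM") { m = $(i + 1); sub(/;.*/, "", m); print m }
            if ($0 ~ /;/) inimports = 0
        }
    ' "$1" | sort -u
}

mib_file_for() {
    # $1: MIB directory, $2: module name. Print the first file whose header
    # reads "<module> DEFINITIONS ::= ..."; file names play no role.
    grep -l -E "^[ \t]*$2[ \t]+DEFINITIONS[ \t]*::=" "$1"/* 2>/dev/null | head -n 1
}

check_mib_deps() {
    # $1: MIB directory, $2: starting module name.
    # Walk the import tree and print every module no file defines, one per
    # line. Exit status 0 when the tree is complete, 1 when something is missing.
    _dir=$1
    _todo=$2
    _seen=" "
    _missing=""
    while [ -n "$_todo" ]; do
        set -- $_todo
        mod=$1; shift; _todo="$*"
        case "$_seen" in *" $mod "*) continue ;; esac
        _seen="$_seen$mod "
        f=$(mib_file_for "$_dir" "$mod")
        if [ -z "$f" ]; then
            _missing="$_missing $mod"
            continue
        fi
        _todo="$_todo $(mib_imports "$f")"
    done
    [ -z "$_missing" ] && return 0
    for m in $_missing; do echo "$m"; done | sort -u
    return 1
}

make_sample_mibdir() {
    # Constructed sample: three stub MIBs with arbitrary file names. The
    # stub CISCO-SYSLOG-MIB also imports SNMPv2-TC, which is deliberately
    # not provided, so the check reports it as missing.
    d=$(mktemp -d)
    cat > "$d/syslog.my" <<'EOF'
CISCO-SYSLOG-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, TimeStamp
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;
END
EOF
    cat > "$d/cisco-smi.my" <<'EOF'
CISCO-SMI DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
END
EOF
    cat > "$d/smi.my" <<'EOF'
SNMPv2-SMI DEFINITIONS ::= BEGIN
END
EOF
    echo "$d"
}

# Stand-alone run: report what is missing for the stub CISCO-SYSLOG-MIB.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_mibdir)
    check_mib_deps "$dir" CISCO-SYSLOG-MIB
    rm -rf "$dir"
fi
```

Run it against a real directory with `check_mib_deps /usr/share/snmp/mibs CISCO-SYSLOG-MIB` after sourcing the script; an empty output and exit status 0 mean snmptranslate should no longer complain about unresolved modules for that MIB.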
Configuring Wireshark
Wireshark 1.1.2 uses the Preferences dialog box to configure numerous parameters, including name resolution. The Name resolution tab contains two SNMP-related parameters: the list of MIB directories and the list of MIBs that have to be loaded:
Add the directory containing the MIB definitions to the SMI paths parameter. Add all the required MIBs to the SMI modules parameters. The changed parameters take effect after Wireshark is restarted.
The SMI paths and SMI modules values are stored in the smi_paths and smi_modules files in the Wireshark configuration directory (~/.wireshark on Linux). As an emergency measure you can edit the files manually, but it’s best to change their contents through Wireshark configuration screens.
Sample contents of these two files are shown in the following printouts:
smi_paths file
# This file is automatically generated, DO NOT MODIFY.
"/usr/share/snmp/mibs"
smi_modules file
# This file is automatically generated, DO NOT MODIFY.
"IP-MIB"
"IF-MIB"
"TCP-MIB"
"UDP-MIB"
"SNMPv2-MIB"
"RFC1213-MIB"
"IPV6-ICMP-MIB"
"IPV6-MIB"
"SNMP-COMMUNITY-MIB"
"SNMP-FRAMEWORK-MIB"
"SNMP-MPD-MIB"
"SNMP-NOTIFICATION-MIB"
"SNMP-PROXY-MIB"
"SNMP-TARGET-MIB"
"SNMP-USER-BASED-SM-MIB"
"SNMP-USM-DH-OBJECTS-MIB"
"SNMP-VIEW-BASED-ACM-MIB"
"CISCO-SMI-MIB"
"CISCO-SYSLOG-MIB"
Test the additional Wireshark MIBs
Restart Wireshark and open a capture file containing SNMP traffic with SNMP variables from the newly installed MIBs. Inspect the packets and verify that the names are resolved correctly. The detailed display of the packet contents should include variable names from the MIB as well as properly decoded values.