(Icon Laboratories) SNMP Sniffer User Manual


  • 8/13/2019 (Icon Laboratories) SNMP Sniffer User Manual


    2001 Icon Laboratories, Inc. All Rights Reserved. Version 2.1

    SNMP Sniffer

    Manual

    3636 Westown Parkway

    Suite 101

    West Des Moines, IA 50266

    Main: (888) 235-3443

    Fax: (515) 226-3462

    http://www.icon-labs.com

    Copyright 201, All rights reserved.

    Copyright notices for software that is distributed with the SNMP Sniffer are given in the following files: wpcapCpwrt.txt and netSnmpCpwrt.txt. These files are installed along with the application.

    End-User License Agreement

    Icon Laboratories, Inc. SNMP Sniffer

    IMPORTANT! READ CAREFULLY: This License Agreement (License) is a legal agreement between you and Icon Laboratories, Inc. The right to use the Software is granted only on the condition that you agree to the following License. If You do not agree to the terms of the License, then Icon Laboratories, Inc. and its Grantors are unwilling to license the Software to You, in which case You may return the package within 30 days and Your purchase price will be refunded. HOWEVER, BY INSTALLING, COPYING OR USING THE SOFTWARE YOU INDICATE YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS.

    1. DEFINITIONS: You and Your means the entity purchasing, opening and using this package.

    Software means computer programming code contained on the accompanying media and in the form (object or source) and format provided, and all full or partial copies of same, whether provided by Icon Laboratories or copies made by You as permitted under this License.

    Documentation means the related user materials furnished with the Software, and all full or partial copies of same, that describe its operational characteristics or matters related to its installation or use, whether provided in published written material, on magnetic media or communicated by electronic means.

    Program is a general term meaning the Software and its associated Documentation collectively. Programs may contain or be derived from materials of third party authors (Grantor) from whom Icon Laboratories has obtained marketing rights. Grantors are listed in the Documentation and are intended beneficiaries of this License.

    Authorized Unit means the host computer or target microprocessor which the Software per its Documentation, is intended to operate on and upon which You install and use the Software.

    2. GRANT OF LICENSE: Subject to Your prompt payment of quoted fees, Icon Laboratories hereby grants You the following non-exclusive, non-transferable rights and licenses:

    To install and use one copy of the Software on any Authorized Unit owned or leased by You for Your internal business purposes on one Authorized Unit at a time by a single user.

    Copy the Software to make an archive copy for use as a back-up, provided that the primary and back-up copy may not be used concurrently.

    Use the Documentation, and make a reasonable number of printed copies from Documentation provided in electronic form, as is solely necessary in connection with Your permitted internal use of the Software.

    ICON LABORATORIES RESERVES ALL RIGHTS NOT EXPRESSLY GRANTED TO YOU HEREUNDER. Additional printed hard copies of Documentation may be purchased.

    3. RESTRICTIONS, OWNERSHIP: The Program is protected by copyright laws and international treaty. Ownership rights and intellectual property rights in the Program shall remain at all times in Icon Laboratories and/or its Grantors. The Program is licensed, not sold. You may not: (i) modify the Program, translate, reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction) or attempt to derive the source code of Software provided to You in object code form, create derivative works of the Program or let any third party do any of the foregoing; or (ii) copy the Program other than as specified above; or (iii) sublicense, rent, lease, timeshare, grant a security interest in, transfer possession of the Program or otherwise assign or delegate this License or any of Your rights or duties hereunder. You agree to use Your best efforts to protect the Program from unauthorized reproduction, disclosure or use.

    4. TERMS AND TERMINATION: The License is effective until terminated. You may terminate Your License at any time. Your rights under this License will terminate automatically without notice from Icon Laboratories if You fail to comply with any terms of this License. Upon termination for any reason You shall return or, with Icon Laboratories' permission, destroy all Program copies in Your possession or under Your control and certify to Icon Laboratories in writing that You have complied with this requirement.

    5. LIMITED WARRANTY: Icon Laboratories warrants, for Your sole benefit, that for a period of thirty (30) days from the date of delivery to You (the Warranty Period) that, (a) the media containing the Program is free from defects under normal use, if You properly installed it; and, (b) that the Software, if unmodified and operated as directed, will substantially perform as described in its Documentation. EXCEPT FOR THE FOREGOING LIMITED WARRANTY THE PROGRAM IS PROVIDED AS IS, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ICON LABORATORIES AND ITS GRANTORS DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING OR USAGE IN TRADE. You assume full responsibility for the selection of the Software to achieve Your intended purpose, for the proper installation and use of the Software and verifying the results obtained from Your use and for all other matters under Your control. Icon Laboratories does not warrant that the quality or performance of Software will meet Your requirements or that the operation of Software will be or can be made uninterrupted or error free.

    6. Some jurisdictions do not allow the limitation or exclusion of implied warranties or how long an implied warranty may last, so the above limitations may not apply to You. This Warranty gives You specific legal rights and You may have other rights which vary from jurisdiction to jurisdiction.

    7. LIMITATION OF REMEDIES: Your exclusive remedy and Icon Laboratories' sole liability for any defective media or failure of Software to conform to its Documentation You report to Icon Laboratories in writing during the Warranty period, Icon Laboratories will, at its option and expense, either: (a) replace defective media; or, (b) use commercially reasonable efforts to correct non-conforming Software or replace it with a functionally equivalent program, or, (c) if Icon Laboratories determines the foregoing remedies are impractical, accept return of the Program, terminate this License and refund the amount You paid Icon Laboratories for the Program copies so returned. At the end of this Warranty Period all such liability shall terminate. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL ICON LABORATORIES OR ITS GRANTORS BE LIABLE FOR ANY SPECIAL, INDIRECT, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS ARISING FROM THE USER, OR INABILITY TO USE OR ACHIEVE ANY PARTICULAR RESULTS FROM USE OF THE PROGRAM EVEN IF ICON LABORATORIES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF ANY REMEDY HEREIN SHALL HAVE PROVEN INEFFECTIVE. In no case shall the total cumulative liability of Icon Laboratories or its Grantor(s) to You for all damages, losses and causes of action, regardless of legal theory, exceed the amount You paid Icon Laboratories under this License for the right to use the Program in question.

    8. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages so this limitation and exclusion may not apply to You.

    9. USE OF PURCHASER'S NAME: You agree that Icon Laboratories may use Your Company's name and may disclose that You are a licensee of Icon Laboratories products in Icon Laboratories' advertising, press, promotion and similar public disclosures with respect to the Program. However, such advertising, promotion or similar public disclosures shall not indicate that You, in any way, endorse Icon Laboratories products without Your prior written permission.

    10. GENERAL: You acknowledge that You have read this License, understand it and agree to be bound by its terms. You further agree that it constitutes the entire agreement between You and Icon Laboratories and supersedes in their entirety any and all oral or written agreements previously existing between You and Icon Laboratories with respect to the subject matter. THE ACCEPTANCE OF ANY PURCHASE ORDER PLACED BY YOU IS EXPRESSLY MADE CONDITIONAL ON YOUR ASSENT TO THE TERMS SET FORTH HEREIN, AND NOT THOSE IN YOUR PURCHASE ORDER. If any part of this License is held invalid by, or in conflict with, any law having jurisdiction over this License, that provision of the License shall be enforced to the maximum extent permissible so as to effect the intent of the parties and the remaining provisions shall remain in full force and effect. This License shall be governed by and construed in accordance with Iowa law (except for conflict of law provisions), as applied to contracts entered into and to be performed entirely within Iowa between Iowa residents. Venue for disputes hereunder shall be in applicable state or federal courts in Iowa, U.S.A. and You and Icon Laboratories consent to the exclusive jurisdiction and venue of such courts. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement may only be modified in writing signed by an authorized officer of Icon Laboratories.

    If You have any questions concerning this License or desire to contact Icon Laboratories for any reason, please write: Icon Laboratories, Inc., 3636 Westown Parkway, West Des Moines, IA 50266, telefax (515) 226-3462, email: [email protected].

    Contents

    Introduction
    Features
        Packet display features
        Packet display and filtering options
        MIB Options
        Choose LAN Adapter
        Capture Limits
        Statistics
    System Requirements
        Hardware requirements
        Software requirements
        Operating System requirements
        Network requirements
    Installing the Software
        How to install the SNMP Sniffer
    Using the SNMP Sniffer
        Starting the Application and Using the Menu Options
        GUI Packet Window
        Capturing Packets
        Choose LAN Adapter
        Capture Limits
        Statistics
        Filtering
        Display Options
        Choosing and Loading MIBs
    Questions and Answers
        What is the SNMP Sniffer?
        What platforms are supported?
        What software is required to run the SNMP Sniffer?
        What packet information does the SNMP Sniffer give to the user?
        How is this packet information displayed?
        How do I selectively view specific SNMP packets?
        What other packet display options are available?
        What management information base (MIB) is used as the target of the SNMP commands?
        Can I save a list of packets and view it later?
        What if the SNMP Sniffer doesn't capture ALL of the SNMP Packets I am expecting it to capture?
        What if no packets are being captured (and/or displayed)?
        Why can't I change the way packet information is displayed after I've stopped my packet capture session?
        Why aren't the OIDs resolved, even when I've checked that option?
        Why are there missing packet numbers in the Packet View?
        When I tried to open a past capture session, why do I get an "Unexpected File Format" error?
        What is the purpose of the Capture Limits dialog box?

    Introduction

    Thank you for using this version of the SNMP Sniffer from Icon Laboratories, Inc. The SNMP Sniffer is a promiscuous SNMP packet capture application. It filters all SNMP traffic visible to it and displays captured SNMP packets in real time. It uses the WinPcap packet capture utility. WinPcap is the adaptation of libpcap that works on the Windows operating system.

    Features

    The SNMP Sniffer captures SNMP packets, decodes them, and displays them on the screen in an easy-to-read format. The application has the following capabilities:

    Packet display features

    Packets are displayed as they are captured (i.e. in real time).

    Each packet captured is given a packet number and is displayed along with host information concerning the source and destination of the packet. The time of the packet capture is also displayed.

    Each SNMP packet is parsed, and the values contained within the SNMP data fields are given. These fields include version, community, PDU type, request ID, error status, and error index.

    Information about each packet's VarBinds (variable bindings) is displayed in a separate part of the window. This accommodates packets with multiple VarBinds.

    SNMP version 1 trap packets do not contain the same fields as

    other SNMP packets. The field values of v1 trap packets are

    listed in a separate part of the window.

    A separate part of the window displays the entire SNMP

    packet, minus header information, in hexadecimal form.

    Packet display and filtering options

    Display options allow the user to utilize IP-to-DNS conversion,

    resolve OIDs (object identifiers), display time in AM/PM format,

    and show/hide the gridlines on the display.

    The user may choose to only capture packets from/to a

    certain IP address. Filtering may also be done on port,

    community, OID value, SNMP version or PDU type.

    Packet display and filter options can be modified in the

    Options menu.

    MIB Options

    MIBs may be used to resolve OIDs (object identifiers) for captured packets. MIBs must be loaded before they are used to resolve OIDs.

    Sample MIBs are supplied with the application. You may also load other MIBs. You may load all of the MIBs in a certain path or specific MIBs in a path.

    In order to load different MIBs, you must unload MIBs that are

    already loaded.

    Choose LAN Adapter

    If you have more than one LAN adapter on your machine, you can use this dialog box to choose which adapter is used to capture SNMP packets.

    Please check the User's Manual or the Choose LAN Adapter dialog box if you are unsure which adapter has the WinPcap driver installed on it.

    Capture Limits

    You can use this dialog box to set upper limits on the number of packets to capture and the amount of system memory available to the SNMP Sniffer.

    This option lets you leave a packet capture session running for hours or days without worrying about using too much system memory.

    Statistics

    When a packet capture session is begun, a dialog box displays the elapsed time of the current capture and the number of SNMP packets accepted by the filter.

    Other basic packet capture statistics may be displayed after a capture session has been stopped.

    A new packet capture session may be started from the toolbar or the "Capture" menu. Statistics are available in the capture menu.

    System Requirements

    Hardware requirements

    Minimum

    133 MHz Pentium PC

    16 MB or more of RAM

    10-MB hard-disk space

    CD-ROM drive or access to a CD-ROM over a computer network

    VGA display adapter or higher-resolution display adapter

    Network Adapter card

    Connection to an Ethernet LAN

    Software requirements

    WinPcap packet capture driver. (This is packaged with the software).

    Operating System requirements

    Windows 98/ME or Windows 2000/NT 4.0 platforms.

    Network requirements

    The minimum requirement is a connection to an Ethernet LAN.

    Installing the Software

    The SNMP Sniffer is compatible with Windows 98/ME/NT/2000. Installation includes the WinPcap packet capture driver. Please delete any other instances of WinPcap that are already present on your system before beginning the installation process.

    It is necessary to have Administrator privileges in order to install SNMP Sniffer on Windows NT and Windows 2000.

    The primary installed components are the WinPcap packet capture driver, libsnmp.dll (for decoding of packets), and the SNMP Sniffer application.

    See the Questions and Answers section for more information about the WinPcap software.

    How to install the SNMP Sniffer

    From the CD-ROM:

    Follow these steps to install the SNMP Sniffer from the CD-ROM.

    1. Quit any active Microsoft Windows programs.

    2. Insert the product CD-ROM into a drive.

    The install screen will appear automatically. If the install

    screen does not appear after a few seconds, select Run

    from the Start menu and enter drive: setup.exe, where

    drive is the letter of the CD-ROM drive into which you

    loaded the product CD.

    3. Follow the prompts that appear on your screen.

    4. An icon will appear on your desktop.

    5. An entry will be placed on the START PROGRAMS menu.

    Glossary of SNMP Terms

    GUI

    Graphical User Interface: An interface for issuing commands to a computer utilizing a pointing device, such as a mouse, that manipulates and activates graphical images on a monitor.

    IP

    Internet Protocol: The network layer for the TCP/IP protocol suite widely used on Ethernet networks.

    MIB

    Management Information Base: A structured collection of all the managed objects maintained by a device. Managed objects are structured in the form of a hierarchical tree. MIBs are specifications containing definitions of management information so that networked systems can be remotely monitored, configured, and controlled.

    OID

    Object identifier: Generally an implementation-specific integer or pointer that uniquely identifies an object.

    PDU

    Protocol Data Unit: A message contains administrative

    information and an SNMP. The PDU type identifies the type of

    the message. The contents of a PDU are control fields, which are

    dependent on the message type, and an array of pairs. The first

    element of each pair is used to identify management

    information and the second element is used to specify the value

    of management information.

    Packet

    A short block of data transmitted in a packet switching network.

    Sniffer

    A tool that monitors packets on a TCP/IP network.

    SNMP

    Simple Network Management Protocol: The Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network. The SNMP-based management approach is defined by a collection of documents. These documents define a management framework consisting of four major components:

    a management protocol

    a definition of management information and events

    a core set of management information and events

    a mechanism and approach to manage the use of the protocol including security and access control

    The operations in SNMP are limited to retrieving the value of

    management information, modifying the value of management

    information, and reporting an event.

    VarBind

    Variable bindings are a list of object identifier -- value pairs that

    specify the managed objects to either collect or modify.

    Using the SNMP Sniffer

    Starting the Application and Using the Menu Options

    A shortcut to the SNMP Sniffer should be added to your desktop during the installation process. If not, you can access the application by clicking the Start button and highlighting the Programs menu. Then highlight the Icon Labs menu followed by the SNMP Sniffer option. Click on the SNMP Sniffer selection.

    The SNMP Sniffer information window will appear followed by the

    main screen.

    Main Screen

    File menu:

    Capture menu:

    Begin: start a new packet capture session

    Stop: stop the current packet capture session (if one is

    executing)

    Choose LAN Adapter: select the network adapter to use

    for packet captures

    Capture Limits: set limits on number of packets to capture

    and the amount of system memory available to the

    application

    Statistics: view capture data

    Number of TCP/IP packets seen

    Total number of SNMP Packets captured

    SNMP Packets filtered by PDU Type or Version

    Number of packets dropped by Kernel

    Options menu:

    View and modify filter specifications for future captures

    Modify display features for future captures

    Select MIB paths, load locations, and display loaded MIBs

    View menu: Allows the option to view or hide the toolbar and

    status bar.

    Help menu: Used to define elements of the application and

    provide contact information.

    GUI Packet Window

    How the screen is laid out:

    Packet # - Assigned by the application

    Time - Using the hh:mm:ss format

    Destination - Destination IP address

    Source - Source IP addresses

    Version - SNMP version of the packet

    Community - Details to whom access to the packet is

    available

    PDU Type - The different types of SNMP packets

    Req-ID - SNMP agent request ID number

    err status/gen trap - Generic trap field applies to SNMP

    trap packets; error status field applies to all remaining

    packets

    err idx/spec trap - Specific trap field applies to SNMP

    trap packets; error index field applies to all remaining

    packets

    GUI Packet window

    In the VarBinds view, the VarBind name and value are tied to the

    highlighted packet in the upper half portion of the screen.

    Version 1 trap packets have a slightly different format than other SNMP packets. The V1 trap view displays three of the fields for this

    type of packet:

    V1 Trap - Enterprise

    Agent-address

    Trap Time-stamp

    V1 trap view and Packet Hex view

    In the Hex view, the hex data is tied to the highlighted packet in

    the upper half portion of the screen. In this view, the SNMP data is

    shown in hexadecimal format. Only the SNMP packet is shown --

    no header information is included.
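
    The field layout described above, as an added example (not code from the manual or from Icon Laboratories): a small Python decoder that turns the bytes shown in the Hex view into the packet-window columns, the V1 trap fields and the VarBind list. The function names and both sample packets are constructed for illustration, and only SNMP v1/v2c messages are handled.

```python
# Added example: decode the bytes shown in the Hex view (the SNMP message
# without Ethernet/IP/UDP headers) into the packet-window columns.
PDU_TYPES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response",
             0xA3: "set-request", 0xA4: "trap-v1", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "trap-v2", 0xA8: "report"}
VERSIONS = {0: "v1", 1: "v2c"}  # wire value -> label; v3 uses a different header

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode BER OID content bytes into dotted notation."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, acc = [], 0
    for byte in value:  # base-128 digits, high bit set on all but the last
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # the first two arcs share one sub-identifier
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(n) for n in head + subids[1:])

def decode_value(tag, value):
    """Decode the value types SNMP v1/v2c uses; unknown tags come back as hex."""
    if tag == 0x02:                      # INTEGER (signed)
        return int.from_bytes(value, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):  # Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(value, "big")
    if tag == 0x04:                      # OCTET STRING
        return value.decode("latin-1")
    if tag == 0x05:                      # NULL (value placeholder in requests)
        return None
    if tag == 0x06:                      # OBJECT IDENTIFIER
        return decode_oid(value)
    if tag == 0x40:                      # IpAddress
        return ".".join(str(b) for b in value)
    return value.hex()

def parse_snmp(data):
    """Return the packet-window columns plus the VarBind list as a dict."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version not in VERSIONS:
        raise ValueError("only SNMP v1/v2c carry a community string")
    _, community, pos = read_tlv(msg, pos)  # travels in cleartext
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    row = {"version": VERSIONS[version],
           "community": community.decode("latin-1"),
           "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}
    if pdu_tag == 0xA4:  # v1 trap: different fields, shown in the V1 trap view
        names = ("enterprise", "agent_address", "generic_trap",
                 "specific_trap", "time_stamp")
    else:                # get-bulk reuses the last two slots for other counters
        names = ("request_id", "error_status", "error_index")
    pos = 0
    for name in names:
        ftag, fval, pos = read_tlv(pdu, pos)
        row[name] = decode_value(ftag, fval)
    _, vbl, _ = read_tlv(pdu, pos)
    row["varbinds"], pos = [], 0
    while pos < len(vbl):  # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, nxt = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, nxt)
        row["varbinds"].append((decode_oid(oid), decode_value(vtag, val)))
    return row

# Constructed sample: v1 get-request for 1.3.6.1.2.1.1.1.0, community "public".
GET_SAMPLE = bytes.fromhex(
    "3027 020100 04067075626c6963 a01a 02021234 020100 020100"
    " 300e 300c 06082b06010201010100 0500")
# Constructed sample: v1 trap, documentation enterprise OID and agent address.
TRAP_SAMPLE = bytes.fromhex(
    "3029 020100 04067075626c6963 a41c 06082b0601040181fd59"
    " 4004c0000201 020106 020101 430201f4 3000")

if __name__ == "__main__":
    for sample in (GET_SAMPLE, TRAP_SAMPLE):
        print(parse_snmp(sample))
```

    Because v1/v2c send the community string unencrypted, any host that can see the traffic can read it exactly as this decoder does.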

    Capturing Packets

    A packet capture can be started in three different ways:

    1. Select Begin from the Capture pull-down menu.

    2. Select the "green light" icon from the toolbar.

    3. Type CTRL+B from the keyboard.

    Green light icon

    Once started, the status bar will display both the time spent capturing the packets and the number of SNMP packets captured. Most toolbar buttons and menu options are disabled during a capture session.

    To stop the packet capture, select "Stop" from the Capture pull-down menu OR select the "red light" icon from the toolbar. The toolbar button will be enabled when a capture is started.

    "Red light" icon

    capture and view ONLY the packets you want.

    As packets are captured, the application allocates memory for

    the packets. In tests, the Windows Task Manager revealed that

    the amount of memory required is about 6-8 KB per packet. This is

    added to the approximately 7 MB required by the application

    when it is launched. Limiting a capture by memory usage is a

    safeguard for your system.

    The SNMP Sniffer deallocates memory whenever the current

    packet display is cleared. This can be done in 3 ways:

    1. By clicking "New" in the File menu or on the toolbar.

    2. By clicking "Open" and opening a previously saved capture

    session.

    3. By clicking "Start capture" in the Capture menu or on the

    toolbar.

    Memory is also deallocated when you exit the application.

    In Windows, memory that is deallocated is marked as available for

    use, but the memory usage (i.e. "working set") of the

    corresponding application is NOT reduced. This can be observed using the Windows Task Manager. Windows gives memory priority

    to applications that are visible on the desktop. An easy way to

    reduce the memory usage of any process is to minimize the

    process's window. Even though the SNMP Sniffer deallocates

    memory as it goes along, this is not revealed in the working set

    value. The limit on memory usage is based on the working set,

    NOT on the amount of memory allocated by the application.

    Statistics

    The following data may be viewed for a packet capture:

    Total number of TCP/IP packets seen.

    SNMP packets captured by the basic packet filter. This is

    a count of all SNMP packets that also satisfy IP address

    and port number filtering options.

    SNMP Packets filtered according to SNMP packet filter

    options. This is a count of packets that, in addition to

    satisfying the basic packet filter, also satisfy SNMP-specific

    filtering options.

    Number of SNMP packets dropped by kernel.

    To view this data, select Statistics from the Capture menu. To

    view the filtering specifications for the current capture, select

    'Filters' from the 'Options' menu.

    click OK. Your options will be saved and the dialog box will close.

    Display Options

    The display can be modified so that the information desired is

    displayed.

    To save your settings for future capture sessions, click Save as

    Default.

    To set the display options, check the boxes desired for the next capture and click on OK.


    Note: All MIBs included by a MIB that is being loaded must be

    present in the MIB Path.

    RECOMMENDATION: It is recommended that additional MIBs you

    wish to load (and any MIBs they include) are placed into the

    \MIBs\User directory and that "Load all MIBs" is

    chosen. This builds a more complete MIB tree that contains

    standard SNMP OIDs.

    You may also unload unnecessary MIBs that are already loaded.


    Questions and Answers

    What is the SNMP Sniffer?

    The SNMP Sniffer is an application that captures SNMP packets on

    a network node and then displays the packets in a graphical user interface (GUI) format. Both capture and display occur in real

    time. The SNMP Sniffer uses the WinPcap packet capture driver to

    examine all known packets and capture specific packets based

    upon options chosen by the user.

    What platforms are supported?

    The SNMP Sniffer supports Windows 98/Me and NT/2000. Other

    platforms could be supported in the future, based upon demand.

    Please contact Icon Laboratories, Inc., if you are interested in using

    the SNMP Sniffer on a different platform.

    What software is required to run the SNMP Sniffer?

    The application requires the WinPcap packet capture driver. This is

    installed during the normal setup process. For more information on

    the WinPcap architecture, see the WinPcap driver web page (http://netgroup-serv.polito.it/WinPcap). There is also a WinPcap

    FAQ at that site.

    What packet information does the SNMP Sniffer give to the user?

    The application displays a variety of information about SNMP

    packets: arrival time, IP destination address, IP source address, SNMP packet version, community, request ID, error index, error

    status, PDU type, VarBind information, trap information, and a

    hexadecimal display of the packet.

    How is this packet information displayed?

    Packets are displayed in a list format, while field data within a


    packet is displayed in columns. Since one SNMP packet may

    contain multiple VarBinds, a separate list displays VarBind

    information. Trap packets for version 1 traps contain different fields

    from other SNMP packets, so these fields are displayed in a third

    view. These three views are stacked vertically in the display. The

    packet view is given the most space, but the user may adjust the

    amount of space allocated to each view.

    How do I selectively view specific SNMP packets?

    In the default case, the SNMP Sniffer uses a packet filter that

    captures all SNMP packets on the typical SNMP message and trap

    ports (161 and 162, respectively). However, the user may narrow

    the focus of this filter by specifying IP source or destination address,

    port number, OID, SNMP packet version, or PDU type.

    What other packet display options are available?

    The user has the following options for the display:

    IP addresses may be resolved to domain names.

    Object identifiers (OIDs) may be converted into name format.

    Time may be displayed in 24-hour or am/pm format.

    What management information base (MIB) is used as the target of

    the SNMP commands?

    Generic MIBs are supplied with the application, and the user may

    also specify a local or network path to use other MIBs. MIBs may

    be specified in the "Options" menu, in the "MIB Options" dialog box.

    Can I save a list of packets and view it later?


    Any packet capture may be saved and reopened later. The suffix

    .sft is given to the capture file when it is stored. Choose open

    from the File menu and select the packet you would like to

    reopen.

    What if the SNMP Sniffer doesn't capture ALL of the SNMP Packets I

    am expecting it to capture?

    There are a couple reasons why a packet may not be captured:

    1. The packet never reached the node of the network that the

    SNMP Sniffer was operating on. This is due to the network

    topology. For instance, a switched network may isolate the

    application from seeing the packet.

    2. The filter may be excluding the packet. Go to Options/Filters

    to see if the correct SNMP packet filter settings are being used.

    3. One of the capture limits may have been exceeded. Click on

    Capture Limits in the Capture menu to see if memory usage or

    packet capture values have been exceeded.

    What if no packets are being captured (and/or displayed)?

    You can tell if any packets are being captured by looking at the Capture/Statistics dialog box after attempting a packet capture.

    If the number of total packets seen is zero, then the packet

    capture driver is not capturing any packets. First, go to the

    "Choose LAN Adapter" dialog box and make sure that you have

    selected the correct adapter to watch for packets. You can try

    packet captures with other adapters on the list if you are not sure

    which one you should use.

    There might also be a problem with the WinPcap driver on

    Windows NT/2000. The following description is from the WinPcap

    FAQ:

    At the moment, if you execute a WinPcap-based

    application for the first time since the last reboot, you must

    be administrator. At the first execution, the driver will be

    dynamically installed in the system, and from that moment

    every user will be able to use WinPcap to sniff the packets.

    If neither of these methods solves your problem, please check the


    latest FAQ on our web site. If your question isn't answered there,

    you may contact Icon Laboratories, Inc., support team by

    emailing us at [email protected].

    Why can't I change the way packet information is displayed after I've stopped my packet capture session?

    Except for the appearance of gridlines, packet display information

    must be set in the Options/Display Options dialog box BEFORE a capture is begun. When a packet capture session is started,

    packet information is stored in the same format as it is displayed,

    so the display cannot be modified after a capture is done.

    Why aren't the OIDs resolved, even when I've checked that

    option?

    The MIB that you selected might not have been loaded correctly.

    Try setting the MIB path again. If this doesn't work, please contact

    Icon Laboratories at [email protected].

    Why are there missing packet numbers in the Packet View?

    Every time an SNMP packet meets the current requirements of the

    WinPcap driver, the packet is given a unique Packet Number. The

    driver filters packets based on packet header information. After

    this, the application itself may apply another filter based on

    information WITHIN the SNMP packet (e.g. version or PDU type).

    Packets that already have packet numbers may be excluded in

    this process, so some packet numbers would not be shown.
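
    The two filter stages described above, and the resulting gaps in packet numbers, shown as an added example (not Icon Laboratories' code and not part of the original manual). The function names, the (src_port, dst_port, payload) tuple layout and the sample messages are assumptions constructed for illustration; only SNMPv1/v2c framing is decoded, and the three counters mirror the Statistics dialog.

```python
# Added illustration, not SNMP Sniffer source. Assumes SNMPv1/v2c over UDP.
PDU_TYPES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap-v1"}

def read_tlv(buf, pos):                    # -> (tag, value, next_pos) of one BER TLV
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):                   # fields the packet view shows as columns
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    info = {"version": int.from_bytes(ver, "big"),      # wire value: 0 = v1, 1 = v2c
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}
    if pdu_tag != 0xA4:                    # v1 traps use a different field layout
        p = 0
        for name in ("request_id", "error_status", "error_index"):
            _, val, p = read_tlv(pdu, p)
            info[name] = int.from_bytes(val, "big", signed=True)
    return info

def capture(packets, want_pdu=None):       # packets: (src_port, dst_port, udp_payload)
    rows, stats = [], {"seen": 0, "basic": 0, "snmp": 0}
    for sport, dport, payload in packets:
        stats["seen"] += 1
        if not {sport, dport} & {161, 162}:    # stage 1: header-only (port) filter
            continue
        stats["basic"] += 1                    # the packet number is assigned here
        try:
            info = parse_snmp(payload)
        except (ValueError, IndexError):       # malformed, or not SNMPv1/v2c
            continue
        if want_pdu is None or info["pdu"] == want_pdu:   # stage 2: SNMP-content filter
            stats["snmp"] += 1
            rows.append((stats["basic"], info))
    return rows, stats

def sample(v, t, r):   # constructed message: community "public", empty VarBind list
    return bytes.fromhex(f"3018 0201{v:02x} 0406 7075626c6963 {t:02x}0b 0201{r:02x} 020100020100 3000")
SAMPLE = [(40000, 161, sample(0, 0xA0, 1)), (40001, 53, b"not snmp"),
          (161, 40000, sample(0, 0xA2, 1)), (40002, 161, sample(1, 0xA0, 2))]
```

    Calling capture(SAMPLE, want_pdu="get-request") keeps packets 1 and 3: the get-response already received number 2 from the first stage before the PDU-type filter excluded it.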

    When I tried to open a past capture session, why do I get an

    "Unexpected File Format" error?

    If you get this error, it is because you are trying to open a capture

    file that was saved in an earlier version of the SNMP Sniffer. Files

    saved in SNMP Sniffer Version 1.x cannot be opened by later

    versions of the application. Starting with Version 2.0, capture files

    that are stored in one version of the SNMP Sniffer will be accessible

    in future versions.


    What is the purpose of the Capture Limits dialog box?

    When the SNMP Sniffer captures and displays an SNMP packet, it

    allocates a certain amount of memory for that packet. In tests,

    the memory usage for the application turns out to be about 7 MB

    upon initialization and an additional 6-8 KB per captured packet.

    The Capture Limits dialog box exists for you to ensure that the

    application will not use up too much memory on your machine. It

    is a useful option if you would like to start a capture session and

    then let it run unattended for hours, days, or even weeks.

    As soon as the limit -- memory usage or number of packets -- is

    reached, the capture is automatically stopped and the packets

    are displayed. The status bar also displays the following statement:

    "Capture Aborted because Capture Limit(s) Exceeded".

    If your question has not been addressed here, please contact Icon

    Laboratories at [email protected]. Other information and

    recent FAQs may be accessed at their web site --

    http://www.icon-labs.com.
