Tony Mitchell wrote:
<Does anybody know ALL the conditions that cause an SNMP packet to be
<reported as "Malformed"
No, I don't know all the conditions.
I noticed that there were some packets in the PROTOS SNMP test-suite captures (http://www.ethereal.com/sample/) that Ethereal indicated as [Malformed Packet: SNMP].
I don't know if all these packets really are malformed, but they might be.
I tried with another sniffer and it indicated strange results for the packets I checked,
but it didn't indicate it as clearly as Ethereal in most cases. Sometimes it showed the length as zero
and just some rubbish data, but in some cases "packet to small", "incorrect Object ID" or similar.
I will try with some other sniffers tomorrow to see what they say.
Below is one example from Ethereal:
Frame 15321 (100 bytes on wire, 100 bytes captured)
Ethernet II, Src: 00:20:af:1b:07:fa, Dst: 00:e0:29:68:8b:fb
Internet Protocol, Src Addr: 192.168.0.2 (192.168.0.2), Dst Addr: 192.168.0.1 (192.168.0.1)
User Datagram Protocol, Src Port: 1044 (1044), Dst Port: 162 (162)
Simple Network Management Protocol
Version: 1
Community: public
PDU type: TRAP-V1
Enterprise: 1.3.6.1.4.1.4.1.2.21
Agent address: 127.0.0.1
Trap type: ENTERPRISE SPECIFIC
Specific trap type: 0 (0)
Timestamp: 15320
Object identifier 1: 1.3.6.1.2.1.2.1.0
[Malformed Packet: SNMP]
0000 00 e0 29 68 8b fb 00 20 af 1b 07 fa 08 00 45 00 ..)h... ......E.
0010 00 56 4f c9 00 00 40 11 a9 7a c0 a8 00 02 c0 a8 .VO...@..z......
0020 00 01 04 14 00 a2 00 42 98 e9 30 38 02 01 00 04 .......B..08....
0030 06 70 75 62 6c 69 63 a4 2b 06 09 2b 06 01 04 01 .public.+..+....
0040 04 01 02 15 40 04 7f 00 00 01 02 01 06 02 01 00 ....@...........
0050 43 02 3b d8 30 0e 30 0c 06 08 2b 06 01 02 01 02 C.;.0.0...+.....
0060 01 00 43 00
The problem occurs for the last two octets:
0x43 means TimeTicks I think and 0x00 means length 0.
I don't think that 0 is a valid length for TimeTicks.
INTEGER/Integer32    0x02
OCTET STRING/BITS    0x04
NULL                 0x05
OBJECT IDENTIFIER    0x06
IpAddress            0x40
NetworkAddress       0x40
Counter/Counter32    0x41
Unsigned32           0x42
Gauge/Gauge32        0x42
TimeTicks            0x43
Opaque               0x44
Counter64            0x46
Could you send a capture of the packet you got "Malformed packet" for, so we can see the hex data also?
Regards,
Martin
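
An added example, not part of the message above and not Ethereal's code: a minimal BER walker over the 58-byte SNMP payload from the hex dump (frame offset 0x2a onward) that reports integer-valued types carrying a zero-length value, plus TLVs whose length overruns their container. It assumes, following the BER rule that an INTEGER has at least one content octet, that TimeTicks and the other integer-based types in the tag list may not be empty; the function names are hypothetical.

```python
# Constructed from the hex dump in the post: UDP payload, frame offset 0x2a onward.
PAYLOAD = bytes.fromhex(
    "30 38 02 01 00 04 06 70 75 62 6c 69 63 a4 2b 06 09 2b 06 01 04 01 "
    "04 01 02 15 40 04 7f 00 00 01 02 01 06 02 01 00 "
    "43 02 3b d8 30 0e 30 0c 06 08 2b 06 01 02 01 02 "
    "01 00 43 00"
)

# Tag names taken from the list in the post.
TAGS = {0x02: "INTEGER", 0x41: "Counter32", 0x42: "Gauge32",
        0x43: "TimeTicks", 0x46: "Counter64"}
# Assumption: every integer-valued type needs at least one content octet.
INTEGER_LIKE = set(TAGS)


def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end); raise ValueError if it does not fit."""
    if pos + 2 > end:
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError(f"bad long-form length at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError(f"length {length} overruns container at offset {pos}")
    return tag, pos, pos + length


def check(buf, pos=0, end=None, findings=None):
    """Walk all TLVs in buf[pos:end]; return a list of (offset, problem)."""
    end = len(buf) if end is None else end
    findings = [] if findings is None else findings
    while pos < end:
        start = pos
        try:
            tag, vs, ve = read_tlv(buf, pos, end)
        except ValueError as exc:
            findings.append((start, str(exc)))
            break
        if tag & 0x20:  # constructed: SEQUENCE (0x30) or a PDU such as 0xa4
            check(buf, vs, ve, findings)
        elif tag in INTEGER_LIKE and vs == ve:
            findings.append((start, f"{TAGS[tag]} with zero-length value"))
        pos = ve
    return findings
```

Offsets in the findings are relative to the start of the SNMP payload; add 0x2a to get the position in the frame dump.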