Wireshark-users: Re: [Wireshark-users] Malformed Packet - SNMP Trap
From: Patrick Klos <patrick@xxxxxxxx>
Date: Thu, 29 Aug 2013 21:47:25 -0400
Rexford Park wrote:
I've been working on an SNMP v2c Agent library for the Arduino platform and hit a bit of a roadblock. So far the library works fine on messages that are under 172 bytes long. Once the messages hit 172 bytes they aren't picked up by SNMP Managers and Wireshark lists them as Malformed Packets.

I'm hoping I can find someone here that is more familiar with SNMP and can help me figure out what exactly is wrong with the packet so that I can dig into my code and fix the issue. Is there a way to get Wireshark to tell me where the packet has failed?

Wireshark Output of a malformed trap:

0000   a8 20 66 28 f1 69 de ad be ef fe ee 08 00 45 00
0010   00 9e 00 03 40 00 80 11 e3 8e 0a 23 01 3d 0a 23
0020   01 3b 00 a1 00 a2 00 8a 75 15

Standard UDP/IP packet so far.

0020                                 30 80

According to BER rules, the basic SNMP encapsulation includes a tag, length and value. This tag is 0x30, which is a 'sequence'. The length of the value is 128 bytes, which is indeed 0x80 hex. But encoding the length in BER requires that values above 127 use a multi-byte form where the first byte has the high bit set (to indicate multi-byte encoding) and the low 7 bits indicate the length of the value. To encode the value of 128, you would encode it in 2 bytes as this:

   81 80

0020                                       02 01 01 04
0030   06 70 75 62 6c 69 63 a7 73 02 04 00 00 00 02 02
0040   01 00 02 01 00 30 65 30 10 06 08 2b 06 01 02 01
0050   01 03 00 43 04 00 00 09 c5 30 19 06 0a 2b 06 01
0060   06 03 01 01 04 01 00 06 0b 2b 06 01 04 01 82 99
0070   3b 01 00 01 30 10 06 0b 2b 06 01 04 01 82 99 3b
0080   01 01 01 02 01 16 30 24 06 0b 2b 06 01 04 01 82
0090   99 3b 01 01 02 04 15 31 32 33 34 35 36 37 38 39
00a0   30 31 32 33 34 35 36 37 38 39 30 31

Thanks

Other than that, the rest of the packet looks fine to me.

So, your Arduino's SNMP library needs a little work on its BER encoding of lengths. (Just change the '30 80' at the beginning of the SNMP data to '30 81 80' and the packet would be OK.)

Good luck! Let us know how you make out.

Patrick
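
An added example, not code from this thread or from the Arduino library being discussed: a BER definite-form length encoder and a bounds-checked decoder in C, generalized from the 128-byte case above to any length. The function names are hypothetical, and the buffers in main() are constructed from the length octets quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Encode len as a BER definite-form length; returns octets written, 0 if out is too small. */
size_t ber_encode_length(size_t len, uint8_t *out, size_t cap)
{
    if (len < 0x80) {                       /* short form: one octet, high bit clear */
        if (cap < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    size_t n = 0;                           /* long form: count the octets len needs */
    for (size_t v = len; v; v >>= 8) n++;
    if (cap < 1 + n) return 0;
    out[0] = (uint8_t)(0x80 | n);           /* high bit set, low 7 bits = count of length octets that follow */
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));   /* big-endian */
    return 1 + n;
}

/* Decode a length field at buf; returns octets consumed, or 0 if it is truncated,
   is a lone 0x80 (indefinite form), is too wide, or declares more content than remains. */
size_t ber_decode_length(const uint8_t *buf, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    size_t n = 0, v = buf[0];
    if (buf[0] & 0x80) {
        n = buf[0] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
        v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
    }
    if (v > avail - 1 - n) return 0;        /* declared length overruns the buffer */
    *len = v;
    return 1 + n;
}

int main(void)
{
    /* Constructed: length octets as sent (80 ...) and as corrected (81 80 + 128 content octets). */
    const uint8_t sent[] = { 0x80, 0x02, 0x01, 0x01 };
    uint8_t fixed[2 + 128] = { 0x81, 0x80 };
    size_t len = 0;
    size_t a = ber_decode_length(sent, sizeof sent, &len);
    size_t b = ber_decode_length(fixed, sizeof fixed, &len);
    printf("80 -> consumed %zu; 81 80 -> consumed %zu, length %zu\n", a, b, len);
    return 0;
}
```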