Tags: wireshark, snmp, tshark

Exporting encrypted SNMPv3 traps to JSON with TShark

I have a pcap file with recordings of encrypted SNMPv3 traps from Wireshark (Version 3.2.2). For analyzing the traps, I want to export the protocol data to JSON using tshark.

tshark.exe -T ek -Y "snmp" -P -V -x -r input.pcap > output.json

Currently, I supply the information to decrypt the packets via the "snmp_users" file in C:\Users\developer\AppData\Roaming\Wireshark.

# This file is automatically generated, DO NOT MODIFY.
,"snmp_user","SHA1","xxxxxx","AES","yyyyyyy"

Is it possible to supply the options via commandline?

I have tried:

tshark.exe -T ek -Y "snmp" -P -V -x -o "snmp.users_table.username:snmp_user" ...

But that causes an error:

tshark: -o flag "snmp.users_table.username:snmp_user" specifies unknown preference

Update 16.09.2020:
Option -Y used instead of -J:

-Y|--display-filter
Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file.

Solution

  • You need to specify the option as a User Access Table or uat, with the specific table being the name of the file, namely snmp_users. So, for example:

    On Windows:

    tshark.exe -o "uat:snmp_users:\"\",\"snmp_user\",\"SHA1\",\"xxxxxx\",\"AES\",\"yyyyyyy\"" -T ek -J "snmp" -P -V -x -r input.pcap > output.json
    

    And on *nix:

    tshark -o 'uat:snmp_users:"","snmp_user","SHA1","xxxxxx","AES","yyyyyyy"' -T ek -J "snmp" -P -V -x -r input.pcap > output.json
    

    Unfortunately, the Wireshark documentation is currently lacking in describing the uat option. There is a Google Summer of Code project underway though, in which Wireshark is participating, so perhaps documentation will be improved here.
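The quoting of the uat string is the fragile part of the answer above, so here is an added example (not from the question or answer) that builds the `-o uat:snmp_users:...` argument from separate fields and then runs the export shown in the answer. The field order (engine ID, user, auth protocol, auth passphrase, privacy protocol, privacy passphrase) is taken from the snmp_users file quoted in the question; `snmp_users_uat` and `export_snmp_json` are names chosen for this example.

```sh
#!/bin/sh
# Build the value for tshark's -o option that fills the snmp_users UAT.
# Arguments, in the order of the snmp_users file shown in the question:
#   $1 engine ID (left empty, as in the question's file)
#   $2 username   $3 auth protocol   $4 auth passphrase
#   $5 privacy protocol   $6 privacy passphrase
snmp_users_uat() {
  [ "$#" -eq 6 ] || { echo "snmp_users_uat: expected 6 fields, got $#" >&2; return 1; }
  # The UAT line is CSV with double-quoted fields; refuse values that would
  # break that quoting instead of guessing at an escape syntax.
  for f in "$@"; do
    case $f in
      *\"*|*,*)
        echo "snmp_users_uat: field must not contain quotes or commas: $f" >&2
        return 1 ;;
    esac
  done
  printf 'uat:snmp_users:"%s","%s","%s","%s","%s","%s"\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Export decrypted SNMPv3 traps from a pcap to ek-style JSON, using the same
# tshark flags as the answer. $1 = input pcap, $2 = output file, $3.. = UAT fields.
export_snmp_json() {
  pcap=$1; out=$2; shift 2
  uat=$(snmp_users_uat "$@") || return 1
  # Single-quote-free invocation: the shell passes the UAT string as one argument.
  tshark -o "$uat" -T ek -J "snmp" -P -V -x -r "$pcap" > "$out"
}

# Usage (credentials below are constructed placeholders, not real values):
# export_snmp_json input.pcap output.json "" snmp_user SHA1 xxxxxx AES yyyyyyy
```

While tshark runs this way the passphrases are visible in the process list, which is a reason to prefer the snmp_users file in the profile directory on shared hosts.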