Decoding SNMPv3 encrypted traffic in Wireshark

January 7, 2016

Talking with fellows about SNMPv3 I hear often that its not that critical that SNMP is encrypted and that encryption makes debugging more complicated as they can’t see what is send over the network.I won’t talk about the need for encrypting SNMP as it is like SSH gets used instead of Telnet. This post shows how easy it is to decode SNMPv3 encrypted messages with Wireshark (if you know the secrets 🙂 ).  This is possible as SNMPv3 is a simple UDP protocol which encodes the packets with a shared secret and does not use forward secrecy like TLS does.

If you take a look on properly encrypted SNMPv3 traffic it looks like this.

snmpv3_encrypted

Now you just click on “Edit | Preferences”:

wireshark1

Search for “Protocols | SNMP” and click on “User Table | Edit”.

wireshark2

Click onto the “New” button:

wireshark3

 

Now enter your user name, select the authentication and encryption method and provide the 2 passwords. You don’t need to provide the Engine ID normally.

wireshark4

After clicking onto Ok multiple times the traffic looks like this:

snmpv3_decrypted

If you use one SNMP profile for multiple systems its nice that the values get stored in the Wireshark preferences.  Hope this takes some fear away from SNMPv3. 🙂

 

 

 

 

1 Comment »

RSS feed for comments on this post. TrackBack URI

  1. […] want to look at encrypted SNMPv3 packets (Wireshark is able to decrypt it, if provided the […]

    Pingback by Howto live-sniffer traffic on a remote Linux system with Wireshark | Robert Penz Blog — October 2, 2016 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 76 queries. 0.254 seconds.