Resolving SNMP OIDs in packet captures

How do you convert SNMP OIDs in packet captures to human-readable names?

A common problem while analyzing SNMP traffic is resolving OIDs to names.

We don’t want to see this:

Showing raw SNMP OIDs in the packet list

We want to see this:

Showing human readable names in the packet list

The venerable Wireshark’s own resolution capabilities work fine for many simple cases. With Wireshark, you can list the modules you need and have it load them upon startup. But what if you want to load thousands of MIBs? What if you want to deal with badly written MIBs, MIBs with incorrect module names, or MIBs with dependencies? We might be able to help you.

We make two products, Unbrowse SNMP and Unsniff Network Analyzer. Unbrowse SNMP is a full-fledged SNMP tool that can compile almost anything you throw at it. It then persists the properties of each OID in a very efficient format on disk. The Unbrowse Scripting API provides a number of ways to get at this data. The other product, Unsniff, is the actual SNMP packet analyzer. We have integrated the two products so that Unsniff uses the OID information already available via Unbrowse.

To use this feature (requires the latest versions of Unbrowse SNMP and Unsniff Network Analyzer):

  1. Download and install Unbrowse SNMP
  2. Press Ctrl+M and select all the MIB files you want to add
  3. Alternatively, download a precompiled package (we have one containing all the Cisco MIBs)
  4. Done

Unsniff will automatically detect if the Unbrowse SNMP name resolution facility is installed and will then proceed to resolve all OIDs to the maximum extent it can.

Resolving OIDs wherever they are found
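One way to resolve an OID as far as the loaded MIBs allow is a longest-prefix match over the OID tree, which leaves instance indexes and nodes from unloaded MIBs numeric. The Ruby below is an added example, not Unbrowse or Unsniff code and not their scripting API; the `OidResolver` class and the small name table are constructed for illustration.

```ruby
# Constructed sample table: a few well-known OIDs from SNMPv2-SMI, SNMPv2-MIB
# and IF-MIB. A compiled MIB store would hold many thousands of entries.
OID_NAMES = {
  "1.3.6.1.2.1"          => "mib-2",
  "1.3.6.1.2.1.1.1"      => "sysDescr",
  "1.3.6.1.2.1.1.3"      => "sysUpTime",
  "1.3.6.1.2.1.2.2.1.10" => "ifInOctets",
  "1.3.6.1.4.1"          => "enterprises"
}.freeze

# Hypothetical resolver: a trie keyed by sub-identifier, so a lookup costs one
# hash access per arc of the OID regardless of how many names are loaded.
class OidResolver
  Node = Struct.new(:name, :children)

  def initialize(table)
    @root = Node.new(nil, {})
    table.each { |oid, name| insert(parse(oid), name) }
  end

  # Returns the name of the longest known prefix followed by the unresolved
  # numeric suffix. An OID with no known prefix comes back in numeric form.
  def resolve(oid)
    arcs = parse(oid)
    node = @root
    best_name = nil
    best_len = 0
    arcs.each_with_index do |arc, i|
      node = node.children[arc]
      break if node.nil?
      best_name, best_len = node.name, i + 1 if node.name
    end
    return arcs.join(".") unless best_name
    ([best_name] + arcs.drop(best_len)).join(".")
  end

  private

  # Accepts "1.3.6.1" or ".1.3.6.1"; rejects anything that is not dotted decimal.
  def parse(oid)
    text = oid.to_s.sub(/\A\./, "")
    raise ArgumentError, "malformed OID: #{oid.inspect}" unless text.match?(/\A\d+(\.\d+)*\z/)
    text.split(".").map(&:to_i)
  end

  def insert(arcs, name)
    node = arcs.reduce(@root) { |n, arc| n.children[arc] ||= Node.new(nil, {}) }
    node.name = name
  end
end
```

With only this table loaded, a Cisco OID such as `1.3.6.1.4.1.9.9.109.1` resolves to `enterprises.9.9.109.1`: the part that is known gets a name and the rest stays numeric until the matching MIB is added.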

The advantages:

  • Leverage Unbrowse SNMP’s very flexible compiler
  • OIDs of thousands of modules are instantly available for resolution
  • Has no impact on Unsniff’s startup time
  • High speed resolution with low memory overhead
  • Scriptable via Ruby

Author: Vivek Rajagopalan

Vivek Rajagopalan is a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets, very high speed networks, and helping track down the bad guys on the internet.