How to capture & decode SNMP traffic using tcpdump
Using the following command, you can capture & decode SNMP traffic going in and out of a specific interface (enp3s0 in this example):
tcpdump -v -i enp3s0 'udp port 161'
This works by filtering for UDP packets on port 161, the SNMP port. The -v flag tells tcpdump to decode the traffic in real time, so you see the SNMP version, the USM user or community string, the PDU type and the variable bindings as they go by.
Example output:
01:28:27.915505 IP (tos 0x0, ttl 64, id 28865, offset 0, flags [DF], proto UDP (17), length 151)
10.9.2.199.snmp > 10.9.2.15.47669: { SNMPv3 { F=a } { USM B=1 T=608 U="admin" } { ScopedPDU E=_80_00_6a_92_03_44_a5_6e_43_5e_4c C="" { GetResponse(33) R=1015374419 105.1.1.1.5.1.2=1 } } }
01:28:27.915646 IP (tos 0x0, ttl 64, id 38290, offset 0, flags [DF], proto UDP (17), length 150)
10.9.2.15.47669 > 10.9.2.199.snmp: { SNMPv3 { F=ar } { USM B=1 T=608 U="admin" } { ScopedPDU E=_80_00_6a_92_03_44_a5_6e_43_5e_4c C="" { GetNextRequest(32) R=1015374420 105.1.1.1.5.1.2 } } }
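As an added example (not part of the original page), here is a small Python parser for the decoded lines tcpdump -v prints, which turns each packet into a record and labels what a passive observer could read from it: in SNMPv3 the F= field is tcpdump's rendering of msgFlags (a = authenticated, p = encrypted, r = reportable), so F=a and F=ar above are authNoPriv and the ScopedPDU is readable. The two SNMPv3 packets are copied from the output above; the SNMPv2c pair and its exact line format are constructed for contrast and are an assumption, not captured output.

```python
import re

# Constructed sample in the shape `tcpdump -v` prints: an IP/UDP header line, then the decoded
# SNMP line. The two SNMPv3 packets are the page's; the SNMPv2c pair is constructed for contrast.
SAMPLE = """\
01:28:27.915505 IP (tos 0x0, ttl 64, id 28865, offset 0, flags [DF], proto UDP (17), length 151)
10.9.2.199.snmp > 10.9.2.15.47669: { SNMPv3 { F=a } { USM B=1 T=608 U="admin" } { ScopedPDU E=_80_00_6a_92_03_44_a5_6e_43_5e_4c C="" { GetResponse(33) R=1015374419 105.1.1.1.5.1.2=1 } } }
01:28:27.915646 IP (tos 0x0, ttl 64, id 38290, offset 0, flags [DF], proto UDP (17), length 150)
10.9.2.15.47669 > 10.9.2.199.snmp: { SNMPv3 { F=ar } { USM B=1 T=608 U="admin" } { ScopedPDU E=_80_00_6a_92_03_44_a5_6e_43_5e_4c C="" { GetNextRequest(32) R=1015374420 105.1.1.1.5.1.2 } } }
01:28:30.000000 IP (tos 0x0, ttl 64, id 38291, offset 0, flags [DF], proto UDP (17), length 82)
10.9.2.15.47670 > 10.9.2.199.snmp: { SNMPv2c C="public" { GetRequest(28) R=7 .1.3.6.1.2.1.1.1.0 } }
"""

HEADER_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
PAYLOAD_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): \{ (?P<version>SNMPv\d\w*) (?P<rest>.*)\}\s*$")
PDU_RE = re.compile(r"(?P<pdu>[A-Za-z]+)\(\d+\) R=(?P<rid>-?\d+)(?P<body>[^}]*)")

def exposure(version: str, flags: str) -> str:
    """What a passive observer can read; flags are tcpdump's SNMPv3 msgFlags (a=auth, p=priv, r=reportable)."""
    if version != "SNMPv3":
        return "cleartext community string and PDU"
    if "a" not in flags:
        return "noAuthNoPriv: unauthenticated, PDU readable"
    return "authPriv: PDU encrypted" if "p" in flags else "authNoPriv: PDU readable"

def parse_tcpdump_snmp(text: str) -> list[dict]:
    """Pair each header line's timestamp with the decoded SNMP line that follows it."""
    msgs, ts = [], ""
    for line in text.splitlines():
        if HEADER_RE.match(line):
            ts = line.split()[0]
            continue
        m = PAYLOAD_RE.match(line)
        p = PDU_RE.search(m["rest"]) if m else None
        if not p:
            continue  # not an SNMP line, or a PDU shape this parser does not handle
        version, rest = m["version"], m["rest"]
        fm = re.search(r"F=(\w*)", rest)
        flags = fm.group(1) if fm else ""
        # v3 prints U="user"; v1/v2c print C="community" (v3's own C="" is the context name)
        who = re.search(r'U="([^"]*)"' if version == "SNMPv3" else r'C="([^"]*)"', rest)
        # varbinds: "oid=value" in responses, bare "oid" in requests
        varbinds = [tuple(vb.split("=", 1)) if "=" in vb else (vb, None) for vb in p["body"].split()]
        msgs.append({"ts": ts, "src": m["src"], "dst": m["dst"], "version": version, "flags": flags,
                     "principal": who.group(1) if who else None, "pdu": p["pdu"],
                     "request_id": int(p["rid"]), "varbinds": varbinds, "exposure": exposure(version, flags)})
    return msgs
```

Feed it the saved output of the tcpdump command above (for example `tcpdump -v -i enp3s0 'udp port 161' > snmp.txt`) to get a quick inventory of which managers talk to which agents, under which user or community, and whether anything is still using v1/v2c or unencrypted v3.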