new SNMP dissector shows convoluted tree
This issue was migrated from bug 1746 in our old bug tracker.
Original bug information:
Reporter: Thomas Anders
Status: RESOLVED FIXED
Product: Wireshark
Component: GTK+ UI
OS: All
Platform: All
Version: Git
Attachments:
sample_snmp_inform.pcap: sample capture file with single SNMP INFORM packet
Activity
Build Information: wireshark 0.99.7 (SVN Rev 22504)
Compiled with GTK+ 2.10.6, with GLib 2.12.4, with libpcap 0.9.4, with libz 1.2.3, with libpcre 6.7, with Net-SNMP 5.4.1, without ADNS, without Lua, with GnuTLS 1.4.4, with Gcrypt 1.2.3, without Kerberos, with PortAudio PortAudio V19-devel, without AirPcap.
Running on Linux 2.6.18.8-0.3-default, with libpcap version 0.9.4.
Built using gcc 4.1.2 20061115 (prerelease) (SUSE Linux).
The change to the asn2wrs generated SNMP dissector (around r18086) has introduced a major usability regression in the tree pane. I've attached a sample capture file with a single SNMP INFORM packet. Here's the compact dissection with the old dissector: Simple Network Management Protocol Version: 2C (1) Community: trapcomm PDU type: INFORM (6) Request Id: 0x28ae232e Error Status: NO ERROR (0) Error Index: 0 Object identifier 1: 1.3.6.1.2.1.1.3.0 (EXPRESSION-MIB::sysUpTimeInstance) Value: Timeticks: (123) 0:00:01.23 Object identifier 2: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0) Value: OID: RFC1213-MIB::sysDescr.0 Object identifier 3: 1.3.6.1.2.1.1.1.0 (RFC1213-MIB::sysDescr.0) Value: STRING: "test" Now compare to the complicated nested output of the new dissector: Simple Network Management Protocol version: v2c (1) community: trapcomm data: informRequest (6) informRequest request-id: 682500910 error-status: noError (0) error-index: 0 variable-bindings: 3 items Item name: 1.3.6.1.2.1.1.3.0 (DISMAN-EVENT-MIB::sysUpTimeInstance) valueType: value (0) value: simple (4294967295) value: simple (4294967295) application-wide: timeticks-value (3) timeticks-value: 123 Item name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0) valueType: value (0) value: simple (4294967295) simple: objectID-value (2) Value: OID: SNMPv2-MIB::sysDescr.0 Item name: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0) valueType: value (0) value: simple (4294967295) simple: string-value (1) Value: STRING: test The new format doesn't seem to provide any significant additional details, but one needs to expand a *lot* of items until one gets to the relevant information. E.g. to see the value (123) of the first varbind, one needs to expand nine (9!!) items compared to one (1) with the old dissector. Please also see Bug 1088 for a different regression (info pane).added uigtk versiondev labels
-
- Well using "expand subtrees" will expand all trees for you... - Going back to the "old" dissector is impossible as it used the old asn1 helpers which is depreceated. - The tree view is inherited from the way the BER dissector and asn2wrs work. Please feel free to hand code the SNMP dissector using BER helpers to produce an output more to your liking. -
Wait at least until I commit what I'm working on...
The tree is going to stay preety much that way but VarBind will be collapsed into a single item with the value filterable by oid-name(if registered) with type and name as children.
"IF-MIB.ifInOctets > 35000" will be a valid filter.
Patience... I need to round some corners and I'll be checking-in the rewritten snmp dissector.
-
I don't propose to go back to the old ASN.1 helper based implementation for exactly the reasons Anders mentioned. Also, I'm sorry if anyone got the feeling this is a request to adjust the dissector to my liking. I really think the current output is very hard to read even (or especially?) for occasional SNMP users.
I'm willing to contribute to improve it, but I need guidance how/where to adjust asn1/snmp/* to influence (simplify) the tree structure (after LEGO's changes). Are there other good examples where this has been done?
-
Is that realy worth?
We are talking about duplicating a lot of code from packet-ber and handwriting much code that otherwise would be generated for a purely cosmetic issue while adding no functionality.
I'm working on snmp with a similar goal that I did in the past with the diameter or radius dissectors: simplifying the code-base by making it more flexible while adding a feature that gives a real advantage (in this case being able to filter packets by a given var's value).
I personally believe that besides the "Item" items of the SEQUENCE OF VarBind (that in fact are apparently useless) the rest of the new tree conveys information about the structure of the Pdu and flattening it down, would hide structure information and give no real usability advantage.
Luis
-
Now it looks like: Simple Network Management Protocol version: v2c (1) community: trapcomm data: informRequest (6) informRequest request-id: 682500910 error-status: noError (0) error-index: 0 variable-bindings: 3 items SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 123 Object Name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0) Scalar Instance Index: 0 SNMPv2-MIB::sysUpTime: 123 SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0) Object Name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0) Scalar Instance Index: 0 SNMPv2-MIB::snmpTrapOID: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0) SNMPv2-MIB::sysDescr.0 (1.3.6.1.2.1.1.1.0): test Object Name: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0) Scalar Instance Index: 0 SNMPv2-MIB::sysDescr: test Which is a less convoluted... and trust me this is as good as it gets!