Why does Wireshark say that SNMPv3 traps sent from cOS Core are "snmpV2-trap"?

Last modified on 8 Sep, 2020. Revision 3
The data portions of SNMPv3 and SNMPv2 traps are identical. Only the wrapping headers differ. Wireshark shows the data portion in the summary line.
Up to date for
Core 12.00.22
Core 13.00.01
Wireshark 2.6.10
Status OK


Manually testing SNMP trap behavior using ucd-snmp

This can be tested on, for example, a Linux host:

$ snmptrap -v 2c -c public 192.168.0.101 '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456

$ snmptrap -v 3 -u ExampleSecurityName -l noAuthNoPriv 192.168.0.101 '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456

If you walk inside the packet data, you’ll see that the trap data itself is identical in both v2 and v3, but they’re wrapped in different headers (v2 vs v3).

SNMPv2 trap:

SNMPv3 trap:

Note that the contained data is still identified as a “v2 trap”; it is unchanged.
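The same comparison can be made at the byte level. The following is an added example, not part of the original article or of cOS Core: it builds one constructed trap PDU, wraps it once in an SNMPv2c message and once in an SNMPv3 noAuthNoPriv message, then extracts the PDU from each. The PDU tag is 0xA7 (snmpV2-trap in the SNMP ASN.1 definitions) in both cases. All field values are constructed samples, and the helper names are hypothetical.

```python
# Added example. BER TLV helpers; short-form lengths only (values under 128 bytes).
INT, OCTETS, OID, SEQ, V2_TRAP = 0x02, 0x04, 0x06, 0x30, 0xA7

def tlv(tag, body=b""):
    if len(body) > 127:
        raise ValueError("long-form length not supported in this sketch")
    return bytes([tag, len(body)]) + body

def children(data):
    """Split concatenated TLVs into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        if length & 0x80:
            raise ValueError("long-form length not supported in this sketch")
        out.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out

# Constructed sample PDU: one varbind, 1.3.6.1.4.1.8072.2.3.2.1 = INTEGER 123456
# (a real snmptrap also sends sysUpTime.0 and snmpTrapOID.0 first).
oid = bytes.fromhex("2b06010401bf0802030201")
varbinds = tlv(SEQ, tlv(SEQ, tlv(OID, oid) + tlv(INT, (123456).to_bytes(3, "big"))))
pdu = tlv(V2_TRAP, tlv(INT, b"\x01") + tlv(INT, b"\x00") + tlv(INT, b"\x00") + varbinds)

# SNMPv2c wrapper: version (1 means v2c), community, PDU
v2c_msg = tlv(SEQ, tlv(INT, b"\x01") + tlv(OCTETS, b"public") + pdu)

# SNMPv3 wrapper (noAuthNoPriv): version, header, USM parameters, scoped PDU.
# Engine ID and context name are left empty in this constructed sample.
header = tlv(SEQ, tlv(INT, b"\x01") + tlv(INT, b"\x05\xdc") + tlv(OCTETS, b"\x00") + tlv(INT, b"\x03"))
usm = tlv(SEQ, tlv(OCTETS) + tlv(INT, b"\x00") + tlv(INT, b"\x00")
          + tlv(OCTETS, b"ExampleSecurityName") + tlv(OCTETS) + tlv(OCTETS))
scoped = tlv(SEQ, tlv(OCTETS) + tlv(OCTETS) + pdu)
v3_msg = tlv(SEQ, tlv(INT, b"\x03") + header + tlv(OCTETS, usm) + scoped)

def extract_pdu(msg):
    """Return (version, pdu_tag, pdu_value) from a v2c or unencrypted v3 message."""
    fields = children(children(msg)[0][1])
    version = int.from_bytes(fields[0][1], "big")
    if version != 3:
        return (version,) + fields[2]              # version, community, PDU
    if fields[3][0] != SEQ:
        raise ValueError("scoped PDU is encrypted (authPriv)")
    return (version,) + children(fields[3][1])[2]  # engine ID, context name, PDU

for name, msg in (("v2c", v2c_msg), ("v3", v3_msg)):
    version, tag, value = extract_pdu(msg)
    print(f"{name}: version={version} pdu_tag=0x{tag:02X} pdu_len={len(value)}")
```

With authPriv the scoped PDU is carried as an encrypted OCTET STRING, so the inner PDU cannot be read without the privacy key; the function raises an error in that case.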

