I’ve been trying to get my head around the SNMP packet format for a while, but I’m still not sure I’ve got it. Here are some observations I think I have correct, but I’m not sure about:
- Each packet is a set of nested data primitives of different types, consisting of a type, a length and some data.
- The first two parts of an OID are always 1.3 and get encoded to a single byte.
- Subsequent parts are encoded as one byte each if their numeric value is less than 128.
- OID parts larger than 127 are encoded into multiple bytes whose value is determined by the 7 least significant bits, with the most significant bit set to 1 for all but the last byte.
- Some data type IDs are official (integer, string, etc) but some are proprietary and device-specific.
The bit I really don’t understand is how the length of a particular value is encoded if the value is longer than 255 bytes. Using Wireshark, I discovered that for lengths under 256, the length field is 1 byte, but for lengths larger than 256 the field is split into multiple bytes. However, the encoding used in larger OID part numbers does not seem to apply.
I can’t find anything in the RFCs about this (there are about 30 of them anyway) to help me out.
Can someone clear this up for me, and verify that the observations I made above are correct?
SNMP is defined using a subset of ASN.1. There are a bunch of standards describing it; X.690 covers the basic binary encoding.
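As an added illustration (not part of the original question or answer), here is a minimal Python decoder for the X.690 definite-length rule: lengths 0 to 127 use one octet, and anything larger uses a first octet of `0x80 | n` followed by `n` big-endian length octets. It also decodes OID content octets; the function names, the 4-octet length cap and the sample bytes are assumptions constructed for this example.

```python
def read_length(buf, pos):
    """Decode a BER definite length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                 # short form: one octet, values 0..127
        return first, pos
    n = first & 0x7F                 # long form: low 7 bits count the length octets
    if n == 0:
        raise ValueError("indefinite form (0x80) rejected")
    if n > 4 or pos + n > len(buf):  # assumption: cap at 4 octets to bound untrusted sizes
        raise ValueError("length field too large or truncated")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]                   # assumption: single-octet tags only
    length, start = read_length(buf, pos + 1)
    end = start + length
    if end > len(buf):               # never trust the declared length over the real buffer
        raise ValueError("declared length runs past end of buffer")
    return tag, buf[start:end], end

def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER (tag 0x06)."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or unterminated OID")
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)    # 7 payload bits per octet
        if not b & 0x80:                  # high bit clear marks the last octet
            subids.append(acc)
            acc = 0
    first = subids[0]                     # first two arcs are packed as 40*X + Y
    x = min(first // 40, 2)
    return [x, first - 40 * x] + subids[1:]

# Constructed samples: an OID TLV and a 300-byte OCTET STRING (length 0x012C).
SAMPLE_OID = bytes.fromhex("06092b0601040182371502")
SAMPLE_LONG = bytes([0x04, 0x82, 0x01, 0x2C]) + b"A" * 300

if __name__ == "__main__":
    print(decode_oid(read_tlv(SAMPLE_OID)[1]))
    print(len(read_tlv(SAMPLE_LONG)[1]))
```
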