VOOZH about

URL: https://www.geeksforgeeks.org/ethical-hacking/object-identifiers-in-wireshark/

⇱ Object Identifiers in Wireshark - GeeksforGeeks

  • Courses
  • Tutorials
  • Interview Prep

Object Identifiers in Wireshark

Last Updated : 23 Jul, 2025

Object Identifiers (OIDs) are used by several ASN.1 protocol to specifically identify specific items of data. They are constantly used as an extension method, allowing the description of new object identifiers (and their corresponding values) without altering the base standard. Although Wireshark is familiar with many OIDs and the syntax of the values that go with them, the extensibility means that other values might be encountered. The user can specify the name and syntax of Object Identifiers that Wireshark is unaware of using this table, which is used by Wireshark (for example, a privately defined X.400 extension). Additionally, it enables the user to change the syntax and name of Object Identifiers that Wireshark is already apprehensive of (To exemplify, changing “id-at-countryName” to just “c”).

This table is the user table that consists of the following fields:

  • OID: The OID is an Object Identifier as a string, for example, “2.5.4.6.”
  • Name: The name that Wireshark should display when the Object Identifier is broken down, such as, (“c”);
  • Syntax: The syntax here implies the value associated with the Object Identifier. This must be one of the syntaxes that Wireshark already knows about (To exemplify, “Printable String”).

DOF Object Identifiers:

Protocol field name: dof.oid

FIELD NAMEDESCRIPTIONTYPE
dof.attribute.attribute AttributeUnsigned integer (1 byte) 
dof.attribute.data DataByte sequence 
dof.attribute.header HeaderUnsigned integer (1 byte) 
dof.attribute.id IDUnsigned integer (1 byte) 
dof.attribute.length LengthUnsigned integer (1 byte) 
dof.attribute.oid OIDByte sequence 
dof.oid.attribute AttributeUnsigned integer (1 byte) 
dof.oid.attribute-data Attribute Data Byte sequence 
dof.oid.class ClassUnsigned integer (4 bytes) 
dof.oid.data DataByte sequence 
dof.oid.header HeaderUnsigned integer (1 byte) 
dof.oid.header_zero 

DOF Violation: Type.4: 

Header bit mandated 0. 

Label
dof.oid.length LengthUnsigned integer (1 byte) 

Steps To View a Decoded OID Using Wireshark:

Install the 32-bit edition of Wireshark. Create a list of the OID's MIB file names as follows:

  • Copy every MIB file to a Linux computer.
  • Execute the next command:
[user]@ubuntu:/tmp/mib$ ls -l total 2380
[user]@ubuntu:/tmp/mib$ grep “DEFINITIONS 
::= BEGIN" *.mib | awk -F”:” '{print $2}' 
| awk '{print $1}'.
  • The next step is to make a product MIB folder under the following path:
 C:\Program Files (x86)\Wireshark\
 snmp\mibs\.
  • Copy the MIB files to the following path:
C:\Program Files (x86)\Wireshark\
snmp\mibs\[product mib folder].
  • Launch Wireshark and select Edit → Preferences → Name Resolution from the menu. Select the checkboxes to Enable OID resolution and Suppress SMI errors, then restart Wireshark by clicking OK.
  • Relaunch Wireshark, then select Edit → Preferences → Name Resolution.
  • Choose Edit. Then enter the location where your MIB files are stored (To exemplify, C:\Program Files (x86)\Wireshark\snmp\mibs\\[product mib folder]). Click OK.
  • Enter all the MIB names in the SMI (MIB and PIB) modules area by clicking Edit… adjacent to that field. Click OK.
  • Access an SNMP packet capture file. The OIDs are now shown as decoded.
👁 Object Identifiers
 

Conclusion:

The string representation is used for Object Identifiers for their unique identification. The SNMP dissector is working properly. SNMPv3 packets that have been encrypted can be decrypted if set correctly.

Comment