FortiGate
Keerthi_A
Staff
Article Id 263906
Description This article describes how to decrypt SNMPv3 packets.
Scope FortiGate.
Solution
  1. Start packet capture in Network -> Packet Capture.
  2. Stop packet capture and download the file.
  3. Open the downloaded PCAP file in Wireshark.
  4. Gather the required parameters for decryption:
    a) Engine ID: view the SNMP header in the capture to get the Engine ID.
    b) Username.
    c) Authentication model (Authentication Algorithm).
    d) Password (Password set for Authentication).
    e) Privacy protocol (Encryption Algorithm).
    f) Privacy password (Password set for Encryption).

In FortiGate GUI: go to System -> SNMP -> SNMPv3, edit the required entry and view the details.

Note:

The passwords are displayed encrypted. If a password is unknown, reset/change it.

 


In FortiGate CLI:

show full-configuration system snmp user

Sample output:

config system snmp user
    edit "smpv3" <----- Username.
        set status enable
        set trap-status enable
        set trap-lport 162
        set trap-rport 162
        set queries enable
        set query-port 161
        set notify-hosts 10.170.7.232
        set source-ip 0.0.0.0
        set source-ipv6 ::
        set ha-direct disable
        set events cpu-high
        set mib-view ''
        set security-level auth-priv
        set auth-proto sha <----- Authentication model.
        set auth-pwd ENC <----- Password is shown encrypted; if unknown, reset it.
        set priv-proto aes <----- Privacy protocol.
        set priv-pwd ENC <----- Password is shown encrypted; if unknown, reset it.
    next
end

  1. In Wireshark, go to Edit -> Preferences -> Protocols.
  2. Select SNMP from the protocol list.
  3. Edit Users Table.
  4. Select '+' in the bottom left corner to add a new entry.
  5. Enter the collected parameters into the respective fields, and select 'OK' to save.

 

Sample output before decryption:

[Screenshot: Wireshark capture before decryption]

Sample output after decryption:

[Screenshot: Wireshark capture after decryption]
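Why the Users Table needs the Engine ID as well as both passwords: SNMPv3 USM never uses a password directly. Each password is stretched into a key and then localized to the agent's Engine ID (RFC 3414), and for AES-128 privacy the first 16 bytes of the localized privacy key are the cipher key (RFC 3826). The Python sketch below is an added example, not part of the original article or Fortinet code. Its function names are hypothetical, it assumes 'auth-proto sha' means HMAC-SHA-1 and 'priv-proto aes' means AES-128, and the sample inputs are the RFC 3414 test-vector values, not FortiGate data.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: amount of password material hashed


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Stretch a password into the intermediate key Ku (RFC 3414 A.2)."""
    if not password:
        raise ValueError("SNMPv3 password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    # Hash exactly 1 MiB of the password repeated end to end.
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Bind Ku to a single agent: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Accept the Engine ID as hex with an optional 0x prefix, colons or spaces."""
    cleaned = text.strip().replace(":", "").replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned:
        raise ValueError("Engine ID is required to localize the keys")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex input


def snmpv3_keys(engine_id_hex: str, auth_pwd: str, priv_pwd: str,
                algo: str = "sha1") -> tuple:
    """Return (auth_key, aes128_priv_key) for one user on one engine."""
    engine_id = parse_engine_id(engine_id_hex)
    auth_key = localize_key(password_to_key(auth_pwd.encode(), algo),
                            engine_id, algo)
    priv_key = localize_key(password_to_key(priv_pwd.encode(), algo),
                            engine_id, algo)
    return auth_key, priv_key[:16]  # AES-128 takes the first 16 bytes


if __name__ == "__main__":
    # Constructed input: RFC 3414 A.3 test-vector password and Engine ID.
    auth, priv = snmpv3_keys("00:00:00:00:00:00:00:00:00:00:00:02",
                             "maplesyrup", "maplesyrup")
    print("auth key:", auth.hex())
    print("priv key:", priv.hex())
```

The same passwords with a different Engine ID yield different keys, which is why a wrong or missing Engine ID in the Users Table leaves the capture undecrypted.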

 

Related article:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...