Difference between revisions of "Snmp"
From Linuxintro
imported>ThorstenStaerk |
imported>ThorstenStaerk |
||
| Line 1: | Line 1: | ||
SNMP allows you to monitor hardware. To do this, there are objects that will be monitored: computers, network switches, storages and so on. These are called agents. They communicate with a "manager" which displays their status. The agents can be queried for their status by a get/set request/response. Or they can alert about a critical status by initiating a communication, this is called a "trap". | SNMP allows you to monitor hardware. To do this, there are objects that will be monitored: computers, network switches, storages and so on. These are called agents. They communicate with a "manager" which displays their status. The agents can be queried for their status by a get/set request/response. Or they can alert about a critical status by initiating a communication, this is called a "trap". | ||
| + | |||
| + | * let's see if the snmp port is open | ||
| + | tweedleburg:~ # lsof -i |grep snmp | ||
| + | * it is not. So let's start the snmp daemon: | ||
| + | tweedleburg:~ # /etc/init.d/snmpd start | ||
| + | redirecting to systemctl start snmpd.service | ||
| + | tweedleburg:~ # lsof -i |grep snmp | ||
| + | snmpd 9531 root 7u IPv4 405253 0t0 UDP *:snmp | ||
| + | snmpd 9531 root 8u IPv4 405255 0t0 TCP localhost:smux (LISTEN) | ||
| + | * Now the port is open. Let's confirm this with nmap: | ||
| + | tweedleburg:~ # nmap localhost -p 161 | ||
| + | |||
| + | Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-22 11:33 CET | ||
| + | Nmap scan report for localhost (127.0.0.1) | ||
| + | Host is up (0.000027s latency). | ||
| + | PORT STATE SERVICE | ||
| + | 161/tcp closed snmp | ||
| + | |||
| + | Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds | ||
| + | * it seems closed. That is a common mistake, SNMP communication happens over UDP, not TCP. Check it like that: | ||
| + | tweedleburg:~ # nmap -sU localhost | ||
| + | |||
| + | Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-22 11:33 CET | ||
| + | Nmap scan report for localhost (127.0.0.1) | ||
| + | Host is up (0.0000070s latency). | ||
| + | Not shown: 996 closed ports | ||
| + | PORT STATE SERVICE | ||
| + | 123/udp open ntp | ||
| + | 161/udp open snmp | ||
| + | 631/udp open|filtered ipp | ||
| + | 5353/udp open|filtered zeroconf | ||
| + | |||
| + | Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds | ||
| + | * let's confirm with telnet there is no TCP port open on 161: | ||
| + | tweedleburg:~ # telnet localhost 161 | ||
| + | Trying ::1... | ||
| + | telnet: connect to address ::1: Connection refused | ||
| + | Trying 127.0.0.1... | ||
| + | telnet: connect to address 127.0.0.1: Connection refused | ||
= Trying to build an SNMP prototype = | = Trying to build an SNMP prototype = | ||
Latest revision as of 10:45, 22 January 2015
SNMP allows you to monitor hardware. To do this, there are objects that will be monitored: computers, network switches, storages and so on. These are called agents. They communicate with a "manager" which displays their status. The agents can be queried for their status by a get/set request/response. Or they can alert about a critical status by initiating a communication, this is called a "trap".
- let's see if the snmp port is open
tweedleburg:~ # lsof -i |grep snmp
- it is not. So let's start the snmp daemon:
tweedleburg:~ # /etc/init.d/snmpd start redirecting to systemctl start snmpd.service tweedleburg:~ # lsof -i |grep snmp snmpd 9531 root 7u IPv4 405253 0t0 UDP *:snmp snmpd 9531 root 8u IPv4 405255 0t0 TCP localhost:smux (LISTEN)
- Now the port is open. Let's confirm this with nmap:
tweedleburg:~ # nmap localhost -p 161 Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-22 11:33 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.000027s latency). PORT STATE SERVICE 161/tcp closed snmp Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
- it seems closed. That is a common mistake, SNMP communication happens over UDP, not TCP. Check it like that:
tweedleburg:~ # nmap -sU localhost Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-22 11:33 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.0000070s latency). Not shown: 996 closed ports PORT STATE SERVICE 123/udp open ntp 161/udp open snmp 631/udp open|filtered ipp 5353/udp open|filtered zeroconf Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
- let's confirm with telnet there is no TCP port open on 161:
tweedleburg:~ # telnet localhost 161 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused
Trying to build an SNMP prototype
SUSE Linux:
yast -i nagios apache2 /etc/init.d/nagios start /etc/init.d/apache2 start
Remember your login nagiosadmin:nagiosadmin and point your browser to http://127.0.0.1/nagios
/etc/init.d/snmptrapd tail -f /var/log/net-snmpd.log snmptrap -v 2c -c public localhost "" NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification netSnmpExampleHeartbeatRate i 42
No access configuration - dropping trap.
So it seems I have to
cat /etc/snmp/snmptrapd.conf disableAuthorization yes traphandle default /bin/snmppl
/etc/init.d/snmptrapd restart cat /bin/snmppl #!/bin/bash date >>/tmp/dates
2014-05-06
Ok, the following command
snmptrap -v 2c -c public hostname "" NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification netSnmpExampleHeartbeatRate i 42
works and I can see on hostname
hostname:~ # tcpdump port 162 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 12:09:02.418760 IP source.domain.45398 > hostname.domain.snmptrap: V2Trap(77) system.sysUpTime.0=60543145 S:1.1.4.1.0=[|snmp]
But I cannot receive it with netcAt. And it does not work on localhost.
Using this command I can sniff and display the snmp trap:
tcpdump -A port 162 -l | hexdump -C
or this command:
netcat -u -l 162 | hexdump -C
