What is SNMP?
SNMP stands for the Simple Network Management Protocol. At its heart,
SNMP is a set of rules that lets one computer (the manager) retrieve
statistics and configuration from another (the agent) across a network.
Computers keep track of various statistics that measure what they're
doing. For example, routers can keep track of the number of bytes, packets,
and errors that were transmitted and received on each interface (port).
Web servers might keep a tally of the number of hits they have received.
Other kinds of equipment have configuration information that's available
through SNMP.
Each of these pieces of information (packet statistics, page hits,
configuration) is kept in a database described by a Management Information
Base (a MIB, in SNMP parlance). There are many different MIBs, describing
many different aspects of a computer's operation.
The various values that can be retrieved from a MIB are called MIB
variables. These variables are defined in the MIB for a device.
Each MIB variable is named by an Object Identifier (OID), which is
written as a string of numbers separated by periods ("."), like this:
1.3.6.1.xxxx.x.x.x.x...
For example, the MIB-II (pronounced, "MIB two") has a variable that
indicates the number of interfaces (ports) in a router. It's called
the "ifNumber", and its OID is 1.3.6.1.2.1.2.1.0
Network monitoring tools query a device for MIB variables and display
the results. When a device receives an SNMP Get-Request for this ifNumber
OID, it responds with the count of interfaces.
Note: The trailing ".0" in the example above is technically
part of the OID. Although you will often see OIDs written without it,
some tools require that it be present wherever you enter an OID.
What is the 'Read-only Community String'?
The SNMP Read-Only Community String is like a password. It is sent
along with each SNMP Get-Request and allows (or denies) read access to the
device. Most network vendors ship their equipment with a default community
string of "public". (This is the so-called "default public community string".)
Many network administrators change the community string to keep intruders
from learning about the network setup. This is a good idea. Even read-only
SNMP access divulges a lot about the network (interface addresses, routing
tables, open TCP connections, software versions) that could be used to
compromise it. Note also that in SNMPv1 and SNMPv2c the community string
travels in cleartext in every request, so anyone who can capture the traffic
can read it; SNMPv3 replaces community strings with per-user authentication
and optional encryption.
If there's a "read-only community string", you might expect that there
is a "write community string". You'd be correct. There is also an SNMP
Set-Request, which is a command to set certain SNMP MIB variables (that is,
certain OIDs) to a specified value. These writes are protected by the
write community string (which should never be set to 'public', nor to the
same value as the read-only string, and which is best left unconfigured on
devices nothing needs to write to).
Many SNMP-speaking devices also have IP address filters that ignore
requests (read and write) unless the source address is on an access
list. Because SNMP runs over UDP, a forged source address can slip a
Set-Request past such a filter even though the reply goes elsewhere, so
treat access lists as a supplement to a strong community string, not a
substitute for one.
There's also the SNMP Trap, an unsolicited message from a device to an
SNMP console (for example, InterMapper) announcing that the device is in
an interesting state. Traps might indicate power-up, link-up/down
conditions, temperatures exceeding certain thresholds, high traffic,
etc. A trap provides immediate notification of an event that might
otherwise only be discovered during occasional polling.
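The Get-Request and reply described above, as an added example in Python (this is not InterMapper's code, nor code from any library the page mentions): a minimal BER encoder/decoder for SNMPv1 that builds the Get-Request for ifNumber.0 with community "public", decodes a reply, and lets you see the community string sitting unencrypted in the packet. The sample reply and its interface count of 4 are constructed; only `query` touches the network.

```python
"""Minimal SNMPv1 Get-Request / Get-Response codec (ASN.1 BER). Added example,
not InterMapper's code: it produces the bytes a Get-Request for ifNumber.0 puts
on the wire and decodes a constructed reply."""
import socket

GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43

def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body

def ber_int(value, tag=INTEGER):
    # Two's complement; the +8 keeps a leading 0x00 when the top bit is set (128 -> 00 80).
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    # First two sub-ids share one byte (40*x + y); the rest are base-128 with a continuation bit.
    sub = [int(s) for s in oid.strip(".").split(".")]
    out = bytearray([40 * sub[0] + sub[1]])
    for s in sub[2:]:
        chunk = [s & 0x7F]
        while s > 0x7F:
            s >>= 7
            chunk.append(0x80 | (s & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))

def build_message(community, pdu_tag, request_id, varbinds, version=0):
    """varbinds: list of (oid, BER-encoded value); None means ASN.1 NULL, as in a request."""
    vbl = b"".join(_tlv(SEQUENCE, ber_oid(o) + (v if v is not None else _tlv(NULL, b"")))
                   for o, v in varbinds)
    pdu = _tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(SEQUENCE, vbl))
    # SNMPv1 message: version 0, the community string in the clear, then the PDU.
    return _tlv(SEQUENCE, ber_int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)

def get_request(community, oid, request_id=1):
    return build_message(community, GET_REQUEST, request_id, [(oid, None)])

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    sub, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            sub.append(val)
            val = 0
    return ".".join(map(str, sub))

def _decode_value(tag, body):
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OID:
        return _decode_oid(body)
    if tag == NULL:
        return None
    return body  # OCTET STRING and anything else stays raw bytes, since it may be binary

def parse_message(pkt):
    """Decode an SNMPv1 message (request or response) into a dict."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _, q = _read_tlv(pdu, q)  # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = _read_tlv(vbl, r)
        _, oid_body, s = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, s)
        varbinds.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode("latin-1"),
            "pdu": pdu_tag, "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

def query(host, community, oid, timeout=2.0):  # one Get-Request over UDP/161; needs the network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(get_request(community, oid), (host, 161))
        return parse_message(s.recvfrom(65535)[0])

# Constructed reply: how a router with four interfaces would answer get_request("public", ifNumber.0).
SAMPLE_RESPONSE = build_message("public", GET_RESPONSE, 1, [("1.3.6.1.2.1.2.1.0", ber_int(4))])
```

`get_request("public", "1.3.6.1.2.1.2.1.0").hex()` starts `3026020100040670 75626c6963 ...`: the bytes `7075626c6963` are "public" verbatim, exactly what an intruder with a packet capture sees. `parse_message(SAMPLE_RESPONSE)` yields the varbind `("1.3.6.1.2.1.2.1.0", 4)`, and `query(host, community, oid)` runs the same codec against a live agent.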
Why can't I get SNMP information from a device?
Network monitoring tools require that SNMP be available and configured
on a device before they can display its traffic information. The most
common cause of not being able to see traffic is that you haven't entered
the SNMP Read-only community string. (This is like a password that controls
whether another computer can retrieve SNMP information.)
In order of simplest to most complex, here is a list of reasons that
InterMapper might not get SNMP information from a device:
- Wrong DNS name/IP address (not likely, but we have to mention it)
- No connectivity. Can you ping the device from InterMapper?
- No SNMP agent on the device. Many devices or computers have optional
SNMP capabilities that must be installed separately.
- In a custom probe, have you specified the OID properly? (See the
OID Format FAQ for details.)
- Wrong community string (have you tried 'public'?)
- Access lists: does the equipment only allow SNMP access from certain
addresses?
- Firewalls: does a firewall block the SNMP port (UDP 161; traps use
UDP 162) between your Mac and the equipment?
- Bugs in the SNMP agent on the equipment. InterMapper uses SNMP
Get-Next-Requests in several places. We've seen certain equipment
that fails when queried this way.
If you're sure that you've checked all these things and you still
can't get SNMP information, please get back to us at intermapper@dartware.com.
We may have some tricks up our sleeves. (Or we may wind up learning
something!)
How can InterMapper query a particular MIB variable?
There are two kinds of MIB variables: scalar values and table entries.
Scalars have a single value, such as the ifNumber shown above: the
ifNumber MIB variable of a router is a single number that represents the
total number of its interfaces (ports). Table variables, on the other
hand, provide the same pieces of information for each of several items,
such as the traffic on each of a router's ports, or the state of each of
a device's TCP connections.
InterMapper can read and display both scalar variables and table variables
in its custom SNMP probes.
Scalar values must have a ".0" suffix in their OIDs. For example,
the OID for ifNumber in MIB-II is often written as "1.3.6.1.2.1.2.1".
In custom probe files, it should be represented as "1.3.6.1.2.1.2.1.0".
(This ".0" is technically part of the OID - it's convenient not to write
it, though.)
Table variables are generally suffixed with the index of the row.
(This isn't always true: see the note below.) For example, the Cisco
Environmental Monitor MIB (CISCO-ENVMON-MIB) defines columns for the
measured temperature and voltage in its temperature and voltage status
tables:
ciscoEnvMonTemperatureStatusValue 1.3.6.1.4.1.9.9.13.1.3.1.3
ciscoEnvMonVoltageStatusValue 1.3.6.1.4.1.9.9.13.1.2.1.3
Add the suffix ".1" to either of these to get the value for the first
row (sensor), ".2" for the second row, and so on.
Do all tables have an index?
As noted above, some tables don't have a separate integer index. Their
rows are named (that is, their OIDs are formed from) data in the row
itself. For example, the OID of the tcpConnState column, the status of a
particular TCP connection, is "1.3.6.1.2.1.6.13.1.1". Its index is the
local and remote IP address and port (all four values: tcpConnLocalAddress,
tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort), appended in that
order to the tcpConnState OID. Thus, the full OID for the state of a TCP
connection from local address 9.8.7.6 port 543 to remote address
123.45.67.89 port 8765 would be:
1.3.6.1.2.1.6.13.1.1.9.8.7.6.543.123.45.67.89.8765
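The three naming rules from the last two sections (".0" for scalars, an integer row index for ordinary tables, and row data as the index for tcpConnTable), as an added example in Python; this is not InterMapper's probe code. The OIDs are the MIB-II ones from the text, the tcpConnState value names are from RFC 1213, and the sample table walk at the bottom is constructed.

```python
"""Naming SNMP object instances: scalars, integer-indexed tables, key-indexed tables.
Added example, not InterMapper's code. SAMPLE_WALK is constructed."""
import ipaddress

IF_NUMBER = "1.3.6.1.2.1.2.1"            # MIB-II ifNumber, a scalar
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"    # MIB-II ifTable column ifInOctets, indexed by ifIndex
TCP_CONN_STATE = "1.3.6.1.2.1.6.13.1.1"  # MIB-II tcpConnTable column tcpConnState

# tcpConnState enumeration from RFC 1213.
TCP_CONN_STATES = {1: "closed", 2: "listen", 3: "synSent", 4: "synReceived", 5: "established",
                   6: "finWait1", 7: "finWait2", 8: "closeWait", 9: "lastAck", 10: "closing",
                   11: "timeWait", 12: "deleteTCB"}

def scalar_instance(oid):
    """A scalar has exactly one instance, named by appending ".0"."""
    return oid.strip(".") + ".0"

def table_instance(column_oid, *index):
    """Integer-indexed tables: append each index value (ifTable rows use ifIndex)."""
    return ".".join([column_oid.strip(".")] + [str(int(i)) for i in index])

def tcp_conn_instance(local_addr, local_port, remote_addr, remote_port):
    """tcpConnTable has no separate index column: the row is named by its own key
    fields, each IPv4 address contributing four sub-ids and each port one."""
    for port in (local_port, remote_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %r" % port)
    return ".".join([TCP_CONN_STATE, str(ipaddress.IPv4Address(local_addr)), str(local_port),
                     str(ipaddress.IPv4Address(remote_addr)), str(remote_port)])

def parse_tcp_conn_instance(oid):
    """Inverse of tcp_conn_instance: recover (local_addr, local_port, remote_addr, remote_port)."""
    prefix = TCP_CONN_STATE + "."
    if not oid.startswith(prefix):
        raise ValueError("not a tcpConnState instance: " + oid)
    parts = [int(p) for p in oid[len(prefix):].split(".")]
    if len(parts) != 10 or any(not 0 <= p <= 255 for p in parts[0:4] + parts[5:9]):
        raise ValueError("malformed tcpConnTable index: " + oid)
    return (".".join(map(str, parts[0:4])), parts[4], ".".join(map(str, parts[5:9])), parts[9])

def decode_tcp_table(varbinds):
    """Turn a Get-Next walk of the tcpConnState column into readable connection rows."""
    rows = []
    for oid, value in varbinds:
        laddr, lport, raddr, rport = parse_tcp_conn_instance(oid)
        rows.append((laddr, lport, raddr, rport, TCP_CONN_STATES.get(value, "unknown(%d)" % value)))
    return rows

# Constructed: what a walk of tcpConnState might return from a small server.
SAMPLE_WALK = [
    ("1.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0", 2),             # 0.0.0.0:22 listening
    ("1.3.6.1.2.1.6.13.1.1.9.8.7.6.543.123.45.67.89.8765", 5),    # the connection from the text
    ("1.3.6.1.2.1.6.13.1.1.9.8.7.6.80.198.51.100.7.51234", 11),   # a connection in timeWait
]

if __name__ == "__main__":
    print(scalar_instance(IF_NUMBER))
    print(table_instance(IF_IN_OCTETS, 3))
    print(tcp_conn_instance("9.8.7.6", 543, "123.45.67.89", 8765))
    for row in decode_tcp_table(SAMPLE_WALK):
        print("%s:%d -> %s:%d %s" % row)
```

The decoder is the part a custom probe actually needs: a walk of tcpConnState hands back only instance OIDs and integers, and the addresses and ports are recovered purely from the OID suffix. A listening socket shows up with a remote address of 0.0.0.0 and port 0, so the parser must accept zeros rather than treat them as malformed.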
Where can I read more information about SNMP?
Here's a great site to start learning about MIBs and all the cool
things you can do with them:
http://www.snmpworld.com/
Another is:
http://netman.cit.buffalo.edu/
A periodic newsletter, The Simple Times, is online at:
http://www.simple-times.org/
A great site pointing to various SNMP products:
http://www.simpleweb.org/
What about SNMP attacks?
For a widely reported set of vulnerabilities in SNMPv1 trap and request
decoding (found with the OUSPG PROTOS test suite and affecting many
vendors' agents and managers), see CERT Advisory CA-2002-03 and a
typical vendor statement. See also the net-snmp project.
How do I interpret an unknown enterprise number?
Q: My error log file shows the following lines:
14/02 15:13:07 TRAP CITRIX1:: coldStart
14/02 15:13:07 TRAP CITRIX1:: linkUp, ifIndex = 1
14/02 15:13:07 TRAP CITRIX1:: linkUp, ifIndex = 16777219
14/02 15:14:07 TRAP CITRIX1:: 1.3.6.1.4.1.3845.3.1.1 (8) { <no variables> }
Can you tell me what that SNMP ID is? (1.3.6.1.4.1.3845.3.1.1 (8))
A: The "1.3.6.1.4.1" prefix of the OID indicates that the trap comes
from a private enterprise MIB; the sub-identifier right after that prefix
(3845 here) is the vendor's enterprise number. You can find out which
enterprise by downloading the Enterprise Numbers registry from:
ftp://ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers
(IANA now publishes the same registry at
https://www.iana.org/assignments/enterprise-numbers.)
Reading through the file turns up this entry:
3845 Citrix Systems Keith Turnbull keitht@citrix.com
Contact Citrix (or read their MIB) to find out the exact interpretation
of the rest of the trap's OID (the "3.1.1" after the enterprise number).
Is there a way to scan a network for all SNMP devices?
InterMapper will do a very good job of finding SNMP-speaking devices
if you know the devices' SNMP Read-only Community string. Detailed
instructions for scanning a subnet are available from the network
scanning page. Be sure to set the default SNMP Read-only Community
String as shown in the SNMP Preferences. (Scanning your own subnet with
the default string 'public' is also a quick way to find devices whose
community string was never changed; an intruder would do the same.)
However, InterMapper may not be able to find a device for any of the
reasons listed under "Why can't I get SNMP information from a device?"
above.