Thursday, January 22, 2009

A Quick SNMP Primer

Just a quick disclaimer to go with my quick primer: I'm relatively new to SNMP myself. This article doesn't aim or claim to be comprehensive. It's just meant to help you get started.

SNMP is the Simple Network Management Protocol. It has been said that not only is it not simple, but it's usually used for monitoring more than managing devices. I don't fully agree with this sentiment. It does have some weirdness, but once you get over that it's not so bad.

Structure of Management Information

Before we get into practical usage, we need to talk theory. SNMP partly describes a network protocol, but it also describes an organizational structure. This structure is called the Structure of Management Information, or SMI for short. It is a tree that branches out into nodes called Object Identifiers, or OIDs. Each level of the tree has its own set of numbers for its nodes. At the moment, we're only concerned with one specific path in this tree, sometimes referred to as MIB-II, or the Management Information Base. The OID for this node is 1.3.6.1.2.1.

This node is actually the root of where our queries are performed. In fact, a lot of times this OID is just printed as mib-2. The nodes underneath this are what we will be querying.

Some of the nodes that we're interested in here are system (1), interfaces (2), at (3), ip (4) and so on. For example, the OID that describes a system is mib-2.system.sysDescr.0. The long name for this is .iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0, and the numerical notation for this is .1.3.6.1.2.1.1.1.0. On my Linux box, this is often the output of the "uname -a" command.

If you need some time to digest this part, go for it. I think this is the biggest thing to overcome with SNMP. When you're ready, come back for the next part.

SNMP Versions

There are three main versions of SNMP that you will run into: 1, 2c and 3. Version 2c is the community version of version 2, and while it does provide a little extra information, it isn't much of an improvement over version 1.

These two versions use passwords called community strings to provide access. There is a read-only community used for monitoring (reading values from the device), and a read/write community used for management (setting values on the device). The most common default community string for read-only access is "public". The most common default community string for read/write access is "private".

Most SNMP-enabled devices ship with these defaults, and as we all know, most sysadmins are still too lazy to change them. Fortunately, the Net-SNMP package in Linux has a somewhat better default configuration: it only listens to requests from the local machine. Even better, the Net-SNMP server isn't installed by default on most Linux distributions, so don't worry about your system being vulnerable like that out of the box.

SNMP version 3 introduced the concept of usernames and passwords, rather than just communities. But versions 1, 2c and 3 all suffer from one major shortcoming: out of the box they send their authentication and their data in the clear. Fortunately, version 3 also supports encryption for authentication, for data transfer, or for both.

Setting Up SNMP

Installation is easy, but there are a couple of different packages that you want. On RHEL5 and Fedora 10:

yum install net-snmp net-snmp-utils

On Ubuntu:

apt-get install snmpd snmp

For those of you who are interested, net-snmp corresponds to snmpd and net-snmp-utils to snmp.

Once you have it installed, go ahead and blow away the configuration file:

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

The default configuration is a lot to deal with. We're going to keep it simple. Create a new /etc/snmp/snmpd.conf file with the following line:

rocommunity yourcommunitystring

...where yourcommunitystring is, of course, whatever community string you want to use. This is really all the configuration you need for versions 1 and 2c, though you can add more if you like.

If you want version 3 instead, the configuration is a little different. There are actually two files to edit here, and the second one probably doesn't exist by default. First, edit the /etc/snmp/snmpd.conf file and add the following line:

rouser username

...where username is, of course, the username that you want to use. You'll also need to set up a password, and naturally we don't want it going over the wire in plain text if we can avoid it. Depending on your version of Net-SNMP, a few options are available: MD5 or SHA for authentication, and DES (or AES in more recent versions) for data transfer. I'm going to assume that you want to use SHA and DES. Create (if necessary) and edit the /var/net-snmp/snmpd.conf file and add the following line:

createUser username SHA password1 DES password2

...where username is, of course, the username you specified in the /etc/snmp/snmpd.conf file, password1 is your SHA (authentication) password and password2 is your DES (privacy) password. I know it seems scary to leave passwords out in the open in a plain text file like this, but don't worry: as soon as the SNMP service starts up, it rewrites this file so the passwords are no longer stored in plain text. I should also note that this is the only time you will ever edit this file by hand, and the createUser line is the only line you will ever add to it.

When you're ready to start the SNMP service, type in:

chkconfig snmpd on    # RHEL/Fedora systems only
/etc/init.d/snmpd start
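The one-line configurations above are deliberately minimal, so here is an added example (my code, not part of the original post or of Net-SNMP) that checks an snmpd.conf for the weak settings discussed in this article: well-known default community strings, communities with no source restriction, read/write communities on v1/2c, and v3 users allowed at noauth. It relies on the directive forms from snmpd.conf(5), rocommunity/rwcommunity COMMUNITY [SOURCE [OID]] and rouser/rwuser USER [noauth|auth|priv], and treats a missing v3 level as auth, which is Net-SNMP's default. Both configs it runs over are constructed, and 192.0.2.10 is a placeholder address.

```python
# Added example, not from the post: audit snmpd.conf access directives.
# Directive syntax per Net-SNMP's snmpd.conf(5):
#   rocommunity|rwcommunity COMMUNITY [SOURCE [OID]]
#   rouser|rwuser USER [noauth|auth|priv [OID]]   (missing level = auth)

DEFAULT_COMMUNITIES = {"public", "private"}   # the well-known defaults


def audit_snmpd_conf(text):
    """Return [(line_no, finding), ...] for access lines that deserve a look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in ("rocommunity", "rwcommunity"):
            if not args:
                findings.append((no, "%s without a community string" % directive))
                continue
            community = args[0]
            source = args[1] if len(args) > 1 else "default"   # "default" = any address
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "well-known default community %r" % community))
            if source.lower() == "default":
                findings.append((no, "%s answers any source address; add a SOURCE" % directive))
            if directive == "rwcommunity":
                findings.append((no, "read/write access over v1/v2c travels in the clear"))

        elif directive in ("rouser", "rwuser"):
            if not args:
                findings.append((no, "%s without a user name" % directive))
                continue
            user = args[0]
            level = args[1].lower() if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((no, "%s %r accepts unauthenticated requests" % (directive, user)))
            elif level == "auth":
                findings.append((no, "%s %r is authenticated but not encrypted; use priv" % (directive, user)))
    return findings


# Constructed weak config: the defaults the post warns about.
WEAK_CONF = """\
rocommunity public
rwcommunity private
rouser monitor noauth
"""

# Constructed hardened counterpart: one monitoring host (192.0.2.10 is a
# placeholder), read-only, limited to the system group, and v3 with privacy.
HARDENED_CONF = """\
rocommunity yourcommunitystring 192.0.2.10 .1.3.6.1.2.1.1
rouser username priv
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```

Run as a script, the weak config produces six findings and the hardened one none. The hardened lines are the counterpart to the single rocommunity line above: a SOURCE so only the monitoring host is answered, an OID so only the system group is visible, and rouser ... priv so v3 requests are both authenticated and encrypted.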

Viewing SNMP Data

There are several commands available for viewing SNMP data, but I'll start you off with just the snmpwalk and snmpget commands for now. Once you get the hang of them, you can start exploring other commands. Usage does differ slightly between versions 1 and 2c, and version 3, but only in authentication.

If you added the rocommunity line to your /etc/snmp/snmpd.conf file, use the following command to take a look at your MIB-II tree:

snmpwalk -v 2c -c yourcommunitystring localhost | less

We're piping the output of the command to less because there can be a lot of information here. You've probably guessed that the -v option specifies the version (1 or 2c) and the -c option specifies the community string. The first line probably looks something like this:

SNMPv2-MIB::sysDescr.0 = Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux

Let's make the names a little more verbose. Hit 'q' to exit out of this, and try this command:

snmpwalk -v 2c -c yourcommunitystring -Of localhost | less

For your reference, that is a capital letter O, not the number zero. When you look at the output of this command, it probably looks more like this:

.iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0 = Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux

Hey, you want to really have some fun? Try out this command instead:

snmpwalk -v 2c -c yourcommunitystring -On localhost | less

Now you get the name in numerical format:

.1.3.6.1.2.1.1.1.0 = STRING: Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux

The amusement never ends. Going back to the full naming format, you'll notice that the first set of lines is in the system node:

.iso.org.dod.internet.mgmt.mib-2.system...

If you scroll down a little, you'll find the interfaces node:

.iso.org.dod.internet.mgmt.mib-2.interfaces...

We can specify to walk only one of these nodes if we like. Since we're only looking at information under the mib-2 node, we can actually just refer to it by that one group name:

snmpwalk -v 2c -c yourcommunitystring -Of localhost system | less

Now you will only see information in the system group. If you know the exact location of a value that you want to look at, you can use the snmpget command to look at it. The syntax is almost identical to snmpwalk:

snmpget -v 2c -c yourcommunitystring -Of localhost system.sysDescr.0
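To make the three naming formats and the group walking above concrete, here is an added example (my code, not the post's or Net-SNMP's) that translates OIDs between numeric and named form using a table of only the nodes named in this article, parses snmpwalk output lines in the default, -Of and -On formats, and filters a walk down to one group the way "snmpwalk ... system" does. The first three sample lines are the ones shown above; the fourth, an interfaces-group line, is constructed.

```python
import re

# Added example, not from the post. Names for the path to mib-2, the mib-2
# groups the post lists (system, interfaces, at, ip) and sysDescr, keyed by
# parent numeric OID. Anything not in this table stays numeric.
NAMES = {
    "": {1: "iso"},
    "1": {3: "org"},
    "1.3": {6: "dod"},
    "1.3.6": {1: "internet"},
    "1.3.6.1": {2: "mgmt"},
    "1.3.6.1.2": {1: "mib-2"},
    "1.3.6.1.2.1": {1: "system", 2: "interfaces", 3: "at", 4: "ip"},
    "1.3.6.1.2.1.1": {1: "sysDescr"},
}

# Reverse index: node name -> full numeric OID, so "system" or "sysDescr"
# resolve on their own, which is what makes the post's short forms work.
ABSOLUTE = {
    name: (parent + "." if parent else "") + str(num)
    for parent, kids in NAMES.items()
    for num, name in kids.items()
}


def numeric_to_named(oid):
    """'.1.3.6.1.2.1.1.1.0' -> '.iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0'"""
    cur, out = "", []
    for p in oid.strip(".").split("."):
        out.append(NAMES.get(cur, {}).get(int(p), p))   # name if known, else number
        cur = (cur + "." if cur else "") + p
    return "." + ".".join(out)


def named_to_numeric(name):
    """Accepts a full path ('.iso.org...'), a short form starting at a known
    node ('system.sysDescr.0'), or the MODULE::name form snmpwalk prints by
    default ('SNMPv2-MIB::sysDescr.0'). Returns '.1.3.6...'."""
    if "::" in name:
        name = name.split("::", 1)[1]
    parts = [p for p in name.split(".") if p]
    if not parts:
        raise ValueError("empty OID")
    first = parts[0]
    if first.isdigit():
        cur = first
    elif first in ABSOLUTE:
        cur = ABSOLUTE[first]
    else:
        raise ValueError("unknown node %r" % first)
    for p in parts[1:]:
        if p.isdigit():
            cur += "." + p
            continue
        matches = [n for n, nm in NAMES.get(cur, {}).items() if nm == p]
        if not matches:
            raise ValueError("unknown node %r under %s" % (p, cur))
        cur += "." + str(matches[0])
    return "." + cur


# "<oid> = [TYPE: ]<value>"; the type tag is absent in the -Of output above.
LINE_RE = re.compile(r"^(\S+) = (?:([A-Za-z0-9-]+): )?(.*)$")


def parse_walk_line(line):
    """Split one snmpwalk line into (numeric_oid, type_tag_or_None, value)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an snmpwalk line: %r" % line)
    return named_to_numeric(m.group(1)), m.group(2), m.group(3)


def in_subtree(oid, root):
    """True when oid (numeric or named) sits at or under root."""
    o, r = named_to_numeric(oid), named_to_numeric(root)
    return o == r or o.startswith(r + ".")


def walk_group(lines, group):
    """Like 'snmpwalk ... group': keep only the rows under that node."""
    rows = [parse_walk_line(l) for l in lines if l.strip()]
    return [row for row in rows if in_subtree(row[0], group)]


# The first three lines are the post's own output in its three formats;
# the fourth (an interfaces-group value) is constructed for the example.
SAMPLE_WALK = [
    "SNMPv2-MIB::sysDescr.0 = Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux",
    ".iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0 = Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux",
    ".1.3.6.1.2.1.1.1.0 = STRING: Linux bourdain 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 GNU/Linux",
    ".1.3.6.1.2.1.2.1.0 = INTEGER: 2",
]

if __name__ == "__main__":
    for oid, tag, value in walk_group(SAMPLE_WALK, "system"):
        print(oid, numeric_to_named(oid), tag, value[:20])
```

All three formats of the sysDescr line normalise to the same numeric OID and the same value, which is what a monitoring script should key on rather than on whichever -O flag happened to be used.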

Now that you know how to get information using community strings, let's switch back to SNMPv3. When we specify "-v 3", we must specify the -u option with a username, instead of the -c option. We also need to let it know what passwords we're using, and how to encrypt them. Your basic snmpwalk command will look something like this:

snmpwalk -v 3 -u username -a SHA -A password1 -x DES -X password2 -l authNoPriv localhost | less

If you were able to follow along okay when we set these passwords, then most of this line already makes sense to you. The big things to remember now are what options go with what values, and the security level.

The "-l" option can specify one of three levels: noAuthNoPriv, authNoPriv or authPriv. If for some unknown reason you decide not to use passwords, you would set this to noAuthNoPriv. Otherwise you would use authNoPriv for read-only access or authPriv for read/write access.
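The snmpwalk line above passes -x DES -X password2 alongside -l authNoPriv. Net-SNMP only applies the privacy settings at authPriv, so at authNoPriv the request is authenticated but the data still crosses the network unencrypted. The following added example (my code, not from the post or Net-SNMP) builds the -v 3 argument list and refuses combinations where a credential would be silently ignored or is missing for the chosen level; the protocol names it accepts are the ones this article mentions.

```python
import shlex

# Added example, not from the post. What each -l level protects:
# (authenticates the request, encrypts the data)
LEVELS = {
    "noAuthNoPriv": (False, False),
    "authNoPriv": (True, False),
    "authPriv": (True, True),
}
AUTH_PROTOS = {"MD5", "SHA"}     # -a values named in the post
PRIV_PROTOS = {"DES", "AES"}     # -x values named in the post


def validate_v3(level, auth_proto=None, auth_pass=None, priv_proto=None, priv_pass=None):
    """Return a list of problems; empty when the option set is consistent."""
    if level not in LEVELS:
        return ["unknown security level %r" % level]
    needs_auth, needs_priv = LEVELS[level]
    has_auth = bool(auth_proto or auth_pass)
    has_priv = bool(priv_proto or priv_pass)
    problems = []
    if needs_auth and not (auth_proto and auth_pass):
        problems.append("%s requires both -a and -A" % level)
    if not needs_auth and has_auth:
        problems.append("noAuthNoPriv ignores -a/-A; the request is sent unauthenticated")
    if needs_priv and not (priv_proto and priv_pass):
        problems.append("authPriv requires both -x and -X")
    if not needs_priv and has_priv:
        problems.append("%s ignores -x/-X; data is sent unencrypted" % level)
    if auth_proto and auth_proto.upper() not in AUTH_PROTOS:
        problems.append("unknown -a protocol %r" % auth_proto)
    if priv_proto and priv_proto.upper() not in PRIV_PROTOS:
        problems.append("unknown -x protocol %r" % priv_proto)
    return problems


def snmpv3_args(user, level, **creds):
    """Argument list for snmpwalk/snmpget -v 3; raises on an inconsistent set."""
    problems = validate_v3(level, **creds)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["-v", "3", "-u", user, "-l", level]
    if LEVELS[level][0]:
        args += ["-a", creds["auth_proto"], "-A", creds["auth_pass"]]
    if LEVELS[level][1]:
        args += ["-x", creds["priv_proto"], "-X", creds["priv_pass"]]
    return args


def snmpwalk_command(user, level, host="localhost", **creds):
    """Shell-quoted snmpwalk line for a validated option set."""
    argv = ["snmpwalk"] + snmpv3_args(user, level, **creds) + [host]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    creds = dict(auth_proto="SHA", auth_pass="password1", priv_proto="DES", priv_pass="password2")
    print(snmpwalk_command("username", "authPriv", **creds))
    print(validate_v3("authNoPriv", **creds))   # the post's combination
```

Feeding the post's combination (authNoPriv plus -x/-X) to validate_v3 returns the single finding that the privacy settings are ignored; switching the level to authPriv makes the same credentials consistent and gets the data encrypted.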

I'm not going to bore you with the output of this command, because you've already seen it. You can use -Of or -On to modify the output, you can specify a group, you can do pretty much whatever you were doing with v1 or v2. The only real difference is authentication. And yes, the snmpget command looks pretty much the same.

In fact, once you have a handle on these couple of commands, this would probably be a good time to check the man page for snmpcmd. There is not actually a command called snmpcmd, this page just shows you the options that are common to the whole suite of Net-SNMP commands.

Hopefully this gives you a good foundation for playing with SNMP on your Linux box. Of course, there are volumes written on the subject, and my little article doesn't even attempt to cover what they do. But hopefully it will get you over any initial fears about it and get you up and running.

2 comments:

  1. I have installed SNMP on Ubuntu, it's really so easy. I am really happy to learn about SNMP which describes a network protocol as well as an organizational structure that is called the Structure of Management Information.

  2. SNMP traps are very essential these days for managing the data. SNMPv1 and SNMPv2c, along with the associated Management Information Base (MIB), really encourage notification directed by trap. It works on the basic phenomenon that the manager is responsible for agents and agents for the smaller objects.