Learn

What SNMP is
What SNMP is used for
Problems with SNMP

SNMP: Simple Network Management Protocol. SNMP is an application layer protocol that facilitates the exchange of management information between network devices. It is a general purpose method to collect management information from a wide variety of devices. SNMP works on the client/server model.

SNMP is up to version 3, although it is not widely deployed. There is still a lot of version 1 and 2 out there. However, as of early 2002 the IESG approved SNMP Version 3 as a full standard. At the same time they moved versions 1 and 2 of SNMP to historical status.

An SNMP managed network consists of three components:

Managed devices
Agents
NMS (Network Management Systems)

A managed device is a network node that contains an SNMP agent.

Managed devices collect and store management information and make that information available to NMSs using SNMP. Managed devices can be routers, switches, hubs, computers, or printers. An agent is a network management software module that resides in a managed device.

An agent has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management.

NMSs are programs like OpenView from Hewlett-Packard.

Another important part of the management structure is the method used to collect information in each device. SNMP does not define what is collected; that is defined by MIBs. So the other end of the transaction is the MIB (Management Information Base).

This contains the variables on which information has been collected by the device. MIBs are precisely defined so that any management program that adheres to the standards can access the MIB on any device, regardless of who manufactured it.

The structure of the MIB is laid out in an SNMP-related standard, RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets," which defines how MIB information is organized, what data types are allowed, and how resources within the MIB are represented and named.

SNMP uses a method of fetch and store. At its most basic level, all SNMP does is go get a value from a variable stored in a MIB and store it for viewing by the management program.

The SNMP commands include:

get-request
get-next-request
get-bulk-request
response
set-request
inform-request
snmpv2-trap
report

The communication architecture of SNMP consists of the three requests and one unsolicited information transmission. To get information from an SNMP device, the NMS or manager sends a get-request or get-next-request to an agent. The requested information or an error message will be sent back in a response.

If a manager wants to modify information on an agent, a set-request will be sent, with a corresponding response to confirm or report an error. The unsolicited message form is the trap. This kind of message is usually sent by agents on start-up, on status change and in response to error conditions.

Traps are not only unsolicited but they are also unreliable in that they use UDP. When used over TCP/IP, SNMP usually operates using UDP over port 161 for SNMP and over port 162 for SNMP traps.

Let's look at some SNMP traffic:

Start Wireshark
Open snmp.cap
Examine the traffic

Managed devices are grouped together into communities. Each device in a community must have the same community string, sometimes called a community name, to be able to communicate via SNMP. The community string provides only a weak form of authentication to SNMP.

Community strings can provide two types of access, read-only and read-write. Read-only access allows only get commands, while read-write access allows both get and set commands.

Almost all SNMP-enabled devices use version 1 of the protocol. Version 1 is very weak on security. For example:

Preventing IP spoofing is not possible
There is no privacy or encryption
No authentication methods other than community strings are available
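
Added example (not part of the original slides): a minimal BER decoder in Python showing that a v1/v2c message carries its community string as a plain OCTET STRING, so anyone who can capture the traffic can read it. The sample packet is constructed, reusing the community name my-snmp-comm that appears in the command quoted later on this page; the function names are illustrative.

```python
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "response",
             0xA3: "set-request", 0xA4: "trap (v1)", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "snmpv2-trap", 0xA8: "report"}
VERSIONS = {0: "1", 1: "2c"}  # value of the version field on the wire

def read_tlv(buf, off):
    # Return (tag, value, next_offset) for the BER element starting at off.
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + length], off + length

def decode_oid(raw):
    subids, acc = [], 0
    for b in raw:  # base-128 digits, high bit set on all but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def parse_snmp(packet):
    tag, msg, _ = read_tlv(packet, 0)
    _, ver, off = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x30 or version not in VERSIONS:
        raise ValueError("not a community-based SNMP message")
    _, community, off = read_tlv(msg, off)  # plain OCTET STRING, no encryption
    pdu_tag, pdu, _ = read_tlv(msg, off)
    info = {"version": VERSIONS[version], "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": []}
    if pdu_tag != 0xA4:  # the v1 trap PDU has a different layout; skip its body
        off = 0
        for _field in range(3):  # request-id, error-status, error-index
            _, _, off = read_tlv(pdu, off)
        _, varbinds, _ = read_tlv(pdu, off)
        off = 0
        while off < len(varbinds):  # each varbind is SEQUENCE { OID, value }
            _, vb, off = read_tlv(varbinds, off)
            info["oids"].append(decode_oid(read_tlv(vb, 0)[1]))
    return info

# Constructed sample: SNMPv2c get-request for sysDescr.0 (1.3.6.1.2.1.1.1.0)
SAMPLE = (bytes.fromhex("302c 020101 040c") + b"my-snmp-comm" + bytes.fromhex(
    "a019 02012a 020100 020100 300e 300c 0608 2b06010201010100 0500"))
```

Calling parse_snmp(SAMPLE) returns the version, the community string, the PDU type and the requested OIDs without needing any key or secret, which is the weakness the list above describes.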



Bugs in numerous SNMP implementations were found by the Oulu University Secure Programming Group, and details were released on February 12th, 2002. These are not bugs in SNMP version 1 itself, but bugs in various implementations.

Many different tools will read and display SNMP data. Here is a low cost method suggested by Avner Izhar in an article published by Network World. I quote from the article:
Many tools are available to allow SNMP monitoring, most are commercial, but some are open source.

From the open source most are Linux based. For the purpose of this blog post, I used an open source command line tool, called snmptable, which is a part of the net-snmp project that can be found at
http://www.net-snmp.org

Since this tool is command line based, it's not very friendly to observe and analyze, especially when you run it against a multi interface backbone switch.

The way around it is to redirect the output to a text file, which can then be opened in Excel and further analyzed. The tool has many command line options, and you can explore them by executing it without any parameter. It supports SNMP version 1, 2c and 3. It provides access to a table structure.

There are multiple tables that can be requested using this application, and it can also be used to report what tables are supported by the device you are running it against. This is done by running it with the following command line parameters:
C:\usr\snmptable -v 2c -c my-snmp-comm -Os 192.168.254.1 sysORTable > tables.txt

Once it returns, you can view the tables.txt file and select which table you want to get info about. In my case, I wanted to monitor the network and therefore used the ifTable. The command line looked like that:
C:\usr\snmptable -v 2c -c my-snmp-comm -Os 192.168.254.1 ifTable > ift1.txt

The output file is a 24 column text file, not a friendly sight to see, but with the assistance of Excel, it becomes a useful piece of information. It can tell you a lot about your network. In Excel simply open it as a text delimited file, and set the separation character to space. What are we looking for here?

Errors (ifInErrors and ifOutErrors), discards, heavy users based on the in and out octets, heavy broadcasters based on the ifInNUcastPkts and ifOutNUcastPkts (the N stands for non). When you identify an interface with higher than the normal count, try to verify what it is and where it is connected to.

Also, for errors, monitor this interface to see if the errors increment; if they don't, it might have been something that happened long ago and should not worry you.
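
Added example (not from the quoted article): the check described above, done in Python instead of Excel. It parses two snmptable snapshots taken some time apart and reports only the error and discard counters that grew between them. The snapshots are constructed and abridged to a few ifTable columns, and the function names are illustrative.

```python
WATCH = ("ifInErrors", "ifOutErrors", "ifInDiscards", "ifOutDiscards")

def parse_table(text):
    """Parse whitespace-separated snmptable output into {ifIndex: row dict}."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.startswith("SNMP table")]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        cells = line.split()
        if len(cells) != len(header):  # a value containing spaces breaks space splitting
            raise ValueError(f"cannot align columns: {line!r}")
        row = dict(zip(header, cells))
        rows[row["ifIndex"]] = row
    return rows

def rising_counters(before, after, columns=WATCH):
    """List (ifDescr, column, delta) for watched counters that grew between snapshots."""
    findings = []
    for idx, new in after.items():
        old = before.get(idx)
        if old is None:
            continue  # interface was not present in the first snapshot
        for col in columns:
            # Counter32 values wrap at 2**32, so take the difference modulo 2**32
            delta = (int(new[col]) - int(old[col])) % 2**32
            if delta:
                findings.append((new["ifDescr"], col, delta))
    return findings

# Constructed snapshots (abridged columns), as saved by redirecting snmptable output
HEADER = ("SNMP table: ifTable\n\n ifIndex ifDescr ifInOctets ifInDiscards "
          "ifInErrors ifOutOctets ifOutDiscards ifOutErrors\n")
SNAP1 = HEADER + ("       1   Gi0/1   81234567 0 312 91234567 0          0\n"
                  "       2   Gi0/2 4294967000 0   0 12345678 0 4294967290\n")
SNAP2 = HEADER + ("       1   Gi0/1   81299999 0 312 91300000 0          0\n"
                  "       2   Gi0/2        704 5   0 12400000 0          4\n")

if __name__ == "__main__":
    for descr, col, delta in rising_counters(parse_table(SNAP1), parse_table(SNAP2)):
        print(f"{descr}: {col} grew by {delta}")
```

In the constructed data, Gi0/1 has 312 input errors in both snapshots and is not reported, while Gi0/2 is reported for counters that are still climbing, including one that wrapped past 2**32.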

Troubleshooting with SNMP & Analyzing MIBs, Louis A. Steinberg, ISBN 0072124857
Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture, Douglas Comer, ISBN 0130183806
TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens, ISBN 0201633469

RFC 2570 covers version 3 and refers back to version 2.

What is SNMP?
What is a MIB?
What is an agent?
What is a NMS?
