4057 lines
168 KiB
Plaintext
4057 lines
168 KiB
Plaintext
Frequently Asked Questions (FAQ) for the UCD/Net-SNMP package
|
|
=============================================================
|
|
FAQ Author: Dave Shield
|
|
Net-SNMP Version: 5.8
|
|
Net-SNMP/UCD-SNMP Project Leader: Wes Hardaker
|
|
Email: net-snmp-coders@lists.sourceforge.net
|
|
|
|
TABLE OF CONTENTS
|
|
=================
|
|
|
|
TABLE OF CONTENTS
|
|
GENERAL
|
|
What is it?
|
|
Where can I get it?
|
|
What documentation is available?
|
|
Are there binaries available?
|
|
What's the difference between UCD-SNMP and Net-SNMP?
|
|
What operating systems does it run on?
|
|
What happens if mine isn't listed?
|
|
Does it run on Windows?
|
|
How do I find out about new releases?
|
|
How can I find out what other people are doing?
|
|
How do I submit a patch or bug report?
|
|
Can I reuse the code in my commercial application?
|
|
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
|
|
What's the difference between SNMPv2 and SNMPv2c?
|
|
Which versions of SNMP are supported in this package?
|
|
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
|
|
How can I monitor my system with SNMP?
|
|
Where can I find more information about network management?
|
|
What ports does SNMP use?
|
|
Is Net-SNMP thread safe?
|
|
APPLICATIONS
|
|
How do I add a MIB?
|
|
How do I add a MIB to the tools?
|
|
Why can't I see anything from the agent?
|
|
Why doesn't the agent respond?
|
|
I can see the system group, but nothing else. Why?
|
|
Why can't I see values in the <ENTERPRISE> tree?
|
|
The agent worked for a while, then stopped responding. Why?
|
|
Requesting an object fails with "Unknown Object Identifier" Why?
|
|
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
|
|
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
|
|
How do I use SNMPv3?
|
|
Why can't I set any variables in the MIB?
|
|
Variables seem to disappear when I try to set them. Why?
|
|
Why can't I change sysLocation (or sysContact)?
|
|
I get an error when trying to set a negative value - why?
|
|
I get an error when trying to query a string-indexed table value - why?
|
|
How should I specify string-indexed table values?
|
|
How do I send traps and notifications?
|
|
How do I receive traps and notifications?
|
|
How do I receive SNMPv1 traps?
|
|
Why don't I receive incoming traps?
|
|
My traphandler script doesn't work when run like this - why not?
|
|
How can the agent receive traps and notifications?
|
|
How big can an SNMP request (or reply) be?
|
|
How can I monitor my systems (disk, memory, etc)?
|
|
Applications complain about entries in your example 'snmp.conf' file. Why?
|
|
OK, what should I put in snmp.conf?
|
|
How do I specify IPv6 addresses in tools command line arguments?
|
|
PERL
|
|
What is the purpose of the Perl SNMP module?
|
|
Where can I get the Perl SNMP package?
|
|
How do I install the Perl SNMP modules?
|
|
But compiling this fails! Why?
|
|
Compiling the Perl module works OK, but 'make test' fails. Why?
|
|
Why can't mib2c (or tkmib) locate SNMP.pm?
|
|
Why can't mib2c (or tkmib) load SNMP.so?
|
|
Why can't tkmib locate Tk.pm?
|
|
Why does your RPM complain about missing Perl modules?
|
|
I've got a problem with the Net-SNMP module. Can you help?
|
|
MIBS
|
|
Where can I find a MIB compiler?
|
|
Why aren't my MIB files being read in?
|
|
Where should I put my MIB files?
|
|
What does "Cannot find module (XXX-MIB)" mean?
|
|
I'm getting answers, but they're all numbers. Why?
|
|
What does "unlinked OID" mean?
|
|
The parser doesn't handle comments properly. Why not?
|
|
How can I get more information about problems with MIB files?
|
|
What's this about "too many imported symbols"?
|
|
Do I actually need the MIB files?
|
|
AGENT
|
|
What MIBs are supported?
|
|
What protocols are supported?
|
|
How do I configure the agent?
|
|
How do I remove a MIB from the agent?
|
|
I've installed a new MIB file. Why can't I query it?
|
|
How do I add a MIB to the agent?
|
|
What's the difference between 'exec', 'sh', 'extend' and 'pass'?
|
|
What's the difference between AgentX, SMUX and proxied SNMP?
|
|
What is the purpose of 'dlmod'?
|
|
Which should I use?
|
|
Can I use AgentX when running under Windows?
|
|
How can I run AgentX with a different socket address?
|
|
How can I turn off SMUX support?
|
|
How can I combine two copies of the 'mib2' tree from separate subagents?
|
|
What traps are sent by the agent?
|
|
Where are these traps sent to?
|
|
How can I send a particular trap to selected destinations?
|
|
When I run the agent it runs and then quits without staying around. Why?
|
|
After a while the agent stops responding, and starts eating CPU time. Why?
|
|
How can I stop other people getting at my agent?
|
|
How can I listen on just one particular interface?
|
|
The agent is complaining about 'snmpd.conf'. Where is this?
|
|
Why does the agent complain about 'no access control information'?
|
|
How do I configure access control?
|
|
How do I configure SNMPv3 users?
|
|
The 'createUser' line disappears when I start the agent. Why?
|
|
What's the difference between /var/lib/snmp and /usr/share/snmp?
|
|
My new agent is ignoring the old snmpd.conf file. Why?
|
|
Where should the snmpd.conf file go?
|
|
Why am I getting "Connection refused"?
|
|
Why can't I see values in the UCDavis 'extensible' or 'disk' trees?
|
|
Why can't I see values in the UCDavis 'memory' or 'vmstat' tree?
|
|
What do the CPU statistics mean - is this the load average?
|
|
How do I get percentage CPU utilization using ssCpuRawIdle?
|
|
What about multi-processor systems?
|
|
The speed/type of my network interfaces is wrong - how can I fix it?
|
|
The interface statistics for my subinterfaces are all zero - why?
|
|
Does the agent support the RMON-MIB?
|
|
What does "klread: bad address" mean?
|
|
What does "nlist err: wombat not found" (or similar) mean?
|
|
What does "Can't open /dev/kmem" mean?
|
|
The system uptime (sysUpTime) returned is wrong!
|
|
Can the agent run multi-threaded?
|
|
Can I use AgentX (or an embedded SNMP agent) in a threaded application?
|
|
COMPILING
|
|
How do I control the environment used to compile the software?
|
|
How do I control the environment used to compile the software under Windows?
|
|
Why does the compilation complain about missing libraries?
|
|
How can I reduce the memory footprint?
|
|
How can I reduce the installation footprint or speed up compilation?
|
|
How can I compile the project for use on an embedded system?
|
|
How can I compile the project to use static linking?
|
|
Why does 'make test' skip various tests?
|
|
Why does 'make test' complain about a pid file?
|
|
CODING
|
|
How do I write C code to integrate with the agent?
|
|
How does the agent fetch the value of a MIB variable from the system?
|
|
Mib2c complains about a missing "mib reference" - what does this mean?
|
|
Mib2c complains about not having a "valid OID" - what does this mean?
|
|
Why doesn't mib2c like the MIB file I'm giving it?
|
|
Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why?
|
|
What's the difference between the various mib2c configuration files?
|
|
Which mib2c configuration file should I use?
|
|
How can I have mib2c generate code for both scalars and tables?
|
|
Are there any examples, or documentation for developing MIB modules?
|
|
Where should I put the files produced by 'mib2c'?
|
|
Why doesn't my new MIB module report anything?
|
|
Why does the iterator call my get_{first,next} routines so often?
|
|
How can I get the agent to generate a trap (or inform)?
|
|
How can I get an AgentX sub-agent to generate a trap (or inform)?
|
|
How can I get the agent to send an SNMPv1 (or SNMPv2c) trap?
|
|
How can I get the agent to include varbinds with an SNMPv1 trap?
|
|
How can I get the agent to send an SNMPv1 enterprise-specific trap?
|
|
How can I get the agent to send an SNMPv3 trap (or inform)?
|
|
Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
|
|
How can I register a MIB module in a different (SNMPv3) context?
|
|
MISC
|
|
What ASN.1 parser is used?
|
|
What is the Official Slogan of the net-snmp-coders list?
|
|
|
|
|
|
GENERAL
|
|
=======
|
|
|
|
What is it?
|
|
----------
|
|
|
|
- Various tools relating to the Simple Network Management Protocol
|
|
including:
|
|
|
|
* An extensible agent
|
|
* An SNMP library
|
|
* tools to request or set information from SNMP agents
|
|
* tools to generate and handle SNMP traps
|
|
* a version of the unix 'netstat' command using SNMP
|
|
* a graphical Perl/Tk/SNMP based mib browser
|
|
|
|
This package is originally based on the Carnegie Mellon University
|
|
SNMP implementation (version 2.1.2.1), but has developed significantly
|
|
since then.
|
|
|
|
|
|
|
|
Where can I get it?
|
|
------------------
|
|
|
|
Download:
|
|
- http://www.net-snmp.org/download/
|
|
Web page:
|
|
- http://www.net-snmp.org/
|
|
Sourceforge Project page:
|
|
- http://www.net-snmp.org/project/
|
|
Mirrors (note that sourceforge download servers are mirrored themselves):
|
|
- Greece: ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/
|
|
|
|
|
|
What documentation is available?
|
|
-------------------------------
|
|
|
|
This FAQ (!)
|
|
README and individual READMEs for various platforms
|
|
README.thread (discusses threading issues)
|
|
INSTALL
|
|
PORTING
|
|
EXAMPLE.conf
|
|
man pages for the individual tools, files and the API
|
|
A guide for extending the agent
|
|
Tutorials for both ucd-snmp v4 and net-snmp v5
|
|
at http://www.net-snmp.org/tutorial/
|
|
and http://www.net-snmp.org/tutorial-5/ respectively
|
|
|
|
Most of this documentation (plus archives of the mailing lists)
|
|
is also available on our web page:
|
|
|
|
http://www.net-snmp.org/
|
|
|
|
There is also a Wiki (including a community-maintained version
|
|
of this FAQ) at
|
|
|
|
http://www.net-snmp.org/wiki/
|
|
|
|
|
|
|
|
Are there binaries available?
|
|
----------------------------
|
|
|
|
There are binaries for some versions/systems available under
|
|
the "net-snmp binaries" package on the SourceForge "Files"
|
|
page, which is linked to from the main project download web
|
|
page at http://www.net-snmp.org/download.html.
|
|
|
|
These binaries are also available on the project FTP site,
|
|
with a link on the same web page.
|
|
|
|
|
|
|
|
What's the difference between UCD-SNMP and Net-SNMP?
|
|
---------------------------------------------------
|
|
|
|
Not a great deal, really.
|
|
Although the project originally started at UC Davis (hence the name),
|
|
and it has always been based there, most of the contributors have had
|
|
little or no connection with this institution.
|
|
|
|
The move to SourceForge was intended to provide a more flexible
|
|
environment for the project, and to distribute the administrative
|
|
workload more evenly. The change of name simply reflects this move,
|
|
which was the last remaining link with UC Davis.
|
|
|
|
The 4.2.x line saw the last releases made using the ucd-snmp name,
|
|
and all releases on this line have been been bug-fixes only. Release
|
|
5.0 was the first version released under the Net-SNMP name, and all
|
|
further development is being done on the 5.x code base. The 4.2.x
|
|
code line is now effectively closed down, as are the older 5.x branches.
|
|
|
|
Much of the work done for the various 5.x releases has involved
|
|
some fairly significant changes to the code - in particular the
|
|
architecture of the agent. However attempts have been made to retain
|
|
backwards compatibility as much as possible, and most code written
|
|
for earlier releases should continue to work. The most visible
|
|
change from the 4.2.x UCD suite to the 5.x Net-SNMP releases was a
|
|
restructuring of the header file organisation - not least a change
|
|
from <ucd-snmp/xxx.h> to <net-snmp/yyy.h>.
|
|
|
|
But given the maturity of the Net-SNMP code, this should be less
|
|
of a consideration for most current SNMP development projects.
|
|
|
|
|
|
|
|
What operating systems does it run on?
|
|
-------------------------------------
|
|
|
|
Both the applications and the agent have been reported as running
|
|
(at least in part) on the following operating systems:
|
|
|
|
* Linux (kernels 2.6 to 1.3)
|
|
* Solaris/SPARC (11 to 2.3), Solaris/Intel (10, 9) -- see
|
|
README.solaris
|
|
* HP-UX (11.31 to 9.01) -- see README.hpux11
|
|
* Mac OS X (10.5 to 10.1) -- see README.osX
|
|
* NetBSD (2.0 to 1.0)
|
|
* FreeBSD (7.0 to 2.2)
|
|
* OpenBSD (4.0 to 2.6)
|
|
* BSDi (4.0.1 to 2.1)
|
|
* AIX (6.1, 5.3, 5.2, 5.1, 4.3.3, 4.1.5, 3.2.5) -- see README.aix
|
|
* IRIX (6.5 to 5.1)
|
|
* OSF (4.0, 3.2 and Tru64 Unix 5.1B) -- see README.tru64
|
|
* SunOS 4 (4.1.4 to 4.1.2)
|
|
* Ultrix (4.5 to 4.2)
|
|
* Dynix/PTX 4.4
|
|
* QNX 6.2.1A
|
|
|
|
We have also been informed about a port to the Stratus VOS.
|
|
See http://ftp.stratus.com/vos/network/network.html for details.
|
|
|
|
See the next question but one for the status of Windows support.
|
|
|
|
Certain systems fail to compile particular portions of the agent.
|
|
These can usually be persuaded to compile (at the loss of some
|
|
functionality) by omitting the modules affected.
|
|
See the next question for more details.
|
|
|
|
Also note that the presence of a particular configuration in this
|
|
list does not imply a perfect or complete implementation. This
|
|
is simply what various people have reported as seeming to work.
|
|
(Or more frequently, the configurations where people have reported
|
|
problems that we think we've subsequently fixed!)
|
|
|
|
|
|
|
|
What happens if mine isn't listed?
|
|
---------------------------------
|
|
|
|
It's probably worth trying to compile it anyway. Unless your
|
|
system is significantly different to the supported configurations,
|
|
most of the code (library, applications and the agent infrastructure)
|
|
should probably compile with little or no difficulty. The most
|
|
likely source of problems will be MIB modules within the agent,
|
|
as this tends to be where the most system-specific code is found.
|
|
|
|
If only a few modules fail to compile, try removing them from
|
|
the agent by running "configure --with-out-mib-module=xxx,yyy",
|
|
and re-compiling. If a large number of modules fail, then it
|
|
might be easier to start from a relatively bare system, using
|
|
"configure --enable-mini-agent --with-defaults". Then if this
|
|
minimal agent compiles and runs successfully, try adding each of
|
|
the missing mibgroups individually using the configure option
|
|
'--with-mib-module'.
|
|
|
|
If configure fails with "invalid configuration" messages, or
|
|
you get completely stuck, contact the coders list for advice.
|
|
Similarly, if you manage to get this working on a new system,
|
|
please let us know of any code changes that you needed to make,
|
|
together with details of the hardware you're using, and what
|
|
versions of the operating system you've tried it on. The entry
|
|
'host' in the file 'config.status' should show this information.
|
|
Oh, and congratulations!
|
|
|
|
|
|
|
|
Does it run on Windows?
|
|
----------------------
|
|
|
|
The suite should compile and run on Win32 platforms, including
|
|
the library, command-line tools and the basic agent framework.
|
|
Note that the agent now includes support for the MIB-II module,
|
|
but this requires Microsoft's Core Platform SDK. Instructions
|
|
for how to install this are given in README.win32.
|
|
|
|
Pre-compiled binaries are available from the project web site.
|
|
|
|
As of v5.4, the Net-SNMP agent is able to load the Windows SNMP
|
|
service extension DLLs by using the Net-SNMP winExtDLL extension.
|
|
|
|
Some other Net-SNMP MIB modules, including the UCD pass-through
|
|
extensions, do not currently work under Windows. Volunteers to assist
|
|
with these missing modules are likely to welcomed with open arms :-)
|
|
|
|
Further details of Windows support (currently Visual C++, MinGW
|
|
and Cygnus cygwin32) is available in the file README.win32.
|
|
|
|
|
|
|
|
How do I find out about new releases?
|
|
------------------------------------
|
|
|
|
There is a mailing list for these announcements
|
|
|
|
net-snmp-announce@lists.sourceforge.net
|
|
|
|
To be added to (or removed from) this list, visit
|
|
http://www.net-snmp.org/lists/net-snmp-announce/
|
|
Or you can send a message to the address
|
|
net-snmp-announce-request@lists.sourceforge.net
|
|
with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).
|
|
|
|
Advance notice of upcoming releases are also made on the
|
|
net-snmp-users list (for "release candidates") for a week
|
|
or two before the full release, and on the net-snmp-coders
|
|
list (for "pre-releases") during the period prior to this.
|
|
|
|
Major code revisions may be announced more widely, but these
|
|
lists are the most reliable way to keep in touch with the
|
|
status of the package.
|
|
|
|
Patches to fix known problems are also made available via the web site:
|
|
|
|
http://www.net-snmp.org/patches/
|
|
|
|
|
|
|
|
How can I find out what other people are doing?
|
|
----------------------------------------------
|
|
|
|
There is a general purpose discussion list
|
|
|
|
net-snmp-users@lists.sourceforge.net
|
|
|
|
To be added to (or removed from) this list, visit
|
|
http://www.net-snmp.org/lists/net-snmp-users/
|
|
Or you can send a message to the address
|
|
net-snmp-users-request@lists.sourceforge.net
|
|
with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).
|
|
|
|
To find out what the developers are doing, and to help them
|
|
out, please read the PORTING file enclosed with the package.
|
|
|
|
There is also a #net-snmp IRC channel set up on the freenode.net
|
|
chat system. You can connect to this via chat.freenode.net.
|
|
See http://www.freenode.net/ for more information on getting
|
|
started with IRC.
|
|
Several core developers hang out on this channel on a fairly
|
|
regular basis.
|
|
|
|
|
|
|
|
How do I submit a patch or bug report?
|
|
-------------------------------------
|
|
|
|
The best way to submit a bug report is via the bug database through
|
|
the interface found at
|
|
http://www.net-snmp.org/bugs/
|
|
Be sure to include the version of the package that you've been working
|
|
with, the output of the command 'uname -a', the precise configuration
|
|
or command that triggers the problem and a copy of any output produced.
|
|
|
|
Questions about using the package should be directed at the
|
|
net-snmp-users@lists.sourceforge.net mailing list. Note that this
|
|
mailing list is relatively busy, and the people answering these
|
|
questions are doing so out of the goodness of their hearts, and in
|
|
addition to their main employment. Please note the following:
|
|
|
|
- use plain text mail, rather than HTML
|
|
- don't resend questions more than once
|
|
(even if no-one answered immediately)
|
|
- include full details of exact commands and error messages
|
|
("I've tried everything, and it doesn't work" isn't much use!)
|
|
- do *NOT* send messages to -users and -coders mailing lists
|
|
(most developers read both anyway)
|
|
- don't mail the developers privately - keep everything on the list
|
|
|
|
We can't promise to be able to solve all problems, but we'll
|
|
certainly try and help. But remember that this is basically an
|
|
unsupported package. It's Open Source, so if you need something
|
|
fixing badly enough, fundamentally it's up to you to do the work.
|
|
|
|
All patches should be submitted to the patch manager at
|
|
http://www.net-snmp.org/patches/
|
|
If possible, submit a bug report describing the patch as well
|
|
(referencing it by its patch number) since the patch manager
|
|
doesn't contain a decent description field.
|
|
|
|
The best way to submit patch (diff) information is by checking out
|
|
the current code from the development git trunk, making your changes
|
|
and then running "git diff" or "git format-patch" after you're done.
|
|
|
|
(Please see http://www.net-snmp.org/wiki/index.php/Git for further
|
|
information on using git with the Net-SNMP project)
|
|
|
|
If you're working from a source code distribution, and comparing old
|
|
and new versions of a code file, use "diff -u OLDFILE NEWFILE"
|
|
|
|
|
|
|
|
Can I reuse the code in my commercial application?
|
|
-------------------------------------------------
|
|
|
|
The details of the COPYRIGHTs on the package can be found in the COPYING
|
|
file. You should have your lawyer read this file if you wish to use the
|
|
code in your commercial application. We will not summarize here what is
|
|
in the file, as we're not lawyers and are unqualified to do so.
|
|
|
|
|
|
|
|
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
|
|
-------------------------------------------------------
|
|
What's the difference between SNMPv2 and SNMPv2c?
|
|
------------------------------------------------
|
|
|
|
A full description is probably beyond the scope of this FAQ.
|
|
Very briefly, the original protocol and admin framework was
|
|
described in RFCs 1155-1157, and is now known as SNMPv1.
|
|
|
|
Practical experience showed up various problems and deficiencies
|
|
with this, and a number of revised frameworks were developed to try
|
|
and address these problems. Unfortunately, it proved difficult to
|
|
achieve any sort of agreement - particularly over the details of
|
|
the administrative framework to use.
|
|
|
|
There was less disagreement over the proposed changes to the
|
|
protocol operations. These included:
|
|
* increasing the range of errors that could be reported
|
|
* introducing "exception values"
|
|
(so a single missing value didn't affect
|
|
the other varbinds in the same request)
|
|
* a new GETBULK operation
|
|
(a supercharged GETNEXT)
|
|
* new notification PDUs
|
|
(closer in structure to the other request PDUs)
|
|
|
|
Strictly speaking, it's this revised protocol (originally defined
|
|
in RFC 1905, and most recently in RFC 3416) that is "SNMPv2".
|
|
|
|
The only framework based on this protocol that saw a significant
|
|
level of use was "Community-based SNMPv2" or "SNMPv2c" (defined
|
|
in RFC 1901). This retained the same administrative framework
|
|
as SNMPv1 (with all of the accompanying limitations), but using
|
|
the new protocol operations.
|
|
|
|
More recently, a new administrative framework has been developed,
|
|
building on the various competing SNMPv2 proposals, and using the
|
|
same SNMPv2 protocol operations. This is SNMPv3, which is defined
|
|
in RFCs 3411-3418. It addresses some of the deficiencies of the
|
|
community-based versions, including significant improvements to
|
|
the security of SNMP requests (like it finally has some!).
|
|
SNMPv3 is now a full IETF standard protocol.
|
|
|
|
Strictly speaking, SNMPv3 just defines a fairly abstract framework,
|
|
based around the idea of "Security Models" and "Access Control Models".
|
|
It's this combination of SNMPv3 plus accompanying models that actually
|
|
provides a working SNMP system.
|
|
However, the only models in common use are the "User-based Security
|
|
Model" (RFC 3414) and the "View-based Access Control Model" (RFC 3415).
|
|
So "SNMPv3" is frequently used to mean the combination of the basic
|
|
SNMPv3 framework with these two particular models.
|
|
This is also sometimes described as "SNMPv3/USM".
|
|
|
|
|
|
So in brief:
|
|
- SNMPv2c updated the protocol operations
|
|
but left the administrative framework unchanged.
|
|
- SNMPv3 updated the administrative framework
|
|
but left the protocol operations unchanged.
|
|
|
|
|
|
|
|
Which versions of SNMP are supported in this package?
|
|
----------------------------------------------------
|
|
|
|
This package currently supports the original SNMPv1 (RFC 1157),
|
|
Community-based SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418).
|
|
The agent will respond to requests using any of these protocols,
|
|
and all the tools take a command-line option to determine which
|
|
version to use.
|
|
|
|
Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452)
|
|
was dropped with the 4.0 release of the UCD-snmp package.
|
|
|
|
|
|
|
|
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
|
|
------------------------------------------------------------
|
|
|
|
Yes.
|
|
|
|
The syntax used to specify a MIB file (better referred
|
|
to as SMIv1 or SMIv2) is purely concerned with how to define
|
|
the characteristics of various management objects. This is
|
|
(almost) completely unrelated to the versions of the protocol
|
|
used to operate on these values. So it is quite reasonable to
|
|
use SNMPv1 requests on objects defined using SMIv2, or SNMPv2
|
|
(or SNMPv3) requests on objects defined using SMIv1.
|
|
|
|
The one exception is objects of syntax Counter64, which are
|
|
only accessible using SNMPv2 or higher. SNMPv1 requests will
|
|
either treat such objects as an error, or skip them completely.
|
|
|
|
Note that SMIv1 is effectively obsolete, and all new MIBs
|
|
should be written using SMIv2.
|
|
|
|
|
|
|
|
How can I monitor my system with SNMP?
|
|
-------------------------------------
|
|
|
|
There are two main methods of using SNMP for monitoring. One is to regularly
|
|
query the SNMP agent for information of interest, graphing these values and/or
|
|
saving them for later analysis. That's not really the focus of the Net-SNMP
|
|
project - our tools are more low-level, single-shot commands. For this sort
|
|
of high-level management, you're really looking at a management console
|
|
application (such as Nagios or OpenNMS), or a data logging application
|
|
(such as RRDtool, or one of its front-ends - MRTG, Cacti, etc).
|
|
|
|
The other approach is to configure the SNMP agent to monitor the relevant
|
|
information itself, and issue an alert when the values pass suitable limits.
|
|
See the section ACTIVE MONITORING in the snmpd.conf(5) man page for details.
|
|
|
|
Note that this entry makes no reference as to _what_ you should monitor, or
|
|
what values might be significant. That's because it is impossible to provide
|
|
a universal answer to these questions. The information to monitor, and the
|
|
normal operating values will ultimately depend on your local environment.
|
|
SNMP is simply a tool to _help_ you manage your systems - it isn't a magic
|
|
panacea - you still have to think for yourself!
|
|
|
|
|
|
|
|
Where can I find more information about network management?
|
|
----------------------------------------------------------
|
|
|
|
There are a number of sites with network management information on
|
|
the World Wide Web. Some of the most useful are
|
|
|
|
http://www.simpleweb.org/
|
|
http://www.snmplink.org/
|
|
http://www.mibdepot.com/
|
|
|
|
The SNMP Usenet newsgroup is now mostly defunct, but although the
|
|
FAQ hasn't been updated for a while, it still contains a large
|
|
amount of useful information relating to SNMP, including books,
|
|
software, other sites, how to get an enterprise number, etc, etc.
|
|
This is available from
|
|
|
|
ftp://rtfm.mit.edu/pub/usenet/comp.protocols.snmp/
|
|
|
|
or via any of the Web sites above.
|
|
|
|
|
|
|
|
What ports does SNMP use?
|
|
------------------------
|
|
|
|
There are three main network ports (and one named socket), which are
|
|
typically used by SNMP. These are:
|
|
|
|
- UDP port 161 - SNMP requests (GET* and SET)
|
|
- UDP port 162 - SNMP notifications (Traps/Informs)
|
|
- TCP port 705 - AgentX
|
|
- /var/agentx/master - AgentX
|
|
|
|
However, these are simply the default "well-known" ports for these purposes,
|
|
and it is perfectly possible to accept requests on other ports.
|
|
|
|
|
|
|
|
Is Net-SNMP thread safe?
|
|
-----------------------
|
|
|
|
Strictly speaking, no. However, it is possible to use the library within
|
|
a multi-threaded management application. This is covered in detail in
|
|
the file README.thread (shipped with the standard distribution), but can
|
|
be summarised as follows:
|
|
|
|
- Call 'snmp_sess_init()' prior to activating any threads.
|
|
This reads in and parses MIB information (which isn't thread-safe)
|
|
as well as preparing a session structure for subsequent use.
|
|
|
|
- Open an SNMP session using 'snmp_sess_open()' which returns an
|
|
opaque session handle, which is essentially independent of any
|
|
other sessions (regardless of thread).
|
|
|
|
- Resource locking is not handled within the library, and is the
|
|
responsibility of the main application.
|
|
|
|
The Net-SNMP agent has not been designed for multi-threaded use. It
|
|
should be safe to use the agent library to embed a subagent within a
|
|
threaded application as long as *all* SNMP-related activity (including
|
|
generating traps, and parsing MIBs) is handled within a single thread.
|
|
|
|
The command-line tools shipped as part of the Net-SNMP distribution
|
|
are simple single-threaded applications, and are not designed for
|
|
multi-threaded use. Adapting these to a threaded model is left as
|
|
an exercise for the student.
|
|
The same holds true for the notification receiver (snmptrapd).
|
|
|
|
Unfortunately, the SNMPv3 support was added about the same time as
|
|
the thread support and since they occurred in parallel the SNMPv3
|
|
support was never checked for multi-threading correctness. It is
|
|
most likely that it is not thread-safe at this time.
|
|
|
|
|
|
APPLICATIONS
|
|
============
|
|
|
|
How do I add a MIB?
|
|
------------------
|
|
|
|
This is actually two separate questions, depending on whether you
|
|
are referring to the tools, or the agent (or both).
|
|
See the next question or the next section respectively.
|
|
|
|
|
|
|
|
How do I add a MIB to the tools?
|
|
-------------------------------
|
|
|
|
Adding a MIB to the client-side tools has two main effects:
|
|
|
|
- it allows you to refer to MIB objects by name
|
|
(rather than having to use the numeric OIDs)
|
|
- it allows the results to be displayed in a more immediately
|
|
meaningful fashion. Not just giving the object names, but
|
|
also showing named enumeration values, and interpreting table
|
|
indexes properly (particularly for string and OID index values).
|
|
|
|
There are two steps required to add a new MIB file to the tools.
|
|
Firstly, copy the MIB file into the appropriate location:
|
|
|
|
cp MY-MIB.txt /usr/share/snmp/mibs
|
|
(which makes it available to everyone on the system)
|
|
or
|
|
mkdir $HOME/.snmp
|
|
mkdir $HOME/.snmp/mibs
|
|
cp MY-MIB.txt $HOME/.snmp/mibs
|
|
(which makes it available to you only)
|
|
|
|
Note that the location of the shared MIB directory may be different
|
|
from that given here - see the FAQ entry "Where should I put my MIB
|
|
files?" for more information.
|
|
|
|
|
|
Secondly, tell the tools to load this MIB:
|
|
|
|
snmpwalk -m +MY-MIB .....
|
|
(load it for this command only)
|
|
or
|
|
export MIBS=+MY-MIB
|
|
(load it for this session only)
|
|
or
|
|
echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf
|
|
(load it every time)
|
|
|
|
Note that the value for this variable is the name of the MIB
|
|
module, *not* the name of the MIB file. These are typically the
|
|
same (apart from the .txt suffix), but if in doubt, check the contents
|
|
of the file. The value to use is the token immediately before the
|
|
word DEFINITIONS at the start of the file.
|
|
|
|
Or use the special value "all" to have the tools load all available
|
|
MIBs (which may slow them down, particularly if you have a large
|
|
number of MIB files.
|
|
|
|
Note that you need *both* steps.
|
|
|
|
|
|
Adding a MIB in this way does *not* mean that the agent will
|
|
automatically return values from this MIB. The agent needs to be
|
|
explicitly extended to support the new MIB objects, which typically
|
|
involves writing new code.
|
|
See the AGENT section for details.
|
|
|
|
Most of the tools (apart from 'snmptable') will work quite happily
|
|
without any MIB files at all - although the results won't be displayed
|
|
in quite the same way. Similarly, the agent doesn't need MIB files
|
|
either (other than to handle MIB object names in the configuration file).
|
|
|
|
|
|
|
|
Why can't I see anything from the agent?
|
|
---------------------------------------
|
|
|
|
Fundamentally, there are two basic reasons why a request may go
|
|
unanswered. Either the management application does not like the
|
|
request (so never sends it), or the agent does not like the request
|
|
(so never responds). The simplest way to distinguish between the
|
|
two is to run the command with the command-line option '-d'.
|
|
|
|
If this doesn't display a hex dump of the raw outgoing packet, then
|
|
it's the client side which is dropping the request. Hopefully you
|
|
should also see an error message, to help identify what's wrong.
|
|
|
|
If this displays one or more outgoing dumps (but nothing coming back),
|
|
then the request is failing at the agent end. See the next entry for
|
|
more details.
|
|
|
|
|
|
There are three further possibilities to consider:
|
|
|
|
One is that the agent may return a response to the original query,
|
|
but the management application may not like this response, and refuse
|
|
to display it. This is relatively unusual, and typically indicates
|
|
a flaw with the remote agent. (I hope you're not contemplating the
|
|
suggestion that the Net-SNMP command-line tools might contain bugs!)
|
|
|
|
The typical symptoms of this would be that the '-d' option would
|
|
display a sequence of sending and received packet dumps, with the
|
|
same contents each time. Ask on the mailing list for advice.
|
|
|
|
|
|
Alternatively, the agent may simply not support the MIB objects being
|
|
requested. This is most commonly seen when using the "snmpwalk" tool
|
|
(particularly with SNMPv1).
|
|
|
|
The symptoms here would be that '-d' would show two pairs of raw
|
|
packet dumps - one a GETNEXT request (A1 in the sending packet),
|
|
followed by a GET request (A0). Repeating the same request with the
|
|
"snmpgetnext" command-line tool should show the information (if any)
|
|
that the agent returned, which was then discarded by snmpwalk as
|
|
irrelevant.
|
|
|
|
Note that this is how snmpwalk was designed to work. It is not an error.
|
|
|
|
|
|
Finally, it may be that the agent is simply taking too long to respond.
|
|
The easiest way to test for this is to add the command-line options
|
|
"-t 60 -r 0", which will send a single request (with no repetitions)
|
|
and wait for a minute before giving up. This ought to be long enough
|
|
for all but the most-overloaded agent, or inefficient MIB module!
|
|
|
|
If this turns out to be the cause, then ask on the mailing list for
|
|
advice on options for improving the performance.
|
|
|
|
|
|
|
|
Why doesn't the agent respond?
|
|
-----------------------------
|
|
|
|
Assuming that the tests outlined in the previous entry indicate that
|
|
the problem lies with the agent not responding, the obvious question
|
|
is "why not".
|
|
|
|
Again, there are two basic possibilities - either the agent never
|
|
sees the request, or it receives it but is unwilling (or unable) to
|
|
process it. If the remote system is running the Net-SNMP agent,
|
|
then the easiest way to distinguish between these two cases is to
|
|
shut down the agent, and re-start it manually using the options
|
|
-f -Le -d
|
|
Then send the same query as before. This should display raw dumps of
|
|
packets seen (or sent) by the agent, just as with the client side in
|
|
the previous entry.
|
|
|
|
|
|
If the agent does not display anything, then it is simply not receiving
|
|
the requests. This may be because they are being blocked by network
|
|
or local firewall settings ('iptables -L'), or the agent may not be
|
|
listening on the expected interfaces ('netstat -a').
|
|
|
|
This is most commonly encountered when running queries from a remote
|
|
host, particularly if the same request succeeds when run on the same
|
|
system as the agent itself.
|
|
|
|
|
|
If the agent displays a dump of the incoming request, but nothing going
|
|
out, then the most likely cause is access control settings. See the
|
|
relevant entries in the AGENT section for details. Note that if the agent
|
|
receives an SNMPv1 or SNMPv2c request with a unknown community string,
|
|
then it will not return an error response - the request is simply discarded.
|
|
|
|
Another possibility is that the request may be rejected by settings in
|
|
/etc/hosts.{allow,deny}. Again, '-d' will display an incoming packet
|
|
dump but no corresponding outgoing response. However in this situation,
|
|
the agent should also log a message that the request is being refused.
|
|
|
|
|
|
Running the agent with '-d' can also help identify situations where the
|
|
agent *is* responding to the request, but only after a long delay. This
|
|
would be indicated by a series of incoming packet dumps (showing various
|
|
retries from the client side), followed by several outgoing dumps - possibly
|
|
long after the client tool has given up in disgust.
|
|
See the entry
|
|
The agent worked for a while, then stopped responding. Why?
|
|
later in this section.
|
|
|
|
|
|
|
|
I can see the system group, but nothing else. Why?
|
|
--------------------------------------------------
|
|
|
|
This is almost definitely due to the access configuration of the agent.
|
|
Many pre-configured systems (such as most Linux distributions) will only
|
|
allow access to the system group by default, and need to be configured
|
|
to enable more general access.
|
|
|
|
The easiest way to test this is to try a GETNEXT request on one of
|
|
the other standard groups
|
|
e.g.
|
|
snmpgetnext ..... interfaces
|
|
|
|
If the agent responds with "hrSystemUptime.0" or "end of MIB", then it
|
|
is clearly configured in this way. See the entries on access control
|
|
in the AGENT section for more information.
|
|
|
|
|
|
|
|
Why can't I see values in the <ENTERPRISE> tree?
|
|
-----------------------------------------------
|
|
|
|
If you can see most of the standard information (not just the system and
|
|
hrSystem groups), but not in the vendor-specific 'enterprises' tree, then
|
|
once again there are several possible causes.
|
|
|
|
Firstly, it's possible that the agent does not implement this particular
|
|
enterprise tree. Remember that adding a MIB to the client tools does
|
|
*not* automatically add support for these object to the agent. See the
|
|
AGENT section for more information.
|
|
|
|
|
|
Alternatively, it may be that the agent does implement some or all of this
|
|
enterprise tree, but the access control settings are configured to block
|
|
access to it.
|
|
|
|
The simplest way to checks whether the agent implements a given portion
|
|
of the OID tree is to run
|
|
|
|
snmpwalk .... nsModuleName
|
|
|
|
and look for index values that fall in the area of interest.
|
|
(Always assuming that you have access to this particular section
|
|
of the Net-SNMP enterprise tree, of course!)
|
|
|
|
Checking the access control settings can be done by examining the tables
|
|
vacmAccessTable and vacmViewTreeFamilyTable. Note that these are used
|
|
to configure access control for *all* versions of SNMP - not just SNMPv3.
|
|
|
|
|
|
The third possibility is that simply isn't any information in the specified
|
|
tree. For example, several of the tables in the UCDavis enterprise tree
|
|
(such as prTable, extTable, dskTable and fileTable) require explicit
|
|
configuration in the snmpd.conf file. If you query this particular tables
|
|
without the necessary configuration entries, then they will be empty.
|
|
|
|
|
|
Finally, if you can't see anything from *any* enterprise-specific tree,
|
|
then this may be down to how you are asking for the information. By
|
|
default, if "snmpwalk" is run without an explicitly starting OID, then
|
|
it will display the contents of the 'mib-2' tree, containing most of the
|
|
IETF-standard management information supported by the agent.
|
|
|
|
When the agent reaches the end of this tree, it will return the first
|
|
enterprise-specific value, 'snmpwalk' will recognise that this marks the
|
|
end of the (implicit) requested tree, and stop. No enterprise-specific
|
|
information will be displayed.
|
|
|
|
To walk the whole tree, and see *all* the information that the
|
|
agent supports, specify a starting point of '.iso' or '.1'.
|
|
To walk a specific enterprise subtree, specify the root of this tree
|
|
as the starting point - e.g:
|
|
|
|
snmpwalk -v1 -c public localhost UCD-SNMP-MIB::ucdavis
|
|
|
|
There is more information about particular UCD-specific subtrees in
|
|
the AGENT section.
|
|
|
|
|
|
|
|
The agent worked for a while, then stopped responding. Why?
|
|
-----------------------------------------------------------
|
|
|
|
There are three basic possibilities:
|
|
- the agent has crashed
|
|
- it is hanging
|
|
- it is temporarily overloaded
|
|
|
|
Detecting whether the agent has crashed should be fairly straighforward.
|
|
If you can reliably reproduce this crash (e.g. by sending a particular
|
|
SNMP request), then contact the coders list for advice.
|
|
It's the other two cases that are probably more significant.
|
|
|
|
To tell the difference between these two, try leaving the agent
|
|
undisturbed for a while, and then probe it using a single 'snmpget'
|
|
request, specifying a longer timeout (e.g. '-t 120'). If it now
|
|
responds, then something was probably sending requests (including
|
|
duplicate retries) faster than the agent could process them, and it
|
|
was building up a backlog. Try adjusting the timeout period and retry
|
|
frequency of these client requests, or look at improving the efficiency
|
|
of the implementation of the relevant MIB objects.
|
|
|
|
If the agent remains unresponsive (particularly if the load on the
|
|
system is steadily climbing), then it's probably hanging, and all
|
|
you can really do is restart the agent. If you can identify what
|
|
causes this to happen, then contact the coders list for advice.
|
|
|
|
|
|
|
|
Requesting an object fails with "Unknown Object Identifier" Why?
|
|
----------------------------------------------------------------
|
|
|
|
If a general snmpwalk shows a particular entry, but asking for it more
|
|
specifically gives a "sub-identifier not found:" or "Unknown Object
|
|
Identifier" error, then that's a problem with the tool, rather than
|
|
the agent.
|
|
|
|
Firstly, make sure that you're asking for the object by the right name.
|
|
Object descriptors are case-sensitive, so asking for 'sysuptime' will
|
|
not be recognised, but 'sysUpTime' will.
|
|
|
|
Alternatively, the object may be defined in a MIB that hasn't been
|
|
loaded. Try loading in all the MIB files:
|
|
|
|
snmpget -m ALL -v1 -c public localhost sysUpTime.0
|
|
|
|
or specify the name of the appropriate MIB explicitly:
|
|
|
|
snmpget -v1 -c public myhost SNMPv2-MIB::sysUpTime.0
|
|
|
|
Note that this uses the name of the *module*, not the name of the file.
|
|
However, if 'snmpwalk' displays the object by name, this is unlikely to
|
|
be the cause, and you should look closely at the exact object name you
|
|
are using. In particular, see the next entry.
|
|
|
|
|
|
|
|
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
|
|
------------------------------------------------------------------
|
|
|
|
Assuming that you do have access to this object, the most likely cause
|
|
is forgetting the instance subidentifier.
|
|
|
|
If you try walking the 'system' group (or any other part of the MIB tree),
|
|
you should notice that all of the results have a number after the object
|
|
name. This is the "instance subidentifier" of that particular MIB instance.
|
|
|
|
For values in tables (such as the sysORTable), this acts as an index into
|
|
the table - a very familiar concept. But *all* SNMP values will display an
|
|
instance number, whether or not they are part of a table. For non-table
|
|
objects ("scalars"), this instance subidentifier will always be '0',
|
|
and it *must* be included when making a GET request.
|
|
|
|
Compare the following:
|
|
|
|
$ snmpget -v1 -c public localhost sysUpTime
|
|
Error in packet
|
|
Reason: (noSuchName) There is no such variable name in this MIB.
|
|
This name doesn't exist: system.sysUpTime
|
|
|
|
$ snmpget -v1 -c public localhost sysUpTime.0
|
|
system.sysUpTime.0 = Timeticks: (69189271) 8 days, 0:11:32.71
|
|
|
|
This is a little less obscure when using SNMPv2c or v3 requests:
|
|
|
|
$ snmpget -v 2c -c public localhost sysUpTime
|
|
system.sysUpTime = No Such Instance currently exists
|
|
|
|
|
|
|
|
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
|
|
--------------------------------------------------------------------------
|
|
|
|
This depends on which MIB modules are supported by the agent you are
|
|
querying and exactly what you're asking for.
|
|
|
|
Note that a tree is walked by repeatedly asking for "the next entry" until
|
|
all the values under that tree have been retrieved. However, the agent has
|
|
no idea that this is what's happening - all it sees is a request for "the
|
|
next entry after X".
|
|
|
|
If the object X happens to be the last entry in a sub-tree, the agent will
|
|
provide the next object supported (as requested) even though this will be
|
|
in a different subtree. It's up to the querying tool to recognise that
|
|
this last result lies outside the area of interest, and simply discard it.
|
|
|
|
If the object X happens to be the last entry supported by the agent, it
|
|
doesn't have another object to provide, so returns an "end of MIB"
|
|
indication. The Net-SNMP tools report this with the message above.
|
|
|
|
But in either case, the actual information provided will be the same.
|
|
|
|
|
|
|
|
How do I use SNMPv3?
|
|
-------------------
|
|
|
|
The simplest form of SNMPv3 request is unauthenticated and unencrypted
|
|
(noAuthNoPriv). It simply requires a user name, and would look something
|
|
like:
|
|
|
|
snmpget -v 3 -l noAuthNoPriv -u dave localhost sysUpTime.0
|
|
|
|
However this approach foregoes the security protection which is the
|
|
main advantage of using SNMPv3 (and the agent must also be explicitly
|
|
configured to allow unauthenticated requests from that user).
|
|
|
|
The most common form of SNMPv3 request is authenticated but not encrypted
|
|
(authNoPriv). This specifies the pass phrase to authenticate with:
|
|
|
|
snmpget -v 3 -l authNoPriv -u dave -A "Open the Door"
|
|
localhost sysUpTime.0
|
|
|
|
A fully secure (i.e. encrypted) request (authPriv) would also specify
|
|
the privacy pass phrase:
|
|
|
|
snmpget -v 3 -l authPriv -u dave -A "Open the Door"
|
|
-X "Bet you can't see me" localhost sysUpTime.0
|
|
|
|
In practise, most of these would probably be set via configuration
|
|
directives in a personal $HOME/.snmp/snmp.conf file (note, *not* the
|
|
agent's snmpd.conf file).
|
|
The equivalent settings for the third example would be:
|
|
|
|
defSecurityName dave
|
|
defSecurityLevel authPriv
|
|
defAuthPassphrase "Open the Door"
|
|
defPrivPassphrase "Bet you can't see me"
|
|
|
|
If the AuthPassphrase and the PrivPassphrase are the same, then you
|
|
can use the single setting
|
|
defPassphrase "Open the Door and see me"
|
|
instead.
|
|
|
|
See the AGENT section for how to configure the agent for SNMPv3 access.
|
|
|
|
|
|
|
|
Why can't I set any variables in the MIB?
|
|
----------------------------------------
|
|
|
|
There are three possible reasons for this:
|
|
|
|
Many MIB objects are defined as "read-only" and inherently cannot be
|
|
changed via SET requests. Attempts to do so will typically be rejected
|
|
by the 'snmpset' command without ever being sent to the agent.
|
|
|
|
Of those objects that can in principle be changed, the agent may not
|
|
include the code necessary to support SET requests. (GET and GETNEXT
|
|
are much easier to handle - particularly for objects relating to the
|
|
internals of the underlying operating system).
|
|
|
|
Even if SET support has been implemented, the agent may not be configured
|
|
to allow write access to this object.
|
|
|
|
Ready-installed distributions (such as those shipped with Linux) tend
|
|
to be configured with read-only access to part of the mib tree (typically
|
|
just the system group) and no write access at all.
|
|
|
|
To change this, you will need to set up the agent's access control
|
|
configuration. See the AGENT section for more details.
|
|
|
|
Note that neither the community string "public" nor "private" can be
|
|
used to set variables in a typical default configuration.
|
|
|
|
|
|
|
|
Variables seem to disappear when I try to set them. Why?
|
|
--------------------------------------------------------
|
|
|
|
This is actually the same as the previous question - it just isn't
|
|
particularly obvious, particularly when using SNMPv1. A typical
|
|
example of this effect would be
|
|
|
|
$ snmpget -v1 -c public localhost sysLocation.0
|
|
sysLocation.0 = somewhere nearby
|
|
|
|
$ snmpset -v1 -c public localhost sysLocation.0 s "right here"
|
|
Error in packet.
|
|
Reason: (noSuchName) There is no such variable name in this MIB.
|
|
This name doesn't exist: sysLocation.0
|
|
|
|
Trying the same request using SNMPv2 or above is somewhat more informative:
|
|
|
|
$ snmpset -v 2c -c public localhost sysLocation.0 s "right here"
|
|
Error in packet.
|
|
Reason: notWritable
|
|
|
|
The SNMPv1 error 'noSuchName' actually means:
|
|
|
|
"You can't do that to this variable"
|
|
|
|
rather than "this variable doesn't exist".
|
|
It may be the case that it doesn't exist at all. It may exist but you
|
|
don't have access to it (although different administrative credentials
|
|
might be accepted). Or it may exist, but you simply can't perform that
|
|
particular operation (e.g. changing it).
|
|
Similarly, the SNMPv2 error 'notWritable' means "not writable in this
|
|
particular case" rather than "not writable under any circumstances".
|
|
|
|
If you are sure that the object is both defined as writable, and has been
|
|
implemented as such, then you probably need to look at the agent access
|
|
control. See the AGENT section for more details.
|
|
But see the next entry first.
|
|
|
|
|
|
|
|
Why can't I change sysLocation (or sysContact)?
|
|
----------------------------------------------
|
|
|
|
There is one final possibility to consider for why a SET request might
|
|
be rejected.
|
|
|
|
The values for certain MIB objects (including 'sysLocation' and 'sysContact')
|
|
can be configured via the snmpd.conf file. If this is done, then these
|
|
particular objects become read-only, and cannot be updated via SET commands,
|
|
even if the access control settings would otherwise allow it.
|
|
|
|
This may seem perverse, but there is good reason for it. If there is a
|
|
configuration setting for one of these objects, then that value will be
|
|
used whenever the agent re-starts. If the object was allowed to be updated
|
|
using SET, this new value would be forgotten the next time the agent was
|
|
re-started.
|
|
|
|
Hence the Net-SNMP agent rejects such requests if there's a value configured
|
|
via the 'snmpd.conf' file. If there isn't such a config setting, then the
|
|
write request will succeed (assuming suitable access control settings), and
|
|
the new value will be retained the next time the agent restarts.
|
|
|
|
|
|
|
|
I get an error when trying to set a negative value - why?
|
|
--------------------------------------------------------
|
|
|
|
This is a different problem. What's happening here is that the
|
|
routine that parses the arguments to the 'snmpset' command is seeing
|
|
the '-' of the new value, and treating it as a command-line option.
|
|
This normally generates an error (since digits typically aren't valid
|
|
command line options).
|
|
|
|
The easiest way to solve this is include the "end-of-option"
|
|
indicator '--' in the command line, somewhere before the new value
|
|
(but after all of the options, obviously). For example:
|
|
|
|
snmpset -v 2c -c public localhost -- versionRestartAgent.0 i -1
|
|
|
|
(This command will still fail, since -1 isn't an acceptable value for
|
|
this particular object, but that's not the point here!)
|
|
|
|
|
|
|
|
I get an error when trying to query a string-indexed table value - why?
|
|
----------------------------------------------------------------------
|
|
|
|
The Net-SNMP library will normally try to interpret string-based
|
|
index values, and display them in a meaningful manner:
|
|
|
|
$ snmpgetnext .... vacmGroupName
|
|
vacmGroupName.3."dave" = theWorkers
|
|
|
|
The command-line tools will also accept string-valued indexes within
|
|
an OID, and convert them into the appropriate numeric form before
|
|
sending an SNMP request. However the Unix shell will typically
|
|
swallow the quotes around the string index value, before the SNMP
|
|
tools can get a chance to interpret them.
|
|
|
|
The answer is to escape the quotes, to protect them from the shell,
|
|
and allow them to be passed through to the OID parser:
|
|
|
|
snmpget .... vacmGroupName.3.\"dave\"
|
|
or
|
|
snmpget .... 'vacmGroupName.3."dave"'
|
|
|
|
|
|
Another alternative is to avoid trying to specify the index value as
|
|
a string, and provide the numeric subidentifiers directly:
|
|
|
|
snmpget .... vacmGroupName.3.4.100.97.118.101
|
|
|
|
(where '3' indicates SNMPv3, '4' is the length of the string index,
|
|
followed by the ASCII values of the individual characters).
|
|
|
|
The command-line option '-Ob' will display the results of querying
|
|
a string-indexed table in this format:
|
|
|
|
$ snmpgetnext -Ob .... vacmGroupName
|
|
vacmGroupName.3.4.100.97.118.101 = theWorkers
|
|
|
|
|
|
|
|
How should I specify string-indexed table values?
|
|
------------------------------------------------
|
|
|
|
There's one other aspect of string-indexed tables that can cause
|
|
problems - the difference between implicit- and explicit-length
|
|
strings, and how to represent these when making an SNMP query.
|
|
|
|
The most common style of string index uses an explicit length,
|
|
followed by the individual ASCII character values:
|
|
|
|
"dave" = 4.'d'.'a'.'v'.'e'
|
|
|
|
(as shown in the previous entry).
|
|
|
|
However if the string index is defined in the MIB file as IMPLIED
|
|
(or if it has a fixed length, such as a physical ethernet address),
|
|
then the length subidentifier is omitted, and the index simply
|
|
consists of the character values:
|
|
|
|
"dave" = 'd'.'a'.'v'.'e'
|
|
|
|
Note that IMPLIED index objects can only appear as the *last* index
|
|
for a table.
|
|
|
|
The Net-SNMP library uses double quotes (i.e. "dave) to indicate an
|
|
explicit length string index value, and single quotes (i.e. 'dave')
|
|
to indicate an implicit length one. If you use the wrong style of
|
|
quotes, then the resulting OID will be incorrect, and you'll get
|
|
confusing results to your query.
|
|
|
|
|
|
|
|
How do I send traps and notifications?
|
|
---------------------------------------
|
|
|
|
Traps and notifications can be sent using the command 'snmptrap'.
|
|
The following examples generate the generic trap 'warmStart(1)' and a
|
|
(dummy) enterprise specific trap '99' respectively:
|
|
|
|
snmptrap -v 1 -c public localhost "" "" 1 0 ""
|
|
snmptrap -v 1 -c public localhost "" "" 6 99 ""
|
|
|
|
The empty parameters "" will use suitable defaults for the relevant
|
|
values (enterprise OID, address of sender and current sysUptime).
|
|
|
|
An SNMPv2 or SNMPv3 notification (either trap or inform) takes
|
|
the OID of the trap to send:
|
|
|
|
snmptrap -v 2c -c public localhost "" UCD-SNMP-MIB::ucdStart
|
|
snmptrap -v 2c -c public localhost "" .1.3.6.1.4.1.2021.251.1
|
|
|
|
(These two are equivalent ways of specifying the same trap). Again,
|
|
the empty parameter "" will use a suitable default for the relevant
|
|
value (sysUptime).
|
|
|
|
Any of these commands can be followed by one or more varbinds,
|
|
using the same (OID/type/value) syntax as for 'snmpset':
|
|
|
|
snmptrap -v 2c -c public localhost "" ucdStart sysContact.0 s "Dave"
|
|
|
|
Generating traps from within the agent, or other applications, is
|
|
covered in the AGENT and CODING sections.
|
|
|
|
You should also read the snmptrap tutorial at
|
|
http://www.net-snmp.org/wiki/index.php/TUT:snmptrap
|
|
which will help you understand everything you need to know about traps.
|
|
|
|
|
|
|
|
How do I receive traps and notifications?
|
|
----------------------------------------
|
|
|
|
Handling incoming traps is the job of a "notification receiver".
|
|
The Net-SNMP suite include the tool 'snmptrapd' to act in this role.
|
|
This can log traps to a file or via the syslog mechanism, forward them
|
|
to another notification receiver and/or invoke a specified command
|
|
whenever a particular notification is received.
|
|
|
|
Logging notifications would be done by starting snmptrapd as:
|
|
snmptrapd -Ls 7 (log to syslog using 'LOCAL7')
|
|
or
|
|
snmptrapd -f -Lo (log to standard output)
|
|
|
|
Invoking a command to process a received notification uses one or
|
|
more 'traphandle' directives in the configuration file 'snmptrapd.conf'.
|
|
A typical configuration might look something like:
|
|
|
|
traphandle .1.3.6.1.6.3.1.5.1 /path/to/page_me up
|
|
traphandle .1.3.6.1.4.1.2021.251.1 /path/to/page_me up
|
|
traphandle .1.3.6.1.4.1.2021.251.2 /path/to/page_me down
|
|
traphandle default /path/to/log_it
|
|
|
|
where 'page_me' and 'log_it' are the commands to be run.
|
|
|
|
Forwarding notifications to another receiver would be done using
|
|
similar 'snmptrapd.conf' directives:
|
|
|
|
forward .1.3.6.1.4.1.8072.4.0.3 10.0.0.1
|
|
forward default 10.0.0.2
|
|
|
|
There's a tutorial with more details on the web site at
|
|
http://www.net-snmp.org/wiki/index.php/TUT:snmptrap
|
|
|
|
|
|
|
|
How do I receive SNMPv1 traps?
|
|
-----------------------------
|
|
|
|
Directives in the 'snmptrapd.conf' file use the (SNMPv2) snmpTrapOID
|
|
value to identify individual notifications. This applies to *all*
|
|
versions of SNMP - including SNMPv1 traps. See the co-existence spec
|
|
(RFC 2576) for details of mapping SNMPv1 traps to SNMPv2 OIDs.
|
|
|
|
Note that the first traphandle directive in the previous entry uses
|
|
the OID corresponding to the SNMPv1 'coldStart' trap.
|
|
|
|
|
|
|
|
Why don't I receive incoming traps?
|
|
----------------------------------
|
|
|
|
Starting with net-snmp 5.3, snmptrapd will no longer automatically
|
|
accept all incoming traps. It must be configured with authorized
|
|
SNMPv1/v2c community strings and/or SNMPv3 users. Non-authorized
|
|
traps/informs will be dropped.
|
|
Please refer to the snmptrapd.conf(5) manual page for details.
|
|
|
|
|
|
|
|
My traphandler script doesn't work when run like this - why not?
|
|
---------------------------------------------------------------
|
|
|
|
If a traphandler script works fine when run manually from the
|
|
command line, but fails or generates an error when triggered by
|
|
an incoming notification, then there are two likely causes.
|
|
|
|
Firstly, the interactive shell environment may not be precisely
|
|
the same as that for programs executed by the snmptrapd daemon.
|
|
In particular, it's quite possible that the PATH environmental
|
|
variable may not include all the additional directories that are
|
|
commonly set up for a personal login configuration. To avoid this
|
|
problem (particularly for traphandler shell scripts), it's worth
|
|
giving the full path to all programs used within the script.
|
|
|
|
Secondly, the snmptrapd daemon may not always recognise the
|
|
appropriate interpreter to use for a particular trap handler.
|
|
If this is the case, then you can specify this interpreter
|
|
explicitly as part of the trap handle directive:
|
|
|
|
traphandle default /usr/bin/perl /usr/bin/log_it
|
|
|
|
In this case, it's almost certain that you'll also
|
|
need to give the full path to the traphandle script (as shown)
|
|
|
|
|
|
|
|
How can the agent receive traps and notifications?
|
|
-------------------------------------------------
|
|
|
|
It can't.
|
|
|
|
The primary purpose of an SNMP agent is to handle requests for
|
|
information from management applications. In SNMP terminology,
|
|
it acts as a "command responder".
|
|
|
|
It may also issue traps to report significant events or conditions
|
|
("notification generator"). But responding to such notifications
|
|
is a significantly different role, and this is handled by a separate
|
|
application ('snmptrapd'). Note that it is perfectly possible (even
|
|
normal) for both agent and trap receiver to run on the same host.
|
|
|
|
|
|
|
|
How big can an SNMP request (or reply) be?
|
|
-----------------------------------------
|
|
|
|
The protocol definition specifies a "minimum maximum" packet size
|
|
(484 bytes for UDP), which all systems must support, but does not
|
|
attempt to define an upper bound for this maximum size. This is left
|
|
to each individual implementation.
|
|
|
|
The UCD software used a fixed size buffer of 1472 bytes to hold the
|
|
encoded packet, so all requests and responses had to fit within this.
|
|
The Net-SNMP releases handle packet buffers rather differently, and
|
|
are not subject to the same fixed restrictions.
|
|
|
|
|
|
|
|
How can I monitor my systems (disk, memory, etc)?
|
|
------------------------------------------------
|
|
|
|
In general, the Net-SNMP suite consists of relatively low-level
|
|
tools, and there is nothing included that is designed for high-level,
|
|
long-term monitoring of trends in network traffic, disk or memory
|
|
usage, etc.
|
|
|
|
There are a number of packages available that are designed for this
|
|
purpose. Two of the most widely used are MRTG (http://www.mrtg.org/)
|
|
and RRDtool (http://oss.oetiker.ch/rrdtool/). There are also several
|
|
frontends built on top of RRDtool, including Cacti (http://www.cacti.net/)
|
|
and Cricket (http://cricket.sourceforge.net/). There are details of
|
|
how to set up Cricket to monitor some of the UCD extensions at
|
|
http://www.afn.org/~jam/software/cricket/
|
|
|
|
We have also set up a page that describes in detail how MRTG
|
|
can be set up to monitor disk, memory and cpu activity at
|
|
http://www.net-snmp.org/tutorial-5/mrtg/index.html
|
|
|
|
There is also a web-based network configuration system "Net-Policy",
|
|
based upon SNMP. This is not strictly connected to the Net-SNMP project,
|
|
but a number of the core developers are also involved with that system.
|
|
See http://net-policy.sourceforge.net for more details.
|
|
|
|
|
|
|
|
Applications complain about entries in your example 'snmp.conf' file. Why?
|
|
--------------------------------------------------------------------------
|
|
|
|
There *is* no example 'snmp.conf' shipped with the standard distribution.
|
|
|
|
The configuration file 'EXAMPLE.conf' is designed as a config for
|
|
the agent, and should be installed as 'snmpd.conf' (note the 'd').
|
|
The file 'snmp.conf' is intended for general configuration options,
|
|
applicable to all applications (via the SNMP library).
|
|
Rename (or merge) the 'snmp.conf' file to 'snmpd.conf', and this
|
|
should fix the problem.
|
|
|
|
See the AGENT section or the 'snmpd.conf(5)' man page for more information
|
|
about what should go in this file.
|
|
|
|
|
|
|
|
OK, what should I put in snmp.conf?
|
|
----------------------------------
|
|
|
|
This is used to set common configuration values for most of the
|
|
applications, to avoid having to specify them every time. Examples
|
|
are the SNMPv3 settings mentioned above, defaults for which MIBs to
|
|
load and where from (see the second entry in this section),
|
|
and the default SNMP version, port and (if appropriate) community
|
|
string to use.
|
|
|
|
Some of these (such as MIB information), might be best put in a
|
|
shared snmp.conf file (typically /usr/share/snmp/snmp.conf or
|
|
/etc/snmp/snmp.conf) to apply to all users of the system. Others
|
|
(particularly the SNMPv3 security settings), are more likely to refer
|
|
to a particular user, and should probably go in a personal snmp.conf
|
|
file (typically $HOME/.snmp/snmp.conf).
|
|
|
|
See 'snmpget -H' and/or the snmp.conf(5) man page for more details.
|
|
|
|
You can also use the "snmpconf" command to help you generate your
|
|
snmp.conf configuration file (just run it and answer its questions).
|
|
|
|
|
|
|
|
How do I specify IPv6 addresses in tools command line arguments?
|
|
---------------------------------------------------------------
|
|
|
|
IPv6 addresses pose a particular problem for the Net-SNMP command
|
|
line tools, which parse host names into pieces. In particular, normally
|
|
if you specify a simple host name, it assumes you want UDP in IPv4 on
|
|
port 161. By default, these two commands are actually the same:
|
|
|
|
snmpget 127.0.0.1 sysUpTime.0
|
|
snmpget udp:127.0.0.1:161 sysUpTime.0
|
|
|
|
However, for IPv6 this causes a problem because IPv6 addresses also use
|
|
a colon to separate addressing parts. Thus you need to enclose the address
|
|
in square brackets ( [ and ] ).
|
|
Because most shells use these brackets too, you also likely need to quote it:
|
|
|
|
snmpget 'udp6:[::1]:161' sysUpTime.0
|
|
|
|
|
|
|
|
PERL
|
|
====
|
|
|
|
What is the purpose of the Perl SNMP module?
|
|
-------------------------------------------
|
|
|
|
Short, comprehensive (but ultimately unhelpful) anwer - to provide a
|
|
perl interface for SNMP operations.
|
|
|
|
Longer, incomplete (but more useful) answer - there are probably two
|
|
main uses for the Perl SNMP module. The first is for developing client
|
|
management applications, using perl to send SNMP requests, and manipulating
|
|
or displaying the results. As such, this is a straight alternative to
|
|
various other SNMP toolkits currently available (for both perl and other
|
|
programming languages).
|
|
|
|
The second is as a means for extending the functionality of the Net-SNMP
|
|
agent, by implementing new MIB modules. This is an alternative to the
|
|
other script-based extension mechanisms, but is more tightly bound to the
|
|
Net-SNMP agent (and hence more efficient), while still avoiding the need
|
|
to write C code.
|
|
|
|
It is also possible to use the perl SNMP module in the snmpd.conf file,
|
|
or to process incoming notifications, but the above are probably the
|
|
two primary uses.
|
|
|
|
|
|
|
|
Where can I get the Perl SNMP package?
|
|
-------------------------------------
|
|
|
|
Joe Marzot's excellent Perl 'SNMP' module, is included in the Net-SNMP
|
|
source releases. It can be found located in the perl/SNMP subdirectory
|
|
of the source tree. This is accompanied by a number of Perl modules
|
|
grouped together under the NetSNMP namespace.
|
|
|
|
The basic SNMP module (though not the NetSNMP additions), can also
|
|
be found at any Comprehensive Perl Archive Network (CPAN) mirror site,
|
|
under modules/by-module/SNMP. To find the CPAN site nearest you,
|
|
please see http://www.cpan.org/SITES.html.
|
|
|
|
These Perl modules need to be used in conjunction with a compatible
|
|
version of the Net-SNMP library. Consult the README file in the SNMP
|
|
Perl distribution to find out which version of the library it needs.
|
|
|
|
|
|
|
|
How do I install the Perl SNMP modules?
|
|
--------------------------------------
|
|
|
|
Assuming you have a reasonably new (and properly configured) Perl system,
|
|
this should be simply:
|
|
|
|
cd perl
|
|
perl Makefile.PL
|
|
(press RETURN when prompted for host and community)
|
|
make
|
|
make test
|
|
make install (probably as root)
|
|
|
|
|
|
It might be possible to install the basic module using
|
|
|
|
perl -MCPAN -e shell ; "install SNMP"
|
|
|
|
but this has not been reliably tested, and very much relies on
|
|
having the correct version of the Net-SNMP library.
|
|
|
|
There may also be appropriate pre-compiled versions of the Perl modules
|
|
available from the Net-SNMP project website, or your O/S vendor.
|
|
|
|
|
|
|
|
But compiling this fails! Why?
|
|
-----------------------------
|
|
|
|
The Perl module tends to delve quite deeply into the internals of the
|
|
main Net-SNMP library, and so is quite sensitive to changes within the
|
|
library. It's important to use the correct version of the module, that
|
|
corresponds to the version of the library you have installed. If you're
|
|
working with a Net-SNMP source distribution, the appropriate versions of
|
|
the Perl modules are shipped as part of the source code, but you *must*
|
|
have run "make install" on the main Net-SNMP distribution *first*.
|
|
|
|
If you're working with a ready-installed version of the library, make
|
|
sure you obtain a compatible version of the Perl module.
|
|
|
|
Note that the Perl modules will be compiled using the compiler
|
|
(and compiler settings) used for compiling the original perl binary,
|
|
*not* those used for compiling the Net-SNMP (or UCD) library.
|
|
If these are different (e.g. 'gcc' used for one and 'cc' for the other)
|
|
then this may well cause problems. It's much safer to use a consistent
|
|
environment for both. This issue is discussed in greater detail in
|
|
the README.solaris file.
|
|
|
|
Also note that the v5 Net-SNMP suite *must* be configured to provide
|
|
shared libraries in order for the Perl modules to work correctly. This
|
|
is not necessary with the v4 UCD-SNMP libraries.
|
|
|
|
|
|
|
|
Compiling the Perl module works OK, but 'make test' fails. Why?
|
|
--------------------------------------------------------------
|
|
|
|
That's difficult to answer in general.
|
|
Some of the Perl tests are rather picky, so this may simply be
|
|
some minor inconsistency between your precise setup, and the
|
|
expectations of the test environment.
|
|
|
|
Check that you are working with the Perl distribution that matches
|
|
the SNMP libraries (use the 'perl/SNMP' in preference to CPAN), and
|
|
that you have installed the main libraries successfully (uninstall
|
|
any old versions if you're having trouble).
|
|
|
|
If all this looks OK, and if most of the tests pass, then it's
|
|
probably safe to run 'make install' anyway. Probably.
|
|
|
|
|
|
|
|
Why can't mib2c (or tkmib) locate SNMP.pm?
|
|
-----------------------------------------
|
|
|
|
That's probably because the SNMP Perl module hasn't been installed.
|
|
It's not part of the standard Perl distribution, nor is it included
|
|
in the default Fedora Linux installation (for example).
|
|
You'll need to install it yourself.
|
|
|
|
See the second entry in this section.
|
|
|
|
|
|
|
|
Why can't mib2c (or tkmib) load SNMP.so?
|
|
---------------------------------------
|
|
|
|
This is probably the same problem. Either the SNMP module
|
|
hasn't been installed, or it's the wrong version. See the
|
|
previous questions.
|
|
|
|
|
|
|
|
Why can't tkmib locate Tk.pm?
|
|
----------------------------
|
|
|
|
Tk.pm is another Perl package that needs to be installed before tkmib
|
|
will run. It's also available on Perl CPAN. We suggest using version
|
|
"Tk800.011" or later. It can be installed by issuing the command:
|
|
|
|
perl -MCPAN -e shell ; "install Tk"
|
|
|
|
|
|
|
|
Why does your RPM complain about missing Perl modules?
|
|
-----------------------------------------------------
|
|
|
|
This has been particularly noted on RedHat 9, complaining about the
|
|
module "perl(Term::ReadKey)" - even if this is actually present (e.g.
|
|
having been installed directly from CPAN). In fact, this is not
|
|
specific to Perl modules - the same issue can potentially arise with
|
|
other RPM dependencies.
|
|
|
|
The problem is that the RPM mechanism keeps a local database of what
|
|
software packages have been installed, and checks this for any other
|
|
features that this RPM requires. If software is installed "manually"
|
|
rather than via rpm packages, then it will not appear in this database.
|
|
Attempting to install another RPM that rely on this functionality will
|
|
then complain about the "missing" package, because the RPM system doesn't
|
|
know that's it's actually available.
|
|
|
|
The ideal solution is to *always* install software using a consistent
|
|
mechanism (which may involve building RPMs locally, or looking for a
|
|
suitable pre-built version).
|
|
|
|
Failing this, it's possible to tell the "rpm" command to ignore such
|
|
dependencies, and install the package anyway. Try:
|
|
|
|
rpm -i --nodeps {package}
|
|
|
|
In this situation, it's then up to you to make sure that any other
|
|
necessary packages *are* actually present on the system.
|
|
|
|
|
|
|
|
I've got a problem with the Net-SNMP module. Can you help?
|
|
----------------------------------------------------------
|
|
|
|
Sorry, despite the similar-sounding name, the Net-SNMP (or Net::SNMP)
|
|
module is nothing to do with this package, or the NetSNMP modules.
|
|
Net::SNMP is a "pure-perl" implementation of SNMP support, developed
|
|
by David Town. The developers of the (C-based) Net-SNMP suite do
|
|
not have any significant experience in using this particular module,
|
|
and you'll probably be better off asking for help via CPAN or some
|
|
other perl-related forum.
|
|
|
|
|
|
|
|
MIBS
|
|
====
|
|
|
|
Where can I find a MIB compiler?
|
|
-------------------------------
|
|
|
|
That depends what you mean by a "MIB compiler". There are at least two
|
|
types of tool that are commonly referred to by this name.
|
|
|
|
The first is a tool to check MIB files for validity. With the Net-SNMP
|
|
software, this functionality is mostly integrated within the MIB parser,
|
|
and hence included in all the applications. The tool 'snmptranslate' is
|
|
probably the most appropriate for this purpose.
|
|
|
|
Note that the parser is fairly forgiving (see 'What ASN.1 parser is used'
|
|
below), so this should not be regarded as a stamp of approval. For a
|
|
more rigourous validation, use a tool such as 'smilint', or the on-line
|
|
interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/
|
|
|
|
The second type of "MIB compiler" is one to turn a MIB specification
|
|
into C code, specifically one designed to aid agent implementation. The
|
|
command 'mib2c' is an example of such a tool for the Net-SNMP agent.
|
|
See the CODING section for more information.
|
|
|
|
|
|
|
|
Why aren't my MIB files being read in?
|
|
-------------------------------------
|
|
|
|
There are two basic likely causes - either the library isn't attemping to
|
|
load these particular MIB files, or it's trying to load them but can't
|
|
locate them.
|
|
|
|
By default, the Net-SNMP library loads a specific subset of MIB files.
|
|
This list is set when the suite is first configured and compiled, and
|
|
basically corresponds to the list of modules that the agent supports.
|
|
(This is a simplification, but is a reasonable first approximation).
|
|
|
|
In order to load additional MIB files, it is necessary to add them to this
|
|
default list. See the FAQ entry "How do I add a MIB to the tools?" for
|
|
more information about how to do this.
|
|
|
|
|
|
Alternatively, the tools may be looking in the wrong place. The directory
|
|
where the library looks for MIB files is also set when the software is
|
|
first configured and compiled. If you put new MIB files in the wrong
|
|
location, then the library won't be able to find them (and will complain).
|
|
|
|
This problem may arise when switching from a vendor-supplied distribution
|
|
to one compiled from source (or vice versa).
|
|
See the next entry for more information.
|
|
|
|
|
|
|
|
Where should I put my MIB files?
|
|
-------------------------------
|
|
|
|
If you've compiled the package from source (or are using binaries
|
|
from the project website), then you should probably put new MIB
|
|
files in the directory /usr/local/share/snmp/mibs
|
|
|
|
If you are using vendor-supplied binaries, then the MIB files
|
|
may well be located somewhere else (e.g. /usr/share/snmp/mibs,
|
|
/opt/snmp/mibs, or /etc/sma/snmp/mibs). Have a look for where
|
|
existing MIB files are installed, and try adding your MIBs to
|
|
the same directory.
|
|
|
|
If you compiled the source yourself, but specified a different
|
|
--prefix value when running configure, then the location of the
|
|
MIB directory will be {prefix}/share/snmp/mibs.
|
|
|
|
If you're still not sure where to put your MIB files, try running
|
|
the command
|
|
|
|
snmpget -Dparse-mibs 2>&1 | grep directory
|
|
|
|
This will display the location(s) where the library is looking
|
|
for MIB files.
|
|
|
|
|
|
|
|
What does "Cannot find module (XXX-MIB)" mean?
|
|
---------------------------------------------
|
|
|
|
If this error is only generated for one or two modules, then it's
|
|
likely that the named modules are not being found - perhaps they're
|
|
not installed in the correct location, are not readable, or the
|
|
name being used is incorrect. See the previous entries and the entry
|
|
"How do I add a MIB to the tools?" for more details.
|
|
|
|
Note that the name reported is the name of the MIB *module*, which is
|
|
not necessarily the same as the name of the file.
|
|
|
|
|
|
If there are a large number of such errors, then it's more likely
|
|
that either the MIB files haven't been installed at all. If you are
|
|
compiling from source, then it is necessary to run "make install" in
|
|
order to set up the full run-time environment.
|
|
|
|
Otherwise, see the previous entry to check whether the MIBs are installed
|
|
in the correct location for the tools to find them.
|
|
|
|
|
|
|
|
I'm getting answers, but they're all numbers. Why?
|
|
-------------------------------------------------
|
|
|
|
This is related to the previous questions. Remember, the results that
|
|
you receive from an agent do not depend on which MIBs are loaded by the
|
|
client tools - purely on how the agent was compiled and configured.
|
|
|
|
Because the tools don't necessarily read in every MIB file they can find
|
|
(and the relevant MIB file may not be available anyway), it is quite
|
|
possible for results from an agent to refer to modules that have not
|
|
been loaded (particularly with GETNEXT requests, or when walking a tree).
|
|
|
|
The results will be reported correctly, but won't be translated to use
|
|
named identifiers (or display the values in the most appropriate manner).
|
|
To fix this, add the missing MIB files to the list of MIBs to be loaded.
|
|
See the previous entries and the entry "How do I add a MIB to the tools?"
|
|
for more information.
|
|
|
|
|
|
|
|
What does "unlinked OID" mean?
|
|
-----------------------------
|
|
|
|
This means that the library has been able to find the MIB module,
|
|
and parse the individual objects defined in it, but is having problems
|
|
linking them together into a consistent tree. In particular, it
|
|
can't find an object corresponding to the name within the braces
|
|
(i.e. the 'xxx' in '{xxx 99}').
|
|
|
|
This is probably due either to a typo in this name (remember that
|
|
names are case sensitive, so a reference to 'xxx' will *not* match
|
|
a definition of 'Xxx'), or else the name is defined in another MIB
|
|
file, and this dependency is missing from the IMPORT clause of this
|
|
MIB file.
|
|
|
|
|
|
|
|
The parser doesn't handle comments properly. Why not?
|
|
----------------------------------------------------
|
|
|
|
The way that comments are handled in a MIB file is subtly different
|
|
to the equivalent syntax in most typical programming languages, and
|
|
this difference can catch out the unwary. In particular, there are
|
|
two common situations which can lead to problems.
|
|
|
|
The first scenario is where the MIB designer has attempted to "comment
|
|
out" an unwanted line that already contains a comment:
|
|
|
|
-- broken ::= { myMIB 1 } -- This isn't working yet
|
|
|
|
The assumption here is that a comment continues to the end of the line.
|
|
Unfortunately, this is not correct. A comment will continue either to
|
|
the end of the line, *or* the next occurance of a pair of dashes.
|
|
|
|
Thus in this case, the definition of "broken" is commented out (as
|
|
intended) but the following text ("This isn't working yet") is treated
|
|
as an active part of the MIB, and will generate an error.
|
|
|
|
|
|
The second scenario is where a line of dashes has been used to mark
|
|
out separate parts of a MIB file. Depending on the exact number of
|
|
dashes used, this may still result in a syntactically valid MIB file,
|
|
but has a 1-in-4 possibility of triggering an error. This means that
|
|
this particular situation can be particularly difficult to spot!
|
|
|
|
|
|
Most of the Net-SNMP applications have a command-line option (-Pc) which
|
|
will work around this problem by treating the whole line as a comment.
|
|
But this is not strictly legal, and the offending MIB file should really
|
|
be corrected.
|
|
|
|
|
|
|
|
How can I get more information about problems with MIB files?
|
|
------------------------------------------------------------
|
|
|
|
The command 'snmptranslate' is used to translate between numeric
|
|
and symbolic forms of OIDs. It uses the same MIB parsing routines
|
|
as the commands that actually communicate with a network management
|
|
agent, but can be used standalone. As such, it is a useful tool
|
|
for identifying problems with reading in MIB files.
|
|
|
|
In particular, the following options may be useful in
|
|
identifying problems:
|
|
-Pw warns about conflicting symbols
|
|
-PW prints more verbose warnings about other problems as well
|
|
(in both cases, ignore the 'xmalloc' reports)
|
|
-T provides sub-options for various views of these entries
|
|
|
|
There are other '-P' options to control various aspects of MIB parsing.
|
|
See the 'snmptranslate(1)' and 'snmpcmd(1)' man pages for more details,
|
|
or the tutorial at
|
|
http://www.net-snmp.org/tutorial-5/commands/snmptranslate.html
|
|
|
|
For a more rigourous validation, use a tool such as 'smilint', or the
|
|
on-line interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/
|
|
|
|
|
|
|
|
What's this about "too many imported symbols"?
|
|
---------------------------------------------
|
|
|
|
Any MIB file starts with an (optional) list of identifiers that
|
|
it "imports" from other files. The parser handles this using
|
|
a fixed size buffer to hold the import information.
|
|
There are two circumstances in which this can result in the
|
|
error message shown above.
|
|
|
|
Firstly, if the MIB file refers to an unusually large number
|
|
of external identifiers. Handling this case requires a (trivial)
|
|
patch to the parsing code. Contact the coders list for advice.
|
|
(This is extremely rare - the only example that
|
|
we've come across is the Cabletron Trap MIB).
|
|
|
|
Much more common is a syntax error in the IMPORTS clause of the
|
|
MIB file in question. In particular, check that this section ends
|
|
in a semicolon, before going on to the main MIB object definitions.
|
|
|
|
|
|
|
|
Do I actually need the MIB files?
|
|
--------------------------------
|
|
|
|
Probably not.
|
|
The MIB files play two main roles - they are used to translate
|
|
between numeric OIDs and the corresponding textual names, and
|
|
they define the structure and syntax of the relevant MIB objects.
|
|
|
|
This second role is perhaps best thought of in terms of a design
|
|
document. It's vital while developing an application (typically
|
|
the MIB module or handler within the agent), since it defines
|
|
what the application (MIB) must actually do. But once the code
|
|
has been written, the design document becomes redundent.
|
|
The agent then has the same information hardcoded into it
|
|
(literally!), and no longer needs the MIB file.
|
|
|
|
The translation task is not strictly necessary - SNMP will
|
|
operate fine without any MIB files at all, as long as you're
|
|
happy to work with numeric OIDs throughout, and know which MIB
|
|
objects you're interested in. But it's much easier to work with
|
|
the (hopefully) meaningful names, enumeration tags and the like,
|
|
and to view the description of a particular object.
|
|
This requires having the relevant MIB files installed and loaded.
|
|
|
|
|
|
Since the agent needs MIBs the least and some systems are memory
|
|
restricted, it is possible to completely disable loading these MIBs
|
|
as well as remove the code that does the parsing by using the
|
|
--disable-mib-loading flag to configure.
|
|
|
|
However, note that certain snmpd.conf tokens actually make use
|
|
of mib information so they won't be as easily usable.
|
|
|
|
|
|
|
|
AGENT
|
|
=====
|
|
|
|
What MIBs are supported?
|
|
-----------------------
|
|
|
|
The following MIBs are supported (at least in part and on some systems):
|
|
|
|
- MIB-2 General network statistics
|
|
(RFC 1213 and subsequent revisions)
|
|
- Host Resources (RFC 1514 and 2790)
|
|
- SNMPv3 framework (RFCs 2571-5, 3411-3418)
|
|
(including USM, VACM, Target
|
|
and Notification MIBs)
|
|
- DisMan Event and Schedule MIBs
|
|
- MTA-MIB (sendmail)
|
|
- private UCD/Net-SNMP agent extensions
|
|
(monitor specified processes and disks,
|
|
memory, CPU, load average, + extending
|
|
the agent using shell commands)
|
|
|
|
See README.agent-mibs for details.
|
|
|
|
Not all MIB modules are included by default on all systems. Some of
|
|
these may need to be explicitly requested when the software is first
|
|
configured and built, while others may not be available on all
|
|
architectures.
|
|
|
|
There are a few other MIB implementations distributed as part of the
|
|
source tarball, but these are basically unsupported and most of the
|
|
core developers have little or no experience with using them.
|
|
|
|
|
|
|
|
What protocols are supported?
|
|
----------------------------
|
|
|
|
The agent supports all three current versions of SNMP (v1, v2c and v3),
|
|
over both UDP and TCP transports, as well as acting as a SMUX (RFC 1227)
|
|
master agent, AgentX (RFC 2741) in both master and subagent roles, and
|
|
SNMP proxying.
|
|
|
|
|
|
|
|
How do I configure the agent?
|
|
----------------------------
|
|
|
|
That's a somewhat ambiguous question, as there are two very different
|
|
stages where it is possible to "configure" the agent.
|
|
|
|
Firstly, you can determine what capabilities and defaults are included
|
|
within the library and agent, at the time that the software is first
|
|
built. This uses suitable flags to the 'configure' script, before
|
|
compiling the source.
|
|
As far as the agent is concerned, the most significant option is
|
|
'--with-mib-modules' (or '--with-out-mib-modules') to control which
|
|
MIBs will be supported by the agent. See the next few entries for
|
|
details.
|
|
|
|
You can also control various aspects of the agent behaviour (and the
|
|
information it returns) at run time, via the 'snmpd.conf' configuration
|
|
file. Various aspects of this are touched on throughout this FAQ. Or
|
|
see the snmpd.conf(5) manual page for full details.
|
|
The "snmpconf" script can help in creating this config file.
|
|
Start off with 'snmpconf -g basic_setup' to get you going.
|
|
|
|
|
|
|
|
How do I remove a MIB from the agent?
|
|
------------------------------------
|
|
|
|
Deleting the text file for a MIB does not affect the agent (other than
|
|
to prevent it from recognising MIB object names in the config files).
|
|
It's necessary to tell the agent not to activate the relevant code that
|
|
actually implements these objects. There are three ways to do this:
|
|
|
|
1) re-run 'configure' to exclude the given MIB module(s) from the
|
|
build configuration, then recompile and reinstall:
|
|
|
|
./configure --with-out-mib-modules=path/to/unwanted ....
|
|
make
|
|
make install
|
|
|
|
This specifies the path to the module code file, relative to
|
|
the 'agent/mibgroup' directory. Clearly, this approach is
|
|
only possible if you are working with a source distribution.
|
|
|
|
2) disable the MIB at runtime
|
|
|
|
snmpd -I -unwanted
|
|
|
|
Note that this relies on knowing which modules are used to
|
|
implement the relevant MIB objects. If you're not sure,
|
|
you could try walking the 'nsModuleName' MIB object, which
|
|
indicates the module responsible for each particular range
|
|
of OIDs.
|
|
You can also check which MIB modules are loaded by getting
|
|
the agent to report them as they are initialised:
|
|
|
|
snmpd -Dmib_init -H
|
|
|
|
From this information, it should then be fairly obvious which
|
|
modules to disable.
|
|
|
|
3) use access control to exclude the mib from the view used to
|
|
query the agent:
|
|
|
|
view almostEverything included .1
|
|
view almostEverything excluded unwantedMib
|
|
|
|
rocommunity public default -V almostEverything
|
|
|
|
This approach can also be used with the full com2sec/group/access
|
|
configuration directives (e.g. with versions earlier than 5.3,
|
|
which don't support the above mechanism).
|
|
|
|
|
|
|
|
I've installed a new MIB file. Why can't I query it?
|
|
----------------------------------------------------
|
|
|
|
Installing a new MIB file will not magically enable the agent to know
|
|
what values to report for the objects defined in that MIB. It's
|
|
necessary to have some code which can provide the relevant information.
|
|
The next few entries, and the CODING section address this issue in more
|
|
detail.
|
|
|
|
|
|
|
|
How do I add a MIB to the agent?
|
|
-------------------------------
|
|
|
|
Adding a MIB essentially involves writing some code to implement the
|
|
objects defined in the new MIB. There are three basic approaches that
|
|
can be used to do this:
|
|
|
|
- The agent can invoke an external command or shell script to
|
|
return the necessary information. There are several possible
|
|
variations on this approach - see the next entry for details.
|
|
|
|
- The agent can pass the request off to another (sub-)agent,
|
|
which already implements the required MIB. Again, there are
|
|
several ways of doing this - including AgentX, SMUX and
|
|
proxied SNMP. See the next entry but one for details.
|
|
|
|
- You can write code to implement the new MIB objects, and
|
|
include this within the agent. This is most commonly C
|
|
(or C++) code, although the agent can also support MIB modules
|
|
implemented in perl.
|
|
See the next section (CODING) for more details.
|
|
|
|
Note that there is no visible difference between external commands,
|
|
subagents, and modules implemented within the main agent itself.
|
|
Tools querying the agent will see a single MIB structure.
|
|
|
|
|
|
|
|
What's the difference between 'exec', 'sh', 'extend' and 'pass'?
|
|
---------------------------------------------------------------
|
|
|
|
'exec' will run the specified command and return the exit status and
|
|
output. Any arguments are passed directly to the command, with no
|
|
special interpretation.
|
|
|
|
'sh' is similar, but invokes a shell to run the command line given.
|
|
This means that quoted arguments will be recognised as such, and also
|
|
allows redirection, and other similar shell interpretation. The results
|
|
are returned in exactly the same way.
|
|
|
|
'extend' is also similar, but provides a richer and more flexible MIB
|
|
framework - both for configuring the exact command to be run, and for
|
|
displaying the results.
|
|
|
|
None of these mechanisms require the command to have any knowledge of
|
|
SNMP, or the fact that they are being used in this manner. But the
|
|
output is returned in a fixed format, and it is up to the receiving
|
|
application to interpret this appropriately.
|
|
|
|
Note that the "relocatable" form of the 'exec' directive ('exec OID ....')
|
|
produces MIB output that is not strictly valid. For this reason, support
|
|
for this has been deprecated in favour of 'extend OID ...', which produces
|
|
well-formed MIB results (as well as providing fuller functionality).
|
|
The most recent releases of the agent don't include support for "relocatable
|
|
exec" by default. This needs to be explicitly included when the agent is
|
|
first compiled, by including the module 'ucd-snmp/extensible' instead of
|
|
'agent/extend'.
|
|
|
|
|
|
'pass' is a more general mechanism for implementing arbitrary MIB
|
|
objects. The specified command will be invoked for any request within
|
|
the named MIB subtree, and passed details of the requested OID. It
|
|
should return the information relevant to the requested OID.
|
|
|
|
'pass-persist' is similar, but the command will continue running
|
|
even after the initial request has been answered. These two mechanisms
|
|
can be used to implement a particular MIB, following the correct MIB
|
|
structure (as opposed to the fixed format of exec/sh/extend).
|
|
|
|
All of these mechanisms are described in the 'snmpd.conf(5)' man page,
|
|
in the section entitled "Extending Agent Functionality".
|
|
|
|
|
|
|
|
What's the difference between AgentX, SMUX and proxied SNMP?
|
|
-----------------------------------------------------------
|
|
|
|
All three are protocols that can be used to make two or more agents
|
|
appear as one to the querying application. In each case, one agent
|
|
takes the role of "master", and delegates requests to one of the others
|
|
as and where this is appropriate. The differences between them mainly
|
|
relate to how data is represented, and the mechanisms for communication
|
|
between master and subagents.
|
|
|
|
SMUX and proxy SNMP both essentially use the standard SNMP packet format.
|
|
The main difference is that a proxy SNMP subagent need not be aware that
|
|
it is acting in such a role. It typically listens on a non-standard port,
|
|
and simply receives requests as usual, forwarded from the master agent
|
|
(rather than directly). The main issue to be aware of is that such requests
|
|
will appear to come from the local host, and this may affect how the access
|
|
control mechanisms need to be set up.
|
|
|
|
SMUX uses a similar packet format, but the subagent "registers" with
|
|
the master agent, providing a suitable password. The Net-SNMP (and UCD)
|
|
agent includes the possibility of acting as a SMUX master agent, but the
|
|
suite does not include a subagent API. Note that support for SMUX is not
|
|
included by default, and needs to be explicitly enabled by running:
|
|
|
|
--with-mib-modules=smux
|
|
|
|
before re-compiling the agent.
|
|
See the file 'agent/mibgroup/README.smux' for details.
|
|
|
|
AgentX uses a more compact (and simpler) packet format, with a richer
|
|
range of administrative commands, and provides a more flexible and reliable
|
|
extension mechanism. The Net-SNMP agent can be used in both master and
|
|
subagent roles, and the agent library can also be used to embed an AgentX
|
|
subagent within another application.
|
|
See the file 'README.agentx' for details.
|
|
|
|
AgentX support is included by default, but needs to be explicitly
|
|
activated in the master agent. Do this by adding the line
|
|
|
|
master agentx
|
|
|
|
to the snmpd.conf file before starting the agent.
|
|
|
|
|
|
|
|
What is the purpose of 'dlmod'?
|
|
------------------------------
|
|
|
|
Most of the MIB information supplied by the Net-SNMP agent is provided
|
|
by C-coded implementation modules, and the choice of which modules to
|
|
include is usually made when the agent is first built. Adding new
|
|
MIB modules would therefore require re-compiling the agent. This is
|
|
not always convenient - particularly when working with a production
|
|
system, and/or pre-installed binaries.
|
|
|
|
Dynamically loaded modules are a means of including a MIB implementation
|
|
module within the main SNMP agent (or an AgentX subagent) without needing
|
|
to re-compile and re-link the agent binary. Instead, details of the
|
|
module(s) to load are specified in the configuration file, and the agent
|
|
locates the files listed, and merges them in at run time.
|
|
|
|
See http://www.net-snmp.org/tutorial-5/toolkit/dlmod/ for more information.
|
|
|
|
|
|
|
|
Which extension mechanism should I use?
|
|
--------------------------------------
|
|
|
|
That's not easy to answer in general.
|
|
|
|
If there's an existing agent that already implements the desired new
|
|
MIB, then it makes sense to re-use that, via whatever extension protocol
|
|
that agent might support. Note that the SMUX protocol has essentially
|
|
been superceded by AgentX, which provides a fuller and more reliable
|
|
mechanism than either SMUX or proxied SNMP. So ideally, this would
|
|
be the preferred extension approach.
|
|
But if the target subagent only supports SMUX or basic SNMP, then that
|
|
would dictate the extension protocol to use.
|
|
|
|
Implementing the module in C within the main agent (directly or via
|
|
dlmod) is probably the most efficient and reliable, closely followed
|
|
by embedded perl (or python) extensions. These have the advantage of
|
|
minimal overheads between the code implementing the MIB module, and
|
|
the agent framework, and no inter-process communication issues. But
|
|
this does assume that there's a suitable mechanism for retrieving the
|
|
necessary information.
|
|
|
|
If the new MIB is monitoring or managing some other subsystem, external
|
|
to the agent, then it may be necessary to embed a subagent within the
|
|
subsystem itself - particularly if there's no suitable public API to
|
|
retrieve the necessary information. In this case, AgentX is probably
|
|
the most appropriate way forward.
|
|
Alternatively, you could implement the missing public management API
|
|
for that subsystem, and develop a module within the main agent instead.
|
|
|
|
|
|
|
|
Can I use AgentX when running under Windows?
|
|
-------------------------------------------
|
|
|
|
Yes, but there are a couple of things to be aware of.
|
|
|
|
Firstly, by default the AgentX master listens on the Unix domain
|
|
socket '/var/agentx/master', which doesn't work under Windows.
|
|
You'll need to tell it to listen on a TCP port, either by using
|
|
the command-line option "-x localhost:705", or by adding the
|
|
directive "agentxSocket localhost:705" to the snmpd.conf file.
|
|
|
|
Secondly, be aware that the security of AgentX connectivity is not
|
|
particularly strong. The examples given here would allow any process
|
|
running on the local machine to register as an AgentX subagent. The
|
|
more obvious settings "-x 705" or "agentxSocket 705" would allow
|
|
a system *anywhere* on the network (or even from remote networks) to
|
|
register as an AgentX subagent. This could potentially be used to
|
|
hijack the agent, or provide false information.
|
|
|
|
|
|
|
|
How can I run AgentX with a different socket address?
|
|
----------------------------------------------------
|
|
|
|
There are two sides to an AgentX connection, and they need to
|
|
agree about which socket address to use. So if you want to use
|
|
a different socket, you need to configure both parties accordingly.
|
|
|
|
The socket that the Net-SNMP master agent uses to listen for AgentX
|
|
registrations (and send appropriate requests) can be specified using
|
|
the option '-x'.
|
|
The command
|
|
"snmpd -x tcp:localhost:705 ...."
|
|
would start the agent listening on the TCP port 705 for connections
|
|
from the local system.
|
|
The same effect can also be obtained by adding the line
|
|
agentxsocket localhost:705
|
|
to the file 'snmpd.conf'.
|
|
|
|
The same option can be used with the Net-SNMP agent when running in
|
|
This also holds when the Net-SNMP agent is running in
|
|
"subagent" mode, to specify the socket to register with (and receive
|
|
requests from).
|
|
So a subagent might connect to the master agent above (both running
|
|
on the same host), using:
|
|
"snmpd -X -x tcp:localhost:705 ...."
|
|
|
|
A subagent running embedded within some other application will
|
|
typically not understand the same command-line options, so would
|
|
need to set the same configuration programmatically:
|
|
|
|
netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
|
|
NETSNMP_DS_AGENT_X_SOCKET, "tcp:localhost:705");
|
|
|
|
With the example subagent code from the Net-SNMP tutorial, this line
|
|
would be added immediately before the 'init_agent' call.
|
|
|
|
The same approach can also be used to listen on a different named
|
|
socket, using:
|
|
agentxsocket /tmp/agentx
|
|
agentxperms 770 770 myuser mygroup
|
|
or
|
|
snmpd -x /tmp/agentx ....
|
|
or
|
|
netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
|
|
NETSNMP_DS_AGENT_X_SOCKET, "/tmp/agentx");
|
|
as appropriate.
|
|
|
|
|
|
|
|
How can I turn off SMUX support?
|
|
-------------------------------
|
|
|
|
Normally, you would use the command-line option '-I -{module}' to
|
|
disable the initialisation of a particular MIB module within the
|
|
agent. Unfortunately, it's not currently possible to turn off SMUX
|
|
support this way.
|
|
|
|
The safest approach is to run
|
|
configure --with-out-mib-modules=smux
|
|
and recompile the agent.
|
|
|
|
If this is not possible, an alternative workaround might be to have
|
|
the agent bind the SMUX socket to an invalid IP address, using a
|
|
snmpd.conf line such as:
|
|
|
|
smuxsocket 1.0.0.0
|
|
|
|
The agent may complain at startup, but it won't accept any incoming
|
|
SMUX requests.
|
|
|
|
If the agent complains about not recognising the "smuxsocket"
|
|
token, then you're out of luck. You'll either have to recompile
|
|
from source, or use local firewall rules to block connections
|
|
to port 199.
|
|
|
|
|
|
|
|
How can I combine two copies of the 'mib2' tree from separate subagents?
|
|
-----------------------------------------------------------------------
|
|
|
|
This is the purpose of the SNMPv3 'context' field. Register the MIB
|
|
module a second time in a non-default context (see the relevant entry
|
|
in the CODING section for details), and specify this context when
|
|
querying the agent. The MIB module can use this context information
|
|
to determine which set of information to report.
|
|
Or you could register two completely different handlers for the same
|
|
OID (using different contexts), and the agent will invoke the appropriate
|
|
code. This holds for both MIB modules implemented within the main agent,
|
|
or AgentX subagents - the same approach will work for both.
|
|
|
|
Contexts can also be used with proxied SNMP requests - just specify
|
|
the option '-Cn {context}' as part of the "proxy" entry. See the
|
|
'snmpd.conf(5)' man page for details.
|
|
|
|
It's currently not possible to support parallel MIB trees when using
|
|
SNMPv1 or SNMPv2c. In principle, it should be possible to use the
|
|
community string in a similar way, but this has not (yet) been implemented.
|
|
|
|
This mechanism is only available with the v5 Net-SNMP agent. The v4
|
|
UCD agent does not support contexts at all. Sorry about that.
|
|
|
|
Another way to handle this would be to tweak one of the subagents to
|
|
use a different set of (non-standard) OID assignments - perhaps by
|
|
relocating the whole of the subtree to another (private) OID. This
|
|
is not ideal, but should work with all configurations.
|
|
|
|
|
|
|
|
What traps are sent by the agent?
|
|
--------------------------------
|
|
|
|
The Net-SNMP agent sends a 'coldStart(0)' trap when it first starts up,
|
|
and an enterprise-specific trap 'nsNotifyShutdown' when it stops. It
|
|
generates an enterprise-specific trap 'nsNotifyRestart' (rather than
|
|
the standard 'coldStart(0)' or 'warmStart(1)' traps) on receiving a HUP
|
|
signal - typically after being re-configured. It can also be configured
|
|
to send an 'authenticationFailure(4)' trap when it receives an SNMPv1
|
|
(or SNMPv2c) request using an unknown community name.
|
|
|
|
The agent does not send 'linkUp' or 'linkDown' traps by default. It can
|
|
be configured to do this using the directive 'linkUpDownNotifications'.
|
|
See the 'snmpd.conf(5)' man page (under ACTIVE MONITORING) for details.
|
|
|
|
Similarly, it does not generate traps by default when one of the
|
|
monitored characteristics (disk usage, running processes, etc) enters or
|
|
leaves an error state. This can be configured using the 'defaultMonitors'
|
|
directive (again documented under ACTIVE MONITORING).
|
|
|
|
|
|
|
|
Where are these traps sent to?
|
|
-----------------------------
|
|
|
|
With all these alerts, the agent needs to be told where to send them,
|
|
specifying the type of notification (v1 or v2 trap, or v2 inform) and
|
|
the community name to use. This uses the snmpd.conf directives 'trapsink',
|
|
'trap2sink' and 'informsink' for the destination type, and 'trapcommunity'
|
|
for the community name. SNMPv3 destinations can be configured using the
|
|
directive 'trapsess'. See the 'snmpd.conf(5)' man page for details.
|
|
|
|
Note that the type of trap generated is totally determined by these
|
|
directives - irrespective of which API call was used to trigger sending
|
|
the trap. See the trap-related entries in the CODING section for details.
|
|
|
|
Note also that you typically only want *one* of the settings:
|
|
|
|
trapsink localhost
|
|
trap2sink localhost
|
|
informsink localhost
|
|
|
|
Including two (or all three) of these lines in the snmpd.conf file will
|
|
will result in multiple copies of every notifications being sent for
|
|
each call to 'send_easy_trap()' (or 'send_v2trap()').
|
|
This is probably not what was intended!
|
|
|
|
|
|
|
|
How can I send a particular trap to selected destinations?
|
|
----------------------------------------------------------
|
|
|
|
This is not currently possible. All notifications will be sent to
|
|
all configured destinations. The agent does not (currently) support
|
|
notification filtering.
|
|
|
|
There is a preliminary implementation of the snmpNotifyFilterTable
|
|
which is designed to allow this sort of selective trap direction.
|
|
However this is not currently active. (The tables are present and
|
|
can be manipulated and updated, but the information is not consulted)
|
|
Documentation on how to use this mechanism will appear once the
|
|
functionality is working properly.
|
|
|
|
|
|
|
|
When I run the agent it runs and then quits without staying around. Why?
|
|
-----------------------------------------------------------------------
|
|
|
|
Firstly, are you certain that this is what is happening?
|
|
|
|
The normal operation of the agent is to 'fork' itself into the background,
|
|
detaching itself from the controlling terminal so that it will continue
|
|
running even when you log out, and freeing the command line for subsequent
|
|
use. This looks at first sight as if the agent has died, but using 'ps'
|
|
to show all processes should reveal that the agent is still running.
|
|
|
|
To prevent this behaviour (such as when attempting to debug the agent),
|
|
you can start it with the '-f' flag. This suppresses the fork, and the
|
|
agent will run as a 'normal' command. It's also often useful to use the
|
|
'-Le' (or '-L') flag, to log messages to stderr.
|
|
|
|
On the other hand, if 'ps' shows that the agent is not running, then
|
|
this is an error, and probably show that something went wrong in
|
|
starting the agent up. Check the agent log file for any error messages,
|
|
or run it with '-f -Le' and see what it reports.
|
|
|
|
One possible cause might be an existing agent (or some other process)
|
|
that's already listening on the SNMP port. Trying to start a second
|
|
agent will fail with an error about "opening the specified endpoint".
|
|
|
|
If you're starting the agent as a non-root user, then this may also
|
|
fail with the very same error. By default, the agent (and trap handler)
|
|
will attempt to listen on the standard SNMP port 161 (or 162 for the
|
|
trap handler). These are defined as "privileged ports", and processes
|
|
will need to be running as root in order to open them.
|
|
|
|
One way to tackle this is to start the agent as root, but use the -u
|
|
option to switch to run as another user once the port has been opened.
|
|
Alternatively, you can specify a different port to use instead.
|
|
Anything greater than 1024 is available to non-root users. In this case,
|
|
you'll also need to specify the same port when issuing client commands.
|
|
|
|
|
|
|
|
After a while the agent stops responding, and starts eating CPU time. Why?
|
|
--------------------------------------------------------------------------
|
|
|
|
This is basically the same problem described in the APPLICATIONS
|
|
section, in the entry
|
|
The agent worked for a while, then stopped responding. Why?
|
|
|
|
See that entry for details.
|
|
|
|
|
|
|
|
How can I stop other people getting at my agent?
|
|
-----------------------------------------------
|
|
|
|
Firstly, are you concerned with read access or write access?
|
|
|
|
As far as changing things on the agent is concerned, there is relatively
|
|
little that can actually be altered (see the entry "Why can't I set
|
|
any variables in the MIB?" above).
|
|
|
|
If you are using the example config file, this is set up to allow
|
|
read access from your local network, and write access only from the
|
|
system itself (accessed as 'localhost'), both using the community name
|
|
specified. You will need to set appropriate values for both NETWORK
|
|
and COMMUNITY in this file before using it.
|
|
This mechanism can also be used to control access much more precisely.
|
|
(see the next few questions for details)
|
|
|
|
Other options include:
|
|
- Blocking access to port 161 from outside your organisation
|
|
(using filters on network routers)
|
|
- Using kernel-level network filtering on the system itself
|
|
(such as IPTables)
|
|
- Configuring TCP wrapper support ("--with-libwrap")
|
|
This uses the TCP 'libwrap' library (available separately)
|
|
to allow/deny access via /etc/hosts.{allow,deny}
|
|
|
|
For strict security you should use only SNMPv3, which is the secure
|
|
form of the protocol. However, note that the agent access control
|
|
mechanisms does not restrict SNMPv3 traffic by location - an SNMPv3
|
|
request will be accepted or rejected based purely on the user
|
|
authentication, irrespective of where it originated. Source-based
|
|
restrictions on SNMPv3 requests would need to use one of the "external"
|
|
mechanisms listed above.
|
|
|
|
|
|
|
|
How can I listen on just one particular interface?
|
|
-------------------------------------------------
|
|
|
|
Normally, the agent will bind to the specified port on all interfaces
|
|
on the system, and accept requests received from any of them. However,
|
|
if a particular port (or ports) is specified when the agent is first
|
|
started, then it will only listen for requests on these particular
|
|
ports.
|
|
For example:
|
|
snmpd 127.0.0.1:161
|
|
|
|
would listen (on the standard port) on the loopback interface only, and:
|
|
|
|
snmpd 10.0.0.1:6161
|
|
|
|
would listen on port 6161, on the (internal network) interface with
|
|
address 10.0.0.1. To listen on both of these interfaces (and no others)
|
|
provide a list of all the desired addresses:
|
|
|
|
snmpd 127.0.0.1:161 127.0.0.1:6161
|
|
|
|
The AgentX port option ('-x') works in much the same way.
|
|
|
|
|
|
|
|
The agent is complaining about 'snmpd.conf'. Where is this?
|
|
-----------------------------------------------------------
|
|
|
|
It doesn't exist in the distribution as shipped. You need to
|
|
create it to reflect your local requirement.
|
|
To get started, you can either just create this file manually,
|
|
or run snmpconf to help you create one. At the very least, you
|
|
will need some form of access control configuration, if the agent
|
|
is to be of any use whatsoever. This can be as simple as:
|
|
|
|
rocommunity public
|
|
|
|
See the snmpd.conf(5) manual page or relevant entries in this
|
|
FAQ for further details.
|
|
|
|
|
|
|
|
Why does the agent complain about 'no access control information'?
|
|
-----------------------------------------------------------------
|
|
|
|
Although an SNMP agent may support a wide range of management
|
|
information, it is not necessarily appropriate to report the whole
|
|
of this to every SNMP management station who asks for it. Some
|
|
information may be sensitive, and should restricted to authorized
|
|
administrators only. SNMP therefore includes mechanisms for
|
|
controlling who has access to what information - both in terms of
|
|
what can be seen, and (even more importantly) what can be changed.
|
|
|
|
By default, the Net-SNMP agent starts up with a completely empty
|
|
access control configuration. This means that *no* SNMP request
|
|
would be successful. It is necessary to explicitly configure
|
|
suitable access control settings, based on who should be granted
|
|
access in that particular environment.
|
|
|
|
If there are no access control entries configured (perhaps because
|
|
no snmpd.conf configuration file has been loaded, or it contains no
|
|
access control settings), then the agent will not respond to any
|
|
SNMP requests whatsoever. This is almost certainly not what was
|
|
intended, so the agent reports this situation.
|
|
|
|
See the next entry for how to configure access control settings.
|
|
|
|
|
|
|
|
How do I configure access control?
|
|
---------------------------------
|
|
|
|
The simplest way is to use the configure directives:
|
|
|
|
rocommunity public (for SNMPv1/2c)
|
|
rwcommunity private
|
|
or
|
|
rouser user1 (for SNMPv3)
|
|
rwuser user2
|
|
|
|
These specify the community names or security names to accept for
|
|
read-only and read-write access to the whole of the supported MIB tree.
|
|
(Obviously you should change these names to match your requirements -
|
|
which is a particularly good idea in the case of 'rwcommunity'!)
|
|
|
|
Note that you should *not* specify the same community name for both
|
|
rocommunity and rwcommunity directives. The rwcommunity setting
|
|
automatically provides read access, and having both lines (with the
|
|
same community name) may result in unexpected behaviour.
|
|
Only use both settings when specifying *different* community names.
|
|
The same holds true for rouser and rwuser.
|
|
|
|
The two community directives can be restricted to only allow requests
|
|
from particular sources, and all four can be restricted to a particular
|
|
subtrees or (from v5.3) a named view. See 'snmpd.conf(5)' for details.
|
|
|
|
|
|
|
|
How do I configure SNMPv3 users?
|
|
-------------------------------
|
|
|
|
There are three ways to configure SNMPv3 users:
|
|
|
|
1) Stop the agent, and add the line
|
|
|
|
createUser {myUser} MD5 {myPassword} DES
|
|
|
|
to the file /var/lib/snmp/snmpd.conf (where {myUser} and
|
|
{myPassword} are the appropriate values for username and password,
|
|
_without_ the braces!). Then re-start the snmpd agent.
|
|
|
|
2) Stop the agent, run the command
|
|
|
|
net-snmp-config --create-snmpv3-user
|
|
|
|
and follow the prompts given. This will create an entry
|
|
in the /var/lib/snmp/snmpd.conf file similar to the above.
|
|
Then re-start the snmpd agent.
|
|
|
|
3) Make sure the agent is running, and will respond to an SNMPv3
|
|
request (using an existing user with the desired authentication
|
|
and privacy protocols). Then use the 'snmpusm' command to clone
|
|
this template user, and change the password.
|
|
|
|
|
|
See the access control entries above and the file 'README.snmpv3'
|
|
for more details about how to use SNMPv3 users,
|
|
|
|
Note that simply having a 'rouser' or 'rwuser' line does *not*
|
|
automatically create the corresponding SNMPv3 user. You will need
|
|
the above 'createUser' line (or an equivalent 'usmUser') as well.
|
|
|
|
|
|
|
|
The 'createUser' line disappears when I start the agent. Why?
|
|
-------------------------------------------------------------
|
|
|
|
This is deliberate.
|
|
|
|
The agent removes the (human-readable) 'createUser' directive, and
|
|
replaces it with an equivalent 'usmUser' entry. This contains the
|
|
same information, but in a form that's only meaningful internally.
|
|
Not only is the passphrase no longer visible in the config file, it
|
|
has actually been converted to a key that is only valid on this
|
|
particular system. If someone stole the configuration file, they
|
|
could not use the information from the usmUser entry to access any
|
|
of your other agents (even if the usernames and passwords were the same).
|
|
|
|
|
|
|
|
What's the difference between /var/lib/snmp and /usr/share/snmp?
|
|
----------------------------------------------------------------
|
|
|
|
The /var/lib/snmp location is primarily used for information set
|
|
during the running of the agent, which needs to be persistent between
|
|
one run of the agent and the next. Apart from "createUser" (see
|
|
the previous entry), you shouldn't need to touch this file.
|
|
|
|
All other user-provided configuration should go in the traditional
|
|
location (typically /usr/share/snmp or /etc/snmp).
|
|
|
|
|
|
|
|
My new agent is ignoring the old snmpd.conf file. Why?
|
|
-----------------------------------------------------
|
|
|
|
The most likely explanation is that the new version of the agent is
|
|
looking in a different location than the previous one. This is commonly
|
|
experienced when replacing a ready-installed version (e.g. from a vendor
|
|
distribution), with the current release installed from the source.
|
|
|
|
Try moving the old config file to the new location, and restart the agent.
|
|
If you're not sure where this should go, see the next entry.
|
|
|
|
|
|
|
|
Where should the snmpd.conf file go?
|
|
-----------------------------------
|
|
|
|
The default location for this file with the basic distribution is
|
|
/usr/share/snmp/snmpd.conf (or PREFIX/share/snmp/snmpd.conf).
|
|
Ready-installed versions often look for the file as /etc/snmpd.conf,
|
|
or /etc/snmp/snmpd.conf.
|
|
|
|
If you are still not sure, try running the command
|
|
|
|
snmpd -f -Le -Dread_config 2>&1 | grep "config path"
|
|
|
|
The first line of output will display the list of locations where
|
|
the agent is looking for configuration information.
|
|
|
|
|
|
|
|
Why am I getting "Connection refused"?
|
|
-------------------------------------
|
|
|
|
This is actually nothing to do with the access control mechanism
|
|
(though that's an understandable mistake). This is the result of
|
|
the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny'
|
|
to control access to the service. Some distributions may come with
|
|
this enabled automatically - otherwise you need to explicitly activate
|
|
this by running
|
|
configure --with-libwrap
|
|
and recompiling the agent.
|
|
|
|
If TCP wrappers are enabled, and both hosts.allow and hosts.deny are
|
|
empty, then all requests will be rejected (with "Connection refused").
|
|
The simplest way to avoid this problem and allow incoming requests is
|
|
to add the line
|
|
|
|
snmpd: ALL
|
|
|
|
to the file /etc/hosts.allow. Be aware that doing this removes one
|
|
level of protection and allows anyone to try and query your agent.
|
|
The agent's own access control mechanisms can still be used to restrict
|
|
what - if anything - they can see.
|
|
|
|
If you do wish to use the TCP wrappers to restrict access, it's sensible
|
|
to have an explicit entry:
|
|
|
|
snmpd: ALL
|
|
|
|
in the file /etc/hosts.deny, which makes it crystal clear that access
|
|
to the SNMP agent has been denied. This mechanism can also be used to
|
|
restrict access to specific management hosts, using a hosts.deny entry
|
|
such as:
|
|
|
|
snmpd: ALL EXCEPT 127.
|
|
|
|
which will allow connections from localhost, and nothing else.
|
|
|
|
Note that personal firewalls, such as the Linux iptables mechanism,
|
|
may have a similar effect (though typically this won't be logged).
|
|
See the earlier entry
|
|
Requests always seem to timeout, and don't give me anything back. Why?
|
|
|
|
|
|
|
|
Why can't I see values in the UCDavis 'proc' or 'disk' trees?
|
|
------------------------------------------------------------------
|
|
|
|
Both these trees are designed to report precisely those things that
|
|
have been explicitly configured for monitoring. If there are no
|
|
relevant configuration entries in the snmpd.conf file, then these
|
|
tables will be empty. See the snmpd.conf manual page and the
|
|
EXAMPLE.conf file for details on configuring the agent.
|
|
|
|
Optionally, run snmpconf -g monitoring to help you set up this
|
|
section of the snmpd.conf file.
|
|
|
|
|
|
|
|
Why can't I see values in the UCDavis 'memory' or 'vmstat' trees?
|
|
----------------------------------------------------------------
|
|
|
|
These trees do not need any explicit configuration, and should
|
|
be present automatically.
|
|
|
|
However the C code necessary to implement these particular MIB
|
|
modules are not supported on all operating systems. These trees
|
|
will be omitted on any system for which there is no underlying
|
|
code. Currently, they are only supported on Linux, HP-UX (memory
|
|
only), Solaris, BSDi (vmstat on BSDi4 only), Dynix, FreeBSD, NetBSD
|
|
and OpenBSD.
|
|
If you want to help port it to other systems, let us know.
|
|
|
|
Note that these subtrees only report the current usage when
|
|
explicitly queried. They do *not* automatically generate traps
|
|
when the usage strays outside the configured bounds.
|
|
See the earlier FAQ entry
|
|
What traps are sent by the agent?
|
|
or the snmpd.conf section on active monitoring, for more information.
|
|
|
|
|
|
|
|
What do the CPU statistics mean - is this the load average?
|
|
----------------------------------------------------------
|
|
|
|
No. Unfortunately, the original definition of the various CPU
|
|
statistics was a little vague. It referred to a "percentage",
|
|
without specifying what period this should be calculated over.
|
|
It was therefore implemented slightly differently on different
|
|
architectures.
|
|
|
|
The 5.4 release has clarified the situation, and standardised on
|
|
calculating these percentages over a minute. The relevant MIB
|
|
descriptions have been updated to make the desired behaviour
|
|
more explicit.
|
|
|
|
The Net-SNMP agent also includes "raw counters", which can be used
|
|
to calculate the percentage usage over any desired period. This is
|
|
the "right" way to handle things in the SNMP model. The original
|
|
percentage objects have been deprecated, and may possibly be removed
|
|
in a future release of the agent.
|
|
|
|
Note that this is different from the Unix load average, which is
|
|
available via the loadTable, and is supported on all architectures.
|
|
|
|
|
|
|
|
How do I get percentage CPU utilization using ssCpuRawIdle?
|
|
-----------------------------------------------------------
|
|
|
|
This one of the "raw counters" mentioned in the previous entry.
|
|
You need to take two readings of this object and look at the
|
|
difference between them. That difference divided by the total
|
|
number of 'ticks' between the two readings (where one tick is
|
|
probably 0.01 seconds) will give you the percentage utilization
|
|
over that period.
|
|
|
|
|
|
|
|
What about multi-processor systems?
|
|
----------------------------------
|
|
|
|
The CPU objects (both percentages and raw counters) were designed to
|
|
monitor the overall CPU activity of a system, and typically reflect
|
|
whatever the underlying operating system reports for the (single)
|
|
CPU statistics information. How these are handled for a multi-CPU
|
|
system will differ from one O/S to another, and will need
|
|
to be investigated for each system individually.
|
|
|
|
The htProcessorTable was designed to handle monitoring multi-CPU
|
|
machines, but the Net-SNMP implementation has up to now treated
|
|
most systems (with the honourable exception of Solaris, and more
|
|
recently Linux) as implicitly single-CPU.
|
|
|
|
With the 5.4 release, there is now a cleaner framework for reporting
|
|
on multi-CPU equipment, and it is hoped that an increasing number
|
|
of systems will be able to report suitable processor information.
|
|
Also with the 5.4 release, for the first time the agent will report
|
|
the hrProcessorLoad value properly, which should provide some simple
|
|
per-CPU statistics.
|
|
|
|
|
|
|
|
The speed/type of my network interfaces is wrong - how can I fix it?
|
|
-------------------------------------------------------------------
|
|
|
|
Some operating systems will provide a mechanism for determining
|
|
the speed and type of network interfaces, but many do not. In such
|
|
cases, the agent attempts to guess the most appropriate values,
|
|
usually based on the name of the interface.
|
|
|
|
The snmpd.conf directive "interface" allows you to override these
|
|
guessed values, and provide alternative values for the name, type
|
|
and speed of a particular interface. This is particularly useful
|
|
for fast-ethernet, or dial-up interfaces, where the speed cannot be
|
|
guessed from the name.
|
|
|
|
See the snmpd.conf(5) man page for details.
|
|
|
|
|
|
|
|
The interface statistics for my subinterfaces are all zero - why?
|
|
----------------------------------------------------------------
|
|
|
|
Unfortunately, most kernels that support multiple logical
|
|
interfaces on a single physical interface, don't keep separate
|
|
statistics for each of these. They simply report the overall
|
|
statistics for the physical interface itself.
|
|
|
|
There's no easy way around this problem - the agent can only
|
|
report such information as is available. If the kernel doesn't
|
|
keep track of these figures, the agent can't report them.
|
|
|
|
Sorry!
|
|
|
|
|
|
|
|
Does the agent support the RMON-MIB?
|
|
-----------------------------------
|
|
|
|
Not really.
|
|
|
|
There is an "Rmon" code module included within the agent source
|
|
code tree, but this is best thought of as a template for the
|
|
RMON-MIB statistics groups, rather than a full implementation.
|
|
|
|
With most MIBs, the hardest part of implementing the MIB is often
|
|
getting hold of the data to report. This is definitely true of the
|
|
RMON-MIB, which relies on gathering (and analysing) a potentially
|
|
large quantity of network traffic. The Rmon code distributed with
|
|
the Net-SNMP agent code avoids this problem, by using random data.
|
|
|
|
Some of the functionality of the RMON-MIB, such as the alarm and
|
|
event groups, has since been superseded by the work of the DisMan
|
|
IETF working group. The Net-SNMP agent does implement these (more
|
|
general) MIB modules. But the statistics gathering aspects of
|
|
the RMON-MIB are not readily available.
|
|
|
|
Note too that none of the core developers have any significant
|
|
experience with this code, and the person who originally wrote it
|
|
is no longer active on the mailing lists. So there's no point in
|
|
asking on the lists whether these modules work or not. You've got
|
|
the source - how badly do you need this functionality?
|
|
|
|
|
|
|
|
What does "klread: bad address" mean?
|
|
-------------------------------------
|
|
|
|
This means that the agent was unable to extract some of the
|
|
necessary information from the kernel structures. This is
|
|
possibly due to:
|
|
- either looking in the wrong place for kernel information
|
|
(check the value of KERNEL_LOC)
|
|
- an error in the implementation of part of the MIB tree
|
|
for that architecture. Try and identify which
|
|
OID is generating the error, and contact the
|
|
list 'net-snmp-coders@lists.sourceforge.net'
|
|
Remember to tell us what architecture you have!
|
|
|
|
|
|
|
|
What does "nlist err: wombat not found" (or similar) mean?
|
|
----------------------------------------------------------
|
|
|
|
This means that the agent wasn't able to locate one of the
|
|
kernel structures it was looking for. This may or may not
|
|
be important - some systems provide alternative mechanisms
|
|
for obtaining the necessary information - Solaris, for example,
|
|
can produce a whole slew of such messages, but still provide
|
|
the correct information.
|
|
This error only occurs if you have used the flag
|
|
'--enable-debugging' as part of the initial configuration.
|
|
Reconfigure the agent with '--disable-debugging' and these
|
|
messages will disappear. (It won't fix the underlying problem,
|
|
but at least you won't be nagged about it).
|
|
|
|
|
|
|
|
What does "Can't open /dev/kmem" mean?
|
|
-------------------------------------
|
|
|
|
This device is normally restricted to just being accessible by root
|
|
(or possibly by a special group such as 'kmem' or 'sys'). The agent
|
|
must be able to read this device to obtain the necessary information
|
|
about the running system.
|
|
Check that the agent was started by root, and is running with UID 0
|
|
(or suitable GID if appropriate). The agent will normally continue
|
|
to run without this level of access permission, but won't be able to
|
|
report values for many of the variables (particularly those relating
|
|
to network statistics).
|
|
|
|
|
|
|
|
The system uptime (sysUpTime) returned is wrong!
|
|
-----------------------------------------------
|
|
|
|
Oh no it's not.
|
|
The defined meaning of 'sysUpTime' is
|
|
"the time ... since the *network management*
|
|
portion of the system was re-initialized."
|
|
|
|
In other words, when the snmp agent was started, not when the
|
|
system itself last booted. This latter information is available
|
|
in the Host Resources MIB as "hrSystemUpTime.0"
|
|
Note that even if the full Host Resources is not supported on
|
|
your system, it's worth configuring in the system portion using
|
|
|
|
'--with-mib-modules=host/hr_system'
|
|
|
|
and recompiling. This particular group is reasonably likely to work,
|
|
even if some of the other more architecture-specific groups don't.
|
|
|
|
|
|
|
|
Can the agent run multi-threaded?
|
|
--------------------------------
|
|
|
|
Short answer - no.
|
|
Longer answer - not easily.
|
|
|
|
Net-SNMP within a single thread of an threaded application is fine,
|
|
as long as *all* snmp code is kept within the same thread. This lets
|
|
you add SNMP support to an existing threaded application.
|
|
|
|
If you are concerned with the time taken for to process requests for
|
|
a particular agent, object or subtree, and you want the agent to
|
|
continue to respond to other requests in the meantime, there are
|
|
two options.
|
|
|
|
The first method is using AgentX sub-agents. If you have several
|
|
tables, each implemented by a separate subagent, then a single
|
|
request for entries from each of the tables will be processed
|
|
in parallel (and the agent will continue to respond to other
|
|
requests while it waits for the subagents to return the necessary
|
|
information). But a request for several objects from the same
|
|
table will be passed off to the relevant subagent, where it will
|
|
(normally) be processed serially.
|
|
|
|
The second method is to use delegated requests + IPC to another
|
|
process. If takes a long time to retrieve a value for a given object,
|
|
then the object handler could do whatever necessary to start or
|
|
communicate with another (non-SNMP) process/thread to actually
|
|
retrieve the value, and mark the request as delegated.
|
|
The main agent (or subagent) can then receive and process other
|
|
requests while waiting for the delegated request to finish.
|
|
Dealing with resource contention is all up to you.
|
|
|
|
All of this only applies to the GET family of requests. A SET
|
|
request will block until all pending GET requests have finished,
|
|
and then will not accept new requests until the SET is complete.
|
|
|
|
Adding full multi-thread support directly to the agent would be
|
|
nice. We just need someone with time/money to do/sponsor the work.
|
|
|
|
|
|
|
|
Can I use AgentX (or an embedded SNMP agent) in a threaded application?
|
|
-----------------------------------------------------------------------
|
|
|
|
With care.
|
|
|
|
As mentioned in the earlier "thread-safe" FAQ entry, the Net-SNMP
|
|
agent (including the AgentX subagent) has not been designed for
|
|
threaded operation. In particular, it makes use of various global
|
|
variables without attempting to protect them against simultaneous
|
|
use. This means that it is *NOT* safe to have SNMP or AgentX
|
|
related processing in two separate threads. This also applies to
|
|
handling GET (and SET) processing in one thread, and generating traps
|
|
in another. This is still vulnerable to the usual threading problems.
|
|
|
|
However, as long as *all* of the SNMP-related activity is limited
|
|
to the one thread, then there should be no reason why this cannot
|
|
safely communicate with other threads within the same application,
|
|
using private (thread-safe) mechanisms.
|
|
|
|
But in terms of the Net-SNMP-provided code, the agent (and AgentX
|
|
subagent) should *not* be regarded as thread-safe.
|
|
|
|
|
|
|
|
COMPILING
|
|
=========
|
|
|
|
How do I control the environment used to compile the software?
|
|
-------------------------------------------------------------
|
|
|
|
The basic mechanism for compiling the Net-SNMP project software is to
|
|
run "configure", followed by "make" (to compile it), "make test" (to
|
|
check that it's working properly) and then "make install" (to install
|
|
the files into the correct locations - which typicalyl needs to be done
|
|
as root.
|
|
|
|
The primary role of "configure" is to determines various aspects about
|
|
the system that the software is being compiled on. However there are
|
|
also a number of options to configure which can be used to control
|
|
various aspects of the compilation environment.
|
|
|
|
The most common options are "--with-mib-modules" and "--with-out-mib-modules"
|
|
which control the set of MIB module code files that are included within
|
|
the agent binary. Adding or removing these modules will affect what MIB
|
|
information the agent can return.
|
|
See the entry "How do I add a MIB to the agent?" for more details.
|
|
|
|
|
|
The configure script can also specify the compiler to use for compiling
|
|
the source code (e.g. "configure --with-cc=cc"), the flags passed to
|
|
this compiler (e.g. "configure --with-cflags=-g"), or to the linker
|
|
(e.g. "configure --with-ldflags=-Bstatic"), and various other aspects of
|
|
the build environment.
|
|
Run "configure --help" for a full list.
|
|
|
|
|
|
|
|
How do I control the environment used to compile the software under Windows?
|
|
---------------------------------------------------------------------------
|
|
|
|
If you are compiling the project within the MinGW or Cygwin environments,
|
|
then these use the same "configure" mechanism as Unix-based systems. See
|
|
the previous entry for more information.
|
|
|
|
If you are compiling the project from within Visual Studio, then this does
|
|
not use the standard configure mechanism. Instead, there is a separate
|
|
"Configure" script within the 'win32' directory. This can be used enable
|
|
or disable various aspects of the build environment, such as support for
|
|
encryption or IPv6.
|
|
Run "Configure --help" for more information
|
|
|
|
Note that this script does not include an equivalent of "--with-mib-modules"
|
|
for extending the MIB information supported by the agent. Instead, this
|
|
needs to be done by tweaking the build environment manually. See the file
|
|
README.win32 for more details of this, and various other aspects of building
|
|
the project on Windows systems.
|
|
|
|
|
|
|
|
Why does the compilation complain about missing libraries?
|
|
---------------------------------------------------------
|
|
|
|
This has been seen in a number of guises over the years - most commonly
|
|
on Linux systems (although the problem may also occur elsewhere). The
|
|
underlying problem is that typical installation may not always include
|
|
the full set of library links required for building the Net-SNMP software.
|
|
|
|
This problem can usually be fixed by installing the missing packages
|
|
(typically the development version of a package that is already there).
|
|
|
|
Examples of this that we have come across include:
|
|
|
|
-lelf elfutils-devel (later renamed to elfutils-libelf-devel)
|
|
-lbz2 bzip2-devel
|
|
-lselinux libselinux-devel
|
|
-lcrypto openssl/openssl-devel
|
|
-lbeecrypt libbeecrypt/beecrypt/beecrypt-devel.
|
|
|
|
These are the names of the RedHat/Fedora RPMs. Other distributions
|
|
or O/S's may use different names, but the basic idea should be the
|
|
same.
|
|
|
|
If the compilation is complaining about a missing .so file, then an
|
|
alternative quick fix is to add the missing symbolic link, using
|
|
something like:
|
|
ln -s libelf.so.1 /usr/lib/libelf.so
|
|
|
|
giving the appropriate generic library name from the error message,
|
|
and the correct number for whichever version of this library you
|
|
have installed.
|
|
|
|
If the compilation is complaining about a .la file, then you should
|
|
install the relevant development package, as listed above.
|
|
|
|
|
|
|
|
How can I reduce the memory footprint?
|
|
--------------------------------------
|
|
|
|
In order to reduce the memory footprint (for instance, to
|
|
embed the snmpd into a device), the following configure options
|
|
could be used.
|
|
|
|
'--disable-debugging'
|
|
This turns off the compilation of all debugging statements.
|
|
|
|
'--enable-mini-agent' '--with-out-mib-modules=examples/ucdDemoPublic'
|
|
This creates an agent with just the essential MIB modules included.
|
|
NOTE: If you need additional MIB modules, then simply add them
|
|
using the option '--with-mib-modules=...' but this will of course
|
|
increase the memory footprint.
|
|
|
|
'--with-transports=UDP'
|
|
This option specifies the transport domains to include.
|
|
For a simple standalone agent, just UDP should be sufficient.
|
|
(Although the 'disman' and 'agentx' modules may require the
|
|
Callback, TCP and/or Unix transport domains as well).
|
|
|
|
'--without-kmem-usage'
|
|
This can be used in order to omit the code that operates on the
|
|
/dev/kmem interface. Clearly, this option cannot be used when
|
|
one of the configured MIB modules depends on it.
|
|
|
|
'--with-mibdirs=' and '--with-mibs='
|
|
These options tell the agent not to load any MIB modules.
|
|
This doesn't affect the size of libraries or application
|
|
binaries, but will reduce the memory footprint during runtime.
|
|
|
|
'--disable-mib-loading'
|
|
This can be used in order to omit the code that loads and
|
|
parses the MIB files altogether. This will reduce both the
|
|
runtime memory footprint, and the binary sizes.
|
|
|
|
Once the agent (snmpd) has been linked, you might also try running
|
|
'strip snmpd' to remove un-necessary debug/symbol information.
|
|
|
|
|
|
|
|
How can I reduce the installation footprint or speed up compilation?
|
|
-------------------------------------------------------------------
|
|
|
|
The following configure options may also be useful:
|
|
|
|
--disable-agent Do not build the agent (snmpd).
|
|
--disable-applications Do not build the apps (snmpget, ...).
|
|
--disable-manuals Do not install the manuals.
|
|
--disable-scripts Do not install the scripts (mib2c, ...).
|
|
--disable-mibs Do not install the mib files.
|
|
--disable-mib-loading Do not include code that parses and
|
|
manipulates the mib files.
|
|
|
|
|
|
|
|
How can I compile the project for use on an embedded system?
|
|
-----------------------------------------------------------
|
|
|
|
Although this is definitely a Frequently Asked Question on the project
|
|
mailing lists, it hasn't really been a Frequently _Answered_ Question.
|
|
The basic problem is that none of the core development team have much
|
|
involvement or experience with embedded systems. And although we have
|
|
repeatedly put out a plea for implementation reports and advice, this
|
|
has not so far been particularly successful. So the first thing to say
|
|
is that the following suggestions should be treated with a greater than
|
|
usual level of suspicion.
|
|
|
|
The second thing to say is that compiling the Net-SNMP project for use
|
|
on an embedded system typically means compiling the *agent* (rather than
|
|
the trap receiver, or command-line tools). So that is what this entry
|
|
will concentrate on.
|
|
|
|
There are three main aspects to consider:
|
|
- how to compile the code,
|
|
- *what* code to compile, and
|
|
- how to install the resulting agent binary.
|
|
|
|
The Net-SNMP project uses the standard "configure" mechanism, so the
|
|
usual cross-compilation options are available - in particular "--host"
|
|
and "--target". It is also possible to specify the compiler and linker
|
|
to use ("--with-cc" and "--with-ld"), and any special flags to pass
|
|
to them ("--with-cflags" and "--with-ldflags"). There shouldn't be
|
|
anything particularly special about compiling the Net-SNMP code, so
|
|
see the documentation for your target environment for more information.
|
|
(And please let us know if there *is* anything special that should be
|
|
mentioned here!)
|
|
|
|
If the aim is simply to generate an SNMP agent to run on the target
|
|
system, it's probably not necessary to compile the command-line tools
|
|
or trap receiver. The configure option "--disable-applications" will
|
|
omit these elements. See the previous entry for other potentially
|
|
relevant useful options.
|
|
|
|
Unfortunately, the SNMP agent (and in particular, the code for individual
|
|
MIB modules) is the most system-specific part of the Net-SNMP software.
|
|
It may prove necessary to disable particular MIB modules if they do not
|
|
compile successfully, or attempt to use the wrong system-specific APIs.
|
|
This can be done using the configure option "--with-out-mib-modules".
|
|
Alternatively, the option "--enable-mini-agent" will omit all but the
|
|
core MIB module code. Additional modules can then be added individually
|
|
using "--with-mib-modules".
|
|
|
|
Further information about how to deal with problems with individual MIB
|
|
modules is reliant on suitable reports being forthcoming from the wider
|
|
Net-SNMP community. The ball is in your court!
|
|
|
|
Finally, installing the agent binary is _not_ simply a matter of copying
|
|
the "snmpd" file onto the target system. The agent typically relies on
|
|
a number of additional libraries (and possibly the presence of assorted
|
|
MIB files, unless this has been explicitly omitted). It is normally
|
|
necessary to run "make install", before copying the installed framework
|
|
to the target system.
|
|
|
|
If the install destination needs to be different to the eventual location
|
|
on the target system, this can be handled using the configure options
|
|
"--prefix" (for the target location) and "--with-install-prefix" (for the
|
|
temporary install location). Alternatively, this can be handled as part
|
|
of the install command:
|
|
make install prefix={target location} INSTALL_PREFIX={temp location}
|
|
|
|
Alternatively, if the agent is compiled with static linking (and no MIB
|
|
files), then it may be possible to simply copy the agent binary across to
|
|
the target system. See the next entry for details.
|
|
|
|
|
|
|
|
How can I compile the project to use static linking?
|
|
---------------------------------------------------
|
|
|
|
For totally static net-snmp executables, use
|
|
configure --with-ldflags=-Bstatic
|
|
|
|
To compile your application with static libraries (eg for easier
|
|
debugging), and to link to a non-installed build directory, try the
|
|
following Makefile fragment:
|
|
|
|
NETSNMPDIR=/usr/local/build/snmp/full-clean-cvs-V5-1-patches
|
|
NETSNMPCONFIG=$(NETSNMPDIR)/net-snmp-config
|
|
|
|
NETSNMPBASECFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags)
|
|
NETSNMPINCLUDES := $(shell $(NETSNMPCONFIG) --build-includes $(NETSNMPDIR))
|
|
# base flags after build/src include, in case it has /usr/local/include
|
|
NETSNMPCFLAGS=$(NETSNMPINCLUDES) $(NETSNMPBASECFLAGS)
|
|
|
|
NETSNMPBASELIBS := $(shell $(NETSNMPCONFIG) --base-agent-libs)
|
|
NETSNMPEXTLIBS := $(shell $(NETSNMPCONFIG) --external-agent-libs)
|
|
NETSNMPLIBDIRS := $(shell $(NETSNMPCONFIG) --build-lib-dirs $(NETSNMPDIR))
|
|
NETSNMPLIBDEPS := $(shell $(NETSNMPCONFIG) --build-lib-deps $(NETSNMPDIR))
|
|
LIB_DEPS=$(NETSNMPLIBDEPS)
|
|
LIBS=$(NETSNMPLIBDIRS) -Wl,-Bstatic $(NETSNMPBASELIBS) -Wl,-Bdynamic $(NETSNMPEXTLIBS)
|
|
|
|
STRICT_FLAGS = -Wall -Wstrict-prototypes
|
|
CFLAGS=-I. $(NETSNMPCFLAGS) $(STRICT_FLAGS)
|
|
|
|
This replaces the standard Makefile section, which will used installed
|
|
libraries:
|
|
|
|
NETSNMPCONFIG=net-snmp-config
|
|
|
|
# uncomment this if you have GNU make
|
|
#NETSNMPCFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags)
|
|
#NETSNMPLIBS := $(shell $(NETSNMPCONFIG) --agent-libs)
|
|
NETSNMPCFLAGS=`$(NETSNMPCONFIG) --base-cflags`
|
|
NETSNMPLIBS=`$(NETSNMPCONFIG) --agent-libs`
|
|
|
|
LIBS=$(NETSNMPLIBS)
|
|
|
|
|
|
|
|
Why does 'make test' skip various tests?
|
|
---------------------------------------
|
|
|
|
Some of the tests are only relevant to particular operating systems,
|
|
or rely on specific areas of functionality. The test framework will
|
|
check whether the relevant elements are available before running the
|
|
relevant tests, and will skip them if these modules have been omitted
|
|
from the build environment (or do not apply to the current system).
|
|
|
|
One example of this are the tests T053agentv1trap, T054agentv2ctrap,
|
|
T055agentv1mintrap, T056agentv2cmintrap and T113agentxtrap, which
|
|
rely upon functionality from the NET-SNMP-EXAMPLES-MIB implementation.
|
|
This module is not included in the default agent configuration, so the
|
|
test framework will skip these tests.
|
|
To include them, run
|
|
"configure --with-mib-modules=examples/example"
|
|
and re-compile.
|
|
|
|
|
|
|
|
Why does 'make test' complain about a pid file?
|
|
-----------------------------------------------
|
|
|
|
Typically it says something like:
|
|
|
|
cat: cannot open /tmp/snmp-test-1-8694/*pid*
|
|
|
|
It's trying to tell you the port is blocked - typically because
|
|
another copy of the agent is still running, left over from from a
|
|
previous testing run.
|
|
|
|
If you type 'ps -ef' you should notice an orphaned process like:
|
|
|
|
snmpd -d -r -U -P /tmp/snmp-test-5-27295/snmpd.pid...
|
|
|
|
Kill this process.
|
|
|
|
This could be happening for several reasons including:
|
|
|
|
1. You are trying to do concurrent runs of 'make test'.
|
|
|
|
2. On a slow machine, the agent might be taking too long to
|
|
start up. Try changing the value of the variable SNMP_SLEEP
|
|
in testing/RUNTESTS from 1 to something higher - say 3 or 5.
|
|
|
|
|
|
|
|
CODING
|
|
======
|
|
|
|
How do I write C code to integrate with the agent?
|
|
-------------------------------------------------
|
|
|
|
There are three main methods for integrating external C code
|
|
within the agent. The code can be compiled directly into the
|
|
agent itself, it can be loaded dynamically while the agent is
|
|
running, or it can be compiled into a separate application
|
|
(a "subagent") which communicates with the main master agent.
|
|
All three approaches have been touched on elsewhere within this FAQ.
|
|
|
|
As far as the module code is concerned, all three mechanisms
|
|
use exactly the same module API. So a module developed for use
|
|
directly within the agent, could also be included within a subagent,
|
|
or loaded dynamically with no (or minimal) code changes needed.
|
|
|
|
Most of this section is concerned with more detailed aspects
|
|
of developing such code - including the 'mib2c' tool, which can
|
|
handle generating a basic code framework for implementing a
|
|
given set of MIB objects.
|
|
|
|
|
|
|
|
How does the agent fetch the value of a MIB variable from the system?
|
|
--------------------------------------------------------------------
|
|
|
|
That's typically the hardest bit of implementing a new MIB module,
|
|
and is the one thing that 'mib2c' can't help with. It very much
|
|
depends on the MIB variable concerned (and often the underlying
|
|
operating system as well).
|
|
|
|
Relatively few MIB modules are completely self-contained, with all
|
|
the information held internally within the agent, and all updates
|
|
being done via SNMP requests. Such MIB modules can be implemented
|
|
fairly easily.
|
|
|
|
More commonly, the agent needs to provide an SNMP-based interface to
|
|
information held elsewhere, perhaps in the operating system kernel or
|
|
some other application. Handling this is much more complex - since
|
|
a lot depends on what mechanisms are provided for retrieving (and
|
|
possibly updating) this information. The mib2c tool can generate code
|
|
for processing SNMP requests, based on some internal cache of management
|
|
information, but it cannot help with populating this cache with the
|
|
underlying data. That is up to the MIB implementer.
|
|
|
|
See the existing MIB modules in the Net-SNMP source tree for various
|
|
examples of assorted approaches to this task.
|
|
|
|
|
|
|
|
Mib2c complains about a missing "mib reference" - what does this mean?
|
|
---------------------------------------------------------------------
|
|
|
|
This basically means that it hasn't loaded the MIB file containing
|
|
the definition of the MIB subtree you're trying to implement. This
|
|
might be because it hasn't been installed, the name is wrong, or
|
|
(most likely), because it isn't in the default list. See the MIBS
|
|
section for more details, or the next entry for suitable invocations
|
|
of 'mib2c'.
|
|
|
|
|
|
|
|
Mib2c complains about not having a "valid OID" - what does this mean?
|
|
---------------------------------------------------------------------
|
|
|
|
This probably means that you gave it the name of a MIB file (or
|
|
module), rather than the name of an object defined in that file.
|
|
Mib2c expects the name of a 'root' object, and will generate a
|
|
template for the sub-tree starting from there.
|
|
|
|
If you've got a file 'MY-MIB.txt', defining the MIB module
|
|
'MY-MIB' which contains a subtree based on the object 'myMib',
|
|
then you should invoke mib2c as
|
|
"mib2c .... myMib"
|
|
rather than
|
|
"mib2c .... MY-MIB.txt"
|
|
or "mib2c .... MY-MIB"
|
|
|
|
Note that you'll probably also have to add your MIB to the list of
|
|
MIBs that are loaded automatically, in order for mib2c to recognise
|
|
the name of this object. So the command would typically be
|
|
"MIBS=+MY-MIB mib2c .... myMib"
|
|
or "MIBS=ALL mib2c .... myMib"
|
|
|
|
|
|
|
|
Why doesn't mib2c like the MIB file I'm giving it?
|
|
-------------------------------------------------
|
|
|
|
This is most likely the same problem as the previous entry. Mib2c
|
|
takes the name of a MIB _object_, not the name of a file (or MIB
|
|
module). Try using the name of the MODULE-IDENTITY definition.
|
|
|
|
Another possibility is that the MIB may contain syntax errors.
|
|
Try running it through 'snmptranslate' or a dedicated SMI
|
|
validation tool (such as 'smilint' or the on-line interface at
|
|
http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/)
|
|
|
|
|
|
|
|
Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why?
|
|
---------------------------------------------------------------------
|
|
|
|
This is usually a sign of the same problem as the previous entries,
|
|
giving mib2c the name of the file containing the MIB (or of the MIB
|
|
itself), rather than an object within it.
|
|
|
|
Earlier versions of mib2c didn't detect this situation, and merrily
|
|
constructed a template for a default starting point of the mib-2 node.
|
|
|
|
More recent versions complain about not having a valid OID instead.
|
|
|
|
|
|
|
|
What's the difference between the various mib2c configuration files?
|
|
-------------------------------------------------------------------
|
|
|
|
Most of the mib2c config files are concerned with implementing
|
|
MIB tables, and generate various alternative code templates.
|
|
These basically fall into four distinct categories.
|
|
|
|
'mib2c.raw-table.conf' is the lightest of the templates, and
|
|
just provides a fairly basic table framework. Most of the work
|
|
of implementing the table - detecting which row is required for a
|
|
given request, retrieving or updating the relevant column values,
|
|
and interacting with the underlying subsystem - are all left to
|
|
the MIB programmer.
|
|
|
|
The second group of templates - 'table_data', 'container' and
|
|
'tdata' - all share the same basic model (although the internal
|
|
details are rather different). The MIB implementer should define a
|
|
data structure to represent a row of the table, and the helper then
|
|
takes care of holding the table internally, as a collection of such
|
|
per-row data structures. This includes identifying which row is
|
|
required for a given request. Retrieving or updating the appropriate
|
|
column value is left to the MIB programmer, although the generated
|
|
framework includes most of the necessary code.
|
|
Allied to this is a fourth "internal data" mib2c configuration
|
|
file ('create-dataset') which handles the individual columns as
|
|
well. This is the closest to a Plug-and-Play configuration, and
|
|
the MIB implementer only needs to be concerned with any special
|
|
processing, such as linking the table with the underlying subsystem.
|
|
|
|
The third style of mib2c config assumes that the table data is
|
|
held externally to the helper - either within the MIB module code
|
|
itself, or in the external subsystem. The generated code framework
|
|
includes routines to "iterate" through the rows of the table, with
|
|
the iterator helper simply deciding which row is required for a
|
|
particular request. Once again, the MIB programmer must handle
|
|
retrieving or updating the appropriate column value, although the
|
|
generated framework includes most of the necessary code.
|
|
There is a variant of this config ('iterate_access') which works
|
|
in basically the same way. However this tries to separate out the
|
|
standard processing, from the code that needs to be amended by the
|
|
programmer for retrieving and updating the individual column values.
|
|
|
|
This is also the idea behind the final table-oriented mib2c config
|
|
template - 'mib2c.mfd.conf' (or "MIBs for Dummies"). This is a much
|
|
more flexible framework, which can be used with either internally
|
|
held data, or iterating through an external representation. The
|
|
distinguishing feature of this framework is that it separates out
|
|
standard and table-specific processing, at a much finer level of
|
|
detail than the others.
|
|
|
|
|
|
The other mib2c config templates are concerned with implementing
|
|
scalar objects ('scalar', 'int_watch'), code to generating traps
|
|
('notify'), and various specialised requirements. There is also a
|
|
template ('old-api') to generate code suitable for the previous v4
|
|
UCD agent - though this is not particularly complete or reliable.
|
|
It's probably better to use a pure v4 mib2c environment (or switch
|
|
wholeheartedly to the v5 style).
|
|
|
|
|
|
|
|
Which mib2c configuration file should I use?
|
|
-------------------------------------------
|
|
|
|
The answer to that heavily depends on the characteristics of the
|
|
MIB objects being implemented. Of the handler-based table frameworks,
|
|
'tdata' is more appropriate for tables that can be stored (or a copy
|
|
cached) within the agent itself, while 'iterate' is more relevant to
|
|
reporting data from outside the agent.
|
|
The raw interface is only suitable in very specific circumstances,
|
|
so it's probably sensible to start with one of the other frameworks
|
|
first, and only look at this if none of the alternatives seem to work.
|
|
|
|
The decision between the handler-based configs and MfD is more a
|
|
matter of the style of programming to use. Most of the frameworks
|
|
define a single handler routine to process an incoming request, so
|
|
all of the code is listed together, with the MIB programmer inserting
|
|
table-specific processing into this single block of code.
|
|
The MfD provides a series of individual object-specific routines,
|
|
each concerned with one very specific task, and hides as much as
|
|
possible from the programmer.
|
|
|
|
If you like to understand the broad thrust of what's happening,
|
|
then one of the handler-based approaches would be the best choice.
|
|
If you prefer to concentrate on the nitty-gritty of a given table,
|
|
and are happy to trust that the rest of the processing will work
|
|
correctly, then the MfD framework would be more appropriate.
|
|
|
|
For implementing a group of scalar objects, then the choice is
|
|
simple - use 'mib2c.scalar.conf'. Similarly, for generating traps
|
|
or informs, use 'mib2c.notify.conf'. But note that this only assists
|
|
with the code to actually generate the trap. It does not address the
|
|
issue of _when_ to send the trap. See the FAQ entry "How can I get
|
|
the agent to generate a trap?" for more information.
|
|
|
|
|
|
|
|
How can I have mib2c generate code for both scalars and tables?
|
|
--------------------------------------------------------------
|
|
|
|
This uses a very powerful tool called a "text editor" :-)
|
|
|
|
The mib2c tool uses separate configuration files to generate code
|
|
for scalar objects, and for tables. This means that it's not possible
|
|
to automatically generate a single code file that supports both scalars
|
|
and tables.
|
|
|
|
Instead, the two code files need to be generated separately, and
|
|
then combined manually. This will typically mean copying the handler
|
|
routines for the scalar object(s) into the table file, and adding the
|
|
code to register these handler(s) to the table initialisation routine.
|
|
|
|
|
|
|
|
Are there any examples, or documentation for developing MIB modules?
|
|
-------------------------------------------------------------------
|
|
|
|
Many of the MIB modules shipped with the Net-SNMP agent still
|
|
use the v4 "traditional" MIB module API, but an increasing number
|
|
use one of the newer v5 helper-based handlers. All of these can
|
|
be found under 'agent/mibgroup'
|
|
|
|
The 'tdata' helper is used in the new DisMan Event, Expression
|
|
and Schedule MIB modules (see 'disman/{event,expr,schedule}/*').
|
|
The similar 'dataset' helper is used in the older DisMan Event
|
|
MIB implementation (see 'disman/mteEvent*') and the Notification
|
|
Log MIB (see 'notification-log-mib/*'), used by 'snmptrapd' to
|
|
log incoming traps.
|
|
|
|
The basic iterator handler is used in the TCP and UDP table
|
|
implementations (mibII/tcpTable & mibII/udpTable), VACM context
|
|
handling (mibII/vacm_context) and various tables relating to agent
|
|
internals (agent/*). These show a number of different approaches
|
|
to using the iterator helper, so it's worth comparing them.
|
|
|
|
The two examples/netSnmpHostsTable* modules provide a contrast
|
|
between the iterator and iterator_access helpers.
|
|
|
|
There are several examples based on the MfD framework (see
|
|
'{if,ip,tcp,udp}-mib/'). Much of this code is not intended to
|
|
be viewed directly, but individual files are clearly commented
|
|
to distinguish between internal implementation and public code.
|
|
|
|
The Net-SNMP agent does not currently include any MIB modules
|
|
using the array-user container-based helper. The best examples
|
|
of this are to be found in the net-policy project.
|
|
See http://net-policy.sourceforge.net/
|
|
|
|
|
|
|
|
Where should I put the files produced by 'mib2c'?
|
|
------------------------------------------------
|
|
|
|
If you're using the main source tree to compile your new module, then
|
|
put these two files (mymib.[ch]) in the directory 'agent/mibgroup'.
|
|
You should then re-run configure to add in your new module
|
|
configure --with-mib-modules=mymib
|
|
and recompile.
|
|
|
|
If you've got a number of new modules to add, it might be
|
|
sensible to put them all into a single subdirectory of 'mibgroup'.
|
|
Then create a header file, listing the individual components.
|
|
This might look something like:
|
|
|
|
config_require(mymib/myObjects)
|
|
config_require(mymib/myTable)
|
|
config_require(mymib/myOtherTable)
|
|
|
|
If this was saved as the file 'mymib.h', then the same configure
|
|
line given above, would pull in all three modules. See the current
|
|
contents of 'agent/mibgroup' for examples of this. Note that the
|
|
MfD framework will generate a similar grouping automatically.
|
|
|
|
|
|
|
|
Why doesn't my new MIB module report anything?
|
|
---------------------------------------------
|
|
|
|
There are probably four main reasons why a new MIB module isn't working.
|
|
Either it hasn't been included in the running agent, the code is present
|
|
but hasn't been initialised, the module has been initialised but the
|
|
handler isn't being called, or there's a problem with the module code itself.
|
|
|
|
To check whether the code files are being compiled, the easiest approach is
|
|
simply to look at the directory where the code is located. When the agent is
|
|
compiled, this should produce .o files (and probably .lo files) corresponding
|
|
to the C code files for this module. Alternatively, run 'nm' (or 'strings')
|
|
on the MIB module library (libnetsnmpmibs), and look for the names of the
|
|
initialisation routines or handlers (or the text of any messages displayed by
|
|
the module code).
|
|
|
|
One other thing to check is whether you have multiple copies of the software
|
|
installed on the system. This is a particular problem when compiling from
|
|
source (to include your new module), without first removing any vendor-supplied
|
|
version of the agent (which won't include this new code).
|
|
|
|
|
|
Assuming that you have confirmed that the module code is present in the agent,
|
|
the next step is to check whether the initialisation routine is being called
|
|
to register the MIB objects. The simplest way to do this is to include a
|
|
suitable debugging statement within the initialisation routine, and start
|
|
the agent with the corresponding '-Dtoken'. Alternatively, try walking the
|
|
nsModuleName column object, and look for mention of the new MIB module.
|
|
|
|
|
|
Assuming the module has been registered, the next step is to check whether
|
|
the handler is being called, when the agent receives a suitable SNMP request.
|
|
Again, the simplest way to do this is to include debugging statements within
|
|
the handler routine, and start the agent with the corresponding '-Dtoken'.
|
|
Then issue an "snmpget" request for an instance within the new MIB module.
|
|
(This command is preferable to the usual "snmpwalk" command, as it is more
|
|
closely focused on the MIB module in question).
|
|
|
|
If this indicates that the handler routine isn't being called, then there are
|
|
two main likely causes. Firstly, check the access control settings. If these
|
|
are configured to block access to this portion of the OID tree, then the MIB
|
|
handler will never be called. Secondly, several of the table helpers are
|
|
designed to know which rows of the table are valid, and will call the main
|
|
MIB handler with information about the relevant row. If the requested row is
|
|
not valid (or the table is empty), then the handler will not be called.
|
|
|
|
|
|
Finally, if the handler _is_ being called, but is still not returning any
|
|
information, then the cause probably lies with your MIB module code. In which
|
|
case, it's really up to you to find the problem and fix it! Either activate
|
|
any debugging code that you have included within the handler routine, or run
|
|
the agent under a source code debugger, and step through the handler processing.
|
|
In either case, it's much easier to debug these problems when processing an
|
|
"snmpget" request, rather than "snmpgetnext" or "snmpwalk".
|
|
|
|
Remember that 'mib2c' simply generates template code for your MIB module.
|
|
It's up to you to fill in the details, to report the actual information from
|
|
whatever underlying subsystem is being monitored. Mib2c cannot help with
|
|
the semantics of the MIB module - it's purely there to provide an initial
|
|
code framework, based on the _syntax_ of the MIB module objects.
|
|
|
|
|
|
|
|
Why does the iterator call my get_{first,next} routines so often?
|
|
-----------------------------------------------------------------------
|
|
|
|
The first thing to realise is that the 'get_first' and 'get_next'
|
|
hook routines are concerned with processing a single SNMP request, not
|
|
with walking the whole table. A full "snmpwalk" command will typically
|
|
involve a series of individual 'GetNext' requests, and every one of
|
|
these will trigger a separate 'get_first/get_next/get_next/....' cycle.
|
|
|
|
It's usually more efficient to use 'snmptable' which will walk
|
|
each column in parallel (as well as displaying the results in a
|
|
more natural manner).
|
|
|
|
Secondly, the iterator helper was originally designed to handle
|
|
unsorted data, so will look at every row of the internal table for
|
|
each request. If the data is actually held in the correct order,
|
|
then it's worth setting the NETSNMP_ITERATOR_FLAG_SORTED flag:
|
|
iinfo = SNMP_MALLOC_TYPEDEF(netsnmp_iterator_info);
|
|
iinfo->flags |= NETSNMP_ITERATOR_FLAG_SORTED;
|
|
This will help the situation somewhat.
|
|
|
|
But the iterator helper is inherently a relatively inefficient
|
|
mechanism, and it may be worth looking at one of the other helpers,
|
|
particularly if the data will be held within the agent itself.
|
|
|
|
|
|
|
|
How can I get the agent to generate a trap (or inform)?
|
|
------------------------------------------------------
|
|
|
|
There are two aspects to having the agent generate a trap -
|
|
knowing *how* to do this, and knowing *when* to do so.
|
|
|
|
Actually generating a trap is reasonably simple - just call one
|
|
of the trap API routines ('send_easy_trap()' or 'send_v2trap()')
|
|
with the relevant information (generic and specific trap values,
|
|
or a varbind list respectively).
|
|
|
|
The 'mib2c.notify.conf' configuration file can be used to
|
|
construct a suitable template routine for generating a trap,
|
|
including building the variable list from the MIB trap
|
|
definition. These variables can then be given suitable values,
|
|
before invoking the 'send_v2trap()' call to actually send the trap.
|
|
See the 'snmp_trap_api(3)' man page for further details.
|
|
|
|
Note that these APIs are only available within the agent (or
|
|
subagents), and are not available to stand-alone applications.
|
|
The code for 'snmptrap' shows an approach to use in such a case.
|
|
|
|
|
|
Determining *when* to generate the trap (either directly or
|
|
via the mib2c-generated routine) is often harder. If the trap
|
|
is generated in response to some action within the agent, (e.g.
|
|
as the result of a SET), then this isn't too much of a problem.
|
|
|
|
But if the trap is intended to report on a change of status
|
|
(e.g. a network interface going up or down, or a disk filling up),
|
|
then actually detecting this is non-trivial. Unless the underlying
|
|
system can signal this situation to the agent, then it's typically
|
|
necessary to poll the value(s) on a regular basis, save the results
|
|
and compare them with the new values the next time round.
|
|
|
|
The simplest way to handle this is via the DisMan Event MIB,
|
|
which is designed for exactly this purpose. As long as you can
|
|
specify a MIB object to monitor, and the value or thresholds
|
|
that should trigger a notification, then this module can check
|
|
these values regularly, and automatically send a suitable trap
|
|
when appropriate. See the 'snmpd.conf(5)' man page (under
|
|
ACTIVE MONITORING) for details.
|
|
|
|
Otherwise, you'd need to use the routines documented in
|
|
'snmp_alarm(3)' to regularly invoke a monitoring routine. This
|
|
would check the necessary conditions (which need not be MIB
|
|
objects), and call the 'send_xxx_trap()' routine (as generated
|
|
by 'mib2c.notify.conf') when appropriate.
|
|
|
|
|
|
|
|
How can I get an AgentX sub-agent to generate a trap (or inform)?
|
|
----------------------------------------------------------------
|
|
|
|
This is done in exactly the same manner as with the main SNMP agent.
|
|
Calling one of the routines described in 'snmp_trap_api(3)' will cause
|
|
the AgentX sub-agent to send a notification to the master agent, which
|
|
will then pass this on to the configured trap destination(s).
|
|
|
|
One of the original design aims of the Net-SNMP AgentX support was that
|
|
the agent (or subagent) framework should be transparent to a MIB module
|
|
implementer. The interface between the agent framework and a MIB module
|
|
should be independent of the protocol used to receive the original request.
|
|
So the exact same MIB module code could be used within a traditional
|
|
SNMP-only agent, or an AgentX subagent, with no changes needed.
|
|
|
|
This also holds for sending traps.
|
|
|
|
|
|
|
|
How can I get the agent to send an SNMPv1 (or SNMPv2c) trap?
|
|
-----------------------------------------------------------
|
|
|
|
It doesn't make any difference whether you use the v1-style
|
|
API call 'send_easy_trap()' or the v2-style 'send_v2trap()'.
|
|
What matters is the directive(s) in the snmpd.conf file.
|
|
|
|
If this file contains 'trapsink', then the agent will send
|
|
an SNMPv1 trap. If this file contains 'trap2sink', then the
|
|
agent will send an SNMPv2c trap. And if this file contains
|
|
both, then the agent will send *two* copies of this trap.
|
|
|
|
See the entry
|
|
Where are these traps sent to?
|
|
in the AGENT section for details.
|
|
|
|
|
|
|
|
How can I get the agent to include varbinds with an SNMPv1 trap?
|
|
---------------------------------------------------------------
|
|
|
|
There are two ways to do this. You can either use the
|
|
'send_v2trap()' call and give a varbind list, starting with
|
|
the v2-equivalent of the SNMPv1 trap, followed by the
|
|
additional varbinds.
|
|
|
|
Alternatively, you can use the API call 'send_trap_vars()'
|
|
which takes the same generic/specific trap values as
|
|
'send_easy_trap()', plus the list of additional varbinds.
|
|
|
|
In either case, you also need to have 'trapsink' in the
|
|
snmpd.conf file. The resulting trap will be identical,
|
|
whichever approach is used.
|
|
|
|
|
|
|
|
How can I get the agent to send an SNMPv1 enterprise-specific trap?
|
|
------------------------------------------------------------------
|
|
|
|
There are two ways to do this. You can either use the
|
|
'send_v2trap()' call and give a varbind list, starting
|
|
with the v2-equivalent of the SNMPv1 trap, followed by the
|
|
additional varbinds.
|
|
|
|
Alternatively, you can use the (undocumented) API call
|
|
'send_enterprise_trap_vars()' which takes the same parameters
|
|
as 'send_trap_vars()', plus the enterprise OID to use (in the
|
|
usual name/length form). See the code file 'agent_trap.c'
|
|
|
|
In either case, you also need to have 'trapsink' in the
|
|
snmpd.conf file. The resulting trap will be identical,
|
|
whichever approach is used.
|
|
|
|
|
|
|
|
How can I get the agent to send an SNMPv3 trap (or inform)?
|
|
----------------------------------------------------------
|
|
|
|
It doesn't matter which API call you use to specify the
|
|
trap - 'send_easy_trap()', 'send_v2trap()' or one of the other
|
|
calls mentioned above. Generating an SNMPv3 notification
|
|
(rather than a community-based one) is controlled by the
|
|
snmpd.conf file.
|
|
|
|
To send an SNMPv3 trap, this file should contain a
|
|
'snmpsess' directive, specifying the version, security
|
|
level, user name and passphrases (if applicable), as
|
|
well as the destination address. This is basically
|
|
the same as the command line required for sending the
|
|
trap manually, using 'snmptrap'.
|
|
|
|
Note that (unlike 'snmptrap') this directive does *not*
|
|
read default settings from an 'snmp.conf' file, so these
|
|
must be specified explicitly in the 'snmpsess' line.
|
|
|
|
|
|
|
|
Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
|
|
----------------------------------------------------------------------
|
|
|
|
The two versions of the trap API calls are concerned with how
|
|
the trap is represented when it is passed *in* to the API, not
|
|
the version of the trap PDU that will actually be generated by
|
|
the agent. That is determined by the configuration token used
|
|
to set up the trap destination.
|
|
|
|
Remember that in general, all traps are sent to all destinations.
|
|
This means that a trap specified using the SNMPv1 trap syntax
|
|
needs to be converted to the SNMPv2 format before it can be sent
|
|
to an SNMPv2 (or SNMPv3) destination. Similarly, a trap specified
|
|
using the SNMPv2 syntax needs to be converted to the SNMPv1 format
|
|
before it can be sent to an SNMPv1 sink.
|
|
|
|
Essentially, the API call to use depends on what you asking for,
|
|
which is not necessarily what the recipients will actually get!
|
|
See 'snmp_trap_api(3)' for a fuller explanation.
|
|
|
|
|
|
|
|
How can I register a MIB module in a different (SNMPv3) context?
|
|
---------------------------------------------------------------
|
|
|
|
Contexts are a mechanism within SNMPv3 (and AgentX) whereby
|
|
an agent can support parallel versions of the same MIB objects,
|
|
referring to different underlying data sets. By default, a MIB
|
|
module registrations will use the default empty context of "".
|
|
But it's also possible to provide MIB information using a different
|
|
(non-default) context.
|
|
|
|
There are three aspects involved in doing this. Firsly, it's necessary
|
|
to register the MIB module in this non-default context. With the v4 API,
|
|
this uses the call 'register_mib_context()' rather than the REGISTER_MIB
|
|
macro. This is significantly more detailed, but most of the additional
|
|
parameters can take fixed values, if all that's needed is to change the
|
|
registration context.
|
|
|
|
Instead of the macro call:
|
|
REGISTER_MIB("my_token", my_variables, variable1, my_variables_oid);
|
|
use the function call:
|
|
register_mib_context( "my_token",
|
|
my_variables, sizeof(variable1),
|
|
sizeof(my_variables)/sizeof(variable1),
|
|
my_variables_oid,
|
|
sizeof(my_variables_oid)/sizeof(oid),
|
|
DEFAULT_MIB_PRIORITY, 0, 0, NULL,
|
|
"my_context", -1, 0);
|
|
|
|
Things are much easier with the v5 helper-based API. Having
|
|
created the registration structure, this just requires setting the
|
|
'contextName' field before actually registering the MIB module:
|
|
netsnmp_handler_registration *reg;
|
|
reg = netsnmp_create_handler_registration(.....);
|
|
reg->contextName = strdup("my_context");
|
|
netsnmp_register_handler(reg);
|
|
|
|
|
|
Secondly, it is necessary to configure the access control settings to allow
|
|
access to information in the new context. This is handled automatically
|
|
when using the simple "rouser" or "rwuser" directives. But if access control
|
|
is configured using the fuller com2sec/group/view/access mechanism, then the
|
|
"access" line must specify the appropriate context(s), either explicitly:
|
|
|
|
access {group} "my_context" any noauth exact ......
|
|
|
|
or using a single entry to cover all possible contexts:
|
|
|
|
access {group} "" any noauth prefix ......
|
|
|
|
|
|
Finally, the SNMP request used to retrieve (or update) the information
|
|
must also specify the required context. With SNMPv3 requests, the context
|
|
is part of the protocol, so this can be done using a command-line option:
|
|
|
|
snmpwalk -v 3 -n my_context .....
|
|
|
|
With community-based requests (SNMPv1 and SNMPv2c), things aren't so simple.
|
|
Although the "rocommunity" and "rwcommunity" settings also configure access
|
|
for all possible contexts, there's no way to specify a non-default context
|
|
as part of the request.
|
|
|
|
The only way to handle non-default contexts with community-based SNMP requests
|
|
is to set up a mapping from the community string to the desired context. This
|
|
uses the "com2sec" directive, with an additional "-Cn" parameter. Note that
|
|
this also means that the access control must be configured using the full
|
|
com2sec/group/view/access mechanism. The short-form access control directives
|
|
do not handle the mapping of community strings to non-default contexts.
|
|
|
|
|
|
|
|
MISC
|
|
======
|
|
|
|
What ASN.1 parser is used?
|
|
-------------------------
|
|
|
|
The parser used by both the agent and client programs is coded by hand.
|
|
This parser has recently been re-vamped to allow control of which of
|
|
the available MIBs should be included, and to handle duplicate object
|
|
subidentifiers.
|
|
The source code can be found in the snmplib directory (in 'parse.c'),
|
|
and the parser is usually bundled into the library 'libnetsnmp.a'
|
|
|
|
Note that the parser attempts to be fairly forgiving of some common
|
|
errors and incompatibilities in MIB files. The Net-SNMP tools accepting
|
|
a MIB file without complaint does *not* imply that the MIB is strictly
|
|
correct.
|
|
Certain MIBs may need some amendments to allow them to be read
|
|
correctly by the parser. Contact the coders' list for advice.
|
|
|
|
|
|
|
|
What is the Official Slogan of the net-snmp-coders list?
|
|
-------------------------------------------------------
|
|
|
|
"The current implementation is non-obvious and may need to be improved."
|
|
(with thanks to Rohit Dube)
|
|
|
|
And an alternate, added 26-Apr-2000:
|
|
|
|
"In theory, it shouldn't be that hard, but it just needs to be done."
|
|
|
|
|
|
|