TUT:snmptrap SNMPv3

Jump to: navigation, search

Contents
[hide]

1 TRAPs vs INFOR s !or "N Pv# o 1$1 Prere%uisite reading: o 1$& TRAPs vs INFOR s o 1$# "N Pv# TRAPs & Tutoria' "ections

[edit]

TRAPs vs INFORMs for SNMPv3

[edit]

Prerequisite reading:

snmpv# options trap summar(

[edit]

TRAPs vs INFORMs
A %uic) recap on the di!!erence *et+een TRAPs and INFOR s: A TRAP is a "N P message sent !rom one app'ication to another ,+hich is t(pica''( on a remote host-$ The(.re purpose is mere'( to noti!( the other app'ication that something has happened, has *een noticed, etc$ The *ig pro*'em +ith TRAPs is that the(.re unac)no+'edged so (ou don.t actua''( )no+ i! the remote app'ication received (our oh/so/important message to it$ "N Pv& P01s !i2ed this *( introducing the notion o! an INFOR , +hich is nothing more than an ac)no+'edged TRAP$ I3, +hen the remote app'ication receives the INFOR it sends *ac) a 4I got it4 message$ This is nice *ecause then the person sending the traps can )eep tr(ing unti' the trap gets through$ The net/snmp snmptrap program can send *oth TRAPs and INFOR s$ Add /5i to the command 'ine o! snmptrap i! (ou +ant it to send a an INFOR instead, or ca'' the snmpin!orm command ,+hich is !unctiona''( the same as snmptrap /5i-$ Note that (ou must use snmpv&c or snmpv# to send INFOR s$ snmptrapd is a*'e to receive and disp'a( *oth INFOR s and TRAPs$ Note: snmptrapd +i'' not disp'a( "N Pv# TRAPs or INFOR s sent *( a user +hich has not *een con!igured using the create1ser directives discussed *e'o+$ The( +i'' *e si'ent'( dropped *( the snmptrapd program$ I! (our run snmptrapd +ith the /0usm !'ag (ou.'' get de*ugging output +hich sa(s 4no such user4, +hich is e2act'( +h( the(.re *eing dropped$ Note: "tarting +ith net/snmp 6$#, snmptrapd +i'' no 'onger accept a'' traps *( de!au't$ It must *e con!igured +ith authori7ed "N Pv18v&c communit( strings and8or "N Pv# users$ Non/authori7ed traps8in!orms +i'' *e dropped$ P'ease re!er to the snmptrapd$con!,6- manua' page !or detai's$ "N Pv#, users and engineI0s

TRAPs and INFOR s get a 'itt'e more comp'e2 +ith respect to "N Pv#$ The reason *ehind it is ho+ the user data*ase is maintained$ "N Pv1 and "N Pv&c communit( *ased messages mere'( a'+a(s disp'a( the message to the end user$ "N Pv# mandates that the message is re9ected un'ess the "N Pv# user sending the trap a'read( e2ists in the user data*ase$ "ounds simp'e enough, right: 32cept !or one sma'' pro*'em: The user data*ase in a "N Pv# app'ication is actua''( re!erenced *( a com*ination o! the user.s name ,ca''ed a 4securit( Name4- and a identi!ier !or the given "N P app'ication (our ta')ing to ,ca''ed an 4engineI04-$ Norma''( +hen (ou use the rest o! the snmp app'ications ,snmpget, snmp+a'), $$$- the app'ication 4discovers4 the remote engineI0 !or (ou and then inserts the username, engineI0 and pass+ords into user data*ase *ased on this remote engineI0$ a)es things a'' nice and simp'e +hen ta')ing to a remote agent$ "N Pv# INFOR s INFOR s operate on a simi'ar principa'$ ;hen (ou send an INFOR (ou use the remote engineI0 +hen sending the message and the securit(Name and engineI0 must e2ist as a pair in the remote user ta*'e$ The snmptrap program discovers the remote engineI0 9ust 'i)e the rest o! the app'ications +ou'd do and then appropriate'( creates the "N Pv# message +ith the proper user that the remote side is e2pecting to get$ And a'' is +e''$ "o, a'' (ou have to do +hen setting up the remote snmptrapd app'ication ,assuming (ou.re using our trap8in!orm receiver- is to create a v# user in the snmptrapd con!iguration data*ase$ <ou do this as !o''o+s:

"top an( current'( running snmptrapd edit 8var8net/ snmp8snmptrapd$con! to insert the !o''o+ing 'ine:

createUser myuser MD5 mypassword DES myotherpassword

;here m(user is the securit( name (ou +ant to use, and m(pass+ord is (our authentication pass+ord and m(otherpass+ord is (our encr(ption pass+ord ,or 'eave it *'an) i! (ou +ant it to *e the same or don.t +ant to use encr(ption-$

,re-start the snmptrapd program$

No+, (ou shou'd *e a*'e to use the snmpin!orm command to send the trap demon a co'd"tart INFOR message:
snmpinform -v 3 -u myuser -a MD5 -A mypassword -l authNoPriv localhost 42 coldStart !

I! (ou did ever(thing correct'(, (ou shou'd have seen something 'i)e this in (our snmptrapd output:
2001-10-31 11:21:05 localhost.localdomain 12!.0.0.1": sysUp#ime$nstance % #imetic&s: '(2) 0:00:00.(2 *$D: coldStart.0 snmp#rap*$D.0 %

[edit]

SNMPv3 TRAPs
"N Pv# TRAPs are a *it more comp'icated in some +a(s, *ut it ma)es sense the protoco' +or)s this +a( i! (ou spend a 'ong time thin)ing a*out it$ The di!!erence is that "N Pv#

TRAPs use the engineI0 o! the 'oca' app'ication sending the trap rather than the engineI0 o! the remote app'ication$ This means that (ou have to create users in (our remote user data*ase +ith a *it more care and need to create one !or ever( engineI0 (ou +ish to send traps !rom$ This means that i! (ou +ant to have 1== snmp agents send snmpv# traps to (our trap receiver, (ou need 1== create1ser directives in (our 8var8net/snmp8snmptrapd$con! !i'e$ "o, tr( the !o''o+ing:

"top an( current'( running snmptrapd edit 8var8net/ snmp8snmptrapd$con! to insert the !o''o+ing 'ine:

createUser -e 0+0102030(05 myuser MD5 mypassword DES myotherpassword

Note that this time +e e2p'icit'( set the engineI0 o! the user to =2=1=&=#=>=6 ,+hich technica''( is not a recommended va'ue, *ut it rea''( doesn.t matter-$

,re-start the snmptrapd program$

No+, (ou shou'd *e a*'e to use the snmptrap command to send the trap demon a co'd"tart v# TRAP message:
snmptrap -e !"!#!2!3!4!5 -v 3 -u myuser -a MD5 -A mypassword -l authNoPriv localhost 42 coldStart !

This shou'd produce simi'ar output as the e2amp'e a*ove did$ I shou'd go ram*'ing on here a*out the intricate detai's o! v# engineI0s, INFOR s, TRAPs, engineI0 discover(, secret )e(s, pass+ords, 'oca'i7ed )e(s, etc$ ?ut it too) the "N Pv# +or)ing group 1@&&# 'ines o! te2t ,RF5s &6A= / &6A6- to tr( and e2p'ain it a'', so I don.t thin) I.'' reiterate that here$