SNMP编程

开发平台：

Unix_Linux

FAQ：源码内容

Frequently Asked Questions (FAQ) for the UCD/Net-SNMP package
=============================================================
FAQ Author: Dave Shield
net-snmp Version: 5.2.2 CVS branch
net-snmp/ucd-snmp Project Leader: Wes Hardaker
Email: net-snmp-coders@lists.sourceforge.net
TABLE OF CONTENTS
=================
TABLE OF CONTENTS
GENERAL
What is it?
Where can I get it?
What documentation is available?
Are there binaries available?
What's the difference between UCD-SNMP and Net-SNMP?
What operating systems does it run on?
What happens if mine isn't listed?
Does it run on Windows?
How do I find out about new releases?
How can I find out what other people are doing?
How do I submit a patch or bug report?
Can I reuse the code in my commercial application?
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
What's the difference between SNMPv2 and SNMPv2c?
Which versions of SNMP are supported in this package?
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
Where can I find more information about network management?
Is Net-SNMP thread safe?
APPLICATIONS
How do I add a MIB?
How do I add a MIB to the tools?
Why can't I see anything from the agent?
Why can't I see values in the <INSERT ENTERPRISE HERE> tree?
Requests always seem to timeout, and don't give me anything back. Why?
I can see the system group, but nothing else. Why?
The agent worked for a while, then stopped responding. Why?
Requesting an object fails with "Unknown Object Identifier" Why?
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
I cannot set any variables in the MIB.
Variables seem to disappear when I try to set them. Why?
I still can't change sysLocation, though the access settings allow
it. Why not?
I get an error when trying to set a negative value - why?
I get an error when trying to get a string-indexed table value - why?
How do I send traps and notifications?
How do I handle traps and notifications?
My traphandler script doesn't work when run like this - why not?
The ucdShutdown trap OID received by my manager is wrong. Why?
Why does snmptrapd complain about AgentX?
How do I use SNMPv3?
How big can an SNMP request (or reply) be?
How can I monitor my systems (disk, memory, etc)?
Applications complain about entries in your example 'snmp.conf' file. Why?
OK, what should I put in snmp.conf?
PERL
Where can I get the perl SNMP package?
How do I install the Perl SNMP modules?
But compiling this fails! Why?
Compiling the perl module works OK, but 'make test' fails. Why?
The perl 'make test' fails on the OID tests. Is it safe to continue?
I'm trying to use mib2c (or tkmib) and it can't locate SNMP.pm?
I'm trying to use mib2c (or tkmib) and it can't load SNMP.so?
I'm trying to use tkmib and it can't locate Tk.pm?
I'm trying to install your RPM, but it complains about missing perl modules. Why?
I've got a problem with the Net-SNMP module. Can you help?
MIBS
Where can I find a MIB compiler?
I can't load any of the mib files, and they seem to be missing
the first two characters of the filename. What's happening?
Why aren't my mib files being read in?
I'm getting answers, but they're all numbers. Why?
What does "Cannot find module (XXX-MIB)" mean?
What about "unlinked OID"?
The parser doesn't handle comments properly. Why not?
How do I replace MIB values with new ones?
How can I get more information about these MIB file problems?
What's this about "too many imported symbols"?
Do I actually need the MIB files?
AGENT
What MIBs are supported?
What protocols are supported?
How do I configure the agent?
How do I add a MIB to the agent?
How do I remove a MIB from the agent?
I've installed a new MIB file. Why can't I query it?
What's the difference between 'exec', 'sh' and 'pass'?
What's the difference between AgentX, SMUX and proxied SNMP?
What about 'dlmod' - what's that about?
Which should I use?
Can I use AgentX when running under Windows?
Can I use AgentX (or an embedded SNMP agent) in a threaded application?
How can I run AgentX with a different socket address?
How can I turn off SMUX support?
How can I combine two copies of the 'mib2' tree from separate subagents?
What traps are sent by the agent?
Where are these traps sent to?
How can I send a particular trap to selected destinations?
When I run the agent it runs and then quits without staying around. Why?
After a while the agent stops responding, and starts eating CPU time. Why?
How can I stop other people getting at my agent?
How can I listen on just one particular interface?
How do I configure access control?
I don't understand the new access control stuff - what does it mean?
How do I configure SNMPv3 users?
The 'createUser' line disappears when I start the agent. Why?
What's the difference between /var/ucd-snmp and /usr/local/share/snmp?
My new agent is ignoring the old snmpd.conf file. Why?
Why am I getting "Connection refused"?
I'm getting errors about "bad security model" - why?
I'm getting errors about "bad prefix match parameter" - why?
Why can't I see values in the UCDavis 'extensible' or 'disk' trees?
Why can't I see values in the UCDavis 'memory' or 'vmstat' tree?
What do the CPU statistics mean - is this the load average?
How do I get percentage CPU utilization using ssCpuRawIdle?
What about multi-processor systems?
The speed/type of my network interfaces is wrong - how can I fix it?
The interface statistics for my subinterfaces are all zero - why?
Does the agent support the RMON-MIB?
What does "klread: bad address" mean?
What does "nlist err: wombat not found" (or similar) mean?
How about "Can't open /dev/kmem"?
The agent is complaining about 'snmpd.conf'. Where is this?
The system uptime (sysUpTime) returned is wrong!
Can the agent run multi-threaded?
COMPILING
How do I compile with 'cc' instead of 'gcc'?
But gcc doesn't compile it successfully on my new Solaris system. Why not?
On RedHat 8.0 or up I get "/usr/bin/ld: cannot find -lelf". Why?
What about '-lbz2' or '-lselinux' errors?
What about a failed dependency on 'libcrypto'? Where can I get that?
I'm getting an error "autoheader: not found" - what's wrong?
How can I reduce the memory footprint?
How can I reduce the installation footprint or speed up compilation?
How can I compile the project to use static linking?
Why is the project workspace empty under Visual C++?
Why does 'make test' skip five tests?
Why does 'make test' complain about a pid file?
CODING
How do I write C code to integrate with the agent?
How does the agent fetch the value of a MIB variable from the system?
Mib2c complains about a missing "mib reference" - what does this mean?
Mib2c complains about not having a "valid OID" - what does this mean?
Why doesn't Mib2c like the MIB file I'm giving it?
Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why?
Mib2c complains about "configuration files". What's this for?
Which mib2c configuration file should I use?
How can I have Mib2c generate code for both scalars and tables?
Are there any examples, or documentation?
Where should I put the files produced by 'mib2c'?
I've created a new module with 'mib2c' but it doesn't work. Why not?
I've added my code to this template and it still doesn't work. Why not?
Mib2c only handles a single table in my MIB. How can I fix this?
Why does the iterator call my get_{first,next} routines so often?
How can I support a large table, with more than 256 column objects?
How can I get the agent to generate a trap (or inform)?
How can I get the agent to send an SNMPv1 (or SNMPv2c) trap?
How can I get the agent to include varbinds with an SNMPv1 trap?
How can I get the agent to send an SNMPv1 enterprise-specific trap?
How can I get the agent to send an SNMPv3 trap (or inform)?
Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
What if I'm using an AgentX sub-agent instead?
How can I register a MIB module in a different (SNMPv3) context?
MISC
Why are packets requesting the same information larger with UC-Davis SNMP?
What ASN.1 parser is used?
What is the Official Slogan of the net-snmp-coders list?
GENERAL
=======
What is it?
----------
- Various tools relating to the Simple Network Management Protocol
including:
* An extensible agent
* An SNMP library
* tools to request or set information from SNMP agents
* tools to generate and handle SNMP traps
* a version of the unix 'netstat' command using SNMP
* a graphical Perl/Tk/SNMP based mib browser
This package is originally based on the Carnegie Mellon University
SNMP implementation (version 2.1.2.1), but has developed significantly
since then.
Where can I get it?
------------------
Download:
- http://www.net-snmp.org/download/
- ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/
Web page:
- http://www.net-snmp.org/
Sourceforge Project page:
- http://www.net-snmp.org/project/
Mirrors (note that sourceforge download servers are mirrored themselves):
- US: ftp://ftp.freesnmp.com/mirrors/net-snmp/
- Bulgaria: http://rtfm.uni-svishtov.bg/net-snmp/ (appears to be out of date)
- Germany: ftp://ftp.mpg.goe.ni.schule.de/pub/internet/net-snmp/ (unknown host)
- Greece: ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/
What documentation is available?
-------------------------------
This FAQ (!)
README and individual READMEs for various platforms
README.thread (discusses threading issues)
INSTALL
PORTING
EXAMPLE.conf
man pages for the individual tools, files and the API
A guide for extending the agent
Tutorials for both ucd-snmp v4 and net-snmp v5
at http://www.net-snmp.org/tutorial/
and http://www.net-snmp.org/tutorial-5/ respectively
Most of this documentation (plus archives of the mailing lists)
is also available on our web page:
http://www.net-snmp.org/
Are there binaries available?
----------------------------
- There are binaries for some systems available in the binaries
directory on the ftp site.
What's the difference between UCD-SNMP and Net-SNMP?
---------------------------------------------------
Not a great deal, really.
Although the project originally started at UC Davis (hence the name),
and it has always been based there, most of the contributors have had
little or no connection with this institution.
The move to SourceForge was intended to provide a more flexible
environment for the project, and to distribute the administrative
workload more evenly. The change of name simply reflects this move,
which was the last remaining link with UC Davis.
The 4.2.x line is the last release line that uses the ucd-snmp name,
and all releases under this banner will be bug-fixes only. Release
5.0 is the first version using the net-snmp name, and all new features
and significant development will be released under this name.
(Though the dividing line between a bug-fix and a new feature is
something of a vague one, so some changes in the 4.2.x line may be
relatively non-trivial!)
Starting with the 5.0 release, we are also trying to review and
rework the underlying code base to improve the readability and
maintainability of the package. The 5.0 changes have mostly
concentrated on the agent architecture, though there have been some
significant changes to the library as well. Future releases may
include further restructuring of the library.
This process will probably result in some changes to the API,
though we will attempt to retain some form of backwards
compatibility as far as possible, and clearly mark anything that has
changed. The most significant change with the 5.0 release is a
restructuring of the header file organisation - not least a change
from <ucd-snmp/xxx.h> to <net-snmp/yyy.h>.
What operating systems does it run on?
-------------------------------------
Both the applications and the agent have been reported as running
(at least in part) on the following operating systems:
* HP-UX (10.20 to 9.01 and 11.11 to 11.0 -- see README.hpux11)
* Ultrix (4.5 to 4.2)
* Solaris/SPARC (11 to 2.3), Solaris/Intel (10, 9) -- see
README.solaris
* SunOS (4.1.4 to 4.1.2)
* OSF (4.0, 3.2 and Tru64 Unix 5.1B -- see README.tru64)
* NetBSD (2.0 to 1.0)
* FreeBSD (5.3 to 2.2)
* BSDi (4.0.1 to 2.1)
* Linux (kernels 2.6 to 1.3)
* AIX (5.2, 5.1, 4.1.5, 3.2.5) -- see README.aix
* OpenBSD (3.7, 2.8, 2.6)
* IRIX (6.5 to 5.1)
* OS X (10.4 to 10.1) -- see README.osX
* Dynix/PTX 4.4
* QNX 6.2.1A
We have also been informed about a port to the Stratus VOS.
See http://ftp.stratus.com/vos/network/network.html for details.
See the next question but one for the status of Windows support.
Certain systems fail to compile particular portions of the agent.
These can usually be persuaded to compile (at the loss of some
functionality) by omitting the modules affected.
See the next question for more details.
Also note that the presence of a particular configuration in this
list does not imply a perfect or complete implementation. This is
simply what various people have reported as seeming to work. (Or more
frequently, the configurations people have reported problems with
that we think we've fixed!)
What happens if mine isn't listed?
---------------------------------
It's probably worth trying to compile it anyway. If your system
is reasonably similar to another supported configuration, it may
well compile with little or no difficulty. The most likely source
of problems will be MIB modules within the agent, as this tends to
be where the most system-specific code is found.
If only a few modules fail to compile, try removing them from
the agent by running "configure --with-out-mib-module=xxx,yyy",
and re-compiling. If a large number of modules fail, then it
might be easier to start from a relatively bare system, using
"configure --enable-mini-agent --with-defaults". Then if this
minimal agent compiles and runs successfully, try adding the
missing mibgroups using the configure option '--with-mib-module'.
If configure fails with "invalid configuration" messages, or
you get completely stuck, contact the coders list for advice.
Similarly, if you manage to get this working on a new system,
please let us know both details of the hardware you're using,
and what versions of the operating system you've tried it on.
The entry 'host' in the file 'config.status' will show this
information. Oh, and congratulations!
Does it run on Windows?
----------------------
The suite should compile and run on Win32 platforms, including
the library, command-line tools and the basic agent framework.
Note that the agent now includes support for the MIB-II module,
but this requires Microsoft's Core Platform SDK. Instructions
for how to install this are given in README.win32.
Some other MIB modules, including the UCD pass-through extensions,
do not currently work under Windows. Volunteers to assist in
these missing modules are likely to welcomed with open arms :-)
Further details of Windows support (currently Visual C++, MinGW
and Cygnus cygwin32) is available in the file README.win32
How do I find out about new releases?
------------------------------------
There is a mailing list for these announcements
net-snmp-announce@lists.sourceforge.net
To be added to (or removed from) this list, visit
http://www.net-snmp.org/lists/net-snmp-announce/. Or you can send a
message to the address
'net-snmp-announce-request@lists.sourceforge.net' with a subject
line of 'subscribe' (or 'unsubscribe' as appropriate).
Major code revisions may be announced more widely (e.g. on the
SNMP mailing lists, or comp.protocols.snmp) but this list is the most
reliable way to keep in touch with the status of this package.
Patches to fix known problems are also made available via the web site:
http://www.net-snmp.org/patches/
How can I find out what other people are doing?
----------------------------------------------
There is a general purpose discussion list
net-snmp-users@lists.sourceforge.net
To be added to (or removed from) this list, visit
http://www.net-snmp.org/lists/net-snmp-users. Or you can send a
message to the address 'net-snmp-users-request@lists.sourceforge.net'
with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).
To find out what the developers are doing, and to help them out, please
read the PORTING file enclosed with the package.
There is also an net-snmp IRC channel set up on the freenode.net IRC
chat servers (you can use irc.freenode.net to connect and/or see
http://www.freenode.net/ for getting started with irc). Multiple
core developers hang out there on a regular basis.
How do I submit a patch or bug report?
-------------------------------------
All bug reports should be submitted to the bug database through the
interface found at http://www.net-snmp.org/bugs/. Be
sure to include the version of the package that you've been working
with, the output of the command 'uname -a', the precise command that
triggers the problem and a copy of the output it produces.
All patches should be submitted to the patch manager at
http://www.net-snmp.org/patches/. If possible, submit a
bug report describing the patch as well (referencing it by its patch
number) since the patch manager doesn't contain a decent description
field.
Questions about using the package should be directed at the
net-snmp-users@lists.sourceforge.net mailing list. Note that this
mailing list is relatively busy, and the people answering these
questions are doing so out of the goodness of their hearts, and in
addition to their main employment. Please note the following:
- use plain text mail, rather than HTML
- don't resend questions more than once
(even if no-one answered immediately)
- include full details of exact commands and error messages
("I've tried everything, and it doesn't work" isn't much use!)
- do *NOT* send messages to -users and -coders mailing lists
(most developers read both anyway)
- don't mail the developers privately - keep everything on the list
Remember that this is basically an unsupported package. Fundamentally
it's Open Source, so you have the source code. If you need something
fixing badly enough, it's up to you to do the work.
We can't promise to be able to solve all problems, but we'll
certainly try and help. But remember that this is basically an
unsupported package. It's Open Source, so if you need something
fixing badly enough, fundamentally it's up to you to do the work.
Can I reuse the code in my commercial application?
-------------------------------------------------
The details of the COPYRIGHTs on the package can be found in the COPYING
file. You should have your lawyer read this file if you wish to use the
code in your commercial application. We will not summarize here what is
in the file, as we're not lawyers and are unqualified to do so.
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
-------------------------------------------------------
What's the difference between SNMPv2 and SNMPv2c?
------------------------------------------------
A full description is probably beyond the scope of this FAQ.
Very briefly, the original protocol and framework was described
in RFCs 1155-1157, and is now known as SNMPv1.
Practical experience showed up various problems and deficiencies
with this, and a number of revised frameworks were developed to try
and address these problems. Unfortunately, it proved difficult to
achieve any sort of agreement - particularly over the administrative
framework to use.
There was less disagreement over the proposed changes to the
protocol operations. These included:
* increasing the range of errors that could be reported
* introducing "exception values"
(so a single missing value didn't affect
the other varbinds in the same request)
* a new GETBULK operation
(a supercharged GETNEXT)
* new notification PDUs
(closer in structure to the other request PDUs)
Strictly speaking, it's this revised protocol (originally defined
in RFC 1905, and most recently in RFC 3416) that is "SNMPv2".
The only framework based on this protocol that saw a significant
level of use was "Community-based SNMPv2" or "SNMPv2c" (defined in
RFCs 1901-1908). This retained the same administrative framework
as SNMPv1 (with all of the accompanying deficiencies), but using
the new protocol operations.
More recently, a new administrative framework has been developed,
building on the various competing SNMPv2 proposals, and using the
same SNMPv2 protocol operations. This is SNMPv3, which is defined
in RFCs 3411-3418. It addresses some of the deficiencies of the
community-based versions, including significant improvements to
the security of SNMP requests (like it finally has some!).
SNMPv3 is now a full IETF standard protocol.
Strictly speaking, SNMPv3 just defines a fairly abstract framework,
based around the idea of "Security Models" and "Access Control Models".
It's this combination of SNMPv3 plus accompanying models that actually
provides a working SNMP system.
However, the only models in common use are the "User-based Security
Model" (RFC 3414) and the "View-based Access Control Model" (RFC 3415).
So "SNMPv3" is frequently used to mean the combination of the basic
SNMPv3 framework with these two particular models.
This is also sometimes described as "SNMPv3/USM".
So in brief:
- SNMPv2c updated the protocol operations
but left the administrative framework unchanged.
- SNMPv3 updated the administrative framework
but left the protocol operations unchanged.
Which versions of SNMP are supported in this package?
----------------------------------------------------
This package currently supports the original SNMPv1, Community-based
SNMPv2 (i.e. RFCs 1901-1908), and SNMPv3 (i.e. RFCs 3411-3418).
The agent will respond to requests using any of these protocols,
and all the tools take a command-line option to determine which
version to use.
Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452)
was dropped with the 4.0 release of the UCD-snmp package.
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
------------------------------------------------------------
Yes.
The version of the syntax used to define a MIB file
is better referred to as SMIv1 or SMIv2, and is purely
concerned with defining the characteristics of the
various management objects. This is (almost) completely
unrelated to the versions of the protocol operations.
So it is quite reasonable to use SNMPv1 requests on
objects defined using SMIv2, or SNMPv2 (or SNMPv3)
requests on objects defined using SMIv1.
The one exception is objects of syntax Counter64,
which are only accessible using SNMPv2 or higher.
SNMPv1 requests will either treat such objects as an
error, or skip over them completely.
Where can I find more information about network management?
----------------------------------------------------------
There are a number of sites with network management information on
the World Wide Web. Three of the most useful are
http://www.snmpweb.org/
http://www.snmplink.org/
http://www.mibdepot.com/
There are two Usenet newsgroups which are relevant.
'comp.dcom.net-management'
which discusses general issues relating to network management
'comp.protocols.snmp'
which is specifically concerned with use of SNMP in particular
(though there is a large overlap between these two groups).
The SNMP group also has an FAQ (split into two parts) which discusses more
general issues related to SNMP, including books, software, other sites,
how to get an enterprise number, etc, etc.
This is available from
ftp://rtfm.mit.edu/pub/usenet/comp.protocols.snmp/
or via any of the Web sites above.
Is Net-SNMP thread safe?
-----------------------
Strictly speaking, no. However, it should be possible to use the
library in a thread-safe manner. This is covered in detail in the file
README.thread (shipped with the standard distribution), but can be
summarised as follows:
- Call 'snmp_sess_init()' prior to activating any threads.
This reads in and parses MIB information (which isn't thread-safe)
as well as preparing a session structure for subsequent use.
- Open an SNMP session using 'snmp_sess_open()' which returns an
opaque session handle, which is essentially independent of any
other sessions (regardless of thread).
- Resource locking is not handled within the library, and is the
responsibility of the main application.
The applications and the agent have not been designed for threaded use.
It should be safe to use the agent library to embed a subagent within
a threaded application as long as *all* SNMP-related activity (including
generating traps, and parsing MIBs) is handled within a single thread.
APPLICATIONS
============
How do I add a MIB?
------------------
This is actually two separate questions, depending on whether you
are referring to the tools, or the agent (or both).
See the next question or the next section respectively.
How do I add a MIB to the tools?
-------------------------------
Firstly,
cp MY-MIB.txt /usr/local/share/snmp/mibs
or
mkdir $HOME/.snmp
mkdir $HOME/.snmp/mibs
cp MY-MIB.txt $HOME/.snmp/mibs
And then,
export MIBS=+MY-MIB
or alternatively:
echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf
Note that you need *both* steps.
The first command copies the file defining the new MIB to a
expected location for MIB files. This defaults to
/usr/local/share/snmp/mibs (or PREFIX/share/snmp/mibs if the the
suite was installed into a different base location). Some
ready-packaged distributions (such as Linux RPM packages) may look
for MIB files in a different location, such as /etc/snmp/mibs - put
the new file in this directory instead. This makes it available for
everyone on the system.
The tools will also look for mibs in your personal $HOME/.snmp/mibs
directory, but this will only work for you.
The second command tells the tools to load in this new MIB file as well
as the default set. Note that the tools do *not* load every MIB found
in the directory - this is to avoid slowing them down excessively when
there is a large collection of MIB files. If you do want the tools to
load all the MIB files, set the environmental variable MIBS to the special
value "ALL".
Note that the value for this variable is the name of the MIB module,
*not* the name of the MIB file. These are typically the same (apart
from the .txt suffix), but if in doubt, check the contents of the file.
The value to use is the token immediately before the word DEFINITIONS
at the start of the file. Of course, if you load 'ALL' mibs, then this
distinction is irrelevant.
Most of the tools (apart from 'snmptable') will work quite happily
without any MIB files at all, as long as you are prepared to work with
numeric OIDs throughout. The MIB files are only used for translating
between numeric and textual forms for queries and responses.
The same holds true for the agent - see the AGENT section for details.
Why can't I see anything from the agent?
---------------------------------------
There are two main general causes of problems retrieving information
from the agent. Firstly, the variable (or variables) specified may
not be recognised by the tools as valid names. In this case, the
tools will typically reject the request without ever contacting the
remote agent.
Alternatively, the tool may be happy with the request, but the agent
does not return the corresponding value(s). It may return an explicit
error message instead, or the request may time out without any response
being sent back at all. The next few entries look at these in more detail.
A simple way to tell which is the case would be to run the command
with the command-line option '-d'. If this displays a dump of the
packet, then the request is failing at the agent end. If not, then
it's the client-side which is dropping the request.
Why can't I see values in the <INSERT ENTERPRISE HERE> tree?
-----------------------------------------------------------
Having said that there are two main reasons for not getting a response,
the most likely cause of this problem is actually something else again.
The 'snmpwalk' command takes a point in the overall MIB tree, and tries
to display all the values that lie within this subtree. However, it
actually does this by issuing a series of "getnext" requests, until
the variable returned lies outside the subtree of interest. If the
very first request returns such an undesired value, then the command
will terminate, without having displayed anything at all.
If an expicit starting point is given to 'snmpwalk', then it is reasonably
clear what is happening, and that there is simply nothing in the subtree
specified. However, if 'snmpwalk' is called without giving an explicit
starting point, then it will display the contents of the 'mib-2' subtree.
It will not attempt to traverse any 'private.enterprise' subtree, such as
the UCD-specific objects (including any local extensions).
To walk the whole tree, specify a starting point of '.iso'
To walk a specific enterprise subtree, specify the root of this as
the starting point - e.g:
snmpwalk -v1 -c public localhost ucdavis
Or, of course, you can walk a selected portion of an enterprise subtree
by specifying the appropriate starting point - e.g:
snmpwalk -v1 -c public localhost ucdavis.version
If you still can't see any information, keep reading. The next few
questions will probably help you.
Requests always seem to timeout, and don't give me anything back. Why?
----------------------------------------------------------------------
There are a number of possible causes of this.
The most likely are the agent access control settings (who is allowed
access by the agent itself), or firewall/packet filtering settings
(who is allowed access by the underlying operating system).
A fuller list of possible causes (with indications of how to check
for each) is as follows:
- is the machine you are querying up and running?
(Does it respond to 'ping' or similar requests?)
- is there an SNMP agent running on it?
(Run 'ps -ef | grep snmp' or 'netstat -an | grep 161')
- are the requests arriving, or being blocked (e.g. by a firewall)?
(Restart the agent using 'snmpd -f -Le -d'
and see if it shows the incoming packet dumps)
- is the agent simply taking a long time to respond?
(The 'snmpd -f -Le -d' command should show a series of
incoming PDUs, followed eventually by the outgoing PDUs.
Try the request again with a long timeout value,
e.g. 'snmpcmd -t 120 ....')
- do the agent's control settings allow this request?
(The 'snmpd -f -Le -d' command will show a series of
incoming PDUs with *no* corresponding outgoing PDUs)
If the agent is not configured to allow access for a particular community,
then no error response will be returned. The Net-SNMP tools will retry
the request a number of times, before reporting a timeout error.
If the agent is configured to allow partial access for a given
community, then requests that fall outside this authorised access
*will* result in an error response.
(SNMP agents can be very fussy over who they talk to!)
See the entries on access control in the AGENT section for how to
configure the Net-SNMP agent to allow suitable access. For other
vendors' agents, you will need to consult the relevant documentation.
I can see the system group, but nothing else. Why?
--------------------------------------------------
This is almost definitely due to the access configuration of the agent.
Many pre-configured systems (such as most Linux distributions) will only
allow access to the system group by default, and need to be configured
to enable more general access.
The easiest way to test this is to try a GETNEXT request that ought
to return the entry of interest.
e.g.
snmpgetnext -v1 -c public localhost ucdavis.version.versionTag
instead of
snmpget -v1 -c public localhost ucdavis.version.versionTag.0
If the agent responds with "end of MIB" or a different object, then
either the agent doesn't implement that particular object at all, or
the access control won't allow you access to it.
See the entries on access control in the AGENT section for how to
configure the Net-SNMP agent, or consult the agent's own documentation.
The agent worked for a while, then stopped responding. Why?
-----------------------------------------------------------
Assuming that the agent hasn't crashed completely, the most likely
explanation is that it's simply overloaded, and is taking longer to
respond than the querying tool is waiting. Since the agent handles
each request in turn, without regard to earlier activity, and most
tools will retry a request when it times out, the list of outstanding
requests can grow longer and longer.
To determine whether this is the cause, try leaving the agent
undisturbed for a while, and then probe it using a single 'snmpget'
or 'snmpgetnext' request, specifying a longer timeout (e.g. '-t 120').
This should give the agent time to handle the request first time round,
and avoids overloading it with duplicate requests.
This is not a full solution, of course, but at least it should
allow you to isolate the offending portion of the tree. The
developers may then be able to offer a more long-term solution.
Requesting an object fails with "Unknown Object Identifier" Why?
----------------------------------------------------------------
If a general snmpwalk shows the entry, but asking for it more
specifically gives a "sub-identifier not found:" or "Unknown Object
Identifier" error, then that's a problem with the tool, rather than
the agent.
Firstly, make sure that you're asking for the object by the right name.
Object descriptors are case-sensitive, so asking for 'sysuptime' will
not be recognised, but 'sysUpTime' will.
Secondly, the object may be defined in a MIB that hasn't been loaded.
Try loading in all the MIB files:
snmpget -m ALL -v1 -c public localhost sysUpTime.0
(though if snmpwalk displays the object by name, this is unlikely to
be the cause).
Thirdly, earlier versions of the UCD software expected "full" paths
for object names, either based at the root of the whole MIB tree
(".iso.org.dod.internet.mgmt.mib-2.system.sysUpTime") or the 'mib-2'
subtree ("system.sysUpTime"). Try:
snmpget -v1 -c public myhost system.sysUpTime.0
These earlier versions of the tools may take a command-line option '-R'
or '-IR' (depending on vintage) to invoke this "random-access" mode.
Note that snmptranslate still requires "random-access" to be specified
explicitly - all other command tools now use this mode by defaults.
All versions of the UCD and Net-SNMP tools accept the syntax
snmpget -v1 -c public myhost RFC1213-MIB:sysUpTime.0
to denote a particular object in a specific MIB module. Note that this
uses the name of the *module*, not the name of the file. See the second
question in this section for the distinction.
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
------------------------------------------------------------------
There are a number of possible causes of this (scattered throughout
this FAQ, so keep reading!). But one of the most likely snares for
the unwary is forgetting the instance subidentifier for 'non-table'
objects. If you walk the 'system' tree, you'll notice that all the
results (apart from the sysORTable), have a '.0' at the end of the OID.
This is the "instance sub-identifier" - which *must* be included for
a GET request.
Compare the following:
$ snmpget -v1 -c public localhost sysUpTime
Error in packet
Reason: (noSuchName) There is no such variable name in this MIB.
This name doesn't exist: system.sysUpTime
$ snmpget -v1 -c public localhost sysUpTime.0
system.sysUpTime.0 = Timeticks: (69189271) 8 days, 0:11:32.71
This is a little less obscure when using SNMPv2c or v3 requests:
$ snmpget -v 2c -c public localhost sysUpTime
system.sysUpTime = No Such Instance currently exists
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
--------------------------------------------------------------------------
This depends on which MIB modules are supported by the agent you are
querying and what you're asking for.
Recall that a tree is walked by repeatedly asking for "the next entry" until
all the values under that tree have been retrieved. However, the agent has
no idea that this is what's happening - all it sees is a request for "the
next entry after X".
If the object X happens to be the last entry in a sub-tree, the agent will
provide the next object supported (as requested) even though this will be
in a different subtree. It's up to the querying tool to recognise that
this last result lies outside the area of interest, and simply discard it.
If the object X happens to be the last entry supported by the agent, it
doesn't have another object to provide, so returns an "end of MIB"
indication. The Net-SNMP tools report this with the message above.
But in either case, the actual information provided will be the same.
I cannot set any variables in the MIB.
-------------------------------------
There are three possible reasons for this:
The majority of MIB objects are defined as "read-only" and inherently
cannot be changed via SET requests.
Of those that can in principle be changed, not all have been implemented
as such in this agent.
Even if SET support has been implemented, the agent may not be configured
to allow write access to this object.
The example configuration file shipped with the basic distribution only
allows write access for the local host itself (and a suitable community
name must be configured first).
Ready-installed distributions (such as those shipped with Linux) tend
to be configured with read-only access to part of the mib tree (typically
just the system group) and no write access at all.
To change this, you will need to set up the agent's access control
configuration. See the AGENT section for more details.
Note that neither the community string "public" nor "private" can be
used to set variables in a typical default configuration.
Variables seem to disappear when I try to set them. Why?
--------------------------------------------------------
This is actually the same as the previous question - it just isn't
particularly obvious, particularly when using SNMPv1. A typical
example of this effect would be
$ snmpget -v1 -c public localhost system.sysLocation.0
system.sysLocation.0 = somewhere nearby
$ snmpset -v1 -c public localhost system.sysLocation.0 s "right here"
Error in packet.
Reason: (noSuchName) There is no such variable name in this MIB.
This name doesn't exist: system.sysLocation.0
Trying the same request using SNMPv2 or above is somewhat more informative:
$ snmpset -v 2c -c public localhost system.sysLocation.0 s "right here"
Error in packet.
Reason: notWritable
The SNMPv1 error 'noSuchName' actually means:
"You can't do that to this variable"
This might be because the variable doesn't exist, it does exist but
you don't have access to it (but someone else may do), or it exists
but you can't perform that particular operation (i.e. changing it).
Similarly, the SNMPv2 error 'notWritable' means "not writable in
this particular case" rather than "not writable under any circumstances".
If you are sure that the object is writable (and has been implemented
as such), then you probably need to look at the agent access control.
See the AGENT section for more details.
I still can't change sysLocation, though the access settings allow it. Why not?
-------------------------------------------------------------------------------
One other possibility for the 'sysLocation' and 'sysContact' objects,
is that you've got a configuration option in the 'snmpd.conf' file which
already sets the corresponding value there.
Earlier versions of the agent would allow you to write to these objects,
but the new value would be forgotten the next time the agent was re-started.
More recent versions of the agent reject such write requests if there's a
value set via the config file. If there isn't such a config setting, then
the write request will succeed (assuming the access settings allow it), and
the new value will be retained the next time the agent restarts.
I get an error when trying to set a negative value - why?
--------------------------------------------------------
This is a different problem. What's happening here is that the
routine that parses the arguments to the 'snmpset' command is seeing
the '-' of the new value, and treating it as a command-line option.
This normally generates an error (since digits probably aren't valid
command line option).
The easiest way to solve this is include the "end-of-option"
indicator '--' in the command line, somewhere before the new value
(but after all of the options, obviously). For example:
snmpset -v 2c -c public localhost -- versionRestartAgent.0 i -1
(This will also fail, since -1 isn't an acceptable value for this
object, but it will be rejected by the agent, rather than confusing
the snmpset command!)
I get an error when trying to get a string-indexed table value - why?
--------------------------------------------------------------------
This is probably due to the shell swallowing the quotes, before
they ever get to the SNMP command's OID parser. Try escaping them:
snmpget ..... vacmSecurityModel.0."wes"
or snmpget ..... 'vacmSecurityModel.0."wes"'
How do I send traps and notifications?
---------------------------------------
Traps and notifications can be sent using the command 'snmptrap'.
The following examples generate the generic trap 'coldStart' and a
(dummy) enterprise specific trap '99' respectively:
snmptrap -v 1 -c public localhost "" "" 0 0 ""
snmptrap -v 1 -c public localhost "" "" 6 99 ""
The empty parameters "" will use suitable defaults for the relevant
values (enterprise OID, address of sender and current sysuptime).
An SNMPv2 or SNMPv3 notification (either trap or inform) takes
the OID of the trap to send:
snmptrap -v 2c -c public localhost "" UCD-SNMP-MIB::ucdStart
snmptrap -v 2c -c public localhost "" .1.3.6.1.4.1.2021.251.1
(These two are equivalent ways of specifying the same trap).
Any of these commands can be followed by one or more varbinds,
using the same (OID/type/value) syntax as for 'snmpset':
snmptrap -v 2c -c public localhost "" ucdStart sysContact.0 s "Dave"
Generating traps from within the agent is covered in the AGENT and
CODING sections.
You should also read the snmptrap tutorial at
http://www.net-snmp.org/tutorial-5/commands/snmptrap.html
which will help you understand everything you need to know about traps.
How do I handle traps and notifications?
---------------------------------------
Handling received traps is done using the tool 'snmptrapd'.
This can log these traps via the syslog mechanism:
snmptrapd -s -l7 (log to 'LOCAL7')
printed to standard output
snmptrapd -f -P
or pass them to an external command. This last approach uses
a 'traphandle' directive in the configuration file 'snmptrapd.conf'.
A typical file might look something like:
traphandle .1.3.6.1.6.3.1.5.1 page_me up
traphandle .1.3.6.1.4.1.2021.251.1 page_me up
traphandle .1.3.6.1.4.1.2021.251.2 page_me down
traphandle default log_it
where 'page_me' and 'log_it' are the command to be run. (You probably
need to specify full pathnames, to ensure that the commands will be
found. They're just short here for readability).
Note that the first entry uses the OID corresponding to the SNMPv1
'coldStart' trap. See the co-existence RFC (RFC 2576) for details
of mapping SNMPv1 traps to SNMPv2 OIDs.
There's a tutorial with more details on the web site at
http://www.net-snmp.org/tutorial-5/commands/snmptrap.html
My traphandler script doesn't work when run like this - why not?
---------------------------------------------------------------
If a traphandler script works fine when run manually from the
command line, but generates an error when triggered by an incoming
notification, then this is probably down to one of two likely causes.
Firstly, the interactive shell environment may not be precisely
the same as that for programs executed by the snmptrapd daemon.
In particular, it's quite possible that the PATH environmental
variable may not include all the additional directories that are
commonly set up for a personal login configuration. To avoid this
problem (particularly for traphandler shell scripts), it's worth
giving the full path to all programs used within the script.
Secondly, the snmptrapd daemon may not always recognise the
appropriate interpreter to use for a particular trap handler.
If this is the case, then you can specify this interpreter
explicitly as part of the trap handle directive:
traphandle default /usr/bin/perl /usr/local/bin/log_it
Note that in this case, it's almost certain that you'll also
need to give the full path to the traphandle script (as shown)
The ucdShutdown trap OID received by my manager is wrong. Why?
-------------------------------------------------------------
This is due to the way that traps are converted between
SNMPv1 and SNMPv2 formats. The algorithm used for converting
from an SNMPv1 enterprise-specific trap number, to an SNMPv2
trap OID results in a penultimate '0' subidentifier, before
the trap number itself. The definition of the trap objects
in the UCD-SNMP-MIB file does not include this subidentifier.
In due course, the intention is to define a new set of MIB
objects, under the 'net-snmp' enterprise tree. This will
include new trap OIDs, which will be designed such that
this problem does not arise in the future.
Why does snmptrapd complain about AgentX?
----------------------------------------
Starting from the v5 release, the trap handling daemon has
implemented the notification logging aspects of the NOTIFICATION-MIB
(RFC 3014). This is handled by the trap handler daemon registering
as an AgentX subagent, to supply this statistical information.
If there is no AgentX master agent available, this registration
fails, generating the warning about "failed to connect to the agentx
master". This warning only appears between version 5.0 and 5.0.4
(in 5.0.4 and after the warning was silenced). This failure does
not affect the main operation of the trap handler. It simply means
that the nsmLog information won't be available for query via SNMP.
Basically, this is a warning that can safely be ignored.
How do I use SNMPv3?
-------------------
The simplest form of SNMPv3 request (unauthenticated, unencrypted)
would be something like:
snmpget -v 3 -l noAuthNoPriv localhost sysUpTime.0
An authenticated request would specify a username and pass phrase:
snmpget -v 3 -l authNoPriv -u dave -A "Open the Door"
localhost sysUpTime.0
A fully secure request would also specify the privacy pass phrase:
snmpget -v 3 -l authPriv -u dave -A "Open the Door"
-X "Bet you can't see me" localhost sysUpTime.0
In practise, most of these would probably be set via configuration
directives in a personal $HOME/.snmp/snmp.conf file (note, *not* the
agent's snmpd.conf file). The equivalent settings for the third
example would be:
defSecurityName dave
defSecurityLevel authPriv
defAuthPassphrase "Open the Door"
defPrivPassphrase "Bet you can't see me"
If the AuthPassphrase and the PrivPassphrase are the same, then you
can use the setting
defPassphrase "Open the Door and see me"
instead.
See the AGENT section for how to configure the agent to respond to
SNMPv3 requests.
How big can an SNMP request (or reply) be?
-----------------------------------------
The protocol definition specifies a "minimum maximum" packet size
(484 bytes for UDP), which all systems must support, but does not
attempt to define an upper bound for this maximum size. This is left
to each individual implementation.
The UCD software uses a fixed size buffer of 1472 bytes to hold the
encoded packet, so all requests and responses must fit within this.
Unfortunately, it's not possible to predict how many varbinds this
corresponds to, since it depends on the type and actual values being
sent, as well as the corresponding OIDs.
As a rule of thumb, sending 400 integer-valued varbinds seems to
work OK, while 300 string-valued varbinds triggers an overrun.
The Net-SNMP releases handle packet buffers rather differently,
and are not subject to the same fixed restrictions.
How can I monitor my systems (disk, memory, etc)?
------------------------------------------------
In general, the Net-SNMP suite consists of relatively low-level
tools, and there is nothing included that is designed for high-level,
long-term monitoring of trends in network traffic, disk or memory
usage, etc.
There are a number of packages available that are designed for this
purpose. Two of the most widely used are MRTG (http://www.mrtg.org/)
and Cricket (http://cricket.sourceforge.net/). There are details of
how to set up Cricket to monitor some of the UCD extensions at
http://www.afn.org/~jam/software/cricket/
We have also set up a page that describes in detail how MRTG
can be set up to monitor disk, memory and cpu activity at
http://www.net-snmp.org/tutorial-5/mrtg/index.html
There is also a web-based network configuration system "Net-Policy",
based upon SNMP. This is not strictly connected to the Net-SNMP project,
but a number of the core developers are also involved with that system.
See http://net-policy.sourceforge.net for more details.
Applications complain about entries in your example 'snmp.conf' file. Why?
--------------------------------------------------------------------------
The example configuration file 'EXAMPLE.conf' is designed as a config
for the agent, and should be installed as 'snmpd.conf' (note the 'd').
The file 'snmp.conf' is intended for general configuration options,
applicable to all applications (via the SNMP library).
Rename (or merge) the 'snmp.conf' file to 'snmpd.conf', and this should
fix the problem.
Note that there is no example snmp.conf shipped with the standard
distribution.
OK, what should I put in snmp.conf?
----------------------------------
This is used to set common configuration values for most of the
applications, to avoid having to specify them every time. Examples
include the SNMPv3 settings mentioned above, defaults for which MIBs
to load and where from, and the default SNMP version, port and
(if appropriate) the community string to use.
Some of these (such as the MIB file location), might belong in a
shared snmp.conf file (typically /usr/local/share/snmp/snmp.conf or
/etc/snmp/snmp.conf) to apply to all users of the system. Others
(particularly the SNMPv3 security settings), are more likely to refer
to a particular user, and should go in a personal snmp.conf file
(typically $HOME/.snmp/snmp.conf).
Note that the Net-SNMP package does not come with an example snmp.conf
file. See 'snmpget -H' and/or the snmp.conf(5) man page for more details.
You can also use the "snmpconf" command to help you generate your
snmp.conf configuration file (just run it and answer its questions).
PERL
====
Where can I get the perl SNMP package?
-------------------------------------
Joe Marzot's excellent perl SNMP module, which requires the ucd-snmp
library, is now included in the ucd-snmp source release. It's
located in the perl/SNMP subdirectory of the ucd-snmp source tree.
It can also be found at any Comprehensive Perl Archive Network
(CPAN) site mirror in modules/by-module/SNMP. To find the CPAN site
nearest you, please see http://www.cpan.org/SITES.html.
With the v5 release of the Net-SNMP suite, this is now accompanied by
a number of perl modules grouped together under the NetSNMP namespace.
Consult the README file in the SNMP perl module distribution to find
out what version of the ucd-snmp library it needs to be linked against.
How do I install the Perl SNMP modules?
--------------------------------------
Assuming you have a reasonably new (and properly configured) perl system,
this should be simply:
cd perl (for 5.0.x)
or cd perl/SNMP (for 4.2.x)
perl Makefile.PL
(press RETURN when prompted for host and community)
make
make test
make install (probably as root)
Note that with the 5.0 release line, there are additional SNMP-related
perl modules that should probably be installed as well. These can also
be found under the 'perl' subdirectory. At the very least, install the
'default_store' module.
This is not necessary with the 4.2.x releases.
But compiling this fails! Why?
-----------------------------
The perl module tends to delve quite deeply into the internals of the
main Net-SNMP library, and so is quite sensitive to changes within the
library. It's important to use the correct version of the module, that
corresponds to the version of the library you have installed. If you're
working with the main Net-SNMP distribution, the appropriate version of
the perl module is shipped as part of this, but you *must* have
run "make install" on the main Net-SNMP distribution *first*.
If you're working with a ready-installed version of the library, make
sure you obtain a compatible version of the perl module.
Note that the perl modules will be compiled using the compiler
(and compiler settings) used for compiling the original perl binary,
*not* those used for compiling the Net-SNMP (or UCD) library.
If these are different (e.g. 'gcc' used for one and 'cc' for the other)
then this may well cause problems. It's much safer to use a consistent
environment for both. This issue is discussed in greater detail in
the README.solaris file.
Also note that the v5 Net-SNMP suite *must* be configured to provide
shared libraries in order for the perl modules to work correctly. This
is not necessary with the v4 UCD-SNMP libraries.
Compiling the perl module works OK, but 'make test' fails. Why?
--------------------------------------------------------------
That's difficult to answer in general.
Some of the perl tests are rather picky, so this may simply be
some minor inconsistency between your precise setup, and the
expectations of the test environment.
Check that you are working with the perl distribution that matches
the SNMP libraries (use the 'perl/SNMP' in preference to CPAN), and
that you have installed the main libraries successfully (uninstall
any old versions if you're having trouble).
If all this looks OK, and if most of the tests pass, then it's
probably safe to run 'make install' anyway. Probably.
The perl 'make test' fails on the OID tests. Is it safe to continue?
-------------------------------------------------------------------
No. Almost certainly not. If the "perl/OID" tests fail the first
four tests, and then crashes out complaining about a "netsnmp_oidPtr",
then this is a sign of a more fundamental problem.
The 4.2.x line perl support was a single module, so was independent
of the way that the C library was configured. In contrast to this,
the 5.0.x perl support consist of a number of inter-cooperating modules,
which rely on sharing a consistent C library environment. In practise,
this means that the perl modules *MUST* be configured and compiled using
a shared version of the C library. Unfortunately, the default for
most early versions of the Net-SNMP suite was to compile using static
libraries unless explicitly configured to use shared libraries. The
default should be to use shared libraries from 5.0.7 onwards.
The error "oid1 is not of type netsnmp_oidPtr" is a fairly sure indication
that the C library was compiled statically. You'll need to re-configure
the main Net-SNMP package using the "--enable-shared" configure flag.
Then re-install the C library before re-configuring and re-compiling
the perl module support.
Note that this problem does not arise when using the 4.2.x version
of perl support.
I'm trying to use mib2c (or tkmib) and it can't locate SNMP.pm?
------------------------------------------------------------
That's probably because the SNMP perl module hasn't been installed.
It's not part of the standard perl distribution, nor is it installed
by default in RedHat Linux (for example).
You'll need to install it. See the previous two questions.
I'm trying to use mib2c (or tkmib) and it can't load SNMP.so?
------------------------------------------------------------
This is probably the same problem. Either the SNMP module
hasn't been installed, or it's the wrong version. See the
previous two questions.
I'm trying to use tkmib and it can't locate Tk.pm?
-------------------------------------------------
Tk.pm is another Perl package that needs to be installed before tkmib
will run. It's also available on Perl CPAN. We suggest using version
"Tk800.011" or later. It can be installed by issuing the command:
perl -MCPAN -e shell ; "install Tk"
I'm trying to install your RPM, but it complains about missing perl modules. Why?
--------------------------------------------------------------------------------
This has been particularly noted on RedHat 9, complaining about the
module "perl(Term::ReadKey)" - even if this is actually present (e.g.
having been installed directly from CPAN). In fact, this is not
specific to perl modules - the same issue can potentially arise with
other RPM dependencies.
The problem is that the RPM mechanism keeps a local database of what
software packages have been installed, and checks this for any other
features that this RPM requires. If software is installed "manually"
rather than via rpm packages, then it will not appear in this database.
Attempting to install another RPM that rely on this functionality will
then complain about the "missing" package, because the RPM system doesn't
know that's it's actually available.
The ideal solution is to *always* install software using a consistent
mechanism (which may involve building RPMs locally, or looking for a
suitable pre-built version).
Failing this, it's possible to tell the "rpm" command to ignore such
dependencies, and install the package anyway. Try:
rpm -i --nodeps {package}
In this situation, it's then up to you to make sure that any other
necessary packages *are* actually present on the system.
I've got a problem with the Net-SNMP module. Can you help?
----------------------------------------------------------
Sorry, despite the similar-sounding name, the Net-SNMP (or Net::SNMP)
module is nothing to do with this package, or the NetSNMP modules.
Net::SNMP is a "pure-perl" implementation of SNMP support, developed
by David Town. The developers of the (C-based) Net-SNMP suite do
not have any significant experience in using this particular module,
and you'll probably be better off asking for help via CPAN or some
other perl-related forum.
MIBS
====
Where can I find a MIB compiler?
-------------------------------
That depends what you mean by a "MIB compiler". There are at least two
types of tool that are commonly referred to by this name.
The first is a tool to check MIB files for validity. This functionality
is mostly integrated within the MIB parser (part of the Net-SNMP library)
and hence included in all the applications. The tool 'snmptranslate' is
probably the most appropriate for this purpose.
Note that the parser is fairly forgiving (see 'What ASN.1 parser is used'
below), so this should not be regarded as a stamp of approval.
The second type of tool is one to turn a MIB specification into C code,
specifically one designed to aid agent implementation. The command 'mib2c'
is an example of such a tool for the Net-SNMP agent.
See the CODING section for more information.
I can't load any of the mib files, and they seem to be missing
the first two characters of the filename. What's happening?
-----------------------------------------------------------
This is a problem experienced with Sun systems when the tools have
been compiled with a mixture of BSD and Solaris environments.
You'll need to re-configure and compile the tools, making sure that
'/usr/ucb' is not in your PATH (or at least comes at the end).
Why aren't my mib files being read in?
-------------------------------------
The Net-SNMP library only loads a subset of MIB files by default.
This list is set at when the suite is first configured and compiled,
and basically corresponds to the list of modules that the agent supports.
(This is a simplification, but is a reasonable first approximation).
You can override this by using the command-line option '-m', the
environmental variable 'MIBS' or the snmp.conf directive 'mibs'.
Each of these take a (colon-separated) list of MIB module names
to load. Starting the list with a '+' character will add them to
the default list - otherwise it replaces the defaults.
Using the special value 'ALL' will load all the MIB files that
the library can find.
Alternatively, the tools may be looking in the wrong place.
The default location for the mib files is /usr/local/share/snmp/mibs.
Again, this is set when the suite is first configured and compiled.
This can be changed using the environmental variable 'MIBDIRS'
or the snmp.conf directive 'mibdirs'.
Note that this may very well affect you if you've installed a
new version of the suite manually, replacing one provided by the
supplier (which typically would use a more 'central' location).
Finally, are you sure that you've installed the MIB files?
If you've compiled the suite from scratch, you need to run
"make install" at least once, before the tools will be able to
find the MIB files. This is unlikely to be a problem if you've
been working with the tools for a while, but can bite those coming
fresh to the SNMP world.
I'm getting answers, but they're all numbers. Why?
-------------------------------------------------
This is actually the same as the previous question. Because the tools
don't read in every MIB module they can find, it is quite possible
for results from an agent to refer to modules that have not been loaded
(particularly with GETNEXT requests, or when walking a tree).
The tools will report the answer quite correctly, but won't translate
identifiers and enumerations into readable strings. To fix this, use
the environmental variables MIBS or MIBFILES (or the '-m' and '-M' flags)
to read in the relevant module files.
What does "Cannot find module (XXX-MIB)" mean?
---------------------------------------------
This is similar to the previous questions. In this case, it's
stating that it can't find the specified module - either because
it's not installed properly, or the name used is subtly wrong.
If it's just one or two modules that are not being found, check
that the files are in the expected location, are readable, and the
name being used is correct. Note that the name reported is the
name of the MIB module, which is not necessarily the same as the
name of the file. See the question 'How do I add a MIB to the tools?'
for more details on this.
If the tool is generating a whole slew of errors, then it's
likely that either the MIB files haven't been installed at all,
or the library is looking in the wrong place. See the previous
two questions.
What about "unlinked OID"?
-------------------------
This means that the library has been able to find the MIB module,
and parse the individual objects defined in it, but is having problems
linking them together into a consistent tree. In particular, it
can't find an object corresponding to the name within the braces
(i.e. the 'xxx' in '{xxx 99}').
This is probably due either to a typo in this name (remember that
names are case sensitive, so a reference to 'xxx' will *not* match
a definition of 'Xxx'), or else the name is defined in another MIB
file, and this dependency is missing from the IMPORT clause of this
MIB file.
The parser doesn't handle comments properly. Why not?
------------------------------------------------------------
The most likely reason is that the line in question contains two
(or more) sequences of pairs of dashes. This is often used to try
and "comment out" an unwanted line that already contains a comment:
-- broken ::= { myMIB 1 } -- This isn't working yet
The assumption here is that a comment continues to the end of the line.
Unfortunately, this assumption is not correct.
A comment will continue either to the end of the line, or the next
occurance of a pair of dashes. Thus in this case, the definition of
"broken" is commented out (as intended) but the following text is
treated as part of the MIB, and will generate an error.
A similar effect can be obtained when a line of dashes has been used
to try and mark separate parts of a MIB file.
Most of the applications have a command-line option (-Pc) which will
work around this problem by treating the whole line as a comment. But
this is not strictly legal, and the offending MIB file should really be
corrected.
How do I replace MIB values with new ones?
-----------------------------------------
The Net-SNMP parser generally takes the first definition it sees for each
object in the MIB hierarchy. Even if you specify your file to be read
first, if the IMPORTS clauses reference a MIB with competing objects,
those objects will be parsed first.
When specifying the Replace MIB command-line option (-PR), the parser
will use definitions sourced from the most recent MIB file.
The parser will replace MIB objects when the sub-identifier and name match.
Caution: Using Replace MIB, there is NO guarantee that the resulting
MIB tree will be correct. Other MIB objects matching the name but
not the sub-identifier will persist. Sub-hierarchies may be reparented.
In particular, random access searching [see man 1 snmpcmd]
may give unexpected result.
The Replace MIB option is experimental, buyer beware, carpe diem, etc.
Here are a few considerations to help you obtain good results.
These hold true even if you never use the Replace MIB feature.
Your suggestions for improvement are welcomed.
1. The parser searches the specified directories and attempt
to parse every file whose path does not begin with "." (period).
Remove (or rename) older MIB files from these directories.
Rename "README" to ".README" , etc.
2. Hint: the parser's module list is in LIFO order. You may see better
results if the directory with the most correct MIB files is
specified last in the MIBDIRS environment.
3. Constrain the parser to not read in default MIB files by setting
the MIBS environmental variable to the appropriate separator character
(semi-colon on win32, colon everywhere else).
Setting this to "" may also have the same effect.
4. The MIBFILES environment can specify the path of the new MIB file.
Within a program, the call:
/* 4.2.x */
ds_set_boolean(DS_LIBRARY_ID, DS_LIB_MIB_REPLACE, 1 | 0);
or, if using the 5.0.x series code:
/* 5.0.x */
netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_MIB_REPLACE, 1 | 0);
will enable or disable the Replace MIB feature respectively.
If you're having problems loading a particular MIB file, this
call can be used to disable this feature, before using read_mib() to
load the required file, and then re-enabling the Replace MIB feature.
(or vice versa, as appropriate).
How can I get more information about these MIB file problems?
------------------------------------------------------------
The command 'snmptranslate' is used to translate between numeric
and symbolic forms of OIDs. It uses the same routines as the
'active' commands, but does not rely on communicating successfully
with a network management agent. As such, it is a useful tool
for identifying problems with reading in MIB files.
In particular, the following options may be useful in
identifying problems:
-Pw warns about conflicting symbols
-PW prints more verbose warnings about other problems as well
(in both cases, ignore the 'xmalloc' reports)
-T provides sub-options for various views of these entries
There are other '-P' options to control various aspects of MIB parsing.
See the 'snmptranslate(1)' and 'snmpcmd(1)' man pages for more details,
or the tutorial at
http://www.net-snmp.org/tutorial-5/commands/snmptranslate.html
What's this about "too many imported symbols"?
---------------------------------------------
Any MIB file starts with an (optional) list of identifiers that
it "imports" from other files. The parser implements this using
a fixed size buffer to hold the import information.
There are two circumstances in which this can result in the
error message shown above.
Firstly, if the MIB file refers to an unusually large number
of external identifiers. Handling this case requires a (trivial)
patch to the parsing code. Contact the coders list for advice.
(This is extremely rare - the only example that
we've come across is the Cabletron Trap MIB).
Much more common is a syntax error in the IMPORTS clause of the
MIB file in question. In particular, check that this ends in a
semicolon, before going on to the main definition section.
Do I actually need the MIB files?
--------------------------------
Probably not.
The MIB files play two main roles - they are used to translate
between numeric OIDs and the corresponding textual names, and
they define the structure and syntax of the relevant MIB objects.
This second role is perhaps best thought of in terms of a design
document. It's vital while developing an application (typically
the MIB module or handler within the agent), since it defines
what the application (MIB) must actually do. But once the code
has been written, the design document becomes redundent.
The agent then has the same information hardcoded into it
(literally!), and no longer needs the MIB file.
The translation task is not strictly necessary - SNMP will
operate fine without any MIB files at all, as long as you're
happy to work with numeric OIDs throughout, and know which MIB
objects you're interested in. But it's much easier to work with
the (hopefully) meaningful names, enumeration tags and the like,
and to view the description of a particular object.
This requires having the relevant MIB files installed and loaded.
AGENT
=====
What MIBs are supported?
-----------------------
The following MIBs are supported (at least in part and on some systems):
- MIB-2 General network statistics (RFC 1213)
- Host Resources (RFC 1514 and 2790)
- SNMPv3 MIBS (RFCs 2571-5, 3411-3418)
(including USM, VACM, Target
and Notification MIBs)
- DisMan EVENT-MIB
- MTA-MIB (sendmail)
- private agent extensions
(monitor specified processes and disks,
memory, CPU, load average, plus extend
the agent using shell commands)
The Host Resources MIB, the Event MIB and the MTA MIB are not
included by default, and need to be explicitly requested when
the suite is first configured and built.
There are a few other MIB implementations distributed as part of the
source tarball, but these are basically unsupported and most of the
core developers have little or no experience with using them.
What protocols are supported?
----------------------------
The agent supports all three current versions of SNMP (v1, v2c and v3),
over both UDP and TCP transports, as well as a SMUX (RFC 1227) master
agent, AgentX (RFC 2257 ) in both master and subagent roles, and SNMP
proxying.
How do I configure the agent?
----------------------------
That depends on what you want it to do. See the snmpd.conf(5) manual
page for the possibilities.
You can also run the "snmpconf" perl script to help you create this
file. Start off with 'snmpconf -g basic_setup' to get you going.
How do I add a MIB to the agent?
-------------------------------
How do I add functionality?
--------------------------
While simply adding a file to the MIB directory (and possibly tweaking
the list of MIBs to load) is sufficient for the tools, unfortunately
extending the functionality of the agent to include this is not so simple.
In fact, the agent makes little or no use of these files, and will work
quite happily without them. All the information about the syntax and
scope of the variables supported is hardwired into the implementation
of the agent.
There are a number of alternative ways to add functionality for a new
MIB to the agent.
Firstly, it is possible that the agent distribution already includes
the desired functionality, but this has simply not been configured in
to the running version. This is done using the configure option
--with-mib-modules="list"
(where "list" is a space-separated list of modules to include) then
recompiling the agent.
Note that some functionality concerned with monitoring and managing
unix hosts is included in the UCD extension modules, which are located
within the 'private' branch of the MIB tree. This is covered in a later
question in this FAQ.
Secondly, it is possible for the agent to run commands or shell scripts
in response to queries. These can obtain and report the necessary
information, or perform actions as required.
Detailed information and examples are provided in the snmpd(8) and
snmpd.conf(5) manual pages, and the EXAMPLE.conf file.
This is known as "pass-through" support.
Thirdly, it may be possible to link another agent (which already
supports the desired MIB), as a "subagent" of the Net-SNMP master
(or vice versa). The possibilities here are SMUX, AgentX or proxied
SNMP (see the next question but one).
Finally, the agent itself can be extended to support additional MIB
groups, by writing the necessary C code, and including this within
the main agent - either statically compiled in, or dynamically loaded.
This is covered further in the next section.
Note that there is no visible difference between 'pass-through'
MIB support, subagents, and modules implemented within the main agent
itself. Tools querying the agent will see a single MIB structure.
How do I remove a MIB from the agent?
------------------------------------
Deleting the text file for a MIB does not affect the agent, other than
to prevent it from recognising textual names instead of raw OIDs in the
config files. There are three options to prevent the agent returning
information from a particular MIB:
1) re-run configure to exclude the given MIB module, rebuild,
and reinstall:
./configure --with-out-mib-module=host ....
make
make install
2) use access control to exclude the mib from the view used to
query the agent:
com2sec public default public
group public v1 public
group public v2c public
view ourmib included system
view ourmib included printmib
view ourmib excluded host
view ourmib included privatemib
access public "" any noauth exact ourmib none none
3) disable the MIB at runtime
First you need to figure out which MIB modules are being
loaded by getting the agent to report them as they are
initialised:
snmpd -Dmib_init -H
Then turn off the ones you don't want:
snmpd -I -hr_system,hr_storage,hr_device,hr_other,....
I've installed a new MIB file. Why can't I query it?
----------------------------------------------------
Unfortunately, simply installing the MIB file isn't enough for
the agent to automatically provide the corresponding information.
This typically requires writing some code.
See the section CODING, and the on-line documentation.
It may sometimes be possible to achieve the same effect using
the various extension directives, but this typically still involves
providing a suitable script or command. The agent isn't magic
and doesn't know how to locate the MIB information. Somebody
has to tell it.
What's the difference between 'exec', 'sh' and 'pass'?
-----------------------------------------------------
'exec' will fork off the specified command and return the exit status
and/or the output. Arguments are passed directly to the command.
'sh' is similar, but invokes a shell to run the command line given.
This means that quoted arguments will be recognised as such, and also
allows redirection, and other similar shell interpretation.
Neither of these mechanisms require the command to have any
knowledge of the fact that they are being used in this manner.
But the output is returned in a fixed format, and it is up to
the receiving application to interpret this appropriately.
Note that with the 4.2.x and 5.0.x lines, return values are cached
within the agent for 30 seconds, rather than invoking the command
for every request. This does not hold for the 5.1.x agent.
'pass' is a more general mechanism for extending the agent, and the
command given will be invoked for any request within the specific MIB
subtree. Details of precisely how this command will be called in
various circumstances is given in the 'snmpd.conf(5)' man page.
'pass-persist' is similar, but the command will continue running
even once the initial request has been answered.
See 'snmpd.conf(5)' for more details.