Sunday, October 5, 2014

SNMP Traps in Windows Server

SNMP provides the ability to send traps, or notifications, to advise an administrator when one or more conditions have been met. Traps are network packets that contain data relating to a component of the system sending the trap. The data may be statistical in nature or even status related.

SNMP traps are alerts generated by agents on a managed device. These traps generate 5 types of data:
·    Coldstart or Warmstart: The agent reinitialized its configuration tables.
·    Linkup or Linkdown: A network interface card (NIC) on the agent either failed or reinitialized.
·    Authentication fails: This happens when an SNMP agent gets a request with an unrecognized community name.
·    egpNeighborloss: The agent cannot communicate with its EGP (Exterior Gateway Protocol) peer.
·    Enterprise specific: Vendor-specific error conditions and error codes.

There is a separate service called the SNMP Trap service, which runs on Microsoft operating systems and listens for traps on UDP port 162 by default.
UDP port 161       - SNMP requests (GET* and SET)
UDP port 162       - SNMP notifications  (Traps/Informs)

I want my SNMP manager to listen for SNMP Traps on a different UDP port. Is this possible?
Yes. Open the file named “Services”, which is located in %systemroot%\system32\drivers\etc.
Edit the port number on the following line of the file to your customized port number:
snmptrap 162/udp snmp-trap #SNMP trap

Save the file as it was, with no extension. Restart the SNMP Trap service. Run netstat -ano in a Command Prompt and you should see the SNMP Trap service listening on the new port number.

How do I test if my SNMP Manager is able to receive SNMP Traps?
First, make sure the built-in SNMP Trap service is able to receive traps. If the SNMP Trap service can receive traps, then it is the application that is not working the way it should.

To check the functionality of the built-in SNMP Trap service, do the following:
  1. Create a new folder under any drive (for example: C:\snmputil) on the SNMP Manager machine which is configured to listen for the traps.
  2. Copy the “snmputil.exe” utility to the newly created folder.
     Snmputil.exe is available from the Windows 2000 and Windows Server 2003 Resource Kits.
  3. Open a Command Prompt, change to the directory where you have snmputil.exe (in our example it is C:\snmputil) and run the following command: “Snmputil trap”.
     You will see the following output:
     snmputil: listening for traps...
     Let the command run and do not close the Command Prompt window.
  4. Stop and restart the SNMP Service on any SNMP Agent which is configured to send traps to the SNMP Manager mentioned in step 1 above.
  5. If the test is successful, you should see output like the following in the Command Prompt window on the SNMP Manager machine. This shows that traps generated by the agent are being received:
     snmputil: listening for traps...
     Incoming Trap:
     generic = 0
     specific = 0
     enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.server
     agent = 10.10.10.100
     source IP = 10.10.10.100
     community = public
     Incoming Trap:
     generic = 3
     specific = 0
     enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.server
     agent = 10.10.10.100
     source IP = 10.10.10.100
     community = public
     variable = interfaces.ifTable.ifEntry.ifIndex.1
     value = Integer32 1
     Incoming Trap:
     generic = 3
     specific = 0
     enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.server
     agent = 10.10.10.100
     source IP = 10.10.10.100
     community = public
     variable = interfaces.ifTable.ifEntry.ifIndex.262147
     value = Integer32 262147
Valid snmputil commands:
·    get: This command gets the value of the requested object identifier.
·    getnext: This command gets the value of the next object that follows the specified object identifier.
·    walk: This command steps through (walks) the Management Information Base (MIB) branch that is specified by the object identifier.

Sample Query:
snmputil getnext <machine name> public .1.3

Sample Response:
Variable = String Hardware: x86 Family 15 Model 2 Stepping 4 AT/AT COMPATIBLE
Value = Windows Version 5.2 (Build 3621 Uniprocessor Free)



Where is all of this information stored?
All of the values that SNMP reports are dynamic and are not stored in any file or registry key. However, the information needed to get the specified values is stored in the Management Information Base (MIB). This information ranges from Object IDs (OIDs) to Protocol Data Units (PDUs). The MIBs must be located at both the agent and the manager to work effectively.

Glossary
Manager: Third-party software used to configure thresholds and monitor SNMP information.
MIB: Management Information Base. A database that defines the PDUs and OIDs.
OID: Object Identifier. This is a unique ID that is used to identify system objects; for instance, .1.3.6.1.4.1.311 identifies the Microsoft enterprise.
PDU: Protocol Data Unit. PDUs are the building blocks of SNMP messages.
Trap host: Manager responsible for monitoring SNMP traps.


Know the Difference Between SNMPv1, SNMPv2, and SNMPv3:
SNMPv1 was the first version. Although it accomplished its goal of being an open, standard protocol, it was found to be lacking in key areas for certain applications.

SNMPv2: its advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent will resend the Inform.

Other advantages include:
·  improved error handling
·  improved SET commands

SNMPv3 is the newest version of SNMP. Its primary feature is enhanced security.
SNMPv3 security comes primarily in 2 forms:

  • Authentication: used to ensure that traps are read by only the intended recipient. As messages are created, they are given a special key that is based on the EngineID of the entity. The key is shared with the intended recipient and used to receive the message.
  • Privacy: encrypts the payload of the SNMP message to ensure that it cannot be read by unauthorized users. Any intercepted traps will be filled with garbled characters and will be unreadable. Privacy is especially useful in applications where SNMP messages must be routed over the Internet.
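How the EngineID-based key behind the authentication bullet is actually derived, as an added example that is not from the post: it implements the RFC 3414 User-based Security Model steps, password-to-key (Ku), localization with the snmpEngineID (Kul) and the 12-byte HMAC-96 tag carried in msgAuthenticationParameters, and checks the first two against the RFC's own "maplesyrup" reference vector. The message bytes are a constructed stand-in for a real SNMPv3 packet, the second engine ID is constructed, and privacy (encryption of the scopedPDU) is not shown.

```python
# SNMPv3 USM authentication keys (RFC 3414): password-to-key, localization with
# the snmpEngineID, and the HMAC-96 tag carried in msgAuthenticationParameters.
import hashlib
import hmac

def password_to_key(password: bytes, hashname: str = "md5") -> bytes:
    """RFC 3414 A.2: digest the password repeated out to exactly 1,048,576 bytes (Ku)."""
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.new(hashname, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Tying the key to the engine ID means the
    same password yields a different key on every agent, so a key recovered from
    one device does not authenticate messages for another."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()

def auth_params(kul: bytes, msg_zeroed: bytes, hashname: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 bytes of HMAC(Kul, wholeMsg), computed
    with the 12-byte msgAuthenticationParameters field already set to zeros."""
    return hmac.new(kul, msg_zeroed, hashname).digest()[:12]

def verify(kul: bytes, msg_zeroed: bytes, received: bytes, hashname: str = "md5") -> bool:
    """Receiver recomputes the tag and compares it in constant time."""
    return hmac.compare_digest(auth_params(kul, msg_zeroed, hashname), received)

# RFC 3414 Appendix A.3.1 reference vector: password "maplesyrup", engineID 00..02
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_KU_MD5 = bytes.fromhex("9faf3283884e92834ebc9847d8edd963")
RFC_KUL_MD5 = bytes.fromhex("526f5eed9fcce26f8964c2930787d82b")

def demo():
    """Return the checks a receiving manager's authentication step would make."""
    ku = password_to_key(b"maplesyrup")
    kul = localize_key(ku, RFC_ENGINE_ID)
    other_kul = localize_key(ku, bytes.fromhex("000000000000000000000003"))  # constructed second engine
    # Constructed stand-in for an SNMPv3 message with its auth-parameters field zeroed
    msg = b"constructed-v3-trap-message" + bytes(12)
    tag = auth_params(kul, msg)
    tampered = msg[:10] + b"X" + msg[11:]  # one payload byte altered in transit
    return {
        "ku_matches_rfc": ku == RFC_KU_MD5,
        "kul_matches_rfc": kul == RFC_KUL_MD5,
        "engine_id_changes_key": kul != other_kul,
        "genuine_accepted": verify(kul, msg, tag),
        "tampered_rejected": not verify(kul, tampered, tag),
        "wrong_engine_rejected": not verify(other_kul, msg, tag),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last two checks are the point of the bullet above: a tag computed under one engine's localized key fails on every other engine, and any modification of the message after the tag was computed is detected. Real deployments should use the SHA-based variants (pass hashname="sha1" or stronger as RFC 7860 allows) rather than MD5.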
