AgentX Tutorial using Net-SNMP – Trap implementation

Third one in this series is implementation of SNMP Traps, the method which is the main strength of SNMP. These Traps provide an event based system where NMS relies heavily on the monitored stations to tell them if something of interest has happened. mib2c again provides an easy way to implement traps. This is actually one of the easiest ones of the three in this series. Again as I said before clone my repository and checkout the code to find what was done and how. Following are three commands of interest.


git clone https://github.com/jainvishal/agentx-tutorial.git
git checkout step3_traps_autogenerated
git checkout step3_traps_implement

mib2c provides mib2c.notify.conf to compile the MIB and generate C code. By default it uses SNMPv2 for traps and I leave it as is. Implementation is as simple as copying the data into right variables when time comes and they will be delivered. Continue reading

AgentX Tutorial using Net-SNMP – Simple Table MIB for Dummies

Second in the series of implementing an AgentX agent I describe a simple table implementation. Net-SNMP provides multiple implementations from easy one to more elaborate ones. An approach should be accepted based on the need. For most of the needs MIB for Dummies work (mib2c -c mib2c.mfd.conf). Points to consider for using MIB for dummies are :

  1. Data could be cached and smaller time windows are acceptable where data may be stale compared to real world values (or application can implement a logic to mark cache expired on real value change)
  2. Data reloads are not resource intensive
  3. Data set for table is small so memory foot print of copying to cache will be small

Continue reading

AgentX Tutorial using Net-SNMP – Simple Scalars

Since no good tutorials are available I put together what I learnt. My approach was step by step learning and that is what I describe here. So on day 1 or step one we will see how to create a simple MIB that has only two simple read-only scalars and how to implement them in the agent. I have configured net-snmpd agentx mode to run on TCP. Check this post on how to configure that.

You should clone my git repository and follow the README which describes the changes made. I have created tags in the git repository so it is easy to reference what is done when and for what.

git clone https://github.com/jainvishal/agentx-tutorial.git
git checkout step1_scalars_autogenerated
git checkout step1_scalars_implement

Notes

  1. I used net-snmp 5.7.3 for this tutorial.
  2. My test MIB AGENTX-TUTORIAL-MIB is under experimental branch (.1.3.6.1.3) so my MIB branch is .1.3.6.1.3.9999.
  3. smilint was used to verify that MIB was syntactically correct.
  4. mib2c was used with mib2c.scalar.conf to compile the MIB and generate the code, makefile and agent code.

Now wait for second tutorial where I will implement a simple table using MIB-For-Dummies configuration.

Net-SNMP configuration for non-root AgentX application

It is imperative to run the application when developing it. You may be testing it, debugging it or troubleshooting something. By default Net-SNMP uses named socket for AgentX communication which does not allow a non-root user to connect making troubleshooting difficult. There are security reasons for not allowing this kind of widely open access so do not set this up in your production environment. There are other ways to control the access which I will narrate in future posts.

To enable AgentX and allow non-root applications/Agents to connect to snmpd you can setup TCP socket as follows. TCP socket provides a cleaner access and allows easier troubleshooting e.g you could capture network traffic between snmpd and the AgentX application. Update /etc/snmp/snmpd.conf and ensure that following directives are set for TCP based AgentX communication.

rocommunity public default # or whatever community string/access control you want
master agentx # Run as an AgentX master agent
agentXSocket tcp:localhost:705 # Listen for localhost network connections instead of /var/agentx/master

Restart snmpd (/etc/init.d/snmpd restart)

Alternate is to set correct permissions for /var/agentx/master named socket or whatever you have configured.

Capture local network traffic for multi-homed host

If both end-points of a socket are on local system, network traffic will be seen on loopback interface even if applications are using non-loopback interface (e.g. eth0, wlan0…). Capturing data over loopback is quite obvious. But here I am discussing that applications are using one of the external interfaces (e.g. eth0, eth1, wlan0 …..).

Since both end-points are on  local system, kernel will shunt the traffic and not send it to the wire. The data will be delivered internally by queuing it to the read queue of other end-point. So we cannot capture the traffic on that particular interface, but this traffic is visible on loopback interface. Lets see an example.

I use netcat for setting up our test client and server program. nc -kl 9090 will run server on all interfaces on port 9090. And nc 10.1.1.100 9090 will setup a client. Here 10.1.1.100 is the external IP of my system(wlan0). Now instead of using the interface name associated with that IP (in my case wlan0), we have to use loopback interface lo to capture the traffic as below.

tcpdump -i lo tcp port 9090

Now anything that is typed on the client terminal when sent will be seen by tcpdump. Problem solved.

vpn : Split Tunnel Concept

Once a user starts a vpn client to connect to company extranet, all network traffic is diverted to the vpn tunnel. Routing gets setup by VPN client such that everything would go down the tunnel. Split tunnel can fix that by keeping traffic for internet from tunnel and only direct extranet traffic to the tunnel. But it comes with few risks on its own. Lets review the concept for a minute.

The VPN tunnel can be configured to work in two modes.

  1. Mandatory (default)
    While a client tunnel is established in mandatory mode, all client traffic is tunneled through it by default. This is the default vpn mode. So accessing yahoo.com will go through vpn tunnel to company extranet which will then route it via its own internet connection after applying access policy etc.
  2. Split Tunneled mode
    Split Tunneling allows configuring specific network routes that are then tunneled and sent to the client’s Extranet adapter; any other traffic goes to the local PC Ethernet or Dialup adapter interface. So Split tunneling allows the user to get access to the Internet or print locally even while the system is tunneled into the company Extranet. But this comes with a security issue because it opens a backdoor into the secure office network from internet via the home system. A hacker can exploit the home system and can use that as a jump box to get into the company network. Or if the system at home is infected it will further that infection into office network. That is why organizations want vpn users to ensure they are up to date and have anti-virus installed and most will provide vpn clients that are tightly controlled to enable the Default mode. Continue reading

snmp : find network information of a system centrally

Anyone can login to a system and run ifconfig or netstat or other similar commands to find the network information of a system. But what will be even better? Do it remotely without logging in to each and every system. How? Using snmpwalk one can retrieve all this information provided that subject has both snmpd running, snmpd supporting network information and the querying host is allowed to make SNMP queries. Lets see how.

Interface table is covered by basic SNMP (just like system information, udp, tcp  socket information, address translation and snmp stats etc). Here is how to query the interface table to get the IP address and Subnet mask information.

unixite@sanbox:~/ > snmpwalk -v1 -c public sandboxS:161 1.3.6.1.2.1.4.20.1.1
iso.3.6.1.2.1.4.20.1.1.1.2.3.4 = IpAddress: 1.2.3.4
iso.3.6.1.2.1.4.20.1.1.127.0.0.1 = IpAddress: 127.0.0.1
iso.3.6.1.2.1.4.20.1.1.192.168.1.10 = IpAddress: 192.168.1.10
iso.3.6.1.2.1.4.20.1.1.10.0.0.2 = IpAddress: 10.0.0.2
unixite@sanbox:~/ > snmpwalk -v1 -c public sandboxS:161 1.3.6.1.2.1.4.20.1.3
iso.3.6.1.2.1.4.20.1.3.1.2.3.4 = IpAddress: 255.0.0.0
iso.3.6.1.2.1.4.20.1.3.127.0.0.1 = IpAddress: 255.0.0.0
iso.3.6.1.2.1.4.20.1.3.192.168.1.10 = IpAddress: 255.255.255.0
iso.3.6.1.2.1.4.20.1.3.10.0.0.2 = IpAddress: 255.255.0.0

First one here retrieves the IP addresses on the system while second one get the subnet masks. -c public has to be changed to right community string and also the version if your supports a different one. My system name here is sandboxS and snmpd is listening on default port 161. If not then you can change the port to match yours.

Most often used Network Sniffer flags for tcpdump and snoop

Most often used flags for tcpdump and snoop are below. Snoop is for SunOS while tcpdump is available for mostly all Unix/Linux kinds. We will discuss filters in another post. And to read back and process the captured files, I use wireshark which provides lots of options to deep dive into the packet stream.

Purpose snoop tcpdump Description
Select Interface -d <iface> -i <iface> Not needed if system has only one interface (ignoring localhost)
Capture full -s 0 -s 0 Snap length controls how much to capture. Zero means capture all.
Write capture to a file -o <filename> -w <filename>
Avoid DNS lookups for IPs in capture -r -n So no DNS lookups are performed when displaying real-time capture, good for efficiency

Continue reading