SNMP (Simple Network Management Protocol) tutorial: basic principles

Introduction

SNMP stands for Simple Network Management Protocol. It was created in 1998 to make monitoring of a large number of network devices easier. There were attempts to create other protocols, like CORBA or TMN, but they did not succeed. Initially it was developed only for monitoring, but by now it allows device control as well. There have been three major versions, SNMPv1, SNMPv2 and SNMPv3, although SNMPv2 in particular went through several major reworks. SNMP allows you to monitor any network device that supports the protocol, and the monitored data ranges from uptime and various CPU load figures to network parameters, device network options and so on.

Architecture:

A network that utilizes SNMP has three major components:

* SNMP manager - a software tool running on the administrator's machine that performs control and gathers data
* SNMP agent - a software tool running on the device that is being controlled
* SNMP MIB - Management Information Base, a structured component that holds the data the agent and manager exchange. In fact it is a kind of database that stores that data.

SNMP agent/manager:

The SNMP manager is a layer or interface between the operator and a node with an SNMP agent running on it. Alternatively, the SNMP agent may be treated as an interface between the SNMP manager and the hardware. The traditional client-server approach does not really apply here to define what the agent and the manager are. The SNMP agent is in fact a service running on the controlled device that processes requests on UDP port 161. The SNMP manager acts as a client that sends requests to the SNMP agent. However, SNMP also has the TRAP, a request or notification (in the latest SNMP versions a trap is sometimes even called a notification) sent from the agent to the manager. In that case the roles are switched: the manager acts as a service listening on UDP port 162, and the agent acts as a client. SNMP works on the Application Layer of the OSI model[1]; traditionally UDP is used as the transport, and the agent and manager interact through encapsulated PDU (Protocol Data Unit) objects. When transport encryption is enabled, TRAPs are sent to UDP port 10162 by default and the remaining communication is done on UDP port 10161. SNMP can be set up to use different ports as well.

SNMP manager -> SNMP(PDU) -> UDP -> IP -> Ethernet -> IP -> UDP -> SNMP(PDU) -> agent

Agents gather information about the network devices and write it to the MIB database, which can be accessed by managers.

How it works

The SNMP manager sends a request to the agent on UDP port 161 from a random port in the ephemeral port range[2], attaching a specific RequestID. The request carries the source address and port. The agent receives the request, parses it and prepares the answer, which is sent to the address and port from the initial request, using the same RequestID. The RequestID is required to match a specific answer to a specific request.

What is SNMP PDU

As mentioned above, an SNMP PDU is a Protocol Data Unit. A PDU carries one of the following PDU commands:

* GetRequest: manager->agent request to get the value of one or more variables.
* SetRequest: manager->agent request to change the value of one or more variables.
* GetNextRequest: manager->agent request to discover the available variables. It returns the variable binding of the next variable in the MIB, so it can be used to go through the whole MIB by iterative requests starting with 0.
* GetBulkRequest: introduced in SNMPv2, basically an improved version of GetNextRequest that allows you to fetch a bulk of data from the MIB in one request.
* Response: returns variables and a confirmation of success or failure.
* Trap: agent->manager asynchronous notification about some event.
* InformRequest: introduced in SNMPv2, a manager->manager notification (later specifications allowed agent->manager use as well) that lets managers share information about MIBs.

PDU structure:

| version | community | PDU-type | request-id | error-status | error-index | variable binding |

* version: SNMP version
* community: a string that defines membership of some group
* PDU-type: a numeric identifier of the PDU command (GetRequest, GetNextRequest, TRAP, etc.)
* request-id: a value that serves as the unique identifier of the request
* error-status: a number that identifies the type of error, or that there is no error
* error-index: if an error occurred, holds a pointer to the object that caused the error

A Trap PDU contains some additional fields that may vary, but generally it has fields that identify the manufacturer of the host, the trap type and a timestamp.
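To make the request/response exchange and the PDU layout above concrete, here is an added Python example (written for this tutorial, not taken from any SNMP implementation or library). It BER-encodes an SNMPv2c GetRequest with the fields listed above, decodes it the way an agent would, builds a Response carrying the same request-id, and shows the manager matching the two by request-id. The community string "public", the request-id 0x1A2B and the TimeTicks value returned by the simulated agent are constructed sample values; no packets are sent.

```python
"""Minimal BER encoder/decoder for an SNMPv2c GetRequest/Response exchange.
Constructed example for this tutorial, not code from any SNMP library."""

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET_REQUEST, PDU_GET_NEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3  # context-specific tags
VERSION_2C = 1  # the version field is 0 for SNMPv1 and 1 for SNMPv2c

def _tlv(tag, body):
    """Tag + definite-form length (short form below 128 bytes, long form above)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def enc_int(value):
    """Minimal-length two's-complement INTEGER."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return _tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:  # continuation bytes carry the high bit
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return _tlv(TAG_OID, bytes(body))

def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")  # never trust the peer's length field
    return tag, bytes(buf[pos:pos + length]), pos + length

def dec_oid(body):
    """Inverse of enc_oid."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    """Varbind value -> Python value (0x41-0x43 are Counter32, Gauge32, TimeTicks)."""
    if tag in (TAG_INTEGER, 0x41, 0x42, 0x43):
        return int.from_bytes(body, "big", signed=(tag == TAG_INTEGER))
    if tag == TAG_OID:
        return dec_oid(body)
    return None if tag == TAG_NULL else body  # OCTET STRING and others stay raw

def build_message(version, community, pdu_type, request_id, varbinds):
    """Message = SEQUENCE { version, community, PDU }, PDU fields as in the table above."""
    vbl = b"".join(_tlv(TAG_SEQUENCE, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(TAG_SEQUENCE, vbl)
    return _tlv(TAG_SEQUENCE, enc_int(version) + _tlv(TAG_OCTET_STRING, community) + _tlv(pdu_type, pdu))

def parse_message(data):
    """Decode a message into a dict keyed by the PDU field names used above."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("message is not a SEQUENCE")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    ints, pos = [], 0
    for _i in range(3):  # request-id, error-status, error-index
        _, val, pos = _read_tlv(pdu, pos)
        ints.append(_decode_value(TAG_INTEGER, val))
    _, vbl, _ = _read_tlv(pdu, pos)
    bindings, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, off = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, off)
        bindings.append((dec_oid(oid), _decode_value(vtag, val)))
    return {"version": _decode_value(TAG_INTEGER, ver), "community": comm.decode(),
            "pdu_type": pdu_type, "request_id": ints[0], "error_status": ints[1],
            "error_index": ints[2], "bindings": bindings}

def demo_exchange():
    """Manager asks for sysUpTime.0; a simulated agent answers with the same request-id."""
    req = build_message(VERSION_2C, b"public", PDU_GET_REQUEST, 0x1A2B,
                        [("1.3.6.1.2.1.1.3.0", _tlv(TAG_NULL, b""))])
    seen = parse_message(req)  # what the agent decodes from the wire
    uptime = _tlv(0x43, (123456).to_bytes(3, "big"))  # constructed TimeTicks value
    resp = build_message(seen["version"], seen["community"].encode(), PDU_RESPONSE,
                         seen["request_id"], [(seen["bindings"][0][0], uptime)])
    answer = parse_message(resp)  # the manager accepts only a Response with its own request-id
    return answer["pdu_type"] == PDU_RESPONSE and answer["request_id"] == 0x1A2B, answer["bindings"]
```

demo_exchange() returns (True, [("1.3.6.1.2.1.1.3.0", 123456)]). Note the bounds check in _read_tlv: a decoder that trusts the length field from the wire can be driven past the end of the buffer by a malformed packet, so every length is compared against the remaining input before any slice is taken.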

SNMP MIB:

As mentioned above, the SNMP MIB is the Management Information Base - a set of control information. Any network node running an SNMP agent exposes its own set of data, which often differs between vendors. Usually they are compatible, and the standards are flexible enough to support this. So different network devices may have different MIBs. Each MIB has a hierarchical tree structure, where each object is characterized by its own Object Identifier (OID). Each branch of the MIB ends with a variable (which also has its own OID) that holds a value written by the SNMP agent. This value is some piece of information about the host running the SNMP agent, such as uptime, CPU load, network load and so on. The Structure of Management Information (SMI) standard and other protocol standards predefine the principles of the MIB tree structure. The ASN.1 (Abstract Syntax Notation One) and BER (Basic Encoding Rules) standards also apply to MIBs, and the MIB tree structure is covered by ISO standards as well. So you can be pretty sure that the MIB is standardized enough.

Here is a picture that depicts a MIB tree (please note that this is a basic picture; real MIB trees may have a much more complex structure with more sub-trees, but the same principles apply to them as well).

So how do we address an object? Each OID consists of a few numbers separated by dots. The numbers have corresponding string names, but SNMP does not have a separate service to resolve names, like DNS; everything is done solely by SNMP. SNMP nodes exchange information in numeric form, and the symbolic view is available only in documentation or for display on screen. The OIDs that correspond to particular MIB objects have specific assignments: the top ones are assigned by ISO/IEC, and all the OIDs below are assigned by the organizations responsible for those branches. The top of the structure is a dot (.).

Let's go down to the iso(1) branch, which contains internet(1) at iso.org.dod.internet; in numeric format it is .1.3.6.1. iso.org.dod.internet consists of:

directory, OID=1.3.6.1.1 (iso.org.dod.internet.directory)
mgmt, OID=1.3.6.1.2 (iso.org.dod.internet.mgmt)
private, OID=1.3.6.1.4 (iso.org.dod.internet.private)

1.3.6.1.2 (iso.org.dod.internet.mgmt) is the most interesting for us. It consists of mib-2 (1), enterprise and some others. This branch is usually the base branch for most network devices, and usually you will get your data from there. For example, to get information about IP addresses you will need:

iso.org.dod.internet.mgmt.mib-2.ip, OID=1.3.6.1.2.1.4
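The name resolution and the iterative GetNext walk described in this section, as an added Python example that is not part of the original article: it translates OIDs between numeric and symbolic form using only the arcs named above (iso, org, dod, internet, directory, mgmt, private, mib-2, ip), then implements GetNext semantics over a small constructed agent table so a subtree walk can be followed end to end. The agent table and its values (sysUpTime, sysName, ipForwarding, one ipAddrTable row) are constructed sample data, not output from a real device.

```python
"""OID name resolution and a lexicographic GetNext walk over a tiny MIB.
Constructed example for this tutorial; the tables below are not a complete MIB."""

# Constructed name table: numeric OID prefix -> symbolic arc name (arcs from the text above).
ARC_NAMES = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.1": "directory", "1.3.6.1.2": "mgmt", "1.3.6.1.4": "private",
    "1.3.6.1.2.1": "mib-2", "1.3.6.1.2.1.4": "ip",
}

# Constructed agent table: instance OID -> value (a tiny mib-2 subset, sample values).
AGENT_MIB = {
    "1.3.6.1.2.1.1.3.0": 4242,                      # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": b"router-1",               # sysName.0
    "1.3.6.1.2.1.4.1.0": 1,                         # ipForwarding.0
    "1.3.6.1.2.1.4.20.1.1.10.0.0.1": "10.0.0.1",    # ipAdEntAddr.10.0.0.1
}

def parse_oid(dotted):
    """'.1.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1); rejects empty or non-numeric arcs."""
    arcs = dotted.strip().lstrip(".").split(".")
    if not arcs or any(not a.isdigit() for a in arcs):
        raise ValueError("malformed OID: %r" % dotted)
    return tuple(int(a) for a in arcs)

def to_symbolic(dotted):
    """Numeric OID -> dotted names where known, numbers elsewhere."""
    arcs = parse_oid(dotted)
    names = []
    for i in range(1, len(arcs) + 1):
        prefix = ".".join(map(str, arcs[:i]))
        names.append(ARC_NAMES.get(prefix, str(arcs[i - 1])))
    return ".".join(names)

def to_numeric(symbolic):
    """iso.org.dod.internet.mgmt -> 1.3.6.1.2, resolving each arc under its parent."""
    reverse = {}
    for prefix, name in ARC_NAMES.items():
        reverse[(prefix.rpartition(".")[0], name)] = prefix  # (parent prefix, name) -> prefix
    prefix = ""
    for label in symbolic.split("."):
        if label.isdigit():
            prefix = prefix + "." + label if prefix else label
        elif (prefix, label) in reverse:
            prefix = reverse[(prefix, label)]
        else:
            raise KeyError("unknown arc %r under %r" % (label, prefix or "root"))
    return prefix

def get_next(oid):
    """GetNext semantics: the smallest instance lexicographically greater than oid.
    Python tuple comparison is exactly the lexicographic ordering of OID arcs."""
    target = parse_oid(oid)
    for cand in sorted(parse_oid(k) for k in AGENT_MIB):
        if cand > target:
            return ".".join(map(str, cand))
    return None  # end of MIB view (a real agent answers endOfMibView)

def walk(subtree):
    """Iterate GetNext from the subtree root until the answer leaves the subtree."""
    root = parse_oid(subtree)
    out, cur = [], subtree
    while True:
        nxt = get_next(cur)
        if nxt is None or parse_oid(nxt)[:len(root)] != root:
            return out
        if parse_oid(nxt) <= parse_oid(cur):
            raise RuntimeError("OID not increasing: %s after %s" % (nxt, cur))  # guards against loops
        out.append((nxt, AGENT_MIB[nxt]))
        cur = nxt
```

walk("1.3.6.1.2.1.4") returns the two ip entries, and to_symbolic on the first of them gives iso.org.dod.internet.mgmt.mib-2.ip.1.0, which is how MIB browsers display numeric answers. The "OID not increasing" check is the same guard that production walkers apply, since an agent that returns a non-increasing OID would otherwise make the walk loop forever.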

SNMP security

A few words about how secure SNMP is. Each version since SNMPv1 has been more secure than the previous one: v1 is the least secure protocol (v1 and v2c authenticate only with a community string sent in cleartext), and v3 is the most secure. SNMPv3 has authentication-based security as well as privacy. It also supports traffic encryption. If you have a choice, use SNMPv3. The following security measures apply to it (extract from the official documentation):

* Verifies the identity of the message's origin by checking the integrity of the data.
* Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp.
* Thwarts replay attacks by checking message stream integrity, including a time stamp.
* Prevents eavesdropping by protocol analyzers, etc., by using encryption.
* Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an access control table (part of policy-based management).
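As an added illustration of the SNMPv3 protections listed above (written for this tutorial from RFC 3414, not code from any SNMP implementation), the Python below implements the User-based Security Model pieces that provide them: password-to-key derivation with per-engine key localization, HMAC-96 message authentication, and the 150-second time window used against replay. The password "maplesyrup" and the engine ID 00 00 00 00 00 00 00 00 00 00 00 02 are the RFC's own Appendix A.3 test vector; the message bytes in demo() are a constructed stand-in for a real SNMPv3 message.

```python
"""SNMPv3 USM building blocks from RFC 3414: password-to-key, key localization,
HMAC-96 authentication and the replay time window. Constructed tutorial example."""
import hashlib
import hmac

ONE_MIB = 1048576
TIME_WINDOW = 150       # seconds, RFC 3414 section 2.2.3
MAX_BOOTS = 2**31 - 1   # an engine whose boots counter reached this value accepts nothing

def password_to_key(password, digest="md5"):
    """Ku = H(password repeated to exactly 1 MiB); the repetition slows offline guessing."""
    pw = password.encode()
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(digest, pw * reps + pw[:rem]).digest()

def localize_key(ku, engine_id, digest="md5"):
    """Kul = H(Ku || snmpEngineID || Ku). Every agent gets a different key, so a key
    recovered from one compromised agent does not work against the others."""
    return hashlib.new(digest, ku + engine_id + ku).digest()

def auth_params(kul, msg_with_zeroed_params, digest="md5"):
    """HMAC-96: HMAC over the whole message with msgAuthenticationParameters set to
    twelve zero bytes, truncated to 12 bytes."""
    return hmac.new(kul, msg_with_zeroed_params, digest).digest()[:12]

def authenticate(kul, msg_with_zeroed_params, received_params, digest="md5"):
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = auth_params(kul, msg_with_zeroed_params, digest)
    return len(received_params) == 12 and hmac.compare_digest(expected, received_params)

def in_time_window(msg_boots, msg_time, local_boots, local_time):
    """Authoritative engine's replay check: same boots counter and the sender's view of
    our engine time within 150 s of the real value. Rejected messages increment
    usmStatsNotInTimeWindows, a counter worth alerting on."""
    if local_boots == MAX_BOOTS:
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW

def demo():
    """RFC 3414 Appendix A.3.1 vector plus a tamper check on a constructed message."""
    engine_id = bytes([0] * 11 + [2])           # 00 ... 00 02, the RFC's sample engine ID
    ku = password_to_key("maplesyrup")
    kul = localize_key(ku, engine_id)
    msg = b"0\x3f\x02\x01\x03" + b"\x00" * 60    # constructed stand-in, auth params zeroed
    mac = auth_params(kul, msg)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])  # one flipped bit in the payload
    return ku.hex(), kul.hex(), authenticate(kul, msg, mac), authenticate(kul, tampered, mac)
```

demo() returns the MD5 Ku 9faf3283884e92834ebc9847d8edd963 and localized key 526f5eed9fcce26f8964c2930787d82b from the RFC, then True for the untouched message and False for the tampered one. Pass digest="sha1" to the same functions for the SHA-1 variant (RFC 3414 A.3.2 gives 6695febc9288e36282235fc7151f128497b38f3f as the localized key).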

Please note: different protocol versions are NOT compatible; their PDU objects have different structures.

SNMP MIB browsing tools and additional reading

There are also browsing tools that allow you to view SNMP MIBs and inspect them visually. Some of the most popular are:

* Free SNMP Walk Tool[3]
* Unbrowse SNMP[4]
* JMIBBrowser[5]

There is also a set of articles, guides and howtos by Harald Tveit Alvestrand from Google: http://www.alvestrand.no/objectid/[6]. Also do not hesitate to read the official documentation: http://www.snmp.com/protocol/index.shtml[7]

Conclusion

Now you are much more familiar with what SNMP is and how it works! This is an important first step towards implementing SNMP-based solutions in your network, which will save you a lot of time and resources, let you control and monitor your network devices and servers, and thus make your life easier.

[1]: https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer
[2]: https://en.wikipedia.org/wiki/Ephemeral_port
[3]: https://www.manageengine.com/products/mibbrowser-free-tool/
[4]: https://www.unleashnetworks.com/
[5]: https://sourceforge.net/projects/jmibbrowser/
[6]: https://www.alvestrand.no/objectid/
[7]: http://www.snmp.com/protocol/index.shtml