This article first appeared in Linux Journal.
It is reprinted and translated with the author's permission.
Introduction
In today's world, where all computing revolves around the concept of networking, the work of system administrators has become more and more overwhelming. Their mission is to maintain the availability of resources such as routers, hubs, servers and every critical device in the network.
There are many reasons managers would like to monitor network devices: bandwidth utilization, operational state of links, bottlenecks, problems with the cabling or routing information distributed between its devices, etc. Monitoring network activity is also a good starting point for discovering security problems and misbehaviors.
In many cases, the network of an organization includes expensive links to remote networks (WAN) or the Internet, whose costs may be based on traffic volume. It's very important to maintain statistics of the traffic going through these links. This is a very common task in Europe, where X.25 links are still widespread; these links are charged on the basis of packets transmitted and received.
Other types of links, like Point to Point or Frame Relay, are usually charged at a flat rate. With these, the telco guarantees a certain bandwidth, and it is important to monitor how much of it is being used.
In the final part of this article we focus on a tool designed to monitor traffic in router interfaces, with a great graphical representation of this information. It can be easily modified to monitor other kinds of information.
What's SNMP?
The answer to all these needs is a protocol named Simple Network Management Protocol (SNMP). Designed in the '80s, SNMP's initial aim was to integrate the management of different types of networks with a simple design that caused very little stress on the network.
SNMP operates at the application level using TCP/IP transport-level protocols, so it can ignore the underlying network hardware. This means the management software uses IP, and so can control devices on any connected network, not just those attached to its physical network. This also has disadvantages: if IP routing is not working correctly between two devices, it's impossible to reach the target to monitor or reconfigure it.
There are two main elements in the SNMP architecture: the agent and the manager. It's a client-server architecture, where the agent is the server and the manager is the client.
The agent is a program running on each of the monitored or managed nodes of the network. It provides an interface to all the items of that node's configuration. These items are stored in a data structure called a management information base (MIB), which we explain later. The agent is the server side, because it maintains the information being managed and waits for commands from the client.
The manager is the software that runs on the monitoring station of the network, and its role is to contact the different agents running in the network and poll them for the values of their internal data. It's the client side of the communication.
There is a special command in the SNMP command set called trap that permits an agent to send unsolicited data to the manager, to inform it of events, such as errors, shutdowns, etc.
In essence, SNMP is a very simple protocol, because all the operations it performs follow the fetch-and-store paradigm, and this allows for a small command set. A manager can perform only two different operations on an agent: request or set the value of a variable in the MIB of the agent. These two operations are known as get-request and set-request. There's a command to respond to a get-request called get-response, which is used only by the agent.
The extensibility of the protocol is directly related to the capability of the MIB to store new items. If a manufacturer wants to add some new commands to a device such as a router, they must add the appropriate variables to its database (MIB).
Almost all manufacturers implement versions of SNMP agents in their devices: routers, hubs, operating systems, and so on. Linux is not an exception to this, and publicly available SNMP agents for Linux can be found on the Internet.
Dealing with Security
SNMP provides very little support for authentication schemes. It supports only a two-password scheme. The public password allows managers to request the values of variables, and the private password allows these values to be set. These passwords in SNMP are called communities. Every device connected to an SNMP-managed network must have these two communities configured.
It is very common to have the public community set to "public" and the private community to "private", but it's very important to change these values to reflect the security policy of your organization.
What's the MIB?
SNMP defines a separate standard for the data managed by the protocol. This standard defines the data maintained by a device in the network and what operations are allowed on it. The data is structured in a tree form, and there is a unique path to reach each variable. This structured tree is called the Management Information Base (MIB) and is documented in several RFCs.
The current version of the TCP/IP MIB is MIB-II and is defined in RFC-1213. It divides the information a TCP/IP device should maintain into eight categories (shown in Table 1), and each variable included in this information must fall into one of them.
Table 1. TCP/IP Information
| Category | Information |
| --- | --- |
| system | The host or router operating system information |
| interfaces | Network interfaces information |
| addr-translation | Address translation information |
| ip | IP protocol information |
| icmp | ICMP protocol information |
| tcp | TCP protocol information |
| udp | UDP protocol information |
| egp | Exterior Gateway Protocol information |
The MIB definition of a particular item also specifies the data type it can contain. Usually, items of an MIB store single integers, but they can also contain strings or more complex structures, like tables. Items in an MIB are called objects. Objects are the leaf nodes of the MIB tree, but an object can have more than one instance: for example, a table object. To refer to the value contained in an object, you must add the number of the instance. When only one instance exists for an object, it is instance 0.
For example, the object ifNumber from category "interfaces" contains an integer with the number of interfaces present in this device, but the object ipRoutingTable from category "ip" contains the routing table of the device.
Remember to use the number of the instance to retrieve the value for an object. In this case, the number of interfaces present in a router can be viewed with the instance ifNumber.0.
In the case of a table object, you must use the index of the table as the last number to indicate a specific instance (row of the table).
There is another standard by which to define and identify MIB variables, called Structure of Management Information (SMI). SMI specifies that MIB variables must be declared in an ISO formal language called ASN.1, which makes the form and contents of these variables unambiguous.
The ISO name space is within a global name space with other trees for other standards organizations. Within the ISO name space there is a specific tree for the MIB information. Within that MIB part of the tree are areas for objects from all protocols and applications so their information can be represented unambiguously.
Figure 1 shows that the TCP/IP MIB name space is located just below the mgmt name space of the IAB. The hierarchy also assigns a number to each of the levels.
Figure 1. TCP/IP Organizational Tree
It's important to notice that most software needs the leading dot (root) to locate the object in the MIB. If you don't include the leading dot, it assumes a path relative to .iso.org.dod.internet.mgmt.mib-2.
This way the object ifNumber from category "interfaces" can be named:
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber
or its numerical equivalent:
.1.3.6.1.2.1.2.1
and the instance as:
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber.0
or its numerical equivalent:
.1.3.6.1.2.1.2.1.0
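The naming rules above (leading dot for an absolute path, otherwise relative to mib-2, and a trailing instance number) are easy to get wrong by hand. The following is an added example, not code from the article or from the CMU-SNMP package: a small resolver that converts symbolic MIB-II paths to numeric OIDs and back. The tree is a hand-built subset of MIB-II; the names and numbers are the RFC 1213 assignments, and the ifEntry columns and ipRouteTable are included so that table instances (row index as the last number) can be shown as well as scalars.

```python
# Added example (not from the article or the CMU-SNMP package): a small
# resolver that turns symbolic MIB-II paths into numeric OIDs and back,
# applying the leading-dot rule described above.  The names and numbers
# below are the RFC 1213 (MIB-II) assignments; only a subset is included.

# Each node is (number, {child name: node}).  The root holds only "iso".
MIB_TREE = {
    "iso": (1, {"org": (3, {"dod": (6, {"internet": (1, {"mgmt": (2, {"mib-2": (1, {
        "system": (1, {
            "sysDescr": (1, {}), "sysObjectID": (2, {}), "sysUpTime": (3, {}),
            "sysContact": (4, {}), "sysName": (5, {}), "sysLocation": (6, {}),
        }),
        "interfaces": (2, {
            "ifNumber": (1, {}),               # scalar: number of interfaces
            "ifTable": (2, {"ifEntry": (1, {   # table: one row per interface
                "ifIndex": (1, {}), "ifDescr": (2, {}), "ifSpeed": (5, {}),
                "ifOperStatus": (8, {}), "ifInOctets": (10, {}), "ifOutOctets": (16, {}),
            })}),
        }),
        "at": (3, {}),                         # address translation
        "ip": (4, {"ipForwarding": (1, {}), "ipRouteTable": (21, {})}),
        "icmp": (5, {}), "tcp": (6, {}), "udp": (7, {}), "egp": (8, {}),
    })})})})})}),
}

# Paths without a leading dot are taken relative to mib-2, as the article notes.
MIB2_PREFIX = ".iso.org.dod.internet.mgmt.mib-2"


def resolve_oid(path):
    """Symbolic path -> numeric OID, e.g. 'interfaces.ifNumber.0' -> '.1.3.6.1.2.1.2.1.0'.

    Trailing numeric components are the instance (0 for scalars, the row
    index for table objects) and are copied through unchanged.
    """
    if not path.startswith("."):
        path = MIB2_PREFIX + "." + path
    parts = path.lstrip(".").split(".")
    numbers = []
    children = MIB_TREE
    for i, part in enumerate(parts):
        if part.isdigit():
            rest = parts[i:]
            if not all(p.isdigit() for p in rest):
                raise ValueError(f"symbolic name after instance number in {path!r}")
            numbers.extend(int(p) for p in rest)
            break
        if part not in children:
            raise KeyError(f"unknown object {part!r} in {path!r}")
        number, children = children[part]
        numbers.append(number)
    return "." + ".".join(str(n) for n in numbers)


def describe_oid(oid):
    """Numeric OID -> symbolic path; sub-identifiers below a known leaf are the instance."""
    names = []
    children = MIB_TREE
    parts = [int(p) for p in oid.strip(".").split(".")]
    for i, number in enumerate(parts):
        match = next((name for name, (num, _) in children.items() if num == number), None)
        if match is None:
            names.extend(str(n) for n in parts[i:])
            break
        names.append(match)
        children = children[match][1]
    return "." + ".".join(names)


if __name__ == "__main__":
    for name in ("interfaces.ifNumber.0", "system.sysName.0",
                 "interfaces.ifTable.ifEntry.ifInOctets.3"):
        print(f"{name:45} -> {resolve_oid(name)}")
    print(describe_oid(".1.3.6.1.2.1.2.1.0"))
```

Running the script prints the numeric form of the three example paths and the symbolic form of .1.3.6.1.2.1.2.1.0; the third path illustrates the table case from the text, where the final 3 is the row index of ifTable rather than instance 0.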
Additional MIBs can be added to this tree as vendors create them and publish the suitable RFCs.
What's the Future of SNMP?
A new specification called SNMPv2 is being actively developed. It addresses the lack of security of the current protocol with mechanisms that focus on privacy, authentication and access control. It also allows more complex specification of variables and has some additional commands. The problem with SNMPv2 is that it still is not a commonly accepted standard, unlike SNMPv1. It is not easy to find SNMPv2 versions of the agents and software to take advantage of the new commands. Let's see what happens in the near future...
SNMP with Linux
One of the most popular SNMP packages is CMU-SNMP. Originally designed by Carnegie Mellon University, it has been ported to Linux by Juergen Schoenwaelder and Erik Schoenfelder. It's fully compliant with the SNMPv1 standard and includes some of the new proposed functionalities of SNMPv2.
The distribution contains some manager tools that let you send requests, from the command line, to devices running SNMP agents. It also contains an SNMP agent program, designed to run under Linux, that provides managers running on the network (or on the same system) with information about the status of the interfaces, the routing table, uptime, contact information, etc.
One very valuable add-on that comes with CMU-SNMP is an SNMP C API, which lets programmers build more complex management tools based on the networking capabilities of the distribution.
The installation on a Linux system is easy, but a little different from the original CMU distribution. The distribution comes with precompiled binary versions of the manager tools, the daemon and the API library.
First of all, you must decide whether to get the binary or the source distribution. It's easy to locate the package on the Internet (check the resources sidebar). The binary distribution runs cleanly with the 2.0 kernel series and is ELF-based. We will explain how to install the binary distribution. It's a good practice to get binary distributions only from trusted sites to avoid viruses, Trojan-horse style attacks and other security problems.
Put the file cmu-snmp-linux-3.2-bin.tar.gz in the root directory (/) of your Linux system and decompress it with the command:
gunzip cmu-snmp-linux-3.2-bin.tar.gz
Then, untar the distribution to its final location with the command:
tar xvf cmu-snmp-linux-3.2-bin.tar
Now you will have all the utilities and libraries properly installed on your system, except the SNMP agent configuration file /etc/snmpd.conf. You can create it by running the script:
/tmp/cmu-snmp-linux-3.2/etc/installconf
with these options:
/tmp/cmu-snmp-linux-3.2/etc/installconf -mini password
where password is the public community you want to use. Now you can edit the newly installed configuration file /etc/snmpd.conf. In it, you can change the values for the UDP port used by the agent, the systemContact, systemLocation and systemName variables and the interface speed parameters for your network cards and PPP ports.
The most important management tools you get are:
- /usr/bin/snmpget A tool designed to ask for a concrete value in the MIB of an agent in the network (a router, a hub, etc.).
- /usr/bin/snmpgetnext It allows you to get the next object in an MIB tree without knowing its name.
- /usr/bin/snmpset A tool to set values in remote agents.
- /usr/bin/snmpwalk A tool that requests a complete object or series of objects without having to specify the exact instance. It's useful for requesting table objects.
- /usr/bin/snmpnetstat A netstat-like tool that obtains its information from a remote agent via SNMP.
- /usr/bin/snmptrapd A daemon that listens for traps sent by agents.
- /usr/bin/snmptest An interactive tool designed to demonstrate the capabilities of the API.
The agent itself is installed as /usr/sbin/snmpd.
CMU-SNMP also installs an MIB file in /usr/lib/mib.txt. It's a good reference to search for information we can request from a device.
The agent must be run at startup time, and can be set up with this line in one of your system boot files (/etc/rc.d/rc.local, for example):
/usr/sbin/snmpd -f ; echo 'starting snmpd'
Once you have the SNMP agent running for your Linux box, you can test it with one of the management tools, entering:
/usr/bin/snmpget -v 1 localhost public interfaces.ifNumber.0
which will return the number of network interfaces configured in the system, and:
/usr/bin/snmpwalk -v 1 localhost public system
will return all the values in the system subtree of the MIB. (See Figure 2 for the output of this command.)
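To make concrete what the snmpget command above actually sends, and why the community strings discussed under "Dealing with Security" must be changed from their defaults, here is an added example that is not part of the article or of CMU-SNMP. It hand-encodes the SNMPv1 get-request for interfaces.ifNumber.0 with community "public" using the BER rules of ASN.1 and the tag values of RFC 1157, then parses the resulting datagram the way a monitoring station watching UDP port 161 would, flagging SNMPv1 cleartext communities, the default communities "public" and "private", and set-requests. The audit rules are this example's own choices, not something the article prescribes; the parser handles get/set/response PDUs only, since the SNMPv1 trap PDU has a different layout.

```python
# Added example (not from the article or the CMU-SNMP package): build the
# SNMPv1 get-request that a command such as
#     snmpget -v 1 localhost public interfaces.ifNumber.0
# puts on the wire, then parse the datagram back to show what a passive
# observer of the UDP traffic sees: the community in cleartext.
# Tag values follow RFC 1157 (SNMPv1) and the BER rules of ASN.1.

SEQUENCE, INTEGER, OCTET_STRING, NULL, OBJECT_ID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults the article warns about


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """Minimal two's-complement INTEGER encoding."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def ber_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER: the first two arcs share one octet
    (40*x+y); the rest are base-128 groups with a continuation bit."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return tlv(OBJECT_ID, bytes(out))


def encode_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version (0 for v1), community, GetRequest-PDU }"""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))   # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # id, error-status, error-index
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(str(a) for a in arcs)


def parse_message(datagram):
    """Return (version, community, PDU type name, [OIDs]) from one SNMP datagram."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag == 0xA4:
        raise ValueError("SNMPv1 Trap-PDU has a different layout; not handled here")
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, bindings, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(bindings):
        _, binding, pos = read_tlv(bindings, pos)
        _, oid_body, _ = read_tlv(binding, 0)
        oids.append(decode_oid(oid_body))
    version = int.from_bytes(ver, "big", signed=True)
    return version, comm.decode("latin-1"), PDU_NAMES.get(pdu_tag, hex(pdu_tag)), oids


def audit_datagram(datagram):
    """Findings a monitoring station would raise for a captured SNMP datagram."""
    version, community, pdu_type, _ = parse_message(datagram)
    findings = []
    if version == 0:
        findings.append("SNMPv1: community string travels in cleartext")
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community {community!r} still in use")
    if pdu_type == "set-request":
        findings.append("set-request seen: a write community is in use on this network")
    return findings


if __name__ == "__main__":
    msg = encode_get_request("public", ".1.3.6.1.2.1.2.1.0")   # interfaces.ifNumber.0
    print(msg.hex(" "))
    print(parse_message(msg))
    print(audit_datagram(msg))
```

The 40-byte datagram the script prints contains the ASCII bytes of "public" unchanged, which is the whole security point of the community scheme: anyone who can see the traffic between manager and agent also sees the password, so the communities should be treated as shared secrets and changed from their defaults.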