1
Frequently Asked Questions (FAQ) for the UCD/Net-SNMP package
2
=============================================================
3
FAQ Author: Dave Shield
4
net-snmp Version: 5.1.1
5
net-snmp/ucd-snmp Project Leader: Wes Hardaker
6
Email: net-snmp-coders@lists.sourceforge.net
15
What documentation is available?
16
Are there binaries available?
17
What's the difference between UCD-SNMP and Net-SNMP?
18
What operating systems does it run on?
19
What happens if mine isn't listed?
20
Does it run on Windows?
21
How do I find out about new releases?
22
How can I find out what other people are doing?
23
How do I submit a patch or bug report?
24
Can I reuse the code in my commercial application?
25
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
26
What's the difference between SNMPv2 and SNMPv2c?
27
Which versions of SNMP are supported in this package?
28
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
29
Where can I find more information about network management?
30
Is ucd-snmp thread safe?
33
How do I add a MIB to the tools?
34
Why can't I see anything from the agent?
35
Why can't I see values in the <INSERT ENTERPRISE HERE> tree?
36
Requests always seem to timeout, and don't give me anything back. Why?
37
I can see the system group, but nothing else. Why?
38
The agent worked for a while, then stopped responding. Why?
39
Requesting an object fails with "Unknown Object Identifier" Why?
40
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
41
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
42
I cannot set any variables in the MIB.
43
Variables seem to disappear when I try to set them. Why?
44
I still can't change sysLocation, though the access settings allow
46
I get an error when trying to set a negative value - why?
47
I get an error when trying to get a string-indexed table value - why?
48
How do I send traps and notifications?
49
How do I handle traps and notifications?
50
My traphandler script doesn't work when run like this - why not?
51
The ucdShutdown trap OID received by my manager is wrong. Why?
52
Why does snmptrapd complain about AgentX?
54
How big can an SNMP request (or reply) be?
55
How can I monitor my systems (disk, memory, etc)?
56
Applications complain about entries in your example 'snmp.conf' file. Why?
57
OK, what should I put in snmp.conf?
59
Where can I get the perl SNMP package?
60
How do I install the Perl SNMP modules?
61
But compiling this fails! Why?
62
Compiling the perl module works OK, but 'make test' fails. Why?
63
The perl 'make test' fails on the OID tests. Is it safe to continue?
64
I'm trying to use mib2c (or tkmib) and it can't locate SNMP.pm?
65
I'm trying to use mib2c (or tkmib) and it can't load SNMP.so?
66
I'm trying to use tkmib and it can't locate Tk.pm?
67
I've got a problem with the Net-SNMP module. Can you help?
69
Where can I find a MIB compiler?
70
I can't load any of the mib files, and they seem to be missing
71
the first two characters of the filename. What's happening?
72
Why aren't my mib files being read in?
73
I'm getting answers, but they're all numbers. Why?
74
What does "Cannot find module (XXX-MIB)" mean?
75
What about "unlinked OID"?
76
The parser doesn't handle comments properly. Why not?
77
How do I replace MIB values with new ones?
78
How can I get more information about these MIB file problems?
79
What's this about "too many imported symbols"?
81
What MIBs are supported?
82
What protocols are supported?
83
How do I configure the agent?
84
How do I add a MIB to the agent?
85
What's the difference between 'exec', 'sh' and 'pass'?
86
What's the difference between AgentX, SMUX and proxied SNMP?
87
What about 'dlmod' - what's that about?
89
Can I use AgentX when running under Windows?
90
Can I use AgentX (or an embedded SNMP agent) in a threaded application?
91
How can I run AgentX with a different socket address?
92
How can I combine two copies of the 'mib2' tree from separate subagents?
93
What traps are sent by the agent?
94
Where are these traps sent to?
95
How can I send a particular trap to selected destinations?
96
Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
97
When I run the agent it runs and then quits without staying around. Why?
98
After a while the agent stops responding, and starts eating CPU time. Why?
99
How can I stop other people getting at my agent?
100
How can I listen on just one particular interface?
101
How do I configure access control?
102
I don't understand the new access control stuff - what does it mean?
103
How do I configure SNMPv3 users?
104
The 'createUser' line disappears when I start the agent. Why?
105
What's the difference between /var/ucd-snmp and /usr/local/share/snmp?
106
My new agent is ignoring the old snmpd.conf file. Why?
107
Why am I getting "Connection refused"?
108
I'm getting errors about "bad security model" - why?
109
I'm getting errors about "bad prefix match parameter" - why?
110
Why can't I see values in the UCDavis 'extensible' or 'disk' trees?
111
Why can't I see values in the UCDavis 'memory' or 'vmstat' tree?
112
What do the CPU statistics mean - is this the load average?
113
How do I get percentage CPU utilization using ssCpuRawIdle?
114
What about multi-processor systems?
115
The speed/type of my network interfaces is wrong - how can I fix it?
116
The interface statistics for my subinterfaces are all zero - why?
117
Does the agent support the RMON-MIB?
118
What does "klread: bad address" mean?
119
What does "nlist err: wombat not found" (or similar) mean?
120
How about "Can't open /dev/kmem"?
121
The agent is complaining about 'snmpd.conf'. Where is this?
122
The system uptime (sysUpTime) returned is wrong!
123
How can I reduce the memory footprint?
125
How do I compile with 'cc' instead of 'gcc'?
126
But gcc doesn't compile it successfully on my new Solaris system. Why not?
127
On RedHat 8.0 or up I get "/usr/bin/ld: cannot find -lelf". Why?
128
I'm getting an error "autoheader: not found" - what's wrong?
129
What about a failed dependency on 'libcrypto'? Where can I get that?
130
Why is the project workspace empty under Visual C++?
131
Why does 'make test' skip five tests?
132
Why does 'make test' complain about a pid file?
134
How do I write C code to integrate with the agent?
135
How does the agent fetch the value of a variable from the system?
136
Mib2c complains about a missing "mib reference" - what does this mean?
137
Mib2c complains about not having a "valid OID" - what does this mean?
138
Why doesn't Mib2c like the MIB file I'm giving it?
139
Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why?
140
Mib2c complains about "configuration files". What's this for?
141
Which mib2c configuration file should I use?
142
How can I have Mib2c generate code for both scalars and tables?
143
Are there any examples, or documentation?
144
I've created a new module with 'mib2c' but it doesn't work. Why not?
145
Where should I put the files produced by 'mib2c'?
146
Mib2c only handles a single table in my MIB. How can I fix this?
147
How can I support a large table, with more than 256 column objects?
148
How can I get the agent to generate a trap (or inform)?
149
What if I'm using an AgentX sub-agent instead?
150
How can I register a MIB module in a different (SNMPv3) context?
152
Why are packets requesting the same information larger with UC-Davis SNMP?
153
What ASN.1 parser is used?
154
What is the Official Slogan of the net-snmp-coders list?
163
- Various tools relating to the Simple Network Management Protocol
166
* An extensible agent
168
* tools to request or set information from SNMP agents
169
* tools to generate and handle SNMP traps
170
* a version of the unix 'netstat' command using SNMP
171
* a graphical Perl/Tk/SNMP based mib browser
173
This package is originally based on the Carnegie Mellon University
174
SNMP implementation (version 2.1.2.1), but has developed significantly
183
- http://www.net-snmp.org/download/
184
- ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/
186
- http://www.net-snmp.org/md5/
188
- http://www.net-snmp.org/
189
Sourceforge Project page:
190
- http://www.net-snmp.org/project/
191
Mirrors (note that sourceforge download servers are mirrored themselves):
192
- US: ftp://ftp.freesnmp.com/mirrors/net-snmp/
193
- Bulgaria: http://rtfm.uni-svishtov.bg/net-snmp/ (appears to be out of date)
194
- Japan: ftp://ftp.ayamura.org/pub/net-snmp/ (may only work inside Japan)
195
- Germany: ftp://ftp.mpg.goe.ni.schule.de/pub/internet/net-snmp/ (unknown host)
196
- Greece: ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/
198
The old ucd-snmp.ucdavis.edu web site and ftp server is now
199
offline and should not be accessed any longer.
203
What documentation is available?
204
-------------------------------
207
README and individual READMEs for various platforms
208
README.thread (discusses threading issues)
212
man pages for the individual tools, files and the API
213
A guide for extending the agent
214
Tutorials for both ucd-snmp v4 and net-snmp v5
215
at http://www.net-snmp.org/tutorial/
216
and http://www.net-snmp.org/tutorial-5/ respectively
218
Most of this documentation (plus archives of the mailing lists)
219
is also available on our web page:
221
http://www.net-snmp.org/
225
Are there binaries available?
226
----------------------------
228
- There are binaries for some systems available in the binaries
229
directory on the ftp site.
233
What's the difference between UCD-SNMP and Net-SNMP?
234
---------------------------------------------------
236
Not a great deal, really.
237
Although the project originally started at UC Davis (hence the name),
238
and it has always been based there, most of the contributors have had
239
little or no connection with this institution.
241
The move to SourceForge was intended to provide a more flexible
242
environment for the project, and to distribute the administrative
243
workload more evenly. The change of name simply reflects this move,
244
which was the last remaining link with UC Davis.
246
The 4.2.x line is the last release line that uses the ucd-snmp name,
247
and all releases under this banner will be bug-fixes only. Release
248
5.0 is the first version using the net-snmp name, and all new features
249
and significant development will be released under this name.
250
(Though the dividing line between a bug-fix and a new feature is
251
something of a vague one, so some changes in the 4.2.x line may be
252
relatively non-trivial!)
254
Starting with the 5.0 release, we are also trying to review and
255
rework the underlying code base to improve the readability and
256
maintainability of the package. The 5.0 changes have mostly
257
concentrated on the agent architecture, though there have been some
258
significant changes to the library as well. Future releases may
259
include further restructuring of the library.
260
This process will probably result in some changes to the API,
261
though we will attempt to retain some form of backwards
262
compatibility as far as possible, and clearly mark anything that has
263
changed. The most significant change with the 5.0 release is a
264
restructuring of the header file organisation - not least a change
265
from <ucd-snmp/xxx.h> to <net-snmp/yyy.h>.
269
What operating systems does it run on?
270
-------------------------------------
272
Both the applications and the agent have been reported as running
273
(at least in part) on the following operating systems:
275
* HP-UX (10.20 to 9.01 and 11.0 -- see README.hpux11)
276
* Ultrix (4.5 to 4.2)
277
* Solaris SPARC/ULTRA (2.8 to 2.3), Intel (2.9) and SunOS (4.1.4 to 4.1.2)
279
* NetBSD (1.5alpha to 1.0)
280
* FreeBSD (4.1 to 2.2)
281
* BSDi (4.0.1 to 2.1)
282
* Linux (kernels 2.4 to 1.3)
286
* OS X (10.1.1 and 10.1.2)
290
We have also been informed about a port to the Stratus VOS.
291
See http://ftp.stratus.com/vos/network/network.html for details.
293
See the next question but one for the status of Windows support.
295
Certain systems (e.g. HP-UX 11, Irix?) fail to compile particular
296
portions of the agent. These can usually be persuaded to compile
297
(at the loss of some functionality) by omitting the modules affected.
298
See the next question for more details.
300
Also note that the presence of a particular configuration in this
301
list does not imply a perfect or complete implementation. This is
302
simply what various people have reported as seeming to work. (Or more
303
frequently, the configurations people have reported problems with
304
that we think we've fixed!)
308
What happens if mine isn't listed?
309
---------------------------------
311
It's probably worth trying to compile it anyway. If your system
312
is reasonably similar to another supported configuration, it may
313
well compile with little or no difficulty. The most likely source
314
of problems will be MIB modules within the agent, as this tends to
315
be where the most system-specific code is found.
317
If only a few modules fail to compile, try removing them from
318
the agent by running "configure --with-out-mib-module=xxx,yyy",
319
and re-compiling. If a large number of modules fail, then it
320
might be easier to start from a relatively bare system, using
321
"configure --enable-mini-agent --with-defaults". Then if this
322
minimal agent compiles and runs successfully, try adding the
323
missing mibgroups using the configure option '--with-mib-module'.
325
If configure fails with "invalid configuration" messages, or
326
you get completely stuck, contact the coders list for advice.
327
Similarly, if you manage to get this working on a new system,
328
please let us know both details of the hardware you're using,
329
and what versions of the operating system you've tried it on.
330
The entry 'host' in the file 'config.status' will show this
331
information. Oh, and congratulations!
335
Does it run on Windows?
336
----------------------
338
The suite should compile and run on Win32 platforms, including
339
the library, command-line tools and the basic agent framework.
340
Note that the agent now includes support for the MIB-II module,
341
but this requires Microsoft's Core Platform SDK. Instructions
342
for how to install this are given in README.win32.
344
Some other MIB modules, including the UCD pass-through extensions,
345
do not currently work under Windows. Volunteers to assist in
346
these missing modules are likely to welcomed with open arms :-)
348
Further details of Windows support (currently Visual C++ and
349
Cygnus cygwin32) is available in the file README.win32
353
How do I find out about new releases?
354
------------------------------------
356
There is a mailing list for these announcements
358
net-snmp-announce@lists.sourceforge.net
360
To be added to (or removed from) this list, visit
361
http://www.net-snmp.org/lists/net-snmp-announce/. Or you can send a
362
message to the address
363
'net-snmp-announce-request@lists.sourceforge.net' with a subject
364
line of 'subscribe' (or 'unsubscribe' as appropriate).
366
Major code revisions may be announced more widely (e.g. on the
367
SNMP mailing lists, or comp.protocols.snmp) but this list is the most
368
reliable way to keep in touch with the status of this package.
370
Patches to fix known problems are also made available via the web site:
372
http://www.net-snmp.org/patches/
376
How can I find out what other people are doing?
377
----------------------------------------------
379
There is a general purpose discussion list
381
net-snmp-users@lists.sourceforge.net
383
To be added to (or removed from) this list, visit
384
http://www.net-snmp.org/lists/net-snmp-users. Or you can send a
385
message to the address 'net-snmp-users-request@lists.sourceforge.net'
386
with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).
388
To find out what the developers are doing, and to help them out, please
389
read the PORTING file enclosed with the package.
391
There is also an net-snmp IRC channel set up on the freenode.net IRC
392
chat servers (you can use irc.freenode.net to connect and/or see
393
http://www.freenode.net/ for getting started with irc). Multiple
394
core developers hang out there on a regular basis.
398
How do I submit a patch or bug report?
399
-------------------------------------
401
All bug reports should be submitted to the bug database through the
402
interface found at http://www.net-snmp.org/bugs/. Be
403
sure to include the version of the package that you've been working
404
with, the output of the command 'uname -a', the precise command that
405
triggers the problem and a copy of the output it produces.
407
All patches should be submitted to the patch manager at
408
http://www.net-snmp.org/patches/. If possible, submit a
409
bug report describing the patch as well (referencing it by its patch
410
number) since the patch manager doesn't contain a decent description
413
Questions about using the package should be directed at the
414
net-snmp-users@lists.sourceforge.net mailing list. Note that this
415
mailing list is relatively busy, and the people answering these
416
questions are doing so out of the goodness of their hearts, and in
417
addition to their main employment. Please note the following:
419
- use plain text mail, rather than HTML
420
- don't resend questions more than once
421
(even if no-one answered immediately)
422
- include full details of exact commands and error messages
423
("I've tried everything, and it doesn't work" isn't much use!)
424
- do *NOT* send messages to -users and -coders mailing lists
425
(most developers read both anyway)
426
- don't mail the developers privately - keep everything on the list
428
Remember that this is basically an unsupported package. Fundamentally
429
it's Open Source, so you have the source code. If you need something
430
fixing badly enough, it's up to you to do the work.
432
We can't promise to be able to solve all problems, but we'll
433
certainly try and help. But remember that this is basically an
434
unsupported package. It's Open Source, so if you need something
435
fixing badly enough, fundamentally it's up to you to do the work.
437
Can I reuse the code in my commercial application?
438
-------------------------------------------------
440
The details of the COPYRIGHTs on the package can be found in the
441
COPYING file. You should have your lawyer read this file if you wish
442
to use the code in your commercial application. We will not summarize
443
here what is in the file, as we're not lawyers and are unqualified to
447
What's the difference between SNMPv1, SNMPv2 and SNMPv3?
448
-------------------------------------------------------
449
What's the difference between SNMPv2 and SNMPv2c?
450
------------------------------------------------
453
A full description is probably beyond the scope of this FAQ.
454
Very briefly, the original protocol and framework was described
455
in RFCs 1155-1157, and is now known as SNMPv1.
457
Practical experience showed up various problems and deficiencies
458
with this, and a number of revised frameworks were developed to try
459
and address these problems. Unfortunately, it proved difficult to
460
achieve any sort of agreement - particularly over the administrative
463
There was less disagreement over the proposed changes to the
464
protocol operations. These included:
465
* increasing the range of errors that could be reported
466
* introducing "exception values"
467
(so a single missing value didn't affect
468
the other varbinds in the same request)
469
* a new GETBULK operation
470
(a supercharged GETNEXT)
471
* new notification PDUs
472
(closer in structure to the other request PDUs)
474
Strictly speaking, it's this revised protocol (originally defined
475
in RFC 1905, and most recently in RFC 3416) that is "SNMPv2".
477
The only framework based on this protocol that saw a significant
478
level of use was "Community-based SNMPv2" or "SNMPv2c" (defined in
479
RFCs 1901-1908). This retained the same administrative framework
480
as SNMPv1 (with all of the accompanying deficiencies), but using
481
the new protocol operations.
483
More recently, a new administrative framework has been developed,
484
building on the various competing SNMPv2 proposals, and using the
485
same SNMPv2 protocol operations. This is SNMPv3, which is defined
486
in RFCs 3411-3418. It addresses some of the deficiencies of the
487
community-based versions, including significant improvements to
488
the security of SNMP requests (like it finally has some!).
489
SNMPv3 is now a full IETF standard protocol.
491
Strictly speaking, SNMPv3 just defines a fairly abstract framework,
492
based around the idea of "Security Models" and "Access Control Models".
493
It's this combination of SNMPv3 plus accompanying models that actually
494
provides a working SNMP system.
495
However, the only models in common use are the "User-based Security
496
Model" (RFC 3414) and the "View-based Access Control Model" (RFC 3415).
497
So "SNMPv3" is frequently used to mean the combination of the basic
498
SNMPv3 framework with these two particular models.
499
This is also sometimes described as "SNMPv3/USM".
503
- SNMPv2c updated the protocol operations
504
but left the administrative framework unchanged.
505
- SNMPv3 updated the administrative framework
506
but left the protocol operations unchanged.
510
Which versions of SNMP are supported in this package?
511
----------------------------------------------------
513
This package currently supports the original SNMPv1, Community-based
514
SNMPv2 (i.e. RFCs 1901-1908), and SNMPv3 (i.e. RFCs 3411-3418).
515
The agent will respond to requests using any of these protocols,
516
and all the tools take a command-line option to determine which
519
Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452)
520
was dropped with the 4.0 release of the UCD-snmp package.
524
Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
525
------------------------------------------------------------
529
The version of the syntax used to define a MIB file
530
is better referred to as SMIv1 or SMIv2, and is purely
531
concerned with defining the characteristics of the
532
various management objects. This is (almost) completely
533
unrelated to the versions of the protocol operations.
534
So it is quite reasonable to use SNMPv1 requests on
535
objects defined using SMIv2, or SNMPv2 (or SNMPv3)
536
requests on objects defined using SMIv1.
538
The one exception is objects of syntax Counter64,
539
which are only accessible using SNMPv2 or higher.
540
SNMPv1 requests will either treat such objects as an
541
error, or skip over them completely.
545
Where can I find more information about network management?
546
----------------------------------------------------------
548
There are a number of sites with network management information on
549
the World Wide Web. Three of the most useful are
551
http://www.snmpweb.org/
552
http://www.snmplink.org/
553
http://www.mibdepot.com/
555
There are two Usenet newsgroups which are relevant.
556
'comp.dcom.net-management'
557
which discusses general issues relating to network management
558
'comp.protocols.snmp'
559
which is specifically concerned with use of SNMP in particular
561
(though there is a large overlap between these two groups).
562
The SNMP group also has an FAQ (split into two parts) which discusses more
563
general issues related to SNMP, including books, software, other sites,
564
how to get an enterprise number, etc, etc.
565
This is available from
567
ftp://rtfm.mit.edu/pub/usenet/comp.protocols.snmp/
569
or via any of the Web sites above.
573
Is ucd-snmp thread safe?
574
-----------------------
576
Strictly speaking, no. However, it should be possible to use the
577
library in a thread-safe manner. This is covered in detail in the file
578
README.thread (shipped with the standard distribution), but can be
579
summarised as follows:
581
- Call 'snmp_sess_init()' prior to activating any threads.
582
This reads in and parses MIB information (which isn't thread-safe)
583
as well as preparing a session structure for subsequent use.
585
- Open an SNMP session using 'snmp_sess_open()' which returns an
586
opaque session handle, which is essentially independent of any
587
other sessions (regardless of thread).
589
- Resource locking is not handled within the library, and is the
590
responsibility of the main application.
592
The applications and the agent have not been designed for threaded use.
602
This is actually two separate questions, depending on whether you
603
are referring to the tools, or the agent (or both).
604
See the next question or the next section respectively.
608
How do I add a MIB to the tools?
609
-------------------------------
613
cp MY-MIB.txt /usr/local/share/snmp/mibs
618
mkdir $HOME/.snmp/mibs
619
cp MY-MIB.txt $HOME/.snmp/mibs
627
echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf
629
Note that you need *both* steps.
630
The first command copies the file defining the new MIB to a
631
expected location for MIB files. This defaults to
632
/usr/local/share/snmp/mibs (or PREFIX/share/snmp/mibs if the the
633
suite was installed into a different base location). Some
634
ready-packaged distributions (such as Linux RPM packages) may look
635
for MIB files in a different location, such as /etc/snmp/mibs - put
636
the new file in this directory instead. This makes it available for
637
everyone on the system.
638
The tools will also look for mibs in your personal $HOME/.snmp/mibs
639
directory, but this will only work for you.
641
The second command tells the tools to load in this new MIB file as well
642
as the default set. Note that the tools do *not* load every MIB found
643
in the directory - this is to avoid slowing them down excessively when
644
there is a large collection of MIB files. If you do want the tools to
645
load all the MIB files, set the environmental variable MIBS to the special
648
Note that the value for this variable is the name of the MIB module,
649
*not* the name of the MIB file. These are typically the same (apart
650
from the .txt suffix), but if in doubt, check the contents of the file.
651
The value to use is the token immediately before the word DEFINITIONS
652
at the start of the file. Of course, if you load 'ALL' mibs, then this
653
distinction is irrelevant.
655
Most of the tools (apart from 'snmptable') will work quite happily
656
without any MIB files at all, as long as you are prepared to work with
657
numeric OIDs throughout. The MIB files are only used for translating
658
between numeric and textual forms for queries and responses.
659
The same holds true for the agent - see the AGENT section for details.
663
Why can't I see anything from the agent?
664
---------------------------------------
666
There are two main general causes of problems retrieving information
667
from the agent. Firstly, the variable (or variables) specified may
668
not be recognised by the tools as valid names. In this case, the
669
tools will typically reject the request without ever contacting the
672
Alternatively, the tool may be happy with the request, but the agent
673
does not return the corresponding value(s). It may return an explicit
674
error message instead, or the request may time out without any response
675
being sent back at all. The next few entries look at these in more detail.
679
Why can't I see values in the <INSERT ENTERPRISE HERE> tree?
680
-----------------------------------------------------------
682
Having said that there are two main reasons for not getting a response,
683
the most likely cause of this problem is actually something else again.
685
The 'snmpwalk' command takes a point in the overall MIB tree, and tries
686
to display all the values that lie within this subtree. However, it
687
actually does this by issuing a series of "getnext" requests, until
688
the variable returned lies outside the subtree of interest. If the
689
very first request returns such an undesired value, then the command
690
will terminate, without having displayed anything at all.
692
If an expicit starting point is given to 'snmpwalk', then it is reasonably
693
clear what is happening, and that there is simply nothing in the subtree
694
specified. However, if 'snmpwalk' is called without giving an explicit
695
starting point, then it will display the contents of the 'mib-2' subtree.
696
It will not attempt to traverse any 'private.enterprise' subtree, such as
697
the UCD-specific objects (including any local extensions).
699
To walk the whole tree, specify a starting point of '.iso'
700
To walk a specific enterprise subtree, specify the root of this as
701
the starting point - e.g:
703
snmpwalk -v1 -c public localhost ucdavis
705
Or, of course, you can walk a selected portion of an enterprise subtree
706
by specifying the appropriate starting point - e.g:
708
snmpwalk -v1 -c public localhost ucdavis.version
710
If you still can't see any information, keep reading. The next few
711
questions will probably help you.
715
Requests always seem to timeout, and don't give me anything back. Why?
716
----------------------------------------------------------------------
718
There are a number of possible causes of this.
720
The most likely are the agent access control settings (who is allowed
721
access by the agent itself), or firewall/packet filtering settings
722
(who is allowed access by the underlying operating system).
724
A fuller list of possible causes (with indications of how to check
725
for each) is as follows:
727
- is the machine you are querying up and running?
728
(Does it respond to 'ping' or similar requests?)
729
- is there an SNMP agent running on it?
730
(Run 'ps -ef | grep snmp' or 'netstat -an | grep 161')
731
- are the requests arriving, or being blocked (e.g. by a firewall)?
732
(Restart the agent using 'snmpd -f -L -d'
733
and see if it shows the incoming packet dumps)
734
- is the agent simply taking a long time to respond?
735
(The 'snmpd -f -L -d' command should show a series of
736
incoming PDUs, followed eventually by the outgoing PDUs.
737
Try the request again with a long timeout value,
738
e.g. 'snmpcmd -t 120 ....')
739
- does the agent's control settings allow this request?
740
(The 'snmpd -f -L -d' command will show a series of
741
incoming PDUs with *no* corresponding outgoing PDUs)
743
Note that if the agent is not configured to allow access for a
744
particular community, then the SNMP specification declares that no
745
error response should be sent at all. The Net-SNMP tools will retry
746
the request a number of times, before reporting a timeout error.
748
If the agent is configured to allow partial access for a given
749
community, then requests that fall outside this authorised access
750
*will* result in an error response.
751
(SNMP agents can be very fussy over who they talk to!)
753
See the entries on access control in the AGENT section for how to
754
configure the Net-SNMP agent to allow suitable access. For other
755
vendors' agents, you will need to consult the relevant documentation.
759
I can see the system group, but nothing else. Why?
760
--------------------------------------------------
762
This is probably the same as the previous question - a problem with
763
the access configuration of the agent. Many pre-configured systems
764
(such as most Linux distributions) will only allow access to the system
765
group by default, and need to be configured to enable more general access.
767
The easiest way to test this is to try a GETNEXT request, that ought
768
to return the entry of interest.
770
snmpgetnext -v1 -c public localhost ucdavis.version.versionTag
772
snmpget -v1 -c public localhost ucdavis.version.versionTag.0
774
If the agent responds with "end of MIB" or a different object, then
775
either the agent doesn't implement that particular object at all, or
776
the access control won't allow you access to it.
778
See the entries on access control in the AGENT section for how to
779
configure the Net-SNMP agent, or consult the agent's own documentation.
783
The agent worked for a while, then stopped responding. Why?
784
-----------------------------------------------------------
786
Assuming that the agent hasn't crashed completely, the most likely
787
explanation is that it's simply overloaded, and is taking longer to
788
respond than the querying tool is waiting. Since the agent handles
789
each request in turn, without regard to earlier activity, and most
790
tools will retry a request when it times out, the list of outstanding
791
requests can grow longer and longer.
793
To determine whether this is the cause or not, try leaving the
794
agent undisturbed for a while, and then probe it using a longer
795
timeout (e.g. '-t 120'). This should give the agent time to handle
796
each request first time round, and avoids overloading it with
799
This is not a full solution, of course, but at least it should
800
allow you to isolate the offending portion of the tree. The
801
developers may then be able to offer a more long-term solution.
805
Requesting an object fails with "Unknown Object Identifier" Why?
806
----------------------------------------------------------------
808
If a general snmpwalk shows the entry, but asking for it more
809
specifically gives a "sub-identifier not found:" or "Unknown Object
810
Identifier" error, then that's a problem with the tool, rather than
813
Firstly, make sure that you're asking for the object by the right name.
814
Object descriptors are case-sensitive, so asking for 'sysuptime' will
815
not be recognised, but 'sysUpTime' will.
817
Secondly, the object may be defined in a MIB that hasn't been loaded.
818
Try loading in all the MIB files:
820
snmpget -m ALL -v1 -c public localhost sysUpTime.0
822
(though if snmpwalk translates it OK, that's less likely to be the cause).
824
Thirdly, earlier versions of the UCD software expected "full" paths
825
for object names, either based at the root of the whole MIB tree
826
(".iso.org.dod.internet.mgmt.mib-2.system.sysUpTime") or the 'mib-2'
827
subtree ("system.sysUpTime"). Try:
829
snmpget -v1 -c public myhost system.sysUpTime.0
831
These earlier versions of the tools may take a command-line option '-R'
832
or '-IR' (depending on vintage) to invoke this "random-access" mode.
833
Note that snmptranslate still requires "random-access" to be specified
834
explicitly - all other command tools now use this mode by defaults.
836
All versions of the UCD and Net-SNMP tools accept the syntax
838
snmpget -v1 -c public myhost RFC1213-MIB:sysUpTime.0
840
to denote a particular object in a specific MIB module. Note that this
841
uses the name of the *module*, not the name of the file. See the second
842
question in this section for the distinction.
846
Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
847
------------------------------------------------------------------
849
There are a number of possible causes of this (scattered throughout
850
this FAQ, so keep reading!). But one of the most likely snares for
851
the unwary is forgetting the instance subidentifier for 'non-table'
852
objects. If you walk the 'system' tree, you'll notice that all the
853
results (apart from the sysORTable), have a '.0' at the end of the OID.
854
This is the "instance sub-identifier" - which *must* be included for
856
Compare the following:
858
$ snmpget -v1 -c public localhost sysUpTime
860
Reason: (noSuchName) There is no such variable name in this MIB.
861
This name doesn't exist: system.sysUpTime
862
$ snmpget -v1 -c public localhost sysUpTime.0
863
system.sysUpTime.0 = Timeticks: (69189271) 8 days, 0:11:32.71
865
This is a little less obscure when using SNMPv2c or v3 requests:
867
$ snmpget -v 2c -c public localhost sysUpTime
868
system.sysUpTime = No Such Instance currently exists
872
Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
873
--------------------------------------------------------------------------
875
This depends on which MIB modules are supported by the agent you are
876
querying and what you're asking for.
878
Recall that a tree is walked by repeatedly asking for "the next entry" until
879
all the values under that tree have been retrieved. However, the agent has
880
no idea that this is what's happening - all it sees is a request for "the
883
If the object X happens to be the last entry in a sub-tree, the agent will
884
provide the next object supported (as requested) even though this will be
885
in a different subtree. It's up to the querying tool to recognise that
886
this last result lies outside the area of interest, and simply discard it.
888
If the object X happens to be the last entry supported by the agent, it
889
doesn't have another object to provide, so returns an "end of MIB"
890
indication. The Net-SNMP tools report this with the message above.
892
But in either case, the actual information provided will be the same.
896
I cannot set any variables in the MIB.
897
-------------------------------------
899
There are three possible reasons for this:
901
The majority of MIB objects are defined as "read-only" and inherently
902
cannot be changed via SET requests.
904
Of those that can in principle be changed, not all have been implemented
905
as such in this agent.
907
Even if SET support has been implemented, the agent may not be configured
908
to allow write access to this object.
910
The example configuration file shipped with the basic distribution only
911
allows write access for the local host itself (and a suitable community
912
name must be configured first).
913
Ready-installed distributions (such as those shipped with Linux) tend
914
to be configured with read-only access to part of the mib tree (typically
915
just the system group) and no write access at all.
917
To change this, you will need to set up the agent's access control
918
configuration. See the AGENT section for more details.
920
Note that neither the community string "public" nor "private" can be
921
used to set variables in a typical default configuration.
925
Variables seem to disappear when I try to set them. Why?
926
--------------------------------------------------------
928
This is actually the same as the previous question - it just isn't
929
particularly obvious, particularly when using SNMPv1. A typical
930
example of this effect would be
932
$ snmpget -v1 -c public localhost system.sysLocation.0
933
system.sysLocation.0 = somewhere nearby
935
$ snmpset -v1 -c public localhost system.sysLocation.0 s "right here"
937
Reason: (noSuchName) There is no such variable name in this MIB.
938
This name doesn't exist: system.sysLocation.0
940
Trying the same request using SNMPv2 or above is somewhat more informative:
942
$ snmpset -v 2c -c public localhost system.sysLocation.0 s "right here"
946
The SNMPv1 error 'noSuchName' actually means:
948
"You can't do that to this variable"
950
This might be because the variable doesn't exist, it does exist but
951
you don't have access to it (but someone else may do), or it exists
952
but you can't perform that particular operation (i.e. changing it).
953
Similarly, the SNMPv2 error 'notWritable' means "not writable in
954
this particular case" rather than "not writable under any circumstances".
956
If you are sure that the object is writable (and has been implemented
957
as such), then you probably need to look at the agent access control.
958
See the AGENT section for more details.
962
I still can't change sysLocation, though the access settings allow it. Why not?
963
-------------------------------------------------------------------------------
965
One other possibility for the 'sysLocation' and 'sysContact' objects,
966
is that you've got a configuration option in the 'snmpd.conf' file which
967
already sets the corresponding value there.
969
Earlier versions of the agent would allow you to write to these objects,
970
but the new value would be forgotten the next time the agent was re-started.
971
More recent versions of the agent reject such write requests if there's a
972
value set via the config file. If there isn't such a config setting, then
973
the write request will succeed (assuming the access settings allow it), and
974
the new value will be retained the next time the agent restarts.
978
I get an error when trying to set a negative value - why?
979
--------------------------------------------------------
981
This is a different problem. What's happening here is that the
982
routine that parses the arguments to the 'snmpset' command is seeing
983
the '-' of the new value, and treating it as a command-line option.
984
This normally generates an error (since digits probably aren't valid
985
command line option).
987
The easiest way to solve this is include the "end-of-option"
988
indicator '--' in the command line, somewhere before the new value
989
(but after all of the options, obviously). For example:
991
snmpset -v 2c -c public localhost -- versionRestartAgent.0 i -1
993
(This will also fail, since -1 isn't an acceptable value for this
994
object, but it will be rejected by the agent, rather than confusing
995
the snmpset command!)
999
I get an error when trying to get a string-indexed table value - why?
1000
--------------------------------------------------------------------
1002
This is probably due to the shell swallowing the quotes, before
1003
they ever get to the SNMP command's OID parser. Try escaping them:
1005
snmpget ..... vacmSecurityModel.0.\"wes\"
1006
or snmpget ..... 'vacmSecurityModel.0."wes"'
1010
How do I send traps and notifications?
1011
---------------------------------------
1013
Traps and notifications can be sent using the command 'snmptrap'.
1014
The following examples generate the generic trap 'coldStart' and a
1015
(dummy) enterprise specific trap '99' respectively:
1017
snmptrap -v 1 -c public localhost "" "" 0 0 ""
1018
snmptrap -v 1 -c public localhost "" "" 6 99 ""
1020
The empty parameters "" will use suitable defaults for the relevant
1021
values (enterprise OID, address of sender and current sysuptime).
1023
An SNMPv2 or SNMPv3 notification (either trap or inform) takes
1024
the OID of the trap to send:
1026
snmptrap -v 2c -c public localhost "" UCD-SNMP-MIB::ucdStart
1027
snmptrap -v 2c -c public localhost "" .1.3.6.1.4.1.2021.251.1
1029
(These two are equivalent ways of specifying the same trap).
1031
Any of these commands can be followed by one or more varbinds,
1032
using the same (OID/type/value) syntax as for 'snmpset':
1034
snmptrap -v 2c -c public localhost "" ucdStart sysContact.0 s "Dave"
1036
Generating traps from within the agent is covered in the AGENT and
1039
You should also read the snmptrap tutorial at
1040
http://www.net-snmp.org/tutorial-5/commands/snmptrap.html
1041
which will help you understand everything you need to know about traps.
1045
How do I handle traps and notifications?
1046
---------------------------------------
1048
Handling received traps is done using the tool 'snmptrapd'.
1049
This can log these traps via the syslog mechanism:
1051
snmptrapd -s -l7 (log to 'LOCAL7')
1053
printed to standard output
1057
or pass them to an external command. This last approach uses
1058
a 'traphandle' directive in the configuration file 'snmptrapd.conf'.
1059
A typical file might look something like:
1061
traphandle .1.3.6.1.6.3.1.5.1 page_me up
1062
traphandle .1.3.6.1.4.1.2021.251.1 page_me up
1063
traphandle .1.3.6.1.4.1.2021.251.2 page_me down
1064
traphandle default log_it
1066
where 'page_me' and 'log_it' are the command to be run. (You probably
1067
need to specify full pathnames, to ensure that the commands will be
1068
found. They're just short here for readability).
1070
Note that the first entry uses the OID corresponding to the SNMPv1
1071
'coldStart' trap. See the co-existence RFC (RFC 2576) for details
1072
of mapping SNMPv1 traps to SNMPv2 OIDs.
1074
There's a tutorial with more details on the web site at
1075
http://www.net-snmp.org/tutorial-5/commands/snmptrap.html
1079
My traphandler script doesn't work when run like this - why not?
1080
---------------------------------------------------------------
1082
If a traphandler script works fine when run manually from the
1083
command line, but generates an error when triggered by an incoming
1084
notification, then this is probably down to one of two likely causes.
1086
Firstly, the interactive shell environment may not be precisely
1087
the same as that for programs executed by the snmptrapd daemon.
1088
In particular, it's quite possible that the PATH environmental
1089
variable may not include all the additional directories that are
1090
commonly set up for a personal login configuration. To avoid this
1091
problem (particularly for traphandler shell scripts), it's worth
1092
giving the full path to all programs used within the script.
1094
Secondly, the snmptrapd daemon may not always recognise the
1095
appropriate interpreter to use for a particular trap handler.
1096
If this is the case, then you can specify this interpreter
1097
explicitly as part of the trap handle directive:
1099
traphandle default /usr/bin/perl /usr/local/bin/log_it
1101
Note that in this case, it's almost certain that you'll also
1102
need to give the full path to the traphandle script (as shown)
1106
The ucdShutdown trap OID received by my manager is wrong. Why?
1107
-------------------------------------------------------------
1109
This is due to the way that traps are converted between
1110
SNMPv1 and SNMPv2 formats. The algorithm used for converting
1111
from an SNMPv1 enterprise-specific trap number, to an SNMPv2
1112
trap OID results in a penultimate '0' subidentifier, before
1113
the trap number itself. The definition of the trap objects
1114
in the UCD-SNMP-MIB file does not include this subidentifier.
1116
In due course, the intention is to define a new set of MIB
1117
objects, under the 'net-snmp' enterprise tree. This will
1118
include new trap OIDs, which will be designed such that
1119
this problem does not arise in the future.
1123
Why does snmptrapd complain about AgentX?
1124
----------------------------------------
1126
Starting from the v5 release, the trap handling daemon has
1127
implemented the notification logging aspects of the NOTIFICATION-MIB
1128
(RFC 3014). This is handled by the trap handler daemon registering
1129
as an AgentX subagent, to supply this statistical information.
1131
If there is no AgentX master agent available, this registration
1132
fails, generating the warning about "failed to connect to the agentx
1133
master". This warning only appears between version 5.0 and 5.0.4
1134
(in 5.0.4 and after the warning was silenced). This failure does
1135
not affect the main operation of the trap handler. It simply means
1136
that the nsmLog information won't be available for query via SNMP.
1138
Basically, this is a warning that can safely be ignored.
1142
How do I use SNMPv3?
1145
The simplest form of SNMPv3 request (unauthenticated, unencrypted)
1146
would be something like:
1148
snmpget -v 3 -l noAuthNoPriv localhost sysUpTime.0
1150
An authenticated request would specify a username and pass phrase:
1152
snmpget -v 3 -l authNoPriv -u dave -A "Open the Door"
1153
localhost sysUpTime.0
1155
A fully secure request would also specify the privacy pass phrase:
1157
snmpget -v 3 -l authPriv -u dave -A "Open the Door"
1158
-X "Bet you can't see me" localhost sysUpTime.0
1160
In practise, most of these would probably be set via configuration
1161
directives in a personal $HOME/.snmp/snmp.conf file (note, *not* the
1162
agent's snmpd.conf file). The equivalent settings for the third
1165
defSecurityName dave
1166
defSecurityLevel authPriv
1167
defAuthPassphrase "Open the Door"
1168
defPrivPassphrase "Bet you can't see me"
1170
If the AuthPassphrase and the PrivPassphrase are the same, then you
1172
defPassphrase "Open the Door and see me"
1175
For how to configure the agent to respond to SNMPv3 requests, see
1180
How big can an SNMP request (or reply) be?
1181
-----------------------------------------
1183
The protocol definition specifies a "minimum maximum" packet size
1184
(484 bytes for UDP), which all systems must support, but does not
1185
attempt to define an upper bound for this maximum size. This is left
1186
to each individual implementation.
1188
The UCD software uses a fixed size buffer of 1472 bytes to hold the
1189
encoded packet, so all requests and responses must fit within this.
1190
Unfortunately, it's not possible to predict how many varbinds this
1191
corresponds to, since it depends on the type and actual values being
1192
sent, as well as the corresponding OIDs.
1194
As a rule of thumb, sending 400 integer-valued varbinds seems to
1195
work OK, while 300 string-valued varbinds triggers an overrun.
1197
The Net-SNMP releases handle packet buffers rather differently,
1198
and are not subject to the same fixed restrictions.
1202
How can I monitor my systems (disk, memory, etc)?
1203
------------------------------------------------
1205
In general, the Net-SNMP suite consists of relatively low-level
1206
tools, and there is nothing included that is designed for high-level,
1207
long-term monitoring of trends in network traffic, disk or memory
1210
There are a number of packages available that are designed for this
1211
purpose. Two of the most widely used are MRTG (http://www.mrtg.org/)
1212
and Cricket (http://cricket.sourceforge.net/). There are details of
1213
how to set up Cricket to monitor some of the UCD extensions at
1214
http://www.afn.org/~jam/software/cricket/
1216
We have also set up a page that describes in detail how MRTG
1217
can be set up to monitor disk, memory and cpu activity at
1218
http://www.net-snmp.org/tutorial-5/mrtg/index.html
1220
There is also a web-based network configuration system "Net-Policy",
1221
based upon SNMP. This is not strictly connected to the Net-SNMP project,
1222
but a number of the core developers are also involved with that system.
1223
See http://net-policy.sourceforge.net for more details.
1227
Applications complain about entries in your example 'snmp.conf' file. Why?
1228
--------------------------------------------------------------------------
1230
The example configuration file 'EXAMPLE.conf' is designed as a config
1231
for the agent, and should be installed as 'snmpd.conf' (note the 'd').
1232
The file 'snmp.conf' is intended for general configuration options,
1233
applicable to all applications (via the SNMP library).
1234
Rename (or merge) the 'snmp.conf' file to 'snmpd.conf', and this should
1236
Note that there is no example snmp.conf shipped with the standard
1241
OK, what should I put in snmp.conf?
1242
----------------------------------
1244
This is used to set common configuration values for most of the
1245
applications, to avoid having to specify them every time. Examples
1246
include the SNMPv3 settings mentioned above, defaults for which MIBs
1247
to load and where from, and the default SNMP version, port and
1248
(if appropriate) the community string to use.
1250
Some of these (such as the MIB file location), might belong in a
1251
shared snmp.conf file (typically /usr/local/share/snmp/snmp.conf or
1252
/etc/snmp/snmp.conf) to apply to all users of the system. Others
1253
(particularly the SNMPv3 security settings), are more likely to refer
1254
to a particular user, and should go in a personal snmp.conf file
1255
(typically $HOME/.snmp/snmp.conf).
1257
Note that the Net-SNMP package does not come with an example snmp.conf
1258
file. See 'snmpget -H' and/or the snmp.conf(5) man page for more details.
1260
You can also use the "snmpconf" command to help you generate your
1261
snmp.conf configuration file (just run it and answer its questions).
1268
Where can I get the perl SNMP package?
1269
-------------------------------------
1271
Joe Marzot's excellent perl SNMP module, which requires the ucd-snmp
1272
library, is now included in the ucd-snmp source release. It's
1273
located in the perl/SNMP subdirectory of the ucd-snmp source tree.
1275
It can also be found at any Comprehensive Perl Archive Network
1276
(CPAN) site mirror in modules/by-module/SNMP. To find the CPAN site
1277
nearest you, please see http://www.cpan.org/SITES.html.
1279
With the v5 release of the Net-SNMP suite, this is now accompanied by
1280
a number of perl modules grouped together under the NetSNMP namespace.
1282
Consult the README file in the SNMP perl module distribution to find
1283
out what version of the ucd-snmp library it needs to be linked against.
1287
How do I install the Perl SNMP modules?
1288
--------------------------------------
1290
Assuming you have a reasonably new (and properly configured) perl system,
1291
this should be simply:
1294
or cd perl/SNMP (for 4.2.x)
1296
(press RETURN when prompted for host and community)
1299
make install (probably as root)
1301
Note that with the 5.0 release line, there are additional SNMP-related
1302
perl modules that should probably be installed as well. These can also
1303
be found under the 'perl' subdirectory. At the very least, install the
1304
'default_store' module.
1305
This is not necessary with the 4.2.x releases.
1309
But compiling this fails! Why?
1310
-----------------------------
1312
The perl module tends to delve quite deeply into the internals of the
1313
main Net-SNMP library, and so is quite sensitive to changes within the
1314
library. It's important to use the correct version of the module, that
1315
corresponds to the version of the library you have installed. If you're
1316
working with the main Net-SNMP distribution, the appropriate version of
1317
the perl module is shipped as part of this, but you *must* have
1318
run "make install" on the main Net-SNMP distribution *first*.
1320
If you're working with a ready-installed version of the library, make
1321
sure you obtain a compatible version of the perl module.
1323
Note that the perl modules will be compiled using the compiler
1324
(and compiler settings) used for compiling the original perl binary,
1325
*not* those used for compiling the Net-SNMP (or UCD) library.
1326
If these are different (e.g. 'gcc' used for one and 'cc' for the other)
1327
then this may well cause problems. It's much safer to use a consistent
1328
environment for both. This issue is discussed in greater detail in
1329
the README.solaris file.
1331
Also note that the v5 Net-SNMP suite *must* be configured to provide
1332
shared libraries in order for the perl modules to work correctly. This
1333
is not necessary with the v4 UCD-SNMP libraries.
1337
Compiling the perl module works OK, but 'make test' fails. Why?
1338
--------------------------------------------------------------
1340
That's difficult to answer in general.
1341
Some of the perl tests are rather picky, so this may simply be
1342
some minor inconsistency between your precise setup, and the
1343
expectations of the test environment.
1345
Check that you are working with the perl distribution that matches
1346
the SNMP libraries (use the 'perl/SNMP' in preference to CPAN), and
1347
that you have installed the main libraries successfully (uninstall
1348
any old versions if you're having trouble).
1350
If all this looks OK, and if most of the tests pass, then it's
1351
probably safe to run 'make install' anyway. Probably.
1355
The perl 'make test' fails on the OID tests. Is it safe to continue?
1356
-------------------------------------------------------------------
1358
No. Almost certainly not. If the "perl/OID" tests fail the first
1359
four tests, and then crashes out complaining about a "netsnmp_oidPtr",
1360
then this is a sign of a more fundamental problem.
1362
The 4.2.x line perl support was a single module, so was independent
1363
of the way that the C library was configured. In contrast to this,
1364
the 5.0.x perl support consist of a number of inter-cooperating modules,
1365
which rely on sharing a consistent C library environment. In practise,
1366
this means that the perl modules *MUST* be configured and compiled using
1367
a shared version of the C library. Unfortunately, the default for
1368
most early versions of the Net-SNMP suite was to compile using static
1369
libraries unless explicitly configured to use shared libraries. The
1370
default should be to use shared libraries from 5.0.7 onwards.
1372
The error "oid1 is not of type netsnmp_oidPtr" is a fairly sure indication
1373
that the C library was compiled statically. You'll need to re-configure
1374
the main Net-SNMP package using the "--enable-shared" configure flag.
1375
Then re-install the C library before re-configuring and re-compiling
1376
the perl module support.
1378
Note that this problem does not arise when using the 4.2.x version
1383
I'm trying to use mib2c (or tkmib) and it can't locate SNMP.pm?
1384
------------------------------------------------------------
1386
That's probably because the SNMP perl module hasn't been installed.
1387
It's not part of the standard perl distribution, nor is it installed
1388
by default in RedHat Linux (for example).
1389
You'll need to install it. See the previous two questions.
1393
I'm trying to use mib2c (or tkmib) and it can't load SNMP.so?
1394
------------------------------------------------------------
1396
This is probably the same problem. Either the SNMP module
1397
hasn't been installed, or it's the wrong version. See the
1398
previous two questions.
1402
I'm trying to use tkmib and it can't locate Tk.pm?
1403
-------------------------------------------------
1405
Tk.pm is another Perl package that needs to be installed before tkmib
1406
will run. It's also available on Perl CPAN. We suggest using version
1407
"Tk800.011" or later. It can be installed by issuing the command:
1409
perl -MCPAN -e shell ; "install Tk"
1413
I've got a problem with the Net-SNMP module. Can you help?
1414
----------------------------------------------------------
1416
Sorry, despite the similar-sounding name, the Net-SNMP (or Net::SNMP)
1417
module is nothing to do with this package, or the NetSNMP modules.
1418
Net::SNMP is a "pure-perl" implementation of SNMP support, developed
1419
by David Town. The developers of the (C-based) Net-SNMP suite do
1420
not have any significant experience in using this particular module,
1421
and you'll probably be better off asking for help via CPAN or some
1422
other perl-related forum.
1429
Where can I find a MIB compiler?
1430
-------------------------------
1432
That depends what you mean by a "MIB compiler". There are at least two
1433
types of tool that are commonly referred to by this name.
1435
The first is a tool to check MIB files for validity. This functionality
1436
is mostly integrated within the MIB parser (part of the Net-SNMP library)
1437
and hence included in all the applications. The tool 'snmptranslate' is
1438
probably the most appropriate for this purpose.
1439
Note that the parser is fairly forgiving (see 'What ASN.1 parser is used'
1440
below), so this should not be regarded as a stamp of approval.
1442
The second type of tool is one to turn a MIB specification into C code,
1443
specifically one designed to aid agent implementation. The command 'mib2c'
1444
is an example of such a tool for the Net-SNMP agent.
1445
See the CODING section for more information.
1449
I can't load any of the mib files, and they seem to be missing
1450
the first two characters of the filename. What's happening?
1451
-----------------------------------------------------------
1453
This is a problem experienced with Sun systems when the tools have
1454
been compiled with a mixture of BSD and Solaris environments.
1455
You'll need to re-configure and compile the tools, making sure that
1456
'/usr/ucb' is not in your PATH (or at least comes at the end).
1460
Why aren't my mib files being read in?
1461
-------------------------------------
1463
The Net-SNMP library only loads a subset of MIB files by default.
1464
This list is set at when the suite is first configured and compiled,
1465
and basically corresponds to the list of modules that the agent supports.
1466
(This is a simplification, but is a reasonable first approximation).
1468
You can override this by using the command-line option '-m', the
1469
environmental variable 'MIBS' or the snmp.conf directive 'mibs'.
1470
Each of these take a (colon-separated) list of MIB module names
1471
to load. Starting the list with a '+' character will add them to
1472
the default list - otherwise it replaces the defaults.
1474
Using the special value 'ALL' will load all the MIB files that
1475
the library can find.
1478
Alternatively, the tools may be looking in the wrong place.
1479
The default location for the mib files is /usr/local/share/snmp/mibs.
1480
Again, this is set when the suite is first configured and compiled.
1481
This can be changed using the environmental variable 'MIBDIRS'
1482
or the snmp.conf directive 'mibdirs'.
1484
Note that this may very well affect you if you've installed a
1485
new version of the suite manually, replacing one provided by the
1486
supplier (which typically would use a more 'central' location).
1489
Finally, are you sure that you've installed the MIB files?
1490
If you've compiled the suite from scratch, you need to run
1491
"make install" at least once, before the tools will be able to
1492
find the MIB files. This is unlikely to be a problem if you've
1493
been working with the tools for a while, but can bite those coming
1494
fresh to the SNMP world.
1498
I'm getting answers, but they're all numbers. Why?
1499
-------------------------------------------------
1501
This is actually the same as the previous question. Because the tools
1502
don't read in every MIB module they can find, it is quite possible
1503
for results from an agent to refer to modules that have not been loaded
1504
(particularly with GETNEXT requests, or when walking a tree).
1505
The tools will report the answer quite correctly, but won't translate
1506
identifiers and enumerations into readable strings. To fix this, use
1507
the environmental variables MIBS or MIBFILES (or the '-m' and '-M' flags)
1508
to read in the relevant module files.
1512
What does "Cannot find module (XXX-MIB)" mean?
1513
---------------------------------------------
1515
This is similar to the previous questions. In this case, it's
1516
stating that it can't find the specified module - either because
1517
it's not installed properly, or the name used is subtly wrong.
1519
If it's just one or two modules that are not being found, check
1520
that the files are in the expected location, are readable, and the
1521
name being used is correct. Note that the name reported is the
1522
name of the MIB module, which is not necessarily the same as the
1523
name of the file. See the question 'How do I add a MIB to the tools?'
1524
for more details on this.
1526
If the tool is generating a whole slew of errors, then it's
1527
likely that either the MIB files haven't been installed at all,
1528
or the library is looking in the wrong place. See the previous
1533
What about "unlinked OID"?
1534
-------------------------
1536
This means that the library has been able to find the MIB module,
1537
and parse the individual objects defined in it, but is having problems
1538
linking them together into a consistent tree. In particular, it
1539
can't find an object corresponding to the name within the braces
1540
(i.e. the 'xxx' in '{xxx 99}').
1542
This is probably due either to a typo in this name (remember that
1543
names are case sensitive, so a reference to 'xxx' will *not* match
1544
a definition of 'Xxx'), or else the name is defined in another MIB
1545
file, and this dependency is missing from the IMPORT clause of this
1550
The parser doesn't handle comments properly. Why not?
1551
------------------------------------------------------------
1553
The most likely reason is that the line in question contains two
1554
(or more) sequences of pairs of dashes. This is often used to try
1555
and "comment out" an unwanted line that already contains a comment:
1557
-- broken ::= { myMIB 1 } -- This isn't working yet
1559
The assumption here is that a comment continues to the end of the line.
1560
Unfortunately, this assumption is not correct.
1561
A comment will continue either to the end of the line, or the next
1562
occurance of a pair of dashes. Thus in this case, the definition of
1563
"broken" is commented out (as intended) but the following text is
1564
treated as part of the MIB, and will generate an error.
1566
A similar effect can be obtained when a line of dashes has been used
1567
to try and mark separate parts of a MIB file.
1569
Most of the applications have a command-line option (-Pc) which will
1570
work around this problem by treating the whole line as a comment. But
1571
this is not strictly legal, and the offending MIB file should really be
1576
How do I replace MIB values with new ones?
1577
-----------------------------------------
1579
The Net-SNMP parser generally takes the first definition it sees for each
1580
object in the MIB hierarchy. Even if you specify your file to be read
1581
first, if the IMPORTS clauses reference a MIB with competing objects,
1582
those objects will be parsed first.
1584
When specifying the Replace MIB command-line option (-PR), the parser
1585
will use definitions sourced from the most recent MIB file.
1586
The parser will replace MIB objects when the sub-identifier and name match.
1588
Caution: Using Replace MIB, there is NO guarantee that the resulting
1589
MIB tree will be correct. Other MIB objects matching the name but
1590
not the sub-identifier will persist. Sub-hierarchies may be reparented.
1591
In particular, random access searching [see man 1 snmpcmd]
1592
may give unexpected result.
1593
The Replace MIB option is experimental, buyer beware, carpe diem, etc.
1595
Here are a few considerations to help you obtain good results.
1596
These hold true even if you never use the Replace MIB feature.
1597
Your suggestions for improvement are welcomed.
1599
1. The parser searches the specified directories and attempt
1600
to parse every file whose path does not begin with "." (period).
1601
Remove (or rename) older MIB files from these directories.
1602
Rename "README" to ".README" , etc.
1604
2. Hint: the parser's module list is in LIFO order. You may see better
1605
results if the directory with the most correct MIB files is
1606
specified last in the MIBDIRS environment.
1608
3. Constrain the parser to not read in default MIB files by setting
1609
the MIBS environmental variable to the appropriate separator character
1610
(semi-colon on win32, colon everywhere else).
1611
Setting this to "" may also have the same effect.
1613
4. The MIBFILES environment can specify the path of the new MIB file.
1615
Within a program, the call:
1617
ds_set_boolean(DS_LIBRARY_ID, DS_LIB_MIB_REPLACE, 1 | 0);
1619
or, if using the 5.0.x series code:
1621
netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
1622
NETSNMP_DS_LIB_MIB_REPLACE, 1 | 0);
1624
will enable or disable the Replace MIB feature respectively.
1625
If you're having problems loading a particular MIB file, this
1626
call can be used to disable this feature, before using read_mib() to
1627
load the required file, and then re-enabling the Replace MIB feature.
1628
(or vice versa, as appropriate).
1632
How can I get more information about these MIB file problems?
1633
------------------------------------------------------------
1635
The command 'snmptranslate' is used to translate between numeric
1636
and symbolic forms of OIDs. It uses the same routines as the
1637
'active' commands, but does not rely on communicating successfully
1638
with a network management agent. As such, it is a useful tool
1639
for identifying problems with reading in MIB files.
1641
In particular, the following options may be useful in
1642
identifying problems:
1643
-Pw warns about conflicting symbols
1644
-PW prints more verbose warnings about other problems as well
1645
(in both cases, ignore the 'xmalloc' reports)
1646
-T provides sub-options for various views of these entries
1648
There are other '-P' options to control various aspects of MIB parsing.
1649
See the 'snmptranslate(1)' and 'snmpcmd(1)' man pages for more details,
1651
http://www.net-snmp.org/tutorial-5/commands/snmptranslate.html
1655
What's this about "too many imported symbols"?
1656
---------------------------------------------
1658
Any MIB file starts with an (optional) list of identifiers that
1659
it "imports" from other files. The parser implements this using
1660
a fixed size buffer to hold the import information.
1661
There are two circumstances in which this can result in the
1662
error message shown above.
1664
Firstly, if the MIB file refers to an unusually large number
1665
of external identifiers. Handling this case requires a (trivial)
1666
patch to the parsing code. Contact the coders list for advice.
1667
(This is extremely rare - the only example that
1668
we've come across is the Cabletron Trap MIB).
1670
Much more common is a syntax error in the IMPORTS clause of the
1671
MIB file in question. In particular, check that this ends in a
1672
semicolon, before going on to the main definition section.
1679
What MIBs are supported?
1680
-----------------------
1682
The following MIBs are supported (at least in part and on some systems):
1684
- MIB-2 General network statistics (RFC 1213)
1685
- UCD agent extensions
1686
(processes, disks, memory, load average,
1687
shell commands, error handling)
1688
- Host Resources (RFC 1514 and 2790)
1689
- SNMPv3 MIBS (RFCs 2571-6)
1691
The SNMPv2 Party and Manager-to-Manager MIBs (RFCs 1447 & 1451) have been
1696
What protocols are supported?
1697
----------------------------
1699
The agent supports all three current versions of SNMP (v1, v2c and v3),
1700
over both UDP and TCP transports, as well as a SMUX (RFC 1227) master
1701
agent, AgentX (RFC 2257 ) in both master and subagent roles, and SNMP
1706
How do I configure the agent?
1707
----------------------------
1709
That depends on what you want it to do. See the snmpd.conf(5) manual
1710
page for the possibilities.
1712
You can also run the "snmpconf" perl script to help you create this
1713
file. Start off with 'snmpconf -g basic_setup' to get you going.
1717
How do I add a MIB to the agent?
1718
-------------------------------
1719
How do I add functionality?
1720
--------------------------
1722
While simply adding a file to the MIB directory (and possibly tweaking
1723
the list of MIBs to load) is sufficient for the tools, unfortunately
1724
extending the functionality of the agent to include this is not so simple.
1725
In fact, the agent makes little or no use of these files, and will work
1726
quite happily without them. All the information about the syntax and
1727
scope of the variables supported is hardwired into the implementation
1730
There are a number of alternative ways to add functionality for a new
1733
Firstly, it is possible that the agent distribution already includes
1734
the desired functionality, but this has simply not been configured in
1735
to the running version. This is done using the configure option
1736
--with-mib-modules="list"
1737
(where "list" is a space-separated list of modules to include) then
1738
recompiling the agent.
1739
Note that some functionality concerned with monitoring and managing
1740
unix hosts is included in the UCD extension modules, which are located
1741
within the 'private' branch of the MIB tree. This is covered in a later
1742
question in this FAQ.
1744
Secondly, it is possible for the agent to run commands or shell scripts
1745
in response to queries. These can obtain and report the necessary
1746
information, or perform actions as required.
1747
Detailed information and examples are provided in the snmpd(8) and
1748
snmpd.conf(5) manual pages, and the EXAMPLE.conf file.
1749
This is known as "pass-through" support.
1751
Thirdly, it may be possible to link another agent (which already
1752
supports the desired MIB), as a "subagent" of the Net-SNMP master
1753
(or vice versa). The possibilities here are SMUX, AgentX or proxied
1754
SNMP (see the next question but one).
1756
Finally, the agent itself can be extended to support additional MIB
1757
groups, by writing the necessary C code, and including this within
1758
the main agent - either statically compiled in, or dynamically loaded.
1759
This is covered further in the next section.
1761
Note that there is no visible difference between 'pass-through'
1762
MIB support, subagents, and modules implemented within the main agent
1763
itself. Tools querying the agent will see a single MIB structure.
1767
What's the difference between 'exec', 'sh' and 'pass'?
1768
-----------------------------------------------------
1770
'exec' will fork off the specified command and return the exit status
1771
and/or the output. Arguments are passed directly to the command.
1773
'sh' is similar, but invokes a shell to run the command line given.
1774
This means that quoted arguments will be recognised as such, and also
1775
allows redirection, and other similar shell interpretation.
1777
Neither of these mechanisms require the command to have any knowledge
1778
of the fact that they are being used in this manner. Note that return
1779
values are cached within the agent for 30 seconds, rather than invoking
1780
the command for every request.
1783
'pass' is a more general mechanism for extending the agent, and the
1784
command given will be invoked for any request within the specific MIB
1785
subtree. Details of precisely how this command will be called in
1786
various circumstances is given in the 'snmpd.conf(5)' man page.
1788
'pass-persist' is similar, but the command will continue running
1789
even once the initial request has been answered.
1791
See 'snmpd.conf(5)' for more details.
1795
What's the difference between AgentX, SMUX and proxied SNMP?
1796
-----------------------------------------------------------
1798
All three are protocols that can be used to make two or more agents
1799
appear as one to the querying application. In each case, one agent
1800
takes the role of "master", and delegates requests to one of the others
1801
as and where this is appropriate. The differences between them mainly
1802
relate to how data is represented, and the mechanisms for communication
1803
between master and subagents.
1805
SMUX and proxy SNMP both essentially use the standard SNMP packet format.
1806
The main difference is that a proxy SNMP subagent need not be aware that
1807
it is acting in such a role. It typically listens on a non-standard port,
1808
and simply receives requests as usual, forwarded from the master agent.
1809
The main issue to be aware of is that such requests will usually appear
1810
to come from the local host, and this may affect how the access control
1811
mechanisms need to be set up.
1813
SMUX uses a similar packet format, but the subagent "registers" with
1814
the master agent, providing a suitable password. The Net-SNMP (and UCD)
1815
agent includes the possibility of acting as a SMUX master agent, but the
1816
suite does not include a subagent API. Note that the SMUX protocol has
1817
essentially been superceded by AgentX, but is still provided in order to
1818
support existing SMUX subagents. However the core developers have little
1819
experience (and even less interest!) in this code, so assistance with
1820
SMUX-related problems is likely to be somewhat limited.
1821
See the file 'agent/mibgroup/README.smux' for details.
1823
AgentX uses a more compact (and simpler) packet format, with a richer
1824
range of administrative commands, and provides a more flexible and reliable
1825
extension mechanism. The Net-SNMP agent can be used in both master and
1826
subagent roles, and the agent library can also be used to embed an AgentX
1827
subagent within another application.
1828
See the file 'README.agentx' for details.
1830
Note that support for SMUX is not configured in by default. You will
1831
need to run configure with the option
1833
--with-mib-modules=smux
1835
Starting from release 4.2.1, AgentX support is now included by default,
1836
but needs to be explicitly activated in the master agent. Do this by
1841
to the snmpd.conf file before starting the agent. Note that there are
1842
a number of known problems with the AgentX support in the 4.x line, and
1843
this should not be used on production systems. The 5.0 AgentX support
1844
has been significantly improved, and production use is less foolhardy.
1845
See README.agentx for details.
1849
What about 'dlmod' - what's that about?
1850
--------------------------------------
1852
Dynamically loaded modules are a means of including a MIB implementation
1853
module within the main SNMP agent (or an AgentX subagent) without needing
1854
to re-compile and re-link the agent binary. Instead, details of the
1855
module(s) to load are specified in the configuration file, and the agent
1856
locates the files listed, and merges them in at run time.
1858
See http://www.net-snmp.org/tutorial-5/toolkit/dlmod/ for more information.
1865
That's a difficult question.
1867
Comparing the three protocols, SNMP was not originally designed
1868
as an internal subagent-communication protocol, and there are
1869
certain architectural limitations to SMUX, which were addressed
1870
as part of the design of AgentX. These include such aspects as
1871
reliable handling of SET requests (particularly in the face of
1872
failures), a common value for sysUpTime, and a mechanism for
1873
sharing tables across multiple subagents.
1874
So from a purely functional point of view, AgentX is the most
1875
appropriate choice for subagent communication.
1877
In terms of implementation, SMUX is the most mature of the three,
1878
but is no longer being actively maintained. The original author
1879
has moved on, and the current developers don't use this facility.
1880
It also only includes master agent support - the package does not
1881
provide a SMUX sub-agent API.
1882
The AgentX support in the 4.x line has a number of known problems,
1883
and is not suitable for use in front-line situations (though it's
1884
probably sufficiently stable and functional for simple day-to-day
1885
use). The 5.0 agent has seen a significant amount of development,
1886
and is a much more reliable beast.
1887
Bear in mind that the AgentX and proxy SNMP implementations are
1888
relatively new code, so have not received the same level of active
1889
service that the core agent has. But with that caveat, either of
1890
these options should be suitable for most use.
1892
This decision will probably be dictated by external considerations
1893
(i.e. the other agents you need to combine with). Ideally, you
1894
should be looking towards AgentX, but this is not always possible.
1896
Dynamically loaded modules serve a somewhat different purpose,
1897
and are purely concerned with how the individual MIB implementation
1898
modules are located. These can be combined with either a "pure SNMP"
1899
model, an AgentX subagent or a proxied SNMP agent. They will involve
1900
a slightly greater load on agent start-up (plus an extra level of
1901
complexity if things go wrong) - balanced against the ability to
1902
avoid re-compiling and re-linking a working binary.
1904
Note that as far as individual MIB modules are concerned, the
1905
protocol used to transport the request is more or less irrelevant.
1906
The same information is being requested (or set) each time, so
1907
a MIB module ought to be protocol-independent. This was one of
1908
the design aims of the AgentX support, and the exact same module
1909
code can be included as part of a pure-SNMP master agent, or an
1910
AgentX subagent, either compiled in or dynamically loaded with no
1911
modifications needed to the MIB module code itself.
1915
Can I use AgentX when running under Windows?
1916
-------------------------------------------
1918
Yes, but there are a couple of things to be aware of.
1920
Firstly, by default the AgentX master listens on the Unix domain
1921
socket '/var/agentx/master', which doesn't work under Windows.
1922
You'll need to tell it to listen on a TCP port, either by using
1923
the command-line option "-x localhost:705", or by adding the
1924
directive "agentxAddress localhost:705" to the snmpd.conf file.
1926
Secondly, be aware that the security of AgentX connectivity is not
1927
particularly strong. The examples given here would allow any process
1928
running on the local machine to register as an AgentX subagent. The
1929
more obvious settings "-x 705" or "agentxAddress 705" would allow
1930
a system *anywhere* on the network (or even from remote networks) to
1931
register as an AgentX subagent. This could potentially be used to
1932
hijack the agent, or provide false information.
1936
Can I use AgentX (or an embedded SNMP agent) in a threaded application?
1937
-----------------------------------------------------------------------
1941
As mentioned in the earlier "thread-safe" FAQ entry, the Net-SNMP
1942
agent (including the AgentX subagent) has not been designed for
1943
threaded operation. In particular, it makes use of various global
1944
variables without attempting to protect them against simultaneous
1945
use. This means that it is *NOT* safe to have SNMP or AgentX
1946
related processing in two separate threads. This also applies to
1947
handling GET (and SET) processing in one thread, and generating traps
1948
in another. This is still vulnerable to the usual threading problems.
1950
However, as long as *all* of the SNMP-related activity is limited
1951
to the one thread, then there should be no reason why this cannot
1952
safely communicate with other threads within the same application,
1953
using private (thread-safe) mechanisms.
1955
But in terms of the Net-SNMP-provided code, the agent (and AgentX
1956
subagent) should *not* be regarded as thread-safe.
1960
How can I run AgentX with a different socket address?
1961
----------------------------------------------------
1963
There are two sides to an AgentX connection, and they need to
1964
agree about which socket address to use. So if you want to use
1965
a different socket, you need to configure both sides accordingly.
1967
For the Net-SNMP master agent, this is done using the command-line
1968
option '-x'. The command
1969
"snmpd -x localhost:705 ...."
1970
would start the agent listening on the TCP port 705 for connections
1971
from the local system.
1973
The main Net-SNMP agent can also be run in a "subagent" mode, and
1974
this uses the same command-line option to specify a different
1976
"snmpd -X -x localhost:705 ...."
1977
would start it as a subagent, and connect to the master agent
1978
listening on TCP port 705 on the same system.
1980
A subagent running embedded within some other application will
1981
typically not understand the same command-line options. This
1982
will need to set the same configuration programmatically.
1983
For example, the example subagent driving code from the Net-SNMP
1984
"subagent program" tutorial (on the project web pages) could
1985
be made to connect to the same TCP port by adding the line
1986
netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
1987
NETSNMP_DS_AGENT_X_SOCKET, "localhost:705");
1988
before the 'init_agent' call.
1990
However, see the mention of AgentX security (or the lack of it!)
1991
in the previous entry.
1995
How can I combine two copies of the 'mib2' tree from separate subagents?
1996
-----------------------------------------------------------------------
1998
With the 4.x line agent, you can't. Sorry about that.
2000
With the 5.0 agent, this is possible by using the SNMPv3 context string
2001
to distinguish between parallel MIB trees. This can be set up for an
2002
individual MIB implementation module when it registers itself with the
2003
main agent framework (either directly, or via AgentX). It can also
2004
be set up for a proxied subagent as part of the proxy configuration
2005
entry (see 'snmpd.conf(5)').
2006
This facility is not currently available for SNMPv1 or SNMPv2c
2007
requests (although it ought to be possible to use the community
2008
string in a similar way).
2010
Another way to handle this would be to tweak one of the subagents to
2011
use a different set of (non-standard) OID assignments - perhaps by
2012
relocating the whole of the subtree to another (private) OID. This
2013
is not ideal, but should work with all configurations.
2017
What traps are sent by the agent?
2018
--------------------------------
2020
The agent sends a 'coldStart(0)' trap when it first starts up, and an
2021
enterprise-specific trap 'nsNotifyShutdown' (or 'ucdShutdown') when it
2022
stops. It can also be configured to send an 'authenticationFailure(4)'
2023
trap when it receives an SNMPv1 request using an unknown community name.
2024
The Net-SNMP agent generates an enterprise-specific trap 'nsNotifyRestart'
2025
(rather than the standard 'coldStart(0)' or 'warmStart(1)' traps) on
2026
receiving a HUP signal - typically after being re-configured.
2028
The agent does not send 'linkUp' or 'linkDown' traps by default. The
2029
Net-SNMP agent can be configured to do this using the 'monitor' config
2030
directive. See the 'snmpd.conf(5)' man page (under DISMAN-EVENT-MIB)
2031
for details (including the need for an 'agentSecName' setting).
2033
Similarly, it does not generate traps by default when one of the
2034
monitored characteristics (disk usage, running processes, etc) enters or
2035
leaves an error state. This can be configured using the 'defaultMonitors'
2036
config directive (also documented under DISMAN-EVENT-MIB). Note that
2037
these facilities are only available with the v5 Net-SNMP agent, and are
2038
not supported by the v4 UCD agent.
2042
Where are these traps sent to?
2043
-----------------------------
2045
With all these alerts, the agent also needs to be configured with
2046
(one or more) destinations to send them to, specifying the type of
2047
notification (v1 or v2 trap, or v2 inform) and the community name to
2048
use. This uses the snmpd.conf directives 'trapsink', 'trap2sink' and
2049
'informsink' for the destination type, and 'trapcommunity' for the
2050
community name. SNMPv3 destinations can be configured using the directive
2051
'trapsess'. See the 'snmpd.conf(5)' man page for details.
2053
Note that these directives control the type of notification that is
2054
generated. This is completely separate from the style of API used to
2055
request that the notification should be sent. If a module invokes the
2056
v1-style API 'send_easy_trap', this will still send SNMPv2 notifications
2057
to destinations configured using 'trap2sink' or 'informsink' (and vice
2060
A configuration block such as
2064
informsink localhost
2066
will result in *three* notifications being sent for each call to
2067
'send_easy_trap' (or 'send_v2trap'). See 'snmp_trap_api(3)' for details.
2069
Note that all notifications will be sent to all destinations. The
2070
agent does not (currently) support notification filtering.
2074
How can I send a particular trap to selected destinations?
2075
----------------------------------------------------------
2077
With the v4 UCD agent, this isn't possible (or at least not
2078
easily). When you request the agent to generate a trap (using
2079
either 'send_v2trap' or 'send_easy_trap'), this will be sent
2080
to *all* the known destinations.
2082
The v5 Net-SNMP agent introduced preliminary support for the
2083
snmpNotifyFilterTable which is designed to allow this sort of
2084
selective trap direction, though this is not currently active.
2085
(The tables are present, but the information is not consulted)
2086
Documentation on how to use this facility will appear once the
2087
functionality is working properly.
2091
Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
2092
----------------------------------------------------------------------
2094
The two versions of the trap API calls are concerned with how
2095
the trap is represented when it is passed *in* to the API, not
2096
the version of the trap PDU that will actually be generated by
2097
the agent. That is determined by the configuration token used
2098
to set up the trap destination.
2100
Remember that in general, all traps are sent to all destinations.
2101
This means that a trap specified using the SNMPv1 trap syntax
2102
needs to be converted to the SNMPv2 format before it can be sent
2103
to an SNMPv2 (or SNMPv3) destination. Similarly, a trap specified
2104
using the SNMPv2 syntax needs to be converted to the SNMPv1 format
2105
before it can be sent to an SNMPv1 sink.
2107
Essentially, the API call to use depends on what you asking for,
2108
which is not necessarily what the recipients will actually get!
2109
See 'snmp_trap_api(3)' for a fuller explanation.
2113
When I run the agent it runs and then quits without staying around. Why?
2114
-----------------------------------------------------------------------
2116
Firstly, are you certain that this is what is happening?
2118
The normal operation of the agent is to 'fork' itself into the
2119
background, detaching itself so that it will continue running even
2120
when you log out, and freeing the command line for subsequent use.
2121
This looks at first sight as if the agent has died, but using 'ps'
2122
to show all processes should reveal that the agent is still running.
2124
To prevent this behaviour (such as when attempting to debug the
2125
agent), you can start it with the '-f' flag. This suppresses the
2126
fork, and the agent will run as a 'normal' command. It's also often
2127
useful to use the '-L' (or '-Le') flag, to log messages to stdout.
2129
On the other hand, if 'ps' shows that the agent is not running, then
2130
this is an error, and probably show that something went wrong in
2131
starting the agent up. Check the agent log file for any error messages,
2132
or run it with '-f -L' and see what it reports.
2134
One known example of this is the 'ucd-snmp' RPM distributed by RedHat.
2135
This agent crashes if there is a 'disk' configuration entry in the
2136
snmpd.conf file. It is not currently known what causes this, as this
2137
setting works correctly if the agent is compiled from source.
2141
After a while the agent stops responding, and starts eating CPU time. Why?
2142
--------------------------------------------------------------------------
2144
This is most commonly seen when performing an "snmpwalk" on an agent
2145
that's either using a default "vendor provided" configuration
2146
(typically access to the 'system' group only), or which is trying
2147
to restrict access for individual users or communities to a subset
2148
of the whole OID tree.
2150
The agent implementation of "GetNext" processing is relatively
2151
inefficient when dealing with inaccessible objects, and it is quite
2152
easy for the clients to time-out and retry a request, while the agent
2153
is still trying to process the original. If this happens continually
2154
(as is typically the case with an snmpwalk), the agent can get swamped
2157
The 5.0.x line has now addressed this, starting with the 5.0.7 release.
2158
The 4.2.x line still suffers from this problem, and it is unlikely that
2159
this will be fixed. (The 5.0.7 approach relies on some of the new
2160
features in the 5.0.x line, and it has not proved possible to apply
2161
this to the 4.2.x code base).
2165
How can I stop other people getting at my agent?
2166
-----------------------------------------------
2168
Firstly, are you concerned with read access or write access?
2170
As far as changing things on the agent is concerned, there is relatively
2171
little that can actually be altered (see the answer to " I cannot set
2172
any variables in the MIB" above).
2174
If you are using the example config file, this is set up to allow
2175
read access from your local network, and write access only from the
2176
system itself (accessed as 'localhost'), both using the community name
2177
specified. You will need to set appropriate values for both NETWORK
2178
and COMMUNITY in this file before using it.
2179
This mechanism can also be used to control access much more precisely.
2180
(see the next few questions for details)
2182
Other options include:
2183
- Blocking access to port 161 from outside your organisation
2184
(using filters on network routers)
2185
- Using kernel-level network filtering on the system itself
2187
- Configuring TCP wrapper support ("--with-libwrap")
2188
This uses the TCP 'libwrap' library (available separately)
2189
to allow/deny access via /etc/hosts.{allow,deny}
2191
For strict security you should use only SNMPv3, which is the secure
2192
form of the protocol. However, note that the agent access control
2193
mechanisms does not restrict SNMPv3 traffic by location - an SNMPv3
2194
request will be accepted or rejected based purely on the user
2195
authentication, irrespective of where it originated.
2199
How can I listen on just one particular interface?
2200
-------------------------------------------------
2202
Normally, the agent will bind to the specified port on all interfaces
2203
on the system, and accept request received from any of them. With
2204
version 4.2, the '-p' option can be used to listen on individual
2205
interfaces. For example,
2207
snmpd -p 161@127.0.0.1
2209
will listen (on the standard port) on the loopback interface only, and
2211
snmpd -p 6161@10.0.0.1
2213
will listen on port 6161, on the (internal network) interface with address
2214
10.0.0.1. If you want to listen on multiple interfaces (but not all),
2215
then simply repeat this option for each one:
2217
snmpd -p 161@127.0.0.1 -p 6161@10.0.0.1
2219
The v5 Net-SNMP agent has a similar facility, but does not use the '-p'
2220
command line option flag. Instead, the ports and/or interfaces to listen
2221
on are simply listed on the command line, following any other options. Also,
2222
the syntax of port and interface is slightly different (interface:port).
2223
So the three examples above would be
2226
snmpd 127.0.0.1:6161
2227
snmpd 127.0.0.1:161 127.0.0.1:6161
2229
The AgentX port option ('-x') works in much the same way, using the
2230
"host:port" syntax (in both 4.2 and 5.0 lines - and yes, this *is* an
2231
inconsistency in 4.2!)
2235
How do I configure access control?
2236
---------------------------------
2238
The simplest way is to use the configure directives:
2240
rocommunity public (for SNMPv1/2c)
2243
rouser user1 (for SNMPv3)
2246
These specify the community names or security names to accept for
2247
read-only and read-write access to the whole of the supported MIB tree.
2248
(Obviously you should change these names to match your requirements -
2249
which is a particularly good idea in the case of 'rwcommunity'!)
2251
Note that it is *not* necessary (and not advisible) to specify the
2252
same community name for both rocommunity and rwcommunity directives.
2253
The rwcommunity setting automatically includes rocommunity access,
2254
and having both lines (with the same community name) may result in
2255
apparently inconsistent behaviour. Only use both settings when
2256
specifying *different* community names.
2257
The same holds true for rouser and rwuser.
2259
All four of these settings can can also be restricted to particular
2260
subtrees, and/or request sources. See 'snmpd.conf(5)' for details.
2262
These directives are effectively wrappers round the core access control
2263
mechanism, which uses the four directives 'com2sec', 'group', 'view'
2264
and 'access' to provide a more efficient and flexible control
2265
over who can access which portions of the tree.
2267
See the next question for the gory details, and the entry after
2268
that for setting up SNMPv3 users.
2272
I don't understand the new access control stuff - what does it mean?
2273
-------------------------------------------------------------------
2275
The idea behind the new access control model is to give a more flexible
2276
way of specifying who can see and do what within the MIB tree.
2277
It's more complicated to understand than the simple example above, but
2278
that's because it can do a whole lot more.
2280
There are four configuration keywords in the new scheme:
2281
'com2sec', 'group', 'view', and 'access'
2283
We'll consider these one at a time, starting with 'access'.
2284
(Because I feel like starting with the last one, that's why - OK?)
2287
The "access" keyword has the job of specifying who has access to
2288
which bits of the MIB tree. This has eight parameters, so can look
2289
rather offputting. Most of these can be safely left with default values
2290
in most cases (so don't you worry your pretty little head about them).
2293
access {group} "" any noauth exact {read-tree} {write-tree} {notify-tree}
2295
where the entries in braces need to be defined elsewhere (I'm coming
2296
to that - be patient!), and the rest can be left as shown here.
2298
[ If you really want to know, the 'sec.model' field can
2299
be used to have an access line that's only relevant to
2300
particular versions of SNMP (such v1 or v2c) rather than
2301
"any" version, and the 'sec.level' field to ensure that
2302
the request must be authenticated or encrypted.
2303
The context and prefix fields can be used to distinguish
2304
between parallel versions of the same overall OID tree
2308
The "view" keyword is used to define particular bits of the MIB tree,
2309
for use in the last three field of the access entry.
2312
view {name} included/excluded {subtree} {mask}
2314
where {name} is the identifier to be used for this view (i.e. what should
2315
appear in the access entry), and {subtree} is the portion of the MIB tree
2316
that this name refers to (in either numeric or named form).
2317
Note that the name of the view does not have to have anything to do
2318
with the MIB sub-identifier names - it's purely an identifying tag for
2319
use within the config file (though choosing a meaningful name is, as
2320
always, a very good idea).
2322
The {mask} field can be used to control which elements of the OID subtree
2323
should be regarded as relevant when determining which view an OID is in.
2324
Normally, the whole of the OID should be included, and in this case the
2325
mask field can be omitted. See snmpd.conf for a description of how this
2327
The third field can be used to include or exclude particular portions
2328
of the MIB from the view, and different lines can use the same view name
2329
to build up a more complicated view, if that's what's needed.
2331
The three view fields in the access line are used to control which
2332
portions of the MIB tree a particular {group} can see (GET et al),
2333
alter (SET), or request NOTIFYs on.
2337
That's dealt with the "what" - now for the "who".
2338
This is the role of the "group" and "com2sec" entries.
2340
The "group" keyword gives general control, by mapping between a "security
2341
name" (for a particular protocol version), and the internal name used in the
2342
access line. Note that the token "any" is no longer acceptable for the
2343
security model - the original support for this was due due to a misreading
2344
of the RFC. You should replace any such line with separate versions for
2345
each of the desired security models ('v1', 'v2c' & 'usm').
2347
For SNMPv1 and SNMPv2c, the group line is just an intermediate step
2348
between the "access" line and the "com2sec" line, which is the last bit
2349
of the jigsaw. The "com2sec" entry is used to determine a "security name"
2350
from the traditional community string, taking into account where the request
2351
has come from. Thus the same community string can give access to different
2352
portions of the tree, depending on where the request is sent from.
2354
For example, in an earlier version of the example config file, there
2355
were two com2sec lines with the community string "public" - one was valid
2356
from anywhere (with the security name "public") and one was only valid
2357
from the local network (using the security name "mynet").
2358
The group lines converted these security names into the groups "public"
2359
and "mygroup" respectively, and the access lines gave these two groups
2360
the ability to GET values in the 'system' sub-tree (from anywhere) or
2361
the 'mib-2' sub-tree (from the local network). Neither of these could
2362
SET any values though, (since the write-tree was "none" in both cases).
2363
Someone on the local machine, using the community string "private",
2364
had the security name "local" and the group name "local", and hence had
2365
full access (both GET and SET, as well as NOTIFY) to the whole of the
2366
MIB tree (or at least everything under .1, which covers most things!)
2368
Note that the three occurrences of "public", as community string,
2369
security name and group name, were three totally separate things.
2370
You can't use a community string in a security name field, or either
2371
of these as a group name (or vice versa), unless you set up suitable
2372
entries to map one name onto the other.
2374
With SNMPv3, the security name is part of the basic protocol, and can
2375
be used directly in a group definition.
2377
And here concludes our tour of the view-based access control mechanism.
2382
How do I configure SNMPv3 users?
2383
-------------------------------
2385
Create a file /var/ucd-snmp/snmpd.conf file, containing the line
2387
createUser {myUser} MD5 {myPassword} DES
2389
(where {myUser} and {myPassword} are the appropriate values, _without_
2390
the braces!). Then start (or re-start) the snmpd agent.
2391
This will create the new user. See the access control entries above
2392
for how to use this, and the file 'README.snmpv3' for more details.
2396
The 'createUser' line disappears when I start the agent. Why?
2397
-------------------------------------------------------------
2399
That's deliberate. The agent removes the (human-readable) 'createUser'
2400
directive, and replaces it with an equivalent 'usmUser'. This
2401
contains the same information, but in a form that's only meaningful
2402
internally. This means that the password is not longer stored in
2403
a human-readable form. Additionally, the password has been converted
2404
to a key that can only be used to access the local machine. If someone
2405
stole the new usmUser line on this machine, they could not use that
2406
information to access any of your other agents.
2410
What's the difference between /var/ucd-snmp and /usr/local/share/snmp?
2411
---------------------------------------------------------------------
2413
Most "static" agent configuration should go in the traditional location
2414
(typically /usr/local/share/snmp/snmpd.conf or /etc/snmp). The
2415
/var/ucd-snmp (or /var/net-snmp) location is used for information set during
2416
the running of the agent, which needs to be persistent between one run of
2417
the agent and the next.
2419
Putting the 'createUser' line in this persistent file is an exception,
2420
for security reasons (see above). In general you shouldn't need to put
2425
My new agent is ignoring the old snmpd.conf file. Why?
2426
-----------------------------------------------------
2428
The most likely explanation is that the new version of the agent is
2429
looking in a different location than the previous one. This is commonly
2430
experienced when replacing a ready-installed version (e.g. from a vendor
2431
distribution), with the current release installed from the source.
2433
The default location for this file with the basic distribution is
2434
/usr/local/share/snmp/snmpd.conf (or PREFIX/share/snmp/snmpd.conf).
2435
Ready-installed versions often look for the file as /etc/snmpd.conf,
2436
or /etc/snmp/snmpd.conf. Try moving the old config file to the new
2437
location, and restart the agent.
2439
With release 5.0, the name of the package changed from "ucd-snmp"
2440
to "net-snmp", and this change was reflected in the name of the persistent
2441
/var directory. So a v5 Net-SNMP agent will not look in
2442
/var/ucd-snmp/snmpd.conf for settings from a v4 UCD agent.
2446
Why am I getting "Connection refused"?
2447
-------------------------------------
2449
This is actually nothing to do with the access control mechanism
2450
(though that's an understandable mistake). This is the result of
2451
the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny'
2452
to control access to the service. Some distributions may come with
2453
this enabled automatically - otherwise you need to select it explicitly
2454
by configuring using '--with-libwrap'.
2456
The simplest way to avoid this problem is to add the line
2460
in the file /etc/hosts.allow (or wherever this file is on your system).
2461
Though be aware that doing this removes one level of protection and allows
2462
anyone to try and query your agent (though the agent's own access control
2463
mechanisms can still be used to restrict what - if anything - they can see).
2465
Note that personal firewalls (such as Linux' ipchains or iptables mechanism)
2466
may have a similar effect (though typically this won't be logged).
2467
See the earlier entry
2468
Requests always seem to timeout, and don't give me anything back. Why?
2472
I'm getting errors about "bad security model" - why?
2473
----------------------------------------------------
2475
Until release 4.2, the access control handling accepted the token "any"
2476
to cover all of the recognised security models. This is explicitly
2477
forbidden in the relevant RFC, so support for this is being withdrawn.
2478
As an interim measure, it is currently accepted (with the warning you
2479
see), but this will not be the case in future releases of the agent.
2481
You should replace the token 'any' with 'v1', 'v2c' or 'usm' as
2482
appropriate. If you want to support all three of these security models,
2483
you'll need to use three distinct group lines, one for each. See the
2484
example snmpd.conf file for details.
2488
I'm getting errors about "bad prefix match parameter" - why?
2489
------------------------------------------------------------
2491
This is similar to the previous question. With 4.2, the syntax of the
2492
'access' configure line has changed, and a value of '0' is no longer
2493
acceptable for the sixth field. Simply replace this with the word 'exact'.
2497
Why can't I see values in the UCDavis 'extensible' or 'disk' trees?
2498
------------------------------------------------------------------
2500
Both these trees are designed to report things you ask it to report
2501
on. If you don't declare anything in the snmpd.conf file for it to
2502
monitor, it will not report anything. See the snmpd.conf manual page
2503
and the EXAMPLE.conf file for details on configuring the agent.
2505
Optionally, run snmpconf -g monitoring to help you set up this
2506
section of the snmpd.conf file.
2510
Why can't I see values in the UCDavis 'memory' or 'vmstat' trees?
2511
----------------------------------------------------------------
2513
These mib modules are not supported on all operating systems, and
2514
will not be included on any other system. Currently, they are only
2515
supported on Linux, HP-UX (memory only), Solaris, BSDi (vmstat on
2516
BSDi4 only), Dynix, FreeBSD, NetBSD and OpenBSD.
2517
If you want to help port it to other systems, let us know.
2519
Note that these subtrees only report the current usage when
2520
explicitly queried. They do *not* generate traps when the
2521
usage strays outside the configured bounds.
2522
See the earlier FAQ entry
2523
What traps are sent by the agent?
2527
What do the CPU statistics mean - is this the load average?
2528
----------------------------------------------------------
2530
No. Unfortunately, the original definition of the various CPU statistics
2531
was a little vague. It referred to a "percentage", without specifying
2532
what period this should be calculated over. It was therefore
2533
implemented slightly differently on different architectures.
2535
Recent releases includes "raw counters", which can be used to
2536
calculate the percentage usage over any desired period. This is
2537
the "right" way to handle things in the SNMP model. The original
2538
flawed percentage objects should not be used, and will be removed
2539
in a future release of the agent.
2541
Note that this is different from the Unix load average, which is
2542
available via the loadTable, and is supported on all architectures.
2546
How do I get percentage CPU utilization using ssCpuRawIdle?
2547
-----------------------------------------------------------
2549
This one of the "raw counters" mentioned in the previous entry.
2550
You need to take two readings of this object and look at the
2551
difference between them. That difference divided by the total
2552
number of 'ticks' between the two readings (where one tick is
2553
probably 0.01 seconds) will give you the percentage utilization
2558
What about multi-processor systems?
2559
----------------------------------
2561
Sorry - the CPU statistics (both original percentages, and the
2562
newer raw statistics) both refer to the system as a whole. There
2563
is currently no way to access individual statistics for a particular
2564
processor (except on Solaris systems - see below).
2566
Note that although the Host Resources table includes a hrProcessorTable,
2567
the current implementation suffers from two major flaws. Firstly, it
2568
doesn't currently recognise the presence of multiple processors, and
2569
simply assumes that all systems have precisely one CPU. Secondly, it
2570
doesn't calculate the hrProcessorLoad value correctly, and either returns
2571
a dummy value (based on the load average) or nothing at all.
2573
As of net-snmp version 5.1, the Solaris operating system delivers some
2574
information about multiple CPU's such as speed and type.
2576
Other than that, to monitor a multi-processor system, you're currently
2577
out of luck. We hope to address this in a future release of the agent.
2578
But you've got the source, so you can always have a go yourself :-)
2582
The speed/type of my network interfaces is wrong - how can I fix it?
2583
-------------------------------------------------------------------
2585
Some operating systems will provide a mechanism for determining
2586
the speed and type of network interfaces, but many do not. In this
2587
case, the agent attempts to guess the most appropriate values, based
2588
on the name of the interface.
2589
Version 4.2 allows you to override these guessed values, using the
2590
configuration directive 'interface', specifying the name, type and
2591
speed of a particular interface. This is particularly useful for
2592
fast-ethernet, or dial-up interfaces, where the speed cannot be
2593
guessed from the name.
2594
See the snmpd.conf(5) man page for details.
2598
The interface statistics for my subinterfaces are all zero - why?
2599
----------------------------------------------------------------
2601
Unfortunately, most kernels that support multiple logical
2602
interfaces on a single physical interface, don't keep separate
2603
statistics for each of these. They simply report the overall
2604
statistics for the physical interface itself.
2605
There's no easy way around this problem - the agent can only
2606
report such values as it can find out. If the kernel doesn't
2607
keep track of these figures, the agent can't report them.
2612
Does the agent support the RMON-MIB?
2613
-----------------------------------
2617
There is an "Rmon" code module included within the agent source
2618
code tree, but this is best thought of as a template for the
2619
RMON-MIB statistics groups, rather than a full implementation.
2621
With most MIBs, the hardest part of implementing the MIB is often
2622
getting hold of the data to report. This is definitely true of the
2623
RMON-MIB, which relies on gathering (and analysing) a potentially
2624
large quantity of network traffic. The Rmon code distributed with
2625
the Net-SNMP agent code avoids this problem, by using random data.
2627
Some of the functionality of the RMON-MIB, such as the alarm and
2628
event groups, has since been superceded by the work of the DisMan
2629
IETF working group. The Net-SNMP agent does implement these (more
2630
general) MIB modules. But the statistics gathering aspects of
2631
the RMON-MIB are not readily available.
2633
Note too that none of the core developers have any significant
2634
experience with this code, and the person who originally wrote it
2635
is no longer active on the mailing lists. So there's no point in
2636
asking on the lists whether these modules work or not. You've got
2637
the source - how badly do you need this functionality?
2641
What does "klread: bad address" mean?
2642
-------------------------------------
2644
This means that the agent was unable to extract some of the
2645
necessary information from the kernel structures. This is
2647
- either looking in the wrong place for kernel information
2648
(check the value of KERNEL_LOC)
2649
- an error in the implementation of part of the MIB tree
2650
for that architecture. Try and identify which
2651
OID is generating the error, and contact the
2652
list 'net-snmp-coders@lists.sourceforge.net'
2653
Remember to tell us what architecture you have!
2657
What does "nlist err: wombat not found" (or similar) mean?
2658
----------------------------------------------------------
2660
This means that the agent wasn't able to locate one of the
2661
kernel structures it was looking for. This may or may not
2662
be important - some systems provide alternative mechanisms
2663
for obtaining the necessary information - Solaris, for example,
2664
can produce a whole slew of such messages, but still provide
2665
the correct information.
2666
This error only occurs if you have used the flag
2667
'--enable-debugging' as part of the initial configuration.
2668
Reconfigure the agent with '--disable-debugging' and these
2669
messages will disappear. (It won't fix the underlying problem,
2670
but at least you won't be nagged about it).
2674
How about "Can't open /dev/kmem"?
2675
--------------------------------
2677
This device is normally restricted to just being accessible by root
2678
(or possibly by a special group such as 'kmem' or 'sys'). The agent
2679
must be able to read this device to obtain the necessary information
2680
about the running system.
2681
Check that the agent was started by root, and is running with UID 0
2682
(or suitable GID if appropriate). The agent will normally continue
2683
to run without this level of access permission, but won't be able to
2684
report values for many of the variables (particularly those relating
2685
to network statistics).
2689
The agent is complaining about 'snmpd.conf'. Where is this?
2690
-----------------------------------------------------------
2692
It doesn't exist in the distribution as shipped. You need to
2693
create it to reflect your local requirement.
2694
To get started, you can either just create this as an empty file,
2695
or run snmpconf to help you create one.
2696
See the snmpd.conf(5) manual page for further details.
2700
The system uptime (sysUpTime) returned is wrong!
2701
-----------------------------------------------
2704
The defined meaning of 'sysUpTime' is
2705
"the time ... since the *network management*
2706
portion of the system was re-initialized."
2708
In other words, when the snmp agent was started, not when the
2709
system itself last booted. This latter information is available
2710
in the Host Resources MIB as "host.hrSystem.hrSystemUpTime"
2711
Note that even if the full Host Resources is not supported on
2712
your system, it's worth configuring in the system portion using
2714
'--with-mib-modules=host/hr_system'
2716
and recompiling. This particular group is reasonably likely to
2717
work, even if some of the other more system-specific groups don't.
2721
How can I reduce the memory footprint?
2722
--------------------------------------
2724
In order to reduce the memory footprint (for instance, to
2725
embed the snmpd into a device), the following configure options
2728
'--disable-debugging'
2729
This turns off all compilation of debugging info.
2731
'--enable-mini-agent' '--with-out-mib-modules=examples/ucdDemoPublic'
2732
This creates an agent the minimum amount of MIB modules
2734
NOTE: If you need more MIB modules add then with the option
2735
'--with-mib-modules=...' you add of course extra memory footprint.
2737
'--with-transports=UDP'
2738
This option specifies the transports domain you need.
2739
For a simple agent UDP should be sufficient.
2741
'--without-kmem-usage'
2742
This can be used in order not to include the code that
2743
operates on the /dev/kmem. This option cannot be used when
2744
you do want a MIB module compiled in that depends on it.
2746
'--with-mibdirs=' and '--with-mibs='
2747
These options specify not loading the MIB modules for the
2748
agent. It reduces the memory footprint only during
2751
On top of this one could even attempt to exclude the complete
2752
MIB loading functionality, but there is currently no
2753
configure option for this.
2755
Once the agent (snmpd) has been linked, you might also try running
2756
'strip snmpd' to remove un-necessary debug/symbol information.
2763
How do I compile with 'cc' instead of 'gcc'?
2764
-------------------------------------------
2766
Run configure with --with-cc=cc
2768
Note that if you've already run configure once, it will probably have
2769
detected the presence of 'gcc', cached this information, and may still
2770
try to use this anyway. In which case, simply remove the 'config.cache'
2771
file before re-running configure.
2775
But gcc doesn't compile it successfully on my new Solaris system. Why not?
2776
-------------------------------------------------------------------------
2778
Whenever you upgrade the operating system under Solaris, you need to
2779
reinstall gcc, and run the 'fixincludes' script. (This is probably
2780
a sensible step to take when you upgrade any operating system).
2781
Under Solaris 2.6, there is also a bug in the gcc 'fixinc.sv4' script.
2782
This needs an additional line as follows:
2784
*** fixinc.svr4.cln Thu Jun 15 22:03:29 1995
2785
--- fixinc.svr4 Tue Nov 25 09:47:57 1997
2789
s/__STDC__ - 0 == 0/!defined (__STRICT_ANSI__)/g
2790
+ s/__STDC__ - 0 == 1/defined (__STRICT_ANSI__)/g
2792
NOTE: This appears to have been resolved.
2796
On RedHat 8.0 or up I get "/usr/bin/ld: cannot find -lelf"?
2797
----------------------------------------------------------
2799
RedHat 8.0 and up doesn't come with libelf installed (properly) by
2800
default. In order to build Net-SNMP you'll need the elfutils-devel
2801
rpm installed, which you currently don't have.
2803
Alternatively, this could quickly fix the problem without requiring
2804
the -devel rpm installed (as this is one of the things the -devel rpm
2805
does when you install it):
2807
cd /usr/lib ; ln -s libelf.so.1 libelf.so
2809
Note that this will only affect you if you are trying to compile in
2810
the host resources mib support, as it'll try to use the rpm libraries
2811
which will in turn require that libelf.a or libelf.so be present.
2815
I'm getting an error "autoheader: not found" - what's wrong?
2816
-----------------------------------------------------------
2818
This usually appears when compiling the current development source
2819
version, obtained via CVS. Unfortunately, the timestamps on some of
2820
the configure files are such that make assumes (mistakenly) that the
2821
configure script needs to be re-generated.
2822
A similar problem may arise relating to 'autoconf'.
2824
In both cases, this can be corrected by running the command
2825
"make -k touchit" before attempting to make the main package.
2829
What about a failed dependency on 'libcrypto'? Where can I get that?
2830
--------------------------------------------------------------------
2832
This is typically encountered when installing a Linux RPM of
2833
the ucd-snmp package. This library is part of the 'openssl'
2834
suite, so simply install that RPM first, or download the source
2835
from ftp://ftp.openssl.org and compile and install that.
2837
When compiling {UCD,Net}-SNMP from source, the configure script
2838
should detect that this library is not present, and use alternative
2839
arrangements for MD5-based authentication.
2841
If encryption (or SHA1-based authentication) is required, then
2842
this typically requires compiling from source. Under Linux, both
2843
the 'openssl' and 'openssl-devel' RPMs should be installed, and the
2844
'config.cache' file removed before running "configure --with-openssl"
2849
Why is the project workspace empty under Visual C++?
2850
---------------------------------------------------
2852
This is probably due to the different ways that Unix and Windows
2853
handle text file line termination. Older versions of WinZip don't
2854
handle this properly, and Visual C++ gets confused (poor dear!).
2855
The latest version of WinZip is reported to unpack this correctly.
2859
Why does 'make test' skip five tests?
2860
-----------------------------------
2862
You mean T053agentv1trap, T054agentv2ctrap, T055agentv1mintrap,
2863
T056agentv2cmintrap and T113agentxtrap?
2865
These tests rely upon functionality in the NET-SNMP-EXAMPLES-MIB
2866
which is not implemented in the default agent configuration. To
2867
include these tests, invoke the `configure` script to include
2868
'--with-mib-modules="examples/example".
2872
Why does 'make test' complain about a pid file?
2873
-----------------------------------------------
2875
Typically it says something like:
2877
cat: cannot open /tmp/snmp-test-1-8694/*pid*
2879
It's trying to tell you the port is blocked - typically because
2880
another copy of the agent is still running, left over from from a
2881
previous testing run.
2883
If you type 'ps -ef' you should notice an orphaned process like:
2885
snmpd -d -r -U -P /tmp/snmp-test-5-27295/snmpd.pid...
2889
This could be happening for several reasons including:
2891
1. You are trying to do concurrent runs of 'make test'.
2893
2. On a slow machine, the agent might be taking too long to
2894
start up. Try changing the value of the variable SNMP_SLEEP
2895
in testing/RUNTESTS from 1 to something higher - say 3 or 5.
2902
How do I write C code to integrate with the agent?
2903
-------------------------------------------------
2905
At the moment, there are three methods for integrating external C code
2908
The code can be included within the agent itself, statically configured
2909
and linked in when the agent is compiled. Alternatively, with the 4.2
2910
release of the agent, it's possible to dynamically load MIB modules once
2911
the agent is running. Finally, the agent can be configured to pass certain
2912
portions of the MIB tree off to one or more subagents. See the earlier
2913
question on AgentX, SMUX and proxied SNMP for more details.
2915
All three mechanisms use the same module API. This is described (in
2916
excruciating detail) in the file AGENT.txt, shipped with the standard
2917
distribution. There is also an HTML version accessible via the project
2918
web page. This task can be aided using the tool 'mib2c' which generates
2919
most of the necessary skeleton code from the description in the MIB file.
2921
Note that the UCD suite does not include support for SMUX subagents.
2925
How does the agent fetch the value of a variable from the system?
2926
----------------------------------------------------------------
2928
Much of the information is extracted from kernel memory - usually
2929
by seeking to the appropriate location and reading the structures
2931
Some systems provide cleaner interfaces to such kernel information
2932
(it would be hard to think of a less clean interface!), via ioctl()
2933
calls or similar system routines and these mechanisms are usually used
2938
Mib2c complains about a missing "mib reference" - what does this mean?
2939
---------------------------------------------------------------------
2941
This basically means that it hasn't loaded the MIB file containing
2942
the definition of the MIB subtree you're trying to implement. This
2943
might be because it hasn't been installed, the name is wrong, or
2944
(most likely), because it isn't in the default list. See the MIBS
2945
section for more details.
2949
Mib2c complains about not having a "valid OID" - what does this mean?
2950
---------------------------------------------------------------------
2952
This probably means that you gave it the name of a MIB file (or
2953
module), rather than the name of an object defined in that file.
2954
Mib2c expects the name of a 'root' object, and will generate a
2955
template for the sub-tree starting from there.
2957
If you've got a file 'MY-MIB.txt', defining the MIB module
2958
'MY-MIB' which contains a subtree based on the object 'myMib',
2959
then you should invoke mib2c as
2962
"mib2c .... MY-MIB.txt"
2963
or "mib2c .... MY-MIB"
2965
Note that you'll probably also have to add your MIB to the list of
2966
MIBs that are loaded automatically, in order for mib2c to recognise
2967
the name of this object. So the command would typically be
2968
"MIBS=+MY-MIB mib2c .... myMib"
2969
or "MIBS=ALL mib2c .... myMib"
2973
Why doesn't Mib2c like the MIB file I'm giving it?
2974
-------------------------------------------------
2976
This is the same problem as above. Mib2c takes the name of a MIB
2977
object, not the name of a file (or a MIB module). Try using the
2978
name of the MODULE-IDENTITY definition.
2982
Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why?
2983
---------------------------------------------------------------------
2985
This is the same problem as above - giving mib2c the name of
2986
the file containing the MIB, rather than an object within it.
2987
Earlier versions of mib2c didn't detect this situation, and
2988
rather than report an error, it merrily constructed a template
2989
for a default starting point of the mib-2 node.
2991
More recent versions issue the error mentioned above, instead.
2995
Mib2c complains about "configuration files". What's this for?
2996
------------------------------------------------------------
2998
You've probably upgraded to the v5 net-snmp release (from the
2999
v4 ucd-snmp release). This introduced a new approach to agent
3000
module development, including a number of different "helpers".
3001
The mib2c tool comes with configurations to generate code for
3002
many of these, but you'll need to select which is most convenient
3003
for your particular case.
3007
Which mib2c configuration file should I use?
3008
-------------------------------------------
3010
If the MIB contains scalar objects, then use the config file
3011
'mib2c.scalar.conf'. This will generate template handlers for
3012
these scalar objects (ignoring internal structural definitions,
3013
table objects and notifications).
3015
If the MIB contains tables, then there are number of possible
3016
choices. There are at least four configuration files that will
3017
generate template handlers for table objects (ignoring internal
3018
internal structural definitions, scalar objects and notifications).
3019
Which to use depends on the characteristics of the table being
3020
modelled (in particular where the data is held), and preferences
3021
as to the style of code structure.
3023
The config file 'mib2c.create-dataset.conf' assumes that the
3024
data is held internally within the agent, and generates a single
3025
handler routine for each table. Most of the processing is handled
3026
internally within the agent, so this handler routine is really
3027
only needed if particular column objects require special processing.
3029
The config file 'mib2c.iterate.conf' is aimed at tables which
3030
model data held external to the agent (not necessarily ordered
3031
according to the MIB indexing requirements). It generates a pair
3032
of "iteration" routines, which can be used to step through the
3033
table, to select the appropriate row for any given request.
3034
This row is then passed to the (single) table handler routine,
3035
which handles the rest of the processing for all of the column
3036
objects (for both GET and SET requests).
3038
There is also a similar 'mib2c.iterate_access.conf' which
3039
builds on this, but generates a series of individual routines
3040
for handling GET or SET requests for each column object.
3042
The config file 'mib2c.array-user.conf' is again primarily
3043
aimed at data held within the agent (although it can also be used
3044
with external data). In contrast to the single handler routine of
3045
the first two approaches, this generates a series of separate
3046
template routines to handle different aspects of processing the
3047
request. As with the 'mib2c.create-dataset.conf' approach, much
3048
of the processing is handled internally. Many of the generated
3049
routines can be deleted if the relevant objects need no special
3052
The most recent 'mfd' (or 'MIBs For Dummies') configuration takes
3053
this idea of small (often optional) 'stub' routines even further.
3054
This generates a collection of separate *files*, each of which
3055
implements a particular aspect of the table processing. The idea
3056
here is to have lots of "baby steps", rather than have all the
3057
processing dealt with in one place.
3059
There are also some other 'mib2c' configuration files, for more
3060
specialised requirements (e.g. generating notifications, "watched"
3061
scalar objects, or code that is compatible with the v4 UCD agent
3062
API), but these are the main choices for most requirements.
3066
How can I have Mib2c generate code for both scalars and tables?
3067
--------------------------------------------------------------
3069
The v5 Net-SNMP mib2c tool uses separate configuration files to
3070
generate code for scalar objects, and for tables. This means that
3071
it's not possible to automatically generate a single code file
3072
that supports both scalars and tables.
3074
Instead, it's necessary to generate the two code files separately,
3075
and then combine the two files manually. The handler routines from
3076
one file can simply be included in the other with no changes needed.
3077
The corresponding registration of these handlers can then be copied
3078
from the first initialisation routine into the second.
3082
Are there any examples, or documentation?
3083
-------------------------------------------
3085
Most of the MIB modules shipped with the Net-SNMP agent still
3086
use the v4 "traditional" MIB module API, but a few use one of the
3087
newer v5 helper-based handlers.
3089
The dataset handler is used in the two DISMAN-EVENT-MIB modules
3090
(disman/mteEventTable and disman/mteEventNotificationTable), as
3091
well as the 'snmptrapd' implementation of logging incoming traps
3092
(apps/notification_log)
3094
The basic iterator handler is used in a number of modules, such
3095
as the latest TCP and UDP table implementations (mibII/tcpTable &
3096
mibII/udpTable), VACM context handling (mibII/vacm_context) and
3097
various tables relating to agent internals (agent/*). These show
3098
a number of different approaches to using the iterator helper, so
3099
it's worth comparing them.
3101
The two examples/netSnmpHostsTable* modules provide a contrast
3102
between the iterator and iterator_access helpers.
3104
The Net-SNMP agent does not currently include any MIB modules
3105
using the array-user container-based helper. The best examples
3106
of this are to be found in the net-policy project.
3107
See http://net-policy.sourceforge.net/
3111
I've created a new module with 'mib2c' but it doesn't work. Why not?
3112
--------------------------------------------------------------------
3114
Remember that 'mib2c' generates a template for the MIB implementation.
3115
It doesn't fill in all the details for you. In particular, it cannot
3116
know how to obtain the information needed to answer particular queries.
3117
That's the job of the MIB module programmer (you!) - See the previous
3118
question for how to proceed.
3120
Essentially mib2c handles the syntax of the MIB implementation,
3121
leaving you to concentrate on the semantics.
3125
Where should I put the files produced by 'mib2c'?
3126
------------------------------------------------
3128
If you're using the main source tree to compile your new module, then
3129
put these two files (mymib.[ch]) in the directory 'agent/mibgroup'.
3130
You should then re-run configure to add in your new module
3131
("configure --with-mib-modules=mymib") and recompile.
3133
If you've got a number of new modules to add, it might be
3134
sensible to put them all into a single subdirectory of 'mibgroup'.
3135
Then create a header file, listing the individual components.
3136
This might look something like:
3138
config_require(mymib/myObjects)
3139
config_require(mymib/myTable)
3140
config_require(mymib/myOtherTable)
3142
If this was saved as the file 'mymib.h', then the same configure
3143
line given above, would pull in all three modules. See the
3144
current contents of 'agent/mibgroup' for examples of this.
3148
Mib2c only handles a single table in my MIB. How can I fix this?
3149
---------------------------------------------------------------
3151
This was a bug in the mib2c script, which was corrected with
3152
the 4.2 release. Earlier versions can be fixed by applying the
3155
$ diff -u mib2c.cln mib2c
3156
--- mib2c.cln Wed Nov 29 15:12:47 2000
3157
+++ mib2c Wed Nov 29 15:13:18 2000
3159
#============================================
3160
foreach $vtable (@table_list) {
3161
foreach $ptable (@processtable) {
3162
- $variables{$ptable}{'processed'} =
3163
+ $variables{$ptable}{'processed'} .=
3164
(eval "\"$variables{$ptable}{'code'}\"") . "\n\n";
3169
How can I support a large table, with more than 256 column objects?
3170
------------------------------------------------------------------
3172
This is a problem (at least apparently) with the v4 UCD module
3173
API, which uses a "magic number" to distinguish between the various
3174
column objects implemented by a common variable handling routine.
3175
Since this field is defined as an unsigned character, it can only
3176
take values 0-255. So it would appear that the agent cannot
3177
support tables (or scalar groups) with more than 256 objects,
3178
since this would start to duplicate these magic numbers.
3180
However, the agent doesn't actually care which routine implements
3181
a given object, and magic numbers only need to be unique within a
3182
single variable handling routine. So it is actually perfectly
3183
possible to implement a larger table by splitting it between two
3184
(or more) variable handling routines. These can then re-use the
3185
magic numbers quite safely:
3187
struct variable1 [] = {
3188
{MAGIC1, ASN_INTEGER, RWRITE, var_myfirst, 1, { 1}},
3189
{MAGIC2, ASN_INTEGER, RWRITE, var_myfirst, 1, { 2}},
3191
{MAGIC255, ASN_INTEGER, RWRITE, var_myfirst, 1, {255}},
3192
{MAGIC1, ASN_INTEGER, RWRITE, var_mysecond, 1, {256}},
3193
{MAGIC2, ASN_INTEGER, RWRITE, var_mysecond, 1, {257}},
3195
{MAGIC255, ASN_INTEGER, RWRITE, var_mysecond, 1, {510}}
3198
All that matters is that a given magic number isn't re-used within
3199
the same variable handling routine. The v5 table handlers typically
3200
use an integer variable for holding column information, so aren't
3201
subject to the same limitations.
3203
Though I'd have to question whether having such a wide table is
3204
necessarily a particularly good design strategy!
3208
How can I get the agent to generate a trap (or inform)?
3209
------------------------------------------------------
3211
Generating a trap is reasonably simple - just call one of the
3212
trap API routines 'send_easy_trap()' or 'send_v2trap' with the
3213
relevant information (generic and specific trap values, or a
3214
varbind list respectively). See the 'snmp_trap_api(3)' man page
3217
The 'mib2c.notify.conf' configuration file can be used to
3218
construct a suitable template routine for generating a trap,
3219
including building the variable list from the MIB trap
3220
definition. These variables can then be given suitable values,
3221
before invoking the 'send_v2trap' call to actually send the trap.
3223
Note that these APIs are only available within the agent (or
3224
subagents), and are not available to stand-alone applications.
3225
The code for 'snmptrap' shows an approach to use in such a case.
3227
Determining _when_ to generate the trap (either directly or
3228
via the mib2c-generated routine) is often harder. If the trap
3229
is generated in response to some action within the agent, (e.g.
3230
as the result of a SET), then this isn't too much of a problem.
3232
But if the trap is intended to report on a change of status
3233
(e.g. a network interface going up or down, or a disk filling up),
3234
then actually detecting this is non-trivial. It's necessary to
3235
poll the value(s) on a regular basis, save the results and compare
3236
them with the new values the next time round.
3238
With the v4 UCD agent, this would have to be done manually,
3239
using the routines documented in 'snmp_alarm(3)'. The v5 Net-SNMP
3240
agent has implemented the Distributed Management Event MIB, which
3241
provides this functionality in a flexible, standardised manner.
3242
See the 'snmpd.conf(5)' man page (under DISMAN-EVENT-MIB) for
3243
details (including the need for an 'agentSecName' setting).
3247
What if I'm using an AgentX sub-agent instead?
3248
---------------------------------------------
3250
That doesn't matter - the routines described in 'snmp_trap_api(3)'
3251
can still be used, and the subagent will do the Right Thing.
3253
One of the original design aims of the AgentX support was that this
3254
should be transparent to a MIB module implementer. The agent-module
3255
interface should be independent of the protocol used to receive the
3256
original request. So the exact same MIB module code could be used
3257
within a traditional SNMP-only agent, or an AgentX subagent, with no
3259
In fact, the main agent supplied as part of the package can indeed
3260
be run as an SNMP agent or an AgentX subagent, simply based on command
3261
line flags (or similar configuration options).
3265
How can I register a MIB module in a different (SNMPv3) context?
3266
---------------------------------------------------------------
3268
Contexts are a mechanism within SNMPv3 (and AgentX) whereby
3269
an agent can support parallel versions of the same MIB objects,
3270
referring to different underlying data sets. By default, a MIB
3271
module registrations will use the default empty context of "".
3272
But it's also possible to explicitly register an individual MIB
3273
module using a different context.
3275
With the v4 API, this uses the call 'register_mib_context()'
3276
rather than the REGISTER_MIB macro. This is significantly more
3277
detailed, but most of the additional parameters can take fixed
3278
values, if all that's needed is to change the registration context.
3280
Instead of the macro call:
3281
REGISTER_MIB("my_token", my_variables, variable1, my_variables_oid);
3282
use the function call:
3283
register_mib_context( "my_token",
3284
my_variables, sizeof(variable1),
3285
sizeof(my_variables)/sizeof(variable1),
3287
sizeof(my_variables_oid)/sizeof(oid),
3288
DEFAULT_MIB_PRIORITY, 0, 0, NULL,
3289
"my_context", -1, 0);
3291
Things are much easier with the v5 helper-based API. Having
3292
created the registration structure, this just requires setting the
3293
'contextName' field before actually registering the MIB module:
3294
netsnmp_handler_registration *reg;
3295
reg = netsnmp_create_handler_registration(.....);
3296
reg->contextName = strdup("my_context");
3297
netsnmp_register_handler(reg);
3299
In either case, it will also be necessary to define suitable
3300
access control entries to cover requests using the new context.
3301
This can either list each context explicitly:
3303
access {group} "my_context" any noauth exact ......
3305
or use a single entry to cover all possible contexts:
3307
access {group} "" any noauth prefix ......
3309
But note that *both* steps are required. Changing the access
3310
control settings won't affect the default context used for MIB
3311
registrations, and registering a MIB in a non-default context
3312
won't automatically configure the necessary access control settings.
3319
Why are packets requesting the same information larger with UC-Davis SNMP?
3320
-------------------------------------------------------------------------
3322
This shouldn't happen with version 4.2 or later, but for older
3323
version the following still applies:
3325
Some users note that UCD-SNMP applications always generate larger PDUs
3326
than other SNMP packages, even if the information requested is the same.
3327
Further, there are some agents that refuse PDUs from UCD-SNMP applications
3328
but accept PDUs from other applications.
3330
UCD-SNMP is based on the CMU code from a long time ago which encoded things
3331
using the long form of length encoding. Some agents use the short form
3332
of length encoding only, and do not understand the long form.
3334
This should not be a problem with UCD v4.2 or higher, or the Net-SNMP
3339
What ASN.1 parser is used?
3340
-------------------------
3342
The parser used by both the agent and client programs is coded by hand.
3343
This parser has recently been re-vamped to allow control of which of
3344
the available MIBs should be included, and to handle duplicate object
3346
The source code can be found in the snmplib directory (in 'parse.c'),
3347
and the parser is usually bundled into the library 'libsnmp.a'
3349
Note that the parser attempts to be fairly forgiving of some common
3350
errors and incompatibilities in MIB files. The Net-SNMP tools accepting
3351
a MIB file without complaint does *not* imply that the MIB is strictly
3353
Certain MIBs may need some amendments to allow them to be read
3354
correctly by the parser. Contact the coders' list for advice.
3358
What is the Official Slogan of the net-snmp-coders list?
3359
-------------------------------------------------------
3361
"The current implementation is non-obvious and may need to be improved."
3362
(with thanks to Rohit Dube)
3364
And an alternate, added 26-Apr-2000:
3366
"In theory, it shouldn't be that hard, but it just needs to be done."
added
removed
FAQ
