diff options
Diffstat (limited to 'FAQ')
-rw-r--r-- | FAQ | 4048 |
1 files changed, 4048 insertions, 0 deletions
@@ -0,0 +1,4048 @@ + Frequently Asked Questions (FAQ) for the UCD/Net-SNMP package + ============================================================= + FAQ Author: Dave Shield + Net-SNMP Version: 5.4.3 SVN branch + Net-SNMP/UCD-SNMP Project Leader: Wes Hardaker + Email: net-snmp-coders@lists.sourceforge.net + +TABLE OF CONTENTS +================= + + TABLE OF CONTENTS + GENERAL + What is it? + Where can I get it? + What documentation is available? + Are there binaries available? + What's the difference between UCD-SNMP and Net-SNMP? + What operating systems does it run on? + What happens if mine isn't listed? + Does it run on Windows? + How do I find out about new releases? + How can I find out what other people are doing? + How do I submit a patch or bug report? + Can I reuse the code in my commercial application? + What's the difference between SNMPv1, SNMPv2 and SNMPv3? + What's the difference between SNMPv2 and SNMPv2c? + Which versions of SNMP are supported in this package? + Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)? + How can I monitor my system with SNMP? + Where can I find more information about network management? + What ports does SNMP use? + Is Net-SNMP thread safe? + APPLICATIONS + How do I add a MIB? + How do I add a MIB to the tools? + Why can't I see anything from the agent? + Why doesn't the agent respond? + I can see the system group, but nothing else. Why? + Why can't I see values in the <ENTERPRISE> tree? + The agent worked for a while, then stopped responding. Why? + Requesting an object fails with "Unknown Object Identifier" Why? + Why do I get "noSuchName" when asking for "sysUpTime" (or similar)? + Why do I sometimes get "End of MIB" when walking a tree, and sometimes not? + How do I use SNMPv3? + Why can't I set any variables in the MIB? + Variables seem to disappear when I try to set them. Why? + Why can't I change sysLocation (or sysContact)? + I get an error when trying to set a negative value - why? + I get an error when trying to query a string-indexed table value - why? + How should I specify string-indexed table values? + How do I send traps and notifications? + How do I receive traps and notifications? + How do I receive SNMPv1 traps? + Why don't I receive incoming traps? + My traphandler script doesn't work when run like this - why not? + How can the agent receive traps and notifications? + How big can an SNMP request (or reply) be? + How can I monitor my systems (disk, memory, etc)? + Applications complain about entries in your example 'snmp.conf' file. Why? + OK, what should I put in snmp.conf? + How do I specify IPv6 addresses in tools command line arguments? + PERL + What is the purpose of the Perl SNMP module? + Where can I get the Perl SNMP package? + How do I install the Perl SNMP modules? + But compiling this fails! Why? + Compiling the Perl module works OK, but 'make test' fails. Why? + Why can't mib2c (or tkmib) locate SNMP.pm? + Why can't mib2c (or tkmib) load SNMP.so? + Why can't tkmib locate Tk.pm? + Why does your RPM complain about missing Perl modules? + I've got a problem with the Net-SNMP module. Can you help? + MIBS + Where can I find a MIB compiler? + Why aren't my MIB files being read in? + Where should I put my MIB files? + What does "Cannot find module (XXX-MIB)" mean? + I'm getting answers, but they're all numbers. Why? + What does "unlinked OID" mean? + The parser doesn't handle comments properly. Why not? + How can I get more information about problems with MIB files? + What's this about "too many imported symbols"? + Do I actually need the MIB files? + AGENT + What MIBs are supported? + What protocols are supported? + How do I configure the agent? + How do I remove a MIB from the agent? + I've installed a new MIB file. Why can't I query it? + How do I add a MIB to the agent? + What's the difference between 'exec', 'sh', 'extend' and 'pass'? + What's the difference between AgentX, SMUX and proxied SNMP? + What is the purpose of 'dlmod'? + Which should I use? + Can I use AgentX when running under Windows? + How can I run AgentX with a different socket address? + How can I turn off SMUX support? + How can I combine two copies of the 'mib2' tree from separate subagents? + What traps are sent by the agent? + Where are these traps sent to? + How can I send a particular trap to selected destinations? + When I run the agent it runs and then quits without staying around. Why? + After a while the agent stops responding, and starts eating CPU time. Why? + How can I stop other people getting at my agent? + How can I listen on just one particular interface? + The agent is complaining about 'snmpd.conf'. Where is this? + Why does the agent complain about 'no access control information'? + How do I configure access control? + How do I configure SNMPv3 users? + The 'createUser' line disappears when I start the agent. Why? + What's the difference between /var/net-snmp and /usr/local/share/snmp? + My new agent is ignoring the old snmpd.conf file. Why? + Where should the snmpd.conf file go? + Why am I getting "Connection refused"? + Why can't I see values in the UCDavis 'extensible' or 'disk' trees? + Why can't I see values in the UCDavis 'memory' or 'vmstat' tree? + What do the CPU statistics mean - is this the load average? + How do I get percentage CPU utilization using ssCpuRawIdle? + What about multi-processor systems? + The speed/type of my network interfaces is wrong - how can I fix it? + The interface statistics for my subinterfaces are all zero - why? + Does the agent support the RMON-MIB? + What does "klread: bad address" mean? + What does "nlist err: wombat not found" (or similar) mean? + What does "Can't open /dev/kmem" mean? + The system uptime (sysUpTime) returned is wrong! + Can the agent run multi-threaded? + Can I use AgentX (or an embedded SNMP agent) in a threaded application? + COMPILING + How do I control the environment used to compile the software? + How do I control the environment used to compile the software under Windows? + Why does the compilation complain about missing libraries? + How can I reduce the memory footprint? + How can I reduce the installation footprint or speed up compilation? + How can I compile the project for use on an embedded system? + How can I compile the project to use static linking? + Why does 'make test' skip various tests? + Why does 'make test' complain about a pid file? + CODING + How do I write C code to integrate with the agent? + How does the agent fetch the value of a MIB variable from the system? + Mib2c complains about a missing "mib reference" - what does this mean? + Mib2c complains about not having a "valid OID" - what does this mean? + Why doesn't mib2c like the MIB file I'm giving it? + Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why? + What's the difference between the various mib2c configuration files? + Which mib2c configuration file should I use? + How can I have mib2c generate code for both scalars and tables? + Are there any examples, or documentation for developing MIB modules? + Where should I put the files produced by 'mib2c'? + Why doesn't my new MIB module report anything? + Why does the iterator call my get_{first,next} routines so often? + How can I get the agent to generate a trap (or inform)? + How can I get an AgentX sub-agent to generate a trap (or inform)? + How can I get the agent to send an SNMPv1 (or SNMPv2c) trap? + How can I get the agent to include varbinds with an SNMPv1 trap? + How can I get the agent to send an SNMPv1 enterprise-specific trap? + How can I get the agent to send an SNMPv3 trap (or inform)? + Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)? + How can I register a MIB module in a different (SNMPv3) context? + MISC + What ASN.1 parser is used? + What is the Official Slogan of the net-snmp-coders list? + + +GENERAL +======= + +What is it? +---------- + + - Various tools relating to the Simple Network Management Protocol + including: + + * An extensible agent + * An SNMP library + * tools to request or set information from SNMP agents + * tools to generate and handle SNMP traps + * a version of the unix 'netstat' command using SNMP + * a graphical Perl/Tk/SNMP based mib browser + + This package is originally based on the Carnegie Mellon University + SNMP implementation (version 2.1.2.1), but has developed significantly + since then. + + + +Where can I get it? +------------------ + + Download: + - http://www.net-snmp.org/download/ + - ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/ + Web page: + - http://www.net-snmp.org/ + Sourceforge Project page: + - http://www.net-snmp.org/project/ + Mirrors (note that sourceforge download servers are mirrored themselves): + - US: ftp://ftp.freesnmp.com/mirrors/net-snmp/ + - Greece: ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/ + + +What documentation is available? +------------------------------- + + This FAQ (!) + README and individual READMEs for various platforms + README.thread (discusses threading issues) + INSTALL + PORTING + EXAMPLE.conf + man pages for the individual tools, files and the API + A guide for extending the agent + Tutorials for both ucd-snmp v4 and net-snmp v5 + at http://www.net-snmp.org/tutorial/ + and http://www.net-snmp.org/tutorial-5/ respectively + + Most of this documentation (plus archives of the mailing lists) + is also available on our web page: + + http://www.net-snmp.org/ + + There is also a Wiki (including a community-maintained version + of this FAQ) at + + http://www.net-snmp.org/wiki/ + + + +Are there binaries available? +---------------------------- + + There are binaries for some versions/systems available under + the "net-snmp binaries" package on the SourceForge "Files" + page, which is linked to from the main project download web + page at http://www.net-snmp.org/download.html. + + These binaries are also available on the project FTP site, + with a link on the same web page. + + There is also a mirror at ftp://ftp.freesnmp.org/mirrors/net-snmp/ + + + +What's the difference between UCD-SNMP and Net-SNMP? +--------------------------------------------------- + + Not a great deal, really. + Although the project originally started at UC Davis (hence the name), + and it has always been based there, most of the contributors have had + little or no connection with this institution. + + The move to SourceForge was intended to provide a more flexible + environment for the project, and to distribute the administrative + workload more evenly. The change of name simply reflects this move, + which was the last remaining link with UC Davis. + + The 4.2.x line saw the last releases made using the ucd-snmp name, + and all releases on this line have been been bug-fixes only. Release + 5.0 was the first version released under the Net-SNMP name, and all + further development is being done on the 5.x code base. The 4.2.x + code line is now effectively closed down, as are the older 5.x branches. + + Much of the work done for the various 5.x releases has involved + some fairly significant changes to the code - in particular the + architecture of the agent. However attempts have been made to retain + backwards compatibility as much as possible, and most code written + for earlier releases should continue to work. The most visible + change from the 4.2.x UCD suite to the 5.x Net-SNMP releases was a + restructuring of the header file organisation - not least a change + from <ucd-snmp/xxx.h> to <net-snmp/yyy.h>. + + But given the maturity of the Net-SNMP code, this should be less + of a consideration for most current SNMP development projects. + + + +What operating systems does it run on? +------------------------------------- + + Both the applications and the agent have been reported as running + (at least in part) on the following operating systems: + + * Linux (kernels 2.6 to 1.3) + * Solaris/SPARC (11 to 2.3), Solaris/Intel (10, 9) -- see + README.solaris + * HP-UX (11.31 to 9.01) -- see README.hpux11 + * Mac OS X (10.5 to 10.1) -- see README.osX + * NetBSD (2.0 to 1.0) + * FreeBSD (7.0 to 2.2) + * OpenBSD (4.0 to 2.6) + * BSDi (4.0.1 to 2.1) + * AIX (6.1, 5.3, 5.2, 5.1, 4.3.3, 4.1.5, 3.2.5) -- see README.aix + * IRIX (6.5 to 5.1) + * OSF (4.0, 3.2 and Tru64 Unix 5.1B) -- see README.tru64 + * SunOS 4 (4.1.4 to 4.1.2) + * Ultrix (4.5 to 4.2) + * Dynix/PTX 4.4 + * QNX 6.2.1A + + We have also been informed about a port to the Stratus VOS. + See http://ftp.stratus.com/vos/network/network.html for details. + + See the next question but one for the status of Windows support. + + Certain systems fail to compile particular portions of the agent. + These can usually be persuaded to compile (at the loss of some + functionality) by omitting the modules affected. + See the next question for more details. + + Also note that the presence of a particular configuration in this + list does not imply a perfect or complete implementation. This + is simply what various people have reported as seeming to work. + (Or more frequently, the configurations where people have reported + problems that we think we've subsequently fixed!) + + + +What happens if mine isn't listed? +--------------------------------- + + It's probably worth trying to compile it anyway. Unless your + system is significantly different to the supported configurations, + most of the code (library, applications and the agent infrastructure) + should probably compile with little or no difficulty. The most + likely source of problems will be MIB modules within the agent, + as this tends to be where the most system-specific code is found. + + If only a few modules fail to compile, try removing them from + the agent by running "configure --with-out-mib-module=xxx,yyy", + and re-compiling. If a large number of modules fail, then it + might be easier to start from a relatively bare system, using + "configure --enable-mini-agent --with-defaults". Then if this + minimal agent compiles and runs successfully, try adding each of + the missing mibgroups individually using the configure option + '--with-mib-module'. + + If configure fails with "invalid configuration" messages, or + you get completely stuck, contact the coders list for advice. + Similarly, if you manage to get this working on a new system, + please let us know of any code changes that you needed to make, + together with details of the hardware you're using, and what + versions of the operating system you've tried it on. The entry + 'host' in the file 'config.status' should show this information. + Oh, and congratulations! + + + +Does it run on Windows? +---------------------- + + The suite should compile and run on Win32 platforms, including + the library, command-line tools and the basic agent framework. + Note that the agent now includes support for the MIB-II module, + but this requires Microsoft's Core Platform SDK. Instructions + for how to install this are given in README.win32. + + Pre-compiled binaries are available from the project web site. + + As of v5.4, the Net-SNMP agent is able to load the Windows SNMP + service extension DLLs by using the Net-SNMP winExtDLL extension. + + Some other Net-SNMP MIB modules, including the UCD pass-through + extensions, do not currently work under Windows. Volunteers to assist + with these missing modules are likely to welcomed with open arms :-) + + Further details of Windows support (currently Visual C++, MinGW + and Cygnus cygwin32) is available in the file README.win32. + + + +How do I find out about new releases? +------------------------------------ + + There is a mailing list for these announcements + + net-snmp-announce@lists.sourceforge.net + + To be added to (or removed from) this list, visit + http://www.net-snmp.org/lists/net-snmp-announce/ + Or you can send a message to the address + net-snmp-announce-request@lists.sourceforge.net + with a subject line of 'subscribe' (or 'unsubscribe' as appropriate). + + Advance notice of upcoming releases are also made on the + net-snmp-users list (for "release candidates") for a week + or two before the full release, and on the net-snmp-coders + list (for "pre-releases") during the period prior to this. + + Major code revisions may be announced more widely, but these + lists are the most reliable way to keep in touch with the + status of the package. + + Patches to fix known problems are also made available via the web site: + + http://www.net-snmp.org/patches/ + + + +How can I find out what other people are doing? +---------------------------------------------- + + There is a general purpose discussion list + + net-snmp-users@lists.sourceforge.net + + To be added to (or removed from) this list, visit + http://www.net-snmp.org/lists/net-snmp-users/ + Or you can send a message to the address + net-snmp-users-request@lists.sourceforge.net + with a subject line of 'subscribe' (or 'unsubscribe' as appropriate). + + To find out what the developers are doing, and to help them + out, please read the PORTING file enclosed with the package. + + There is also a #net-snmp IRC channel set up on the freenode.net + chat system. You can connect to this via chat.freenode.net. + See http://www.freenode.net/ for more information on getting + started with IRC. + Several core developers hang out on this channel on a fairly + regular basis. + + + +How do I submit a patch or bug report? +------------------------------------- + + The best way to submit a bug report is via the bug database through + the interface found at + http://www.net-snmp.org/bugs/ + Be sure to include the version of the package that you've been working + with, the output of the command 'uname -a', the precise configuration + or command that triggers the problem and a copy of any output produced. + + Questions about using the package should be directed at the + net-snmp-users@lists.sourceforge.net mailing list. Note that this + mailing list is relatively busy, and the people answering these + questions are doing so out of the goodness of their hearts, and in + addition to their main employment. Please note the following: + + - use plain text mail, rather than HTML + - don't resend questions more than once + (even if no-one answered immediately) + - include full details of exact commands and error messages + ("I've tried everything, and it doesn't work" isn't much use!) + - do *NOT* send messages to -users and -coders mailing lists + (most developers read both anyway) + - don't mail the developers privately - keep everything on the list + + We can't promise to be able to solve all problems, but we'll + certainly try and help. But remember that this is basically an + unsupported package. It's Open Source, so if you need something + fixing badly enough, fundamentally it's up to you to do the work. + + All patches should be submitted to the patch manager at + http://www.net-snmp.org/patches/ + If possible, submit a bug report describing the patch as well + (referencing it by its patch number) since the patch manager + doesn't contain a decent description field. + + The best way to submit patch (diff) information is by checking out + the current code from the development SVN trunk, making your changes + and then running "svn diff" after you're done. + + If you're working from a source code distribution, and comparing old + and new versions of a code file, use "diff -u OLDFILE NEWFILE" + + + +Can I reuse the code in my commercial application? +------------------------------------------------- + + The details of the COPYRIGHTs on the package can be found in the COPYING + file. You should have your lawyer read this file if you wish to use the + code in your commercial application. We will not summarize here what is + in the file, as we're not lawyers and are unqualified to do so. + + + +What's the difference between SNMPv1, SNMPv2 and SNMPv3? +------------------------------------------------------- +What's the difference between SNMPv2 and SNMPv2c? +------------------------------------------------ + + A full description is probably beyond the scope of this FAQ. + Very briefly, the original protocol and admin framework was + described in RFCs 1155-1157, and is now known as SNMPv1. + + Practical experience showed up various problems and deficiencies + with this, and a number of revised frameworks were developed to try + and address these problems. Unfortunately, it proved difficult to + achieve any sort of agreement - particularly over the details of + the administrative framework to use. + + There was less disagreement over the proposed changes to the + protocol operations. These included: + * increasing the range of errors that could be reported + * introducing "exception values" + (so a single missing value didn't affect + the other varbinds in the same request) + * a new GETBULK operation + (a supercharged GETNEXT) + * new notification PDUs + (closer in structure to the other request PDUs) + + Strictly speaking, it's this revised protocol (originally defined + in RFC 1905, and most recently in RFC 3416) that is "SNMPv2". + + The only framework based on this protocol that saw a significant + level of use was "Community-based SNMPv2" or "SNMPv2c" (defined + in RFC 1901). This retained the same administrative framework + as SNMPv1 (with all of the accompanying limitations), but using + the new protocol operations. + + More recently, a new administrative framework has been developed, + building on the various competing SNMPv2 proposals, and using the + same SNMPv2 protocol operations. This is SNMPv3, which is defined + in RFCs 3411-3418. It addresses some of the deficiencies of the + community-based versions, including significant improvements to + the security of SNMP requests (like it finally has some!). + SNMPv3 is now a full IETF standard protocol. + + Strictly speaking, SNMPv3 just defines a fairly abstract framework, + based around the idea of "Security Models" and "Access Control Models". + It's this combination of SNMPv3 plus accompanying models that actually + provides a working SNMP system. + However, the only models in common use are the "User-based Security + Model" (RFC 3414) and the "View-based Access Control Model" (RFC 3415). + So "SNMPv3" is frequently used to mean the combination of the basic + SNMPv3 framework with these two particular models. + This is also sometimes described as "SNMPv3/USM". + + + So in brief: + - SNMPv2c updated the protocol operations + but left the administrative framework unchanged. + - SNMPv3 updated the administrative framework + but left the protocol operations unchanged. + + + +Which versions of SNMP are supported in this package? +---------------------------------------------------- + + This package currently supports the original SNMPv1 (RFC 1157), + Community-based SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418). + The agent will respond to requests using any of these protocols, + and all the tools take a command-line option to determine which + version to use. + + Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) + was dropped with the 4.0 release of the UCD-snmp package. + + + +Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)? +------------------------------------------------------------ + + Yes. + + The syntax used to specify a MIB file (better referred + to as SMIv1 or SMIv2) is purely concerned with how to define + the characteristics of various management objects. This is + (almost) completely unrelated to the versions of the protocol + used to operate on these values. So it is quite reasonable to + use SNMPv1 requests on objects defined using SMIv2, or SNMPv2 + (or SNMPv3) requests on objects defined using SMIv1. + + The one exception is objects of syntax Counter64, which are + only accessible using SNMPv2 or higher. SNMPv1 requests will + either treat such objects as an error, or skip them completely. + + Note that SMIv1 is effectively obsolete, and all new MIBs + should be written using SMIv2. + + + +How can I monitor my system with SNMP? +------------------------------------- + + There are two main methods of using SNMP for monitoring. One is to regularly + query the SNMP agent for information of interest, graphing these values and/or + saving them for later analysis. That's not really the focus of the Net-SNMP + project - our tools are more low-level, single-shot commands. For this sort + of high-level management, you're really looking at a management console + application (such as Nagios or OpenNMS), or a data logging application + (such as RRDtool, or one of its front-ends - MRTG, Cacti, etc). + + The other approach is to configure the SNMP agent to monitor the relevant + information itself, and issue an alert when the values pass suitable limits. + See the section ACTIVE MONITORING in the snmpd.conf(5) man page for details. + + Note that this entry makes no reference as to _what_ you should monitor, or + what values might be significant. That's because it is impossible to provide + a universal answer to these questions. The information to monitor, and the + normal operating values will ultimately depend on your local environment. + SNMP is simply a tool to _help_ you manage your systems - it isn't a magic + panacea - you still have to think for yourself! + + + +Where can I find more information about network management? +---------------------------------------------------------- + + There are a number of sites with network management information on + the World Wide Web. Some of the most useful are + + http://www.simpleweb.org/ + http://www.snmplink.org/ + http://www.mibdepot.com/ + + The SNMP Usenet newsgroup is now mostly defunct, but although the + FAQ hasn't been updated for a while, it still contains a large + amount of useful information relating to SNMP, including books, + software, other sites, how to get an enterprise number, etc, etc. + This is available from + + ftp://rtfm.mit.edu/pub/usenet/comp.protocols.snmp/ + + or via any of the Web sites above. + + + +What ports does SNMP use? +------------------------ + + There are three main network ports (and one named socket), which are + typically used by SNMP. These are: + + - UDP port 161 - SNMP requests (GET* and SET) + - UDP port 162 - SNMP notifications (Traps/Informs) + - TCP port 705 - AgentX + - /var/agentx/master - AgentX + + However, these are simply the default "well-known" ports for these purposes, + and it is perfectly possible to accept requests on other ports. + + + +Is Net-SNMP thread safe? +----------------------- + + Strictly speaking, no. However, it is possible to use the library within + a multi-threaded management application. This is covered in detail in + the file README.thread (shipped with the standard distribution), but can + be summarised as follows: + + - Call 'snmp_sess_init()' prior to activating any threads. + This reads in and parses MIB information (which isn't thread-safe) + as well as preparing a session structure for subsequent use. + + - Open an SNMP session using 'snmp_sess_open()' which returns an + opaque session handle, which is essentially independent of any + other sessions (regardless of thread). + + - Resource locking is not handled within the library, and is the + responsibility of the main application. + + The Net-SNMP agent has not been designed for multi-threaded use. It + should be safe to use the agent library to embed a subagent within a + threaded application as long as *all* SNMP-related activity (including + generating traps, and parsing MIBs) is handled within a single thread. + + The command-line tools shipped as part of the Net-SNMP distribution + are simple single-threaded applications, and are not designed for + multi-threaded use. Adapting these to a threaded model is left as + an exercise for the student. + The same holds true for the notification receiver (snmptrapd). + + Unfortunately, the SNMPv3 support was added about the same time as + the thread support and since they occurred in parallel the SNMPv3 + support was never checked for multi-threading correctness. It is + most likely that it is not thread-safe at this time. + + +APPLICATIONS +============ + +How do I add a MIB? +------------------ + + This is actually two separate questions, depending on whether you + are referring to the tools, or the agent (or both). + See the next question or the next section respectively. + + + +How do I add a MIB to the tools? +------------------------------- + + Adding a MIB to the client-side tools has two main effects: + + - it allows you to refer to MIB objects by name + (rather than having to use the numeric OIDs) + - it allows the results to be displayed in a more immediately + meaningful fashion. Not just giving the object names, but + also showing named enumeration values, and interpreting table + indexes properly (particularly for string and OID index values). + + There are two steps required to add a new MIB file to the tools. + Firstly, copy the MIB file into the appropriate location: + + cp MY-MIB.txt /usr/local/share/snmp/mibs + (which makes it available to everyone on the system) + or + mkdir $HOME/.snmp + mkdir $HOME/.snmp/mibs + cp MY-MIB.txt $HOME/.snmp/mibs + (which makes it available to you only) + + Note that the location of the shared MIB directory may be different + from that given here - see the FAQ entry "Where should I put my MIB + files?" for more information. + + + Secondly, tell the tools to load this MIB: + + snmpwalk -m +MY-MIB ..... + (load it for this command only) + or + export MIBS=+MY-MIB + (load it for this session only) + or + echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf + (load it every time) + + Note that the value for this variable is the name of the MIB + module, *not* the name of the MIB file. These are typically the + same (apart from the .txt suffix), but if in doubt, check the contents + of the file. The value to use is the token immediately before the + word DEFINITIONS at the start of the file. + + Or use the special value "all" to have the tools load all available + MIBs (which may slow them down, particularly if you have a large + number of MIB files. + + Note that you need *both* steps. + + + Adding a MIB in this way does *not* mean that the agent will + automatically return values from this MIB. The agent needs to be + explicitly extended to support the new MIB objects, which typically + involves writing new code. + See the AGENT section for details. + + Most of the tools (apart from 'snmptable') will work quite happily + without any MIB files at all - although the results won't be displayed + in quite the same way. Similarly, the agent doesn't need MIB files + either (other than to handle MIB object names in the configuration file). + + + +Why can't I see anything from the agent? +--------------------------------------- + + Fundamentally, there are two basic reasons why a request may go + unanswered. Either the management application does not like the + request (so never sends it), or the agent does not like the request + (so never responds). The simplest way to distinguish between the + two is to run the command with the command-line option '-d'. + + If this doesn't display a hex dump of the raw outgoing packet, then + it's the client side which is dropping the request. Hopefully you + should also see an error message, to help identify what's wrong. + + If this displays one or more outgoing dumps (but nothing coming back), + then the request is failing at the agent end. See the next entry for + more details. + + + There are three further possibilities to consider: + + One is that the agent may return a response to the original query, + but the management application may not like this response, and refuse + to display it. This is relatively unusual, and typically indicates + a flaw with the remote agent. (I hope you're not contemplating the + suggestion that the Net-SNMP command-line tools might contain bugs!) + + The typical symptoms of this would be that the '-d' option would + display a sequence of sending and received packet dumps, with the + same contents each time. Ask on the mailing list for advice. + + + Alternatively, the agent may simply not support the MIB objects being + requested. This is most commonly seen when using the "snmpwalk" tool + (particularly with SNMPv1). + + The symptoms here would be that '-d' would show two pairs of raw + packet dumps - one a GETNEXT request (A1 in the sending packet), + followed by a GET request (A0). Repeating the same request with the + "snmpgetnext" command-line tool should show the information (if any) + that the agent returned, which was then discarded by snmpwalk as + irrelevant. + + Note that this is how snmpwalk was designed to work. It is not an error. + + + Finally, it may be that the agent is simply taking too long to respond. + The easiest way to test for this is to add the command-line options + "-t 60 -r 0", which will send a single request (with no repetitions) + and wait for a minute before giving up. This ought to be long enough + for all but the most-overloaded agent, or inefficient MIB module! + + If this turns out to be the cause, then ask on the mailing list for + advice on options for improving the performance. + + + +Why doesn't the agent respond? +----------------------------- + + Assuming that the tests outlined in the previous entry indicate that + the problem lies with the agent not responding, the obvious question + is "why not". + + Again, there are two basic possibilities - either the agent never + sees the request, or it receives it but is unwilling (or unable) to + process it. If the remote system is running the Net-SNMP agent, + then the easiest way to distinguish between these two cases is to + shut down the agent, and re-start it manually using the options + -f -Le -d + Then send the same query as before. This should display raw dumps of + packets seen (or sent) by the agent, just as with the client side in + the previous entry. + + + If the agent does not display anything, then it is simply not receiving + the requests. This may be because they are being blocked by network + or local firewall settings ('iptables -L'), or the agent may not be + listening on the expected interfaces ('netstat -a'). + + This is most commonly encountered when running queries from a remote + host, particularly if the same request succeeds when run on the same + system as the agent itself. + + + If the agent displays a dump of the incoming request, but nothing going + out, then the most likely cause is access control settings. See the + relevant entries in the AGENT section for details. Note that if the agent + receives an SNMPv1 or SNMPv2c request with a unknown community string, + then it will not return an error response - the request is simply discarded. + + Another possibility is that the request may be rejected by settings in + /etc/hosts.{allow,deny}. Again, '-d' will display an incoming packet + dump but no corresponding outgoing response. However in this situation, + the agent should also log a message that the request is being refused. + + + Running the agent with '-d' can also help identify situations where the + agent *is* responding to the request, but only after a long delay. This + would be indicated by a series of incoming packet dumps (showing various + retries from the client side), followed by several outgoing dumps - possibly + long after the client tool has given up in disgust. + See the entry + The agent worked for a while, then stopped responding. Why? + later in this section. + + + +I can see the system group, but nothing else. Why? +-------------------------------------------------- + + This is almost definitely due to the access configuration of the agent. + Many pre-configured systems (such as most Linux distributions) will only + allow access to the system group by default, and need to be configured + to enable more general access. + + The easiest way to test this is to try a GETNEXT request on one of + the other standard groups + e.g. + snmpgetnext ..... interfaces + + If the agent responds with "hrSystemUptime.0" or "end of MIB", then it + is clearly configured in this way. See the entries on access control + in the AGENT section for more information. + + + +Why can't I see values in the <ENTERPRISE> tree? +----------------------------------------------- + + If you can see most of the standard information (not just the system and + hrSystem groups), but not in the vendor-specific 'enterprises' tree, then + once again there are several possible causes. + + Firstly, it's possible that the agent does not implement this particular + enterprise tree. Remember that adding a MIB to the client tools does + *not* automatically add support for these object to the agent. See the + AGENT section for more information. + + + Alternatively, it may be that the agent does implement some or all of this + enterprise tree, but the access control settings are configured to block + access to it. + + The simplest way to checks whether the agent implements a given portion + of the OID tree is to run + + snmpwalk .... nsModuleName + + and look for index values that fall in the area of interest. + (Always assuming that you have access to this particular section + of the Net-SNMP enterprise tree, of course!) + + Checking the access control settings can be done by examining the tables + vacmAccessTable and vacmViewTreeFamilyTable. Note that these are used + to configure access control for *all* versions of SNMP - not just SNMPv3. + + + The third possibility is that simply isn't any information in the specified + tree. For example, several of the tables in the UCDavis enterprise tree + (such as prTable, extTable, dskTable and fileTable) require explicit + configuration in the snmpd.conf file. If you query this particular tables + without the necessary configuration entries, then they will be empty. + + + Finally, if you can't see anything from *any* enterprise-specific tree, + then this may be down to how you are asking for the information. By + default, if "snmpwalk" is run without an explicitly starting OID, then + it will display the contents of the 'mib-2' tree, containing most of the + IETF-standard management information supported by the agent. + + When the agent reaches the end of this tree, it will return the first + enterprise-specific value, 'snmpwalk' will recognise that this marks the + end of the (implicit) requested tree, and stop. No enterprise-specific + information will be displayed. + + To walk the whole tree, and see *all* the information that the + agent supports, specify a starting point of '.iso' or '.1'. + To walk a specific enterprise subtree, specify the root of this tree + as the starting point - e.g: + + snmpwalk -v1 -c public localhost UCD-SNMP-MIB::ucdavis + + There is more information about particular UCD-specific subtrees in + the AGENT section. + + + +The agent worked for a while, then stopped responding. Why? +----------------------------------------------------------- + + There are three basic possibilities: + - the agent has crashed + - it is hanging + - it is temporarily overloaded + + Detecting whether the agent has crashed should be fairly straighforward. + If you can reliably reproduce this crash (e.g. by sending a particular + SNMP request), then contact the coders list for advice. + It's the other two cases that are probably more significant. + + To tell the difference between these two, try leaving the agent + undisturbed for a while, and then probe it using a single 'snmpget' + request, specifying a longer timeout (e.g. '-t 120'). If it now + responds, then something was probably sending requests (including + duplicate retries) faster than the agent could process them, and it + was building up a backlog. Try adjusting the timeout period and retry + frequency of these client requests, or look at improving the efficiency + of the implementation of the relevant MIB objects. + + If the agent remains unresponsive (particularly if the load on the + system is steadily climbing), then it's probably hanging, and all + you can really do is restart the agent. If you can identify what + causes this to happen, then contact the coders list for advice. + + + +Requesting an object fails with "Unknown Object Identifier" Why? +---------------------------------------------------------------- + + If a general snmpwalk shows a particular entry, but asking for it more + specifically gives a "sub-identifier not found:" or "Unknown Object + Identifier" error, then that's a problem with the tool, rather than + the agent. + + Firstly, make sure that you're asking for the object by the right name. + Object descriptors are case-sensitive, so asking for 'sysuptime' will + not be recognised, but 'sysUpTime' will. + + Alternatively, the object may be defined in a MIB that hasn't been + loaded. Try loading in all the MIB files: + + snmpget -m ALL -v1 -c public localhost sysUpTime.0 + + or specify the name of the appropriate MIB explicitly: + + snmpget -v1 -c public myhost SNMPv2-MIB::sysUpTime.0 + + Note that this uses the name of the *module*, not the name of the file. + However, if 'snmpwalk' displays the object by name, this is unlikely to + be the cause, and you should look closely at the exact object name you + are using. In particular, see the next entry. + + + +Why do I get "noSuchName" when asking for "sysUpTime" (or similar)? +------------------------------------------------------------------ + + Assuming that you do have access to this object, the most likely cause + is forgetting the instance subidentifier. + + If you try walking the 'system' group (or any other part of the MIB tree), + you should notice that all of the results have a number after the object + name. This is the "instance subidentifier" of that particular MIB instance. + + For values in tables (such as the sysORTable), this acts as an index into + the table - a very familiar concept. But *all* SNMP values will display an + instance number, whether or not they are part of a table. For non-table + objects ("scalars"), this instance subidentifier will always be '0', + and it *must* be included when making a GET request. + + Compare the following: + + $ snmpget -v1 -c public localhost sysUpTime + Error in packet + Reason: (noSuchName) There is no such variable name in this MIB. + This name doesn't exist: system.sysUpTime + + $ snmpget -v1 -c public localhost sysUpTime.0 + system.sysUpTime.0 = Timeticks: (69189271) 8 days, 0:11:32.71 + + This is a little less obscure when using SNMPv2c or v3 requests: + + $ snmpget -v 2c -c public localhost sysUpTime + system.sysUpTime = No Such Instance currently exists + + + +Why do I sometimes get "End of MIB" when walking a tree, and sometimes not? +-------------------------------------------------------------------------- + + This depends on which MIB modules are supported by the agent you are + querying and exactly what you're asking for. + + Note that a tree is walked by repeatedly asking for "the next entry" until + all the values under that tree have been retrieved. However, the agent has + no idea that this is what's happening - all it sees is a request for "the + next entry after X". + + If the object X happens to be the last entry in a sub-tree, the agent will + provide the next object supported (as requested) even though this will be + in a different subtree. It's up to the querying tool to recognise that + this last result lies outside the area of interest, and simply discard it. + + If the object X happens to be the last entry supported by the agent, it + doesn't have another object to provide, so returns an "end of MIB" + indication. The Net-SNMP tools report this with the message above. + + But in either case, the actual information provided will be the same. + + + +How do I use SNMPv3? +------------------- + + The simplest form of SNMPv3 request is unauthenticated and unencrypted + (noAuthNoPriv). It simply requires a user name, and would look something + like: + + snmpget -v 3 -l noAuthNoPriv -u dave localhost sysUpTime.0 + + However this approach foregoes the security protection which is the + main advantage of using SNMPv3 (and the agent must also be explicitly + configured to allow unauthenticated requests from that user). + + The most common form of SNMPv3 request is authenticated but not encrypted + (authNoPriv). This specifies the pass phrase to authenticate with: + + snmpget -v 3 -l authNoPriv -u dave -A "Open the Door" + localhost sysUpTime.0 + + A fully secure (i.e. encrypted) request (authPriv) would also specify + the privacy pass phrase: + + snmpget -v 3 -l authPriv -u dave -A "Open the Door" + -X "Bet you can't see me" localhost sysUpTime.0 + + In practise, most of these would probably be set via configuration + directives in a personal $HOME/.snmp/snmp.conf file (note, *not* the + agent's snmpd.conf file). + The equivalent settings for the third example would be: + + defSecurityName dave + defSecurityLevel authPriv + defAuthPassphrase "Open the Door" + defPrivPassphrase "Bet you can't see me" + + If the AuthPassphrase and the PrivPassphrase are the same, then you + can use the single setting + defPassphrase "Open the Door and see me" + instead. + + See the AGENT section for how to configure the agent for SNMPv3 access. + + + +Why can't I set any variables in the MIB? +---------------------------------------- + + There are three possible reasons for this: + + Many MIB objects are defined as "read-only" and inherently cannot be + changed via SET requests. Attempts to do so will typically be rejected + by the 'snmpset' command without ever being sent to the agent. + + Of those objects that can in principle be changed, the agent may not + include the code necessary to support SET requests. (GET and GETNEXT + are much easier to handle - particularly for objects relating to the + internals of the underlying operating system). + + Even if SET support has been implemented, the agent may not be configured + to allow write access to this object. + + Ready-installed distributions (such as those shipped with Linux) tend + to be configured with read-only access to part of the mib tree (typically + just the system group) and no write access at all. + + To change this, you will need to set up the agent's access control + configuration. See the AGENT section for more details. + + Note that neither the community string "public" nor "private" can be + used to set variables in a typical default configuration. + + + +Variables seem to disappear when I try to set them. Why? +-------------------------------------------------------- + + This is actually the same as the previous question - it just isn't + particularly obvious, particularly when using SNMPv1. A typical + example of this effect would be + + $ snmpget -v1 -c public localhost sysLocation.0 + sysLocation.0 = somewhere nearby + + $ snmpset -v1 -c public localhost sysLocation.0 s "right here" + Error in packet. + Reason: (noSuchName) There is no such variable name in this MIB. + This name doesn't exist: sysLocation.0 + + Trying the same request using SNMPv2 or above is somewhat more informative: + + $ snmpset -v 2c -c public localhost sysLocation.0 s "right here" + Error in packet. + Reason: notWritable + + The SNMPv1 error 'noSuchName' actually means: + + "You can't do that to this variable" + + rather than "this variable doesn't exist". + It may be the case that it doesn't exist at all. It may exist but you + don't have access to it (although different administrative credentials + might be accepted). Or it may exist, but you simply can't perform that + particular operation (e.g. changing it). + Similarly, the SNMPv2 error 'notWritable' means "not writable in this + particular case" rather than "not writable under any circumstances". + + If you are sure that the object is both defined as writable, and has been + implemented as such, then you probably need to look at the agent access + control. See the AGENT section for more details. + But see the next entry first. + + + +Why can't I change sysLocation (or sysContact)? +---------------------------------------------- + + There is one final possibility to consider for why a SET request might + be rejected. + + The values for certain MIB objects (including 'sysLocation' and 'sysContact') + can be configured via the snmpd.conf file. If this is done, then these + particular objects become read-only, and cannot be updated via SET commands, + even if the access control settings would otherwise allow it. + + This may seem perverse, but there is good reason for it. If there is a + configuration setting for one of these objects, then that value will be + used whenever the agent re-starts. If the object was allowed to be updated + using SET, this new value would be forgotten the next time the agent was + re-started. + + Hence the Net-SNMP agent rejects such requests if there's a value configured + via the 'snmpd.conf' file. If there isn't such a config setting, then the + write request will succeed (assuming suitable access control settings), and + the new value will be retained the next time the agent restarts. + + + +I get an error when trying to set a negative value - why? +-------------------------------------------------------- + + This is a different problem. What's happening here is that the + routine that parses the arguments to the 'snmpset' command is seeing + the '-' of the new value, and treating it as a command-line option. + This normally generates an error (since digits typically aren't valid + command line options). + + The easiest way to solve this is include the "end-of-option" + indicator '--' in the command line, somewhere before the new value + (but after all of the options, obviously). For example: + + snmpset -v 2c -c public localhost -- versionRestartAgent.0 i -1 + + (This command will still fail, since -1 isn't an acceptable value for + this particular object, but that's not the point here!) + + + +I get an error when trying to query a string-indexed table value - why? +---------------------------------------------------------------------- + + The Net-SNMP library will normally try to interpret string-based + index values, and display them in a meaningful manner: + + $ snmpgetnext .... vacmGroupName + vacmGroupName.3."dave" = theWorkers + + The command-line tools will also accept string-valued indexes within + an OID, and convert them into the appropriate numeric form before + sending an SNMP request. However the Unix shell will typically + swallow the quotes around the string index value, before the SNMP + tools can get a chance to interpret them. + + The answer is to escape the quotes, to protect them from the shell, + and allow them to be passed through to the OID parser: + + snmpget .... vacmGroupName.3.\"dave\" + or + snmpget .... 'vacmGroupName.3."dave"' + + + Another alternative is to avoid trying to specify the index value as + a string, and provide the numeric subidentifiers directly: + + snmpget .... vacmGroupName.3.4.100.97.118.101 + + (where '3' indicates SNMPv3, '4' is the length of the string index, + followed by the ASCII values of the individual characters). + + The command-line option '-Ob' will display the results of querying + a string-indexed table in this format: + + $ snmpgetnext -Ob .... vacmGroupName + vacmGroupName.3.4.100.97.118.101 = theWorkers + + + +How should I specify string-indexed table values? +------------------------------------------------ + + There's one other aspect of string-indexed tables that can cause + problems - the difference between implicit- and explicit-length + strings, and how to represent these when making an SNMP query. + + The most common style of string index uses an explicit length, + followed by the individual ASCII character values: + + "dave" = 4.'d'.'a'.'v'.'e' + + (as shown in the previous entry). + + However if the string index is defined in the MIB file as IMPLIED + (or if it has a fixed length, such as a physical ethernet address), + then the length subidentifier is omitted, and the index simply + consists of the character values: + + "dave" = 'd'.'a'.'v'.'e' + + Note that IMPLIED index objects can only appear as the *last* index + for a table. + + The Net-SNMP library uses double quotes (i.e. "dave) to indicate an + explicit length string index value, and single quotes (i.e. 'dave') + to indicate an implicit length one. If you use the wrong style of + quotes, then the resulting OID will be incorrect, and you'll get + confusing results to your query. + + + +How do I send traps and notifications? +--------------------------------------- + + Traps and notifications can be sent using the command 'snmptrap'. + The following examples generate the generic trap 'warmStart(1)' and a + (dummy) enterprise specific trap '99' respectively: + + snmptrap -v 1 -c public localhost "" "" 1 0 "" + snmptrap -v 1 -c public localhost "" "" 6 99 "" + + The empty parameters "" will use suitable defaults for the relevant + values (enterprise OID, address of sender and current sysUptime). + + An SNMPv2 or SNMPv3 notification (either trap or inform) takes + the OID of the trap to send: + + snmptrap -v 2c -c public localhost "" UCD-SNMP-MIB::ucdStart + snmptrap -v 2c -c public localhost "" .1.3.6.1.4.1.2021.251.1 + + (These two are equivalent ways of specifying the same trap). Again, + the empty parameter "" will use a suitable default for the relevant + value (sysUptime). + + Any of these commands can be followed by one or more varbinds, + using the same (OID/type/value) syntax as for 'snmpset': + + snmptrap -v 2c -c public localhost "" ucdStart sysContact.0 s "Dave" + + Generating traps from within the agent, or other applications, is + covered in the AGENT and CODING sections. + + You should also read the snmptrap tutorial at + http://www.net-snmp.org/tutorial-5/commands/snmptrap.html + which will help you understand everything you need to know about traps. + + + +How do I receive traps and notifications? +---------------------------------------- + + Handling incoming traps is the job of a "notification receiver". + The Net-SNMP suite include the tool 'snmptrapd' to act in this role. + This can log traps to a file or via the syslog mechanism, forward them + to another notification receiver and/or invoke a specified command + whenever a particular notification is received. + + Logging notifications would be done by starting snmptrapd as: + snmptrapd -Ls 7 (log to syslog using 'LOCAL7') + or + snmptrapd -f -Lo (log to standard output) + + Invoking a command to process a received notification uses one or + more 'traphandle' directives in the configuration file 'snmptrapd.conf'. + A typical configuration might look something like: + + traphandle .1.3.6.1.6.3.1.5.1 /path/to/page_me up + traphandle .1.3.6.1.4.1.2021.251.1 /path/to/page_me up + traphandle .1.3.6.1.4.1.2021.251.2 /path/to/page_me down + traphandle default /path/to/log_it + + where 'page_me' and 'log_it' are the commands to be run. + + Forwarding notifications to another receiver would be done using + similar 'snmptrapd.conf' directives: + + forward .1.3.6.1.4.1.8072.4.0.3 10.0.0.1 + forward default 10.0.0.2 + + There's a tutorial with more details on the web site at + http://www.net-snmp.org/tutorial-5/commands/snmptrap.html + + + +How do I receive SNMPv1 traps? +----------------------------- + + Directives in the 'snmptrapd.conf' file use the (SNMPv2) snmpTrapOID + value to identify individual notifications. This applies to *all* + versions of SNMP - including SNMPv1 traps. See the co-existence spec + (RFC 2576) for details of mapping SNMPv1 traps to SNMPv2 OIDs. + + Note that the first traphandle directive in the previous entry uses + the OID corresponding to the SNMPv1 'coldStart' trap. + + + +Why don't I receive incoming traps? +---------------------------------- + + Starting with net-snmp 5.3, snmptrapd will no longer automatically + accept all incoming traps. It must be configured with authorized + SNMPv1/v2c community strings and/or SNMPv3 users. Non-authorized + traps/informs will be dropped. + Please refer to the snmptrapd.conf(5) manual page for details. + + + +My traphandler script doesn't work when run like this - why not? +--------------------------------------------------------------- + + If a traphandler script works fine when run manually from the + command line, but fails or generates an error when triggered by + an incoming notification, then there are two likely causes. + + Firstly, the interactive shell environment may not be precisely + the same as that for programs executed by the snmptrapd daemon. + In particular, it's quite possible that the PATH environmental + variable may not include all the additional directories that are + commonly set up for a personal login configuration. To avoid this + problem (particularly for traphandler shell scripts), it's worth + giving the full path to all programs used within the script. + + Secondly, the snmptrapd daemon may not always recognise the + appropriate interpreter to use for a particular trap handler. + If this is the case, then you can specify this interpreter + explicitly as part of the trap handle directive: + + traphandle default /usr/bin/perl /usr/local/bin/log_it + + In this case, it's almost certain that you'll also + need to give the full path to the traphandle script (as shown) + + + +How can the agent receive traps and notifications? +------------------------------------------------- + + It can't. + + The primary purpose of an SNMP agent is to handle requests for + information from management applications. In SNMP terminology, + it acts as a "command responder". + + It may also issue traps to report significant events or conditions + ("notification generator"). But responding to such notifications + is a significantly different role, and this is handled by a separate + application ('snmptrapd'). Note that it is perfectly possible (even + normal) for both agent and trap receiver to run on the same host. + + + +How big can an SNMP request (or reply) be? +----------------------------------------- + + The protocol definition specifies a "minimum maximum" packet size + (484 bytes for UDP), which all systems must support, but does not + attempt to define an upper bound for this maximum size. This is left + to each individual implementation. + + The UCD software used a fixed size buffer of 1472 bytes to hold the + encoded packet, so all requests and responses had to fit within this. + The Net-SNMP releases handle packet buffers rather differently, and + are not subject to the same fixed restrictions. + + + +How can I monitor my systems (disk, memory, etc)? +------------------------------------------------ + + In general, the Net-SNMP suite consists of relatively low-level + tools, and there is nothing included that is designed for high-level, + long-term monitoring of trends in network traffic, disk or memory + usage, etc. + + There are a number of packages available that are designed for this + purpose. Two of the most widely used are MRTG (http://www.mrtg.org/) + and RRDtool (http://oss.oetiker.ch/rrdtool/). There are also several + frontends built on top of RRDtool, including Cacti (http://www.cacti.net/) + and Cricket (http://cricket.sourceforge.net/). There are details of + how to set up Cricket to monitor some of the UCD extensions at + http://www.afn.org/~jam/software/cricket/ + + We have also set up a page that describes in detail how MRTG + can be set up to monitor disk, memory and cpu activity at + http://www.net-snmp.org/tutorial-5/mrtg/index.html + + There is also a web-based network configuration system "Net-Policy", + based upon SNMP. This is not strictly connected to the Net-SNMP project, + but a number of the core developers are also involved with that system. + See http://net-policy.sourceforge.net for more details. + + + +Applications complain about entries in your example 'snmp.conf' file. Why? +-------------------------------------------------------------------------- + + There *is* no example 'snmp.conf' shipped with the standard distribution. + + The configuration file 'EXAMPLE.conf' is designed as a config for + the agent, and should be installed as 'snmpd.conf' (note the 'd'). + The file 'snmp.conf' is intended for general configuration options, + applicable to all applications (via the SNMP library). + Rename (or merge) the 'snmp.conf' file to 'snmpd.conf', and this + should fix the problem. + + See the AGENT section or the 'snmpd.conf(5)' man page for more information + about what should go in this file. + + + +OK, what should I put in snmp.conf? +---------------------------------- + + This is used to set common configuration values for most of the + applications, to avoid having to specify them every time. Examples + are the SNMPv3 settings mentioned above, defaults for which MIBs to + load and where from (see the second entry in this section), + and the default SNMP version, port and (if appropriate) community + string to use. + + Some of these (such as MIB information), might be best put in a + shared snmp.conf file (typically /usr/local/share/snmp/snmp.conf or + /etc/snmp/snmp.conf) to apply to all users of the system. Others + (particularly the SNMPv3 security settings), are more likely to refer + to a particular user, and should probably go in a personal snmp.conf + file (typically $HOME/.snmp/snmp.conf). + + See 'snmpget -H' and/or the snmp.conf(5) man page for more details. + + You can also use the "snmpconf" command to help you generate your + snmp.conf configuration file (just run it and answer its questions). + + + +How do I specify IPv6 addresses in tools command line arguments? +--------------------------------------------------------------- + + IPv6 addresses pose a particular problem for the Net-SNMP command + line tools, which parse host names into pieces. In particular, normally + if you specify a simple host name, it assumes you want UDP in IPv4 on + port 161. By default, these two commands are actually the same: + + snmpget 127.0.0.1 sysUpTime.0 + snmpget udp:127.0.0.1:161 sysUpTime.0 + + However, for IPv6 this causes a problem because IPv6 addresses also use + a colon to separate addressing parts. Thus you need to enclose the address + in square brackets ( [ and ] ). + Because most shells use these brackets too, you also likely need to quote it: + + snmpget 'udp6:[::1]:161' sysUpTime.0 + + + +PERL +==== + +What is the purpose of the Perl SNMP module? +------------------------------------------- + + Short, comprehensive (but ultimately unhelpful) anwer - to provide a + perl interface for SNMP operations. + + Longer, incomplete (but more useful) answer - there are probably two + main uses for the Perl SNMP module. The first is for developing client + management applications, using perl to send SNMP requests, and manipulating + or displaying the results. As such, this is a straight alternative to + various other SNMP toolkits currently available (for both perl and other + programming languages). + + The second is as a means for extending the functionality of the Net-SNMP + agent, by implementing new MIB modules. This is an alternative to the + other script-based extension mechanisms, but is more tightly bound to the + Net-SNMP agent (and hence more efficient), while still avoiding the need + to write C code. + + It is also possible to use the perl SNMP module in the snmpd.conf file, + or to process incoming notifications, but the above are probably the + two primary uses. + + + +Where can I get the Perl SNMP package? +------------------------------------- + + Joe Marzot's excellent Perl 'SNMP' module, is included in the Net-SNMP + source releases. It can be found located in the perl/SNMP subdirectory + of the source tree. This is accompanied by a number of Perl modules + grouped together under the NetSNMP namespace. + + The basic SNMP module (though not the NetSNMP additions), can also + be found at any Comprehensive Perl Archive Network (CPAN) mirror site, + under modules/by-module/SNMP. To find the CPAN site nearest you, + please see http://www.cpan.org/SITES.html. + + These Perl modules need to be used in conjunction with a compatible + version of the Net-SNMP library. Consult the README file in the SNMP + Perl distribution to find out which version of the library it needs. + + + +How do I install the Perl SNMP modules? +-------------------------------------- + + Assuming you have a reasonably new (and properly configured) Perl system, + this should be simply: + + cd perl + perl Makefile.PL + (press RETURN when prompted for host and community) + make + make test + make install (probably as root) + + + It might be possible to install the basic module using + + perl -MCPAN -e shell ; "install SNMP" + + but this has not been reliably tested, and very much relies on + having the correct version of the Net-SNMP library. + + There may also be appropriate pre-compiled versions of the Perl modules + available from the Net-SNMP project website, or your O/S vendor. + + + +But compiling this fails! Why? +----------------------------- + + The Perl module tends to delve quite deeply into the internals of the + main Net-SNMP library, and so is quite sensitive to changes within the + library. It's important to use the correct version of the module, that + corresponds to the version of the library you have installed. If you're + working with a Net-SNMP source distribution, the appropriate versions of + the Perl modules are shipped as part of the source code, but you *must* + have run "make install" on the main Net-SNMP distribution *first*. + + If you're working with a ready-installed version of the library, make + sure you obtain a compatible version of the Perl module. + + Note that the Perl modules will be compiled using the compiler + (and compiler settings) used for compiling the original perl binary, + *not* those used for compiling the Net-SNMP (or UCD) library. + If these are different (e.g. 'gcc' used for one and 'cc' for the other) + then this may well cause problems. It's much safer to use a consistent + environment for both. This issue is discussed in greater detail in + the README.solaris file. + + Also note that the v5 Net-SNMP suite *must* be configured to provide + shared libraries in order for the Perl modules to work correctly. This + is not necessary with the v4 UCD-SNMP libraries. + + + +Compiling the Perl module works OK, but 'make test' fails. Why? +-------------------------------------------------------------- + + That's difficult to answer in general. + Some of the Perl tests are rather picky, so this may simply be + some minor inconsistency between your precise setup, and the + expectations of the test environment. + + Check that you are working with the Perl distribution that matches + the SNMP libraries (use the 'perl/SNMP' in preference to CPAN), and + that you have installed the main libraries successfully (uninstall + any old versions if you're having trouble). + + If all this looks OK, and if most of the tests pass, then it's + probably safe to run 'make install' anyway. Probably. + + + +Why can't mib2c (or tkmib) locate SNMP.pm? +----------------------------------------- + + That's probably because the SNMP Perl module hasn't been installed. + It's not part of the standard Perl distribution, nor is it included + in the default Fedora Linux installation (for example). + You'll need to install it yourself. + + See the second entry in this section. + + + +Why can't mib2c (or tkmib) load SNMP.so? +--------------------------------------- + + This is probably the same problem. Either the SNMP module + hasn't been installed, or it's the wrong version. See the + previous questions. + + + +Why can't tkmib locate Tk.pm? +---------------------------- + + Tk.pm is another Perl package that needs to be installed before tkmib + will run. It's also available on Perl CPAN. We suggest using version + "Tk800.011" or later. It can be installed by issuing the command: + + perl -MCPAN -e shell ; "install Tk" + + + +Why does your RPM complain about missing Perl modules? +----------------------------------------------------- + + This has been particularly noted on RedHat 9, complaining about the + module "perl(Term::ReadKey)" - even if this is actually present (e.g. + having been installed directly from CPAN). In fact, this is not + specific to Perl modules - the same issue can potentially arise with + other RPM dependencies. + + The problem is that the RPM mechanism keeps a local database of what + software packages have been installed, and checks this for any other + features that this RPM requires. If software is installed "manually" + rather than via rpm packages, then it will not appear in this database. + Attempting to install another RPM that rely on this functionality will + then complain about the "missing" package, because the RPM system doesn't + know that's it's actually available. + + The ideal solution is to *always* install software using a consistent + mechanism (which may involve building RPMs locally, or looking for a + suitable pre-built version). + + Failing this, it's possible to tell the "rpm" command to ignore such + dependencies, and install the package anyway. Try: + + rpm -i --nodeps {package} + + In this situation, it's then up to you to make sure that any other + necessary packages *are* actually present on the system. + + + +I've got a problem with the Net-SNMP module. Can you help? +---------------------------------------------------------- + + Sorry, despite the similar-sounding name, the Net-SNMP (or Net::SNMP) + module is nothing to do with this package, or the NetSNMP modules. + Net::SNMP is a "pure-perl" implementation of SNMP support, developed + by David Town. The developers of the (C-based) Net-SNMP suite do + not have any significant experience in using this particular module, + and you'll probably be better off asking for help via CPAN or some + other perl-related forum. + + + +MIBS +==== + +Where can I find a MIB compiler? +------------------------------- + + That depends what you mean by a "MIB compiler". There are at least two + types of tool that are commonly referred to by this name. + + The first is a tool to check MIB files for validity. With the Net-SNMP + software, this functionality is mostly integrated within the MIB parser, + and hence included in all the applications. The tool 'snmptranslate' is + probably the most appropriate for this purpose. + + Note that the parser is fairly forgiving (see 'What ASN.1 parser is used' + below), so this should not be regarded as a stamp of approval. For a + more rigourous validation, use a tool such as 'smilint', or the on-line + interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/ + + The second type of "MIB compiler" is one to turn a MIB specification + into C code, specifically one designed to aid agent implementation. The + command 'mib2c' is an example of such a tool for the Net-SNMP agent. + See the CODING section for more information. + + + +Why aren't my MIB files being read in? +------------------------------------- + + There are two basic likely causes - either the library isn't attemping to + load these particular MIB files, or it's trying to load them but can't + locate them. + + By default, the Net-SNMP library loads a specific subset of MIB files. + This list is set when the suite is first configured and compiled, and + basically corresponds to the list of modules that the agent supports. + (This is a simplification, but is a reasonable first approximation). + + In order to load additional MIB files, it is necessary to add them to this + default list. See the FAQ entry "How do I add a MIB to the tools?" for + more information about how to do this. + + + Alternatively, the tools may be looking in the wrong place. The directory + where the library looks for MIB files is also set when the software is + first configured and compiled. If you put new MIB files in the wrong + location, then the library won't be able to find them (and will complain). + + This problem may arise when switching from a vendor-supplied distribution + to one compiled from source (or vice versa). + See the next entry for more information. + + + +Where should I put my MIB files? +------------------------------- + + If you've compiled the package from source (or are using binaries + from the project website), then you should probably put new MIB + files in the directory /usr/local/share/snmp/mibs + + If you are using vendor-supplied binaries, then the MIB files + may well be located somewhere else (e.g. /usr/share/snmp/mibs, + /opt/snmp/mibs, or /etc/sma/snmp/mibs). Have a look for where + existing MIB files are installed, and try adding your MIBs to + the same directory. + + If you compiled the source yourself, but specified a different + --prefix value when running configure, then the location of the + MIB directory will be {prefix}/share/snmp/mibs. + + If you're still not sure where to put your MIB files, try running + the command + + snmpget -Dparse-mibs 2>&1 | grep directory + + This will display the location(s) where the library is looking + for MIB files. + + + +What does "Cannot find module (XXX-MIB)" mean? +--------------------------------------------- + + If this error is only generated for one or two modules, then it's + likely that the named modules are not being found - perhaps they're + not installed in the correct location, are not readable, or the + name being used is incorrect. See the previous entries and the entry + "How do I add a MIB to the tools?" for more details. + + Note that the name reported is the name of the MIB *module*, which is + not necessarily the same as the name of the file. + + + If there are a large number of such errors, then it's more likely + that either the MIB files haven't been installed at all. If you are + compiling from source, then it is necessary to run "make install" in + order to set up the full run-time environment. + + Otherwise, see the previous entry to check whether the MIBs are installed + in the correct location for the tools to find them. + + + +I'm getting answers, but they're all numbers. Why? +------------------------------------------------- + + This is related to the previous questions. Remember, the results that + you receive from an agent do not depend on which MIBs are loaded by the + client tools - purely on how the agent was compiled and configured. + + Because the tools don't necessarily read in every MIB file they can find + (and the relevant MIB file may not be available anyway), it is quite + possible for results from an agent to refer to modules that have not + been loaded (particularly with GETNEXT requests, or when walking a tree). + + The results will be reported correctly, but won't be translated to use + named identifiers (or display the values in the most appropriate manner). + To fix this, add the missing MIB files to the list of MIBs to be loaded. + See the previous entries and the entry "How do I add a MIB to the tools?" + for more information. + + + +What does "unlinked OID" mean? +----------------------------- + + This means that the library has been able to find the MIB module, + and parse the individual objects defined in it, but is having problems + linking them together into a consistent tree. In particular, it + can't find an object corresponding to the name within the braces + (i.e. the 'xxx' in '{xxx 99}'). + + This is probably due either to a typo in this name (remember that + names are case sensitive, so a reference to 'xxx' will *not* match + a definition of 'Xxx'), or else the name is defined in another MIB + file, and this dependency is missing from the IMPORT clause of this + MIB file. + + + +The parser doesn't handle comments properly. Why not? +---------------------------------------------------- + + The way that comments are handled in a MIB file is subtly different + to the equivalent syntax in most typical programming languages, and + this difference can catch out the unwary. In particular, there are + two common situations which can lead to problems. + + The first scenario is where the MIB designer has attempted to "comment + out" an unwanted line that already contains a comment: + + -- broken ::= { myMIB 1 } -- This isn't working yet + + The assumption here is that a comment continues to the end of the line. + Unfortunately, this is not correct. A comment will continue either to + the end of the line, *or* the next occurance of a pair of dashes. + + Thus in this case, the definition of "broken" is commented out (as + intended) but the following text ("This isn't working yet") is treated + as an active part of the MIB, and will generate an error. + + + The second scenario is where a line of dashes has been used to mark + out separate parts of a MIB file. Depending on the exact number of + dashes used, this may still result in a syntactically valid MIB file, + but has a 1-in-4 possibility of triggering an error. This means that + this particular situation can be particularly difficult to spot! + + + Most of the Net-SNMP applications have a command-line option (-Pc) which + will work around this problem by treating the whole line as a comment. + But this is not strictly legal, and the offending MIB file should really + be corrected. + + + +How can I get more information about problems with MIB files? +------------------------------------------------------------ + + The command 'snmptranslate' is used to translate between numeric + and symbolic forms of OIDs. It uses the same MIB parsing routines + as the commands that actually communicate with a network management + agent, but can be used standalone. As such, it is a useful tool + for identifying problems with reading in MIB files. + + In particular, the following options may be useful in + identifying problems: + -Pw warns about conflicting symbols + -PW prints more verbose warnings about other problems as well + (in both cases, ignore the 'xmalloc' reports) + -T provides sub-options for various views of these entries + + There are other '-P' options to control various aspects of MIB parsing. + See the 'snmptranslate(1)' and 'snmpcmd(1)' man pages for more details, + or the tutorial at + http://www.net-snmp.org/tutorial-5/commands/snmptranslate.html + + For a more rigourous validation, use a tool such as 'smilint', or the + on-line interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/ + + + +What's this about "too many imported symbols"? +--------------------------------------------- + + Any MIB file starts with an (optional) list of identifiers that + it "imports" from other files. The parser handles this using + a fixed size buffer to hold the import information. + There are two circumstances in which this can result in the + error message shown above. + + Firstly, if the MIB file refers to an unusually large number + of external identifiers. Handling this case requires a (trivial) + patch to the parsing code. Contact the coders list for advice. + (This is extremely rare - the only example that + we've come across is the Cabletron Trap MIB). + + Much more common is a syntax error in the IMPORTS clause of the + MIB file in question. In particular, check that this section ends + in a semicolon, before going on to the main MIB object definitions. + + + +Do I actually need the MIB files? +-------------------------------- + + Probably not. + The MIB files play two main roles - they are used to translate + between numeric OIDs and the corresponding textual names, and + they define the structure and syntax of the relevant MIB objects. + + This second role is perhaps best thought of in terms of a design + document. It's vital while developing an application (typically + the MIB module or handler within the agent), since it defines + what the application (MIB) must actually do. But once the code + has been written, the design document becomes redundent. + The agent then has the same information hardcoded into it + (literally!), and no longer needs the MIB file. + + The translation task is not strictly necessary - SNMP will + operate fine without any MIB files at all, as long as you're + happy to work with numeric OIDs throughout, and know which MIB + objects you're interested in. But it's much easier to work with + the (hopefully) meaningful names, enumeration tags and the like, + and to view the description of a particular object. + This requires having the relevant MIB files installed and loaded. + + + Since the agent needs MIBs the least and some systems are memory + restricted, it is possible to completely disable loading these MIBs + as well as remove the code that does the parsing by using the + --disable-mib-loading flag to configure. + + However, note that certain snmpd.conf tokens actually make use + of mib information so they won't be as easily usable. + + + +AGENT +===== + +What MIBs are supported? +----------------------- + + The following MIBs are supported (at least in part and on some systems): + + - MIB-2 General network statistics + (RFC 1213 and subsequent revisions) + - Host Resources (RFC 1514 and 2790) + - SNMPv3 framework (RFCs 2571-5, 3411-3418) + (including USM, VACM, Target + and Notification MIBs) + - DisMan Event and Schedule MIBs + - MTA-MIB (sendmail) + - private UCD/Net-SNMP agent extensions + (monitor specified processes and disks, + memory, CPU, load average, + extending + the agent using shell commands) + + See README.agent-mibs for details. + + Not all MIB modules are included by default on all systems. Some of + these may need to be explicitly requested when the software is first + configured and built, while others may not be available on all + architectures. + + There are a few other MIB implementations distributed as part of the + source tarball, but these are basically unsupported and most of the + core developers have little or no experience with using them. + + + +What protocols are supported? +---------------------------- + + The agent supports all three current versions of SNMP (v1, v2c and v3), + over both UDP and TCP transports, as well as acting as a SMUX (RFC 1227) + master agent, AgentX (RFC 2741) in both master and subagent roles, and + SNMP proxying. + + + +How do I configure the agent? +---------------------------- + + That's a somewhat ambiguous question, as there are two very different + stages where it is possible to "configure" the agent. + + Firstly, you can determine what capabilities and defaults are included + within the library and agent, at the time that the software is first + built. This uses suitable flags to the 'configure' script, before + compiling the source. + As far as the agent is concerned, the most significant option is + '--with-mib-modules' (or '--with-out-mib-modules') to control which + MIBs will be supported by the agent. See the next few entries for + details. + + You can also control various aspects of the agent behaviour (and the + information it returns) at run time, via the 'snmpd.conf' configuration + file. Various aspects of this are touched on throughout this FAQ. Or + see the snmpd.conf(5) manual page for full details. + The "snmpconf" script can help in creating this config file. + Start off with 'snmpconf -g basic_setup' to get you going. + + + +How do I remove a MIB from the agent? +------------------------------------ + + Deleting the text file for a MIB does not affect the agent (other than + to prevent it from recognising MIB object names in the config files). + It's necessary to tell the agent not to activate the relevant code that + actually implements these objects. There are three ways to do this: + + 1) re-run 'configure' to exclude the given MIB module(s) from the + build configuration, then recompile and reinstall: + + ./configure --with-out-mib-modules=path/to/unwanted .... + make + make install + + This specifies the path to the module code file, relative to + the 'agent/mibgroup' directory. Clearly, this approach is + only possible if you are working with a source distribution. + + 2) disable the MIB at runtime + + snmpd -I -unwanted + + Note that this relies on knowing which modules are used to + implement the relevant MIB objects. If you're not sure, + you could try walking the 'nsModuleName' MIB object, which + indicates the module responsible for each particular range + of OIDs. + You can also check which MIB modules are loaded by getting + the agent to report them as they are initialised: + + snmpd -Dmib_init -H + + From this information, it should then be fairly obvious which + modules to disable. + + 3) use access control to exclude the mib from the view used to + query the agent: + + view almostEverything included .1 + view almostEverything excluded unwantedMib + + rocommunity public default -V almostEverything + + This approach can also be used with the full com2sec/group/access + configuration directives (e.g. with versions earlier than 5.3, + which don't support the above mechanism). + + + +I've installed a new MIB file. Why can't I query it? +---------------------------------------------------- + + Installing a new MIB file will not magically enable the agent to know + what values to report for the objects defined in that MIB. It's + necessary to have some code which can provide the relevant information. + The next few entries, and the CODING section address this issue in more + detail. + + + +How do I add a MIB to the agent? +------------------------------- + + Adding a MIB essentially involves writing some code to implement the + objects defined in the new MIB. There are three basic approaches that + can be used to do this: + + - The agent can invoke an external command or shell script to + return the necessary information. There are several possible + variations on this approach - see the next entry for details. + + - The agent can pass the request off to another (sub-)agent, + which already implements the required MIB. Again, there are + several ways of doing this - including AgentX, SMUX and + proxied SNMP. See the next entry but one for details. + + - You can write code to implement the new MIB objects, and + include this within the agent. This is most commonly C + (or C++) code, although the agent can also support MIB modules + implemented in perl. + See the next section (CODING) for more details. + + Note that there is no visible difference between external commands, + subagents, and modules implemented within the main agent itself. + Tools querying the agent will see a single MIB structure. + + + +What's the difference between 'exec', 'sh', 'extend' and 'pass'? +--------------------------------------------------------------- + + 'exec' will run the specified command and return the exit status and + output. Any arguments are passed directly to the command, with no + special interpretation. + + 'sh' is similar, but invokes a shell to run the command line given. + This means that quoted arguments will be recognised as such, and also + allows redirection, and other similar shell interpretation. The results + are returned in exactly the same way. + + 'extend' is also similar, but provides a richer and more flexible MIB + framework - both for configuring the exact command to be run, and for + displaying the results. + + None of these mechanisms require the command to have any knowledge of + SNMP, or the fact that they are being used in this manner. But the + output is returned in a fixed format, and it is up to the receiving + application to interpret this appropriately. + + + 'pass' is a more general mechanism for implementing arbitrary MIB + objects. The specified command will be invoked for any request within + the named MIB subtree, and passed details of the requested OID. It + should return the information relevant to the requested OID. + + 'pass-persist' is similar, but the command will continue running + even after the initial request has been answered. These two mechanisms + can be used to implement a particular MIB, following the correct MIB + structure (as opposed to the fixed format of exec/sh/extend). + + All of these mechanisms are described in the 'snmpd.conf(5)' man page, + in the section entitled "Extending Agent Functionality". + + + +What's the difference between AgentX, SMUX and proxied SNMP? +----------------------------------------------------------- + + All three are protocols that can be used to make two or more agents + appear as one to the querying application. In each case, one agent + takes the role of "master", and delegates requests to one of the others + as and where this is appropriate. The differences between them mainly + relate to how data is represented, and the mechanisms for communication + between master and subagents. + + SMUX and proxy SNMP both essentially use the standard SNMP packet format. + The main difference is that a proxy SNMP subagent need not be aware that + it is acting in such a role. It typically listens on a non-standard port, + and simply receives requests as usual, forwarded from the master agent + (rather than directly). The main issue to be aware of is that such requests + will appear to come from the local host, and this may affect how the access + control mechanisms need to be set up. + + SMUX uses a similar packet format, but the subagent "registers" with + the master agent, providing a suitable password. The Net-SNMP (and UCD) + agent includes the possibility of acting as a SMUX master agent, but the + suite does not include a subagent API. Note that support for SMUX is not + included by default, and needs to be explicitly enabled by running: + + --with-mib-modules=smux + + before re-compiling the agent. + See the file 'agent/mibgroup/README.smux' for details. + + AgentX uses a more compact (and simpler) packet format, with a richer + range of administrative commands, and provides a more flexible and reliable + extension mechanism. The Net-SNMP agent can be used in both master and + subagent roles, and the agent library can also be used to embed an AgentX + subagent within another application. + See the file 'README.agentx' for details. + + AgentX support is included by default, but needs to be explicitly + activated in the master agent. Do this by adding the line + + master agentx + + to the snmpd.conf file before starting the agent. + + + +What is the purpose of 'dlmod'? +------------------------------ + + Most of the MIB information supplied by the Net-SNMP agent is provided + by C-coded implementation modules, and the choice of which modules to + include is usually made when the agent is first built. Adding new + MIB modules would therefore require re-compiling the agent. This is + not always convenient - particularly when working with a production + system, and/or pre-installed binaries. + + Dynamically loaded modules are a means of including a MIB implementation + module within the main SNMP agent (or an AgentX subagent) without needing + to re-compile and re-link the agent binary. Instead, details of the + module(s) to load are specified in the configuration file, and the agent + locates the files listed, and merges them in at run time. + + See http://www.net-snmp.org/tutorial-5/toolkit/dlmod/ for more information. + + + +Which extension mechanism should I use? +-------------------------------------- + + That's not easy to answer in general. + + If there's an existing agent that already implements the desired new + MIB, then it makes sense to re-use that, via whatever extension protocol + that agent might support. Note that the SMUX protocol has essentially + been superceded by AgentX, which provides a fuller and more reliable + mechanism than either SMUX or proxied SNMP. So ideally, this would + be the preferred extension approach. + But if the target subagent only supports SMUX or basic SNMP, then that + would dictate the extension protocol to use. + + Implementing the module in C within the main agent (directly or via + dlmod) is probably the most efficient and reliable, closely followed + by embedded perl (or python) extensions. These have the advantage of + minimal overheads between the code implementing the MIB module, and + the agent framework, and no inter-process communication issues. But + this does assume that there's a suitable mechanism for retrieving the + necessary information. + + If the new MIB is monitoring or managing some other subsystem, external + to the agent, then it may be necessary to embed a subagent within the + subsystem itself - particularly if there's no suitable public API to + retrieve the necessary information. In this case, AgentX is probably + the most appropriate way forward. + Alternatively, you could implement the missing public management API + for that subsystem, and develop a module within the main agent instead. + + + +Can I use AgentX when running under Windows? +------------------------------------------- + + Yes, but there are a couple of things to be aware of. + + Firstly, by default the AgentX master listens on the Unix domain + socket '/var/agentx/master', which doesn't work under Windows. + You'll need to tell it to listen on a TCP port, either by using + the command-line option "-x localhost:705", or by adding the + directive "agentxSocket localhost:705" to the snmpd.conf file. + + Secondly, be aware that the security of AgentX connectivity is not + particularly strong. The examples given here would allow any process + running on the local machine to register as an AgentX subagent. The + more obvious settings "-x 705" or "agentxSocket 705" would allow + a system *anywhere* on the network (or even from remote networks) to + register as an AgentX subagent. This could potentially be used to + hijack the agent, or provide false information. + + + +How can I run AgentX with a different socket address? +---------------------------------------------------- + + There are two sides to an AgentX connection, and they need to + agree about which socket address to use. So if you want to use + a different socket, you need to configure both parties accordingly. + + The socket that the Net-SNMP master agent uses to listen for AgentX + registrations (and send appropriate requests) can be specified using + the option '-x'. + The command + "snmpd -x tcp:localhost:705 ...." + would start the agent listening on the TCP port 705 for connections + from the local system. + The same effect can also be obtained by adding the line + agentxsocket localhost:705 + to the file 'snmpd.conf'. + + The same option can be used with the Net-SNMP agent when running in + This also holds when the Net-SNMP agent is running in + "subagent" mode, to specify the socket to register with (and receive + requests from). + So a subagent might connect to the master agent above (both running + on the same host), using: + "snmpd -X -x tcp:localhost:705 ...." + + A subagent running embedded within some other application will + typically not understand the same command-line options, so would + need to set the same configuration programmatically: + + netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_X_SOCKET, "tcp:localhost:705"); + + With the example subagent code from the Net-SNMP tutorial, this line + would be added immediately before the 'init_agent' call. + + The same approach can also be used to listen on a different named + socket, using: + agentxsocket /tmp/agentx + agentxperms 770 770 myuser mygroup + or + snmpd -x /tmp/agentx .... + or + netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_X_SOCKET, "/tmp/agentx"); + as appropriate. + + + +How can I turn off SMUX support? +------------------------------- + + Normally, you would use the command-line option '-I -{module}' to + disable the initialisation of a particular MIB module within the + agent. Unfortunately, it's not currently possible to turn off SMUX + support this way. + + The safest approach is to run + configure --with-out-mib-modules=smux + and recompile the agent. + + If this is not possible, an alternative workaround might be to have + the agent bind the SMUX socket to an invalid IP address, using a + snmpd.conf line such as: + + smuxsocket 1.0.0.0 + + The agent may complain at startup, but it won't accept any incoming + SMUX requests. + + If the agent complains about not recognising the "smuxsocket" + token, then you're out of luck. You'll either have to recompile + from source, or use local firewall rules to block connections + to port 199. + + + +How can I combine two copies of the 'mib2' tree from separate subagents? +----------------------------------------------------------------------- + + This is the purpose of the SNMPv3 'context' field. Register the MIB + module a second time in a non-default context (see the relevant entry + in the CODING section for details), and specify this context when + querying the agent. The MIB module can use this context information + to determine which set of information to report. + Or you could register two completely different handlers for the same + OID (using different contexts), and the agent will invoke the appropriate + code. This holds for both MIB modules implemented within the main agent, + or AgentX subagents - the same approach will work for both. + + Contexts can also be used with proxied SNMP requests - just specify + the option '-Cn {context}' as part of the "proxy" entry. See the + 'snmpd.conf(5)' man page for details. + + It's currently not possible to support parallel MIB trees when using + SNMPv1 or SNMPv2c. In principle, it should be possible to use the + community string in a similar way, but this has not (yet) been implemented. + + This mechanism is only available with the v5 Net-SNMP agent. The v4 + UCD agent does not support contexts at all. Sorry about that. + + Another way to handle this would be to tweak one of the subagents to + use a different set of (non-standard) OID assignments - perhaps by + relocating the whole of the subtree to another (private) OID. This + is not ideal, but should work with all configurations. + + + +What traps are sent by the agent? +-------------------------------- + + The Net-SNMP agent sends a 'coldStart(0)' trap when it first starts up, + and an enterprise-specific trap 'nsNotifyShutdown' when it stops. It + generates an enterprise-specific trap 'nsNotifyRestart' (rather than + the standard 'coldStart(0)' or 'warmStart(1)' traps) on receiving a HUP + signal - typically after being re-configured. It can also be configured + to send an 'authenticationFailure(4)' trap when it receives an SNMPv1 + (or SNMPv2c) request using an unknown community name. + + The agent does not send 'linkUp' or 'linkDown' traps by default. It can + be configured to do this using the directive 'linkUpDownNotifications'. + See the 'snmpd.conf(5)' man page (under ACTIVE MONITORING) for details. + + Similarly, it does not generate traps by default when one of the + monitored characteristics (disk usage, running processes, etc) enters or + leaves an error state. This can be configured using the 'defaultMonitors' + directive (again documented under ACTIVE MONITORING). + + + +Where are these traps sent to? +----------------------------- + + With all these alerts, the agent needs to be told where to send them, + specifying the type of notification (v1 or v2 trap, or v2 inform) and + the community name to use. This uses the snmpd.conf directives 'trapsink', + 'trap2sink' and 'informsink' for the destination type, and 'trapcommunity' + for the community name. SNMPv3 destinations can be configured using the + directive 'trapsess'. See the 'snmpd.conf(5)' man page for details. + + Note that the type of trap generated is totally determined by these + directives - irrespective of which API call was used to trigger sending + the trap. See the trap-related entries in the CODING section for details. + + Note also that you typically only want *one* of the settings: + + trapsink localhost + trap2sink localhost + informsink localhost + + Including two (or all three) of these lines in the snmpd.conf file will + will result in multiple copies of every notifications being sent for + each call to 'send_easy_trap()' (or 'send_v2trap()'). + This is probably not what was intended! + + + +How can I send a particular trap to selected destinations? +---------------------------------------------------------- + + This is not currently possible. All notifications will be sent to + all configured destinations. The agent does not (currently) support + notification filtering. + + There is a preliminary implementation of the snmpNotifyFilterTable + which is designed to allow this sort of selective trap direction. + However this is not currently active. (The tables are present and + can be manipulated and updated, but the information is not consulted) + Documentation on how to use this mechanism will appear once the + functionality is working properly. + + + +When I run the agent it runs and then quits without staying around. Why? +----------------------------------------------------------------------- + + Firstly, are you certain that this is what is happening? + + The normal operation of the agent is to 'fork' itself into the background, + detaching itself from the controlling terminal so that it will continue + running even when you log out, and freeing the command line for subsequent + use. This looks at first sight as if the agent has died, but using 'ps' + to show all processes should reveal that the agent is still running. + + To prevent this behaviour (such as when attempting to debug the agent), + you can start it with the '-f' flag. This suppresses the fork, and the + agent will run as a 'normal' command. It's also often useful to use the + '-Le' (or '-L') flag, to log messages to stderr. + + On the other hand, if 'ps' shows that the agent is not running, then + this is an error, and probably show that something went wrong in + starting the agent up. Check the agent log file for any error messages, + or run it with '-f -Le' and see what it reports. + + One possible cause might be an existing agent (or some other process) + that's already listening on the SNMP port. Trying to start a second + agent will fail with an error about "opening the specified endpoint". + + If you're starting the agent as a non-root user, then this may also + fail with the very same error. By default, the agent (and trap handler) + will attempt to listen on the standard SNMP port 161 (or 162 for the + trap handler). These are defined as "privileged ports", and processes + will need to be running as root in order to open them. + + One way to tackle this is to start the agent as root, but use the -u + option to switch to run as another user once the port has been opened. + Alternatively, you can specify a different port to use instead. + Anything greater than 1024 is available to non-root users. In this case, + you'll also need to specify the same port when issuing client commands. + + + +After a while the agent stops responding, and starts eating CPU time. Why? +-------------------------------------------------------------------------- + + This is basically the same problem described in the APPLICATIONS + section, in the entry + The agent worked for a while, then stopped responding. Why? + + See that entry for details. + + + +How can I stop other people getting at my agent? +----------------------------------------------- + + Firstly, are you concerned with read access or write access? + + As far as changing things on the agent is concerned, there is relatively + little that can actually be altered (see the entry "Why can't I set + any variables in the MIB?" above). + + If you are using the example config file, this is set up to allow + read access from your local network, and write access only from the + system itself (accessed as 'localhost'), both using the community name + specified. You will need to set appropriate values for both NETWORK + and COMMUNITY in this file before using it. + This mechanism can also be used to control access much more precisely. + (see the next few questions for details) + + Other options include: + - Blocking access to port 161 from outside your organisation + (using filters on network routers) + - Using kernel-level network filtering on the system itself + (such as IPTables) + - Configuring TCP wrapper support ("--with-libwrap") + This uses the TCP 'libwrap' library (available separately) + to allow/deny access via /etc/hosts.{allow,deny} + + For strict security you should use only SNMPv3, which is the secure + form of the protocol. However, note that the agent access control + mechanisms does not restrict SNMPv3 traffic by location - an SNMPv3 + request will be accepted or rejected based purely on the user + authentication, irrespective of where it originated. Source-based + restrictions on SNMPv3 requests would need to use one of the "external" + mechanisms listed above. + + + +How can I listen on just one particular interface? +------------------------------------------------- + + Normally, the agent will bind to the specified port on all interfaces + on the system, and accept requests received from any of them. However, + if a particular port (or ports) is specified when the agent is first + started, then it will only listen for requests on these particular + ports. + For example: + snmpd 127.0.0.1:161 + + would listen (on the standard port) on the loopback interface only, and: + + snmpd 10.0.0.1:6161 + + would listen on port 6161, on the (internal network) interface with + address 10.0.0.1. To listen on both of these interfaces (and no others) + provide a list of all the desired addresses: + + snmpd 127.0.0.1:161 127.0.0.1:6161 + + The AgentX port option ('-x') works in much the same way. + + + +The agent is complaining about 'snmpd.conf'. Where is this? +----------------------------------------------------------- + + It doesn't exist in the distribution as shipped. You need to + create it to reflect your local requirement. + To get started, you can either just create this file manually, + or run snmpconf to help you create one. At the very least, you + will need some form of access control configuration, if the agent + is to be of any use whatsoever. This can be as simple as: + + rocommunity public + + See the snmpd.conf(5) manual page or relevant entries in this + FAQ for further details. + + + +Why does the agent complain about 'no access control information'? +------------------------------------------------------------------ + + Although an SNMP agent may support a wide range of management + information, it is not necessarily appropriate to report the whole + of this to every SNMP management station who asks for it. Some + information may be sensitive, and should restricted to authorized + administrators only. SNMP therefore includes mechanisms for + controlling who has access to what information - both in terms of + what can be seen, and (even more importantly) what can be changed. + + By default, the Net-SNMP agent starts up with a completely empty + access control configuration. This means that *no* SNMP request + would be successful. It is necessary to explicitly configure + suitable access control settings, based on who should be granted + access in that particular environment. + + If there are no access control entries configured (perhaps because + no snmpd.conf configuration file has been loaded, or it contains no + access control settings), then the agent will not respond to any + SNMP requests whatsoever. This is almost certainly not what was + intended, so the agent reports this situation. + + See the next entry for how to configure access control settings. + + + +How do I configure access control? +--------------------------------- + + The simplest way is to use the configure directives: + + rocommunity public (for SNMPv1/2c) + rwcommunity private + or + rouser user1 (for SNMPv3) + rwuser user2 + + These specify the community names or security names to accept for + read-only and read-write access to the whole of the supported MIB tree. + (Obviously you should change these names to match your requirements - + which is a particularly good idea in the case of 'rwcommunity'!) + + Note that you should *not* specify the same community name for both + rocommunity and rwcommunity directives. The rwcommunity setting + automatically provides read access, and having both lines (with the + same community name) may result in unexpected behaviour. + Only use both settings when specifying *different* community names. + The same holds true for rouser and rwuser. + + The two community directives can be restricted to only allow requests + from particular sources, and all four can be restricted to a particular + subtrees or (from v5.3) a named view. See 'snmpd.conf(5)' for details. + + + +How do I configure SNMPv3 users? +------------------------------- + + There are three ways to configure SNMPv3 users: + + 1) Stop the agent, and add the line + + createUser {myUser} MD5 {myPassword} DES + + to the file /var/net-snmp/snmpd.conf (where {myUser} and + {myPassword} are the appropriate values for username and password, + _without_ the braces!). Then re-start the snmpd agent. + + 2) Stop the agent, run the command + + net-snmp-config --create-snmpv3-user + + and follow the prompts given. This will create an entry + in the /var/net-snmp/snmpd.conf file similar to the above. + Then re-start the snmpd agent. + + 3) Make sure the agent is running, and will respond to an SNMPv3 + request (using an existing user with the desired authentication + and privacy protocols). Then use the 'snmpusm' command to clone + this template user, and change the password. + + + See the access control entries above and the file 'README.snmpv3' + for more details about how to use SNMPv3 users, + + Note that simply having a 'rouser' or 'rwuser' line does *not* + automatically create the corresponding SNMPv3 user. You will need + the above 'createUser' line (or an equivalent 'usmUser') as well. + + + +The 'createUser' line disappears when I start the agent. Why? +------------------------------------------------------------- + + This is deliberate. + + The agent removes the (human-readable) 'createUser' directive, and + replaces it with an equivalent 'usmUser' entry. This contains the + same information, but in a form that's only meaningful internally. + Not only is the passphrase no longer visible in the config file, it + has actually been converted to a key that is only valid on this + particular system. If someone stole the configuration file, they + could not use the information from the usmUser entry to access any + of your other agents (even if the usernames and passwords were the same). + + + +What's the difference between /var/net-snmp and /usr/local/share/snmp? +--------------------------------------------------------------------- + + The /var/net-snmp location is primarily used for information set + during the running of the agent, which needs to be persistent between + one run of the agent and the next. Apart from "createUser" (see + the previous entry), you shouldn't need to touch this file. + + All other user-provided configuration should go in the traditional + location (typically /usr/local/share/snmp/snmpd.conf or /etc/snmp). + + + +My new agent is ignoring the old snmpd.conf file. Why? +----------------------------------------------------- + + The most likely explanation is that the new version of the agent is + looking in a different location than the previous one. This is commonly + experienced when replacing a ready-installed version (e.g. from a vendor + distribution), with the current release installed from the source. + + Try moving the old config file to the new location, and restart the agent. + If you're not sure where this should go, see the next entry. + + + +Where should the snmpd.conf file go? +----------------------------------- + + The default location for this file with the basic distribution is + /usr/local/share/snmp/snmpd.conf (or PREFIX/share/snmp/snmpd.conf). + Ready-installed versions often look for the file as /etc/snmpd.conf, + or /etc/snmp/snmpd.conf. + + If you are still not sure, try running the command + + snmpd -f -Le -Dread_config 2>&1 | grep "config path" + + The first line of output will display the list of locations where + the agent is looking for configuration information. + + + +Why am I getting "Connection refused"? +------------------------------------- + + This is actually nothing to do with the access control mechanism + (though that's an understandable mistake). This is the result of + the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny' + to control access to the service. Some distributions may come with + this enabled automatically - otherwise you need to explicitly activate + this by running + configure --with-libwrap + and recompiling the agent. + + If TCP wrappers are enabled, and both hosts.allow and hosts.deny are + empty, then all requests will be rejected (with "Connection refused"). + The simplest way to avoid this problem and allow incoming requests is + to add the line + + snmpd: ALL + + to the file /etc/hosts.allow. Be aware that doing this removes one + level of protection and allows anyone to try and query your agent. + The agent's own access control mechanisms can still be used to restrict + what - if anything - they can see. + + If you do wish to use the TCP wrappers to restrict access, it's sensible + to have an explicit entry: + + snmpd: ALL + + in the file /etc/hosts.deny, which makes it crystal clear that access + to the SNMP agent has been denied. This mechanism can also be used to + restrict access to specific management hosts, using a hosts.deny entry + such as: + + snmpd: ALL EXCEPT 127. + + which will allow connections from localhost, and nothing else. + + Note that personal firewalls, such as the Linux iptables mechanism, + may have a similar effect (though typically this won't be logged). + See the earlier entry + Requests always seem to timeout, and don't give me anything back. Why? + + + +Why can't I see values in the UCDavis 'proc' or 'disk' trees? +------------------------------------------------------------------ + + Both these trees are designed to report precisely those things that + have been explicitly configured for monitoring. If there are no + relevant configuration entries in the snmpd.conf file, then these + tables will be empty. See the snmpd.conf manual page and the + EXAMPLE.conf file for details on configuring the agent. + + Optionally, run snmpconf -g monitoring to help you set up this + section of the snmpd.conf file. + + + +Why can't I see values in the UCDavis 'memory' or 'vmstat' trees? +---------------------------------------------------------------- + + These trees do not need any explicit configuration, and should + be present automatically. + + However the C code necessary to implement these particular MIB + modules are not supported on all operating systems. These trees + will be omitted on any system for which there is no underlying + code. Currently, they are only supported on Linux, HP-UX (memory + only), Solaris, BSDi (vmstat on BSDi4 only), Dynix, FreeBSD, NetBSD + and OpenBSD. + If you want to help port it to other systems, let us know. + + Note that these subtrees only report the current usage when + explicitly queried. They do *not* automatically generate traps + when the usage strays outside the configured bounds. + See the earlier FAQ entry + What traps are sent by the agent? + or the snmpd.conf section on active monitoring, for more information. + + + +What do the CPU statistics mean - is this the load average? +---------------------------------------------------------- + + No. Unfortunately, the original definition of the various CPU + statistics was a little vague. It referred to a "percentage", + without specifying what period this should be calculated over. + It was therefore implemented slightly differently on different + architectures. + + The 5.4 release has clarified the situation, and standardised on + calculating these percentages over a minute. The relevant MIB + descriptions have been updated to make the desired behaviour + more explicit. + + The Net-SNMP agent also includes "raw counters", which can be used + to calculate the percentage usage over any desired period. This is + the "right" way to handle things in the SNMP model. The original + percentage objects have been deprecated, and may possibly be removed + in a future release of the agent. + + Note that this is different from the Unix load average, which is + available via the loadTable, and is supported on all architectures. + + + +How do I get percentage CPU utilization using ssCpuRawIdle? +----------------------------------------------------------- + + This one of the "raw counters" mentioned in the previous entry. + You need to take two readings of this object and look at the + difference between them. That difference divided by the total + number of 'ticks' between the two readings (where one tick is + probably 0.01 seconds) will give you the percentage utilization + over that period. + + + +What about multi-processor systems? +---------------------------------- + + The CPU objects (both percentages and raw counters) were designed to + monitor the overall CPU activity of a system, and typically reflect + whatever the underlying operating system reports for the (single) + CPU statistics information. How these are handled for a multi-CPU + system will differ from one O/S to another, and will need + to be investigated for each system individually. + + The htProcessorTable was designed to handle monitoring multi-CPU + machines, but the Net-SNMP implementation has up to now treated + most systems (with the honourable exception of Solaris, and more + recently Linux) as implicitly single-CPU. + + With the 5.4 release, there is now a cleaner framework for reporting + on multi-CPU equipment, and it is hoped that an increasing number + of systems will be able to report suitable processor information. + Also with the 5.4 release, for the first time the agent will report + the hrProcessorLoad value properly, which should provide some simple + per-CPU statistics. + + + +The speed/type of my network interfaces is wrong - how can I fix it? +------------------------------------------------------------------- + + Some operating systems will provide a mechanism for determining + the speed and type of network interfaces, but many do not. In such + cases, the agent attempts to guess the most appropriate values, + usually based on the name of the interface. + + The snmpd.conf directive "interface" allows you to override these + guessed values, and provide alternative values for the name, type + and speed of a particular interface. This is particularly useful + for fast-ethernet, or dial-up interfaces, where the speed cannot be + guessed from the name. + + See the snmpd.conf(5) man page for details. + + + +The interface statistics for my subinterfaces are all zero - why? +---------------------------------------------------------------- + + Unfortunately, most kernels that support multiple logical + interfaces on a single physical interface, don't keep separate + statistics for each of these. They simply report the overall + statistics for the physical interface itself. + + There's no easy way around this problem - the agent can only + report such information as is available. If the kernel doesn't + keep track of these figures, the agent can't report them. + + Sorry! + + + +Does the agent support the RMON-MIB? +----------------------------------- + + Not really. + + There is an "Rmon" code module included within the agent source + code tree, but this is best thought of as a template for the + RMON-MIB statistics groups, rather than a full implementation. + + With most MIBs, the hardest part of implementing the MIB is often + getting hold of the data to report. This is definitely true of the + RMON-MIB, which relies on gathering (and analysing) a potentially + large quantity of network traffic. The Rmon code distributed with + the Net-SNMP agent code avoids this problem, by using random data. + + Some of the functionality of the RMON-MIB, such as the alarm and + event groups, has since been superseded by the work of the DisMan + IETF working group. The Net-SNMP agent does implement these (more + general) MIB modules. But the statistics gathering aspects of + the RMON-MIB are not readily available. + + Note too that none of the core developers have any significant + experience with this code, and the person who originally wrote it + is no longer active on the mailing lists. So there's no point in + asking on the lists whether these modules work or not. You've got + the source - how badly do you need this functionality? + + + +What does "klread: bad address" mean? +------------------------------------- + + This means that the agent was unable to extract some of the + necessary information from the kernel structures. This is + possibly due to: + - either looking in the wrong place for kernel information + (check the value of KERNEL_LOC) + - an error in the implementation of part of the MIB tree + for that architecture. Try and identify which + OID is generating the error, and contact the + list 'net-snmp-coders@lists.sourceforge.net' + Remember to tell us what architecture you have! + + + +What does "nlist err: wombat not found" (or similar) mean? +---------------------------------------------------------- + + This means that the agent wasn't able to locate one of the + kernel structures it was looking for. This may or may not + be important - some systems provide alternative mechanisms + for obtaining the necessary information - Solaris, for example, + can produce a whole slew of such messages, but still provide + the correct information. + This error only occurs if you have used the flag + '--enable-debugging' as part of the initial configuration. + Reconfigure the agent with '--disable-debugging' and these + messages will disappear. (It won't fix the underlying problem, + but at least you won't be nagged about it). + + + +What does "Can't open /dev/kmem" mean? +------------------------------------- + + This device is normally restricted to just being accessible by root + (or possibly by a special group such as 'kmem' or 'sys'). The agent + must be able to read this device to obtain the necessary information + about the running system. + Check that the agent was started by root, and is running with UID 0 + (or suitable GID if appropriate). The agent will normally continue + to run without this level of access permission, but won't be able to + report values for many of the variables (particularly those relating + to network statistics). + + + +The system uptime (sysUpTime) returned is wrong! +----------------------------------------------- + + Oh no it's not. + The defined meaning of 'sysUpTime' is + "the time ... since the *network management* + portion of the system was re-initialized." + + In other words, when the snmp agent was started, not when the + system itself last booted. This latter information is available + in the Host Resources MIB as "hrSystemUpTime.0" + Note that even if the full Host Resources is not supported on + your system, it's worth configuring in the system portion using + + '--with-mib-modules=host/hr_system' + + and recompiling. This particular group is reasonably likely to work, + even if some of the other more architecture-specific groups don't. + + + +Can the agent run multi-threaded? +-------------------------------- + + Short answer - no. + Longer answer - not easily. + + Net-SNMP within a single thread of an threaded application is fine, + as long as *all* snmp code is kept within the same thread. This lets + you add SNMP support to an existing threaded application. + + If you are concerned with the time taken for to process requests for + a particular agent, object or subtree, and you want the agent to + continue to respond to other requests in the meantime, there are + two options. + + The first method is using AgentX sub-agents. If you have several + tables, each implemented by a separate subagent, then a single + request for entries from each of the tables will be processed + in parallel (and the agent will continue to respond to other + requests while it waits for the subagents to return the necessary + information). But a request for several objects from the same + table will be passed off to the relevant subagent, where it will + (normally) be processed serially. + + The second method is to use delegated requests + IPC to another + process. If takes a long time to retrieve a value for a given object, + then the object handler could do whatever necessary to start or + communicate with another (non-SNMP) process/thread to actually + retrieve the value, and mark the request as delegated. + The main agent (or subagent) can then receive and process other + requests while waiting for the delegated request to finish. + Dealing with resource contention is all up to you. + + All of this only applies to the GET family of requests. A SET + request will block until all pending GET requests have finished, + and then will not accept new requests until the SET is complete. + + Adding full multi-thread support directly to the agent would be + nice. We just need someone with time/money to do/sponsor the work. + + + +Can I use AgentX (or an embedded SNMP agent) in a threaded application? +----------------------------------------------------------------------- + + With care. + + As mentioned in the earlier "thread-safe" FAQ entry, the Net-SNMP + agent (including the AgentX subagent) has not been designed for + threaded operation. In particular, it makes use of various global + variables without attempting to protect them against simultaneous + use. This means that it is *NOT* safe to have SNMP or AgentX + related processing in two separate threads. This also applies to + handling GET (and SET) processing in one thread, and generating traps + in another. This is still vulnerable to the usual threading problems. + + However, as long as *all* of the SNMP-related activity is limited + to the one thread, then there should be no reason why this cannot + safely communicate with other threads within the same application, + using private (thread-safe) mechanisms. + + But in terms of the Net-SNMP-provided code, the agent (and AgentX + subagent) should *not* be regarded as thread-safe. + + + +COMPILING +========= + +How do I control the environment used to compile the software? +------------------------------------------------------------- + + The basic mechanism for compiling the Net-SNMP project software is to + run "configure", followed by "make" (to compile it), "make test" (to + check that it's working properly) and then "make install" (to install + the files into the correct locations - which typicalyl needs to be done + as root. + + The primary role of "configure" is to determines various aspects about + the system that the software is being compiled on. However there are + also a number of options to configure which can be used to control + various aspects of the compilation environment. + + The most common options are "--with-mib-modules" and "--with-out-mib-modules" + which control the set of MIB module code files that are included within + the agent binary. Adding or removing these modules will affect what MIB + information the agent can return. + See the entry "How do I add a MIB to the agent?" for more details. + + + The configure script can also specify the compiler to use for compiling + the source code (e.g. "configure --with-cc=cc"), the flags passed to + this compiler (e.g. "configure --with-cflags=-g"), or to the linker + (e.g. "configure --with-ldflags=-Bstatic"), and various other aspects of + the build environment. + Run "configure --help" for a full list. + + + +How do I control the environment used to compile the software under Windows? +--------------------------------------------------------------------------- + + If you are compiling the project within the MinGW or Cygwin environments, + then these use the same "configure" mechanism as Unix-based systems. See + the previous entry for more information. + + If you are compiling the project from within Visual Studio, then this does + not use the standard configure mechanism. Instead, there is a separate + "Configure" script within the 'win32' directory. This can be used enable + or disable various aspects of the build environment, such as support for + encryption or IPv6. + Run "Configure --help" for more information + + Note that this script does not include an equivalent of "--with-mib-modules" + for extending the MIB information supported by the agent. Instead, this + needs to be done by tweaking the build environment manually. See the file + README.win32 for more details of this, and various other aspects of building + the project on Windows systems. + + + +Why does the compilation complain about missing libraries? +--------------------------------------------------------- + + This has been seen in a number of guises over the years - most commonly + on Linux systems (although the problem may also occur elsewhere). The + underlying problem is that typical installation may not always include + the full set of library links required for building the Net-SNMP software. + + This problem can usually be fixed by installing the missing packages + (typically the development version of a package that is already there). + + Examples of this that we have come across include: + + -lelf elfutils-devel (later renamed to elfutils-libelf-devel) + -lbz2 bzip2-devel + -lselinux libselinux-devel + -lcrypto openssl/openssl-devel + -lbeecrypt libbeecrypt/beecrypt/beecrypt-devel. + + These are the names of the RedHat/Fedora RPMs. Other distributions + or O/S's may use different names, but the basic idea should be the + same. + + If the compilation is complaining about a missing .so file, then an + alternative quick fix is to add the missing symbolic link, using + something like: + ln -s libelf.so.1 /usr/lib/libelf.so + + giving the appropriate generic library name from the error message, + and the correct number for whichever version of this library you + have installed. + + If the compilation is complaining about a .la file, then you should + install the relevant development package, as listed above. + + + +How can I reduce the memory footprint? +-------------------------------------- + + In order to reduce the memory footprint (for instance, to + embed the snmpd into a device), the following configure options + could be used. + + '--disable-debugging' + This turns off the compilation of all debugging statements. + + '--enable-mini-agent' '--with-out-mib-modules=examples/ucdDemoPublic' + This creates an agent with just the essential MIB modules included. + NOTE: If you need additional MIB modules, then simply add them + using the option '--with-mib-modules=...' but this will of course + increase the memory footprint. + + '--with-transports=UDP' + This option specifies the transport domains to include. + For a simple standalone agent, just UDP should be sufficient. + (Although the 'disman' and 'agentx' modules may require the + Callback, TCP and/or Unix transport domains as well). + + '--without-kmem-usage' + This can be used in order to omit the code that operates on the + /dev/kmem interface. Clearly, this option cannot be used when + one of the configured MIB modules depends on it. + + '--with-mibdirs=' and '--with-mibs=' + These options tell the agent not to load any MIB modules. + This doesn't affect the size of libraries or application + binaries, but will reduce the memory footprint during runtime. + + '--disable-mib-loading' + This can be used in order to omit the code that loads and + parses the MIB files altogether. This will reduce both the + runtime memory footprint, and the binary sizes. + + Once the agent (snmpd) has been linked, you might also try running + 'strip snmpd' to remove un-necessary debug/symbol information. + + + +How can I reduce the installation footprint or speed up compilation? +------------------------------------------------------------------- + + The following configure options may also be useful: + + --disable-agent Do not build the agent (snmpd). + --disable-applications Do not build the apps (snmpget, ...). + --disable-manuals Do not install the manuals. + --disable-scripts Do not install the scripts (mib2c, ...). + --disable-mibs Do not install the mib files. + --disable-mib-loading Do not include code that parses and + manipulates the mib files. + + + +How can I compile the project for use on an embedded system? +----------------------------------------------------------- + + Although this is definitely a Frequently Asked Question on the project + mailing lists, it hasn't really been a Frequently _Answered_ Question. + The basic problem is that none of the core development team have much + involvement or experience with embedded systems. And although we have + repeatedly put out a plea for implementation reports and advice, this + has not so far been particularly successful. So the first thing to say + is that the following suggestions should be treated with a greater than + usual level of suspicion. + + The second thing to say is that compiling the Net-SNMP project for use + on an embedded system typically means compiling the *agent* (rather than + the trap receiver, or command-line tools). So that is what this entry + will concentrate on. + + There are three main aspects to consider: + - how to compile the code, + - *what* code to compile, and + - how to install the resulting agent binary. + + The Net-SNMP project uses the standard "configure" mechanism, so the + usual cross-compilation options are available - in particular "--host" + and "--target". It is also possible to specify the compiler and linker + to use ("--with-cc" and "--with-ld"), and any special flags to pass + to them ("--with-cflags" and "--with-ldflags"). There shouldn't be + anything particularly special about compiling the Net-SNMP code, so + see the documentation for your target environment for more information. + (And please let us know if there *is* anything special that should be + mentioned here!) + + If the aim is simply to generate an SNMP agent to run on the target + system, it's probably not necessary to compile the command-line tools + or trap receiver. The configure option "--disable-applications" will + omit these elements. See the previous entry for other potentially + relevant useful options. + + Unfortunately, the SNMP agent (and in particular, the code for individual + MIB modules) is the most system-specific part of the Net-SNMP software. + It may prove necessary to disable particular MIB modules if they do not + compile successfully, or attempt to use the wrong system-specific APIs. + This can be done using the configure option "--with-out-mib-modules". + Alternatively, the option "--enable-mini-agent" will omit all but the + core MIB module code. Additional modules can then be added individually + using "--with-mib-modules". + + Further information about how to deal with problems with individual MIB + modules is reliant on suitable reports being forthcoming from the wider + Net-SNMP community. The ball is in your court! + + Finally, installing the agent binary is _not_ simply a matter of copying + the "snmpd" file onto the target system. The agent typically relies on + a number of additional libraries (and possibly the presence of assorted + MIB files, unless this has been explicitly omitted). It is normally + necessary to run "make install", before copying the installed framework + to the target system. + + If the install destination needs to be different to the eventual location + on the target system, this can be handled using the configure options + "--prefix" (for the target location) and "--with-install-prefix" (for the + temporary install location). Alternatively, this can be handled as part + of the install command: + make install prefix={target location} INSTALL_PREFIX={temp location} + + Alternatively, if the agent is compiled with static linking (and no MIB + files), then it may be possible to simply copy the agent binary across to + the target system. See the next entry for details. + + + +How can I compile the project to use static linking? +--------------------------------------------------- + + For totally static net-snmp executables, use + configure --with-ldflags=-Bstatic + + To compile your application with static libraries (eg for easier + debugging), and to link to a non-installed build directory, try the + following Makefile fragment: + + NETSNMPDIR=/usr/local/build/snmp/full-clean-cvs-V5-1-patches + NETSNMPCONFIG=$(NETSNMPDIR)/net-snmp-config + + NETSNMPBASECFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags) + NETSNMPINCLUDES := $(shell $(NETSNMPCONFIG) --build-includes $(NETSNMPDIR)) + # base flags after build/src include, in case it has /usr/local/include + NETSNMPCFLAGS=$(NETSNMPINCLUDES) $(NETSNMPBASECFLAGS) + + NETSNMPBASELIBS := $(shell $(NETSNMPCONFIG) --base-agent-libs) + NETSNMPEXTLIBS := $(shell $(NETSNMPCONFIG) --external-agent-libs) + NETSNMPLIBDIRS := $(shell $(NETSNMPCONFIG) --build-lib-dirs $(NETSNMPDIR)) + NETSNMPLIBDEPS := $(shell $(NETSNMPCONFIG) --build-lib-deps $(NETSNMPDIR)) + LIB_DEPS=$(NETSNMPLIBDEPS) + LIBS=$(NETSNMPLIBDIRS) -Wl,-Bstatic $(NETSNMPBASELIBS) -Wl,-Bdynamic $(NETSNMPEXTLIBS) + + STRICT_FLAGS = -Wall -Wstrict-prototypes + CFLAGS=-I. $(NETSNMPCFLAGS) $(STRICT_FLAGS) + + This replaces the standard Makefile section, which will used installed + libraries: + + NETSNMPCONFIG=net-snmp-config + + # uncomment this if you have GNU make + #NETSNMPCFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags) + #NETSNMPLIBS := $(shell $(NETSNMPCONFIG) --agent-libs) + NETSNMPCFLAGS=`$(NETSNMPCONFIG) --base-cflags` + NETSNMPLIBS=`$(NETSNMPCONFIG) --agent-libs` + + LIBS=$(NETSNMPLIBS) + + + +Why does 'make test' skip various tests? +--------------------------------------- + + Some of the tests are only relevant to particular operating systems, + or rely on specific areas of functionality. The test framework will + check whether the relevant elements are available before running the + relevant tests, and will skip them if these modules have been omitted + from the build environment (or do not apply to the current system). + + One example of this are the tests T053agentv1trap, T054agentv2ctrap, + T055agentv1mintrap, T056agentv2cmintrap and T113agentxtrap, which + rely upon functionality from the NET-SNMP-EXAMPLES-MIB implementation. + This module is not included in the default agent configuration, so the + test framework will skip these tests. + To include them, run + "configure --with-mib-modules=examples/example" + and re-compile. + + + +Why does 'make test' complain about a pid file? +----------------------------------------------- + + Typically it says something like: + + cat: cannot open /tmp/snmp-test-1-8694/*pid* + + It's trying to tell you the port is blocked - typically because + another copy of the agent is still running, left over from from a + previous testing run. + + If you type 'ps -ef' you should notice an orphaned process like: + + snmpd -d -r -U -P /tmp/snmp-test-5-27295/snmpd.pid... + + Kill this process. + + This could be happening for several reasons including: + + 1. You are trying to do concurrent runs of 'make test'. + + 2. On a slow machine, the agent might be taking too long to + start up. Try changing the value of the variable SNMP_SLEEP + in testing/RUNTESTS from 1 to something higher - say 3 or 5. + + + +CODING +====== + +How do I write C code to integrate with the agent? +------------------------------------------------- + + There are three main methods for integrating external C code + within the agent. The code can be compiled directly into the + agent itself, it can be loaded dynamically while the agent is + running, or it can be compiled into a separate application + (a "subagent") which communicates with the main master agent. + All three approaches have been touched on elsewhere within this FAQ. + + As far as the module code is concerned, all three mechanisms + use exactly the same module API. So a module developed for use + directly within the agent, could also be included within a subagent, + or loaded dynamically with no (or minimal) code changes needed. + + Most of this section is concerned with more detailed aspects + of developing such code - including the 'mib2c' tool, which can + handle generating a basic code framework for implementing a + given set of MIB objects. + + + +How does the agent fetch the value of a MIB variable from the system? +-------------------------------------------------------------------- + + That's typically the hardest bit of implementing a new MIB module, + and is the one thing that 'mib2c' can't help with. It very much + depends on the MIB variable concerned (and often the underlying + operating system as well). + + Relatively few MIB modules are completely self-contained, with all + the information held internally within the agent, and all updates + being done via SNMP requests. Such MIB modules can be implemented + fairly easily. + + More commonly, the agent needs to provide an SNMP-based interface to + information held elsewhere, perhaps in the operating system kernel or + some other application. Handling this is much more complex - since + a lot depends on what mechanisms are provided for retrieving (and + possibly updating) this information. The mib2c tool can generate code + for processing SNMP requests, based on some internal cache of management + information, but it cannot help with populating this cache with the + underlying data. That is up to the MIB implementer. + + See the existing MIB modules in the Net-SNMP source tree for various + examples of assorted approaches to this task. + + + +Mib2c complains about a missing "mib reference" - what does this mean? +--------------------------------------------------------------------- + + This basically means that it hasn't loaded the MIB file containing + the definition of the MIB subtree you're trying to implement. This + might be because it hasn't been installed, the name is wrong, or + (most likely), because it isn't in the default list. See the MIBS + section for more details, or the next entry for suitable invocations + of 'mib2c'. + + + +Mib2c complains about not having a "valid OID" - what does this mean? +--------------------------------------------------------------------- + + This probably means that you gave it the name of a MIB file (or + module), rather than the name of an object defined in that file. + Mib2c expects the name of a 'root' object, and will generate a + template for the sub-tree starting from there. + + If you've got a file 'MY-MIB.txt', defining the MIB module + 'MY-MIB' which contains a subtree based on the object 'myMib', + then you should invoke mib2c as + "mib2c .... myMib" + rather than + "mib2c .... MY-MIB.txt" + or "mib2c .... MY-MIB" + + Note that you'll probably also have to add your MIB to the list of + MIBs that are loaded automatically, in order for mib2c to recognise + the name of this object. So the command would typically be + "MIBS=+MY-MIB mib2c .... myMib" + or "MIBS=ALL mib2c .... myMib" + + + +Why doesn't mib2c like the MIB file I'm giving it? +------------------------------------------------- + + This is most likely the same problem as the previous entry. Mib2c + takes the name of a MIB _object_, not the name of a file (or MIB + module). Try using the name of the MODULE-IDENTITY definition. + + Another possibility is that the MIB may contain syntax errors. + Try running it through 'snmptranslate' or a dedicated SMI + validation tool (such as 'smilint' or the on-line interface at + http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/) + + + +Mib2c ignores my MIB and generates a pair of 'mib-2' code files. Why? +--------------------------------------------------------------------- + + This is usually a sign of the same problem as the previous entries, + giving mib2c the name of the file containing the MIB (or of the MIB + itself), rather than an object within it. + + Earlier versions of mib2c didn't detect this situation, and merrily + constructed a template for a default starting point of the mib-2 node. + + More recent versions complain about not having a valid OID instead. + + + +What's the difference between the various mib2c configuration files? +------------------------------------------------------------------- + + Most of the mib2c config files are concerned with implementing + MIB tables, and generate various alternative code templates. + These basically fall into four distinct categories. + + 'mib2c.raw-table.conf' is the lightest of the templates, and + just provides a fairly basic table framework. Most of the work + of implementing the table - detecting which row is required for a + given request, retrieving or updating the relevant column values, + and interacting with the underlying subsystem - are all left to + the MIB programmer. + + The second group of templates - 'table_data', 'container' and + 'tdata' - all share the same basic model (although the internal + details are rather different). The MIB implementer should define a + data structure to represent a row of the table, and the helper then + takes care of holding the table internally, as a collection of such + per-row data structures. This includes identifying which row is + required for a given request. Retrieving or updating the appropriate + column value is left to the MIB programmer, although the generated + framework includes most of the necessary code. + Allied to this is a fourth "internal data" mib2c configuration + file ('create-dataset') which handles the individual columns as + well. This is the closest to a Plug-and-Play configuration, and + the MIB implementer only needs to be concerned with any special + processing, such as linking the table with the underlying subsystem. + + The third style of mib2c config assumes that the table data is + held externally to the helper - either within the MIB module code + itself, or in the external subsystem. The generated code framework + includes routines to "iterate" through the rows of the table, with + the iterator helper simply deciding which row is required for a + particular request. Once again, the MIB programmer must handle + retrieving or updating the appropriate column value, although the + generated framework includes most of the necessary code. + There is a variant of this config ('iterate_access') which works + in basically the same way. However this tries to separate out the + standard processing, from the code that needs to be amended by the + programmer for retrieving and updating the individual column values. + + This is also the idea behind the final table-oriented mib2c config + template - 'mib2c.mfd.conf' (or "MIBs for Dummies"). This is a much + more flexible framework, which can be used with either internally + held data, or iterating through an external representation. The + distinguishing feature of this framework is that it separates out + standard and table-specific processing, at a much finer level of + detail than the others. + + + The other mib2c config templates are concerned with implementing + scalar objects ('scalar', 'int_watch'), code to generating traps + ('notify'), and various specialised requirements. There is also a + template ('old-api') to generate code suitable for the previous v4 + UCD agent - though this is not particularly complete or reliable. + It's probably better to use a pure v4 mib2c environment (or switch + wholeheartedly to the v5 style). + + + +Which mib2c configuration file should I use? +------------------------------------------- + + The answer to that heavily depends on the characteristics of the + MIB objects being implemented. Of the handler-based table frameworks, + 'tdata' is more appropriate for tables that can be stored (or a copy + cached) within the agent itself, while 'iterate' is more relevant to + reporting data from outside the agent. + The raw interface is only suitable in very specific circumstances, + so it's probably sensible to start with one of the other frameworks + first, and only look at this if none of the alternatives seem to work. + + The decision between the handler-based configs and MfD is more a + matter of the style of programming to use. Most of the frameworks + define a single handler routine to process an incoming request, so + all of the code is listed together, with the MIB programmer inserting + table-specific processing into this single block of code. + The MfD provides a series of individual object-specific routines, + each concerned with one very specific task, and hides as much as + possible from the programmer. + + If you like to understand the broad thrust of what's happening, + then one of the handler-based approaches would be the best choice. + If you prefer to concentrate on the nitty-gritty of a given table, + and are happy to trust that the rest of the processing will work + correctly, then the MfD framework would be more appropriate. + + For implementing a group of scalar objects, then the choice is + simple - use 'mib2c.scalar.conf'. Similarly, for generating traps + or informs, use 'mib2c.notify.conf'. But note that this only assists + with the code to actually generate the trap. It does not address the + issue of _when_ to send the trap. See the FAQ entry "How can I get + the agent to generate a trap?" for more information. + + + +How can I have mib2c generate code for both scalars and tables? +-------------------------------------------------------------- + + This uses a very powerful tool called a "text editor" :-) + + The mib2c tool uses separate configuration files to generate code + for scalar objects, and for tables. This means that it's not possible + to automatically generate a single code file that supports both scalars + and tables. + + Instead, the two code files need to be generated separately, and + then combined manually. This will typically mean copying the handler + routines for the scalar object(s) into the table file, and adding the + code to register these handler(s) to the table initialisation routine. + + + +Are there any examples, or documentation for developing MIB modules? +------------------------------------------------------------------- + + Many of the MIB modules shipped with the Net-SNMP agent still + use the v4 "traditional" MIB module API, but an increasing number + use one of the newer v5 helper-based handlers. All of these can + be found under 'agent/mibgroup' + + The 'tdata' helper is used in the new DisMan Event, Expression + and Schedule MIB modules (see 'disman/{event,expr,schedule}/*'). + The similar 'dataset' helper is used in the older DisMan Event + MIB implementation (see 'disman/mteEvent*') and the Notification + Log MIB (see 'notification-log-mib/*'), used by 'snmptrapd' to + log incoming traps. + + The basic iterator handler is used in the TCP and UDP table + implementations (mibII/tcpTable & mibII/udpTable), VACM context + handling (mibII/vacm_context) and various tables relating to agent + internals (agent/*). These show a number of different approaches + to using the iterator helper, so it's worth comparing them. + + The two examples/netSnmpHostsTable* modules provide a contrast + between the iterator and iterator_access helpers. + + There are several examples based on the MfD framework (see + '{if,ip,tcp,udp}-mib/'). Much of this code is not intended to + be viewed directly, but individual files are clearly commented + to distinguish between internal implementation and public code. + + The Net-SNMP agent does not currently include any MIB modules + using the array-user container-based helper. The best examples + of this are to be found in the net-policy project. + See http://net-policy.sourceforge.net/ + + + +Where should I put the files produced by 'mib2c'? +------------------------------------------------ + + If you're using the main source tree to compile your new module, then + put these two files (mymib.[ch]) in the directory 'agent/mibgroup'. + You should then re-run configure to add in your new module + configure --with-mib-modules=mymib + and recompile. + + If you've got a number of new modules to add, it might be + sensible to put them all into a single subdirectory of 'mibgroup'. + Then create a header file, listing the individual components. + This might look something like: + + config_require(mymib/myObjects) + config_require(mymib/myTable) + config_require(mymib/myOtherTable) + + If this was saved as the file 'mymib.h', then the same configure + line given above, would pull in all three modules. See the current + contents of 'agent/mibgroup' for examples of this. Note that the + MfD framework will generate a similar grouping automatically. + + + +Why doesn't my new MIB module report anything? +--------------------------------------------- + + There are probably four main reasons why a new MIB module isn't working. + Either it hasn't been included in the running agent, the code is present + but hasn't been initialised, the module has been initialised but the + handler isn't being called, or there's a problem with the module code itself. + + To check whether the code files are being compiled, the easiest approach is + simply to look at the directory where the code is located. When the agent is + compiled, this should produce .o files (and probably .lo files) corresponding + to the C code files for this module. Alternatively, run 'nm' (or 'strings') + on the MIB module library (libnetsnmpmibs), and look for the names of the + initialisation routines or handlers (or the text of any messages displayed by + the module code). + + One other thing to check is whether you have multiple copies of the software + installed on the system. This is a particular problem when compiling from + source (to include your new module), without first removing any vendor-supplied + version of the agent (which won't include this new code). + + + Assuming that you have confirmed that the module code is present in the agent, + the next step is to check whether the initialisation routine is being called + to register the MIB objects. The simplest way to do this is to include a + suitable debugging statement within the initialisation routine, and start + the agent with the corresponding '-Dtoken'. Alternatively, try walking the + nsModuleName column object, and look for mention of the new MIB module. + + + Assuming the module has been registered, the next step is to check whether + the handler is being called, when the agent receives a suitable SNMP request. + Again, the simplest way to do this is to include debugging statements within + the handler routine, and start the agent with the corresponding '-Dtoken'. + Then issue an "snmpget" request for an instance within the new MIB module. + (This command is preferable to the usual "snmpwalk" command, as it is more + closely focused on the MIB module in question). + + If this indicates that the handler routine isn't being called, then there are + two main likely causes. Firstly, check the access control settings. If these + are configured to block access to this portion of the OID tree, then the MIB + handler will never be called. Secondly, several of the table helpers are + designed to know which rows of the table are valid, and will call the main + MIB handler with information about the relevant row. If the requested row is + not valid (or the table is empty), then the handler will not be called. + + + Finally, if the handler _is_ being called, but is still not returning any + information, then the cause probably lies with your MIB module code. In which + case, it's really up to you to find the problem and fix it! Either activate + any debugging code that you have included within the handler routine, or run + the agent under a source code debugger, and step through the handler processing. + In either case, it's much easier to debug these problems when processing an + "snmpget" request, rather than "snmpgetnext" or "snmpwalk". + + Remember that 'mib2c' simply generates template code for your MIB module. + It's up to you to fill in the details, to report the actual information from + whatever underlying subsystem is being monitored. Mib2c cannot help with + the semantics of the MIB module - it's purely there to provide an initial + code framework, based on the _syntax_ of the MIB module objects. + + + +Why does the iterator call my get_{first,next} routines so often? +----------------------------------------------------------------------- + + The first thing to realise is that the 'get_first' and 'get_next' + hook routines are concerned with processing a single SNMP request, not + with walking the whole table. A full "snmpwalk" command will typically + involve a series of individual 'GetNext' requests, and every one of + these will trigger a separate 'get_first/get_next/get_next/....' cycle. + + It's usually more efficient to use 'snmptable' which will walk + each column in parallel (as well as displaying the results in a + more natural manner). + + Secondly, the iterator helper was originally designed to handle + unsorted data, so will look at every row of the internal table for + each request. If the data is actually held in the correct order, + then it's worth setting the NETSNMP_ITERATOR_FLAG_SORTED flag: + iinfo = SNMP_MALLOC_TYPEDEF(netsnmp_iterator_info); + iinfo->flags |= NETSNMP_ITERATOR_FLAG_SORTED; + This will help the situation somewhat. + + But the iterator helper is inherently a relatively inefficient + mechanism, and it may be worth looking at one of the other helpers, + particularly if the data will be held within the agent itself. + + + +How can I get the agent to generate a trap (or inform)? +------------------------------------------------------ + + There are two aspects to having the agent generate a trap - + knowing *how* to do this, and knowing *when* to do so. + + Actually generating a trap is reasonably simple - just call one + of the trap API routines ('send_easy_trap()' or 'send_v2trap()') + with the relevant information (generic and specific trap values, + or a varbind list respectively). + + The 'mib2c.notify.conf' configuration file can be used to + construct a suitable template routine for generating a trap, + including building the variable list from the MIB trap + definition. These variables can then be given suitable values, + before invoking the 'send_v2trap()' call to actually send the trap. + See the 'snmp_trap_api(3)' man page for further details. + + Note that these APIs are only available within the agent (or + subagents), and are not available to stand-alone applications. + The code for 'snmptrap' shows an approach to use in such a case. + + + Determining *when* to generate the trap (either directly or + via the mib2c-generated routine) is often harder. If the trap + is generated in response to some action within the agent, (e.g. + as the result of a SET), then this isn't too much of a problem. + + But if the trap is intended to report on a change of status + (e.g. a network interface going up or down, or a disk filling up), + then actually detecting this is non-trivial. Unless the underlying + system can signal this situation to the agent, then it's typically + necessary to poll the value(s) on a regular basis, save the results + and compare them with the new values the next time round. + + The simplest way to handle this is via the DisMan Event MIB, + which is designed for exactly this purpose. As long as you can + specify a MIB object to monitor, and the value or thresholds + that should trigger a notification, then this module can check + these values regularly, and automatically send a suitable trap + when appropriate. See the 'snmpd.conf(5)' man page (under + ACTIVE MONITORING) for details. + + Otherwise, you'd need to use the routines documented in + 'snmp_alarm(3)' to regularly invoke a monitoring routine. This + would check the necessary conditions (which need not be MIB + objects), and call the 'send_xxx_trap()' routine (as generated + by 'mib2c.notify.conf') when appropriate. + + + +How can I get an AgentX sub-agent to generate a trap (or inform)? +---------------------------------------------------------------- + + This is done in exactly the same manner as with the main SNMP agent. + Calling one of the routines described in 'snmp_trap_api(3)' will cause + the AgentX sub-agent to send a notification to the master agent, which + will then pass this on to the configured trap destination(s). + + One of the original design aims of the Net-SNMP AgentX support was that + the agent (or subagent) framework should be transparent to a MIB module + implementer. The interface between the agent framework and a MIB module + should be independent of the protocol used to receive the original request. + So the exact same MIB module code could be used within a traditional + SNMP-only agent, or an AgentX subagent, with no changes needed. + + This also holds for sending traps. + + + +How can I get the agent to send an SNMPv1 (or SNMPv2c) trap? +----------------------------------------------------------- + + It doesn't make any difference whether you use the v1-style + API call 'send_easy_trap()' or the v2-style 'send_v2trap()'. + What matters is the directive(s) in the snmpd.conf file. + + If this file contains 'trapsink', then the agent will send + an SNMPv1 trap. If this file contains 'trap2sink', then the + agent will send an SNMPv2c trap. And if this file contains + both, then the agent will send *two* copies of this trap. + + See the entry + Where are these traps sent to? + in the AGENT section for details. + + + +How can I get the agent to include varbinds with an SNMPv1 trap? +--------------------------------------------------------------- + + There are two ways to do this. You can either use the + 'send_v2trap()' call and give a varbind list, starting with + the v2-equivalent of the SNMPv1 trap, followed by the + additional varbinds. + + Alternatively, you can use the API call 'send_trap_vars()' + which takes the same generic/specific trap values as + 'send_easy_trap()', plus the list of additional varbinds. + + In either case, you also need to have 'trapsink' in the + snmpd.conf file. The resulting trap will be identical, + whichever approach is used. + + + +How can I get the agent to send an SNMPv1 enterprise-specific trap? +------------------------------------------------------------------ + + There are two ways to do this. You can either use the + 'send_v2trap()' call and give a varbind list, starting + with the v2-equivalent of the SNMPv1 trap, followed by the + additional varbinds. + + Alternatively, you can use the (undocumented) API call + 'send_enterprise_trap_vars()' which takes the same parameters + as 'send_trap_vars()', plus the enterprise OID to use (in the + usual name/length form). See the code file 'agent_trap.c' + + In either case, you also need to have 'trapsink' in the + snmpd.conf file. The resulting trap will be identical, + whichever approach is used. + + + +How can I get the agent to send an SNMPv3 trap (or inform)? +---------------------------------------------------------- + + It doesn't matter which API call you use to specify the + trap - 'send_easy_trap()', 'send_v2trap()' or one of the other + calls mentioned above. Generating an SNMPv3 notification + (rather than a community-based one) is controlled by the + snmpd.conf file. + + To send an SNMPv3 trap, this file should contain a + 'snmpsess' directive, specifying the version, security + level, user name and passphrases (if applicable), as + well as the destination address. This is basically + the same as the command line required for sending the + trap manually, using 'snmptrap'. + + Note that (unlike 'snmptrap') this directive does *not* + read default settings from an 'snmp.conf' file, so these + must be specified explicitly in the 'snmpsess' line. + + + +Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)? +---------------------------------------------------------------------- + + The two versions of the trap API calls are concerned with how + the trap is represented when it is passed *in* to the API, not + the version of the trap PDU that will actually be generated by + the agent. That is determined by the configuration token used + to set up the trap destination. + + Remember that in general, all traps are sent to all destinations. + This means that a trap specified using the SNMPv1 trap syntax + needs to be converted to the SNMPv2 format before it can be sent + to an SNMPv2 (or SNMPv3) destination. Similarly, a trap specified + using the SNMPv2 syntax needs to be converted to the SNMPv1 format + before it can be sent to an SNMPv1 sink. + + Essentially, the API call to use depends on what you asking for, + which is not necessarily what the recipients will actually get! + See 'snmp_trap_api(3)' for a fuller explanation. + + + +How can I register a MIB module in a different (SNMPv3) context? +--------------------------------------------------------------- + + Contexts are a mechanism within SNMPv3 (and AgentX) whereby + an agent can support parallel versions of the same MIB objects, + referring to different underlying data sets. By default, a MIB + module registrations will use the default empty context of "". + But it's also possible to provide MIB information using a different + (non-default) context. + + There are three aspects involved in doing this. Firsly, it's necessary + to register the MIB module in this non-default context. With the v4 API, + this uses the call 'register_mib_context()' rather than the REGISTER_MIB + macro. This is significantly more detailed, but most of the additional + parameters can take fixed values, if all that's needed is to change the + registration context. + + Instead of the macro call: + REGISTER_MIB("my_token", my_variables, variable1, my_variables_oid); + use the function call: + register_mib_context( "my_token", + my_variables, sizeof(variable1), + sizeof(my_variables)/sizeof(variable1), + my_variables_oid, + sizeof(my_variables_oid)/sizeof(oid), + DEFAULT_MIB_PRIORITY, 0, 0, NULL, + "my_context", -1, 0); + + Things are much easier with the v5 helper-based API. Having + created the registration structure, this just requires setting the + 'contextName' field before actually registering the MIB module: + netsnmp_handler_registration *reg; + reg = netsnmp_create_handler_registration(.....); + reg->contextName = strdup("my_context"); + netsnmp_register_handler(reg); + + + Secondly, it is necessary to configure the access control settings to allow + access to information in the new context. This is handled automatically + when using the simple "rouser" or "rwuser" directives. But if access control + is configured using the fuller com2sec/group/view/access mechanism, then the + "access" line must specify the appropriate context(s), either explicitly: + + access {group} "my_context" any noauth exact ...... + + or using a single entry to cover all possible contexts: + + access {group} "" any noauth prefix ...... + + + Finally, the SNMP request used to retrieve (or update) the information + must also specify the required context. With SNMPv3 requests, the context + is part of the protocol, so this can be done using a command-line option: + + snmpwalk -v 3 -n my_context ..... + + With community-based requests (SNMPv1 and SNMPv2c), things aren't so simple. + Although the "rocommunity" and "rwcommunity" settings also configure access + for all possible contexts, there's no way to specify a non-default context + as part of the request. + + The only way to handle non-default contexts with community-based SNMP requests + is to set up a mapping from the community string to the desired context. This + uses the "com2sec" directive, with an additional "-Cn" parameter. Note that + this also means that the access control must be configured using the full + com2sec/group/view/access mechanism. The short-form access control directives + do not handle the mapping of community strings to non-default contexts. + + + +MISC +====== + +What ASN.1 parser is used? +------------------------- + + The parser used by both the agent and client programs is coded by hand. + This parser has recently been re-vamped to allow control of which of + the available MIBs should be included, and to handle duplicate object + subidentifiers. + The source code can be found in the snmplib directory (in 'parse.c'), + and the parser is usually bundled into the library 'libnetsnmp.a' + + Note that the parser attempts to be fairly forgiving of some common + errors and incompatibilities in MIB files. The Net-SNMP tools accepting + a MIB file without complaint does *not* imply that the MIB is strictly + correct. + Certain MIBs may need some amendments to allow them to be read + correctly by the parser. Contact the coders' list for advice. + + + +What is the Official Slogan of the net-snmp-coders list? +------------------------------------------------------- + + "The current implementation is non-obvious and may need to be improved." + (with thanks to Rohit Dube) + + And an alternate, added 26-Apr-2000: + + "In theory, it shouldn't be that hard, but it just needs to be done." + + + |