Howto:SNMPv3
Testing SNMPv3 from a Linux host
The following tests are based on Debian 9.
snmpwalk
Under Linux you can use snmpwalk to check the connection and read the OID tree. Replace the variables in the square brackets with the values of the snmp configuration on the innovaphone gateway.
- snmpwalk -v 3 -a SHA -A [Password(Auth)] -l authPriv -u [User] -x AES -X [Password(Crypt)] [IP address]
SNMPv3 Traps
Under Linux you can receive SNMPv3 traps using snmptrapd. The following example shows a snmptrapd.conf in /etc/snmp/. Replace the variables in the square brackets with the values of the snmp configuration on the innovaphone gateway.
createUser -e [engineID] [User] SHA [Password(Auth)] AES [Password(Crypt)]
authUser log,execute,net [User] priv
Now the snmptrapd daemon must be activated and started.
- systemctl enable snmptrapd.service
- systemctl start snmptrapd.service
After a restart of the snmptrapd daemon it should listen on Port 162 and you can receive the traps in syslog. Also make sure that the Linux firewall does not block ports 161 and 162.
- netstat -ntulp | grep :162
udp 0 0 0.0.0.0:162 0.0.0.0:* 28086/snmptrapd
- tail -f /var/log/syslog
Alternatively you can start snmptrapd directly from the command line. The events are displayed directly on the console. The snmptrapd service must be stopped before.
- systemctl stop snmptrapd.service
- snmptrapd -f -Lo
Important Note: After each change to /etc/snmp/snmptrap.conf, you must also clean up /var/lib/snmp/snmptrapd.conf (or /var/net-snmp/snmptrapd.conf). Scroll down! There are many blank rows in it. This persistent file is automatically created and used when smnptrapd starts, but is not automatically cleaned. Because of the required write permissions to this directory, snmptraced must be started as root.
Helpful documents
https://support.nagios.com/kb/article/snmp-trap-snmptrapd-service-88.html
Testing from a Windows host
iReasoning MIB Browser Professional could be a good choice. The program also includes a SNMPv3 Trap Recorder.
Decoding of encrypted SNMPv3 packets in Wireshark
Encrypted SNMPv3 packets can be decrypted by setting the credentials in the Wireshark Protocol Preferences.