Howto:SNMPv3

From innovaphone wiki
Jump to navigation Jump to search

Testing SNMPv3 from a Linux host

The following tests are based on Debian 9.

snmpwalk

Under Linux you can use snmpwalk to check the connection and read the OID tree. Replace the variables in the square brackets with the values of the snmp configuration on the innovaphone gateway.

  1. snmpwalk -v 3 -a SHA -A [Password(Auth)] -l authPriv -u [User] -x AES -X [Password(Crypt)] [IP address]

SNMPv3 Traps

Under Linux you can receive SNMPv3 traps using snmptrapd. The following example shows a snmptrapd.conf in /etc/snmp/. Replace the variables in the square brackets with the values of the snmp configuration on the innovaphone gateway. createUser -e [engineID] [User] SHA [Password(Auth)] AES [Password(Crypt)] authUser log,execute,net [User] priv


Now the snmptrapd daemon must be activated and started.

  1. systemctl enable snmptrapd.service
  2. systemctl start snmptrapd.service


After a restart of the snmptrapd daemon it should listen on Port 162 and you can receive the traps in syslog. Also make sure that the Linux firewall does not block ports 161 and 162.

  1. netstat -ntulp | grep :162

udp 0 0 0.0.0.0:162 0.0.0.0:* 28086/snmptrapd

  1. tail -f /var/log/syslog


Alternatively you can start snmptrapd directly from the command line. The events are displayed directly on the console. The snmptrapd service must be stopped before.

  1. systemctl stop snmptrapd.service

  1. snmptrapd -f -Lo

Important Note: After each change to /etc/snmp/snmptrap.conf, you must also clean up /var/lib/snmp/snmptrapd.conf (or /var/net-snmp/snmptrapd.conf). Scroll down! There are many blank rows in it. This persistent file is automatically created and used when smnptrapd starts, but is not automatically cleaned. Because of the required write permissions to this directory, snmptraced must be started as root.


Helpful documents

http://net-snmp.sourceforge.net/wiki/index.php/TUT:Configuring_snmptrapd_to_receive_SNMPv3_notifications

https://support.nagios.com/kb/article/snmp-trap-snmptrapd-service-88.html


Testing from a Windows host

iReasoning MIB Browser Professional could be a good choice. The program also includes a SNMPv3 Trap Recorder.

Decoding of encrypted SNMPv3 packets in Wireshark

Encrypted SNMPv3 packets can be decrypted by setting the credentials in the Wireshark Protocol Preferences.

Wireshark snmp decode.jpg