net-snmp-coders — Discussion of internal project coding (Please use this OR -users, NOT both!)

Re: Varbind orfer in SNMP TRAP's

[Bill F. <fe...@gm...>]

On Thu, Oct 28, 2021 at 6:01 PM Fulko Hew <ful...@gm...> wrote:

>
>
> On Thu, Oct 28, 2021 at 5:23 PM Craig Small <csmall@dropbear.xyz> wrote:
>
>> On Fri, 29 Oct 2021 at 05:14, Feroz <fer...@gm...> wrote:
>>
>>> hi,
>>> Is it necessary to maintain any specific order in SNMP TRAP for varbinds?
>>>
>> For the first two, yes.
>>
>
> I always followed the principles of:
> 1/ least surprise
> 2/ Be precise in what you send, and forgiving in what you receive.
>
> Having said that, reading that the first 'two varbinds are the uptime and
> trapOID respectively'
> and that a MIB source file lists the varbind in some order... Why not send
> them in the order shown?
> Why randomize?  (ie. the principle of least surprise)
>

https://datatracker.ietf.org/doc/html/rfc3416#section-4.2.6 may not use
MUST but does use some pretty specific words with easily understood
meanings:

        If the OBJECTS clause is present in the invocation of
   the corresponding NOTIFICATION-TYPE macro, then each corresponding
   variable, as instantiated by this notification, is copied, in order,

   to the variable-bindings field.


To me it is pretty clear that the explicit inclusion of "in order" in this
sentence means that the ordering in the NOTIFICATION-TYPE macro in the MIB
module is the ordering that should be used in the Trap-PDU.

Section 4.2.6 continues:

             If any additional variables are
   being included (at the option of the generating SNMP entity), then
   each is copied to the variable-bindings field.


This addresses one of the points that Fulko mentioned - that an
intermediate proxy might add varbinds - BUT it also covers the case where
the originating agent is supplying additional varbinds beyond those
mentioned in the MIB.  One of our customers reported that their NMS stopped
displaying all of the trap variables when it loaded the MIB module - i.e.,
it only displayed the varbinds defined in the NOTIFICATION-TYPE macro.  But
the spec is clear that an agent has the option of adding additional
varbinds, and it's worth remembering this.

  Bill

Re: Varbind orfer in SNMP TRAP's

[Fulko H. <ful...@gm...>]

On Thu, Oct 28, 2021 at 5:23 PM Craig Small <csmall@dropbear.xyz> wrote:

> On Fri, 29 Oct 2021 at 05:14, Feroz <fer...@gm...> wrote:
>
>> hi,
>> Is it necessary to maintain any specific order in SNMP TRAP for varbinds?
>>
> For the first two, yes.
>

I always followed the principles of:
1/ least surprise
2/ Be precise in what you send, and forgiving in what you receive.

Having said that, reading that the first 'two varbinds are the uptime and
trapOID respectively'
and that a MIB source file lists the varbind in some order... Why not send
them in the order shown?
Why randomize?  (ie. the principle of least surprise)

And, regardless if they are sent in the order specified (why not?),
if you were to implement a receiver, you certainly couldn't go wrong by
'accepting' them
in any order. (principle #2).  After all, each variable _does_ come with
it's OID
(rather than just a simple pre-ordered list of values).


The other things to keep in mind are that:
a) some traps do not have a varbind list defined in the MIB, and yet send
varbinds anyway.
   (so there wasn't an order to follow)
   (but then again, the guy writing the MIB did a poor job in the first
place!)

b) there may be a trap re-writter in the middle between the sender and the
receiver.
   And that man-in-the-middle may add additional (unexpected/undocumented)
varbinds
   on the end of the original trap.  (And heck, if they can add stuff onto
the end,
   I wouldn't be surprised anymore to see someone shuffle the original
list, or throw new
   stuff anywhere in between.)


[I've seen both done 'in the real world', and I've cursed the
people/companies involved.]

Is snmptls still used?

[Craig S. <cs...@dr...>]

Hi,
  Currently Debian ships snmptls.  The lintian checker flagged that this
program doesn't have a manual page so I have written one.  The issue is, I
don't think the program is actually finished which makes me wonder does
anyone use it? In that case, is it worthwhile to ship it with the Debian
packages?

Specifically, the targetAddr sub-comand cannot work as it is missing lines
to parse argv correctly.
The help option says:
    targetAddr add <target-name> <hashType> [<hash_type>
<remote-fingerprint>] [server-identity]
But the code only imports argv once, for addr_name (which I assume is
target-name).
snmptls isn't mentioned on the Wiki either.

 - Craig
--

Craig Small             https://dropbear.xyz/  csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/
<http://www.debian.org/>  csmall at : debian.org
GPG fingerprint:     5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Re: Varbind orfer in SNMP TRAP's

[Craig S. <cs...@dr...>]

On Fri, 29 Oct 2021 at 05:14, Feroz <fer...@gm...> wrote:

> hi,
> Is it necessary to maintain any specific order in SNMP TRAP for varbinds?
>
For the first two, yes.


> e.g: "sysUpTime.0" should be the first one followed by "snmpTrapOID.0"
> then the actual data varbinds.
>
RFC 1905[1] section 4.2.6:
"The first two variable bindings in the variable binding list of an
SNMPv2-Trap-PDU are sysUpTime.0 [9] and snmpTrapOID.0 [9] respectively."

I've always assumed anything else comes at me randomly though the same
section talks about an OBJECTS clause and things being copied in order.
The other problem is neither RFC 1905 or RFC 3416 (which updates it) use
RFC 2119/8174 keywords (e.g. SHOULD MUST).
That kinda makes it hard to say if something is compliant or not, and let's
face it a lot of vendors do SNMP badly.

If I was implementing something, I would
 * for the sender: make sure my sysUpTime and snmpTrapOID were in positions
1 and 2 because I'd be trying not to be on the list of "vendors who do SNMP
badly".
 * for the receiver: not make that assumption and check the varbinds OID to
determine what it really is; possibly bin it if the trap OID is not #2
(this would probably depend on how I'm doing my parsing).

There are people here with *way* more RFC/implementation experience than me
here, but I think that is correct.

 - Craig

1: https://datatracker.ietf.org/doc/html/rfc1905
9: https://datatracker.ietf.org/doc/html/rfc1907

Varbind orfer in SNMP TRAP's

[Feroz <fer...@gm...>]

hi,
Is it necessary to maintain any specific order in SNMP TRAP for varbinds?

e.g: "sysUpTime.0" should be the first one followed by "snmpTrapOID.0" then
the actual data varbinds.

*Detailed Varbinds:*

User Datagram Protocol, Src Port: 44724, Dst Port: 162
Simple Network Management Protocol
    version: v2c (1)
    community: public
    data: snmpV2-trap (7)
        snmpV2-trap
            request-id: 13413237
            error-status: noError (0)
            error-index: 0
            variable-bindings: 4 items
                *SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 16516*
                *SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0):
1.3.6.1.4.1.x.4.1.1.3.11.5.0.1*
                ABCD-MIB::arubaWiredFanName
(1.3.6.1.4.1.x.4.1.1.3.11.5.1.1.4): DATA_1
                ABCD-MIB::arubaWiredFanState
(1.3.6.1.4.1.x.4.1.1.3.11.5.1.1.5): DATA_2




-- 
Regards,
Feroz Ahmed

Re: How to support SNMPv2 mib traps per VRF.

[Bill F. <fe...@gm...>]

On Wed, Oct 20, 2021 at 5:00 AM chandrasekharreddy chinnapareddygari <
cha...@ho...> wrote:

> Spell check has done in line.
> ------------------------------
> *From:* chandrasekharreddy chinnapareddygari <cha...@ho...
> >
> *Sent:* Wednesday, 20 October, 2021, 14:15
> *To:* net...@li...;
> net...@li...
> *Subject:* How to support SNMPv2 mib traps per VRF.
>
> Hi ,
>
>
> We are supporting Multiple snmp servers (snmp server for each VRF).I want
> to enable authenticationfailure traps for each VRF.
>
> Net-snmp has inbuilt token authtrapenable .Authentication Failure traps
> are sending to the receivers ,If authtrapenable is set to 1 in
> /etc/snmp/snmpd.conf .
>
> But, /etc/snmp/snmpd.conf file is common file for all  VRFs. My
> requirement is trapsinks ,  ,authentication failure traps status , cold
> start and  warm start traps should be per VRF.
>
>
> I have tried with adding authtrapenable 1 token in snmp.conf file. Which
> is local for each VRF. But snmpwalk output of snmpEnableAuthenTraps Oid is
> returning as disable(2).
>

How are you getting snmpd to load the per-VRF snmp.conf?  Have you tried
prefixing it with [snmpd], i.e.,

[snmpd] authtrapenable 1

in the snmp.conf (or maybe some other per-VRF config file)?

  Bill

Need help regarding writing AgentX for support SNMP V3 Which running with Apache 2.4 Service.

[Suresh <skj...@ho...>]

Hi All
My C++ application running(on windows-64 bit application  with Apache 2.4 (Daemon )and this application support only SNMP V1 V2 using net-snmp API our C++ application get snmp call (for SNMPGET,SNMP walk using Windows OS provided SNMP Service using ExtensionAgents C:\Windows\system32\snmp.exe,-)  by adding my service community string in sercurity string like "xyz".



Since windows OS SNMP Aget service never provide support for SNMP V3 so we need to support SNMP V3 in our application.
So we need to write our own Agentx Which running with our application stack (like only walk/get on appliation mibs not for trap)not with net-snmp Daemon like snmpd.



Can someone light me how we can go head ,



Is snmpd need to run for master Agent then how master agent and sub Agent communicate when master Agent get request for our enterprise specific get/walk request.
Is MIB2c require for convert (Table/scalar) or generating code(because our enterprise specific MIB code will need run with our services not which Net-SNMP Daemon)
What configuration require in snmd.conf file getting  snmpget/walk call for our enterprise specific MIB.


Thanks
Suresh

Re: using net-snmp at scale with one process and one socket

[Wes H. <har...@us...>]

Neil Mckee <nei...@gm...> writes:

> You are very welcome. Let me know if you want to discuss any of the
> particulars.

Well, the biggest question in my mind is: are you willing to contribute
the patches back?

It's unclear if any of them break backwards compatability (which we
always strive for), but certainly many of them would not.

> Adding or importing your favorite tree implementation to the library
> would be a lot of new code

Well, there's one issue: lots of new code means bigger applications and
we do strive to be small to run on small devices.  That being said, the
sliding definition of "small" has certainly increased in size over time
with the continued increase of storage/memory availability in even the
smallest devices.


-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: When exactly the response is received from node 2 ?

[Wes H. <har...@us...>]

Nishant Nayan <nay...@gm...> writes:

> Hi, you please explain what does the below line means in snmpd.conf ?

In this case the client (snmpget) is sending the request to the agent on
the localhost with a specific context in the message (ctx_remote).  The
agent, with this configuration that indicates anything coming in with
that context within the specified portion of the OID tree (.1.3.6.1)
should be forwarded, then forwards that request to node2 in order to get
the answer for it.  Once the middle-agent on localhost receives the
answer, it constructs the finale reply to send to the client and sends
it.

> Also what exactly does "com2sec -Cn ctx_remote  notConfigUser   default cmty_remote1"
> means?

You should read this page for information about access control
configuration:

https://net-snmp.sourceforge.io/wiki/index.php/Vacm
-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: When exactly the response is received from node 2 ?

[Nishant N. <nay...@gm...>]

Hi, you please explain what does the below line means in snmpd.conf ?

" proxy -Cn ctx_remote -v1 -c public <ip of node2>:161 .1.3.6.1 "
ctx_remote is defined by the line :-
com2sec -Cn ctx_remote  notConfigUser   default cmty_remote1

On node 1 when I run "snmpget -v1 -c cmty_remote1 localhost
SNMPv2-MIB::sysName.0 " , I get the sysName of Node2 even though I have
mentioned " localhost " in command.

Can you please clarify what is the flow here?
where the request goes, who receives it, who sends the response here?
Also what exactly does "com2sec -Cn ctx_remote  notConfigUser   default
cmty_remote1" means?
A high level overview of this scenario will be highly appreciated.

Regards
Nishant


On Mon, 6 Sept 2021 at 19:26, Bill Fenner <fe...@gm...> wrote:

> On Sun, Sep 5, 2021 at 9:59 AM Nishant Nayan <nay...@gm...>
> wrote:
>
>> My aim is to know how various parameters like errorstat and errindex etc.
>> are set from response.
>>
>> For an example command :
>> snmpget -v1 -c cmty_remotehost1 localhost SNMPv2-MIB::sysName.1
>> SNMPv2-MIB::sysDescr.0 SNMPv2-MIB::sysObjectID.0
>>
>> SNMPv2-MIB::sysName.1 being an incorrect oid
>>
>
> I like to add "-Ddumpv,dumph" to get details of the messages that are
> being send and received.  Try running your get with that debugging to see
> if the output helps you understand where each field comes from.  (You can
> change it to just "-Ddump" to also get a hex dump, which you may be able to
> compare with the data field you see in your debugger).
>
> Each field in the packet is encoded using ASN.1, which is more or less a
> type/length/value encoding, but is fairly complex.  If you're trying to
> create your own packets, please see if it's feasible to use an existing
> ASN.1 encoder, because there have historically been many bugs in ASN.1
> parsing and encoding so it's best to use a well-tested implementation.
>
> Also, if you want to know what the SNMP protocol is doing, as opposed to
> what the helpful snmpget command is doing, you should add "-Cf" to the
> snmpget command line - when snmpget gets an error like this, it'll strip
> out the bad object and try again so that it gets the data that may exist,
> but that is not how SNMP works per se - that is how snmpget works.
>
>   Bill
>
>

Re: How to support SNMPv2 mib traps per VRF.

[chandrasekharreddy c. <cha...@ho...>]

Spell check has done in line.
________________________________
From: chandrasekharreddy chinnapareddygari <cha...@ho...>
Sent: Wednesday, 20 October, 2021, 14:15
To: net...@li...; net...@li...
Subject: How to support SNMPv2 mib traps per VRF.

Hi ,


We are supporting Multiple snmp servers (snmp server for each VRF).I want to enable authenticationfailure traps for each VRF.

Net-snmp has inbuilt token authtrapenable .Authentication Failure traps are sending to the receivers ,If authtrapenable is set to 1 in /etc/snmp/snmpd.conf .

But, /etc/snmp/snmpd.conf file is common file for all  VRFs. My requirement is trapsinks ,  ,authentication failure traps status , cold start and  warm start traps should be per VRF.


I have tried with adding authtrapenable 1 token in snmp.conf file. Which is local for each VRF. But snmpwalk output of snmpEnableAuthenTraps Oid is returning as disable(2).





Please help me to resolve above  issues.













Thanks,
Chandra.

How to support SNMPv2 mib traps per VRF.

[chandrasekharreddy c. <cha...@ho...>]

Hi ,


We a supporting Multiple snmp servers (snmp server for each VRF).I want to enable authenticationfailure traps for each VRF.

Net-snmp has inbuilt token authtrapenable .Authentication Failure traps are sending to the receivers ,If authtrapenable is set to 1 in /etc/snmp/snmpd.conf .

But,/etc/snmp/snmpd.conf file is common file for multiple VRFs. My requirement is trapsinks ,  ,authentication failure traps, cold start, warm start traps should be per  VRF.


I have tried with adding authtrapenable 1 token in snmp.conf file. Which is local for each VRF. But snmpwalk output of snmpEnableAuthenTraps Oid is returning as disable(2).





Please help me to resolve issues.













Thanks,

Chandra Sekhar.

Re: using net-snmp at scale with one process and one socket

[Neil M. <nei...@gm...>]

You are very welcome. Let me know if you want to discuss any of the
particulars.  For example, it seems like snmpusm.c is also trying to
please the SNMPv3 user MIB by getting everything in the right order
for GETNEXT there.  So my use of a hash-table breaks that,  but that's
OK for me because I am only using the library as a client.  I did
wonder if using something like a red-black tree with a carefully
crafted sort function would allow efficient lookup without breaking
the ordering,  but it was hard to make the logic turn out exactly the
same as it is now (e.g. I think it would require great care to make
sure an entry is removed and added again if it is ever modified in
situ).

Adding or importing your favorite tree implementation to the library
would be a lot of new code,  but could also be used to store
outstanding requests sorted by monotonic-clock "due" time,  which
helps to streamline the timeout mechanism when there are
hundreds/thousands of concurrent requests.

On balance,  however,  it doesn't seem like there is a case for
rocking the boat - especially when most client use-cases (perl,
python, snmpwalk etc.) make only one request in the life cycle of a
session. Plus it looks like you now have to consider multiple threads
too, so using more complex data-structures is hard.  I guess if you
decided to carve out a single-session, single-threaded client API then
it would be more tunable, but as long as the package is also an agent
and is also multi-threaded then it seems like your hands are tied? I
certainly won't object if nothing changes.


On Mon, Oct 18, 2021 at 10:30 AM Wes Hardaker
<har...@us...> wrote:
>
> Neil Mckee <nei...@gm...> writes:
>
> > This may have been covered many times before,  but just in case it
> > helps someone, here is a summary of my experience with using net-snmp
> > in a large network.
>
> Thank you for the very useful list of changes.
> --
> Wes Hardaker
> Please mail all replies to net...@li...

Re: using net-snmp at scale with one process and one socket

[Wes H. <har...@us...>]

Neil Mckee <nei...@gm...> writes:

> This may have been covered many times before,  but just in case it
> helps someone, here is a summary of my experience with using net-snmp
> in a large network.

Thank you for the very useful list of changes.
-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: Interfacing Net-SNMP with Pi running Ubuntu 21.04

[Wes H. <har...@us...>]

Andrew Mwakibinga <amw...@en...> writes:

>                I have been having difficulty getting custom MIB OIDs to show up, when I
> perform SNMPGET/SET/WALK commands.

If (and only if) I understand you problem, you need to put the MIB file
into a place where snmpget/set/walk can find and read it.  And then set
your MIBS environment variable to be correct to.  So putting it in
/usr/local/share/snmp/mibs was the right first start, but you also need
to set the MIBS environment variable to be "+PERSONAL-MIB" or whatever
you called it (note you need the leading +)
-- 
Wes Hardaker
Please mail all replies to net...@li...

Interfacing Net-SNMP with Pi running Ubuntu 21.04

[Andrew M. <amw...@en...>]

PROPRIETARY

Greetings,
               I have been having difficulty getting custom MIB OIDs to show up, when I perform SNMPGET/SET/WALK commands. I have modified the snmpd.conf file to have the line "rocommunity public localhost" in case this a permissions issue. I have my created MIB located in /usr/local/share/snmp/mibs and my .c/.h files in /agent/mibgroup/personal-mib/. The configure line I used was  ./configure -with-mib-modules="personal-mib/personal" -disable-embedded-perl -without-perl-modules. I have been able to compile and run the same .c/.h files on a Centos OS & I was able to see my custom OIDs. Any advice would be appreciated, thanks for your time.
Andrew Mwakibinga
Software Engineer

[cid:image001.png@01D7C0E6.7D6103C0]

Envistacom, LLC
C: 845.392.8856
amw...@en...<mailto:amw...@en...>
www.envistacom.com<https://www.envistacom.com/>

--- CONFIDENTIALITY NOTICE: This email and any attachments are for the exclusive and confidential use of the intended recipient. If you are not the intended recipient, please do not read, distribute or take action in reliance upon this message. If you have received this in error, please notify us immediately by return email and promptly delete this message and its attachments from your computer system.

Re:

[Pushpa T. <pus...@gm...>]

Hi Larry Hayes,

Yes.  I have configured wireshark properly.
I have configured the wireshark to accept trap of credentials MD5+128 just
to verify settings are correct.

root#
root:~# snmptrap -v 3 -n "" -a MD5 -A mypassword -x *AES128* -X mypassword
-l authPriv -u putest128 -e 0x8000236e0300b0ae037994 10.12.73.118  ""
.1.3.6.1.4.1.8072.2.3.1 .1.3.6.1.4.1.8072.2.1.1 i 22222     <-----------
decrypt properly

root:~# snmptrap -v 3 -n "" -a MD5 -A mypassword -x *AES192* -X mypassword
-l authPriv -u putesting -e 0x8000236e0300b0ae037994 10.12.73.118  ""
.1.3.6.1.4.1.8072.2.3.1 .1.3.6.1.4.1.8072.2.1.1 i 123456  <---------
Throws 'Decrypted data not formatted as expected' error
root:~#

Attached wireshark snapshot for these two traps.



On Fri, Oct 1, 2021 at 1:34 AM Larry Hayes <lh...@gm...> wrote:

> Are you sure you have Wireshark setup correctly to decrypt the messages?
>
> WireShark:
> Edit -> Preferences -> Protocols -> SNMP -> Users Table
>
> https://wiki.wireshark.org/SNMP  is a helpful link also.
>
>
>
> On Thu, Sep 30, 2021 at 1:56 PM Pushpa Thimmaiah <
> pus...@gm...> wrote:
>
>> Hi ,
>>
>> I am using net-snmp-5.9 (centos)and  tried following command.  Wireshark
>> says 'Decrypted data not formatted as expected'. [Attached snapshot
>> wireshark.jpeg]
>>   Used same snmpv3 credentials used at agent and wireshark .
>>
>> snmptrap -v 3 -n "" -a MD5 -A mypassword -x AES192 -X mypassword -l
>> authPriv -u testing123 -e 0x8000236e0320b3ae337994 10.12.74.4 69
>> .1.3.6.1.4.1.8072.2.3.1 .1.3.6.1.4.1.8072.2.1.1 i 123456
>>
>> Kindly let me know if anything is missed.
>>
>> Thanks,
>> Pushpa.T
>> _______________________________________________
>> Net-snmp-coders mailing list
>> Net...@li...
>> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>
>

Re:

[Larry H. <lh...@gm...>]

Are you sure you have Wireshark setup correctly to decrypt the messages?

WireShark:
Edit -> Preferences -> Protocols -> SNMP -> Users Table

https://wiki.wireshark.org/SNMP  is a helpful link also.



On Thu, Sep 30, 2021 at 1:56 PM Pushpa Thimmaiah <pus...@gm...>
wrote:

> Hi ,
>
> I am using net-snmp-5.9 (centos)and  tried following command.  Wireshark
> says 'Decrypted data not formatted as expected'. [Attached snapshot
> wireshark.jpeg]
>   Used same snmpv3 credentials used at agent and wireshark .
>
> snmptrap -v 3 -n "" -a MD5 -A mypassword -x AES192 -X mypassword -l
> authPriv -u testing123 -e 0x8000236e0320b3ae337994 10.12.74.4 69
> .1.3.6.1.4.1.8072.2.3.1 .1.3.6.1.4.1.8072.2.1.1 i 123456
>
> Kindly let me know if anything is missed.
>
> Thanks,
> Pushpa.T
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>

[Pushpa T. <pus...@gm...>]

Hi ,

I am using net-snmp-5.9 (centos)and  tried following command.  Wireshark
says 'Decrypted data not formatted as expected'. [Attached snapshot
wireshark.jpeg]
  Used same snmpv3 credentials used at agent and wireshark .

snmptrap -v 3 -n "" -a MD5 -A mypassword -x AES192 -X mypassword -l
authPriv -u testing123 -e 0x8000236e0320b3ae337994 10.12.74.4 69
.1.3.6.1.4.1.8072.2.3.1 .1.3.6.1.4.1.8072.2.1.1 i 123456

Kindly let me know if anything is missed.

Thanks,
Pushpa.T

Re: When exactly the response is received from node 2 ?

[Nishant N. <nay...@gm...>]

The agent(node2) is also net-snmp
The node1 (master) also has its agent of its own right?


Nishant

On Sun, 26 Sep 2021, 06:53 Bill Fenner, <fe...@gm...> wrote:

> On Thu, Sep 23, 2021 at 6:43 AM Nishant Nayan <nay...@gm...>
> wrote:
>
>> Thanks for the suggestions, I have tried that and I could see the data
>> sent and data received, however I am interested in the receiver part, as to
>> how the date is prepared by the receiver(node 2) based on sender's request
>> and then sent back to sender(node1),
>>
>
> The terms that we use in the SNMP world to describe these entities are
> that the manager sends a request to the agent, who then sends a response
> back to the manager.  You are asking how the agent builds its response.
> What kind of agent is it?  Is it also net-snmp, or is it something else?
>
>
>> specifically how the error index and error status is getting
>> prepared/calculated from receiver side, is there a way to debug this?
>>
>
> RFC3416 talks about the rules for setting them - e.g., general definitions
> in section 4.1
> https://datatracker.ietf.org/doc/html/rfc3416#section-4.1
> and specifics about how they are set when handling a GetRequest in section
> 4.2.1
> https://datatracker.ietf.org/doc/html/rfc3416#section-4.2.1
>
>   Bill
>
>
>
>>
>>
>> Thanks
>> Nishant
>>
>> On Mon, 6 Sept 2021 at 19:34, Bill Fenner <fe...@gm...> wrote:
>>
>>> By the way, I wanted to mention - I noticed your example was using
>>> SNMPv1.  SNMPv1 has been obsolete since 2002 (when the RFC was moved to
>>> historic status).  You should ideally be using SNMPv3, with its
>>> authorization and privacy improvements, and if not, at least use SNMPv2
>>> which is not obsolete.
>>>
>>>   Bill
>>>
>>>

Re: When exactly the response is received from node 2 ?

[Bill F. <fe...@gm...>]

On Thu, Sep 23, 2021 at 6:43 AM Nishant Nayan <nay...@gm...>
wrote:

> Thanks for the suggestions, I have tried that and I could see the data
> sent and data received, however I am interested in the receiver part, as to
> how the date is prepared by the receiver(node 2) based on sender's request
> and then sent back to sender(node1),
>

The terms that we use in the SNMP world to describe these entities are that
the manager sends a request to the agent, who then sends a response back to
the manager.  You are asking how the agent builds its response.  What kind
of agent is it?  Is it also net-snmp, or is it something else?


> specifically how the error index and error status is getting
> prepared/calculated from receiver side, is there a way to debug this?
>

RFC3416 talks about the rules for setting them - e.g., general definitions
in section 4.1
https://datatracker.ietf.org/doc/html/rfc3416#section-4.1
and specifics about how they are set when handling a GetRequest in section
4.2.1
https://datatracker.ietf.org/doc/html/rfc3416#section-4.2.1

  Bill



>
>
> Thanks
> Nishant
>
> On Mon, 6 Sept 2021 at 19:34, Bill Fenner <fe...@gm...> wrote:
>
>> By the way, I wanted to mention - I noticed your example was using
>> SNMPv1.  SNMPv1 has been obsolete since 2002 (when the RFC was moved to
>> historic status).  You should ideally be using SNMPv3, with its
>> authorization and privacy improvements, and if not, at least use SNMPv2
>> which is not obsolete.
>>
>>   Bill
>>
>>

Re: When exactly the response is received from node 2 ?

[Nishant N. <nay...@gm...>]

Thanks for the suggestions, I have tried that and I could see the data sent
and data received, however I am interested in the receiver part, as to how
the date is prepared by the receiver(node 2) based on sender's request and
then sent back to sender(node1), specifically how the error index and error
status is getting prepared/calculated from receiver side, is there a way to
debug this?


Thanks
Nishant

On Mon, 6 Sept 2021 at 19:34, Bill Fenner <fe...@gm...> wrote:

> By the way, I wanted to mention - I noticed your example was using
> SNMPv1.  SNMPv1 has been obsolete since 2002 (when the RFC was moved to
> historic status).  You should ideally be using SNMPv3, with its
> authorization and privacy improvements, and if not, at least use SNMPv2
> which is not obsolete.
>
>   Bill
>
>

Re: Difference between AES192 and AES192C

[Craig S. <cs...@dr...>]

Hi Pushpa,
  Yes, your results were expected. They use the same encryption algorithm
but are identified under either the Cisco or ESO enterprise OID.  There is
probably no way of knowing in advance which one a particular piece of
equipment will use.

 - Craig



On Tue, 21 Sept 2021 at 04:22, Pushpa Thimmaiah <pus...@gm...>
wrote:

> Hi Craig,
>
> Following are my observations. Please let me know if the behaviour is
> correct.
>
> ----------snmp agent
> 192.168.1.12-------------------------------------------
> I added two snmpv3 users
> createUser pushaaes129 SHA mypassword AES192 mypassword
> createUser pushaaes129c SHA mypassword AES192C mypassword
>
> --------snmp manager  192.168.1.13 --------------------------
> pushpat@pushpat-ThinkPad-L480:~$ snmpget -D -t50  -v3 -u pushaaes129c -l
> authPriv -a SHA1 -A mypassword -x *AES192C* -X mypassword 192.168.1.12
> SNMPv2-MIB::sysDescr.0
> registered debug token t50, 0
> SNMPv2-MIB::sysDescr.0 = STRING: Microsemi
> pushpat@pushpat-ThinkPad-L480:~$ snmpget -D -t50  -v3 -u pushaaes129c -l
> authPriv -a SHA1 -A mypassword -x* AES192 *-X mypassword 192.168.1.12
> SNMPv2-MIB::sysDescr.0
> registered debug token t50, 0
> Timeout: No Response from 192.168.1.12.
> pushpat@pushpat-ThinkPad-L480:~$
>
> I thought AES192, AES192C are same. It looks like they are not. Any idea
> when to use AES192 and AES192C(cisco algorithm)
>
>
>
>
> =========== USM entries in snmp agent persistent
> config=================================
> usmUser 1 3 0x<engineid> "pushaaes129" "pushaaes129"   NULL
> .1.3.6.1.6.3.10.1.1.3 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b1
> .1.3.6.1.4.1.14832.1.3  0x837954cd0cadfa4c198f22bf7b1b15db1141b8b18f973286
> 0x
> usmUser 1 3 0x<engineid> "pushaaes129c" "pushaaes129c" NULL
> .1.3.6.1.6.3.10.1.1.3 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b1
> .1.3.6.1.4.1.9.12.6.1.1 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b15aeeb711
> 0x
>
> .1.3.6.1.4.1.9.12.6.1.1 : iso(1) identified-organization(3) dod(6)
> internet(1) private(4) enterprise(1) cisco(9)
> .1.3.6.1.4.1.14832.1.3  : iso(1) org(3) dod(6) internet(1) private(4)
> enterprise(1) esoConsortiumMIB(14832)
>
>
>
>
> On Thu, Sep 16, 2021 at 5:07 AM Craig Small <csmall@dropbear.xyz> wrote:
>
>> Hi Pushpa,
>>   It's a matter of identifying it.
>>
>> When the packet comes in, the receiver looks at the authentication
>> protocol and sees one value or the other. That's why you need to specify
>> which method you are using.
>> In theory, I expect that the receiver could just look at the auth
>> protocol and use the same method for both values, but they don't.
>>
>>  - Craig
>>
>>
>> On Wed, 15 Sept 2021 at 15:44, Pushpa Thimmaiah <
>> pus...@gm...> wrote:
>>
>>> Hi Craig Small,
>>>
>>> Thank you . This is really helpful.
>>> If AES192 and AES192C are AES standard from different entity  then are
>>> they interchangeable ?
>>> Eg: I did configure AES192 on snmpd and use AES192C from mibbrowser.
>>> Tool 'snmpget'  fails.
>>>
>>> It would help me if I know why CFB-AES192 (on silvercreek browser)
>>> fails  with AES192 configured on snmp-agent.  It works fine when AES192C
>>> configured on snmpd.
>>>
>>>
>>> On Wed, Sep 15, 2021 at 4:10 AM Craig Small <csmall@dropbear.xyz> wrote:
>>>
>>>> Hi Pushpa,
>>>>   As you have discovered, there are two AES192 standards.
>>>>
>>>> When you select AES192 (with no C) this is the IETF draft Blumenthal
>>>> standard.
>>>>
>>>> When you select AES192C this is the Cisco "standard".
>>>>
>>>> What is the actual difference? As far as I can tell, it comes down to
>>>> the OID used for some of the parameters like the IV.
>>>>
>>>> The Cisco standard uses something under enterprises.Cisco, as you would
>>>> expect, while the draft IETF standard uses something under enterprises.ESO
>>>> ESO is Extended Security Options consortium, you can see their MIB at
>>>> http://www.snmp.com/eso/esoConsortiumMIB.txt
>>>>
>>>> To me, it looks like the same protocol, just how it identifies itself
>>>> and where it stores things changes. So it's not like one is doing CFB and
>>>> the other thought for some reason ECB was the way to go.
>>>>
>>>> If you look online for SNMP and AES 192 or 256, you can see this
>>>> confuses a bunch of people (e.g. AES192 works for device X, but not device
>>>> Y, why?)
>>>>
>>>>  - Craig
>>>>
>>>> ObXKCD https://xkcd.com/927/
>>>>
>>>>
>>>> On Wed, 15 Sept 2021 at 01:51, Pushpa Thimmaiah <
>>>> pus...@gm...> wrote:
>>>>
>>>>> Hi Folks,
>>>>>
>>>>> I am using SilverCreek as mib browser(windows10)  and net-snmp-.5.9 on
>>>>> snmp-agent(linux).
>>>>>
>>>>> *snmp-agent*
>>>>> creatUser testmd5aes192 MD5  testingauth AES192 testingpriv
>>>>>
>>>>> *SilverCreek*
>>>>> It provides CFB-AES192 option for privprotocol . So I selected
>>>>> authprotocol as 'MD5' and priv protocol 'CFB-AES192'
>>>>> snmpquery on fails for this
>>>>>
>>>>> So, I  changed AES192 to AES192C at snmp-agent side as mentioned below
>>>>> and it works
>>>>> creatUser testmd5aes192 MD5  testingauth AES192C testingpriv
>>>>>
>>>>> Kindly let me know when to use AES192 and AES192C. Is it based on
>>>>> cipher methods of AES?
>>>>>
>>>>> Thanks,
>>>>> Pushpa.T
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Net-snmp-coders mailing list
>>>>> Net...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>>>>
>>>>

Re: Difference between AES192 and AES192C

[Pushpa T. <pus...@gm...>]

Hi Craig,

Following are my observations. Please let me know if the behaviour is
correct.

----------snmp agent 192.168.1.12-------------------------------------------
I added two snmpv3 users
createUser pushaaes129 SHA mypassword AES192 mypassword
createUser pushaaes129c SHA mypassword AES192C mypassword

--------snmp manager  192.168.1.13 --------------------------
pushpat@pushpat-ThinkPad-L480:~$ snmpget -D -t50  -v3 -u pushaaes129c -l
authPriv -a SHA1 -A mypassword -x *AES192C* -X mypassword 192.168.1.12
SNMPv2-MIB::sysDescr.0
registered debug token t50, 0
SNMPv2-MIB::sysDescr.0 = STRING: Microsemi
pushpat@pushpat-ThinkPad-L480:~$ snmpget -D -t50  -v3 -u pushaaes129c -l
authPriv -a SHA1 -A mypassword -x* AES192 *-X mypassword 192.168.1.12
SNMPv2-MIB::sysDescr.0
registered debug token t50, 0
Timeout: No Response from 192.168.1.12.
pushpat@pushpat-ThinkPad-L480:~$

I thought AES192, AES192C are same. It looks like they are not. Any idea
when to use AES192 and AES192C(cisco algorithm)




=========== USM entries in snmp agent persistent
config=================================
usmUser 1 3 0x<engineid> "pushaaes129" "pushaaes129"   NULL
.1.3.6.1.6.3.10.1.1.3 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b1
.1.3.6.1.4.1.14832.1.3  0x837954cd0cadfa4c198f22bf7b1b15db1141b8b18f973286
0x
usmUser 1 3 0x<engineid> "pushaaes129c" "pushaaes129c" NULL
.1.3.6.1.6.3.10.1.1.3 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b1
.1.3.6.1.4.1.9.12.6.1.1 0x837954cd0cadfa4c198f22bf7b1b15db1141b8b15aeeb711
0x

.1.3.6.1.4.1.9.12.6.1.1 : iso(1) identified-organization(3) dod(6)
internet(1) private(4) enterprise(1) cisco(9)
.1.3.6.1.4.1.14832.1.3  : iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) esoConsortiumMIB(14832)




On Thu, Sep 16, 2021 at 5:07 AM Craig Small <csmall@dropbear.xyz> wrote:

> Hi Pushpa,
>   It's a matter of identifying it.
>
> When the packet comes in, the receiver looks at the authentication
> protocol and sees one value or the other. That's why you need to specify
> which method you are using.
> In theory, I expect that the receiver could just look at the auth protocol
> and use the same method for both values, but they don't.
>
>  - Craig
>
>
> On Wed, 15 Sept 2021 at 15:44, Pushpa Thimmaiah <
> pus...@gm...> wrote:
>
>> Hi Craig Small,
>>
>> Thank you . This is really helpful.
>> If AES192 and AES192C are AES standard from different entity  then are
>> they interchangeable ?
>> Eg: I did configure AES192 on snmpd and use AES192C from mibbrowser.
>> Tool 'snmpget'  fails.
>>
>> It would help me if I know why CFB-AES192 (on silvercreek browser) fails
>> with AES192 configured on snmp-agent.  It works fine when AES192C
>> configured on snmpd.
>>
>>
>> On Wed, Sep 15, 2021 at 4:10 AM Craig Small <csmall@dropbear.xyz> wrote:
>>
>>> Hi Pushpa,
>>>   As you have discovered, there are two AES192 standards.
>>>
>>> When you select AES192 (with no C) this is the IETF draft Blumenthal
>>> standard.
>>>
>>> When you select AES192C this is the Cisco "standard".
>>>
>>> What is the actual difference? As far as I can tell, it comes down to
>>> the OID used for some of the parameters like the IV.
>>>
>>> The Cisco standard uses something under enterprises.Cisco, as you would
>>> expect, while the draft IETF standard uses something under enterprises.ESO
>>> ESO is Extended Security Options consortium, you can see their MIB at
>>> http://www.snmp.com/eso/esoConsortiumMIB.txt
>>>
>>> To me, it looks like the same protocol, just how it identifies itself
>>> and where it stores things changes. So it's not like one is doing CFB and
>>> the other thought for some reason ECB was the way to go.
>>>
>>> If you look online for SNMP and AES 192 or 256, you can see this
>>> confuses a bunch of people (e.g. AES192 works for device X, but not device
>>> Y, why?)
>>>
>>>  - Craig
>>>
>>> ObXKCD https://xkcd.com/927/
>>>
>>>
>>> On Wed, 15 Sept 2021 at 01:51, Pushpa Thimmaiah <
>>> pus...@gm...> wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> I am using SilverCreek as mib browser(windows10)  and net-snmp-.5.9 on
>>>> snmp-agent(linux).
>>>>
>>>> *snmp-agent*
>>>> creatUser testmd5aes192 MD5  testingauth AES192 testingpriv
>>>>
>>>> *SilverCreek*
>>>> It provides CFB-AES192 option for privprotocol . So I selected
>>>> authprotocol as 'MD5' and priv protocol 'CFB-AES192'
>>>> snmpquery on fails for this
>>>>
>>>> So, I  changed AES192 to AES192C at snmp-agent side as mentioned below
>>>> and it works
>>>> creatUser testmd5aes192 MD5  testingauth AES192C testingpriv
>>>>
>>>> Kindly let me know when to use AES192 and AES192C. Is it based on
>>>> cipher methods of AES?
>>>>
>>>> Thanks,
>>>> Pushpa.T
>>>>
>>>>
>>>> _______________________________________________
>>>> Net-snmp-coders mailing list
>>>> Net...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>>>
>>>

Re: I have some qhestions about work you library.

[Bill F. <fe...@gm...>]

Hi Ivan,

Does the example at
http://www.net-snmp.org/wiki/index.php/TUT:Simple_Application help?
Specifically, in that example, "session.peername" is the remote DNS name,
but you can place a (string-formatted) IP address in that field as well.

  Bill


On Wed, Sep 15, 2021 at 5:27 PM Иван Иванов <tir...@ya...> wrote:

> I write some soft for network work with snmp. We have device with snmp
> server and whant to work with it via snmp lib. Now i have got some problem
> with work you snmp applications. I want to make snmpset and snmpget
> programs on the local host, transfering conection to server on device. The
> question is : where i should put ip adress of the snmp server and port for
> remote host. Can you make simple example about it, and it's will be nice if
> you will add this information to the documentation for you tools.
>
>
>
> All the best, Ivan Ivanov.
>
>
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>