The orchid that grows in a secluded valley is no less fragrant because no one wears it;
the gentleman who practices righteousness does not stop because no one knows of it.
1 Experiment objectives
1. Understand the principles of SNMP network management
2. Master how an SNMP server collects data from an SNMP agent
3. Master the SNMP message send and reply flow
4. Master the method for analysing the data structure of a typical GetResponse PDU
5. Be able to troubleshoot SNMP communication
2 Experiment topology
Figure 2-1
Prerequisite: as shown in the topology diagram, choose any one server and any one agent, i.e. 1 SNMP server + 1 SNMP agent. You may also choose all of them; each additional one earns 10 extra points.
3 Experiment content
Content: write code and test:
1) Send SNMP packets from the SNMP server; capture them with Wireshark or tcpdump;
2) Analyse the captured data to verify the working process of the SNMP protocol (refer to Figure 4-2 in the textbook);
3) Select the packets of the collection process for the system group of the MIB-2 functional groups and analyse the SNMP protocol's working process from them;
4) Find the response packet for the MIB-2 scalar object identifier .1.3.6.1.2.1.1.4.0 and analyse that GetResponse PDU using the BER encoding method of Chapter 2, the MIB-2 functional groups of Chapter 3 and the SNMP PDU structure of Chapter 4.
4 Training principle / flow
RFC 1157 gives the definition of the SNMPv1 protocol, written in ASN.1. The NMS sends three kinds of request to the agent, GetRequest, GetNextRequest and SetRequest, while the agent has only one kind of reply, the GetResponse PDU.
SNMP message
Version | Community name | SNMP PDU |
GetRequest PDU, GetNextRequest PDU and SetRequest PDU
PDU type | Request ID | 0 | 0 | Variable bindings |
GetResponse PDU
PDU type | Request ID | Error status | Error index | Variable bindings |
Trap PDU
PDU type | Enterprise ID | Agent address | Generic trap | Specific trap | Timestamp | Variable bindings |
Variable bindings
Name 1 | Value 1 | Name 2 | Value 2 | ... | Name n | Value n |
Figure 2-2
Figure 2-3
The send and reply sequences of the various messages are as follows:
Figures 2-4 to 2-8 (send and reply sequences of the messages)
Generating and sending SNMP messages
Figure 2-9
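As an added example (not code from this handout), the Python below BER-encodes the SNMPv1 GetRequest for sysContact.0 (.1.3.6.1.2.1.1.4.0) field by field, following the message, PDU and variable-binding layouts above, and can send it over UDP to an agent you manage. The request ID is the one seen in the GetResponse dump later in this handout; the helper names and the send function are this example's own.

```python
# Added example, not from the lab handout: build an SNMPv1 GetRequest for .1.3.6.1.2.1.1.4.0
# (sysContact.0) by BER-encoding each field of the message / PDU / VarBindList layouts above.
# The request ID and the send helper are this example's own choices.
import socket

INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
# PDU types are context-specific constructed tags: [0] GetRequest, [1] GetNextRequest, [3] SetRequest
GET_REQUEST, GET_NEXT_REQUEST, SET_REQUEST = 0xA0, 0xA1, 0xA3


def encode_length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag, length, value: the unit every SNMP field is built from."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(n):
    """Non-negative INTEGER in two's complement, shortest form that keeps the top bit clear
    (127 -> 7f, 128 -> 00 80) so the value is not read back as negative."""
    if n < 0:
        raise ValueError("SNMP request fields are non-negative")
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: arcs x.y become one byte 40*x+y (1.3 -> 2b); every later arc is
    base-128 with the high bit set on all bytes but the last (8072 -> bf 08)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"malformed OID {dotted!r}")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OBJECT_ID, bytes(out))


def build_request(community, oids, request_id, pdu_type=GET_REQUEST, version=0):
    """Message = SEQUENCE { version, community, PDU }; a request PDU = [tag] { request-id,
    error-status 0, error-index 0, VarBindList }; each VarBind pairs an OID with NULL,
    which the agent replaces by the value in its GetResponse."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(pdu_type, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
              + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_integer(version)
               + tlv(OCTET_STRING, community.encode("ascii")) + pdu)


def send_request(agent_ip, message, port=161, timeout=2.0):
    """Send the message over UDP to an agent you manage and return the raw reply bytes
    (None on timeout); run tcpdump on port 161 at the same time to capture the exchange."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, (agent_ip, port))
        try:
            return sock.recv(65535)
        except socket.timeout:
            return None


if __name__ == "__main__":
    # 0x096a7295 is the request ID seen in the GetResponse dump later in this handout
    msg = build_request("public", [".1.3.6.1.2.1.1.4.0"], 0x096A7295)
    print(msg.hex(" "))
```

Because every field is a tag-length-value unit, the enclosing lengths (message, PDU, VarBindList, VarBind) are computed from the inner bytes rather than written by hand, which is the consistency the later hex analysis has to check byte by byte.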
[Experiment steps]
(1) Install the tools and check the version:
Install on both the server side and the monitored side:
yum install -y net-snmp net-snmp-utils
snmpd -v
(2) Client configuration
1. Linux client
I want several NMS hosts to manage this machine, as needed. Adapt the specific configuration yourself; pay attention to the parts marked in red.
……
exec .1.3.6.1.2.1.1.1.0 /usr/local/bin/custom_sysdescr.sh
rocommunity public 192.168.56.0/24
rwcommunity private 192.168.56.0/24
rocommunity MySecureComm 192.168.56.0/24
rwcommunity MyWriteComm 192.168.56.0/24
rocommunity MySecureComm 192.168.100.0/24
rwcommunity MyWriteComm 192.168.100.0/24
com2sec writeAccess 192.168.56.0/24 MyWriteComm
com2sec writeAccess 192.168.100.0/24 MyWriteComm
# the next line was generated from the command line
rwuser snmpuser auth -V 2c
agentAddress udp:161,udp6:[::1]:161
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.
####
# First, map the community name "public" into a "security name"
#       sec.name       source        community
com2sec notConfigUser  default       public
####
# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser
……
####
# Third, create a view for us to let the group have rights to:
# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1
view    systemview    included   .1
view    systemview    included   .1.3.6.1.4.1.2021.9
####
# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix read   write  notif
access  notConfigGroup ""      any       noauth    exact  systemview none none
syslocation 7Jiao
syscontact Admin
# -----------------------------------------------------------------------------
# Here is a commented out example configuration that allows less
# restrictive access.
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
# KNOWN AT YOUR SITE.  YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
##       sec.name       source        community
#com2sec local         localhost     COMMUNITY
#com2sec mynetwork     NETWORK/24    COMMUNITY
com2sec notConfigUser  default       public
##     group.name sec.model  sec.name
#group MyRWGroup  any        local
#group MyROGroup  any        mynetwork
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser
access notconfigGroup any noauth
# System contact information
#
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
sysdescr CentOS7.9.2207
sysobjectid 19216810022
syslocation Building No.7 7907
syscontact Wu Zhengzhong <1531036898@qq.com>
sysname cts-zbxagt
sysservices 72
###############################################################################
# Process checks.
#
#  The following are examples of how to use the agent to check for
#  processes running on the host.  The syntax looks something like:
#
#  proc NAME [MAX=0] [MIN=0]
#
#  NAME:  the name of the process to check for.  It must match
#         exactly (ie, http will not find httpd processes).
#  MAX:   the maximum number allowed to be running.  Defaults to 0.
#  MIN:   the minimum number to be running.  Defaults to 0.
#
#  Examples (commented out by default):
#
#  Make sure mountd is running
proc mountd
#  Make sure there are no more than 4 ntalkds running, but 0 is ok too.
proc ntalkd 4
#  Make sure at least one sendmail, but less than or equal to 10 are running.
proc sendmail 10 1
#  A snmpwalk of the process mib tree would look something like this:
#
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "finish!"
# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
###############################################################################
# load average checks
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX:   If the 1 minute load average is above this limit at query
#         time, the errorFlag will be set.
# 5MAX:   Similar, but for 5 min average.
# 15MAX:  Similar, but for 15 min average.
# Check for loads:
load 12 14 14
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
2. HCL network device client
v1 & v2c | Remarks |
snmp-agent sys-info version v1 v2c | supported versions |
snmp-agent community read public | read community |
snmp-agent community write private | write community |
snmp-agent sys-info contact Mr.WuZhengzhong-Mob:15523232551 | contact phone |
snmp-agent sys-info location CQIE7Jiao,7907 | device location |
snmp-agent trap enable | enable traps |
snmp-agent target-host trap address udp-domain [snmp server IP] params securityname public v1 | allow sending traps to the NMS using the community public |
Because MobaXterm's connection to the host is encrypted, capturing with Wireshark usually does not yield the required data structure.
Let us try it:
Figure 2-10
# Start Wireshark and capture on the VirtualBox Host-only adapter
# On the SNMP server (192.168.56.220), fetch a parameter from the client (192.168.56.22)
[root@zbx624oe2203 wutool]# snmpwalk -c public -v 2c 192.168.56.22 sysName
SNMPv2-MIB::sysName.0 = STRING: cts-zbxagt
At this point the packets captured in Wireshark are not decoded:
Figure 2-11
So when collecting the information we should analyse it with a dedicated capture tool on the SNMP server itself:
yum install -y tcpdump
Start capturing the SNMP traffic, then run snmpwalk -v 2c -c public 192.168.56.22 system
tcpdump -i ens37 -s 0 -w snmp.pcap udp port 161
-i ens37: interface; -s 0: capture complete packets; -w snmp.pcap: file to save to; udp: protocol; port 161: port
The file snmp.pcap appears in the specified directory
Figure 2-12
View the capture file snmp.pcap:
Figure 2-13
It cannot be read as-is; it has to be read in its proper format:
[root@zbx624oe2203 wutool]# tcpdump -r snmp.pcap
Find the information you need in the output:
reading from file snmp.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
11:04:22.237693 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(26) system
11:04:22.238182 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(115) system.sysDescr.0="Linux cts-zbxagt 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64"
11:04:22.238270 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(28) system.sysDescr.0
11:04:22.238604 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(38) system.sysObjectID.0=E:8072.3.2.10
11:04:22.238689 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(28) system.sysObjectID.0
11:04:22.239105 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(31) system.sysUpTime.0=153002
11:04:22.239160 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(28) system.sysUpTime.0
11:04:22.239484 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(61) system.sysContact.0="Wu Zhengzhong <1531036898@qq.com>"
11:04:22.239546 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(28) system.sysContact.0
11:04:22.239856 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(39) system.sysName.0="WuSnmpAgent"
11:04:22.239903 IP zbx624oe2203.58465 > 192.168.56.22.snmp: GetNextRequest(28) system.sysName.0
11:04:22.240142 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(46) system.sysLocation.0="Building No.7 7907"
……
11:04:22.249635 IP 192.168.56.22.snmp > zbx624oe2203.58465: GetResponse(29) interfaces.ifNumber.0=5
11:04:44.060966 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(26) system
11:04:44.061492 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(115) system.sysDescr.0="Linux cts-zbxagt 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64"
11:04:44.061606 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysDescr.0
11:04:44.061920 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(38) system.sysObjectID.0=E:8072.3.2.10
11:04:44.061990 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysObjectID.0
11:04:44.062259 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(31) system.sysUpTime.0=155184
11:04:44.062325 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysUpTime.0
11:04:44.062559 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(61) system.sysContact.0="Wu Zhengzhong <1531036898@qq.com>"
11:04:44.062641 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysContact.0
11:04:44.062924 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(39) system.sysName.0="WuSnmpAgent"
11:04:44.062975 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysName.0
11:04:44.063215 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(46) system.sysLocation.0="Building No.7 7907"
11:04:44.063307 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(28) system.sysLocation.0
……
11:04:44.072969 IP zbx624oe2203.33528 > 192.168.56.22.snmp: GetNextRequest(30) system.9.1.4.10
11:04:44.073290 IP 192.168.56.22.snmp > zbx624oe2203.33528: GetResponse(29) interfaces.ifNumber.0=5
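The tcpdump output above shows the mechanism behind snmpwalk: each GetResponse name becomes the next GetNextRequest, and the walk stops at the first reply outside the requested subtree (interfaces.ifNumber.0 after system.9.1.4.10). As an added example, not part of this handout, the Python below plays both sides of that exchange against a constructed slice of the agent's MIB; the values mirror the capture (sysDescr shortened, the sysORUpTime.10 value invented), and the names AGENT_MIB, agent_get_next and nms_walk are this example's own.

```python
# Added example, not from the lab handout: how snmpwalk turns GetNextRequest / GetResponse
# pairs into a walk of the system group, and why the last reply in the capture above is
# interfaces.ifNumber.0. AGENT_MIB is a constructed slice whose values follow the capture.
from bisect import bisect_right

AGENT_MIB = {                                  # OID -> value, as a tiny agent would store them
    "1.3.6.1.2.1.1.1.0": "Linux cts-zbxagt 3.10.0-1160.119.1.el7.x86_64",  # sysDescr.0 (shortened)
    "1.3.6.1.2.1.1.2.0": "1.3.6.1.4.1.8072.3.2.10",                         # sysObjectID.0
    "1.3.6.1.2.1.1.3.0": 153002,                                             # sysUpTime.0
    "1.3.6.1.2.1.1.4.0": "Wu Zhengzhong <1531036898@qq.com>",               # sysContact.0
    "1.3.6.1.2.1.1.5.0": "WuSnmpAgent",                                      # sysName.0
    "1.3.6.1.2.1.1.6.0": "Building No.7 7907",                               # sysLocation.0
    "1.3.6.1.2.1.1.9.1.4.10": 1,     # sysORUpTime.10, last system-group row seen; value constructed
    "1.3.6.1.2.1.2.1.0": 5,                                                  # interfaces.ifNumber.0
}


def oid_key(oid):
    """Lexicographic OID order is arc-by-arc numeric order, which Python tuples give directly
    (a prefix sorts before everything below it, so 1.3.6.1.2.1.1 < 1.3.6.1.2.1.1.1.0)."""
    return tuple(int(a) for a in oid.strip(".").split("."))


def agent_get_next(mib, oid):
    """Agent side of GetNextRequest: reply with the first (name, value) strictly after `oid`,
    or None when nothing follows (noSuchName in v1, endOfMibView in v2c)."""
    keys = sorted(oid_key(o) for o in mib)
    i = bisect_right(keys, oid_key(oid))
    if i == len(keys):
        return None
    name = ".".join(map(str, keys[i]))
    return name, mib[name]


def nms_walk(mib, subtree):
    """NMS side (what snmpwalk does): GetNext(subtree), then GetNext(previous name) until the
    reply leaves the subtree or the MIB ends. Returns (in-scope results, number of
    request/response exchanges); the final out-of-scope reply is fetched but discarded,
    exactly as the capture shows for interfaces.ifNumber.0."""
    prefix = oid_key(subtree)
    results, cursor, exchanges = [], subtree, 0
    while True:
        exchanges += 1
        reply = agent_get_next(mib, cursor)
        if reply is None or oid_key(reply[0])[:len(prefix)] != prefix:
            return results, exchanges
        results.append(reply)
        cursor = reply[0]


if __name__ == "__main__":
    rows, n = nms_walk(AGENT_MIB, "1.3.6.1.2.1.1")
    for name, value in rows:
        print(f"{name} = {value!r}")
    print(f"{len(rows)} objects in {n} GetNext/GetResponse exchanges")
```

Walking the seven system objects costs eight round trips because the NMS cannot know it has reached the end of the subtree until the agent answers with a name outside it; this is also why a walk of an unrestricted view can be far noisier on the wire than the handful of objects actually wanted.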
Figure 2-14
Figure 2-15
After modifying it we get:
00 0c 29 ea d2 35 0c cd 87 b7 01 05 08 00
45 00 00 66 00 51 00 00 ff 11 c8 99 c0 a8 38 6f c0 a8 38 dc
00 a1 8a 42 00 52 98 86
30 48 02 01 01 04 06 70 75 62 6c 69 63 a2 3b 02 04 09 6a 72 95 02 01 00 02 01 00 30 2d 30 2b 06 08 2b 06 01 02 01 01 04 00
04 21 57 75 20 5a 68 65 6e 67 7a 68 6f 6e 67 20 3c 31 35 33 31 30 33 36 38 39 38 40 71 71 2e 63 6f 6d 3e
2. HCL network device client
Figure 2-16
Figure 2-17
00 0c 29 ea d2 35 0c cd 87 b7 01 05 08 00
45 00 00 66 00 51 00 00 ff 11 c8 99 c0 a8 38 6f c0 a8 38 dc
00 a1 8a 42 00 52 98 86
30 48 02 01 01 04 06 70 75 62 6c 69 63 a2 3b 02 04 09 6a 72 95 02 01 00 02 01 00 30 2d 30 2b 06 08 2b 06 01 02 01 01 04 00
04 1f 4d 72 2e 57 75 5a 68 65 6e 67 7a 68 6f 6e 67 2d 4d 6f 62 3a 31 35 35 32 33 32 33 32 35 35 31

00 0c 29 ea d2 35                                             // destination MAC
0c cd 87 b7 01 05                                             // source MAC
08 00                                                         // IP datagram
45 00 00 66 00 51 00 00 ff 11 c8 99 c0 a8 38 6f c0 a8 38 dc   // IP header
00 a1 8a 42 00 52 98 86                                       // UDP header
30                                                            // SNMP SEQUENCE
48                                                            // SNMP message length
02 01 01                                                      // version number
04 06 70 75 62 6c 69 63                                       // community "public"
a2 3b                                                         // GetResponse PDU (tag a2), length 0x3b
02 04 09 6a 72 95                                             // request ID
02 01 00                                                      // 0 (error status)
02 01 00                                                      // 0 (error index)
// what follows is the variable bindings list
30 2d                                                         // SNMP SEQUENCE, length 45
30 2b                                                         // SNMP SEQUENCE, length 43
06 08 2b 06 01 02 01 01 04 00                                 // .1.3.6.1.2.1.1.4.0
04 1f                                                         // OCTET STRING, length 0x1f
4d 72 2e 57 75 5a 68 65 6e 67 7a 68 6f 6e 67 2d 4d 6f 62 3a 31 35 35 32 33 32 33 32 35 35 31   // Mr.WuZhengzhong-Mob:15523232551
Analysis of the capture results
SNMPv1 raw message:
00 23 5a 9e 58 b9 00 4c 41 49 50 55 08 00
45 00 00 48 00 00 40 00 40 11 a5 4e c0 a8 0a 01 c0 a8 0a 05
0c 00 00 a2 00 34 ff e0
30 2a 02 01 00 04 06 70 75 62 6c 69 63 a4 1d 06 0a 2b 06 01 04 01 bf 08 03 02 0a 40 04 c0 a8 0a 01 02 01 00 02 01 00 43 01 0e 30 00

Destination MAC: 00 23 5a 9e 58 b9
Source MAC: 00 4c 41 49 50 55
Protocol type: 08 00, an IP datagram
IP header: 45 00 00 48 00 00 40 00 40 11 a5 4e c0 a8 0a 01 c0 a8 0a 05
UDP header: 0c 00 00 a2 00 34 ff e0
Everything that remains is the SNMP message; we now compare it field by field with the message structures given earlier.
30: the SNMP message is of the ASN.1 SEQUENCE type;
2a: the total length of this SNMP message is 42 (0x2a) bytes; the length counts from the first byte after this field to the end of the message;
02 01 00: the version number, which confirms that this is BER encoding. 02 marks an INTEGER field; 01 says the field occupies 1 byte; 00 is the version value, i.e. "version number minus 1";
04 06 70 75 62 6c 69 63: the community name. 04 marks an OCTET STRING field; 06 says it occupies 6 bytes; 70 75 62 6c 69 63 is the community name as hexadecimal ASCII, here "public";
a4 1d: the "4" in a4 means this is a trap message, and a4 is also called the tag of the message; 1d means 29 (0x1d) more bytes of data follow;
06 0a 2b 06 01 04 01 bf 08 03 02 0a: the enterprise OID. 06 marks an OBJECT IDENTIFIER field; 0a says it occupies 10 (0x0a) bytes. The encoding of SNMP OIDs is somewhat peculiar: in 1.3.6.1.2..., for example, take the first two numbers as x and y and encode them as 40*x+y; here x=1, y=3, so the result is 40*1+3=43, i.e. 0x2b. The enterprise OID encoded here is therefore 1.3.6.1.4.1.8072.3.2.10;
40 04 c0 a8 0a 01: likewise, 40 marks the field as OCTET STRING type; 04 says the IP address occupies 4 bytes; the IP address is 192.168.10.1;
02 01 00: the 00 means the trap type is coldStart;
02 01 00: the 00 means the trap we specified, the specific-trap, is also of the coldStart type;
43 01 0e: 43 marks the TimeTicks type; 01 says the field occupies 1 byte; 0e, decimal 14, gives a time stamp of 0.14 s, since the counter increments in steps of 0.01 s;
30 00: 30 is the encoding type of the "name-value" pairs, SEQUENCE; 00 says the field occupies 0 bytes, i.e. there are no pairs.
SNMPv2 raw message:
00 23 5a 9e 58 b9 00 4c 41 49 50 55 08 00
45 00 00 7b 00 00 40 00 40 11 a5 1b c0 a8 0a 01 c0 a8 0a 05
0c 01 00 a2 00 67 04 bb
30 5d 02 01 01 04 06 70 75 62 6c 69 63 a7 50 02 04 17 73 2c fb 02 01 00 02 01 00 30 42 30 0d 06 08 2b 06 01 02 01 01 03 00 43 01 0e 30 17 06 0a 2b 06 01 06 03 01 01 04 01 00 06 09 2b 06 01 06 03 01 01 05 01 30 18 06 0a 2b 06 01 06 03 01 01 04 03 00 06 0a 2b 06 01 04 01 bf 08 03 02 0a

Destination MAC: 00 23 5a 9e 58 b9
Source MAC: 00 4c 41 49 50 55
Protocol type: 08 00, an IP packet
IP header: 45 00 00 7b 00 00 40 00 40 11 a5 1b c0 a8 0a 01 c0 a8 0a 05
UDP header: 0c 01 00 a2 00 67 04 bb
The remainder is entirely SNMP message content. Here we adopt a simple convention: in each field we mark the type, then the length, then the actual data. With that, the raw bytes above are much easier to analyse.
30 5d: the encoding of the whole SNMP message; 30 is the SEQUENCE type, 5d is the message length, 93 (0x5d) bytes;
02 01 01: version number 01, i.e. v2;
04 06 70 75 62 6c 69 63: community name 70 75 62 6c 69 63, the English word "public";
a7 50: a7 means the trap type is 7, i.e. a vendor-defined trap; 50 means the PDU section occupies 80 (0x50) bytes;
02 04 17 73 2c fb: request ID 17 73 2c fb, decimal 393424123;
02 01 00: error status 0;
02 01 00: error index 0;
30 42: the encoding type of the "variable name-value" pairs, 30 being SEQUENCE; 42 is the total size of the "variable name-value" pairs, 0x42, i.e. 66 bytes;
30 0d 06 08 2b 06 01 02 01 01 03 00 43 01 0e: 30 is the encoding of the first "name-value" pair section, SEQUENCE; 0d is the total length of the first pair, 0x0d = 13 bytes; 06 is the encoding type of the first variable name, 0x06, an object identifier (here the time stamp); 08 says the first variable name occupies 0x08 bytes; 2b 06 01 02 01 01 03 00 is the first variable name, 1.3.6.1.2.1.1.3.0; 0e is the first variable's value, 0x0e, i.e. 14;
30 17 06 0a 2b 06 01 06 03 01 01 04 01 00 06 09 2b 06 01 06 03 01 01 05 01: the second "name-value" pair; variable name 1.3.6.1.6.3.1.1.4.1.0; value 1.3.6.1.6.3.1.1.5.1;
30 18 06 0a 2b 06 01 06 03 01 01 04 03 00 06 0a 2b 06 01 04 01 bf 08 03 02 0a: the third "name-value" pair; variable name 1.3.6.1.6.3.1.1.4.3.0; value 1.3.6.1.4.1.8072.3.2.10.
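As an added example (not code from this handout), the Python below decodes the frames analysed above by machine: the HCL GetResponse carrying Mr.WuZhengzhong-Mob, the SNMPv1 trap and the SNMPv2 trap. It strips the Ethernet, IPv4 and UDP headers, then walks the BER tag-length-value structure checking every length against its enclosing element, which is exactly what the hand analysis does field by field. The same decoder is also run on the "after modifying it" GetResponse dump: there the sysContact string was replaced by a 33-byte one while the surrounding lengths (04 1f, 30 2b, 30 2d, a2 3b) were left as they were, so a strict decoder rejects that dump. Nothing is assumed beyond the bytes on the page; the function names are this example's own.

```python
# Added example, not from the lab handout: a strict BER decoder for the frames dumped above.
# Frame hex is copied from this handout (Ethernet + IPv4 + UDP + SNMP); nothing else is assumed.
INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER32, GAUGE32, TIMETICKS = 0x40, 0x41, 0x42, 0x43  # APPLICATION 0..3
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "SNMPv2-Trap"}
FRAME_GETRESPONSE = """00 0c 29 ea d2 35 0c cd 87 b7 01 05 08 00
45 00 00 66 00 51 00 00 ff 11 c8 99 c0 a8 38 6f c0 a8 38 dc  00 a1 8a 42 00 52 98 86
30 48 02 01 01 04 06 70 75 62 6c 69 63 a2 3b 02 04 09 6a 72 95 02 01 00 02 01 00
30 2d 30 2b 06 08 2b 06 01 02 01 01 04 00 04 1f 4d 72 2e 57 75 5a 68 65 6e 67 7a
68 6f 6e 67 2d 4d 6f 62 3a 31 35 35 32 33 32 33 32 35 35 31"""
# The "after modifying it" dump: a 33-byte sysContact (04 21) under enclosing lengths that still fit 31
FRAME_MODIFIED = FRAME_GETRESPONSE.split("04 1f")[0] + "04 21 " + b"Wu Zhengzhong <1531036898@qq.com>".hex(" ")
FRAME_V1_TRAP = """00 23 5a 9e 58 b9 00 4c 41 49 50 55 08 00
45 00 00 48 00 00 40 00 40 11 a5 4e c0 a8 0a 01 c0 a8 0a 05  0c 00 00 a2 00 34 ff e0
30 2a 02 01 00 04 06 70 75 62 6c 69 63 a4 1d 06 0a 2b 06 01 04 01 bf 08 03 02 0a
40 04 c0 a8 0a 01 02 01 00 02 01 00 43 01 0e 30 00"""
FRAME_V2_TRAP = """00 23 5a 9e 58 b9 00 4c 41 49 50 55 08 00
45 00 00 7b 00 00 40 00 40 11 a5 1b c0 a8 0a 01 c0 a8 0a 05  0c 01 00 a2 00 67 04 bb
30 5d 02 01 01 04 06 70 75 62 6c 69 63 a7 50 02 04 17 73 2c fb 02 01 00 02 01 00
30 42 30 0d 06 08 2b 06 01 02 01 01 03 00 43 01 0e
30 17 06 0a 2b 06 01 06 03 01 01 04 01 00 06 09 2b 06 01 06 03 01 01 05 01
30 18 06 0a 2b 06 01 06 03 01 01 04 03 00 06 0a 2b 06 01 04 01 bf 08 03 02 0a"""

def read_tlv(buf, pos, end):
    """Tag + length at pos -> (tag, value_start, value_end); the value may not run past `end`."""
    if pos + 2 > end:
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length, cur = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        if n == 0 or cur + n > end:
            raise ValueError(f"bad long-form length at offset {pos}")
        length, cur = int.from_bytes(buf[cur:cur + n], "big"), cur + n
    if cur + length > end:                              # the check that catches an edited inner length
        raise ValueError(f"tag 0x{tag:02x} at offset {pos}: length {length} overruns "
                         f"its enclosing element ({end - cur} bytes left)")
    return tag, cur, cur + length

def decode_oid(b):
    """First byte holds 40*x+y; later arcs are base-128, high bit set while more bytes follow."""
    arcs, value = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

VALUE_DECODERS = {INTEGER: lambda b: int.from_bytes(b, "big", signed=True),
                  OCTET_STRING: lambda b: b.decode("ascii"), OBJECT_ID: decode_oid,
                  IPADDRESS: lambda b: ".".join(map(str, b)),  # APPLICATION 0: 4 raw bytes
                  NULL: lambda b: None}
VALUE_DECODERS.update(dict.fromkeys((COUNTER32, GAUGE32, TIMETICKS), lambda b: int.from_bytes(b, "big")))

def read_field(buf, pos, end, expect=None):
    """Decode one value field (optionally of a required tag) -> (value, position after it)."""
    tag, p, e = read_tlv(buf, pos, end)
    if (expect is not None and tag != expect) or tag not in VALUE_DECODERS:
        raise ValueError(f"unexpected tag 0x{tag:02x} at offset {pos}")
    return VALUE_DECODERS[tag](buf[p:e]), e

def decode_varbinds(buf, pos, end):
    """VarBindList = SEQUENCE OF VarBind; VarBind = SEQUENCE { name OID, value }."""
    tag, pos, list_end = read_tlv(buf, pos, end)
    if tag != SEQUENCE or list_end != end:
        raise ValueError("VarBindList missing or not filling the rest of the PDU")
    out = []
    while pos < list_end:
        tag, p, e = read_tlv(buf, pos, list_end)
        name, p = read_field(buf, p, e, OBJECT_ID)
        value, p = read_field(buf, p, e)
        if tag != SEQUENCE or p != e:
            raise ValueError(f"malformed VarBind at offset {pos}")
        out.append((name, value))
        pos = e
    return out

def decode_snmp(msg):
    """Message = SEQUENCE { version, community, PDU }; a v1 Trap-PDU has its own fields,
    every other PDU carries request-id, error-status, error-index and a VarBindList."""
    tag, pos, end = read_tlv(msg, 0, len(msg))
    version, pos = read_field(msg, pos, end, INTEGER)
    community, pos = read_field(msg, pos, end, OCTET_STRING)
    pdu_tag, pos, pdu_end = read_tlv(msg, pos, end)
    if tag != SEQUENCE or pdu_end != end:
        raise ValueError("message is not SEQUENCE { version, community, PDU }")
    out = {"version": version, "community": community,
           "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")}
    fields = ([("enterprise", OBJECT_ID), ("agent_addr", IPADDRESS), ("generic_trap", INTEGER),
               ("specific_trap", INTEGER), ("time_stamp", TIMETICKS)] if pdu_tag == 0xA4 else
              [("request_id", INTEGER), ("error_status", INTEGER), ("error_index", INTEGER)])
    for key, want in fields:
        out[key], pos = read_field(msg, pos, pdu_end, want)
    out["varbinds"] = decode_varbinds(msg, pos, pdu_end)
    return out

def decode_frame(frame_hex):
    """Skip Ethernet (14), IPv4 (IHL*4) and UDP (8) headers, then decode the SNMP payload."""
    frame = bytes.fromhex(frame_hex)
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    return decode_snmp(udp[8:int.from_bytes(udp[4:6], "big")])
```

decode_frame(FRAME_GETRESPONSE) yields request ID 0x096a7295 and the single binding 1.3.6.1.2.1.1.4.0 = "Mr.WuZhengzhong-Mob:15523232551"; the v1 trap decodes to enterprise 1.3.6.1.4.1.8072.3.2.10, agent 192.168.10.1, generic trap 0 (coldStart) and time stamp 14; the v2 trap to request ID 393424123 with its three bindings. The modified dump raises ValueError at the 04 21 value, since 33 bytes do not fit the 31 that the enclosing 30 2b leaves for it; the same bound check is what keeps a decoder from reading past a packet on a length field an attacker controls.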