[mrtg] Fwd: MRTG& SNMPv3
Daniel McDonald
dan.mcdonald at austinenergy.com
Wed Apr 24 16:22:27 CEST 2013
On 4/23/13 7:47 PM, "Tom Smyth" <tom.smyth at wirelessconnect.eu> wrote:
>
> Hi Lads,
>
> I was wondering if someone could help me, I have a query about how to get
> Cfgmaker and MRTG to talk SNMPv3
>
> with Privacy and Authentication enabled, to a Router.
>
> I can snmp walk the router fine... I just can't get mrtg + snmpv3 working...
>
> I know it may not be straightforward but I'm looking for a fully worked snmp
> example... I am willing to pay someone for this so you can contact me on my
> email regarding this... or if you don't want to be paid more money I will
> donate more money to the project...
I normally sniff an interactive poll to determine the engineid. The
net-snmp-utils library doesn't detect it properly, but snmpwalk does. You
don't even need correct credentials:
$ tcpdump -vvv -x host somehost &
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535
bytes
$ snmpwalk -v3 -u foofoo -l authpriv -A 12345678 -X 12345678 somehost
09:13:05.621967 IP (tos 0x0, ttl 64, id 9037, offset 0, flags [none], proto
UDP (17), length 92, bad cksum 0 (->85d0)!)
10.10.207.244.57070 > elroy-probe.austin-energy.net.snmp: [bad udp cksum
6c33!] { SNMPv3 { F=r } { USM B=0 T=0 U= } { ScopedPDU E= C= {
GetRequest(14) R=1116332740 } } }
0x0000: 4500 005c 234d 0000 4011 0000 0a0a cff4
0x0010: 0a02 ed73 deee 00a1 0048 d1cd 303e 0201
0x0020: 0330 1102 0455 d8d3 a002 0300 ffe3 0401
0x0030: 0402 0103 0410 300e 0400 0201 0002 0100
0x0040: 0400 0400 0400 3014 0400 0400 a00e 0204
0x0050: 4289 e2c4 0201 0002 0100 3000
09:13:05.683814 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto UDP
(17), length 120)
elroy-probe.austin-energy.net.snmp > 10.10.207.244.57070: [udp sum ok]
{ SNMPv3 { F= } { USM B=7 T=2922798 U= } { ScopedPDU E= C= { Report(29) R=0
S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=11458 } } }
0x0000: 4500 0078 0000 4000 f711 b200 0a02 ed73
0x0010: 0a0a cff4 00a1 deee 0064 10f6 305a 0201
0x0020: 0330 1102 0455 d8d3 a002 0300 ffe3 0401
0x0030: 0002 0103 041d 301b 040b 8000 43dd 0300
0x0040: 1985 e03e ce02 0107 0203 2c99 2e04 0004
0x0050: 0004 0030 2304 0004 00a8 1d02 0100 0201
0x0060: 0002 0100 3012 3010 060a 2b06 0106 030f
0x0070: 0101 0400 4102 2cc2
09:13:05.684078 IP (tos 0x0, ttl 64, id 3357
The engineID is in offset 0x003A and the length is specified in 0x0039.
Wireshark will break that out for you... TCPdump not-so-much... In this
case:
800043dd03001985e03ece
Now I can add --engineid=800043dd03001985e03ece to cfgmaker and discover it
fine.
>
> I currently have the following packages installed on a Centos 6.4 i386 box
> mrtg-2.16.2-7.el6.i686
> mrtg-libs-2.16.2-7.el6.i686
>
> net-snmp-utils-5.5-44.el6.i686
> net-snmp-perl-5.5-44.el6.i686
> net-snmp-5.5-44.el6.i686
> net-snmp-libs-5.5-44.el6.i686
> net-snmp-devel-5.5-44.el6.i686
>
> rrdtool-devel-1.3.8-6.el6.i686
> rrdtool-1.3.8-6.el6.i686
> rrdtool-perl-1.3.8-6.el6.i686
>
>
>
> My router SNMP v3 config
> /snmp community
> set [ find default=yes ] addresses=10.0.0.0/8
> authentication-password=testtest authentication-protocol=SHA1
> encryption-password=testtest name=Read_Only security=private
> /snmp
> set contact=support at wirelessconnect.eu enabled=yes trap-community=
> Read_Only trap-target=0.0.0.0 trap-version=3
>
>
> What I'm looking for is a working example of
> MRTG Cfgmaker command that would successfully connect to a router with the
> configuration above with Auth and Priv enabled for a given context ID ... on
> SNMPv3
>
> If you have to do something funky with context ID ...? for example
>
>
> I get weird unrecognised ASN.1 errors from the Cfgmaker script with
> hexadecimal references that change every time I modify the cfgmaker command.
>
> I have tried many things and I just want someone to give me assistance to get
> the Cfgmaker command working...
>
> I can snmp walk the router fine... I just can't get mrtg + snmpv3 working...
>
>
> Below ... is some mails with more information
>
> On Mon, Apr 22, 2013 at 7:29 AM, Tom Smyth <tom.smyth at wirelessconnect.eu>
> wrote:
>> Hi lads,
>>
>> Does anyone have tips here for me? I just don't get how to get around the
>> Context ID,
>>
>> I can snmpwalk no problem without the context ID.. (which is not set on the
>> router as it is optional)
>>
>> But every time I set it on the router and I set it on the command
>>
>> on Mrtg Server I set the following command
>> cfgmaker --enablesnmpv3 --contextengineid "" --username=Read_Only
>> --authpassword=testtest --authprotocol=sha --privpassword=testtest
>> --privprotocol=des --ifref=ip --community=Read_Only 10.17.1.250:::::3
>>
>>
>> I get this error on the router
>>
>> 07:21:39 snmp,debug v3 err: 3 unknown engine id
>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>> 07:21:39 snmp user: Read_Only_Secure
>> 07:21:39 snmp,debug v3 err: 1 not in time window or incorrect engine boots
>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>> 07:21:39 snmp user: Read_Only_Secure
>> 07:21:39 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
>>
>>
>> Any Help or advice would be appreciated
>>
>>
>> On Thu, Jan 24, 2013 at 11:00 PM, Tom Smyth <tom.smyth at wirelessconnect.eu>
>> wrote:
>>> Hi lads,
>>>
>>> Does anyone have any tips for running MRTG and SNMPv3 (with Auth and Priv)
>>> SHA & DES
>>>
>>> I have been having issues with Cfgmaker not accepting my command without
>>> mandatory Context ID (even though context ID is Optional)
>>> I have tried commenting out the Die if Context is not set lines in cfgmaker
>>>
>>> I have been able to SNMP walk with SNMP tools and I have been able to
>>> communicate with routers with Cacti...
>>>
>>> but no matter what I try I can't get MRTG cfgmaker to work....with SNMPv3
>>>
>>>
>>> I have tried with v2.17.4 and with the standard mrtg package on Centos 6.2
>>>
>>>
>>> if anyone can help me with this...
>>>
>>> anything at all ... even a sample manual mrtg.cfg file for snmpv3 would be
>>> cool
>>>
>>> Thanks for your time
>>>
>>>
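
Added example, not part of the original post or of MRTG/net-snmp: a small BER walk over the Report packet captured above, which pulls out the authoritative engineID instead of counting hex offsets by hand. It goes slightly beyond the post by also returning engineBoots and engineTime from the same USM block; the function names are hypothetical.

```python
# Second tcpdump -x dump from the post above (the Report); starts at the IP header.
PACKET = bytes.fromhex("".join("""
4500 0078 0000 4000 f711 b200 0a02 ed73
0a0a cff4 00a1 deee 0064 10f6 305a 0201
0330 1102 0455 d8d3 a002 0300 ffe3 0401
0002 0103 041d 301b 040b 8000 43dd 0300
1985 e03e ce02 0107 0203 2c99 2e04 0004
0004 0030 2304 0004 00a8 1d02 0100 0201
0002 0100 3012 3010 060a 2b06 0106 030f
0101 0400 4102 2cc2
""".split()))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one element and insist on its tag (0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def usm_parameters(ip_packet):
    """Return (engine_id_hex, engine_boots, engine_time) from an SNMPv3/UDP/IPv4 packet."""
    if ip_packet[9] != 17:
        raise ValueError("not UDP")
    ihl = (ip_packet[0] & 0x0F) * 4        # IP header length; the UDP header adds 8 bytes
    msg, _ = expect(ip_packet[ihl + 8:], 0, 0x30)
    version, pos = expect(msg, 0, 0x02)
    if int.from_bytes(version, "big") != 3:
        raise ValueError("not SNMPv3")
    _, pos = expect(msg, pos, 0x30)        # msgGlobalData (msgID, max size, flags, model)
    sec, _ = expect(msg, pos, 0x04)        # msgSecurityParameters, an OCTET STRING wrapper
    usm, _ = expect(sec, 0, 0x30)          # UsmSecurityParameters
    engine_id, p = expect(usm, 0, 0x04)    # msgAuthoritativeEngineID
    boots, p = expect(usm, p, 0x02)
    etime, _ = expect(usm, p, 0x02)
    return engine_id.hex(), int.from_bytes(boots, "big"), int.from_bytes(etime, "big")
```

The returned hex string is the value passed to cfgmaker as `--engineid=` in the reply above; boots and time match the `B=7 T=2922798` that tcpdump printed for the same packet.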