Essential for Network Monitoring: Understanding SNMP and MIB

*This article is an English translation of the Engineer Notes article as of May 10, 2023.
*Please note that the content may have been updated since then.

Original Article

Many network devices, including SYNESIS, can be monitored using SNMP. This article explains the architecture of the "SNMP" protocol used by various vendors.

Currently, there are three versions of SNMP in use: v1, v2c, and v3. Unless otherwise specified, explanations will be based on v2c.

What is SNMP?

SNMP (Simple Network Management Protocol) is a protocol used for monitoring and controlling various devices over a network. Using SNMP allows network devices and servers to be monitored for status, resources, and performance on a common platform. Without SNMP, each vendor would need to create their own specifications, making management complex. Therefore, most network devices requiring continuous operation now support SNMP.

SNMPv1 and SNMPv2c define two roles: the SNMP manager and the SNMP agent. The manager is the device (or software) that collects and displays information from the agents; products range from paid suites for large networks to free, easy-to-use tools. The agent runs on the device being monitored. Communication takes two forms: "SNMP polling," where the manager sends a request and the agent answers it, and "SNMP traps," where the agent sends information to the manager on its own initiative. In both cases the information exchanged is expressed as objects of the MIB (Management Information Base).

In polling, the manager names the object it wants by its OID (Object Identifier) and either reads it (Get, GetNext, GetBulk) or writes it (Set) in the agent's MIB.

SNMP Polling

In a trap, the agent detects an event and sends the related MIB objects to the manager without being asked. A trap is a single unacknowledged UDP datagram, so it can be lost silently; SNMPv2c adds InformRequest, a notification the manager acknowledges, for cases where that matters.

SNMP Traps

SNMPv3 (RFC 3411) describes its architecture in terms of "SNMP entities" rather than managers and agents: each entity consists of an SNMP engine plus applications, and the same entity can act in the manager role, the agent role, or both (a proxy, for example).
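The polling exchange and the trap described above, as an added example that is not part of the original article and not SYNESIS code: a minimal SNMPv2c encoder/decoder in Python covering only the BER subset SNMP needs. The reply and the trap are constructed sample messages, not captured from a device; the linkDown trap is abbreviated to its ifIndex varbind (RFC 3418 also requires ifAdminStatus and ifOperStatus).

```python
# Minimal SNMPv2c codec (added example; not SYNESIS or net-snmp code). Implements only
# the BER subset SNMP uses: RFC 3416 PDUs inside the RFC 1901 community wrapper.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest",
             0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
SNMP_V2C = 1                                   # version field: v1 = 0, v2c = 1, v3 = 3
SYS_DESCR_0, SYS_UPTIME_0 = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"      # second varbind of every v2c trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"              # standard linkDown notification (RFC 3418)


def _length(n):                                # BER length: one byte below 128, else 0x80|count + bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(value, tag=INTEGER):
    """Minimal two's complement; a leading 0x00 keeps large unsigned values positive."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def enc_oid(dotted):
    """X.690: the first two arcs share one byte (1.3 -> 0x2B), the rest are base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def dec_tlv(buf, pos=0):                       # returns (tag, body, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = dec_tlv(body, pos)
        items.append((tag, inner))
    return items


def enc_value(v):                              # None -> NULL (requests), int, str, ("oid", s), ("ticks", n)
    if v is None:
        return tlv(NULL, b"")
    if isinstance(v, int):
        return enc_int(v)
    if isinstance(v, str):
        return tlv(OCTET_STRING, v.encode())
    return enc_oid(v[1]) if v[0] == "oid" else enc_int(v[1], TIMETICKS)


def dec_value(tag, body):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):        # Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(body, "big")
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    return ("oid", dec_oid(body)) if tag == OID else None if tag == NULL else (tag, body)


def build_message(community, pdu_tag, request_id, varbinds, version=SNMP_V2C):
    """Message ::= SEQUENCE { version, community, PDU { id, error, index, varbinds } }."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + enc_value(val)) for oid, val in varbinds)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def parse_message(msg):
    (_, ver), (_, comm), (pdu_tag, pdu) = dec_seq(dec_tlv(msg)[1])
    (_, rid), (_, err), (_, idx), (_, vbl) = dec_seq(pdu)
    varbinds = []
    for _, vb in dec_seq(vbl):
        (_, oid_body), (vtag, vbody) = dec_seq(vb)
        varbinds.append((dec_oid(oid_body), dec_value(vtag, vbody)))
    return {"version": ver[0], "community": comm.decode(), "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True), "error_status": err[0],
            "error_index": idx[0], "varbinds": varbinds}


def trap_oid(parsed):                          # managers dispatch a v2c trap on snmpTrapOID.0
    return dict(parsed["varbinds"]).get(SNMP_TRAP_OID_0, (None, None))[1]


if __name__ == "__main__":
    request = build_message("public", 0xA0, 42, [(SYS_DESCR_0, None)])   # what snmpget sysDescr.0 sends
    print(request.hex())                       # "public" is in cleartext for anyone on the path
    trap = build_message("public", 0xA7, 7, [(SYS_UPTIME_0, ("ticks", 123456)), (SNMP_TRAP_OID_0, ("oid", LINK_DOWN)),
                                             ("1.3.6.1.2.1.2.2.1.1.3", 3)])   # constructed linkDown, ifIndex.3 only
    print(trap_oid(parse_message(trap)))       # nothing in v1/v2c authenticates who sent this
```

Running it prints the GetRequest bytes; the community name appears as plain ASCII inside them, which is what "plain text" means in the version summary that follows. The trap side is worth dwelling on as well: a v1/v2c trap is an unauthenticated UDP datagram, so any host that can reach the manager's UDP port 162 can inject one, and the manager can only dispatch on the snmpTrapOID.0 value it finds inside.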

SNMP Versions

Here is a brief summary of the features of each version.

Version  Description
v1       Defines five message types: GetRequest, GetNextRequest, SetRequest, GetResponse and Trap.
         Access control is a community name sent in cleartext; there is no real authentication.
v2c      Keeps the five v1 messages and adds GetBulkRequest and InformRequest.
         Community name in cleartext, as in v1.
v3       Same seven message types as v2c.
         USM (User-based Security Model) replaces the community name with a user and three security levels: noAuthNoPriv (nothing), authNoPriv (HMAC authentication with MD5 or SHA) and authPriv (authentication plus DES or AES encryption).

A v1/v2c community name is the only access control and is readable by anyone who can capture the traffic, so prefer SNMPv3 at authPriv. Where v2c is unavoidable, use a read-only community, replace the default names "public" and "private", and restrict the source addresses the agent will answer.

For details on how the versions coexist, refer to RFC 3584. More than 20 RFCs cover SNMP, split by version; RFC 3410 gives an overview of which document covers what and is a convenient place to start.

MIB Structure

The MIB is organized as a tree. Every node has a name and a number, and the numbers along the path from the root form the OID of the object at that node. MIB modules are written in SMI (Structure of Management Information, RFC 2578), a subset of ASN.1 (Abstract Syntax Notation One). All SNMP objects sit under iso(1).org(3).dod(6).internet(1), that is, the prefix 1.3.6.1: the standard objects under mgmt(2).mib-2(1) = 1.3.6.1.2.1 and vendor objects under private(4).enterprises(1) = 1.3.6.1.4.1.
There are two main types of MIBs:

MIB           Description
Standard MIB  Generic objects (MIB-2, RFC 1213/RFC 3418, and its companions) that work the same way on devices from different vendors.
Extended MIB  Objects defined independently by each vendor under its own branch of the enterprises subtree (also called private or enterprise MIBs).

Here is an example of SNMP trap decoding from SYNESIS.

SYNESIS SNMP Trap Decoding Screen

The SNMP trap OIDs sent by SYNESIS have the form "1.3.6.1.4.1.36875.xx.xx...," and belong to our extended MIB. The subtree under "1.3.6.1.4.1" (private.enterprises) holds every vendor's extended MIB, and "36875" is our Private Enterprise Number. A PEN is unique to each organization and is registered with IANA (Private Enterprise Numbers, PENs).
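What an SNMP manager does with the MIB files it is given, as an added Python example that is not SYNESIS or net-snmp code: a trie of OID arcs with longest-prefix resolution, so an OID resolves to symbolic names as far as the loaded MIBs reach and stays numeric beyond that. STANDARD_NODES holds real arcs from MIB-2 and SNMPv2-MIB; VENDOR_NODES is a hypothetical excerpt under the PEN 36875 cited above, whose node names are invented for this example and are not the SYNESIS MIB.

```python
# OID resolution against a MIB tree (added example; not SYNESIS or net-snmp code).
# STANDARD_NODES: real arcs from RFC 1213 / RFC 3418.
STANDARD_NODES = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.2": "mgmt", "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.1": "system", "1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.2": "interfaces", "1.3.6.1.2.1.2.2": "ifTable",
    "1.3.6.1.2.1.2.2.1": "ifEntry", "1.3.6.1.2.1.2.2.1.1": "ifIndex",
    "1.3.6.1.4": "private", "1.3.6.1.4.1": "enterprises",
    "1.3.6.1.6": "snmpV2", "1.3.6.1.6.3": "snmpModules", "1.3.6.1.6.3.1": "snmpMIB",
    "1.3.6.1.6.3.1.1": "snmpMIBObjects", "1.3.6.1.6.3.1.1.4": "snmpTrap",
    "1.3.6.1.6.3.1.1.4.1": "snmpTrapOID", "1.3.6.1.6.3.1.1.5": "snmpTraps",
    "1.3.6.1.6.3.1.1.5.3": "linkDown", "1.3.6.1.6.3.1.1.5.4": "linkUp",
}

# Hypothetical vendor MIB excerpt: 36875 is the PEN the article cites, but every name
# below it is invented for this example and is not the real SYNESIS MIB.
VENDOR_NODES = {
    "1.3.6.1.4.1.36875": "toyo",
    "1.3.6.1.4.1.36875.1": "exampleProduct",
    "1.3.6.1.4.1.36875.1.2": "exampleTraps",
    "1.3.6.1.4.1.36875.1.2.1": "exampleLinkDown",
}

ENTERPRISES = "1.3.6.1.4.1"


def arcs_of(dotted):
    return [int(a) for a in dotted.strip(".").split(".")]


class MibTree:
    """Trie keyed by OID arc; each node carries its name and its children."""

    def __init__(self):
        self.root = {"name": None, "children": {}}

    def load(self, nodes):
        """Register one module's nodes; loading a vendor MIB later just extends the tree."""
        for dotted, name in nodes.items():
            cur = self.root
            for arc in arcs_of(dotted):
                cur = cur["children"].setdefault(arc, {"name": None, "children": {}})
            cur["name"] = name

    def resolve(self, dotted):
        """Longest-prefix match: (symbolic names matched, numeric arcs left over)."""
        cur, names, rest = self.root, [], []
        for arc in arcs_of(dotted):
            nxt = None if rest else cur["children"].get(arc)
            if nxt is None:
                rest.append(str(arc))
            else:
                names.append(nxt["name"] or str(arc))
                cur = nxt
        return names, rest

    def short(self, dotted):
        """Last known name plus the numeric remainder, close to net-snmp's default output."""
        names, rest = self.resolve(dotted)
        return ".".join(names[-1:] + rest)

    def full(self, dotted):
        names, rest = self.resolve(dotted)
        return ".".join(names + rest)


def enterprise_number(dotted):
    """The PEN of an enterprise OID, or None for anything outside 1.3.6.1.4.1.<pen>."""
    arcs, prefix = arcs_of(dotted), arcs_of(ENTERPRISES)
    if arcs[:len(prefix)] == prefix and len(arcs) > len(prefix):
        return arcs[len(prefix)]
    return None


if __name__ == "__main__":
    tree = MibTree()
    tree.load(STANDARD_NODES)
    trap = "1.3.6.1.4.1.36875.1.2.1"              # hypothetical enterprise trap OID
    print(tree.short("1.3.6.1.2.1.1.1.0"))        # standard object: resolves fully
    print(tree.short(trap), enterprise_number(trap))   # vendor MIB not loaded: numeric past "enterprises"
    tree.load(VENDOR_NODES)                        # the step "add the vendor MIB to your manager"
    print(tree.short(trap))                        # now a symbolic name the manager can filter on
```

The second print is exactly the situation a manager is in before a vendor MIB is loaded: it can still tell from the prefix which vendor the trap belongs to (the PEN), but nothing more. Loading the vendor's MIB is what turns the remaining arcs into names.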

Useful snmpwalk Command

Once you have the basics of SNMP, the snmpwalk command lets you look at real data. snmpwalk retrieves information from a specified SNMP agent from a Linux terminal, which makes it a convenient way to check that an agent is up and answering without setting up a separate SNMP manager. The command comes with the net-snmp tools, which you need to install and configure first; the package name varies by distribution (for example "snmp" on Debian/Ubuntu and "net-snmp-utils" on RHEL-family systems), so refer to your distribution's documentation.

$ snmpwalk [OPTIONS] AGENT [OID]

With net-snmp the community name is passed with the -c option rather than as a positional argument, and the SNMP version with -v.

Here are some common options and usage examples. AGENT can include a transport and port ("udp:192.168.0.1:1161"); if no port is given, UDP port 161 is used by default.

# Read sysDescr.0 ("1.3.6.1.2.1.1.1.0") from the agent at 192.168.0.1 with community "public" over SNMPv1.
# snmpwalk lists the subtree below the OID you give it, so for a single instance use snmpget;
# walking the system group ("1.3.6.1.2.1.1") returns every object in it.
$ snmpget -v 1 -c public 192.168.0.1 1.3.6.1.2.1.1.1.0
$ snmpwalk -v 1 -c public 192.168.0.1 1.3.6.1.2.1.1

# Retrieve everything the agent at 192.168.0.1 exposes (walk from OID "1") with community "public" over SNMPv2c
# and save it to a file. Add -On to print numeric OIDs; snmpbulkwalk uses GetBulkRequest and is much faster on large tables.
$ snmpwalk -v 2c -c public 192.168.0.1 1 > snmp_results.txt

# Read sysDescr.0 from 192.168.0.1 over SNMPv3 as user "myuser" at security level authPriv, with MD5 authentication
# (password "mypassword") and DES encryption (password "myencryptionpass").
# -l authPriv is required: without it net-snmp sends the request as noAuthNoPriv and an agent that requires
# authentication rejects it ("Unsupported security level"). MD5 and DES are kept here to match the original example;
# use -a SHA -x AES on any agent that supports them.
$ snmpget -v 3 -l authPriv -u myuser -a MD5 -A mypassword -x DES -X myencryptionpass 192.168.0.1 1.3.6.1.2.1.1.1.0

# Passwords typed on the command line end up in the shell history and are visible to other users in the process list.
# net-snmp can read them from ~/.snmp/snmp.conf instead (defSecurityName, defSecurityLevel, defAuthType,
# defAuthPassphrase, defPrivType, defPrivPassphrase), so that only the agent and the OID remain on the command line.
$ snmpget -v 3 192.168.0.1 1.3.6.1.2.1.1.1.0

Note that the details of options may vary depending on your Linux distribution and SNMP version, so check the help or man command as needed.

New MIB Version of SYNESIS

Version 8.0 of the packet capture product "SYNESIS" is released this month. It extends SYNESIS's monitoring features and revises the MIB so that SNMP traps can be told apart by OID.
SYNESIS has alert functions that detect network anomalies during capture. With thresholds set in advance, it can detect conditions such as network overload or frequent retransmissions and send an SNMP trap.
It also sends SNMP traps when an external factor prevents SYNESIS from operating normally, for example a link down during capture or a failure to write to the pcap storage.

Before 8.0, every SNMP trap from SYNESIS carried the same OID, so the manager had to parse the message text to work out what had happened. From version 8.0 onwards, each event is sent as a trap with its own OID, which a manager can filter and route on directly. To make use of this, add the updated SYNESIS MIB to your SNMP manager.

The SYNESIS MIB can be downloaded from the "SYNESIS Documentation & Distribution Files" section reached via the help button. When loading it into the SNMP manager, note that MIB files have dependencies: the "TOYO SYNESIS MIB file" depends on the "TOYO MIB file", so both must be loaded.

SYNESIS MIB

We highly recommend that current SYNESIS users upgrade to version 8.0, which makes SNMP monitoring of SYNESIS considerably easier to work with. If you are unsure whether your device can be upgraded, please contact us.


Afterword

With the SYNESIS MIB update making trap handling more convenient, we took the opportunity to summarize "SNMP" and "MIB" once more. SNMP is an old protocol, and many people are likely still relying on it.

We also introduced the distribution method for SYNESIS MIB. Network device MIBs may be updated with firmware upgrades. Since distribution methods vary by vendor, check their websites for details. Regularly reviewing not only firmware but also MIBs can lead to more efficient network monitoring.