SNMP Traps and Network Management
SNMP traps are a crucial part of a complete network management solution. Traps use a push method of communication: an agent sends unsolicited information about itself to a network manager, in the form of an SNMP message called a Trap, Notification, or Inform. The manager then uses this information to work out which events in the network can affect the business. Fault management consists primarily of these traps, which makes it a reactive type of technology. Performance management, on the other hand (a practice that does not capture traps), consists of polling, or "proactive" monitoring: a polling process contacts the list of agents in the manager's configuration, talks to them on port 161, and queries them for the statistics that the manager is interested in. Both approaches have their advantages and disadvantages, but the focus here is the SNMP protocol and how it relates to these trap messages.

The Trap message has several different components. Here we will discuss only the SNMP version 1 trap. There are other versions, including version 2 and version 3, but they are beyond the scope of this article. The easiest way to see these components is to use a protocol analyzer (also known as a sniffer) and capture the SNMP messages on the wire. Once they are captured, the observer can see that the protocol data unit (PDU) is broken up into several parts: the enterprise, the agent address, the generic and specific trap values, a time-stamp, and a list of variable bindings.

The Trap Enterprise field gives information, in the format of an Object Identifier (OID), about the vendor of the equipment or agent that the trap originated from. This gives a network manager an easy way of looking up the information and cross-referencing it with other events and/or faults. The agent address contains information about the originator (the sender) of the trap. This address, in the form of an Internet Protocol (IP) address, is not always that of the sender, especially when the trap was forwarded through an intermediary system. The Generic and Specific Type fields give the fault manager software an exact idea of the type of trap that is being sent. The timestamp specifies the exact time that this message was created and sent out on the wire. Finally, the variable bindings include additional, detailed information that is specific to this event and that the manager can use to determine more about it.

To sum up, the SNMP Trap PDU is not so simple, but luckily we have smart network monitoring programs and algorithms that know how to identify, decipher and act quickly on this information.

Article Directory: http://www.articledashboard.com

For more info about SNMP Traps, or especially Fault Management, please visit www.oidview.com
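The version 1 Trap PDU fields described above, decoded from raw bytes, as an added example that is not part of the original article. It follows the RFC 1157 wire layout; the sample datagram, the enterprise OID 1.3.6.1.4.1.99999, the IP addresses, and the names tlvs, oid, parse_v1_trap and addr_mismatch are constructed for illustration.

```python
GENERIC = ["coldStart", "warmStart", "linkDown", "linkUp",
           "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def tlvs(buf):
    """Split BER content octets into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: low 7 bits count length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV value")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid(value):
    """Decode OID content octets into dotted notation."""
    subs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128; high bit means more octets follow
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    return ".".join(map(str, subs))

def parse_v1_trap(datagram, udp_source):
    """Return the Trap-PDU fields; udp_source is the packet's source IP on the wire."""
    ((_, msg),) = tlvs(datagram)            # outer SEQUENCE; malformed input raises ValueError
    (_, version), (_, community), (tag, pdu) = tlvs(msg)
    if version != b"\x00" or tag != 0xA4:   # version 0 = SNMPv1, 0xA4 = Trap-PDU
        raise ValueError("not an SNMPv1 Trap-PDU")
    ent, addr, gen, spec, ticks, vbl = (v for _, v in tlvs(pdu))  # wire order
    binds = []
    for _, vb in tlvs(vbl):                 # each VarBind is SEQUENCE { name, value }
        (_, name), (vtag, val) = tlvs(vb)
        binds.append((oid(name), vtag, val))
    agent, g = ".".join(map(str, addr)), int.from_bytes(gen, "big")
    return {"community": community.decode("latin-1"), "enterprise": oid(ent),
            "agent_addr": agent, "generic": GENERIC[g] if g < len(GENERIC) else g,
            "specific": int.from_bytes(spec, "big"), "varbinds": binds,
            "timeticks": int.from_bytes(ticks, "big"),  # time-stamp field (TimeTicks)
            "addr_mismatch": agent != udp_source}       # trap may have been forwarded

# Constructed sample (not a real capture): linkDown trap, community "public".
SAMPLE = bytes.fromhex(
    "303a 020100 04067075626c6963 a42d 06082b06010401868d1f 4004c000020a"
    " 020102 020100 43023039 3011300f060a2b060102010202010102 020102")
```

Because a forwarded trap carries the original agent address inside the PDU, a receiver that keys events on agent_addr should record the UDP source alongside it.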
© 2005-2011 Article Dashboard