[snmp] decoding traps from a multi homed host - raw pdu listener

Birgit Arkesteijn birgit at westhawk.co.uk
Thu Mar 20 11:59:10 GMT 2008


Dear Sri,

This "chicken and egg" is a recurring problem.

The philosophy is that a trap listener always knows who sends traps and 
what the parameters are (like community name) of that trap.
After all, the community name is a security measure (albeit a poor one).

I understand from your email that the community name that is sent with 
each trap request will differ from machine to machine. Is that correct?
It's a slightly surprising setup, but I'm sure it has its reasons.

If that's the case, yes, you have a problem.
However, when using SNMPv1 and v2c, you can change the stack easily to 
decode those traps.
For example, you can change
   uk.co.westhawk.snmp.stack.AsnDecoderv1.DecodeSNMP(InputStream in, String community)
and omit the community parameter and remove the test on the community name.
You could even make a version that joins v1 & v2c, by omitting the test 
on the SNMP version as well.

You run the risk of accepting malicious traps, but it sounds like you're 
not that bothered about the community name anyway.

Hope the above helps,
Birgit




On 19/03/08 17:57, Nookala, Sridevi (Sridevi) wrote:
> Dear westhawk,
>
> In my code I am listening for traps on a specific port using Listening
> context pool, I am using my own trap listener this way
>
> new ListeningContextPool( port).addListener( listener);
>
> Where listener = new MyRawPduListenerImp();
>
> public class MyRawPduListenerImp implements RawPduListener
> {
>     public void rawPduReceived(RawPduEvent evt)
>     {
>         try
>         {
>             // RawPduEvent is always undecoded.
>             // If it is an undecoded trap, then the version number, the
>             // hostAddress and the byte array are available.
>
>             // The SNMP version number of the trap. The version is part of
>             // an undecoded trap event.
>             int version = evt.getVersion();
>
>             // The IP address of the host where the trap came from. The
>             // host address is part of an undecoded trap event.
>             String host = evt.getHostAddress();
>
>             // To decode an undecoded trap event, you create a context on
>             // the fly and call processIncomingPdu.
>             // The context should contain all the parameters needed to
>             // decode the message.
>             if ( ( version == SnmpConstants.SNMP_VERSION_1 ) ||
>                  ( version == SnmpConstants.SNMP_VERSION_2c ) )
>             {
>                 SnmpContextBasisFace context = getSnmpContext( host, port, version );
>
>                 System.err.println("context is " + context.toString() );
>
>                 if ( context instanceof SnmpContextv2c )
>                     ((SnmpContextv2c)context).setCommunity( getCommunity(host) );
>                 else if ( context instanceof SnmpContext )
>                     ((SnmpContext)context).setCommunity( getCommunity(host) );
>
>                 System.err.println("context again is " + context.toString() );
>
>                 Pdu trapPdu = context.processIncomingPdu(evt.getMessage());
>             }
>         }
>         catch (Exception e) { }
>     }
> }
>
> Now the trap sender for me is a multihomed host. So the "FROM ADDRESS"
> got via evt.getHostAddress() is header. The actual instance address/
> Ethernet address is not available until I have a PDU as it is one of the
> varbinds.
>
> The trap pdu is not available unless I decode it and for decoding the
> trap from raw byte array, I need the correct community.
>
> I don't have the community for this Header IP. I have the community
> configured only for each of its "interface address"
>
> So I kind of have a chicken / egg issue. I need the community to get
> pdu on the fly and I do not know the community unless I have the pdu as
> one of the varbinds is the interface address.
>
> Is there any way, I can get the actual interface address from
> RawPduEvt and not the base address/ header ip
>
> Thx,
> Sri

-- 
-- Birgit Arkesteijn, birgit at westhawk.co.uk,
-- Westhawk Ltd, Albion Wharf, 19 Albion Street, Manchester M1 5LN, UK
-- Company no: 1769350
-- Registered Office:
-- 15 London Road, Stockton Heath, Warrington WA4 6SJ. UK.
-- tel.: +44 (0)161 237 0660
-- <URL: http://www.westhawk.co.uk>
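
Added example, not part of the original message or of the Westhawk stack: in SNMPv1/v2c the community is carried in clear text ahead of the PDU, so the test removed from the decoder can be reapplied after decoding, once the interface address varbind is known. The class name, the address-to-community map and the sample bytes are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Map;

// Added example (hypothetical class, not part of the Westhawk stack).
public final class CommunityPeek {
    private final byte[] buf;
    private int pos = 0;
    private CommunityPeek(byte[] msg) { buf = msg; }
    // Read one BER tag and definite length; leaves pos at the first value octet.
    private int header(int expectedTag) {
        if (pos + 2 > buf.length || (buf[pos++] & 0xFF) != expectedTag)
            throw new IllegalArgumentException("unexpected BER tag");
        int len = buf[pos++] & 0xFF;
        if (len >= 0x80) {                        // long form: low 7 bits count the length octets
            int n = len & 0x7F;
            if (n == 0 || n > 2 || pos + n > buf.length)
                throw new IllegalArgumentException("unsupported BER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (buf[pos++] & 0xFF);
        }
        if (len > buf.length - pos) throw new IllegalArgumentException("truncated message");
        return len;
    }
    // Community bytes as received; nothing is compared here.
    static byte[] community(byte[] msg) {
        CommunityPeek p = new CommunityPeek(msg);
        p.header(0x30);                           // Message ::= SEQUENCE
        int vlen = p.header(0x02);                // version INTEGER: 0 = v1, 1 = v2c
        if (vlen != 1 || (p.buf[p.pos] & 0xFF) > 1)
            throw new IllegalArgumentException("not SNMPv1/v2c");
        p.pos += vlen;
        int clen = p.header(0x04);                // community OCTET STRING
        return Arrays.copyOfRange(p.buf, p.pos, p.pos + clen);
    }
    // Run after decoding: interfaceAddr is the address taken from the trap's varbind.
    static boolean accept(byte[] msg, String interfaceAddr, Map<String, String> configured) {
        String expected = configured.get(interfaceAddr);
        if (expected == null) return false;       // no community configured: drop the trap
        return MessageDigest.isEqual(community(msg), expected.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) {
        // Constructed sample: v2c header, community "public", empty SNMPv2-Trap PDU (tag 0xa7).
        byte[] msg = {0x30, 0x0d, 2, 1, 1, 4, 6, 'p', 'u', 'b', 'l', 'i', 'c', (byte) 0xa7, 0};
        Map<String, String> configured = Map.of("192.0.2.10", "public", "192.0.2.11", "other");
        System.out.println(accept(msg, "192.0.2.10", configured));
        System.out.println(accept(msg, "192.0.2.11", configured));
    }
}
```

A trap whose varbind names an interface with a different configured community, or none, is rejected, so the per-interface check survives even though the decoder itself no longer tests the community.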

