snmpd manpage


SNMPD(8)			   Net-SNMP			      SNMPD(8)

       snmpd - daemon to respond to SNMP request packets.


       snmpd  is  an SNMP agent which binds to a port and awaits requests from
       SNMP management software.  Upon receiving a request, it	processes  the
       request(s),  collects  the  requested  information  and/or performs the
       requested operation(s) and returns the information to the sender.

       -a      Log the source addresses of incoming requests.

       -A      Append to the log file rather than truncating it.

       -c FILE Read FILE as a configuration file (or a comma-separated list of
	       configuration  files).	Note  that  the	 loaded file will only
	       understand snmpd.conf tokens, unless the configuration type  is
	       specified in the file as described in the snmp_config man page.

       -C      Do not read any configuration files except the ones optionally
	       specified by the -c option.  Note that this behaviour also
	       covers the persistent configuration files.  This may result in
	       dynamically-assigned values being reset following an agent
	       restart, unless the relevant persistent config files are
	       explicitly loaded using the -c option.

       -d      Dump (in hexadecimal) the sent and received SNMP packets.

	       Turn  on	 debugging output for the given TOKEN(s).  Without any
	       tokens specified, it defaults to printing all the tokens (which
	       is equivalent to the keyword "ALL").  You might want to try ALL
	       for extremely verbose output.  Note: You cannot put a space
	       between the -D flag and the listed TOKENs.

       -f      Do not fork() from the calling shell.

       -g GID  Change  to  the	numerical group ID GID after opening listening

       -h, --help
	       Display a brief usage message and then exit.

       -H      Display a list of configuration file directives	understood  by
	       the agent and then exit.

       -I [-]INITLIST
	       Specifies  which	 modules should (or should not) be initialized
	       when the agent starts up.  If the comma-separated  INITLIST  is
	       preceded	 with a '-', it is the list of modules that should not
	       be started.  Otherwise this is the list	of  the	 only  modules
	       that should be started.

	       To get a list of compiled modules, run the agent with the
	       arguments -Dmib_init -H (assuming debugging support has been
	       compiled in).

	       Specify where logging output should be directed (standard error
	       or output, to a file or via syslog).  See  LOGGING  OPTIONS  in
	       snmpcmd(5) for details.

       -m MIBLIST
	       Specifies  a  colon  separated  list of MIB modules to load for
	       this application.   This	 overrides  the	 environment  variable
	       MIBS.  See snmpcmd(1) for details.

       -M DIRLIST
	       Specifies  a  colon separated list of directories to search for
	       MIBs.  This overrides the environment  variable	MIBDIRS.   See
	       snmpcmd(1) for details.

       -n NAME Set an alternative application name (which will affect the
	       configuration files loaded).  By default this will be snmpd,
	       regardless of the name of the actual binary.

       -p FILE Save the process ID of the daemon in FILE.

       -q      Print simpler output for easier automated parsing.

       -r      Do not require root access to run the daemon.  Specifically, do
	       not exit if files only accessible to root  (such	 as  /dev/kmem
	       etc.) cannot be opened.

       -u UID  Change  to  the user ID UID (which can be given in numerical or
	       textual form) after opening listening sockets.

       -U      Instructs the agent to not remove its  pid  file	 (see  the  -p
	       option)	on  shutdown. Overrides the leave_pidfile token in the
	       snmpd.conf file, see snmpd.conf(5).

       -v, --version
	       Print version information for the agent and then exit.

       -V      Symbolically dump SNMP transactions.

       -x ADDRESS
	       Listens for AgentX connections on the specified address	rather
	       than  the default "/var/agentx/master".	The address can either
	       be a Unix domain socket path,  or  the  address	of  a  network
	       interface.   The	 format is the same as the format of listening
	       addresses described below.

       -X      Run as an AgentX subagent rather than as an SNMP master agent.

	       Allows any token ("name") supported in the snmpd.conf file to
	       be specified, and sets its value to "value".  Overrides the
	       corresponding token in the snmpd.conf file.  See snmpd.conf(5)
	       for the full list of tokens.

       By default, snmpd listens for incoming SNMP requests on UDP port 161 on
       all IPv4 interfaces.  However, it is possible to modify this  behaviour
       by specifying one or more listening addresses as arguments to snmpd.  A
       listening address takes the form:


       At its simplest, a listening address may consist only of a port number,
       in  which  case	snmpd listens on that UDP port on all IPv4 interfaces.
       Otherwise, the <transport-address> part of the specification is	parsed
       according to the following table:

	   <transport-specifier>       <transport-address> format

	   udp (default)	       hostname[:port] or IPv4-address[:port]

	   tcp			       hostname[:port] or IPv4-address[:port]

	   unix			       pathname

	   ipx			       [network]:node[/port]

	   aal5pvc or pvc	       [interface.][VPI.]VCI

	   udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]

	   tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]

	   ssh			       hostname:port

	   dtlsudp		       hostname:port

       Note that <transport-specifier> strings are case-insensitive so that,
       for example, "tcp" and "TCP" are equivalent.  Here are some examples,
       along with their interpretation:

			       listen on UDP port 161, but only on the
			       loopback interface.  This prevents snmpd being
			       queried remotely.  The port specification
			       ":161" is not strictly necessary since that is
			       the default SNMP port.

       TCP:1161		       listen on TCP port 1161 on all IPv4 interfaces.

       ipx:/40000	       listen on IPX port 40000 on all IPX interfaces.

       unix:/tmp/local-agent   listen  on  the	Unix domain socket /tmp/local-

       /tmp/local-agent	       is identical  to	 the  previous	specification,
			       since  the  Unix domain is assumed if the first
			       character of the <transport-address> is '/'.

       PVC:161		       listen on the AAL5  permanent  virtual  circuit
			       with  VPI=0  and VCI=161 (decimal) on the first
			       ATM adapter in the machine.

       udp6:10161	       listen on port 10161 on all IPv6 interfaces.

       ssh:	       Allows connections from the snmp	 subsystem  on
			       the  ssh	 server	 on  port  22.	The details of
			       using SNMP over SSH are defined below.

       dtlsudp:  Listen for connections over DTLS	 on  UDP  port
			       9161.	The   snmp.conf	 file  must  have  the
			       defX509ServerPub,    defX509ServerPriv,	   and
			       defX509ClientCerts     configuration	tokens

       Note that not all the transport domains listed  above  will  always  be
       available; for instance, hosts with no IPv6 support will not be able to
       use udp6 transport addresses, and attempts to do so will result in  the
       error  "Error  opening  specified  endpoint".  Likewise, since AAL5 PVC
       support is only currently available on Linux, it	 will  fail  with  the
       same error on other platforms.
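
Added example (not part of the Net-SNMP manual page or code): a Python parser that classifies listening addresses by the rules and table above, so the addresses on an snmpd command line can be checked for ones that bind every interface. It assumes the specifier is separated from the address by the first ':' as in the page's examples and that IPv6 literals with a port are written in brackets; the function names and the SAMPLE list are constructed for illustration.

```python
import ipaddress

# Transport specifiers from the table above, aliases folded to one name.
ALIASES = {"udp": "udp", "tcp": "tcp", "unix": "unix", "ipx": "ipx",
           "aal5pvc": "pvc", "pvc": "pvc", "ssh": "ssh", "dtlsudp": "dtlsudp",
           "udp6": "udp6", "udpv6": "udp6", "udpipv6": "udp6",
           "tcp6": "tcp6", "tcpv6": "tcp6", "tcpipv6": "tcp6"}
IP_TRANSPORTS = {"udp", "tcp", "udp6", "tcp6", "dtlsudp"}

def _host(addr):
    """Strip an optional :port from a hostname or IP literal."""
    if addr.startswith("[") and "]" in addr:  # bracketed IPv6 literal (assumed syntax)
        return addr[1:addr.index("]")]
    try:
        ipaddress.ip_address(addr)            # bare address, no port given
        return addr
    except ValueError:
        return addr.rpartition(":")[0] or addr

def _exposure(host):
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific"                     # other hostnames are not resolved here
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def parse_listen(spec):
    """Return (transport, address, exposure) for one snmpd listening address."""
    if spec.startswith("/"):                  # leading '/' implies the Unix domain
        return ("unix", spec, "local")
    head, sep, rest = spec.partition(":")
    transport = ALIASES.get(head.lower()) if sep else None  # case-insensitive
    if transport is None:                     # no specifier: udp is the default
        transport, rest = "udp", spec
    if transport == "unix":
        return (transport, rest, "local")
    if transport not in IP_TRANSPORTS:        # ipx, pvc, ssh: left unclassified
        return (transport, rest, "unclassified")
    if rest.isdigit():                        # bare port: every interface
        return (transport, rest, "all-interfaces")
    return (transport, rest, _exposure(_host(rest)))

def remotely_exposed(specs):
    """Listening addresses that bind every interface."""
    return [s for s in specs if parse_listen(s)[2] == "all-interfaces"]

# Constructed sample: examples from this page plus a constructed loopback address.
SAMPLE = ["127.0.0.1:161", "TCP:1161", "unix:/tmp/local-agent", "udp6:10161", "161"]
```
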

Transport Specific Notes
       ssh     The SSH transport, on the server side, is actually just a unix
	       named pipe that can be connected to via a ssh subsystem
	       configured in the main ssh server.  The pipe location
	       (configurable with the sshtosnmpsocket token in snmp.conf) is
	       /var/net-snmp/sshtosnmp.  Packets should be submitted to it via
	       the sshtosnmp application, which also sends the user ID when
	       starting the connection.  The TSM security model should be used
	       when packets should process it.

	       The sshtosnmp command knows how to connect to this pipe and
	       talk to it.  It should be configured in the OpenSSH sshd
	       configuration file (which is normally /etc/ssh/sshd_config)
	       using the following configuration line:

		      Subsystem snmp /usr/local/bin/sshtosnmp

	       The sshtosnmp command will need read/write access to the
	       /var/net-snmp/sshtosnmp pipe.  Although it should be fairly
	       safe to grant access to the average user since it still
	       requires modifications to the ACM settings before the user can
	       perform operations, paranoid administrators may want to make
	       the /var/net-snmp directory accessible only by users in a
	       particular group.  Use the sshtosnmpsocketperms snmp.conf
	       configure option to set the permissions, owner and group of the
	       created socket.

	       Access control can be granted to the user "foo" using the
	       following style of simple snmpd.conf settings:

		      rouser -s tsm foo authpriv

	       Note that "authpriv" is acceptable, as SSH protects everything
	       that way (assuming you have a non-insane setup).  snmpd has no
	       notion of how SSH has actually protected a packet, and thus the
	       snmp agent assumes all packets passed through the SSH transport
	       have been protected at the authpriv level.

       dtlsudp The DTLS protocol, which is based off  of  TLS,	requires  both
	       client  and server certificates to establish the connection and
	       authenticate both sides.	 In order to do this, the client  will
	       need    to    configure	  the	 snmp.conf   file   with   the
	       defX509ServerCerts,  defX509ClientPriv,	and   defX509ClientPub
	       configuration  tokens.	The  server will need to configure the
	       snmp.conf file with  the	 defX509ServerPub,  defX509ServerPriv,
	       and defX509ClientCerts configuration tokens defined.

	       Access control setup is similar to the ssh transport as the TSM
	       security model should be used to protect the packet.

       snmpd checks for the existence of and parses the following files:

	     Common  configuration  for	 the  agent  and   applications.   See
	     snmp.conf(5) for details.


	     Agent-specific configuration.  See snmpd.conf(5) for details.
	     These files are optional and may be used to configure access
	     control, trap generation, subagent protocols and much else
	     besides.

	     In addition to these two configuration files in /etc/snmp, the
	     agent will read any files with the names snmpd.conf and
	     snmpd.local.conf in a colon separated path specified in the
	     SNMPCONFPATH environment variable.

	     The agent will also load all files in this directory as MIBs.  It
	     will  not,	 however,  load	 any  file  that  begins with a '.' or
	     descend into subdirectories.

       (in recommended reading order)

       snmp_config(5), snmp.conf(5), snmpd.conf(5)

4th Berkeley Distribution	  23 Jun 2005			      SNMPD(8)