Catching unusual SNMP-trap messages in an unusual way



On the access layer of our network, a large number of D-Link switches are used.

There was a need to receive SNMP traps. But it was not that simple, because a huge number of the switches were from the DES-1228 / 1210-28 / 1210-52 series. These switches appear to be able to send traps, but the trap server did not want to receive them. It turned out that their traps can only be received by a Windows application, and its name is Smart Console Utility.

That is, according to the vendor, automating the collection of traps is not possible.
However, the packets carrying the SNMP traps still arrive at the trap server, so something can be done with them.

Without thinking twice, we brought up xinetd on the trap server and started receiving the packets. They arrived on UDP port 64514. And what was surprising and interesting: the message text sat at the end of the packet in plain text; you only had to trim off the unreadable binary header.

By the way, inetd / xinetd is also called the “Internet super-server”: it is a network service that listens on sockets and hands incoming network packets to your application for analysis, saving, or anything else. That is, on a *nix system you can write your own network service with your bare hands. This is really cool!

Xinetd configuration (/etc/xinetd.d/trap-handler-scu):

service smart-console-utility
{
        disable         = no
        id              = trap-handler-scu
        type            = UNLISTED
        flags           = IPv4
        protocol        = udp
        socket_type     = dgram
        user            = root
        wait            = yes
        server          = /services/snmp/trap-handler-scu.php
        port            = 64514
#       log_type        = FILE /var/log/xinetd-trap-handler-scu.log
#       log_on_success  = PID HOST
#       log_on_failure  = HOST
}


The code to which each incoming UDP packet is handed (/services/snmp/trap-handler-scu.php). It is written in PHP because that was quick to do, and later it can be extended to add the trap messages to a database.

#!/usr/bin/php5
<?php
// The head of this script was lost in extraction; the settings, write_log() and the packet handling above the surviving tail are reconstructed (assumption)
$debug_logging = false; $dump_requests = false; $dump_request_file = '/var/log/trap-handler-scu.dump';
function write_log($text) { file_put_contents('/var/log/trap-handler-scu.log', date('Y-m-d H:i:s').' '.$text."\n", FILE_APPEND); }
$read_handle = fopen('php://stdin', 'rb');   // xinetd hands the UDP socket to us as STDIN
if ($read_handle)
{
	$request = fread($read_handle, 65535);   // one datagram
	if ($request !== false && strlen($request) > 0)
	{
		// The text sits at the end of the datagram: keep the trailing printable run, drop the binary header
		$trap_message = preg_match('/[\x20-\x7e]+$/', $request, $m) ? trim($m[0]) : bin2hex($request);
		// Record id = unix time + 4 random digits; the sender address is assumed to be exported by xinetd as REMOTE_HOST
		write_log('SCU--'.time().'-'.sprintf('%04d', mt_rand(0, 9999)).' '.getenv('REMOTE_HOST').' '.$trap_message);
		if ($dump_requests) {file_put_contents($dump_request_file, $request, FILE_APPEND);}
		// Parse trap message
	}
	else
	{write_log('Null request');}
	fclose($read_handle);
}
else
{write_log('Unable to open STDIN!');}
if ($debug_logging) {write_log('End');}
?>


The result is log entries roughly like these:

2014-09-12 06:25:50 SCU--1410485150-0287 10.X.0.26     DES-1210-28 Port 2 copper link up
2014-09-12 06:25:50 SCU--1410485150-3536 10.X.0.18      DES-1210-52 Port 9 copper link up
2014-09-12 06:25:50 SCU--1410485150-7605 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:25:52 SCU--1410485152-9745 10.X.0.104    DES-1210-28 Port 10 copper link up
2014-09-12 06:25:55 SCU--1410485155-5064 10.X.0.11      DES-1210-52 Port 28 copper link up
2014-09-12 06:25:55 SCU--1410485155-7615 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:25:58 SCU--1410485158-7782 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:26:01 SCU--1410485161-4395 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:26:04 SCU--1410485164-0377 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:26:04 SCU--1410485164-3473 10.X.0.18      DES-1210-52 Port 9 copper link up
2014-09-12 06:26:06 SCU--1410485166-0395 10.X.0.31      DES-1210-52 Port 48 copper link up
2014-09-12 06:26:07 SCU--1410485167-1539 10.X.0.31      DES-1210-52 Port 47 copper link up
2014-09-12 06:26:07 SCU--1410485167-2226 10.X.0.128     DES-1210-28 Port 2 copper link up


By the way, in this output you can see port flapping: the line “DES-1210-52 Port 48 copper link up” repeats many times. It indicates that something is wrong with the port or the cable.
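Spotting the flapping by eye works for a dozen lines; over a day of traps you want the check automated. The following is an added example, not code from the original post: it parses log lines in the format the handler above writes and flags any (host, port) pair with at least `threshold` link events inside a sliding `window_seconds` span. The sample log is constructed to mirror the entries shown above (addresses are placeholders), and the "down" state is an assumed generalization of the "up" lines the page shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log modeled on the journal entries above (placeholder addresses).
SAMPLE_LOG = """\
2014-09-12 06:25:50 SCU--1410485150-0287 10.0.0.26     DES-1210-28 Port 2 copper link up
2014-09-12 06:25:50 SCU--1410485150-3536 10.0.0.18     DES-1210-52 Port 9 copper link up
2014-09-12 06:25:50 SCU--1410485150-7605 10.0.0.31     DES-1210-52 Port 48 copper link up
2014-09-12 06:25:55 SCU--1410485155-7615 10.0.0.31     DES-1210-52 Port 48 copper link up
2014-09-12 06:25:58 SCU--1410485158-7782 10.0.0.31     DES-1210-52 Port 48 copper link up
2014-09-12 06:26:01 SCU--1410485161-4395 10.0.0.31     DES-1210-52 Port 48 copper link up
2014-09-12 06:26:04 SCU--1410485164-3473 10.0.0.18     DES-1210-52 Port 9 copper link up
2014-09-12 06:26:07 SCU--1410485167-1539 10.0.0.31     DES-1210-52 Port 47 copper link up
"""

# One line = timestamp, record id, sender address, switch model, port, link state.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SCU--\S+ (?P<host>\S+)\s+"
    r"(?P<model>\S+) Port (?P<port>\d+) copper link (?P<state>up|down)$"
)

def parse_log(text):
    """Yield (timestamp, host, model, port, state) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["host"], m["model"], int(m["port"]), m["state"]

def find_flapping(text, window_seconds=60, threshold=3):
    """Return {(host, port): count} for ports with at least `threshold`
    link events inside some `window_seconds` span (count = the busiest window)."""
    events = defaultdict(list)
    for ts, host, _model, port, _state in parse_log(text):
        events[(host, port)].append(ts)
    flapping = {}
    for key, stamps in events.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[key] = best
    return flapping

if __name__ == "__main__":
    for (host, port), n in sorted(find_flapping(SAMPLE_LOG).items()):
        print(f"{host} port {port}: {n} link events inside 60 s")
```

Feeding the handler's real log file through `find_flapping` turns the repeated "Port 48" lines into a single alert per affected port instead of a wall of entries to read.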

Port defect found - task completed.
