Monitor your network infrastructure with SNMP
Clear View
Routers, switches, servers, printers – data networks contain many complex components, and if you want to manage them with the least possible organizational and financial overhead, all you need is a Raspberry Pi and the Simple Network Management Protocol (SNMP). The latter can be used to query values such as data throughput, CPU load, or the temperature of the device, or even to reconfigure the system.
SNMP is the successor to the Simple Gateway Management Protocol (SGMP). Its specification was approved by the Internet Engineering Task Force (IETF) in 1990, and it has seen several revisions since then. The current version is version 3. In contrast to its predecessors, SNMPv3 supports encrypted communication and secure authentication; however, many devices you can purchase today still only support SNMPv1 or SNMPv2.
Protocol Brief
SNMP uses UDP port 161 by default. Communications rely on agents and managers; the agents run on the individual devices and wait for queries or instructions from the managers. There are also SNMP traps, which cause the device to push a message to a manager when specific events occur. The message typically reaches the manager on port 162.
SNMP reads values from various network components known as managed objects. A managed object can be the status of a network interface, CPU, or device memory. To establish a standard here, the SNMP Management Information Base (MIB) was developed. The properties of many managed objects are described in the MIB tree structure. The descriptions contain the name, or OID (object identifier), and the permissible data types for an object. The OID can be numeric or human-readable; for example, iso.org.dod.internet.mgmt and 1.3.6.1.2 refer to the same object, and they can be used as equivalents in queries.
SNMPv1 and SNMPv2 use what are known as "communities" to establish connections that are trusted by managers and agents. To allow this to happen, community names exist for Read-only, Read-write, and Trap. The community names replace passwords; however, because they are transferred in the clear, an attacker can quite easily sniff them.
Various activities can be handled using community names. With the Read-only community string, which most manufacturers default to public, you can only query data from a device. The Read-write community string, which is typically set to private for most devices in the as-delivered state, also lets you make changes to the device. For example, you can set counters or change the router configuration. Finally, the Trap community string is only needed so that managers can accept trap messages from the agents.
The two latter community strings are not often seen on devices for end users. However, SNMPv3, which encrypts the entire communication and forces participants to authenticate at regular intervals, is even less common.
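The following added example (not part of the original article) decodes an SNMPv1/v2c message as it appears in a packet capture of your own network, showing that the community string and the numeric OID sit unencrypted in the BER encoding, and flags the default communities named above. The sample packet is constructed for illustration, and the function names are hypothetical.

```python
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults named in the article
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}      # value of the version INTEGER on the wire
# Constructed sample: SNMPv2c GetRequest for sysDescr.0, community "public".
SAMPLE = bytes.fromhex(
    "3026 020101 04067075626c6963 a019 020101 020100 020100"
    "300e 300c 06082b06010201010100 0500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    """Decode the body of a BER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [data[0] // 40, data[0] % 40], 0   # first byte packs two arcs
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                  # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_snmp(packet):
    """Return version, community, first OID and audit findings for one message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):         # only v1/v2c carry a community string
        return {"version": version, "community": None, "oid": None, "findings": []}
    _, community, pos = read_tlv(body, pos)
    _, pdu, _ = read_tlv(body, pos)
    p = 0
    for _ in range(3):                       # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    _, varbind, _ = read_tlv(varbinds, 0)
    _, oid, _ = read_tlv(varbind, 0)
    name = community.decode("ascii", "replace")
    findings = [f"SNMP{version}: community string sent unencrypted"]
    if name in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{name}' in use")
    return {"version": version, "community": name, "oid": decode_oid(oid), "findings": findings}
```

Calling inspect_snmp(SAMPLE) reports version v2c, community public, and the OID 1.3.6.1.2.1.1.1.0, which lies below the 1.3.6.1.2 (iso.org.dod.internet.mgmt) node mentioned above.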
The Scenario
I will be referring in this article to the example of a complex of buildings whose users sporadically complain about slow Internet connections. It should be possible to query some device values with the Net-SNMP tools [1] and log anything suspicious. On this basis, I can collect information about what is happening on the network and make decisions for improving the infrastructure.
Hochlland [2] is an educational institution in Potsdam, Germany, comprising three multistory buildings regularly visited by school classes and education groups. The three buildings share an Internet connection and are connected by wireless and cable links of various quality. WLAN service for guests is currently provided by eight access points (APs), although there are plans to increase this number to 14 when the network is next expanded.
The educational institute pursues a policy of self-organization, which means that the groups use the buildings totally autonomously. Staff is not always on site, so problems with what is typically a stable Internet connection are difficult to understand in retrospect. Many groups arrive and leave on their own – and it can occasionally happen that an access point leaves with them. Additionally, some neighbors have discovered the access credentials of the semi-public house and like to make extensive use of the network. The idea is also to make this kind of access more difficult.
Preparations
To identify problems that occur in good time, I installed a Raspberry Pi as a monitoring system in the building. Its job is to monitor the devices, query additional values in case of selected events, and, if needed, notify staff. The Rasp Pi runs the Darkbasic Raspbian minimal image [3]; I added the Raspberry Pi package sources (Listing 1, lines 1 through 3); updated (lines 4 and 5); installed the required applications (line 6), in particular from the packages snmp and snmp-mibs-downloader ; and performed a firmware update (lines 7-9).
Listing 1
Installing and Updating Packages
01 $ echo "deb http://archive.raspberrypi.org/debian wheezy main" | \
   sudo tee -a /etc/apt/sources.list
02 $ sudo wget http://archive.raspberrypi.org/debian/raspberrypi.gpg.key \
   -O raspberrypi.gpg.key
03 $ sudo apt-key add raspberrypi.gpg.key
04 $ sudo apt-get update
05 $ sudo apt-get upgrade
06 $ sudo apt-get install vim vim-runtime aria2 ntpdate anacron msmtp-mta \
   bsd-mailx raspi-config less screen snmp snmp-mibs-downloader
07 $ sudo curl -L --output /usr/bin/rpi-update \
   https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update && \
   sudo chmod +x /usr/bin/rpi-update
08 $ sudo rpi-update
09 $ sudo reboot
I enabled SNMP agents on all the access points used here with DD-WRT [4] (Figure 1) or Ubiquiti airOS [5] (Figure 2). The existing WLAN zoo does not lend itself to a standardized solution, and I needed to set static routes on some routers and the Rasp Pi to allow the nanocomputer to reach all the devices. Listing 2 shows how to set routes statically with route. Once everything is working, you can add the corresponding entries below the matching network interface in the /etc/network/interfaces configuration file to avoid losing them when you reboot (Listing 3).
Listing 2
Set Routes
$ sudo route add -net 192.168.100.0/24 gw 192.168.2.2
$ sudo route add -net 192.168.13.0/24 gw 192.168.2.2
Listing 3
Additions to /etc/network/interfaces
# /etc/network/interfaces
up route add -net 192.168.100.0/24 gw 192.168.2.2 dev eth0
up route add -net 192.168.13.0/24 gw 192.168.2.2 dev eth0