Help decoding UDPSocket trap data

  • Thread starter jackster the jackle

jackster the jackle

Hi Ruby Forum,

I have a script that opens a UDPSocket on port 162 and listens for traps
which are then sent to STDOUT for now.

I am seeing data strings coming in that are in a format that I need to
decode somehow. I have read through all the doco on UDPSocket and
BasicSocket and Socket and don't see any way to decode the data being
sent in the traps.

Here is an example of what I'm seeing from my Cisco devices:

["0\201\351\002\001\000\004\02087", ["AF_INET", 51709, "10.1.1.1",
"10.1.1.1"]]

The first numbers enclosed in the first set of parentheses contain the
data in the trap.

Does anyone know how I would go about decoding these?

Thanks in advance

jackster.mobi
 
yermej

jackster the jackle said:
Hi Ruby Forum,

I have a script that opens a UDPSocket on port 162 and listens for traps
which are then sent to STDOUT for now.

I am seeing data strings coming in that are in a format that I need to
decode somehow. I have read through all the doco on UDPSocket and
BasicSocket and Socket and don't see any way to decode the data being
sent in the traps.

Here is an example of what I'm seeing from my Cisco devices:

["0\201\351\002\001\000\004\02087", ["AF_INET", 51709, "10.1.1.1",
"10.1.1.1"]]

The first numbers enclosed in the first set of parentheses contain the
data in the trap.

Does anyone know how I would go about decoding these?

Thanks in advance

jackster.mobi

I'm not sure, but the data format is probably dependent on the Cisco
devices. I would check their documentation for more info.

You might also want to check out Ruby SNMP - http://snmplib.rubyforge.org/
- rather than writing your own socket routines.
 
jackster the jackle

yermej said:
I'm not sure, but the data format is probably dependent on the Cisco
devices. I would check their documentation for more info.

You might also want to check out Ruby SNMP -
http://snmplib.rubyforge.org/
- rather than writing your own socket routines.

Good call yermej...thanks.

I copied the basic TrapListener script as follows and am receiving traps
that are readable:
-----------code one ---------------
require 'snmp'
require 'logger'

log = Logger.new(STDOUT)
m = SNMP::TrapListener.new do |manager|
  manager.on_trap_default do |trap|
    log.info trap.inspect
    puts "------------------"
    puts logger.value
  end
end
m.join
----------------------------------

Interestingly enough, if I change the code a bit and print out "logger.value",
you see the exact type of trap formatting that I originally asked about
in my initial request:
-------------code two ----------------
log = Logger.new(STDOUT)
m = SNMP::TrapListener.new do |manager|
  manager.on_trap_default do |trap|
    log.info trap.inspect
    puts logger.value
  end
end
m.join
----------------------------------
What is the best way to get my logger values out of "code one" listed
above so that I can manipulate them? I'd like to be able to access this
output from "code one" for instance:
----------------------code three ------------
@value="Interface GigabitEthernet7/12, changed state to down",
 
yermej

jackster the jackle said:
Good call yermej...thanks.

I copied the basic TrapListener script as follows and am receiving traps
that are readable:
-----------code one ---------------
require 'snmp'
require 'logger'

log = Logger.new(STDOUT)
m = SNMP::TrapListener.new do |manager|
  manager.on_trap_default do |trap|
    log.info trap.inspect
    puts "------------------"
    puts logger.value
  end
end
m.join
----------------------------------

Interestingly enough, if I change the code a bit and print out "logger.value",
you see the exact type of trap formatting that I originally asked about
in my initial request:
-------------code two ----------------
log = Logger.new(STDOUT)
m = SNMP::TrapListener.new do |manager|
  manager.on_trap_default do |trap|
    log.info trap.inspect
    puts logger.value
  end
end
m.join
----------------------------------
What is the best way to get my logger values out of "code one" listed
above so that I can manipulate them? I'd like to be able to access this
output from "code one" for instance:
----------------------code three ------------
@value="Interface GigabitEthernet7/12, changed state to down",
---------------------------------------------

thanks

jackster.mobi

Sorry, but I'm not seeing much difference between one & two. Where is
the local variable logger defined? If "log.info trap.inspect" is
printing the type of data you want, I would think that trap.inspect is
what you would want to operate on.
 
jackster the jackle

yermej said:
Sorry, but I'm not seeing much difference between one & two. Where is
the local variable logger defined? If "log.info trap.inspect" is
printing the type of data you want, I would think that trap.inspect is
what you would want to operate on.

if you do:
puts logger.value

you will see the encoding I'm talking about.

I was able to get some of the specifics out with:
trap.source_ip
and
trap.timestamp

if I do:
trap.value

I get the encoding again.
 
Gary Wright

jackster the jackle said:
if I do:
trap.value

I get the encoding again.

Well I just perused the documentation at:
<http://snmplib.rubyforge.org/doc/index.html>

It looks like a trap object holds a collection of snmp variables you
could get at the info like this:

trap.each_varbind { |v|
  puts v.name
  puts v.value
  puts v.value.asn1_type # or maybe v.asn1_type
}

or something close to that. I'm just reading the docs, not running
the software.

Gary Wright
 
jackster the jackle

Gary said:
Well I just perused the documentation at:
<http://snmplib.rubyforge.org/doc/index.html>

It looks like a trap object holds a collection of snmp variables you
could get at the info like this:

trap.each_varbind { |v|
  puts v.name
  puts v.value
  puts v.value.asn1_type # or maybe v.asn1_type
}

or something close to that. I'm just reading the docs, not running
the software.

Gary Wright

thanks a lot Gary...that works...

jackster.mobi
 
Joao Pompei

Hi guys,

I know that isn't the thread to ask this, but this is the closest I got
after reading the forum for several hours.

I am trying to use the trap listener and had no success so far. I have
no clue about what is going on here.

My code so far:

require 'rubygems'
require 'snmp'
require 'logger'

log = Logger.new(STDOUT)
m = SNMP::TrapListener.new(:Port => 1062) do |manager|
  manager.on_trap_default do |trap|
    trap.each_varbind { |v|
      puts v.name
      puts v.value
    }
  end
end
m.join

I tried many other codes from the internet and cannot make any
progress. I get a "while true" script that shows me nothing.

The equipment here is from my company so I am not using any loaded mib
(it has a different mib). I tested it with a java traps_listener made
with "SNMP4J" (plus wireshark) and the traps are there on port 1062.

Jackster or anyone else, do you see the traps coming with this code?

thanks
 
jackster the jackle

I was able to get my version to work but I have to look back now and
find the exact code.

The first thing I notice is that you are listening on port 1062 and it
should be 162, please try and change that and see if that helps.

jackster
 
Joao Pompei

jackster said:
I was able to get my version to work but I have to look back now and
find the exact code.

The first thing I notice is that you are listening on port 1062 and it
should be 162, please try and change that and see if that helps.

jackster

Hello!

We got the things going here. Thanks all.

Jackster, I can configure which port I want to use (default is 162, but
in linux only the root user has access to that port).

The problem was the ip address. I believe that linux by default doesn't
address 'localhost' to eth2 (localhost binds with some line in some
/etc/net/config.blabla) and because of that I wasn't receiving any
messages.

Here is the code that I am using now. Note the exact ip address on it:

m = SNMP::TrapListener.new(:Host => '192.168.31.5', :port => 2062) do |manager|
  manager.on_trap_default do |trap|
    trap.each_varbind { |v|
      puts 'OID: ' + v.name.to_s + ' Value: ' + v.value.to_s
    }
  end
end
m.join

This code gives me this answer:

OID: 1.3.6.1.6.3.1.1.4.1.0 Value: 1.3.6.1.4.1.xxxx.6.1.2.2.13.7
OID: 1.3.6.1.2.1.1.5 Value: Equip_name
OID: 1.3.6.1.4.1.xxxx.6.1.2.2.3.3.1.2 Value: 2
OID: 1.3.6.1.4.1.xxxx.6.1.2.2.3.3.1.3 Value: 2
OID: 1.3.6.1.2.1.1.3.0 Value: 5 days, 01:17:22.37
OID: 1.3.6.1.6.3.1.1.4.1.0 Value: 1.3.6.1.4.1.xxxx.6.1.2.2.13.15

Where xxxx is the company register on IANA.

Thanks guys. Ruby forums are a very good source of solutions.

Joao Pompei
 
Chandra Sekhar

Hi,

I am new to ruby.
With above example, tried Trap Listener on windows machine. However I
didn't see the traps.

My code given below:

require "rubygems"
require 'snmp'
require 'logger'

m = SNMP::TrapListener.new(:Host => 'myPcIp', :port => 162) do |manager|
  manager.on_trap_default do |trap|
    trap.each_varbind { |v|
      puts 'OID: ' + v.name.to_s + ' Value: ' + v.value.to_s
    }
  end
end
m.join

Can anybody help on this?

Note: My PC runs on windows XP
 
Brian Candler

Chandra Sekhar wrote in post #991736:
I am new to ruby.
With above example, tried Trap Listener on windows machine. However I
didn't see the traps.

(1) Are the trap packets arriving? Run Wireshark to look for them.

(2) You probably need to set up your TrapListener with a community
string, and your trap sender to use that same community string (for SNMP
v2c anyway).

The example in the source code at
http://snmplib.rubyforge.org/svn/trunk/lib/snmp/manager.rb
suggests you need to add something like :Community=>"public"
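
Added example, not part of any post in this thread: the string shown in the first post is the start of a BER-encoded SNMP message (0x30 SEQUENCE, long-form length, INTEGER version, OCTET STRING community), so the version and the cleartext community string mentioned in the last reply can be read straight from the raw datagram. The names `read_tlv` and `snmp_header` and the sample bytes are constructed for this illustration; SNMPv3 messages carry no community field and are rejected.

```ruby
# Added example: reads only the outer SNMP v1/v2c header (version, community).
SNMP_VERSIONS = { 0 => 'v1', 1 => 'v2c', 3 => 'v3' }.freeze
PDU_NAMES = { 0xa4 => 'Trap-PDU (v1)', 0xa7 => 'SNMPv2-Trap-PDU' }.freeze

# Read one BER tag-length-value at pos; returns [tag, value_bytes, next_pos].
def read_tlv(bytes, pos)
  raise ArgumentError, 'truncated header' if pos + 2 > bytes.bytesize
  tag = bytes.getbyte(pos)
  len = bytes.getbyte(pos + 1)
  pos += 2
  if len & 0x80 != 0 # long form: low 7 bits give the number of length octets
    n = len & 0x7f
    raise ArgumentError, 'unsupported length' if n.zero? || n > 4
    raise ArgumentError, 'truncated length' if pos + n > bytes.bytesize
    len = bytes.byteslice(pos, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
    pos += n
  end
  raise ArgumentError, 'truncated value' if pos + len > bytes.bytesize
  [tag, bytes.byteslice(pos, len), pos + len]
end

# Decode version and community from a raw datagram (the first element
# returned by UDPSocket#recvfrom). Raises ArgumentError on malformed input.
def snmp_header(datagram)
  tag, body, _next = read_tlv(datagram.b, 0)
  raise ArgumentError, 'not a SEQUENCE' unless tag == 0x30
  tag, ver, pos = read_tlv(body, 0)
  raise ArgumentError, 'version is not an INTEGER' unless tag == 0x02
  tag, community, pos = read_tlv(body, pos)
  raise ArgumentError, 'community is not an OCTET STRING' unless tag == 0x04
  version = ver.bytes.inject(0) { |acc, b| (acc << 8) | b }
  pdu_tag = body.getbyte(pos)
  { version: SNMP_VERSIONS.fetch(version, version), community: community,
    pdu: PDU_NAMES.fetch(pdu_tag, pdu_tag) }
end

# Constructed sample: SNMPv1, community "public", empty Trap-PDU (0xa4).
SAMPLE_V1 = "\x30\x0d\x02\x01\x00\x04\x06public\xa4\x00".b
# The fragment from the first post: its SEQUENCE claims 233 bytes, but the
# post shows only the first ten, so decoding stops with 'truncated value'.
POSTED_FRAGMENT = "0\201\351\002\001\000\004\02087".b

if $PROGRAM_NAME == __FILE__
  p snmp_header(SAMPLE_V1)
end
```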
 
