Mogens Kjaer wrote:
...
I wrote a C program that uses SNMP for this.
I was asked how I did this:
The code is written for many generations of D-Link hubs and
switches - the first version of the program is nearly 10 years
old. The D-Link switches/hubs each have their own way of
returning the information I want. So the code has ended up
being very clumsy and unreadable - sometimes even by myself :-)
To figure things out, I used snmpwalk (from net-snmp-utils):
snmpwalk -v 1 -cpublic -m ALL -Cc yourswitchname >somefile.txt
If the command doesn't return anything, you either don't have
access or the community string "public" is wrong. This is set
up on the switch.
You'll see lines like:
RFC1213-MIB::ifInOctets.1 = Counter32: 294511
RFC1213-MIB::ifInOctets.2 = Counter32: 484607327
RFC1213-MIB::ifInOctets.3 = Counter32: 629120408
RFC1213-MIB::ifInOctets.4 = Counter32: 3390066466
RFC1213-MIB::ifInOctets.5 = Counter32: 2848975069
RFC1213-MIB::ifInOctets.6 = Counter32: 0
RFC1213-MIB::ifInOctets.7 = Counter32: 72355738
RFC1213-MIB::ifInOctets.8 = Counter32: 0
...
This is the number of bytes received on the ports 1-8.
Similarly for ifOutOctets.
I analyse lines like:
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.1 = Hex-STRING: 00 05 5D EF 4F 6E
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.2 = Hex-STRING: 00 05 5D EF 4E 68
...
to get a correlation between IP: 172.20.0.1 and MAC
address: 00:05:5D:EF:4F:6E
Our NAT router runs Linux (this is also where this program
runs), so I can read the arp table in /proc/net/arp
to get the MAC/IP correlation as well.
Note, if you only get numeric responses, like:
SNMPv2-SMI::mib-2.17.4.4.1.5.24 = Counter32: 0
instead of:
BRIDGE-MIB::dot1dTpPortInDiscards.24 = Counter32: 0
it's because you're missing the relevant MIB file.
In some cases the MIB files are found on (in my case)
D-Link's home page, some MIB files are more general -
Google is your friend.
Put the MIB files in a folder and set the environment
variable MIBDIRS to point to that folder before starting
snmpwalk.
Some switches hide the relevant information in a private
section, this can be listed like:
snmpwalk -v 1 -cpublic -m ALL -Cc nameofswitch
.iso.org.dod.internet.private.enterprises
(this is on one line).
With this information it is possible to walk all ports
on all switches and get the necessary information:
Traffic in/out
MAC address seen on port
correlate MAC address with IP number
and finally do a reverse DNS lookup to get the hostname
from the IP number.
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk@xxxxxx Homepage: http://www.crc.dk
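
Added example, not part of the original post and not the author's C program: a parser for the snmpwalk output lines quoted above that builds the port/byte-count and IP/MAC tables. The sample text is constructed from values in the post; the names parse_walk and counter32_delta are hypothetical, and the Counter32 wrap handling goes beyond what the post describes.

```python
import re

# Constructed sample in the format shown in the post (values copied from it).
# The last record is deliberately wrapped over two lines.
SAMPLE = """\
RFC1213-MIB::ifInOctets.4 = Counter32: 3390066466
RFC1213-MIB::ifInOctets.5 = Counter32: 2848975069
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.1 = Hex-STRING: 00 05 5D EF 4F 6E
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.2 = Hex-STRING: 00
05 5D EF 4E 68
"""

# <MIB>::<object>.<index> = <type>: <value>
LINE = re.compile(r"^(\S+)::([\w-]+)\.([\d.]+) = ([\w-]+): ?(.*)$")


def parse_walk(text):
    """Return (octets, arp): {port: ifInOctets} and {ip: mac}."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw):
            records.append(raw.strip())
        elif records and raw.strip():
            # Continuation of a wrapped value (e.g. a split Hex-STRING).
            records[-1] += " " + raw.strip()

    octets, arp = {}, {}
    for rec in records:
        _mib, name, index, _type, value = LINE.match(rec).groups()
        if name == "ifInOctets":
            octets[int(index)] = int(value)
        elif name == "ipNetToMediaPhysAddress":
            # Index is <ifIndex>.<a>.<b>.<c>.<d>; the last four parts are the IP.
            ip = ".".join(index.split(".")[-4:])
            arp[ip] = ":".join(value.split()).upper()
    return octets, arp


def counter32_delta(old, new):
    """Bytes between two polls, allowing for one wrap of the 32-bit counter."""
    return (new - old) % 2**32


if __name__ == "__main__":
    print(parse_walk(SAMPLE))
```

Objects the parser does not recognise, including numeric-only names such as mib-2.17.4.4.1.5.24, are skipped rather than treated as errors.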