SNMPD(8)                          Net-SNMP                          SNMPD(8)

snmpd - daemon to respond to SNMP request packets.

snmpd [OPTIONS] [LISTENING ADDRESSES]

snmpd is an SNMP agent which binds to a port and awaits requests from
SNMP management software. Upon receiving a request, it processes the
request(s), collects the requested information and/or performs the
requested operation(s) and returns the information to the sender.

-a      Log the source addresses of incoming requests.

-A      Append to the log file rather than truncating it.

-c FILE Read FILE as a configuration file (or a comma-separated list of
        configuration files). Note that the loaded file will only
        understand snmpd.conf tokens, unless the configuration type is
        specified in the file as described in the snmp_config man page
        under SWITCHING CONFIGURATION TYPES IN MID-FILE.

-C      Do not read any configuration files except the ones optionally
        specified by the -c option. Note that this behaviour also
        covers the persistent configuration files. This may result in
        dynamically-assigned values being reset following an agent
        restart, unless the relevant persistent config files are
        explicitly loaded using the -c option.

-d      Dump (in hexadecimal) the sent and received SNMP packets.

-D[TOKEN[,...]]
        Turn on debugging output for the given TOKEN(s). Without any
        tokens specified, it defaults to printing all the tokens (which
        is equivalent to the keyword "ALL"). You might want to try ALL
        for extremely verbose output. Note: You can not put a space
        between the -D flag and the listed TOKENs.

-f      Do not fork() from the calling shell.

-g GID  Change to the numerical group ID GID after opening listening
        sockets.

-h, --help
        Display a brief usage message and then exit.

-H      Display a list of configuration file directives understood by
        the agent and then exit.

-I [-]INITLIST
        Specifies which modules should (or should not) be initialized
        when the agent starts up. If the comma-separated INITLIST is
        preceded with a '-', it is the list of modules that should not
        be started. Otherwise this is the list of the only modules
        that should be started.

        To get a list of compiled modules, run the agent with the
        arguments -Dmib_init -H (assuming debugging support has been
        compiled in).

-L[efos]
        Specify where logging output should be directed (standard error
        or output, to a file or via syslog). See LOGGING OPTIONS in
        snmpcmd(5) for details.

-m MIBLIST
        Specifies a colon separated list of MIB modules to load for
        this application. This overrides the environment variable
        MIBS. See snmpcmd(1) for details.

-M DIRLIST
        Specifies a colon separated list of directories to search for
        MIBs. This overrides the environment variable MIBDIRS. See
        snmpcmd(1) for details.

-n NAME Set an alternative application name (which will affect the
        configuration files loaded). By default this will be snmpd,
        regardless of the name of the actual binary.

-p FILE Save the process ID of the daemon in FILE.

-q      Print simpler output for easier automated parsing.

-r      Do not require root access to run the daemon. Specifically, do
        not exit if files only accessible to root (such as /dev/kmem
        etc.) cannot be opened.

-u UID  Change to the user ID UID (which can be given in numerical or
        textual form) after opening listening sockets.

-U      Instructs the agent to not remove its pid file (see the -p
        option) on shutdown. Overrides the leave_pidfile token in the
        snmpd.conf file, see snmpd.conf(5).

-v, --version
        Print version information for the agent and then exit.

-V      Symbolically dump SNMP transactions.

-x ADDRESS
        Listens for AgentX connections on the specified address rather
        than the default "/var/agentx/master". The address can either
        be a Unix domain socket path, or the address of a network
        interface. The format is the same as the format of listening
        addresses described below.

-X      Run as an AgentX subagent rather than as an SNMP master agent.

--name="value"
        Allows any token ("name") supported in the snmpd.conf file to
        be specified and sets its value to "value". Overrides the
        corresponding token in the snmpd.conf file. See snmpd.conf(5)
        for the full list of tokens.

By default, snmpd listens for incoming SNMP requests on UDP port 161 on
all IPv4 interfaces. However, it is possible to modify this behaviour
by specifying one or more listening addresses as arguments to snmpd. A
listening address takes the form:

        [<transport-specifier>:]<transport-address>

At its simplest, a listening address may consist only of a port number,
in which case snmpd listens on that UDP port on all IPv4 interfaces.
Otherwise, the <transport-address> part of the specification is parsed
according to the following table:

        <transport-specifier>       <transport-address> format

        udp (default)               hostname[:port] or IPv4-address[:port]
        tcp                         hostname[:port] or IPv4-address[:port]
        unix                        pathname
        ipx                         [network]:node[/port]
        aal5pvc or pvc              [interface.][VPI.]VCI
        udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]
        tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]
        ssh                         hostname:port
        dtlsudp                     hostname:port

Note that <transport-specifier> strings are case-insensitive so that,
for example, "tcp" and "TCP" are equivalent. Here are some examples,
along with their interpretation:

127.0.0.1:161           listen on UDP port 161, but only on the loopback
                        interface. This prevents snmpd being queried
                        remotely. The port specification ":161" is not
                        strictly necessary since that is the default
                        SNMP port.

TCP:1161                listen on TCP port 1161 on all IPv4 interfaces.

ipx:/40000              listen on IPX port 40000 on all IPX interfaces.

unix:/tmp/local-agent   listen on the Unix domain socket
                        /tmp/local-agent.

/tmp/local-agent        is identical to the previous specification,
                        since the Unix domain is assumed if the first
                        character of the <transport-address> is '/'.

PVC:161                 listen on the AAL5 permanent virtual circuit
                        with VPI=0 and VCI=161 (decimal) on the first
                        ATM adapter in the machine.

udp6:10161              listen on port 10161 on all IPv6 interfaces.

ssh:127.0.0.1:22        Allows connections from the snmp subsystem on
                        the ssh server on port 22. The details of
                        using SNMP over SSH are defined below.

dtlsudp:127.0.0.1:9161  Listen for connections over DTLS on UDP port
                        9161. The snmp.conf file must have the
                        defX509ServerPub, defX509ServerPriv, and
                        defX509ClientCerts configuration tokens
                        defined.

Note that not all the transport domains listed above will always be
available; for instance, hosts with no IPv6 support will not be able to
use udp6 transport addresses, and attempts to do so will result in the
error "Error opening specified endpoint". Likewise, since AAL5 PVC
support is only currently available on Linux, it will fail with the
same error on other platforms.
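
The parsing rules above decide whether an agent answers only locally or on every interface, which is worth checking when reviewing how snmpd is started. The following Python is an added example, not part of Net-SNMP or of this manual page: it applies the table and the listed interpretations to a list of listening addresses. The function names, the exposure labels and the bracketed form for IPv6 literals are assumptions of the example.

```python
import ipaddress

# Specifiers and aliases from the table above; matched case-insensitively.
ALIASES = {"udp": "udp", "tcp": "tcp", "unix": "unix", "ipx": "ipx",
           "aal5pvc": "aal5pvc", "pvc": "aal5pvc",
           "udp6": "udp6", "udpv6": "udp6", "udpipv6": "udp6",
           "tcp6": "tcp6", "tcpv6": "tcp6", "tcpipv6": "tcp6",
           "ssh": "ssh", "dtlsudp": "dtlsudp"}
IP_TRANSPORTS = {"udp", "tcp", "udp6", "tcp6", "ssh", "dtlsudp"}


def _host(address):
    """Host part of host[:port], or None when the address is a bare port."""
    if address.isdigit():
        return None
    if address.startswith("["):          # assumption: IPv6 literals are bracketed
        return address[1:].partition("]")[0]
    return address.rsplit(":", 1)[0] if ":" in address else address


def classify(spec):
    """Map one listening address to (transport, address, exposure)."""
    head, sep, rest = spec.partition(":")
    if sep and head.lower() in ALIASES:
        transport, address = ALIASES[head.lower()], rest
    elif spec.startswith("/"):           # leading '/' implies the Unix domain
        transport, address = "unix", spec
    else:                                # no specifier: udp is the default
        transport, address = "udp", spec
    if transport == "unix":
        return transport, address, "local-socket"
    if transport not in IP_TRANSPORTS:   # ipx and aal5pvc are not judged here
        return transport, address, "non-ip"
    host = _host(address)
    if host is None:                     # port only: every interface
        return transport, address, "all-interfaces"
    try:
        loop = ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname rather than a literal
        loop = host.lower() == "localhost"
    return transport, address, "loopback" if loop else "specific-host"


def exposed(listen_args):
    """Return the listening addresses that accept requests on every interface."""
    specs = listen_args or ["161"]       # no arguments: UDP 161, all IPv4 interfaces
    return [s for s in specs if classify(s)[2] == "all-interfaces"]
```

Passing an empty list to exposed() models an snmpd started with no listening addresses, which the text above says listens on UDP port 161 on all IPv4 interfaces.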

ssh     The SSH transport, on the server side, is actually just a unix
        named pipe that can be connected to via an ssh subsystem
        configured in the main ssh server. The pipe location
        (configurable with the sshtosnmpsocket token in snmp.conf) is
        /var/net-snmp/sshtosnmp. Packets should be submitted to it via
        the sshtosnmp application, which also sends the user ID when
        starting the connection. The TSM security model should be used
        to process packets received over this transport.

        The sshtosnmp command knows how to connect to this pipe and
        talk to it. It should be configured in the OpenSSH sshd
        configuration file (which is normally /etc/ssh/sshd_config)
        using the following configuration line:

            Subsystem snmp /usr/local/bin/sshtosnmp

        The sshtosnmp command will need read/write access to the
        /var/net-snmp/sshtosnmp pipe. Although it should be fairly
        safe to grant access to the average user since it still
        requires modifications to the ACM settings before the user can
        perform operations, paranoid administrators may want to make
        the /var/net-snmp directory accessible only by users in a
        particular group. Use the sshtosnmpsocketperms snmp.conf
        configuration option to set the permissions, owner and group
        of the created socket.

        Access control can be granted to the user "foo" using the
        following style of simple snmpd.conf settings:

            rouser -s tsm foo authpriv

        Note that "authpriv" is acceptable, as SSH protects everything
        that way (assuming you have a non-insane setup). snmpd has no
        notion of how SSH has actually protected a packet and thus the
        snmp agent assumes all packets passed through the SSH
        transport have been protected at the authpriv level.

dtlsudp The DTLS protocol, which is based on TLS, requires both
        client and server certificates to establish the connection and
        authenticate both sides. In order to do this, the client will
        need to configure the snmp.conf file with the
        defX509ServerCerts, defX509ClientPriv, and defX509ClientPub
        configuration tokens. The server will need to configure the
        snmp.conf file with the defX509ServerPub, defX509ServerPriv,
        and defX509ClientCerts configuration tokens.

        Access control setup is similar to the ssh transport as the TSM
        security model should be used to protect the packet.

snmpd checks for the existence of and parses the following files:

/etc/snmp/snmp.conf
        Common configuration for the agent and applications. See
        snmp.conf(5) for details.

/etc/snmp/snmpd.conf

/etc/snmp/snmpd.local.conf
        Agent-specific configuration. See snmpd.conf(5) for details.
        These files are optional and may be used to configure access
        control, trap generation, subagent protocols and much else
        besides.

        In addition to these two configuration files in /etc/snmp, the
        agent will read any files with the names snmpd.conf and
        snmpd.local.conf in a colon separated path specified in the
        SNMPCONFPATH environment variable.

/usr/share/snmp/mibs/
        The agent will also load all files in this directory as MIBs. It
        will not, however, load any file that begins with a '.' or
        descend into subdirectories.

(in recommended reading order)

snmp_config(5), snmp.conf(5), snmpd.conf(5)

4th Berkeley Distribution         23 Jun 2005                       SNMPD(8)