SNMPD(8)                           Net-SNMP                           SNMPD(8)

NAME

       snmpd - daemon to respond to SNMP request packets.

SYNOPSIS

       snmpd [OPTIONS] [LISTENING ADDRESSES]

DESCRIPTION

       snmpd is an SNMP agent which binds to a port and awaits requests from
       SNMP management software. Upon receiving a request, it processes the
       request(s), collects the requested information and/or performs the
       requested operation(s) and returns the information to the sender.

OPTIONS

       -a      Log the source addresses of incoming requests.

       -A      Append to the log file rather than truncating it.

       -c FILE Read FILE as a configuration file (or a comma-separated list of
               configuration files). Note that the loaded file will only
               understand snmpd.conf tokens, unless the configuration type is
               specified in the file as described in the snmp_config man page
               under SWITCHING CONFIGURATION TYPES IN MID-FILE.

       -C      Do not read any configuration files except the ones optionally
               specified by the -c option. Note that this behaviour also
               covers the persistent configuration files. This may result in
               dynamically-assigned values being reset following an agent
               restart, unless the relevant persistent config files are
               explicitly loaded using the -c option.

       -d      Dump (in hexadecimal) the sent and received SNMP packets.

       -D[TOKEN[,...]]
               Turn on debugging output for the given TOKEN(s). Without any
               tokens specified, it defaults to printing all the tokens (which
               is equivalent to the keyword "ALL"). You might want to try ALL
               for extremely verbose output. Note: You cannot put a space
               between the -D flag and the listed TOKENs.

       -f      Do not fork() from the calling shell.

       -g GID  Change to the numerical group ID GID after opening listening
               sockets.

       -h, --help
               Display a brief usage message and then exit.

       -H      Display a list of configuration file directives understood by
               the agent and then exit.

       -I [-]INITLIST
               Specifies which modules should (or should not) be initialized
               when the agent starts up. If the comma-separated INITLIST is
               preceded with a '-', it is the list of modules that should not
               be started. Otherwise this is the list of the only modules
               that should be started.

               To get a list of compiled modules, run the agent with the
               arguments -Dmib_init -H (assuming debugging support has been
               compiled in).

       -L[efos]
               Specify where logging output should be directed (standard error
               or output, to a file or via syslog). See LOGGING OPTIONS in
               snmpcmd(5) for details.

       -m MIBLIST
               Specifies a colon separated list of MIB modules to load for
               this application. This overrides the environment variable
               MIBS. See snmpcmd(1) for details.

       -M DIRLIST
               Specifies a colon separated list of directories to search for
               MIBs. This overrides the environment variable MIBDIRS. See
               snmpcmd(1) for details.

       -n NAME Set an alternative application name (which will affect the
               configuration files loaded). By default this will be snmpd,
               regardless of the name of the actual binary.

       -p FILE Save the process ID of the daemon in FILE.

       -q      Print simpler output for easier automated parsing.

       -r      Do not require root access to run the daemon. Specifically, do
               not exit if files only accessible to root (such as /dev/kmem
               etc.) cannot be opened.

       -u UID  Change to the user ID UID (which can be given in numerical or
               textual form) after opening listening sockets.

       -U      Instructs the agent to not remove its pid file (see the -p
               option) on shutdown. Overrides the leave_pidfile token in the
               snmpd.conf file, see snmpd.conf(5).

       -v, --version
               Print version information for the agent and then exit.

       -V      Symbolically dump SNMP transactions.

       -x ADDRESS
               Listens for AgentX connections on the specified address rather
               than the default "/var/agentx/master". The address can either
               be a Unix domain socket path, or the address of a network
               interface. The format is the same as the format of listening
               addresses described below.

       -X      Run as an AgentX subagent rather than as an SNMP master agent.

       --name="value"
               Allows any token ("name") supported in the snmpd.conf file to
               be specified and sets its value to "value". Overrides the
               corresponding token in the snmpd.conf file. See snmpd.conf(5)
               for the full list of tokens.

LISTENING ADDRESSES

       By default, snmpd listens for incoming SNMP requests on UDP port 161 on
       all IPv4 interfaces. However, it is possible to modify this behaviour
       by specifying one or more listening addresses as arguments to snmpd. A
       listening address takes the form:

              [<transport-specifier>:]<transport-address>

       At its simplest, a listening address may consist only of a port number,
       in which case snmpd listens on that UDP port on all IPv4 interfaces.
       Otherwise, the <transport-address> part of the specification is parsed
       according to the following table:

           <transport-specifier>       <transport-address> format

           udp (default)               hostname[:port] or IPv4-address[:port]

           tcp                         hostname[:port] or IPv4-address[:port]

           unix                        pathname

           ipx                         [network]:node[/port]

           aal5pvc or pvc              [interface.][VPI.]VCI

           udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]

           tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]

           ssh                         hostname:port

           dtlsudp                     hostname:port

       Note that <transport-specifier> strings are case-insensitive so that,
       for example, "tcp" and "TCP" are equivalent. Here are some examples,
       along with their interpretation:

       127.0.0.1:161           listen on UDP port 161, but only on the
                               loopback interface. This prevents snmpd being
                               queried remotely. The port specification
                               ":161" is not strictly necessary since that is
                               the default SNMP port.

       TCP:1161                listen on TCP port 1161 on all IPv4 interfaces.

       ipx:/40000              listen on IPX port 40000 on all IPX interfaces.

       unix:/tmp/local-agent   listen on the Unix domain socket
                               /tmp/local-agent.

       /tmp/local-agent        is identical to the previous specification,
                               since the Unix domain is assumed if the first
                               character of the <transport-address> is '/'.

       PVC:161                 listen on the AAL5 permanent virtual circuit
                               with VPI=0 and VCI=161 (decimal) on the first
                               ATM adapter in the machine.

       udp6:10161              listen on port 10161 on all IPv6 interfaces.

       ssh:127.0.0.1:22        Allows connections from the snmp subsystem on
                               the ssh server on port 22. The details of
                               using SNMP over SSH are defined below.

       dtlsudp:127.0.0.1:9161  Listen for connections over DTLS on UDP port
                               9161. The snmp.conf file must have the
                               defX509ServerPub, defX509ServerPriv, and
                               defX509ClientCerts configuration tokens
                               defined.

       Note that not all the transport domains listed above will always be
       available; for instance, hosts with no IPv6 support will not be able to
       use udp6 transport addresses, and attempts to do so will result in the
       error "Error opening specified endpoint". Likewise, since AAL5 PVC
       support is only currently available on Linux, it will fail with the
       same error on other platforms.
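The parsing rules above, written out as an added example (not part of the Net-SNMP distribution): it classifies each listening address by how widely it exposes the agent, including the default when no address is given. The function names and exposure labels are hypothetical, and the bracketed IPv6 form is an assumption not described on this page.

```python
import ipaddress

# Transport specifiers from the table above; matching is case-insensitive.
IP_TRANSPORTS = {"udp", "tcp", "udp6", "udpv6", "udpipv6",
                 "tcp6", "tcpv6", "tcpipv6", "dtlsudp"}
OTHER_TRANSPORTS = {"unix", "ipx", "aal5pvc", "pvc", "ssh"}


def parse_listen(spec):
    """Split one listening-address argument into (transport, address)."""
    if spec.startswith("/"):              # leading '/' implies the Unix domain
        return "unix", spec
    head, sep, rest = spec.partition(":")
    if sep and head.lower() in IP_TRANSPORTS | OTHER_TRANSPORTS:
        return head.lower(), rest
    return "udp", spec                    # udp is the default transport


def exposure(spec):
    """Label how reachable the agent is through this listening address."""
    transport, addr = parse_listen(spec)
    if transport == "unix":
        return "local-socket"
    if transport == "ssh":                # reached through sshd's snmp subsystem
        return "via-sshd"
    if transport not in IP_TRANSPORTS:
        return "non-ip"
    if addr.isdigit():                    # bare port: every interface
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)   # address given without a port
    except ValueError:
        host, sep, port = addr.rpartition(":")
        # Assumption: an IPv6 address with a port is written as [addr]:port.
        host = (host if sep and port.isdigit() else addr).strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return "hostname"             # needs resolution to judge
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-interface"


def audit(listen_args):
    """Map each listening address to its exposure label."""
    specs = listen_args or ["udp:161"]    # default: UDP 161, all IPv4 interfaces
    return {s: exposure(s) for s in specs}


if __name__ == "__main__":
    # Constructed sample: the listening addresses used as examples on this page.
    for spec, label in audit(["127.0.0.1:161", "TCP:1161", "udp6:10161"]).items():
        print(f"{spec:20} {label}")
```

Any address labelled all-interfaces or hostname deserves a look at the access control settings in snmpd.conf before the agent is started.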

Transport Specific Notes

       ssh     The SSH transport, on the server side, is actually just a Unix
               named pipe that can be connected to via an ssh subsystem
               configured in the main ssh server. The pipe location
               (configurable with the sshtosnmpsocket token in snmp.conf) is
               /var/net-snmp/sshtosnmp. Packets should be submitted to it via
               the sshtosnmp application, which also sends the user ID when
               starting the connection. The TSM security model should be used
               to process packets received through it.

               The sshtosnmp command knows how to connect to this pipe and
               talk to it. It should be configured in the OpenSSH sshd
               configuration file (which is normally /etc/ssh/sshd_config)
               using the following configuration line:

                      Subsystem snmp /usr/local/bin/sshtosnmp

               The sshtosnmp command will need read/write access to the
               /var/net-snmp/sshtosnmp pipe. Although it should be fairly
               safe to grant access to the average user, since it still
               requires modifications to the ACM settings before the user can
               perform operations, paranoid administrators may want to make
               the /var/net-snmp directory accessible only by users in a
               particular group. Use the sshtosnmpsocketperms snmp.conf
               configuration option to set the permissions, owner and group of
               the created socket.

               Access control can be granted to the user "foo" using the
               following style of simple snmpd.conf settings:

                      rouser -s tsm foo authpriv

               Note that "authpriv" is acceptable, since SSH protects
               everything that way (assuming you have a non-insane setup).
               snmpd has no notion of how SSH has actually protected a packet
               and thus the snmp agent assumes all packets passed through the
               SSH transport have been protected at the authpriv level.

       dtlsudp The DTLS protocol, which is based on TLS, requires both
               client and server certificates to establish the connection and
               authenticate both sides. In order to do this, the client will
               need to configure the snmp.conf file with the
               defX509ServerCerts, defX509ClientPriv, and defX509ClientPub
               configuration tokens. The server will need to configure the
               snmp.conf file with the defX509ServerPub, defX509ServerPriv,
               and defX509ClientCerts configuration tokens defined.

               Access control setup is similar to the ssh transport as the TSM
               security model should be used to protect the packet.

CONFIGURATION FILES

       snmpd checks for the existence of and parses the following files:

       /etc/snmp/snmp.conf
             Common configuration for the agent and applications. See
             snmp.conf(5) for details.

       /etc/snmp/snmpd.conf

       /etc/snmp/snmpd.local.conf
             Agent-specific configuration. See snmpd.conf(5) for details.
             These files are optional and may be used to configure access
             control, trap generation, subagent protocols and much else
             besides.

             In addition to these two configuration files in /etc/snmp, the
             agent will read any files with the names snmpd.conf and
             snmpd.local.conf in a colon separated path specified in the
             SNMPCONFPATH environment variable.

       /usr/share/snmp/mibs/
             The agent will also load all files in this directory as MIBs. It
             will not, however, load any file that begins with a '.' or
             descend into subdirectories.

SEE ALSO

       (in recommended reading order)

       snmp_config(5), snmp.conf(5), snmpd.conf(5)

4th Berkeley Distribution         23 Jun 2005                         SNMPD(8)