1SNMPD(8)                           Net-SNMP                           SNMPD(8)
2
3
4

NAME

6       snmpd - daemon to respond to SNMP request packets.
7

SYNOPSIS

9       snmpd [OPTIONS] [LISTENING ADDRESSES]
10

DESCRIPTION

12       snmpd  is  an SNMP agent which binds to a port and awaits requests from
13       SNMP management software.  Upon receiving a request, it  processes  the
14       request(s),  collects the requested information and/or performs the re‐
15       quested operation(s) and returns the information to the sender.
16

OPTIONS

18       -a      Log the source addresses of incoming requests.
19
20       -A      Append to the log file rather than truncating it.
21
22       -c FILE Read FILE as a configuration file (or a comma-separated list of
23               configuration  files).  Note that the loaded file will only un‐
24               derstand snmpd.conf tokens, unless the  configuration  type  is
25               specified  in the file as described in the snmp_config man page
26               under SWITCHING CONFIGURATION TYPES IN MID-FILE.
27
28       -C      Do not read any configuration files except the ones  optionally
29               specified by the -c option.  Note that this behaviour also cov‐
30               ers the persistent configuration files.  This may result in dy‐
31               namically-assigned   values  being  reset  following  an  agent
32               restart, unless the relevant persistent config  files  are  ex‐
33               plicitly loaded using the -c option.
34
35       -d      Dump (in hexadecimal) the sent and received SNMP packets.
36
37       -D[TOKEN[,...]]
38               Turn  on  debugging output for the given TOKEN(s).  Without any
39               tokens specified, it defaults to printing all the tokens (which
40               is equivalent to the keyword "ALL").  You might want to try ALL
41               for extremely verbose output.  Note: You can not  put  a  space
42               between the -D flag and the listed TOKENs.
43
44       -f      Do not fork() from the calling shell.
45
46       -g GID  Change the group ID of the snmpd process into GID after opening
47               listening sockets. This overrides the agentgroup  configuration
48               file parameter.
49
50       -h, --help
51               Display a brief usage message and then exit.
52
53       -H      Display  a  list of configuration file directives understood by
54               the agent and then exit.
55
56       -I [-]INITLIST
57               Specifies which modules should (or should not)  be  initialized
58               when  the  agent starts up.  If the comma-separated INITLIST is
59               preceded with a '-', it is the list of modules that should  not
60               be  started.   Otherwise  this  is the list of the only modules
61               that should be started.
62
63               To get a list of compiled modules, run the agent with the argu‐
64               ments  -Dmib_init  -H (assuming debugging support has been com‐
65               piled in).
66
67       -L[eEfFoOsSnN]
68               Specify where logging output should be directed (standard error
69               or  output,  to  a file or via syslog).  See LOGGING OPTIONS in
70               snmpcmd(1) for details.
71
72       -m MIBLIST
73               Specifies a colon separated list of MIB  modules  to  load  for
74               this  application.   This  overrides  the  environment variable
75               MIBS.  See snmpcmd(1) for details.
76
77       -M DIRLIST
78               Specifies a colon separated list of directories to  search  for
79               MIBs.   This  overrides  the environment variable MIBDIRS.  See
80               snmpcmd(1) for details.
81
82       -n NAME Set an alternative application name (which will affect the con‐
83               figuration  files  loaded).  By default this will be snmpd, re‐
84               gardless of the name of the actual binary.
85
86       -p FILE Save the process ID of the daemon in FILE.
87
88       -q      Print simpler output for easier automated parsing.
89
90       -r      Do not require root access to run the daemon.  Specifically, do
91               not  exit  if  files only accessible to root (such as /dev/kmem
92               etc.) cannot be opened.
93
94       -u UID  Change the user ID of the snmpd process into UID (which can  be
95               given  in  numerical  or  textual form) after opening listening
96               sockets. This overrides the agentuser configuration file param‐
97               eter.
98
99       -U      Instructs  the agent to not remove its pid file (see the -p op‐
100               tion) on shutdown. Overrides the leave_pidfile token in the sn‐
101               mpd.conf file, see snmpd.conf(5).
102
103       -v, --version
104               Print version information for the agent and then exit.
105
106       -V      Symbolically dump SNMP transactions.
107
108       -x ADDRESS
109               Listens  for AgentX connections on the specified address rather
110               than the default "/var/agentx/master".  The address can  either
111               be  a  Unix domain socket path, or the address of a network in‐
112               terface.  The format is the same as the format of listening ad‐
113               dresses described below.
114
115       -X      Run as an AgentX subagent rather than as an SNMP master agent.
116
117       --name="value"
118               Allows  one  to specify any token ("name") supported in the sn‐
119               mpd.conf file and sets its value to "value". Overrides the cor‐
120               responding  token in the snmpd.conf file. See snmpd.conf(5) for
121               the full list of tokens.
122

LISTENING ADDRESSES

124       By default, snmpd listens for incoming SNMP requests on UDP port 161 on
125       all  IPv4 interfaces.  However, it is possible to modify this behaviour
126       by specifying one or more listening addresses as arguments to snmpd.  A
127       listening address takes the form:
128
129              [<transport-specifier>:]<transport-address>
130
131       At its simplest, a listening address may consist only of a port number,
132       in which case snmpd listens on that UDP port on  all  IPv4  interfaces.
133       Otherwise,  the <transport-address> part of the specification is parsed
134       according to the following table:
135
136           <transport-specifier>       <transport-address> format
137
138           udp (default)               hostname[:port] or IPv4-address[:port]
139
140           tcp                         hostname[:port] or IPv4-address[:port]
141
142           unix                        pathname
143
144           ipx                         [network]:node[/port]
145
146           aal5pvc or pvc              [interface.][VPI.]VCI
147
148           udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]
149
150           tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]
151
152           ssh                         hostname:port
153
154           dtlsudp                     hostname:port
155
156       Note that <transport-specifier> strings are case-insensitive  so  that,
157       for  example,  "tcp" and "TCP" are equivalent.  Here are some examples,
158       along with their interpretation:
159
160       127.0.0.1:161           listen on UDP port 161, but only on  the  loop‐
161                               back  interface.   This  prevents  snmpd  being
162                               queried  remotely.   The   port   specification
163                               ":161"  is not strictly necessary since that is
164                               the default SNMP port.
165
166       TCP:1161                listen on TCP port 1161 on all IPv4 interfaces.
167
168       ipx:/40000              listen on IPX port 40000 on all IPX interfaces.
169
170       unix:/tmp/local-agent   listen  on  the  Unix  domain  socket  /tmp/lo‐
171                               cal-agent.
172
173       /tmp/local-agent        is  identical  to  the  previous specification,
174                               since the Unix domain is assumed if  the  first
175                               character of the <transport-address> is '/'.
176
177       PVC:161                 listen  on  the  AAL5 permanent virtual circuit
178                               with VPI=0 and VCI=161 (decimal) on  the  first
179                               ATM adapter in the machine.
180
181       udp6:10161              listen on port 10161 on all IPv6 interfaces.
182
183       ssh:127.0.0.1:22        Allows  connections  from the snmp subsystem on
184                               the ssh server on port 22.  The details of  us‐
185                               ing SNMP over SSH are defined below.
186
187       dtlsudp:127.0.0.1:9161  Listen  for  connections  over DTLS on UDP port
188                               9161.   The  snmp.conf  file  must   have   the
189                               serverCert, configuration tokens defined.
190
191       Note  that  not  all  the transport domains listed above will always be
192       available; for instance, hosts with no IPv6 support will not be able to
193       use  udp6 transport addresses, and attempts to do so will result in the
194       error "Error opening specified endpoint".   Likewise,  since  AAL5  PVC
195       support  is  only  currently  available on Linux, it will fail with the
196       same error on other platforms.
197

Transport Specific Notes

199       ssh     The SSH transport, on the server side, is actually just a  unix
200               named pipe that can be connected to via a ssh subsystem config‐
201               ured in the main ssh server.  The pipe  location  (configurable
202               with    the    sshtosnmpsocket    token    in   snmp.conf)   is
203               /var/net-snmp/sshtosnmp.  Packets should be submitted to it via
204               the sshtosnmp application, which also sends the user ID as well
205               when starting the connection.  The TSM security model should be
206               used when packets should process it.
207
208               The  sshtosnmp  command  knows  how to connect to this pipe and
209               talk to it.  It should be configured in the OpenSSH  sshd  con‐
210               figuration  file  (which is normally /etc/ssh/sshd_config using
211               the following configuration line:
212
213
214                      Subsystem snmp /usr/local/bin/sshtosnmp
215
216               The sshtosnmp  command  will  need  read/write  access  to  the
217               /var/net-snmp/sshtosnmp  pipe.   Although  it  should be fairly
218               safe to grant access to the average user  since  it  still  re‐
219               quires  modifications  to  the ACM settings before the user can
220               perform operations, paranoid administrators may  want  to  make
221               the  /var/net-snmp directory accessible only by users in a par‐
222               ticular group.  Use the sshtosnmpsocketperms snmp.conf  config‐
223               ure  option to set the permissions, owner and group of the cre‐
224               ated socket.
225
226               Access control can be granted to the user "foo" using the  fol‐
227               lowing style of simple snmpd.conf settings:
228
229
230                      rouser -s tsm foo authpriv
231
232               Note that "authpriv" is acceptable assuming as SSH protects ev‐
233               erything that way (assuming you have a non-insane setup).   sn‐
234               mpd  has  no  notion of how SSH has actually protected a packet
235               and thus the snmp agent assumes all packets passed through  the
236               SSH transport have been protected at the authpriv level.
237
238       dtlsudp The  DTLS  protocol,  which  is based off of TLS, requires both
239               client and server certificates to establish the connection  and
240               authenticate  both sides.  In order to do this, the client will
241               need to configure the snmp.conf file with the  clientCert  con‐
242               figuration  tokens.   The  server  will  need  to configure the
243               snmp.conf file with the  serverCert  configuration  tokens  de‐
244               fined.
245
246               Access control setup is similar to the ssh transport as the TSM
247               security model should be used to protect the packet.
248

CONFIGURATION FILES

250       snmpd checks for the existence of and parses the following files:
251
252       /etc/snmp/snmp.conf
253             Common  configuration  for  the  agent  and   applications.   See
254             snmp.conf(5) for details.
255
256       /etc/snmp/snmpd.conf
257
258       /etc/snmp/snmpd.local.conf
259             Agent-specific  configuration.   See  snmpd.conf(5)  for details.
260             These files are optional and may be used to configure access con‐
261             trol, trap generation, subagent protocols and much else besides.
262
263             In  addition  to  these two configuration files in /etc/snmp, the
264             agent will read any files with the names snmpd.conf and snmpd.lo‐
265             cal.conf  in a colon separated path specified in the SNMPCONFPATH
266             environment variable.
267
268       /usr/share/snmp/mibs/
269             The agent will also load all files in this directory as MIBs.  It
270             will  not,  however,  load any file that begins with a '.' or de‐
271             scend into subdirectories.
272

SEE ALSO

274       (in recommended reading order)
275
276       snmp_config(5), snmp.conf(5), snmpd.conf(5)
277
278
279
280V5.9.1                            30 Jun 2010                         SNMPD(8)
Impressum