MIB OID Translation

@PhaedrusTheGreek
In your way, I had some problems too....

ruby import.rb mibs/
mibs//PHION-MIB.mib
smidump: cannot locate module `mibs//PHION-MIB.mib'
*** Import failed for: mibs//PHION-MIB.mib ***

Hi, I was trying to convert this MIB to YAML but got this error.

Hi,

I tried to convert a couple of Cisco LWAPP MIBs and I got an error.

I used this command: /usr/share/logstash/bin/ruby import.rb MIBS/

smidump: module `MIBS//CISCO-LWAPP-WLAN-SECURITY-MIB.my' contains errors, expect flawed output
*** No nodes defined in: MIBS//CISCO-LWAPP-WLAN-SECURITY-MIB.my ***

Thank you!

Hi,

I am new to the SNMP trap universe, but I am trying to send SNMP traps to my Logstash listener. I have the same input configuration as mentioned in the post, and I am running Logstash as root with debug logs.

input {
    snmptrap {
       type => "snmptrap"
       community => "public"
       host => "0.0.0.0"
       port => 162
       yamlmibdir => "..../logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
    }
}

I tried to test my configuration using tcpreplay as mentioned in this section. I downloaded a sample pcap file from here.

$ tcpreplay --intf1=eth0 c06-snmpv1-trap-app-r1.pcap
    ^C User interrupt...
    sendpacket_abort
    Actual: 253 packets (157684 bytes) sent in 10.45 seconds
    Rated: 15084.3 Bps, 0.120 Mbps, 24.20 pps
    Flows: 1 flows, 0.09 fps, 253 flow packets, 0 non-flow
    Statistics for network device: eth0
            Successful packets:        253
            Failed packets:            0
            Truncated packets:         0
            Retried packets (ENOBUFS): 0
            Retried packets (EAGAIN):  0

But Logstash is not able to capture any traps. I see no log messages inside the Logstash logs.
Any help appreciated!!

In my experience, tcpreplay is only useful if you rewrite the Ethernet and IP headers. Have a look at what the destination IP address and MAC address of the SNMP trap packets are and compare that with the interface you expect to capture on.

  1. See what you've got:
 sudo tcpdump -qns 0 -r traps.pcap
  2. Rewrite the source and destination MAC addresses, and the destination MAC (in this case, it's my MacBook's en3 interface):
 tcprewrite --infile=traps.pcap --outfile=rewritten.pcap -D 0.0.0.0/0:192.168.0.26 -S 0.0.0.0/0:192.168.0.2 --enet-dmac=ac:87:a3:35:cf:84
  3. Fix checksums:
 tcprewrite --infile=rewritten.pcap --outfile=final.pcap --fixcsum
  4. Run the sequence:
 tcpreplay --intf1=eth0 final.pcap

or select some packets if you like

 editcap -r final.pcap first-ten.pcap 1-10

Seems like a lot of unnecessary steps for such a simple task, and there's probably some better way to do it, but this one works for me. BTW, in my setup I am running the replay from a secondary host on the same network (192.168.0.2) with a destination of my MacBook (192.168.0.26). There's probably a way to do it using loopback, but I couldn't find it.

Sorry for the late reply.
I tried the above steps, but I am still not able to get any output or see anything happening in the Logstash logs in DEBUG mode. I hope Logstash needs to be run on the destination server in this case, but I also tried running it on the source as well, with tcpreplay run on the source in both cases. Still no luck. I also ran Logstash as root.

I am beginning to suspect it might be port 162, which is not open on both the source and the destination.
tcpdump doesn't show which port it is sending from/to. But is there any way to change the port of the traffic too, just like you changed the source/destination?

To test if the destination host is receiving the replay, run tcpdump on the destination host during the test, listening for UDP traffic on port 162:

sudo tcpdump -ni eth0 'udp dst port 162'

If you don't see anything, and you suspect the replay is broken, try netcat from the source host while the tcpdump is still running:

 echo "hi" | nc -u dst.host.com 162

If you still don't see anything, you have a network / firewall problem.

Thanks for the reply.
I see that echo "hi" | nc -u dst.host.com 162 is working, as I can see messages printed to stdout by tcpdump running on the destination. Also, Logstash gave this parse error:

Error handling trap: 104
~/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/ber.rb:190:in `decode_sequence'
~/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/pdu.rb:49:in `decode'
~/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:707:in `process_traps'
org/jruby/RubyKernel.java:1479:in `loop'
~/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:704:in `process_traps'
~/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:631:in `initialize'
Received data:
"hi\n"

Also, when I ran tcpreplay on the source and tcpdump on the destination server, I see nothing on stdout. But tcpdump on the source server has lots of stuff being printed to stdout.
Sample:

12:44:56.537796 IP <SRC_IP>.netarx > <DST_IP>.snmptrap:  Trap(48)  .1.3.6.1.4.1.4.1.2.21 [inetaddr len!=4]7.32.87.89.64.55.146.121.55 coldStart 1240 .1.3.6.1.2.1.2.1.0=
12:44:56.577815 IP <SRC_IP>.netarx > <DST_IP>.snmptrap:  Trap(49)  .1.3.6.1.4.1.4.1.2.21 [inetaddr len!=4]9.34.51.114.3.104.84.119.88.7 coldStart 1241 .1.3.6.1.2.1.2.1.0=
12:44:56.617829 IP <SRC_IP>.netarx > <DST_IP>.snmptrap:  Trap(49)  .1.3.6.1.4.1.4.1.2.21 [inetaddr len!=4]9.34.51.114.3.104.84.119.88.8 coldStart 1242 .1.3.6.1.2.1.2.1.0=

So it is evident that the source is trying to send something, but the destination server is not able to receive it even though UDP port 162 is open.
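The decode error quoted above (decode_sequence failing on "hi\n") is what any SNMP listener does with a payload that is not BER: the first byte of an SNMP message must be a SEQUENCE tag (0x30) followed by a length, and "hi\n" fails that on the first two bytes. The netcat test therefore proves only that UDP/162 is reachable. The following is an added example written for this thread, not code from the snmp gem or from Logstash: it encodes a real SNMPv1 Trap-PDU (RFC 1157) with a tiny hand-written BER encoder, decodes it back, shows the same rejection of "hi\n", and can send the datagram to a listener the same way the nc one-liner does, but with a payload the snmptrap input can parse. The enterprise arc and the sysName value in the sample are arbitrary; the addresses are the ones used in the thread.

```ruby
require 'socket'

# Minimal BER + SNMPv1 Trap-PDU (RFC 1157) encoder/decoder, constructed for this thread;
# it is not the snmp gem's code. The gem's decode_sequence error above fails the same first
# check that parse_snmpv1_trap makes: an SNMP datagram must start with a BER SEQUENCE (0x30).
module Ber
  def self.length(n)                           # definite length, short or long form
    return [n].pack('C') if n < 128
    bytes = []
    (bytes.unshift(n & 0xff); n >>= 8) while n > 0
    ([0x80 | bytes.size] + bytes).pack('C*')
  end
  def self.int_bytes(v)                        # non-negative values only (all a trap needs)
    bytes = []
    (bytes.unshift(v & 0xff); v >>= 8) while v > 0
    bytes = [0] if bytes.empty?
    bytes.unshift(0) if bytes[0] & 0x80 != 0   # keep the sign bit clear
    bytes.pack('C*')
  end
  def self.tlv(tag, body);   [tag].pack('C') + length(body.bytesize) + body; end
  def self.integer(v);       tlv(0x02, int_bytes(v)); end
  def self.octet_string(s);  tlv(0x04, s.b); end
  def self.sequence(*items); tlv(0x30, items.join); end

  def self.oid(dotted)                         # first two arcs share one byte, the rest are base-128
    arcs = dotted.sub(/\A\./, '').split('.').map(&:to_i)
    body = [arcs[0] * 40 + arcs[1]]
    arcs.drop(2).each do |a|
      enc = [a & 0x7f]
      (a >>= 7; enc.unshift((a & 0x7f) | 0x80)) while a >= 128
      body.concat(enc)
    end
    tlv(0x06, body.pack('C*'))
  end

  def self.read_tlv(buf, pos = 0)              # => [tag, body, position after this TLV]
    raise ArgumentError, 'truncated TLV header' if buf.bytesize < pos + 2
    tag, len, pos = buf.getbyte(pos), buf.getbyte(pos + 1), pos + 2
    if len & 0x80 != 0                         # long form: the next (len & 0x7f) bytes hold the length
      n = len & 0x7f
      raise ArgumentError, 'truncated length' if buf.bytesize < pos + n
      len = buf.byteslice(pos, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
      pos += n
    end
    raise ArgumentError, "truncated TLV body (#{len} bytes declared)" if buf.bytesize < pos + len
    [tag, buf.byteslice(pos, len), pos + len]
  end
  def self.children(body)                      # [tag, body] pairs inside a constructed value
    out, pos = [], 0
    while pos < body.bytesize
      tag, b, pos = read_tlv(body, pos)
      out << [tag, b]
    end
    out
  end
  def self.decode_int(body); body.bytes.inject(0) { |acc, b| (acc << 8) | b }; end
  def self.decode_oid(body)
    bs = body.bytes
    arcs, acc = [bs[0] / 40, bs[0] % 40], 0
    bs.drop(1).each { |b| acc = (acc << 7) | (b & 0x7f); (arcs << acc; acc = 0) if b & 0x80 == 0 }
    arcs.join('.')
  end
end

# RFC 1157 tags: Trap-PDU [4] IMPLICIT => 0xA4, IpAddress [APPLICATION 0] => 0x40,
# TimeTicks [APPLICATION 3] => 0x43. generic_trap 0 is coldStart, as in the tcpdump lines above.
def build_snmpv1_trap(community:, enterprise:, agent_addr:, generic_trap:, specific_trap:, uptime:, varbinds:)
  addr = agent_addr.split('.').map(&:to_i).pack('C4')
  vbl = Ber.sequence(*varbinds.map { |name, value| Ber.sequence(Ber.oid(name), Ber.octet_string(value)) })
  pdu = Ber.oid(enterprise) + Ber.tlv(0x40, addr) + Ber.integer(generic_trap) +
        Ber.integer(specific_trap) + Ber.tlv(0x43, Ber.int_bytes(uptime)) + vbl
  Ber.sequence(Ber.integer(0), Ber.octet_string(community), Ber.tlv(0xA4, pdu))   # version 0 = SNMPv1
end

def parse_snmpv1_trap(packet)
  tag, body, _rest = Ber.read_tlv(packet)
  raise ArgumentError, format('outer tag 0x%02x is not SEQUENCE: not an SNMP message', tag) unless tag == 0x30
  version, community, pdu = Ber.children(body)
  raise ArgumentError, 'not an SNMPv1 Trap-PDU' unless pdu && pdu[0] == 0xA4
  ent, addr, gen, spec, ticks, vbl = Ber.children(pdu[1])
  { version: Ber.decode_int(version[1]), community: community[1],
    enterprise: Ber.decode_oid(ent[1]), agent_addr: addr[1].bytes.join('.'),
    generic_trap: Ber.decode_int(gen[1]), specific_trap: Ber.decode_int(spec[1]),
    uptime: Ber.decode_int(ticks[1]),
    varbinds: Ber.children(vbl[1]).map { |_, vb| n, v = Ber.children(vb); [Ber.decode_oid(n[1]), v[1]] } }
end

# Constructed sample: addresses from the thread; the enterprise arc and sysName value are arbitrary.
SAMPLE_TRAP = build_snmpv1_trap(community: 'public', enterprise: '1.3.6.1.4.1.8072',
                                agent_addr: '192.168.0.2', generic_trap: 0, specific_trap: 0,
                                uptime: 1240, varbinds: [['1.3.6.1.2.1.1.5.0', 'replay-host']])

def send_trap(packet, host, port = 162)         # like `echo hi | nc -u host 162`, but decodable
  sock = UDPSocket.new
  sock.send(packet, 0, host, port)
  sock.close
  packet.bytesize
end

# ruby snmpv1_trap.rb <listener-host> [port]
send_trap(SAMPLE_TRAP, ARGV[0], (ARGV[1] || 162).to_i) if __FILE__ == $PROGRAM_NAME && ARGV[0]
```

Run it with the listener host as the argument from the same box the nc test was run on; if tcpdump on the destination shows the datagram and Logstash logs an event instead of "Error handling trap", the listener and its MIB translation are working and any remaining problem is in the replay itself, not in Logstash. Sending does not need root; only binding port 162 on the listener side does.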

It seems that the destination IP or MAC address must be wrong. Try comparing:

 tcpdump -qne -r final.pcap

with the destination interface IP and MAC address:

ifconfig <intf>
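The comparison above can also be scripted, which helps when a capture has hundreds of frames like the 253-packet file earlier in the thread. The following is an added example written for this thread, not code from tcpreplay, tcpdump or Logstash: a small classic-pcap reader that decodes the Ethernet, IPv4 and UDP headers of every frame and lists, per frame, why it would not reach a listener on the given interface MAC, IP and port. The embedded sample pcap is constructed in the script (one frame as it might have been captured elsewhere, one as tcprewrite would leave it for the MacBook in the thread); the captured-side addresses and the file name are made up.

```ruby
# Added example for this thread (not tcpreplay's or logstash's code): read a pcap and
# report where every frame is addressed, to compare against the capture interface the
# way `tcpdump -qne -r final.pcap` versus `ifconfig <intf>` does. Only Ethernet/IPv4/UDP
# is decoded, which is all an SNMPv1 trap replay needs.

def mac_str(b); b.bytes.map { |x| format('%02x', x) }.join(':'); end
def ip_str(b);  b.bytes.join('.'); end

def parse_frame(frame)
  info = { dst_mac: mac_str(frame.byteslice(0, 6)), src_mac: mac_str(frame.byteslice(6, 6)),
           ethertype: frame.byteslice(12, 2).unpack('n')[0] }
  return info unless info[:ethertype] == 0x0800                   # not IPv4 (ARP, IPv6, VLAN tag...)
  ip = frame.byteslice(14, frame.bytesize - 14)
  ihl = (ip.getbyte(0) & 0x0f) * 4                                 # header length, options included
  info.merge!(src_ip: ip_str(ip.byteslice(12, 4)), dst_ip: ip_str(ip.byteslice(16, 4)), proto: ip.getbyte(9))
  return info unless info[:proto] == 17                            # not UDP
  udp = ip.byteslice(ihl, ip.bytesize - ihl)
  info.merge!(src_port: udp.byteslice(0, 2).unpack('n')[0], dst_port: udp.byteslice(2, 2).unpack('n')[0],
              payload: udp.byteslice(8, udp.bytesize - 8))
end

# Classic pcap (libpcap) layout: 24-byte global header, then a 16-byte header per record.
def parse_pcap(data)
  magic = data.byteslice(0, 4)
  fmt = if magic.unpack('V')[0] == 0xa1b2c3d4 then 'V'             # little-endian writer
        elsif magic.unpack('N')[0] == 0xa1b2c3d4 then 'N'           # big-endian writer
        else raise ArgumentError, 'not a classic pcap file (pcapng needs a different reader)'
        end
  linktype = data.byteslice(20, 4).unpack(fmt)[0]
  raise ArgumentError, "link type #{linktype} is not Ethernet" unless linktype == 1
  frames, pos = [], 24
  while pos + 16 <= data.bytesize
    incl_len = data.byteslice(pos + 8, 4).unpack(fmt)[0]
    frames << parse_frame(data.byteslice(pos + 16, incl_len))
    pos += 16 + incl_len
  end
  frames
end

# For each frame: [frame number, reasons it would not reach a UDP listener on port at iface].
def check_replay_target(data, iface_mac:, iface_ip:, port: 162)
  parse_pcap(data).each_with_index.map do |f, i|
    why = []
    why << "dst MAC #{f[:dst_mac]} is not #{iface_mac}" unless f[:dst_mac] == iface_mac.downcase
    why << "not IPv4/UDP (ethertype 0x#{f[:ethertype].to_s(16)}, proto #{f[:proto].inspect})" unless f[:proto] == 17
    why << "dst IP #{f[:dst_ip]} is not #{iface_ip}" if f[:dst_ip] && f[:dst_ip] != iface_ip
    why << "dst port #{f[:dst_port]} is not #{port}" if f[:dst_port] && f[:dst_port] != port
    [i + 1, why]
  end
end

# --- constructed sample pcap; no real capture is embedded here ---
def udp_frame(dst_mac:, src_mac:, src_ip:, dst_ip:, src_port:, dst_port:, payload:)
  mac = ->(s) { s.split(':').map { |h| h.to_i(16) }.pack('C6') }
  ip4 = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  udp = [src_port, dst_port, 8 + payload.bytesize, 0].pack('nnnn') + payload.b
  iph = [0x45, 0, 20 + udp.bytesize, 0, 0, 64, 17, 0].pack('CCnnnCCn') + ip4[src_ip] + ip4[dst_ip]
  mac[dst_mac] + mac[src_mac] + [0x0800].pack('n') + iph + udp    # checksums left 0, as before --fixcsum
end

def build_pcap(frames)
  [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('VvvVVVV') +
    frames.map { |f| [0, 0, f.bytesize, f.bytesize].pack('VVVV') + f }.join
end

# Frame 1: as captured on some other network (made-up addresses). Frame 2: as tcprewrite would
# leave it for the MacBook in the thread (192.168.0.26 / ac:87:a3:35:cf:84), sent from 192.168.0.2.
SAMPLE_PCAP = build_pcap([
  udp_frame(dst_mac: '00:11:22:33:44:55', src_mac: '66:77:88:99:aa:bb', src_ip: '10.1.1.20',
            dst_ip: '10.1.1.1', src_port: 48000, dst_port: 162, payload: 'trap-bytes'),
  udp_frame(dst_mac: 'ac:87:a3:35:cf:84', src_mac: '66:77:88:99:aa:bb', src_ip: '192.168.0.2',
            dst_ip: '192.168.0.26', src_port: 48000, dst_port: 162, payload: 'trap-bytes')
])

if __FILE__ == $PROGRAM_NAME   # ruby pcapcheck.rb [file.pcap] <iface-mac> <iface-ip>
  data = ARGV.size == 3 ? File.binread(ARGV.shift) : SAMPLE_PCAP
  report = check_replay_target(data, iface_mac: ARGV[0] || 'ac:87:a3:35:cf:84', iface_ip: ARGV[1] || '192.168.0.26')
  report.each { |n, why| puts "frame #{n}: #{why.empty? ? 'would reach the listener' : why.join('; ')}" }
end
```

Run it against final.pcap with the MAC and IP that ifconfig shows for the capture interface; every frame should come back with an empty reason list before tcpreplay is worth running. A non-empty list on every frame is the situation in the thread: the kernel on the destination drops frames whose destination MAC is not its own before any socket, tcpdump excluded, sees them.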

Thanks so much for all the help. You are right, it was an issue with the MAC address.
I had to give both --enet-dmac and --enet-smac to make it work.

Hi,
In your output, "FORTINET-CORE-MIB::fortinet.101.9.3.1.0" => "40" is not showing the entire name of the OID. Could you please suggest how to get the entire name?

That probably indicates that the MIB has no translation for that OID. The solution would be to load the appropriate MIB. Is it this OID in particular that you are interested in, or some other one?
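Why the name stops at "fortinet" and then continues numerically is worth seeing in code. The following is an added example written for this thread, not the snmp gem's or Logstash's code: the translation is a longest-known-prefix lookup over a table of OID => [module, name], and the arcs below the deepest known prefix are appended as numbers, instance suffix included. 12356 is Fortinet's registered enterprise number, which is all FORTINET-CORE-MIB contributes to that output; the second module and the object names under it are hypothetical stand-ins for the product MIB that would need to be loaded, not real Fortinet names.

```ruby
# Added example, not the snmp gem's or logstash's code: a numeric OID becomes "MODULE::name.rest"
# by longest-prefix lookup. 12356 is Fortinet's enterprise number; the HYPOTHETICAL-FGT-MIB
# module and its object names are invented for illustration.

# name => OID, the direction MIB dumps usually give you.
FORTINET_CORE = { 'fortinet' => '1.3.6.1.4.1.12356' }          # the only prefix the post's output knew
HYPOTHETICAL_FGT = { 'fgExampleGroup'   => '1.3.6.1.4.1.12356.101.9',       # hypothetical names
                     'fgExampleCounter' => '1.3.6.1.4.1.12356.101.9.3.1' }

def arcs_of(oid); oid.sub(/\A\./, '').split('.').map(&:to_i); end

# Builds or extends a reverse index: OID string => [module, name]. A module loaded later overrides
# an earlier one for the same OID, so load order matters when two MIBs name the same node.
def load_module(index, module_name, name_to_oid)
  name_to_oid.each { |name, oid| index[arcs_of(oid).join('.')] = [module_name, name] }
  index
end

# Longest known prefix wins; whatever is left is appended numerically (instance suffix included).
def translate_oid(index, oid)
  arcs = arcs_of(oid)
  arcs.size.downto(1) do |n|
    hit = index[arcs.first(n).join('.')]
    next unless hit
    rest = arcs.drop(n)
    return rest.empty? ? "#{hit[0]}::#{hit[1]}" : "#{hit[0]}::#{hit[1]}.#{rest.join('.')}"
  end
  arcs.join('.')   # no loaded module covers even the root arc: leave the OID numeric
end

CORE_ONLY = load_module({}, 'FORTINET-CORE-MIB', FORTINET_CORE)
WITH_FGT  = load_module(load_module({}, 'FORTINET-CORE-MIB', FORTINET_CORE),
                        'HYPOTHETICAL-FGT-MIB', HYPOTHETICAL_FGT)

TRAP_OID = '1.3.6.1.4.1.12356.101.9.3.1.0'
puts translate_oid(CORE_ONLY, TRAP_OID)             # FORTINET-CORE-MIB::fortinet.101.9.3.1.0 (as in the post)
puts translate_oid(WITH_FGT, TRAP_OID)              # HYPOTHETICAL-FGT-MIB::fgExampleCounter.0
puts translate_oid(WITH_FGT, '1.3.6.1.2.1.1.5.0')   # 1.3.6.1.2.1.1.5.0 (no SNMPv2-MIB loaded here)
```

The practical check is the same as the code's: take the numeric tail after the last translated name (here 101.9.3.1.0) and look for a MIB whose objects sit under the enterprise arc plus that tail; until such a module is in yamlmibdir, the listener can only name the prefix it knows.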

Hello, I am a newbie here. I am still confused about how to import a vendor MIB. For example, I have Ruckus MIBs, and all are .txt type files... What should I do? Do I just need to configure the Logstash config, especially the snmptrap (yamlmibdir) setting, or what?

When I try to execute the command ruby import.rb mibs/
there is an error:
smidump: module `mibs//RUCKUS-TEST.mib' contains errors, expect flawed output
*** No nodes defined in: mibs//RUCKUS-TEST.mib ***

Please give me an answer, thanks.