Re: [nv-l] Trap source
2004-08-10 16:36:49
I'm not sure what has made you think
that trapd will do something special with non-NetView traps, but he doesn't.
All SNMP traps contain two addresses,
one for the destination (which is the NetView box) and one for the sender
(also called the agent).
The trap source is whatever the sending
agent has encoded in the trap it sends.
Now what does trapd do with the trap
when it's received?
For internal NetView traps, we replace
the sender's address (which would always be the NetView box and not very
helpful) with address of the device the trap is about, which is why a NetView
Interface Down or Node Down, appears to have been sent by the device itself.
it shows up in the event window and trapd.log with address of the
device which owns the "down" interface(s).
But we do no such modification for traps
from any other source. Traps from outside the box are shown with
whatever source IP Address the sender encoded in the trap itself.
To see this you would have to enable the -x option on trapd (hex
dump all packets) and then get a trapd.trace of the incoming trap. Then
you have to decode the hex yourself. Look for a string in the first
few lines which begins "40 04 xx xx xx xx" . The
hex "40" means what follows is an IP Address and the length
is 04.
The bottom line is that if your Cisco
trap is shown with a source of 10.18.109.46,
that's what Cisco sent us.
James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group
bill.kellam AT worldspan DOT com
Sent by: owner-nv-l AT lists.us.ibm DOT com
08/10/2004 04:03 PM
|
To
| "nv-l " <nv-l AT lists.us.ibm DOT com>
|
cc
|
|
Subject
| [nv-l] Trap source |
|
Hi,
I'm running NV 7.1.4 on AIX 5.2
I thought I understood something about how a trap source was logged in
trapd.log but I've seen something that challenges my understanding. I have
a router with a loopback interface and 5 frame relay interfaces like so.
Name resolution is shown in parenthesis:
router1.domain.net (192.168.14.1) Cisco Router
192.168.14.1 (router1.domain.net)
Loopback0 -- Software
Loopback
10.11.1.254 () Serial0/0.1 --
Frame Relay
10.11.3.254 () Serial0/1.1 --
Frame Relay
10.12.100.254 () Serial0/0.2
-- Frame Relay
10.12.102.254 () Serial0/1.2
-- Frame Relay
10.18.109.46 () Serial1/0.1
-- Frame Relay
I seem to recall determining empirically that even if a trap was sent by
this router with the source as one of the serial interfaces, the trap would
be logged with a source of router1.domain.net. Recently I have been seeing
traps from this device with a source of 10.18.109.46. Is my understanding
as described here wrong? Will the trap source always be recorded just as
it
was received?
Thanks,
Bill Kellam
Enterprise Integration and Management
|
|
|