Re: [nv-l] Trap source

2004-08-10 16:36:49
Subject: Re: [nv-l] Trap source
From: James Shanks <jshanks AT us.ibm DOT com>
To: nv-l AT lists.us.ibm DOT com
Date: Tue, 10 Aug 2004 16:20:41 -0400

I'm not sure what has made you think that trapd will do something special with non-NetView traps, but he doesn't.

All SNMP traps contain two addresses, one for the destination (which is the NetView box) and one for the sender (also called the agent).
The trap source is whatever the sending agent has encoded in the trap it sends.  
Now what does trapd do with the trap when it's received?

For internal NetView traps, we replace the sender's address (which would always be the NetView box and not very helpful) with the address of the device the trap is about, which is why a NetView Interface Down or Node Down appears to have been sent by the device itself. It shows up in the event window and trapd.log with the address of the device which owns the "down" interface(s).

But we do no such modification for traps from any other source. Traps from outside the box are shown with whatever source IP Address the sender encoded in the trap itself. To see this you would have to enable the -x option on trapd (hex dump all packets) and then get a trapd.trace of the incoming trap. Then you have to decode the hex yourself. Look for a string in the first few lines which begins "40 04 xx xx xx xx". The hex "40" means what follows is an IP Address and the length is 04.

The bottom line is that if your Cisco trap is shown with a source of, that's what Cisco sent us.  

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group

bill.kellam AT worldspan DOT com
Sent by: owner-nv-l AT lists.us.ibm DOT com

08/10/2004 04:03 PM
Please respond to

"nv-l " <nv-l AT lists.us.ibm DOT com>
[nv-l] Trap source


I'm running NV 7.1.4 on AIX 5.2

I thought I understood something about how a trap source was logged in
trapd.log but I've seen something that challenges my understanding. I have
a router with a loopback interface and 5 frame relay interfaces like so.
Name resolution is shown in parentheses:

router1.domain.net ( Cisco Router
   (router1.domain.net) Loopback0 -- Software
   () Serial0/0.1 -- Frame Relay
   () Serial0/1.1 -- Frame Relay
   () Serial0/0.2 -- Frame Relay
   () Serial0/1.2 -- Frame Relay
   () Serial1/0.1 -- Frame Relay

I seem to recall determining empirically that even if a trap was sent by
this router with the source as one of the serial interfaces, the trap would
be logged with a source of router1.domain.net. Recently I have been seeing
traps from this device with a source of Is my understanding
as described here wrong? Will the trap source always be recorded just as it
was received?

Bill Kellam
Enterprise Integration and Management
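
Added example, not part of the original thread or of NetView: the hex decoding described in the reply above, done by walking the BER structure of an SNMPv1 trap rather than searching for the bytes 40 04, so a 40 04 inside another field is not mistaken for the agent address. The sample trap, the function names and the `packet_source` parameter are constructed for illustration; the input is the trap message's bytes as hex, not a trapd.trace file.

```python
import ipaddress

# Constructed SNMPv1 trap (not from the thread): community "public", agent-addr
# 192.0.2.17. The enterprise OID is built to contain the bytes 40 04 as well.
SAMPLE_TRAP_HEX = (
    "30 2d 02 01 00 04 06 70 75 62 6c 69 63 a4 20 "
    "06 0c 2b 06 01 04 01 09 40 04 0a 0b 0c 0d "
    "40 04 c0 00 02 11 02 01 06 02 01 01 43 02 30 39 30 00"
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def trap_agent_addr(hex_dump):
    """Walk an SNMPv1 trap message and return its agent-addr as a dotted quad."""
    tag, body, _ = read_tlv(bytes.fromhex(hex_dump), 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not an SNMPv1 message")
    _, _community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    tag, _enterprise, pos = read_tlv(pdu, 0)   # OID; may itself contain 40 04
    if tag != 0x06:
        raise ValueError("enterprise OID missing")
    tag, addr, _ = read_tlv(pdu, pos)          # 0x40 = IpAddress, length 4
    if tag != 0x40 or len(addr) != 4:
        raise ValueError("agent-addr missing")
    return str(ipaddress.IPv4Address(addr))

def agent_addr_matches(hex_dump, packet_source):
    """True if the sender-encoded agent-addr equals the packet's source IP."""
    return trap_agent_addr(hex_dump) == packet_source
```

The agent address is a field the sender fills in, so comparing it with the source IP of the packet that carried the trap shows when the two differ.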
