SNMP Traps in Windows Server

What is an SNMP Trap?

An SNMP trap is an alert message with abstract information about an event, sent from an SNMP agent to its configured SNMP manager. It notifies the administrators about an event that occurred on the SNMP agent. Microsoft operating systems run a separate service, called the SNMP Trap service, which listens for traps on UDP port 162 by default.

How to install it?

When you install the SNMP service on any Microsoft Windows operating system except Windows Vista and Windows Server 2008, the SNMP Trap service is installed along with the SNMP Service. In Windows Vista and Windows Server 2008, the SNMP Trap service is installed by default but set to manual, so it is in a stopped state.

The SNMP Trap service runs using the Local Service account in Windows. The SNMP Trap service was dependent on the Event Log service up until Windows Server 2003 but since Windows Vista and Windows Server 2008, the SNMP Trap service has been independent.

I want my SNMP manager to listen for SNMP Traps on a different UDP port. Is this possible?

Yes, open the file named “Services”, which is located in %systemroot%\system32\drivers\etc.

Edit the port number on the following line of the file, replacing it with your custom port number.

snmptrap 162/udp snmp-trap #SNMP trap

Save the file as it was, with no extension. Restart the SNMP Trap service. Then run the following command in a Command Prompt: Netstat -ano. You should see the SNMP Trap service listening on the new port number.
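The check at the end of this procedure can be scripted. The following is an added example, not part of the original article: it reads the port assigned to snmptrap in the services file and confirms that netstat -ano shows a UDP socket bound to it. The file contents, the port 10162 and the PIDs are constructed sample values.

```python
import re

# Constructed sample of %systemroot%\system32\drivers\etc\services after the edit
# (10162 is an arbitrary example port, not a value from the article).
SERVICES_TEXT = """\
snmp              161/udp                           #SNMP
snmptrap        10162/udp    snmp-trap              #SNMP trap
"""

# Constructed sample of `netstat -ano` output on the SNMP manager.
NETSTAT_TEXT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  UDP    0.0.0.0:161            *:*                                    2204
  UDP    0.0.0.0:10162          *:*                                    3180
  UDP    [::]:10162             *:*                                    3180
"""

def configured_port(services_text, name="snmptrap", proto="udp"):
    """Return the port the services file assigns to `name` (or an alias), else None."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop the trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, line_proto = fields[1].partition("/")
        names = [f.lower() for f in [fields[0]] + fields[2:]]
        if line_proto.lower() == proto and name in names:
            return int(port)
    return None

def udp_listeners(netstat_text):
    """Map each bound UDP port to the set of PIDs that own it."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$", line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(int(m.group(3)))
    return listeners

def check_trap_listener(services_text, netstat_text):
    """Return (port, pids); pids is empty when nothing is bound to the port."""
    port = configured_port(services_text)
    return port, udp_listeners(netstat_text).get(port, set())

if __name__ == "__main__":
    port, pids = check_trap_listener(SERVICES_TEXT, NETSTAT_TEXT)
    print(f"snmptrap configured on UDP {port}; listening PIDs: {sorted(pids) or 'none'}")
```

The PID returned can be compared against the output of tasklist /svc to confirm that the listener is the SNMP Trap service and not another process.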

What does “Send Authentication Trap” mean?

An SNMP agent sends Authentication traps to its configured trap destination list in the following situations:

  • When an SNMP query is sent from an SNMP manager which is not listed in the Permitted Manager's list of the SNMP agent.
  • When an SNMP query is sent from an SNMP manager which is listed in the Permitted Manager's list, but the community name in the SNMP query doesn't match the community name configured on the security tab of the SNMP agent, for example when the community name is misspelled (it is case sensitive).
  • When both of the above conditions are true in a given situation.

An agent sends the trap to all the trap destinations of all the communities, provided these community names are configured in the Security tab of the agent. So if multiple trap destinations are configured with multiple community names, then a trap message is sent to all the destinations of all the communities specified on the trap tab. This happens three times in succession after each access violation. However, the trap message sent to a given trap destination carries the community name specified in the SNMP agent for that trap destination.

Make sure of the following things:

  • The name configured in the security tab is case sensitive, which means that it must be in the same case as the community name received in the query. The community names configured in the trap tab are not case sensitive: for example, if a community name called "TEST" is configured in the security tab, then the equivalent name "test" can be configured in the trap tab for sending traps to the specified trap destinations.
  • The “SNMP Agent Service” is not in a disabled state on the SNMP agent device.
  • UDP Port 162 is open on any firewalls involved. In Windows Vista one exception rule is pre-defined in the firewall configuration settings for SNMP trap, but it is disabled by default. It needs to be enabled.

How do I test if my SNMP Manager is able to receive SNMP Traps?

You may have 3rd party applications which make use of the built-in SNMP trap service to receive traps and then react to the trap. If you find that your SNMP manager application is not receiving traps, first make sure the built in SNMP Trap Service is able to receive traps. If the SNMP Trap service is able to receive traps then it’s the application which is not working the way it should.

To check the functionality of the built-in SNMP Trap service, do the following:

  1. Create a new folder under any drive (For example: C:\snmputil) on the SNMP Manager machine which is configured to listen for the traps.
  2. Copy the “snmputil.exe” utility to the newly created folder.
    Snmputil.exe is available from the Windows 2000 and Windows Server 2003 Resource Kits.
  3. Open up a Command Prompt and change to the directory where you have the snmputil.exe (in our example it is C:\snmputil) and run the following command: “Snmputil trap”.
    You will see the following output:
           snmputil: listening for traps...
               Let the command run and do not close the Command Prompt window.
  4. Stop and Restart the SNMP Service on any SNMP Agent which is configured to send traps to the SNMP Manager mentioned in step 1 above.
  5. If the test is successful, you should see the below output in the SNMP Manager Command Prompt window on the SNMP manager machine. This will show that traps generated by the agent are being received.
    Refer to http://support.microsoft.com/kb/323340 to learn more about snmputil.exe.

snmputil: listening for traps...
Incoming Trap:
generic = 0
specific = 0
enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.syst
ems.os.windowsNT.server
agent = 10.10.10.100
source IP = 10.10.10.100
community = public
Incoming Trap:
generic = 3
specific = 0
enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.syst
ems.os.windowsNT.server
agent = 10.10.10.100
source IP = 10.10.10.100
community = public
variable = interfaces.ifTable.ifEntry.ifIndex.1
value = Integer32 1
Incoming Trap:
generic = 3
specific = 0
enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.syst
ems.os.windowsNT.server
agent = 10.10.10.100
source IP = 10.10.10.100
community = public
variable = interfaces.ifTable.ifEntry.ifIndex.262147
value = Integer32 262147

Below are different types of traps that are built-in and are enabled by default in Windows:

  • Coldstart or Warmstart: The agent reinitialized its configuration tables.
  • Linkup or Linkdown: A network interface card (NIC) on the agent either fails or reinitializes.
  • Authentication fails: This happens when an SNMP agent gets a request from an unrecognized community name.
  • egpNeighborloss: Agent cannot communicate with its EGP (Exterior Gateway Protocol) peer.
  • Enterprise specific: Vendor specific error conditions and error codes.
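The generic numbers in the snmputil output above correspond to these built-in trap types. The following is an added example, not part of the original article: it parses snmputil trap output, rejoins values the console wrapped (the enterprise line above), names each trap by its SNMPv1 generic number (RFC 1157) and counts authentication-failure traps per reporting agent. The 10.10.10.101 agent and its generic = 4 traps are constructed sample data.

```python
import re
from collections import Counter

# Generic trap numbers defined for SNMPv1 traps (RFC 1157).
GENERIC = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
           4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}
FIELD = re.compile(r"^(generic|specific|enterprise|agent|source IP|community|variable|value) = (.*)$")

def parse_traps(text):
    """Return one dict per 'Incoming Trap:' block, rejoining console-wrapped values."""
    traps, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line) if traps else None      # ignore the banner before the first trap
        if line.strip() == "Incoming Trap:":
            traps.append({"varbinds": []})
            key = None
        elif m and m.group(1) in ("variable", "value"):
            traps[-1]["varbinds"].append(m.groups())
            key = None
        elif m:
            key = m.group(1)
            traps[-1][key] = m.group(2)
        elif key and line.strip():
            traps[-1][key] += line.strip()            # wrapped tail such as "ems.os..."
    for t in traps:
        g = t.get("generic", "")
        t["name"] = GENERIC.get(int(g), "unknown") if g.isdigit() else "unknown"
    return traps

def auth_failures_by_agent(traps):
    """Count authenticationFailure traps per reporting agent (the trap's source IP)."""
    return Counter(t.get("source IP") for t in traps if t["name"] == "authenticationFailure")

# Constructed sample in snmputil's layout. 10.10.10.100 appears in the article's
# output; 10.10.10.101 and its three generic = 4 traps are made up for illustration.
def _trap(generic, ip, extra=""):
    return (f"Incoming Trap:\ngeneric = {generic}\nspecific = 0\n"
            "enterprise = .iso.org.dod.internet.private.enterprises.microsoft.software.syst\n"
            f"ems.os.windowsNT.server\nagent = {ip}\nsource IP = {ip}\ncommunity = public\n{extra}")

SAMPLE = ("snmputil: listening for traps...\n" + _trap(0, "10.10.10.100")
          + _trap(3, "10.10.10.100", "variable = interfaces.ifTable.ifEntry.ifIndex.1\n"
                                     "value = Integer32 1\n")
          + _trap(4, "10.10.10.101") * 3)

if __name__ == "__main__":
    for t in parse_traps(SAMPLE):
        print(t["source IP"], t["name"], t["enterprise"], t["varbinds"])
    print(dict(auth_failures_by_agent(parse_traps(SAMPLE))))
```

The count is keyed on the agent that rejected the query, since that is the address the trap output shows.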

Refer to http://support.microsoft.com/kb/172879 for some more information on SNMP traps.

- Arun Kumar (P)

  • Are traps always sent in SNMPv1 form?

    Maybe you could write about the level of SNMPv2/SNMPv3 support in Windows.  I haven't been watching closely to see if anything has changed recently. :-)

  • Hello Friends,

    I work with a very large network's Server Management Team. Our servers are configured with default SNMP strings. Some of our Servers are sending snmp requests to some devices on the network even if the SNMP Services (SNMP Service and SNMP Trap Service) are disabled. I could find no resolution. Any help would greatly be appreciated.

    Regards,

    Sid.

  • Arun,

    Can a SNMP agent specify different trap destinations for different traps? Say I have created two communities, machine-hardware-community and apps-community. So can I send hardware issue related traps to some trap destinations (under machine-hardware-community) and any software issue related traps to another set of destination (under apps-community).

  • Yes, the traps are always sent in V1 form. Windows supports SNMP V2C and SNMP V3 is not yet supported.

    Can a SNMP agent specify different trap destinations for different traps?

    No, this is not possible with available default features, but yes, programmatically possible.

  • Does the trap destination include port?

    Can a SNMP agent send trap to port 8000?

  • Yes, traps are destined to UDP port 162 and it cannot be changed, unless you have a 3rd party SNMP client which does this.