
Catching unusual SNMP-trap messages in an unusual way



We have a large number of D-Link switches on the access layer of our network.

We needed to receive SNMP traps from them. That turned out not to be simple, because a huge number of the switches were from the DES-1228 / 1210-28 / 1210-52 series. These switches can apparently send traps, but our server refused to receive them. It turned out that only one application can catch these traps, a Windows program called Smart Console Utility.

That is, automating trap collection the way the vendor intended does not work.
However, the packets carrying the SNMP traps still arrive at the trap server, so something had to be done with them.

Without thinking twice, we brought up xinetd on the trap server and started receiving the packets. They arrived on UDP port 64514. What was surprising and interesting was that the messages sit at the end of each packet in plain text; all that was needed was to cut off the unreadable binary headers.

By the way, inetd / xinetd is also called the “Internet super-server”: it is a network service that listens on sockets and hands incoming network packets to your application for analysis, storage, or anything else. That is, on a *nix system you can write your own network service with “bare hands”. This is truly awesome!

Xinetd configuration (/etc/xinetd.d/trap-handler-scu):

    service smart-console-utility
    {
        disable         = no
        id              = trap-handler-scu
        type            = UNLISTED
        flags           = IPv4
        protocol        = udp
        socket_type     = dgram
        user            = root
        wait            = yes
        server          = /services/snmp/trap-handler-scu.php
        port            = 64514
    #   log_type        = FILE /var/log/xinetd-trap-handler-scu.log
    #   log_on_success  = PID HOST
    #   log_on_failure  = HOST
    }


The script that each incoming UDP packet is handed to (/services/snmp/trap-handler-scu.php):
It is written in PHP because it starts quickly, and later it can be extended to store the trap messages in a database.

    #!/usr/bin/php5
    <?php
    set_time_limit(5);
    error_reporting(0);

    $logging             = true;  // Global logging
    $debug_logging       = false; // Logging debug messages
    $dump_requests       = false; // Save raw requests to disk
    $request_buffer_size = 1024;  // 1024 bytes - maximum request size
    $log_file            = '/var/log/smart-console-utility/smart-console-utility.log';

    // Request id: current microtime with the dot replaced by '-' and the
    // fractional part left-padded with '-' to a fixed width
    $req_id = preg_replace(
        array('/\./', '/(\-)([0-9]{1}$)/', '/(\-)([0-9]{2}$)/', '/(\-)([0-9]{3}$)/'),
        array('-', '$1---$2', '$1--$2', '$1-$2'),
        array_sum(explode(' ', microtime()))
    );
    $dump_dir          = '/tmp/smart-console-utility';
    $dump_request_file = $dump_dir.'/'.$req_id.'.request';

    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    function write_log($message)
    {
        global $log_file, $logging, $req_id;
        if ($logging) {
            // REMOTE_HOST is exported by xinetd for every connection it hands over
            $logging = (file_put_contents(
                $log_file,
                date('Ymd H:i:s ').'['.$req_id.' '.sprintf('%-14s', $_SERVER['REMOTE_HOST']).'] '.$message."\n",
                FILE_APPEND
            ) !== false);
        }
    }
    // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    if ($debug_logging) {write_log('Start');}

    if ($read_handle = fopen('php://stdin', 'r')) {
        if (($dump_requests) && (!is_dir($dump_dir))) {
            mkdir($dump_dir, 0750, true);   // mode must be octal (the original passed decimal 644)
            $dump_requests = is_dir($dump_dir);
        }
        // Read the client request (xinetd hands us the datagram on STDIN)
        if ($request = fread($read_handle, $request_buffer_size)) {
            // Get the trap message: the printable run of text at the end of the packet
            preg_match('/[\w\d\s\-\(\)\.]+$/', $request, $matches);
            if ($matches) {
                $trap_message = preg_replace(
                    array('/\([\d]+\)/', '/[\.]+$/'),       // drop "(nn)" counters and trailing dots
                    '',
                    preg_replace('/[ ]{2,}/', ' ',           // collapse runs of spaces
                        preg_replace('/^.DES/', 'DES',       // drop the stray byte glued before "DES"
                            trim(end($matches))
                        )
                    )
                );
            } else {
                $trap_message = '';
            }
            if ($logging) {write_log($trap_message);}
            if ($debug_logging) {write_log('Handle request, size('.strlen($request).")\t-> ".$trap_message);}
            if ($dump_requests) {file_put_contents($dump_request_file, $request, FILE_APPEND);}
            // Parse trap message
        } else {
            write_log('Null request');
        }
        fclose($read_handle);
    } else {
        write_log('Unable to open STDIN!');
    }

    if ($debug_logging) {write_log('End');}
    ?>
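The same handler contract, written here as an added Python example (it is not code from the post): xinetd with `wait = yes` and `socket_type = dgram` passes the datagram on STDIN and exports `REMOTE_HOST`, and the trap text is recovered with the same regex passes as the PHP script. The sample packet is constructed for the example, not a capture from a switch; the header bytes are arbitrary.

```python
#!/usr/bin/env python3
"""xinetd UDP handler that mirrors the PHP script: read one datagram
from STDIN, pull the plain-text trap message off its tail, log it."""
import os
import re
import sys
from datetime import datetime

MAX_REQUEST = 1024  # same cap as the PHP script
LOG_FILE = '/var/log/smart-console-utility/smart-console-utility.log'

# Printable tail of the packet: ASCII word chars, whitespace, '-', '(', ')', '.'
# running up to the end of the datagram (re.ASCII keeps \w out of high bytes).
TAIL_RE = re.compile(r'[\w\s\-().]+$', re.ASCII)

# Constructed sample datagram (not a real capture): a few binary header
# bytes, then the text the switch sends in the clear.
SAMPLE_PACKET = (b'\x30\x1e\x02\x01\x00\x04\x06public\xa4\x11'
                 b'(DES-1210-52   Port 48 copper link up(7)..')


def extract_trap_message(packet: bytes) -> str:
    """Return the cleaned trap text found at the end of a raw datagram."""
    text = packet.decode('latin-1')       # 1:1 byte->char, never raises
    m = TAIL_RE.search(text)
    if not m:
        return ''
    msg = m.group(0).strip()
    msg = re.sub(r'^.DES', 'DES', msg)    # drop the stray byte glued before "DES"
    msg = re.sub(r' {2,}', ' ', msg)      # collapse runs of spaces
    msg = re.sub(r'\(\d+\)', '', msg)     # drop "(nn)" counters
    msg = re.sub(r'\.+$', '', msg)        # drop trailing dots
    return msg


def format_log_line(remote_host: str, message: str, now: datetime) -> str:
    """One log line: timestamp, sender padded to 14 chars, message."""
    return f"{now:%Y-%m-%d %H:%M:%S} {remote_host:<14} {message}"


def handle(stdin_bytes: bytes, remote_host: str, now: datetime) -> str:
    """Process one datagram and return the line that would be logged."""
    request = stdin_bytes[:MAX_REQUEST]
    if not request:
        return format_log_line(remote_host, 'Null request', now)
    return format_log_line(remote_host, extract_trap_message(request), now)


if __name__ == '__main__':
    # Under xinetd: the datagram is on STDIN, the peer address in REMOTE_HOST.
    data = sys.stdin.buffer.read(MAX_REQUEST)
    line = handle(data, os.environ.get('REMOTE_HOST', '?'), datetime.now())
    with open(LOG_FILE, 'a') as fh:
        fh.write(line + '\n')
```

Because the handler reads at most 1024 bytes and only keeps the printable tail, a malformed or oversized datagram degrades to an empty message rather than a crash, which is the behaviour you want from something exposed on a UDP port.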


With that handler in place, the log fills with entries like these:

    2014-09-12 06:25:50 SCU--1410485150-0287 10.X.0.26 DES-1210-28 Port 2 copper link up
    2014-09-12 06:25:50 SCU--1410485150-3536 10.X.0.18 DES-1210-52 Port 9 copper link up
    2014-09-12 06:25:50 SCU--1410485150-7605 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:25:52 SCU--1410485152-9745 10.X.0.104 DES-1210-28 Port 10 copper link up
    2014-09-12 06:25:55 SCU--1410485155-5064 10.X.0.11 DES-1210-52 Port 28 copper link up
    2014-09-12 06:25:55 SCU--1410485155-7615 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:25:58 SCU--1410485158-7782 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:26:01 SCU--1410485161-4395 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:26:04 SCU--1410485164-0377 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:26:04 SCU--1410485164-3473 10.X.0.18 DES-1210-52 Port 9 copper link up
    2014-09-12 06:26:06 SCU--1410485166-0395 10.X.0.31 DES-1210-52 Port 48 copper link up
    2014-09-12 06:26:07 SCU--1410485167-1539 10.X.0.31 DES-1210-52 Port 47 copper link up
    2014-09-12 06:26:07 SCU--1410485167-2226 10.X.0.128 DES-1210-28 Port 2 copper link up


Incidentally, this output shows port flapping: the line “DES-1210-52 Port 48 copper link up” repeats many times, which indicates that something is wrong with the port or the cable.
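Spotting the flapping port by eye works for a dozen lines, but not for a network of many switches. The following is an added example (not from the post) that reads the journal lines shown above and flags every (switch, port) pair that reports “link up” at least `threshold` times inside a sliding time window; the line layout it assumes is `date time request-id host model Port N message`, exactly as in the journal above, and the window and threshold values are arbitrary choices.

```python
"""Port-flap detector over the trap journal."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One journal line: timestamp, request id, sender, switch model, port, event text
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<host>\S+) '
    r'(?P<model>DES-\S+) Port (?P<port>\d+) (?P<event>.+)$'
)

# The journal lines from the post, used here as sample input.
SAMPLE_LOG = """\
2014-09-12 06:25:50 SCU--1410485150-0287 10.X.0.26 DES-1210-28 Port 2 copper link up
2014-09-12 06:25:50 SCU--1410485150-3536 10.X.0.18 DES-1210-52 Port 9 copper link up
2014-09-12 06:25:50 SCU--1410485150-7605 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:25:52 SCU--1410485152-9745 10.X.0.104 DES-1210-28 Port 10 copper link up
2014-09-12 06:25:55 SCU--1410485155-5064 10.X.0.11 DES-1210-52 Port 28 copper link up
2014-09-12 06:25:55 SCU--1410485155-7615 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:25:58 SCU--1410485158-7782 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:26:01 SCU--1410485161-4395 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:26:04 SCU--1410485164-0377 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:26:04 SCU--1410485164-3473 10.X.0.18 DES-1210-52 Port 9 copper link up
2014-09-12 06:26:06 SCU--1410485166-0395 10.X.0.31 DES-1210-52 Port 48 copper link up
2014-09-12 06:26:07 SCU--1410485167-1539 10.X.0.31 DES-1210-52 Port 47 copper link up
2014-09-12 06:26:07 SCU--1410485167-2226 10.X.0.128 DES-1210-28 Port 2 copper link up
"""


def parse_line(line):
    """Return (timestamp, host, port, event) or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
    return ts, m['host'], int(m['port']), m['event']


def find_flapping(log_text, window=timedelta(seconds=30), threshold=4):
    """Map (host, port) -> peak number of 'link up' events seen inside any
    window-sized span, for pairs that reached the threshold at least once."""
    recent = defaultdict(deque)   # (host, port) -> timestamps still inside the window
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or 'link up' not in rec[3]:
            continue
        ts, host, port, _ = rec
        key = (host, port)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return peak


if __name__ == '__main__':
    for (host, port), count in sorted(find_flapping(SAMPLE_LOG).items()):
        print(f'{host} port {port}: {count} link-up events within 30 s')
```

On the journal above only 10.X.0.31 port 48 trips the rule (six link-up events in sixteen seconds); ports 2 and 9 each appear twice but on different switches or far enough apart, so they stay quiet. In a real deployment the same function would run over the log file on a timer, and the threshold would be tuned so a single reboot of a switch does not trigger it.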

The faulty port has been found, and the task is complete.

Source: https://habr.com/ru/post/236897/

