FAQ

      Frequently Asked Questions (FAQ) for the UCD/Net-SNMP package
      =============================================================
		       FAQ Author: Dave Shield
			Net-SNMP Version: 5.7.1
	    Net-SNMP/UCD-SNMP Project Leader: Wes Hardaker
	     Email: net-snmp-coders@lists.sourceforge.net

TABLE OF CONTENTS
=================

 TABLE OF CONTENTS
 GENERAL
   What is it?
   Where can I get it?
   What documentation is available?
   Are there binaries available?
   What's the difference between UCD-SNMP and Net-SNMP?
   What operating systems does it run on?
   What happens if mine isn't listed?
   Does it run on Windows?
   How do I find out about new releases?
   How can I find out what other people are doing?
   How do I submit a patch or bug report?
   Can I reuse the code in my commercial application?
   What's the difference between SNMPv1, SNMPv2 and SNMPv3?
   What's the difference between SNMPv2 and SNMPv2c?
   Which versions of SNMP are supported in this package?
   Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
   How can I monitor my system with SNMP?
   Where can I find more information about network management?
   What ports does SNMP use?
   Is Net-SNMP thread safe?
 APPLICATIONS
   How do I add a MIB?
   How do I add a MIB to the tools?
   Why can't I see anything from the agent?
   Why doesn't the agent respond?
   I can see the system group, but nothing else.  Why?
   Why can't I see values in the <ENTERPRISE> tree?
   The agent worked for a while, then stopped responding.  Why?
   Requesting an object fails with "Unknown Object Identifier"  Why?
   Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
   Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
   How do I use SNMPv3?
   Why can't I set any variables in the MIB?
   Variables seem to disappear when I try to set them.  Why?
   Why can't I change sysLocation (or sysContact)?
   I get an error when trying to set a negative value - why?
   I get an error when trying to query a string-indexed table value - why?
   How should I specify string-indexed table values?
   How do I send traps and notifications?
   How do I receive traps and notifications?
   How do I receive SNMPv1 traps?
   Why don't I receive incoming traps?
   My traphandler script doesn't work when run like this - why not?
   How can the agent receive traps and notifications?
   How big can an SNMP request (or reply) be?
   How can I monitor my systems (disk, memory, etc)?
   Applications complain about entries in your example 'snmp.conf' file.  Why?
   OK, what should I put in snmp.conf?
   How do I specify IPv6 addresses in tools command line arguments?
 PERL
   What is the purpose of the Perl SNMP module?
   Where can I get the Perl SNMP package?
   How do I install the Perl SNMP modules?
   But compiling this fails! Why?
   Compiling the Perl module works OK, but 'make test' fails. Why?
   Why can't mib2c (or tkmib) locate SNMP.pm?
   Why can't mib2c (or tkmib) load SNMP.so?
   Why can't tkmib locate Tk.pm?
   Why does your RPM complain about missing Perl modules?
   I've got a problem with the Net-SNMP module.  Can you help?
 MIBS
   Where can I find a MIB compiler?
   Why aren't my MIB files being read in?
   Where should I put my MIB files?
   What does "Cannot find module (XXX-MIB)" mean?
   I'm getting answers, but they're all numbers. Why?
   What does "unlinked OID" mean?
   The parser doesn't handle comments properly. Why not?
   How can I get more information about problems with MIB files?
   What's this about "too many imported symbols"?
   Do I actually need the MIB files?
 AGENT
   What MIBs are supported?
   What protocols are supported?
   How do I configure the agent?
   How do I remove a MIB from the agent?
   I've installed a new MIB file.  Why can't I query it?
   How do I add a MIB to the agent?
   What's the difference between 'exec', 'sh', 'extend' and 'pass'?
   What's the difference between AgentX, SMUX and proxied SNMP?
   What is the purpose of 'dlmod'?
   Which should I use?
   Can I use AgentX when running under Windows?
   How can I run AgentX with a different socket address?
   How can I turn off SMUX support?
   How can I combine two copies of the 'mib2' tree from separate subagents?
   What traps are sent by the agent?
   Where are these traps sent to?
   How can I send a particular trap to selected destinations?
   When I run the agent it runs and then quits without staying around. Why?
   After a while the agent stops responding, and starts eating CPU time.  Why?
   How can I stop other people getting at my agent?
   How can I listen on just one particular interface?
   The agent is complaining about 'snmpd.conf'.  Where is this?
   Why does the agent complain about 'no access control information'?
   How do I configure access control?
   How do I configure SNMPv3 users?
   The 'createUser' line disappears when I start the agent.  Why?
   What's the difference between /var/net-snmp and /usr/local/share/snmp?
   My new agent is ignoring the old snmpd.conf file. Why?
   Where should the snmpd.conf file go?
   Why am I getting "Connection refused"?
   Why can't I see values in the UCDavis 'extensible' or 'disk' trees?
   Why can't I see values in the UCDavis 'memory' or 'vmstat' tree?
   What do the CPU statistics mean - is this the load average?
   How do I get percentage CPU utilization using ssCpuRawIdle?
   What about multi-processor systems?
   The speed/type of my network interfaces is wrong - how can I fix it?
   The interface statistics for my subinterfaces are all zero - why?
   Does the agent support the RMON-MIB?
   What does "klread:  bad address" mean?
   What does "nlist err:  wombat not found" (or similar) mean?
   What does "Can't open /dev/kmem" mean?
   The system uptime (sysUpTime) returned is wrong!
   Can the agent run multi-threaded?
   Can I use AgentX (or an embedded SNMP agent) in a threaded application?
 COMPILING
   How do I control the environment used to compile the software?
   How do I control the environment used to compile the software under Windows?
   Why does the compilation complain about missing libraries?
   How can I reduce the memory footprint?
   How can I reduce the installation footprint or speed up compilation?
   How can I compile the project for use on an embedded system?
   How can I compile the project to use static linking?
   Why does 'make test' skip various tests?
   Why does 'make test' complain about a pid file?
 CODING
   How do I write C code to integrate with the agent?
   How does the agent fetch the value of a MIB variable from the system?
   Mib2c complains about a missing "mib reference" - what does this mean?
   Mib2c complains about not having a "valid OID" - what does this mean?
   Why doesn't mib2c like the MIB file I'm giving it?
   Mib2c ignores my MIB and generates a pair of 'mib-2' code files.  Why?
   What's the difference between the various mib2c configuration files?
   Which mib2c configuration file should I use?
   How can I have mib2c generate code for both scalars and tables?
   Are there any examples, or documentation for developing MIB modules?
   Where should I put the files produced by 'mib2c'?
   Why doesn't my new MIB module report anything?
   Why does the iterator call my get_{first,next} routines so often?
   How can I get the agent to generate a trap (or inform)?
   How can I get an AgentX sub-agent to generate a trap (or inform)?
   How can I get the agent to send an SNMPv1 (or SNMPv2c) trap?
   How can I get the agent to include varbinds with an SNMPv1 trap?
   How can I get the agent to send an SNMPv1 enterprise-specific trap?
   How can I get the agent to send an SNMPv3 trap (or inform)?
   Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
   How can I register a MIB module in a different (SNMPv3) context?
 MISC
   What ASN.1 parser is used?
   What is the Official Slogan of the net-snmp-coders list?


GENERAL
=======

What is it?
----------

  - Various tools relating to the Simple Network Management Protocol
    including:

	* An extensible agent
	* An SNMP library
	* tools to request or set information from SNMP agents
	* tools to generate and handle SNMP traps
	* a version of the unix 'netstat' command using SNMP
	* a graphical Perl/Tk/SNMP based mib browser

    This package is originally based on the Carnegie Mellon University
    SNMP implementation (version 2.1.2.1), but has developed significantly
    since then.



Where can I get it?
------------------

  Download:
    - http://www.net-snmp.org/download/
    - ftp://ftp.net-snmp.org/pub/sourceforge/net-snmp/
  Web page:
    - http://www.net-snmp.org/
  Sourceforge Project page:
    - http://www.net-snmp.org/project/
  Mirrors (note that sourceforge download servers are mirrored themselves):
    - US:          ftp://ftp.freesnmp.com/mirrors/net-snmp/
    - Greece:      ftp://ftp.ntua.gr/pub/net/snmp/net-snmp/


What documentation is available?
-------------------------------

	This FAQ (!)
	README and individual READMEs for various platforms
	README.thread (discusses threading issues)
	INSTALL
	PORTING
	EXAMPLE.conf
	man pages for the individual tools, files and the API
	A guide for extending the agent
	Tutorials for both ucd-snmp v4 and net-snmp v5
           at  http://www.net-snmp.org/tutorial/
           and http://www.net-snmp.org/tutorial-5/ respectively

      Most of this documentation (plus archives of the mailing lists)
	 is also available on our web page:

        	http://www.net-snmp.org/

      There is also a Wiki (including a community-maintained version
      of this FAQ) at

                http://www.net-snmp.org/wiki/



Are there binaries available?
----------------------------

  There are binaries for some versions/systems available under
  the "net-snmp binaries" package on the SourceForge "Files"
  page, which is linked to from the main project download web
  page at http://www.net-snmp.org/download.html.

  These binaries are also available on the project FTP site,
  with a link on the same web page.

  There is also a mirror at ftp://ftp.freesnmp.org/mirrors/net-snmp/



What's the difference between UCD-SNMP and Net-SNMP?
---------------------------------------------------

  Not a great deal, really.
  Although the project originally started at UC Davis (hence the name),
  and it has always been based there, most of the contributors have had
  little or no connection with this institution.

    The move to SourceForge was intended to provide a more flexible
  environment for the project, and to distribute the administrative
  workload more evenly.  The change of name simply reflects this move,
  which was the last remaining link with UC Davis.

    The 4.2.x line saw the last releases made using the ucd-snmp name,
  and all releases on this line have been been bug-fixes only.  Release
  5.0 was the first version released under the Net-SNMP name, and all
  further development is being done on the 5.x code base.  The 4.2.x
  code line is now effectively closed down, as are the older 5.x branches.

    Much of the work done for the various 5.x releases has involved
  some fairly significant changes to the code - in particular the
  architecture of the agent.  However attempts have been made to retain
  backwards compatibility as much as possible, and most code written
  for earlier releases should continue to work.  The most visible
  change from the 4.2.x UCD suite to the 5.x Net-SNMP releases was a
  restructuring of the header file organisation - not least a change
  from <ucd-snmp/xxx.h> to <net-snmp/yyy.h>.

    But given the maturity of the Net-SNMP code, this should be less
  of a consideration for most current SNMP development projects.



What operating systems does it run on?
-------------------------------------

  Both the applications and the agent have been reported as running
  (at least in part) on the following operating systems:

	* Linux (kernels 2.6 to 1.3)
	* Solaris/SPARC (11 to 2.3), Solaris/Intel (10, 9) -- see 
	  README.solaris
	* HP-UX (11.31 to 9.01) -- see README.hpux11
	* Mac OS X (10.5 to 10.1) -- see README.osX
	* NetBSD (2.0 to 1.0)
	* FreeBSD (7.0 to 2.2)
	* OpenBSD (4.0 to 2.6)
	* BSDi (4.0.1 to 2.1)
	* AIX (6.1, 5.3, 5.2, 5.1, 4.3.3, 4.1.5, 3.2.5) -- see README.aix
	* IRIX (6.5 to 5.1)
	* OSF (4.0, 3.2 and Tru64 Unix 5.1B) -- see README.tru64
	* SunOS 4 (4.1.4 to 4.1.2)
	* Ultrix (4.5 to 4.2)
	* Dynix/PTX 4.4
	* QNX 6.2.1A

  We have also been informed about a port to the Stratus VOS.
  See http://ftp.stratus.com/vos/network/network.html for details.

  See the next question but one for the status of Windows support.

  Certain systems fail to compile particular portions of the agent.
  These can usually be persuaded to compile (at the loss of some
  functionality) by omitting the modules affected.
  See the next question for more details.

  Also note that the presence of a particular configuration in this
  list does not imply a perfect or complete implementation.  This
  is simply what various people have reported as seeming to work.
 (Or more frequently, the configurations where people have reported
  problems that we think we've subsequently fixed!)



What happens if mine isn't listed?
---------------------------------

  It's probably worth trying to compile it anyway.  Unless your
  system is significantly different to the supported configurations,
  most of the code (library, applications and the agent infrastructure)
  should probably compile with little or no difficulty.  The most
  likely source of problems will be MIB modules within the agent,
  as this tends to be where the most system-specific code is found.

    If only a few modules fail to compile, try removing them from
  the agent by running "configure --with-out-mib-module=xxx,yyy",
  and re-compiling.  If a large number of modules fail, then it
  might be easier to start from a relatively bare system, using
  "configure --enable-mini-agent --with-defaults".  Then if this
  minimal agent compiles and runs successfully, try adding each of
  the missing mibgroups individually using the configure option
  '--with-mib-module'.
  
    If configure fails with "invalid configuration" messages, or
  you get completely stuck, contact the coders list for advice.
  Similarly, if you manage to get this working on a new system,
  please let us know of any code changes that you needed to make,
  together with details of the hardware you're using, and what
  versions of the operating system you've tried it on.  The entry
  'host' in the file 'config.status' should show this information.
  Oh, and congratulations!



Does it run on Windows?
----------------------

    The suite should compile and run on Win32 platforms, including
  the library, command-line tools and the basic agent framework.
  Note that the agent now includes support for the MIB-II module,
  but this requires Microsoft's Core Platform SDK.  Instructions
  for how to install this are given in README.win32.

    Pre-compiled binaries are available from the project web site.

    As of v5.4, the Net-SNMP agent is able to load the Windows SNMP
  service extension DLLs by using the Net-SNMP winExtDLL extension.

    Some other Net-SNMP MIB modules, including the UCD pass-through
  extensions, do not currently work under Windows.  Volunteers to assist
  with these missing modules are likely to welcomed with open arms :-)

    Further details of Windows support (currently Visual C++, MinGW
  and Cygnus cygwin32) is available in the file README.win32.



How do I find out about new releases?
------------------------------------

  There is a mailing list for these announcements

  	net-snmp-announce@lists.sourceforge.net

  To be added to (or removed from) this list, visit
        http://www.net-snmp.org/lists/net-snmp-announce/
  Or you can send a message to the address
        net-snmp-announce-request@lists.sourceforge.net
  with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).

  Advance notice of upcoming releases are also made on the
  net-snmp-users list (for "release candidates") for a week
  or two before the full release, and on the net-snmp-coders
  list (for "pre-releases") during the period prior to this.

  Major code revisions may be announced more widely, but these
  lists are the most reliable way to keep in touch with the
  status of the package.

  Patches to fix known problems are also made available via the web site:

        http://www.net-snmp.org/patches/



How can I find out what other people are doing?
----------------------------------------------

  There is a general purpose discussion list

  	net-snmp-users@lists.sourceforge.net

  To be added to (or removed from) this list, visit
        http://www.net-snmp.org/lists/net-snmp-users/
  Or you can send a message to the address
        net-snmp-users-request@lists.sourceforge.net
  with a subject line of 'subscribe' (or 'unsubscribe' as appropriate).

  To find out what the developers are doing, and to help them
  out, please read the PORTING file enclosed with the package.

  There is also a #net-snmp IRC channel set up on the freenode.net
  chat system.  You can connect to this via chat.freenode.net.
  See http://www.freenode.net/ for more information on getting
  started with IRC.
    Several core developers hang out on this channel on a fairly
  regular basis.



How do I submit a patch or bug report?
-------------------------------------

  The best way to submit a bug report is via the bug database through
  the interface found at
         http://www.net-snmp.org/bugs/
  Be sure to include the version of the package that you've been working
  with, the output of the command 'uname -a', the precise configuration
  or command that triggers the problem and a copy of any output produced.

    Questions about using the package should be directed at the
  net-snmp-users@lists.sourceforge.net mailing list.  Note that this
  mailing list is relatively busy, and the people answering these
  questions are doing so out of the goodness of their hearts, and in
  addition to their main employment.  Please note the following:

     - use plain text mail, rather than HTML
     - don't resend questions more than once
          (even if no-one answered immediately)
     - include full details of exact commands and error messages
          ("I've tried everything, and it doesn't work" isn't much use!)
     - do *NOT* send messages to -users and -coders mailing lists
          (most developers read both anyway)
     - don't mail the developers privately - keep everything on the list

    We can't promise to be able to solve all problems, but we'll
  certainly try and help.  But remember that this is basically an
  unsupported package.  It's Open Source, so if you need something
  fixing badly enough,  fundamentally it's up to you to do the work.

    All patches should be submitted to the patch manager at
         http://www.net-snmp.org/patches/
  If possible, submit a bug report describing the patch as well
  (referencing it by its patch number) since the patch manager
  doesn't contain a decent description field.

  The best way to submit patch (diff) information is by checking out
  the current code from the development git trunk, making your changes
  and then running "git diff" or "git format-patch" after you're done.

  (Please see http://www.net-snmp.org/wiki/index.php/Git for further
  information on using git with the Net-SNMP project)

  If you're working from a source code distribution, and comparing old
  and new versions of a code file, use "diff -u OLDFILE NEWFILE" 



Can I reuse the code in my commercial application?
-------------------------------------------------

  The details of the COPYRIGHTs on the package can be found in the COPYING
  file.  You should have your lawyer read this file if you wish to use the
  code in your commercial application.  We will not summarize here what is
  in the file, as we're not lawyers and are unqualified to do so.



What's the difference between SNMPv1, SNMPv2 and SNMPv3?
-------------------------------------------------------
What's the difference between SNMPv2 and SNMPv2c?
------------------------------------------------

  A full description is probably beyond the scope of this FAQ.
  Very briefly, the original protocol and admin framework was
  described in RFCs 1155-1157, and is now known as SNMPv1.

    Practical experience showed up various problems and deficiencies
  with this, and a number of revised frameworks were developed to try
  and address these problems.  Unfortunately, it proved difficult to
  achieve any sort of agreement - particularly over the details of
  the administrative framework to use.

    There was less disagreement over the proposed changes to the
  protocol operations.  These included:
        * increasing the range of errors that could be reported
        * introducing "exception values"
            (so a single missing value didn't affect
             the other varbinds in the same request)
        * a new GETBULK operation
            (a supercharged GETNEXT)
        * new notification PDUs
            (closer in structure to the other request PDUs)

  Strictly speaking, it's this revised protocol (originally defined
  in RFC 1905, and most recently in RFC 3416) that is "SNMPv2".

  The only framework based on this protocol that saw a significant
  level of use was "Community-based SNMPv2" or "SNMPv2c" (defined
  in RFC 1901). This retained the same administrative framework
  as SNMPv1 (with all of the accompanying limitations), but using
  the new protocol operations.

  More recently, a new administrative framework has been developed,
  building on the various competing SNMPv2 proposals, and using the
  same SNMPv2 protocol operations.  This is SNMPv3, which is defined
  in RFCs 3411-3418.    It addresses some of the deficiencies of the
  community-based versions, including significant improvements to
  the security of SNMP requests (like it finally has some!).
     SNMPv3 is now a full IETF standard protocol.

  Strictly speaking, SNMPv3 just defines a fairly abstract framework,
  based around the idea of "Security Models" and "Access Control Models".
  It's this combination of SNMPv3 plus accompanying models that actually
  provides a working SNMP system.
     However, the only models in common use are the "User-based Security
  Model" (RFC 3414) and the "View-based Access Control Model" (RFC 3415).
  So "SNMPv3" is frequently used to mean the combination of the basic
  SNMPv3 framework with these two particular models.
     This is also sometimes described as "SNMPv3/USM".


  So in brief:
        - SNMPv2c updated the protocol operations
                  but left the administrative framework unchanged.
        - SNMPv3  updated the administrative framework
                  but left the protocol operations unchanged.



Which versions of SNMP are supported in this package?
----------------------------------------------------

  This package currently supports the original SNMPv1 (RFC 1157),
  Community-based SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418).
    The agent will respond to requests using any of these protocols,
  and all the tools take a command-line option to determine which
  version to use.

  Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452)
  was dropped with the 4.0 release of the UCD-snmp package.



Can I use SNMPv1 requests with an SNMPv2 MIB (or vice versa)?
------------------------------------------------------------

    Yes.

    The syntax used to specify a MIB file (better referred
  to as SMIv1 or SMIv2) is purely concerned with how to define
  the characteristics of various management objects.  This is
  (almost) completely unrelated to the versions of the protocol
  used to operate on these values.  So it is quite reasonable to
  use SNMPv1 requests on objects defined using SMIv2, or SNMPv2
 (or SNMPv3) requests on objects defined using SMIv1.

    The one exception is objects of syntax Counter64, which are
  only accessible using SNMPv2 or higher.  SNMPv1 requests will
  either treat such objects as an error, or skip them completely.

  Note that SMIv1 is effectively obsolete, and all new MIBs
  should be written using SMIv2.

  

How can I monitor my system with SNMP?
-------------------------------------

  There are two main methods of using SNMP for monitoring.  One is to regularly
  query the SNMP agent for information of interest, graphing these values and/or
  saving them for later analysis.  That's not really the focus of the Net-SNMP
  project - our tools are more low-level, single-shot commands.  For this sort
  of high-level management, you're really looking at a management console
  application (such as Nagios or OpenNMS), or a data logging application
  (such as RRDtool, or one of its front-ends - MRTG, Cacti, etc).

  The other approach is to configure the SNMP agent to monitor the relevant
  information itself, and issue an alert when the values pass suitable limits.
  See the section ACTIVE MONITORING in the snmpd.conf(5) man page for details.

  Note that this entry makes no reference as to _what_ you should monitor, or
  what values might be significant.  That's because it is impossible to provide
  a universal answer to these questions.  The information to monitor, and the
  normal operating values will ultimately depend on your local environment.
  SNMP is simply a tool to _help_ you manage your systems - it isn't a magic
  panacea - you still have to think for yourself!



Where can I find more information about network management?
----------------------------------------------------------

  There are a number of sites with network management information on
  the World Wide Web.  Some of the most useful are

      http://www.simpleweb.org/
      http://www.snmplink.org/
      http://www.mibdepot.com/

  The SNMP Usenet newsgroup is now mostly defunct, but although the
  FAQ hasn't been updated for a while, it still contains a large
  amount of useful information relating to SNMP, including books,
  software, other sites, how to get an enterprise number, etc, etc.
  This is available from

      ftp://rtfm.mit.edu/pub/usenet/comp.protocols.snmp/

  or via any of the Web sites above.



What ports does SNMP use?
------------------------

  There are three main network ports (and one named socket), which are 
  typically used by SNMP.  These are:

    - UDP port 161       - SNMP requests (GET* and SET)
    - UDP port 162       - SNMP notifications  (Traps/Informs)
    - TCP port 705       - AgentX
    - /var/agentx/master - AgentX

  However, these are simply the default "well-known" ports for these purposes,
  and it is perfectly possible to accept requests on other ports.



Is Net-SNMP thread safe?
-----------------------

  Strictly speaking, no.  However, it is possible to use the library within
  a multi-threaded management application.  This is covered in detail in
  the file README.thread (shipped with the standard distribution), but can
  be summarised as follows:

    -	Call 'snmp_sess_init()' prior to activating any threads.
	This reads in and parses MIB information (which isn't thread-safe)
	as well as preparing a session structure for subsequent use.

    -	Open an SNMP session using 'snmp_sess_open()' which returns an
	opaque session handle, which is essentially independent of any
	other sessions (regardless of thread).

    -	Resource locking is not handled within the library, and is the
	responsibility of the main application.

  The Net-SNMP agent has not been designed for multi-threaded use.  It
  should be safe to use the agent library to embed a subagent within a
  threaded application as long as *all* SNMP-related activity (including
  generating traps, and parsing MIBs) is handled within a single thread.

  The command-line tools shipped as part of the Net-SNMP distribution
  are simple single-threaded applications, and are not designed for
  multi-threaded use.  Adapting these to a threaded model is left as
  an exercise for the student.
    The same holds true for the notification receiver (snmptrapd).

  Unfortunately, the SNMPv3 support was added about the same time as
  the thread support and since they occurred in parallel the SNMPv3
  support was never checked for multi-threading correctness.  It is
  most likely that it is not thread-safe at this time.


APPLICATIONS
============

How do I add a MIB?
------------------

  This is actually two separate questions, depending on whether you
  are referring to the tools, or the agent (or both).
    See the next question or the next section respectively.



How do I add a MIB to the tools?
-------------------------------

  Adding a MIB to the client-side tools has two main effects:

    -  it allows you to refer to MIB objects by name
         (rather than having to use the numeric OIDs)
    -  it allows the results to be displayed in a more immediately
       meaningful fashion.  Not just giving the object names, but
       also showing named enumeration values, and interpreting table
       indexes properly (particularly for string and OID index values).
       
  There are two steps required to add a new MIB file to the tools.
  Firstly, copy the MIB file into the appropriate location:

	cp MY-MIB.txt /usr/local/share/snmp/mibs
            (which makes it available to everyone on the system)
    or
        mkdir $HOME/.snmp
        mkdir $HOME/.snmp/mibs
	cp MY-MIB.txt $HOME/.snmp/mibs
            (which makes it available to you only)

  Note that the location of the shared MIB directory may be different
  from that given here - see the FAQ entry "Where should I put my MIB
  files?" for more information.


  Secondly, tell the tools to load this MIB:

        snmpwalk -m +MY-MIB .....
            (load it for this command only)
    or
	export MIBS=+MY-MIB
            (load it for this session only)
    or
        echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf
            (load it every time)

  Note that the value for this variable is the name of the MIB
  module, *not* the name of the MIB file.   These are typically the
  same (apart from the .txt suffix), but if in doubt, check the contents
  of the file.  The value to use is the token immediately before the
  word DEFINITIONS at the start of the file.

  Or use the special value "all" to have the tools load all available
  MIBs (which may slow them down, particularly if you have a large
  number of MIB files.

  Note that you need *both* steps.


  Adding a MIB in this way does *not* mean that the agent will
  automatically return values from this MIB.  The agent needs to be
  explicitly extended to support the new MIB objects, which typically
  involves writing new code.
    See the AGENT section for details.

  Most of the tools (apart from 'snmptable') will work quite happily
  without any MIB files at all - although the results won't be displayed
  in quite the same way.  Similarly, the agent doesn't need MIB files
  either (other than to handle MIB object names in the configuration file).



Why can't I see anything from the agent?
---------------------------------------

  Fundamentally, there are two basic reasons why a request may go
  unanswered.  Either the management application does not like the
  request (so never sends it), or the agent does not like the request
  (so never responds).  The simplest way to distinguish between the
  two is to run the command with the command-line option '-d'.

  If this doesn't display a hex dump of the raw outgoing packet, then
  it's the client side which is dropping the request.  Hopefully you
  should also see an error message, to help identify what's wrong.

  If this displays one or more outgoing dumps (but nothing coming back),
  then the request is failing at the agent end.  See the next entry for
  more details.


    There are three further possibilities to consider:

  One is that the agent may return a response to the original query,
  but the management application may not like this response, and refuse
  to display it.  This is relatively unusual, and typically indicates
  a flaw with the remote agent.  (I hope you're not contemplating the
  suggestion that the Net-SNMP command-line tools might contain bugs!)

    The typical symptoms of this would be that the '-d' option would
  display a sequence of sending and received packet dumps, with the
  same contents each time.  Ask on the mailing list for advice.


  Alternatively, the agent may simply not support the MIB objects being
  requested.  This is most commonly seen when using the "snmpwalk" tool
  (particularly with SNMPv1).

  The symptoms here would be that '-d' would show two pairs of raw
  packet dumps - one a GETNEXT request (A1 in the sending packet),
  followed by a GET request (A0).  Repeating the same request with the
  "snmpgetnext" command-line tool should show the information (if any)
  that the agent returned, which was then discarded by snmpwalk as
  irrelevant.

  Note that this is how snmpwalk was designed to work.  It is not an error.


  Finally, it may be that the agent is simply taking too long to respond.
  The easiest way to test for this is to add the command-line options
  "-t 60 -r 0", which will send a single request (with no repetitions)
  and wait for a minute before giving up.  This ought to be long enough
  for all but the most-overloaded agent, or inefficient MIB module!

  If this turns out to be the cause, then ask on the mailing list for
  advice on options for improving the performance.



Why doesn't the agent respond?
-----------------------------

  Assuming that the tests outlined in the previous entry indicate that
  the problem lies with the agent not responding, the obvious question 
  is "why not".

  Again, there are two basic possibilities - either the agent never
  sees the request, or it receives it but is unwilling (or unable) to
  process it.  If the remote system is running the Net-SNMP agent,
  then the easiest way to distinguish between these two cases is to
  shut down the agent, and re-start it manually using the options
              -f -Le -d
  Then send the same query as before.  This should display raw dumps of
  packets seen (or sent) by the agent, just as with the client side in
  the previous entry.


  If the agent does not display anything, then it is simply not receiving
  the requests.  This may be because they are being blocked by network
  or local firewall settings ('iptables -L'),  or the agent may not be
  listening on the expected interfaces ('netstat -a').

  This is most commonly encountered when running queries from a remote
  host, particularly if the same request succeeds when run on the same
  system as the agent itself.


  If the agent displays a dump of the incoming request, but nothing going
  out, then the most likely cause is access control settings.  See the
  relevant entries in the AGENT section for details.  Note that if the agent
  receives an SNMPv1 or SNMPv2c request with a unknown community string,
  then it will not return an error response - the request is simply discarded.

  Another possibility is that the request may be rejected by settings in
  /etc/hosts.{allow,deny}.  Again, '-d' will display an incoming packet
  dump but no corresponding outgoing response.  However in this situation,
  the agent should also log a message that the request is being refused.


  Running the agent with '-d' can also help identify situations where the
  agent *is* responding to the request, but only after a long delay.  This
  would be indicated by a series of incoming packet dumps (showing various
  retries from the client side), followed by several outgoing dumps - possibly
  long after the client tool has given up in disgust.
    See the entry
      The agent worked for a while, then stopped responding.  Why?
  later in this section.



I can see the system group, but nothing else.  Why?
--------------------------------------------------

  This is almost definitely due to the access configuration of the agent.
  Many pre-configured systems (such as most Linux distributions) will only
  allow access to the system group by default, and need to be configured
  to enable more general access.

    The easiest way to test this is to try a GETNEXT request on one of
  the other standard groups
  e.g.
	snmpgetnext  .....  interfaces

  If the agent responds with "hrSystemUptime.0" or "end of MIB", then it
  is clearly configured in this way.  See the entries on access control
  in the AGENT section for more information.



Why can't I see values in the <ENTERPRISE> tree?
-----------------------------------------------

  If you can see most of the standard information (not just the system and
  hrSystem groups), but not in the vendor-specific 'enterprises' tree, then
  once again there are several possible causes.

  Firstly, it's possible that the agent does not implement this particular
  enterprise tree.  Remember that adding a MIB to the client tools does
  *not* automatically add support for these object to the agent.  See the
  AGENT section for more information.


  Alternatively, it may be that the agent does implement some or all of this
  enterprise tree, but the access control settings are configured to block
  access to it.

  The simplest way to checks whether the agent implements a given portion
  of the OID tree is to run

	snmpwalk .... nsModuleName

  and look for index values that fall in the area of interest.
  (Always assuming that you have access to this particular section
  of the Net-SNMP enterprise tree, of course!)
 
  Checking the access control settings can be done by examining the tables
  vacmAccessTable and vacmViewTreeFamilyTable.   Note that these are used
  to configure access control for *all* versions of SNMP - not just SNMPv3.


  The third possibility is that simply isn't any information in the specified
  tree.  For example, several of the tables in the UCDavis enterprise tree
  (such as prTable, extTable, dskTable and fileTable) require explicit
  configuration in the snmpd.conf file.  If you query this particular tables
  without the necessary configuration entries, then they will be empty.


  Finally, if you can't see anything from *any* enterprise-specific tree,
  then this may be down to how you are asking for the information.  By
  default, if "snmpwalk" is run without an explicitly starting OID, then
  it will display the contents of the 'mib-2' tree, containing most of the
  IETF-standard management information supported by the agent.
 
  When the agent reaches the end of this tree, it will return the first
  enterprise-specific value, 'snmpwalk' will recognise that this marks the
  end of the (implicit) requested tree, and stop.  No enterprise-specific
  information will be displayed.

    To walk the whole tree, and see *all* the information that the
  agent supports, specify a starting point of '.iso' or '.1'.
  To walk a specific enterprise subtree, specify the root of this tree
  as the starting point - e.g:

	snmpwalk -v1 -c public localhost UCD-SNMP-MIB::ucdavis
 
  There is more information about particular UCD-specific subtrees in
  the AGENT section.



The agent worked for a while, then stopped responding.  Why?
-----------------------------------------------------------

  There are three basic possibilities:
    - the agent has crashed
    - it is hanging
    - it is temporarily overloaded

  Detecting whether the agent has crashed should be fairly straighforward.
  If you can reliably reproduce this crash (e.g. by sending a particular
  SNMP request), then contact the coders list for advice.
  It's the other two cases that are probably more significant.

  To tell the difference between these two, try leaving the agent
  undisturbed for a while, and then probe it using a single 'snmpget'
  request, specifying a longer timeout (e.g. '-t 120').  If it now
  responds, then something was probably sending requests (including
  duplicate retries) faster than the agent could process them, and it
  was building up a backlog.  Try adjusting the timeout period and retry
  frequency of these client requests, or look at improving the efficiency
  of the implementation of the relevant MIB objects.

  If the agent remains unresponsive (particularly if the load on the
  system is steadily climbing), then it's probably hanging, and all
  you can really do is restart the agent.  If you can identify what
  causes this to happen, then contact the coders list for advice.



Requesting an object fails with "Unknown Object Identifier"  Why?
----------------------------------------------------------------

  If a general snmpwalk shows a particular entry, but asking for it more
  specifically gives a "sub-identifier not found:" or "Unknown Object
  Identifier" error, then that's a problem with the tool, rather than
  the agent.

  Firstly, make sure that you're asking for the object by the right name.
  Object descriptors are case-sensitive, so asking for 'sysuptime' will
  not be recognised, but 'sysUpTime' will.

  Alternatively, the object may be defined in a MIB that hasn't been
  loaded.  Try loading in all the MIB files:

	snmpget -m ALL -v1 -c public localhost sysUpTime.0

  or specify the name of the appropriate MIB explicitly:

	snmpget -v1 -c public myhost SNMPv2-MIB::sysUpTime.0

  Note that this uses the name of the *module*, not the name of the file.
  However, if 'snmpwalk' displays the object by name, this is unlikely to
  be the cause, and you should look closely at the exact object name you
  are using.  In particular, see the next entry.



Why do I get "noSuchName" when asking for "sysUpTime" (or similar)?
------------------------------------------------------------------

  Assuming that you do have access to this object, the most likely cause
  is forgetting the instance subidentifier.

  If you try walking the 'system' group (or any other part of the MIB tree),
  you should notice that all of the results have a number after the object
  name.  This is the "instance subidentifier" of that particular MIB instance.

  For values in tables (such as the sysORTable), this acts as an index into
  the table - a very familiar concept.  But *all* SNMP values will display an
  instance number, whether or not they are part of a table.  For non-table
  objects ("scalars"), this instance subidentifier will always be '0',
  and it *must* be included when making a GET request.

     Compare the following:

	$ snmpget -v1 -c public localhost sysUpTime
	Error in packet
	Reason: (noSuchName) There is no such variable name in this MIB.
	This name doesn't exist: system.sysUpTime

	$ snmpget -v1 -c public localhost sysUpTime.0
	system.sysUpTime.0 = Timeticks: (69189271) 8 days, 0:11:32.71

  This is a little less obscure when using SNMPv2c or v3 requests:

	$ snmpget -v 2c -c public localhost sysUpTime
	system.sysUpTime = No Such Instance currently exists



Why do I sometimes get "End of MIB" when walking a tree, and sometimes not?
--------------------------------------------------------------------------

  This depends on which MIB modules are supported by the agent you are
  querying and exactly what you're asking for.

  Note that a tree is walked by repeatedly asking for "the next entry" until
  all the values under that tree have been retrieved.  However, the agent has
  no idea that this is what's happening - all it sees is a request for "the
  next entry after X".

  If the object X happens to be the last entry in a sub-tree, the agent will
  provide the next object supported (as requested) even though this will be
  in a different subtree.  It's up to the querying tool to recognise that
  this last result lies outside the area of interest, and simply discard it.

  If the object X happens to be the last entry supported by the agent, it
  doesn't have another object to provide, so returns an "end of MIB"
  indication.  The Net-SNMP tools report this with the message above.

  But in either case, the actual information provided will be the same.



How do I use SNMPv3?
-------------------

  The simplest form of SNMPv3 request is unauthenticated and unencrypted
  (noAuthNoPriv).  It simply requires a user name, and would look something
  like:

	snmpget -v 3 -l noAuthNoPriv -u dave localhost sysUpTime.0

  However this approach foregoes the security protection which is the
  main advantage of using SNMPv3 (and the agent must also be explicitly
  configured to allow unauthenticated requests from that user).

  The most common form of SNMPv3 request is authenticated but not encrypted
  (authNoPriv).  This specifies the pass phrase to authenticate with:

	snmpget -v 3 -l authNoPriv -u dave -A "Open the Door"
				localhost sysUpTime.0

  A fully secure (i.e. encrypted) request (authPriv) would also specify
  the privacy pass phrase:

	snmpget -v 3 -l authPriv -u dave -A "Open the Door"
			-X "Bet you can't see me"  localhost sysUpTime.0

  In practise, most of these would probably be set via configuration
  directives in a personal $HOME/.snmp/snmp.conf file (note, *not* the
  agent's snmpd.conf file).
    The equivalent settings for the third example would be:

	defSecurityName		dave
	defSecurityLevel	authPriv
	defAuthPassphrase	"Open the Door"
	defPrivPassphrase	"Bet you can't see me"

  If the AuthPassphrase and the PrivPassphrase are the same, then you
  can use the single setting
		defPassphrase	"Open the Door and see me"
  instead.

  See the AGENT section for how to configure the agent for SNMPv3 access.
 


Why can't I set any variables in the MIB?
----------------------------------------

  There are three possible reasons for this:

  Many MIB objects are defined as "read-only" and inherently cannot be
  changed via SET requests.  Attempts to do so will typically be rejected
  by the 'snmpset' command without ever being sent to the agent.

  Of those objects that can in principle be changed, the agent may not
  include the code necessary to support SET requests.  (GET and GETNEXT
  are much easier to handle - particularly for objects relating to the
  internals of the underlying operating system).

  Even if SET support has been implemented, the agent may not be configured
  to allow write access to this object.

    Ready-installed distributions (such as those shipped with Linux) tend
  to be configured with read-only access to part of the mib tree (typically
  just the system group) and no write access at all.

  To change this, you will need to set up the agent's access control
  configuration.  See the AGENT section for more details.

    Note that neither the community string "public" nor "private" can be
  used to set variables in a typical default configuration.



Variables seem to disappear when I try to set them.  Why?
--------------------------------------------------------

  This is actually the same as the previous question - it just isn't
  particularly obvious, particularly when using SNMPv1.  A typical
  example of this effect would be

	$ snmpget -v1 -c public localhost sysLocation.0
	sysLocation.0 = somewhere nearby

	$ snmpset -v1 -c public localhost sysLocation.0 s "right here"
	Error in packet.
	Reason: (noSuchName) There is no such variable name in this MIB.
	This name doesn't exist: sysLocation.0

  Trying the same request using SNMPv2 or above is somewhat more informative:

	$ snmpset -v 2c -c public localhost sysLocation.0 s "right here"
        Error in packet.
        Reason: notWritable

  The SNMPv1 error 'noSuchName' actually means:

	"You can't do that to this variable"

  rather than "this variable doesn't exist".
  It may be the case that it doesn't exist at all.  It may exist but you
  don't have access to it (although different administrative credentials
  might be accepted).  Or it may exist, but you simply can't perform that
  particular operation (e.g. changing it).
    Similarly, the SNMPv2 error 'notWritable' means "not writable in this
  particular case" rather than "not writable under any circumstances".

  If you are sure that the object is both defined as writable, and has been
  implemented as such, then you probably need to look at the agent access
  control. See the AGENT section for more details.
    But see the next entry first.



Why can't I change sysLocation (or sysContact)?
----------------------------------------------

  There is one final possibility to consider for why a SET request might
  be rejected.

  The values for certain MIB objects (including 'sysLocation' and 'sysContact')
  can be configured via the snmpd.conf file.  If this is done, then these
  particular objects become read-only, and cannot be updated via SET commands,
  even if the access control settings would otherwise allow it.

  This may seem perverse, but there is good reason for it.  If there is a
  configuration setting for one of these objects, then that value will be
  used whenever the agent re-starts.  If the object was allowed to be updated
  using SET, this new value would be forgotten the next time the agent was
  re-started.

  Hence the Net-SNMP agent rejects such requests if there's a value configured
  via the 'snmpd.conf' file.  If there isn't such a config setting, then the
  write request will succeed (assuming suitable access control settings), and
  the new value will be retained the next time the agent restarts.



I get an error when trying to set a negative value - why?
--------------------------------------------------------

    This is a different problem.  What's happening here is that the
  routine that parses the arguments to the 'snmpset' command is seeing
  the '-' of the new value, and treating it as a command-line option.
  This normally generates an error (since digits typically aren't valid
  command line options).

    The easiest way to solve this is include the "end-of-option"
  indicator '--' in the command line, somewhere before the new value
  (but after all of the options, obviously).  For example:

	snmpset -v 2c -c public localhost -- versionRestartAgent.0 i -1

  (This command will still fail, since -1 isn't an acceptable value for
  this particular object, but that's not the point here!)



I get an error when trying to query a string-indexed table value - why?
----------------------------------------------------------------------

  The Net-SNMP library will normally try to interpret string-based
  index values, and display them in a meaningful manner:

      $ snmpgetnext .... vacmGroupName
      vacmGroupName.3."dave" = theWorkers

  The command-line tools will also accept string-valued indexes within
  an OID, and convert them into the appropriate numeric form before
  sending an SNMP request.  However the Unix shell will typically
  swallow the quotes around the string index value, before the SNMP
  tools can get a chance to interpret them.

  The answer is to escape the quotes, to protect them from the shell,
  and allow them to be passed through to the OID parser:

      snmpget ....   vacmGroupName.3.\"dave\"
  or
      snmpget ....  'vacmGroupName.3."dave"'


  Another alternative is to avoid trying to specify the index value as
  a string, and provide the numeric subidentifiers directly:

      snmpget .... vacmGroupName.3.4.100.97.118.101

  (where '3' indicates SNMPv3, '4' is the length of the string index,
  followed by the ASCII values of the individual characters).

  The command-line option '-Ob' will display the results of querying
  a string-indexed table in this format:

      $ snmpgetnext -Ob .... vacmGroupName
      vacmGroupName.3.4.100.97.118.101 = theWorkers



How should I specify string-indexed table values?
------------------------------------------------

  There's one other aspect of string-indexed tables that can cause
  problems - the difference between implicit- and explicit-length
  strings, and how to represent these when making an SNMP query.

  The most common style of string index uses an explicit length,
  followed by the individual ASCII character values:

      "dave"  =  4.'d'.'a'.'v'.'e'

  (as shown in the previous entry).

  However if the string index is defined in the MIB file as IMPLIED
  (or if it has a fixed length, such as a physical ethernet address),
  then the length subidentifier is omitted, and the index simply
  consists of the character values:

      "dave"  =  'd'.'a'.'v'.'e'

  Note that IMPLIED index objects can only appear as the *last* index
  for a table.
 
  The Net-SNMP library uses double quotes (i.e. "dave) to indicate an
  explicit length string index value, and single quotes (i.e. 'dave')
  to indicate an implicit length one.  If you use the wrong style of
  quotes, then the resulting OID will be incorrect, and you'll get
  confusing results to your query.



How do I send traps and notifications?
---------------------------------------

    Traps and notifications can be sent using the command 'snmptrap'.
  The following examples generate the generic trap 'warmStart(1)' and a
  (dummy) enterprise specific trap '99' respectively:

	snmptrap -v 1 -c public localhost "" "" 1 0  ""
	snmptrap -v 1 -c public localhost "" "" 6 99 ""
  
  The empty parameters "" will use suitable defaults for the relevant 
  values (enterprise OID, address of sender and current sysUptime).

    An SNMPv2 or SNMPv3 notification (either trap or inform) takes
  the OID of the trap to send:

	snmptrap -v 2c -c public localhost "" UCD-SNMP-MIB::ucdStart
	snmptrap -v 2c -c public localhost "" .1.3.6.1.4.1.2021.251.1

  (These two are equivalent ways of specifying the same trap).  Again,
  the empty parameter "" will use a suitable default for the relevant
  value (sysUptime).

  Any of these commands can be followed by one or more varbinds,
  using the same (OID/type/value) syntax as for 'snmpset':

	snmptrap -v 2c -c public localhost "" ucdStart sysContact.0 s "Dave"

  Generating traps from within the agent, or other applications, is
  covered in the AGENT and CODING sections.

  You should also read the snmptrap tutorial at
        http://www.net-snmp.org/wiki/index.php/TUT:snmptrap
  which will help you understand everything you need to know about traps.



How do I receive traps and notifications?
----------------------------------------

    Handling incoming traps is the job of a "notification receiver".
  The Net-SNMP suite include the tool 'snmptrapd' to act in this role.
  This can log traps to a file or via the syslog mechanism, forward them
  to another notification receiver and/or invoke a specified command
  whenever a particular notification is received.

  Logging notifications would be done by starting snmptrapd as:
	snmptrapd -Ls 7		(log to syslog using 'LOCAL7')
  or
	snmptrapd -f -Lo        (log to standard output)

  Invoking a command to process a received notification uses one or
  more 'traphandle' directives in the configuration file 'snmptrapd.conf'.
  A typical configuration might look something like:

	traphandle .1.3.6.1.6.3.1.5.1       /path/to/page_me up
	traphandle .1.3.6.1.4.1.2021.251.1  /path/to/page_me up
	traphandle .1.3.6.1.4.1.2021.251.2  /path/to/page_me down
	traphandle default                  /path/to/log_it

  where 'page_me' and 'log_it' are the commands to be run.

  Forwarding notifications to another receiver would be done using
  similar 'snmptrapd.conf' directives:

        forward .1.3.6.1.4.1.8072.4.0.3  10.0.0.1
        forward default                  10.0.0.2

  There's a tutorial with more details on the web site at
        http://www.net-snmp.org/wiki/index.php/TUT:snmptrap



How do I receive SNMPv1 traps?
-----------------------------

  Directives in the 'snmptrapd.conf' file use the (SNMPv2) snmpTrapOID
  value to identify individual notifications.  This applies to *all*
  versions of SNMP - including SNMPv1 traps.  See the co-existence spec
  (RFC 2576) for details of mapping SNMPv1 traps to SNMPv2 OIDs.

  Note that the first traphandle directive in the previous entry uses
  the OID corresponding to the SNMPv1 'coldStart' trap. 



Why don't I receive incoming traps?
----------------------------------

  Starting with net-snmp 5.3, snmptrapd will no longer automatically
  accept all incoming traps. It must be configured with authorized
  SNMPv1/v2c community strings and/or SNMPv3 users. Non-authorized
  traps/informs will be dropped.
    Please refer to the snmptrapd.conf(5) manual page for details.



My traphandler script doesn't work when run like this - why not?
---------------------------------------------------------------

    If a traphandler script works fine when run manually from the
  command line, but fails or generates an error when triggered by
  an incoming notification, then there are two likely causes.

    Firstly, the interactive shell environment may not be precisely
  the same as that for programs executed by the snmptrapd daemon.
  In particular, it's quite possible that the PATH environmental
  variable may not include all the additional directories that are
  commonly set up for a personal login configuration.  To avoid this
  problem (particularly for traphandler shell scripts), it's worth
  giving the full path to all programs used within the script.

    Secondly, the snmptrapd daemon may not always recognise the
  appropriate interpreter to use for a particular trap handler.
  If this is the case, then you can specify this interpreter
  explicitly as part of the trap handle directive:

	traphandle default /usr/bin/perl /usr/local/bin/log_it

    In this case, it's almost certain that you'll also
  need to give the full path to the traphandle script (as shown)



How can the agent receive traps and notifications?
-------------------------------------------------

  It can't.

  The primary purpose of an SNMP agent is to handle requests for
  information from management applications.  In SNMP terminology,
  it acts as a "command responder".

  It may also issue traps to report significant events or conditions
  ("notification generator").  But responding to such notifications
  is a significantly different role, and this is handled by a separate
  application ('snmptrapd').  Note that it is perfectly possible (even
  normal) for both agent and trap receiver to run on the same host.



How big can an SNMP request (or reply) be?
-----------------------------------------

    The protocol definition specifies a "minimum maximum" packet size
  (484 bytes for UDP), which all systems must support, but does not
  attempt to define an upper bound for this maximum size.  This is left
  to each individual implementation.

    The UCD software used a fixed size buffer of 1472 bytes to hold the
  encoded packet, so all requests and responses had to fit within this.
  The Net-SNMP releases handle packet buffers rather differently, and
  are not subject to the same fixed restrictions.



How can I monitor my systems (disk, memory, etc)?
------------------------------------------------

    In general, the Net-SNMP suite consists of relatively low-level
  tools, and there is nothing included that is designed for high-level,
  long-term monitoring of trends in network traffic, disk or memory
  usage, etc.

    There are a number of packages available that are designed for this
  purpose.  Two of the most widely used are MRTG (http://www.mrtg.org/)
  and RRDtool (http://oss.oetiker.ch/rrdtool/).  There are also several
  frontends built on top of RRDtool, including Cacti (http://www.cacti.net/)
  and Cricket (http://cricket.sourceforge.net/).  There are details of
  how to set up Cricket to monitor some of the UCD extensions at
  http://www.afn.org/~jam/software/cricket/

     We have also set up a page that describes in detail how MRTG
  can be set up to monitor disk, memory and cpu activity at
  http://www.net-snmp.org/tutorial-5/mrtg/index.html

    There is also a web-based network configuration system "Net-Policy",
  based upon SNMP.  This is not strictly connected to the Net-SNMP project,
  but a number of the core developers are also involved with that system.
  See http://net-policy.sourceforge.net for more details.



Applications complain about entries in your example 'snmp.conf' file.  Why?
--------------------------------------------------------------------------

  There *is* no example 'snmp.conf' shipped with the standard distribution.
  
  The configuration file 'EXAMPLE.conf' is designed as a config for
  the agent, and should be installed as 'snmpd.conf' (note the 'd').
  The file 'snmp.conf' is intended for general configuration options,
  applicable to all applications (via the SNMP library).
    Rename (or merge) the 'snmp.conf' file to 'snmpd.conf', and this
  should fix the problem.

  See the AGENT section or the 'snmpd.conf(5)' man page for more information
  about what should go in this file.



OK, what should I put in snmp.conf?
----------------------------------

    This is used to set common configuration values for most of the
  applications, to avoid having to specify them every time.  Examples
  are the SNMPv3 settings mentioned above, defaults for which MIBs to
  load and where from (see the second entry in this section),
  and the default SNMP version, port and (if appropriate) community
  string to use.

    Some of these (such as MIB information), might be best put in a
  shared snmp.conf file (typically /usr/local/share/snmp/snmp.conf or
  /etc/snmp/snmp.conf) to apply to all users of the system.  Others
  (particularly the SNMPv3 security settings), are more likely to refer
  to a particular user, and should probably go in a personal snmp.conf
  file (typically $HOME/.snmp/snmp.conf).

    See 'snmpget -H' and/or the snmp.conf(5) man page for more details.

    You can also use the "snmpconf" command to help you generate your
  snmp.conf configuration file (just run it and answer its questions).



How do I specify IPv6 addresses in tools command line arguments?
---------------------------------------------------------------

    IPv6 addresses pose a particular problem for the Net-SNMP command
  line tools, which parse host names into pieces. In particular, normally
  if you specify a simple host name, it assumes you want UDP in IPv4 on
  port 161.   By default, these two commands are actually the same:

            snmpget     127.0.0.1     sysUpTime.0
            snmpget udp:127.0.0.1:161 sysUpTime.0

  However, for IPv6 this causes a problem because IPv6 addresses also use
  a colon to separate addressing parts. Thus you need to enclose the address
  in square brackets ( [ and ] ).
     Because most shells use these brackets too, you also likely need to quote it:

            snmpget 'udp6:[::1]:161' sysUpTime.0



PERL
====

What is the purpose of the Perl SNMP module?
-------------------------------------------

  Short, comprehensive (but ultimately unhelpful) anwer - to provide a
  perl interface for SNMP operations.

  Longer, incomplete (but more useful) answer - there are probably two
  main uses for the Perl SNMP module.  The first is for developing client
  management applications, using perl to send SNMP requests, and manipulating
  or displaying the results.  As such, this is a straight alternative to
  various other SNMP toolkits currently available (for both perl and other
  programming languages).

  The second is as a means for extending the functionality of the Net-SNMP
  agent, by implementing new MIB modules.  This is an alternative to the
  other script-based extension mechanisms, but is more tightly bound to the
  Net-SNMP agent (and hence more efficient), while still avoiding the need
  to write C code.

  It is also possible to use the perl SNMP module in the snmpd.conf file,
  or to process incoming notifications,  but the above are probably the
  two primary uses.



Where can I get the Perl SNMP package?
-------------------------------------

  Joe Marzot's excellent Perl 'SNMP' module, is included in the Net-SNMP
  source releases.  It can be found located in the perl/SNMP subdirectory
  of the source tree.  This is accompanied by a number of Perl modules
  grouped together under the NetSNMP namespace.

  The basic SNMP module (though not the NetSNMP additions), can also
  be found at any Comprehensive Perl Archive Network (CPAN) mirror site,
  under modules/by-module/SNMP.  To find the CPAN site nearest you,
  please see http://www.cpan.org/SITES.html.

  These Perl modules need to be used in conjunction with a compatible
  version of the Net-SNMP library.  Consult the README file in the SNMP
  Perl distribution to find out which version of the library it needs.



How do I install the Perl SNMP modules?
--------------------------------------

  Assuming you have a reasonably new (and properly configured) Perl system,
  this should be simply:

        cd perl
	perl Makefile.PL
	    (press RETURN when prompted for host and community)
	make
	make test
	make install  (probably as root)


  It might be possible to install the basic module using 

	perl -MCPAN -e shell ; "install SNMP"

  but this has not been reliably tested, and very much relies on
  having the correct version of the Net-SNMP library.

  There may also be appropriate pre-compiled versions of the Perl modules
  available from the Net-SNMP project website, or your O/S vendor.



But compiling this fails! Why?
-----------------------------

  The Perl module tends to delve quite deeply into the internals of the
  main Net-SNMP library, and so is quite sensitive to changes within the
  library.  It's important to use the correct version of the module, that
  corresponds to the version of the library you have installed.  If you're
  working with a Net-SNMP source distribution, the appropriate versions of
  the Perl modules are shipped as part of the source code, but you *must*
  have run "make install" on the main Net-SNMP distribution *first*.

  If you're working with a ready-installed version of the library, make
  sure you obtain a compatible version of the Perl module.

    Note that the Perl modules will be compiled using the compiler
  (and compiler settings) used for compiling the original perl binary,
  *not* those used for compiling the Net-SNMP (or UCD) library.
  If these are different (e.g. 'gcc' used for one and 'cc' for the other)
  then this may well cause problems.  It's much safer to use a consistent
  environment for both.  This issue is discussed in greater detail in
  the README.solaris file.

    Also note that the v5 Net-SNMP suite *must* be configured to provide
  shared libraries in order for the Perl modules to work correctly.  This
  is not necessary with the v4 UCD-SNMP libraries.



Compiling the Perl module works OK, but 'make test' fails. Why?
--------------------------------------------------------------

  That's difficult to answer in general.
  Some of the Perl tests are rather picky, so this may simply be
  some minor inconsistency between your precise setup, and the
  expectations of the test environment.

    Check that you are working with the Perl distribution that matches
  the SNMP libraries (use the 'perl/SNMP' in preference to CPAN), and
  that you have installed the main libraries successfully (uninstall
  any old versions if you're having trouble).

    If all this looks OK, and if most of the tests pass, then it's
  probably safe to run 'make install' anyway.   Probably.



Why can't mib2c (or tkmib) locate SNMP.pm?
-----------------------------------------

  That's probably because the SNMP Perl module hasn't been installed.
  It's not part of the standard Perl distribution, nor is it included
  in the default Fedora Linux installation (for example).
  You'll need to install it yourself.

  See the second entry in this section.



Why can't mib2c (or tkmib) load SNMP.so?
---------------------------------------

    This is probably the same problem.  Either the SNMP module
  hasn't been installed, or it's the wrong version.  See the
  previous questions.



Why can't tkmib locate Tk.pm?
----------------------------

  Tk.pm is another Perl package that needs to be installed before tkmib
  will run.  It's also available on Perl CPAN.  We suggest using version
  "Tk800.011" or later.  It can be installed by issuing the command:

		perl -MCPAN -e shell ; "install Tk"



Why does your RPM complain about missing Perl modules?
-----------------------------------------------------

  This has been particularly noted on RedHat 9, complaining about the
  module "perl(Term::ReadKey)" - even if this is actually present (e.g.
  having been installed directly from CPAN).  In fact, this is not
  specific to Perl modules - the same issue can potentially arise with
  other RPM dependencies.

  The problem is that the RPM mechanism keeps a local database of what
  software packages have been installed, and checks this for any other
  features that this RPM requires.  If software is installed "manually"
  rather than via rpm packages, then it will not appear in this database.
  Attempting to install another RPM that rely on this functionality will
  then complain about the "missing" package, because the RPM system doesn't
  know that's it's actually available.

  The ideal solution is to *always* install software using a consistent
  mechanism (which may involve building RPMs locally, or looking for a
  suitable pre-built version).

  Failing this, it's possible to tell the "rpm" command to ignore such
  dependencies, and install the package anyway.  Try:

              rpm -i --nodeps {package}

  In this situation, it's then up to you to make sure that any other
  necessary packages *are* actually present on the system.



I've got a problem with the Net-SNMP module.  Can you help?
----------------------------------------------------------

  Sorry, despite the similar-sounding name, the Net-SNMP (or Net::SNMP)
  module is nothing to do with this package, or the NetSNMP modules.
  Net::SNMP is a "pure-perl" implementation of SNMP support, developed
  by David Town.  The developers of the (C-based) Net-SNMP suite do
  not have any significant experience in using this particular module,
  and you'll probably be better off asking for help via CPAN or some
  other perl-related forum.



MIBS
====

Where can I find a MIB compiler?
-------------------------------

  That depends what you mean by a "MIB compiler".  There are at least two
  types of tool that are commonly referred to by this name.

  The first is a tool to check MIB files for validity.  With the Net-SNMP
  software, this functionality is mostly integrated within the MIB parser,
  and hence included in all the applications.  The tool 'snmptranslate' is
  probably the most appropriate for this purpose.

  Note that the parser is fairly forgiving (see 'What ASN.1 parser is used'
  below), so this should not be regarded as a stamp of approval.  For a
  more rigourous validation, use a tool such as 'smilint', or the on-line
  interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/

    The second type of "MIB compiler" is one to turn a MIB specification
  into C code, specifically one designed to aid agent implementation.  The
  command 'mib2c' is an example of such a tool for the Net-SNMP agent.  
  See the CODING section for more information.



Why aren't my MIB files being read in?
-------------------------------------

  There are two basic likely causes - either the library isn't attemping to
  load these particular MIB files, or it's trying to load them but can't
  locate them.

  By default, the Net-SNMP library loads a specific subset of MIB files.
  This list is set when the suite is first configured and compiled, and
  basically corresponds to the list of modules that the agent supports.
    (This is a simplification, but is a reasonable first approximation).

  In order to load additional MIB files, it is necessary to add them to this
  default list.  See the FAQ entry "How do I add a MIB to the tools?" for
  more information about how to do this.


  Alternatively, the tools may be looking in the wrong place.  The directory
  where the library looks for MIB files is also set when the software is
  first configured and compiled.  If you put new MIB files in the wrong
  location, then the library won't be able to find them (and will complain).

  This problem may arise when switching from a vendor-supplied distribution
  to one compiled from source (or vice versa).
    See the next entry for more information.



Where should I put my MIB files?
-------------------------------

  If you've compiled the package from source (or are using binaries
  from the project website), then you should probably put new MIB
  files in the directory /usr/local/share/snmp/mibs

  If you are using vendor-supplied binaries, then the MIB files
  may well be located somewhere else (e.g. /usr/share/snmp/mibs,
  /opt/snmp/mibs, or /etc/sma/snmp/mibs).  Have a look for where
  existing MIB files are installed, and try adding your MIBs to
  the same directory.

  If you compiled the source yourself, but specified a different
  --prefix value when running configure, then the location of the
  MIB directory will be {prefix}/share/snmp/mibs.

  If you're still not sure where to put your MIB files, try running
  the command

     snmpget  -Dparse-mibs  2>&1 | grep directory

  This will display the location(s) where the library is looking
  for MIB files.



What does "Cannot find module (XXX-MIB)" mean?
---------------------------------------------

    If this error is only generated for one or two modules, then it's
  likely that the named modules are not being found - perhaps they're
  not installed in the correct location, are not readable, or the
  name being used is incorrect.  See the previous entries and the entry
  "How do I add a MIB to the tools?" for more details.

  Note that the name reported is the name of the MIB *module*, which is
  not necessarily the same as the name of the file.


    If there are a large number of such errors, then it's more likely
  that either the MIB files haven't been installed at all.  If you are
  compiling from source, then it is necessary to run "make install" in
  order to set up the full run-time environment.

  Otherwise, see the previous entry to check whether the MIBs are installed
  in the correct location for the tools to find them.



I'm getting answers, but they're all numbers. Why?
-------------------------------------------------

  This is related to the previous questions.  Remember, the results that
  you receive from an agent do not depend on which MIBs are loaded by the
  client tools - purely on how the agent was compiled and configured.

  Because the tools don't necessarily read in every MIB file they can find
  (and the relevant MIB file may not be available anyway), it is quite
  possible for results from an agent to refer to modules that have not
  been loaded (particularly with GETNEXT requests, or when walking a tree).

  The results will be reported correctly, but won't be translated to use
  named identifiers (or display the values in the most appropriate manner).
  To fix this, add the missing MIB files to the list of MIBs to be loaded.
  See the previous entries and the entry "How do I add a MIB to the tools?"
  for more information.



What does "unlinked OID" mean?
-----------------------------

    This means that the library has been able to find the MIB module,
  and parse the individual objects defined in it, but is having problems
  linking them together into a consistent tree.  In particular, it
  can't find an object corresponding to the name within the braces
  (i.e. the 'xxx' in '{xxx 99}').

    This is probably due either to a typo in this name (remember that
  names are case sensitive, so a reference to 'xxx' will *not* match
  a definition of 'Xxx'), or else the name is defined in another MIB
  file, and this dependency is missing from the IMPORT clause of this
  MIB file.



The parser doesn't handle comments properly. Why not?
----------------------------------------------------

  The way that comments are handled in a MIB file is subtly different
  to the equivalent syntax in most typical programming languages, and
  this difference can catch out the unwary.  In particular, there are
  two common situations which can lead to problems.

  The first scenario is where the MIB designer has attempted to "comment
  out" an unwanted line that already contains a comment:

	--   broken ::= { myMIB 1 }   -- This isn't working yet

  The assumption here is that a comment continues to the end of the line.
  Unfortunately, this is not correct.  A comment will continue either to
  the end of the line, *or* the next occurance of a pair of dashes.

    Thus in this case, the definition of "broken" is commented out (as
  intended) but the following text ("This isn't working yet") is treated
  as an active part of the MIB, and will generate an error.


  The second scenario is where a line of dashes has been used to mark
  out separate parts of a MIB file.  Depending on the exact number of
  dashes used, this may still result in a syntactically valid MIB file,
  but has a 1-in-4 possibility of triggering an error.  This means that
  this particular situation can be particularly difficult to spot!


    Most of the Net-SNMP applications have a command-line option (-Pc) which
  will work around this problem by treating the whole line as a comment.
  But this is not strictly legal, and the offending MIB file should really
  be corrected.



How can I get more information about problems with MIB files?
------------------------------------------------------------

  The command 'snmptranslate' is used to translate between numeric
  and symbolic forms of OIDs.  It uses the same MIB parsing routines
  as the commands that actually communicate with a network management
  agent, but can be used standalone.  As such, it is a useful tool
  for identifying problems with reading in MIB files.

    In particular, the following options may be useful in
  identifying problems:
	-Pw  warns about conflicting symbols
	-PW  prints more verbose warnings about other problems as well
		(in both cases, ignore the 'xmalloc' reports)
	-T   provides sub-options for various views of these entries

  There are other '-P' options to control various aspects of MIB parsing.
  See the 'snmptranslate(1)' and 'snmpcmd(1)' man pages for more details,
  or the tutorial at
	http://www.net-snmp.org/tutorial-5/commands/snmptranslate.html

  For a more rigourous validation, use a tool such as 'smilint', or the
  on-line interface at http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/



What's this about "too many imported symbols"?
---------------------------------------------

  Any MIB file starts with an (optional) list of identifiers that
  it "imports" from other files.  The parser handles this using
  a fixed size buffer to hold the import information.
    There are two circumstances in which this can result in the
  error message shown above.

    Firstly, if the MIB file refers to an unusually large number
  of external identifiers.  Handling this case requires a (trivial)
  patch to the parsing code.  Contact the coders list for advice.
     (This is extremely rare - the only example that
      we've come across is the Cabletron Trap MIB).

    Much more common is a syntax error in the IMPORTS clause of the
  MIB file in question.  In particular, check that this section ends
  in a semicolon, before going on to the main MIB object definitions.



Do I actually need the MIB files?
--------------------------------

  Probably not.
  The MIB files play two main roles - they are used to translate
  between numeric OIDs and the corresponding textual names, and
  they define the structure and syntax of the relevant MIB objects.

    This second role is perhaps best thought of in terms of a design
  document.  It's vital while developing an application (typically
  the MIB module or handler within the agent), since it defines
  what the application (MIB) must actually do.  But once the code
  has been written, the design document becomes redundent.
  The agent then has the same information hardcoded into it
  (literally!), and no longer needs the MIB file.

    The translation task is not strictly necessary - SNMP will
  operate fine without any MIB files at all, as long as you're
  happy to work with numeric OIDs throughout, and know which MIB
  objects you're interested in.  But it's much easier to work with
  the (hopefully) meaningful names, enumeration tags and the like,
  and to view the description of a particular object.
  This requires having the relevant MIB files installed and loaded.


  Since the agent needs MIBs the least and some systems are memory
  restricted, it is possible to completely disable loading these MIBs
  as well as remove the code that does the parsing by using the
  --disable-mib-loading flag to configure.

  However, note that certain snmpd.conf tokens actually make use
  of mib information so they won't be as easily usable. 



AGENT
=====

What MIBs are supported?
-----------------------

  The following MIBs are supported (at least in part and on some systems):

	- MIB-2  General network statistics
                (RFC 1213 and subsequent revisions)
	- Host Resources (RFC 1514 and 2790)
	- SNMPv3 framework (RFCs 2571-5, 3411-3418)
		(including USM, VACM, Target
		 and Notification MIBs)
	- DisMan Event and Schedule MIBs
	- MTA-MIB (sendmail)
	- private UCD/Net-SNMP agent extensions
		(monitor specified processes and disks,
		 memory, CPU, load average, + extending
		 the agent using shell commands)

  See README.agent-mibs for details.

  Not all MIB modules are included by default on all systems.  Some of
  these may need to be explicitly requested when the software is first
  configured and built, while others may not be available on all
  architectures.

  There are a few other MIB implementations distributed as part of the
  source tarball, but these are basically unsupported and most of the
  core developers have little or no experience with using them.



What protocols are supported?
----------------------------

  The agent supports all three current versions of SNMP (v1, v2c and v3),
  over both UDP and TCP transports, as well as acting as a SMUX (RFC 1227)
  master agent, AgentX (RFC 2741) in both master and subagent roles, and
  SNMP proxying.



How do I configure the agent?
----------------------------

  That's a somewhat ambiguous question, as there are two very different
  stages where it is possible to "configure" the agent.

  Firstly, you can determine what capabilities and defaults are included
  within the library and agent, at the time that the software is first
  built.  This uses suitable flags to the 'configure' script, before
  compiling the source.
    As far as the agent is concerned, the most significant option is
  '--with-mib-modules' (or '--with-out-mib-modules') to control which
  MIBs will be supported by the agent.  See the next few entries for
  details.

    You can also control various aspects of the agent behaviour (and the
  information it returns) at run time, via the 'snmpd.conf' configuration
  file.  Various aspects of this are touched on throughout this FAQ.  Or
  see the snmpd.conf(5) manual page for full details.
    The "snmpconf" script can help in creating this config file.
  Start off with 'snmpconf -g basic_setup' to get you going.



How do I remove a MIB from the agent?
------------------------------------

  Deleting the text file for a MIB does not affect the agent (other than
  to prevent it from recognising MIB object names in the config files).
  It's necessary to tell the agent not to activate the relevant code that
  actually implements these objects.  There are three ways to do this:
                                                                                
    1) re-run 'configure' to exclude the given MIB module(s) from the
       build configuration, then recompile and reinstall:

	  ./configure --with-out-mib-modules=path/to/unwanted   ....
	  make
	  make install

       This specifies the path to the module code file, relative to
       the 'agent/mibgroup' directory.  Clearly, this approach is
       only possible if you are working with a source distribution.
 
    2) disable the MIB at runtime

	  snmpd -I -unwanted

       Note that this relies on knowing which modules are used to
       implement the relevant MIB objects.  If you're not sure,
       you could try walking the 'nsModuleName' MIB object, which
       indicates the module responsible for each particular range
       of OIDs.
       You can also check which MIB modules are loaded by getting
       the agent to report them as they are initialised:

	  snmpd -Dmib_init -H

       From this information, it should then be fairly obvious which
       modules to disable.

    3) use access control to exclude the mib from the view used to
       query the agent:

          view    almostEverything  included   .1
          view    almostEverything  excluded   unwantedMib

          rocommunity  public  default  -V almostEverything

       This approach can also be used with the full com2sec/group/access
       configuration directives (e.g. with versions earlier than 5.3,
       which don't support the above mechanism).



I've installed a new MIB file.  Why can't I query it?
----------------------------------------------------

  Installing a new MIB file will not magically enable the agent to know
  what values to report for the objects defined in that MIB.  It's
  necessary to have some code which can provide the relevant information.
  The next few entries, and the CODING section address this issue in more
  detail.



How do I add a MIB to the agent?
-------------------------------

  Adding a MIB essentially involves writing some code to implement the
  objects defined in the new MIB.  There are three basic approaches that
  can be used to do this:

    -  The agent can invoke an external command or shell script to
       return the necessary information.  There are several possible
       variations on this approach - see the next entry for details.

    -  The agent can pass the request off to another (sub-)agent,
       which already implements the required MIB.  Again, there are
       several ways of doing this - including AgentX, SMUX and
       proxied SNMP.  See the next entry but one for details.

    -  You can write code to implement the new MIB objects, and
       include this within the agent.  This is most commonly C
       (or C++) code, although the agent can also support MIB modules
       implemented in perl.
         See the next section (CODING) for more details.

  Note that there is no visible difference between external commands,
  subagents, and modules implemented within the main agent itself.
  Tools querying the agent will see a single MIB structure.
 


What's the difference between 'exec', 'sh', 'extend' and 'pass'?
---------------------------------------------------------------

  'exec' will run the specified command and return the exit status and
  output.  Any arguments are passed directly to the command, with no
  special interpretation.

  'sh' is similar, but invokes a shell to run the command line given.
  This means that quoted arguments will be recognised as such, and also
  allows redirection, and other similar shell interpretation.  The results
  are returned in exactly the same way.

  'extend' is also similar, but provides a richer and more flexible MIB
  framework - both for configuring the exact command to be run, and for
  displaying the results.

  None of these mechanisms require the command to have any knowledge of
  SNMP, or the fact that they are being used in this manner.  But the
  output is returned in a fixed format, and it is up to the receiving
  application to interpret this appropriately.

  Note that the "relocatable" form of the 'exec' directive ('exec OID ....')
  produces MIB output that is not strictly valid. For this reason, support
  for this has been deprecated in favour of 'extend OID ...', which produces
  well-formed MIB results (as well as providing fuller functionality).
  The most recent releases of the agent don't include support for "relocatable
  exec" by default. This needs to be explicitly included when the agent is
  first compiled, by including the module 'ucd-snmp/extensible' instead of
  'agent/extend'.


  'pass' is a more general mechanism for implementing arbitrary MIB
  objects.  The specified command will be invoked for any request within
  the named MIB subtree, and passed details of the requested OID.  It
  should return the information relevant to the requested OID.

    'pass-persist' is similar, but the command will continue running
  even after the initial request has been answered.  These two mechanisms
  can be used to implement a particular MIB, following the correct MIB
  structure (as opposed to the fixed format of exec/sh/extend).

  All of these mechanisms are described in the 'snmpd.conf(5)' man page,
  in the section entitled "Extending Agent Functionality".

  

What's the difference between AgentX, SMUX and proxied SNMP?
-----------------------------------------------------------

    All three are protocols that can be used to make two or more agents
  appear as one to the querying application.  In each case, one agent
  takes the role of "master", and delegates requests to one of the others
  as and where this is appropriate.  The differences between them mainly
  relate to how data is represented, and the mechanisms for communication
  between master and subagents.

    SMUX and proxy SNMP both essentially use the standard SNMP packet format.
  The main difference is that a proxy SNMP subagent need not be aware that
  it is acting in such a role.  It typically listens on a non-standard port,
  and simply receives requests as usual, forwarded from the master agent
  (rather than directly).  The main issue to be aware of is that such requests
  will appear to come from the local host, and this may affect how the access
  control mechanisms need to be set up.

    SMUX uses a similar packet format, but the subagent "registers" with
  the master agent, providing a suitable password.  The Net-SNMP (and UCD)
  agent includes the possibility of acting as a SMUX master agent, but the
  suite does not include a subagent API.   Note that support for SMUX is not
  included by default, and needs to be explicitly enabled by running:

		--with-mib-modules=smux

  before re-compiling the agent.
    See the file 'agent/mibgroup/README.smux' for details.

    AgentX uses a more compact (and simpler) packet format, with a richer
  range of administrative commands, and provides a more flexible and reliable
  extension mechanism.  The Net-SNMP agent can be used in both master and
  subagent roles, and the agent library can also be used to embed an AgentX
  subagent within another application.
    See the file 'README.agentx' for details.

  AgentX support is included by default, but needs to be explicitly
  activated in the master agent.  Do this by adding the line

		master agentx

  to the snmpd.conf file before starting the agent.



What is the purpose of 'dlmod'?
------------------------------

  Most of the MIB information supplied by the Net-SNMP agent is provided
  by C-coded implementation modules, and the choice of which modules to
  include is usually made when the agent is first built.  Adding new
  MIB modules would therefore require re-compiling the agent.  This is
  not always convenient - particularly when working with a production
  system, and/or pre-installed binaries.
  
  Dynamically loaded modules are a means of including a MIB implementation
  module within the main SNMP agent (or an AgentX subagent) without needing
  to re-compile and re-link the agent binary.  Instead, details of the
  module(s) to load are specified in the configuration file, and the agent
  locates the files listed, and merges them in at run time.

  See http://www.net-snmp.org/tutorial-5/toolkit/dlmod/ for more information.



Which extension mechanism should I use?
--------------------------------------

  That's not easy to answer in general.

  If there's an existing agent that already implements the desired new
  MIB, then it makes sense to re-use that, via whatever extension protocol
  that agent might support.  Note that the SMUX protocol has essentially
  been superceded by AgentX, which provides a fuller and more reliable
  mechanism than either SMUX or proxied SNMP.  So ideally, this would
  be the preferred extension approach.
  But if the target subagent only supports SMUX or basic SNMP, then that
  would dictate the extension protocol to use.

  Implementing the module in C within the main agent (directly or via
  dlmod) is probably the most efficient and reliable, closely followed
  by embedded perl (or python) extensions.  These have the advantage of
  minimal overheads between the code implementing the MIB module, and
  the agent framework, and no inter-process communication issues.  But
  this does assume that there's a suitable mechanism for retrieving the
  necessary information.

  If the new MIB is monitoring or managing some other subsystem, external
  to the agent, then it may be necessary to embed a subagent within the
  subsystem itself - particularly if there's no suitable public API to
  retrieve the necessary information.  In this case, AgentX is probably
  the most appropriate way forward.
    Alternatively, you could implement the missing public management API
  for that subsystem, and develop a module within the main agent instead.



Can I use AgentX when running under Windows?
-------------------------------------------

  Yes, but there are a couple of things to be aware of.

  Firstly, by default the AgentX master listens on the Unix domain
  socket '/var/agentx/master', which doesn't work under Windows.
  You'll need to tell it to listen on a TCP port, either by using
  the command-line option "-x localhost:705",  or by adding the
  directive "agentxSocket localhost:705" to the snmpd.conf file.

  Secondly, be aware that the security of AgentX connectivity is not
  particularly strong.  The examples given here would allow any process
  running on the local machine to register as an AgentX subagent.  The
  more obvious settings "-x 705" or "agentxSocket 705" would allow
  a system *anywhere* on the network (or even from remote networks) to
  register as an AgentX subagent.  This could potentially be used to
  hijack the agent, or provide false information.



How can I run AgentX with a different socket address?
----------------------------------------------------

  There are two sides to an AgentX connection, and they need to
  agree about which socket address to use.  So if you want to use
  a different socket, you need to configure both parties accordingly.

  The socket that the Net-SNMP master agent uses to listen for AgentX
  registrations (and send appropriate requests) can be specified using
  the option '-x'.
    The command
		"snmpd -x tcp:localhost:705 ...."
  would start the agent listening on the TCP port 705 for connections
  from the local system.
    The same effect can also be obtained by adding the line
		agentxsocket localhost:705
  to the file 'snmpd.conf'.

  The same option can be used with the Net-SNMP agent when running in
  This also holds when the Net-SNMP agent is running in
  "subagent" mode, to specify the socket to register with (and receive
  requests from).
    So a subagent might connect to the master agent above (both running
  on the same host), using: 
		"snmpd -X -x tcp:localhost:705 ...."

  A subagent running embedded within some other application will
  typically not understand the same command-line options, so would
  need to set the same configuration programmatically:

     netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
                           NETSNMP_DS_AGENT_X_SOCKET, "tcp:localhost:705");

  With the example subagent code from the Net-SNMP tutorial, this line
  would be added immediately before the 'init_agent' call.

  The same approach can also be used to listen on a different named
  socket, using:
		agentxsocket /tmp/agentx
		agentxperms 770 770 myuser mygroup
  or
		snmpd -x /tmp/agentx ....
  or
     netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
                           NETSNMP_DS_AGENT_X_SOCKET, "/tmp/agentx");
  as appropriate.



How can I turn off SMUX support?
-------------------------------

  Normally, you would use the command-line option '-I -{module}' to
  disable the initialisation of a particular MIB module within the
  agent.  Unfortunately, it's not currently possible to turn off SMUX
  support this way.

  The safest approach is to run
	configure --with-out-mib-modules=smux
  and recompile the agent.

  If this is not possible, an alternative workaround might be to have
  the agent bind the SMUX socket to an invalid IP address, using a
  snmpd.conf line such as:

	smuxsocket  1.0.0.0

  The agent may complain at startup, but it won't accept any incoming
  SMUX requests.

  If the agent complains about not recognising the "smuxsocket"
  token, then you're out of luck.  You'll either have to recompile
  from source, or use local firewall rules to block connections
  to port 199.



How can I combine two copies of the 'mib2' tree from separate subagents?
-----------------------------------------------------------------------

  This is the purpose of the SNMPv3 'context' field.  Register the MIB
  module a second time in a non-default context (see the relevant entry
  in the CODING section for details), and specify this context when
  querying the agent.  The MIB module can use this context information
  to determine which set of information to report.
    Or you could register two completely different handlers for the same
  OID (using different contexts), and the agent will invoke the appropriate
  code.  This holds for both MIB modules implemented within the main agent,
  or AgentX subagents - the same approach will work for both.

  Contexts can also be used with proxied SNMP requests - just specify
  the option '-Cn {context}' as part of the "proxy" entry.  See the
  'snmpd.conf(5)' man page for details.

  It's currently not possible to support parallel MIB trees when using
  SNMPv1 or SNMPv2c.  In principle, it should be possible to use the
  community string in a similar way, but this has not (yet) been implemented.

  This mechanism is only available with the v5 Net-SNMP agent. The v4
  UCD agent does not support contexts at all.  Sorry about that.

    Another way to handle this would be to tweak one of the subagents to
  use a different set of (non-standard) OID assignments - perhaps by
  relocating the whole of the subtree to another (private) OID.  This
  is not ideal, but should work with all configurations.



What traps are sent by the agent?
--------------------------------

  The Net-SNMP agent sends a 'coldStart(0)' trap when it first starts up,
  and an enterprise-specific trap 'nsNotifyShutdown' when it stops.  It
  generates an enterprise-specific trap 'nsNotifyRestart' (rather than
  the standard 'coldStart(0)' or 'warmStart(1)' traps) on receiving a HUP
  signal - typically after being re-configured.  It can also be configured
  to send an 'authenticationFailure(4)' trap when it receives an SNMPv1 
  (or SNMPv2c) request using an unknown community name.

    The agent does not send 'linkUp' or 'linkDown' traps by default. It can
  be configured to do this using the directive 'linkUpDownNotifications'.
  See the 'snmpd.conf(5)' man page (under ACTIVE MONITORING) for details.

    Similarly, it does not generate traps by default when one of the
  monitored characteristics (disk usage, running processes, etc) enters or
  leaves an error state.  This can be configured using the 'defaultMonitors'
  directive (again documented under ACTIVE MONITORING).



Where are these traps sent to?
-----------------------------

  With all these alerts, the agent needs to be told where to send them,
  specifying the type of notification (v1 or v2 trap, or v2 inform) and
  the community name to use.  This uses the snmpd.conf directives 'trapsink',
  'trap2sink' and 'informsink' for the destination type, and 'trapcommunity'
  for the community name.  SNMPv3 destinations can be configured using the
  directive 'trapsess'.   See the 'snmpd.conf(5)' man page for details.

    Note that the type of trap generated is totally determined by these
  directives - irrespective of which API call was used to trigger sending
  the trap.  See the trap-related entries in the CODING section for details.

  Note also that you typically only want *one* of the settings:

        trapsink   localhost
        trap2sink  localhost
        informsink localhost

  Including two (or all three) of these lines in the snmpd.conf file will
  will result in multiple copies of every notifications being sent for
  each call to 'send_easy_trap()' (or 'send_v2trap()').
    This is probably not what was intended!
 


How can I send a particular trap to selected destinations?
----------------------------------------------------------

  This is not currently possible.  All notifications will be sent to
  all configured destinations.  The agent does not (currently) support
  notification filtering.

    There is a preliminary implementation of the snmpNotifyFilterTable
  which is designed to allow this sort of selective trap direction.
  However this is not currently active.  (The tables are present and
  can be manipulated and updated, but the information is not consulted)
  Documentation on how to use this mechanism will appear once the
  functionality is working properly.



When I run the agent it runs and then quits without staying around. Why?
-----------------------------------------------------------------------

  Firstly, are you certain that this is what is happening?

  The normal operation of the agent is to 'fork' itself into the background,
  detaching itself from the controlling terminal so that it will continue
  running even when you log out, and freeing the command line for subsequent
  use.  This looks at first sight as if the agent has died, but using 'ps'
  to show all processes should reveal that the agent is still running.

  To prevent this behaviour (such as when attempting to debug the agent),
  you can start it with the '-f' flag.  This suppresses the fork, and the
  agent will run as a 'normal' command.  It's also often useful to use the
  '-Le' (or '-L') flag, to log messages to stderr.

  On the other hand, if 'ps' shows that the agent is not running, then
  this is an error, and probably show that something went wrong in
  starting the agent up.  Check the agent log file for any error messages,
  or run it with '-f -Le' and see what it reports.

  One possible cause might be an existing agent (or some other process)
  that's already listening on the SNMP port.  Trying to start a second
  agent will fail with an error about "opening the specified endpoint".

  If you're starting the agent as a non-root user, then this may also
  fail with the very same error.  By default, the agent (and trap handler)
  will attempt to listen on the standard SNMP port 161 (or 162 for the
  trap handler).  These are defined as "privileged ports", and processes
  will need to be running as root in order to open them.

  One way to tackle this is to start the agent as root, but use the -u
  option to switch to run as another user once the port has been opened.
  Alternatively, you can specify a different port to use instead.
  Anything greater than 1024 is available to non-root users.  In this case,
  you'll also need to specify the same port when issuing client commands.



After a while the agent stops responding, and starts eating CPU time.  Why?
--------------------------------------------------------------------------

  This is basically the same problem described in the APPLICATIONS
  section, in the entry
   The agent worked for a while, then stopped responding.  Why?

  See that entry for details.



How can I stop other people getting at my agent?
-----------------------------------------------

  Firstly, are you concerned with read access or write access?

  As far as changing things on the agent is concerned, there is relatively
  little that can actually be altered (see the entry "Why can't I set
  any variables in the MIB?" above).

    If you are using the example config file, this is set up to allow
  read access from your local network, and write access only from the
  system itself (accessed as 'localhost'), both using the community name
  specified.  You will need to set appropriate values for both NETWORK
  and COMMUNITY in this file before using it.
    This mechanism can also be used to control access much more precisely.
  (see the next few questions for details)

  Other options include:
	- Blocking access to port 161 from outside your organisation
		(using filters on network routers)
	- Using kernel-level network filtering on the system itself
		(such as IPTables)
	- Configuring TCP wrapper support ("--with-libwrap")
		This uses the TCP 'libwrap' library (available separately)
		to allow/deny access via /etc/hosts.{allow,deny}

  For strict security you should use only SNMPv3, which is the secure
  form of the protocol.  However, note that the agent access control
  mechanisms does not restrict SNMPv3 traffic by location - an SNMPv3
  request will be accepted or rejected based purely on the user
  authentication, irrespective of where it originated.  Source-based
  restrictions on SNMPv3 requests would need to use one of the "external"
  mechanisms listed above.



How can I listen on just one particular interface?
-------------------------------------------------

    Normally, the agent will bind to the specified port on all interfaces
  on the system, and accept requests received from any of them.  However,
  if a particular port (or ports) is specified when the agent is first
  started, then it will only listen for requests on these particular
  ports.
     For example:
			snmpd 127.0.0.1:161

  would listen (on the standard port) on the loopback interface only, and:

			snmpd 10.0.0.1:6161

  would listen on port 6161, on the (internal network) interface with
  address 10.0.0.1.   To listen on both of these interfaces (and no others)
  provide a list of all the desired addresses:

			snmpd 127.0.0.1:161 127.0.0.1:6161

  The AgentX port option ('-x') works in much the same way.



The agent is complaining about 'snmpd.conf'.  Where is this?
-----------------------------------------------------------

  It doesn't exist in the distribution as shipped.  You need to
  create it to reflect your local requirement.
    To get started, you can either just create this file manually,
  or run snmpconf to help you create one.  At the very least, you
  will need some form of access control configuration, if the agent
  is to be of any use whatsoever.  This can be as simple as:

       rocommunity public

    See the snmpd.conf(5) manual page or relevant entries in this
  FAQ for further details.



Why does the agent complain about 'no access control information'?
-----------------------------------------------------------------

  Although an SNMP agent may support a wide range of management
  information, it is not necessarily appropriate to report the whole
  of this to every SNMP management station who asks for it.  Some
  information may be sensitive, and should restricted to authorized
  administrators only.   SNMP therefore includes mechanisms for
  controlling who has access to what information - both in terms of
  what can be seen, and (even more importantly) what can be changed.

  By default, the Net-SNMP agent starts up with a completely empty
  access control configuration.  This means that *no* SNMP request
  would be successful.  It is necessary to explicitly configure
  suitable access control settings, based on who should be granted
  access in that particular environment.

  If there are no access control entries configured (perhaps because
  no snmpd.conf configuration file has been loaded, or it contains no
  access control settings), then the agent will not respond to any
  SNMP requests whatsoever.  This is almost certainly not what was
  intended, so the agent reports this situation.

  See the next entry for how to configure access control settings.



How do I configure access control?
---------------------------------

    The simplest way is to use the configure directives:

		rocommunity public	(for SNMPv1/2c)
		rwcommunity private
  or
		rouser user1		(for SNMPv3)
		rwuser user2

  These specify the community names or security names to accept for
  read-only and read-write access to the whole of the supported MIB tree.
  (Obviously you should change these names to match your requirements -
  which is a particularly good idea in the case of 'rwcommunity'!)

  Note that you should *not* specify the same community name for both
  rocommunity and rwcommunity directives.  The rwcommunity setting
  automatically provides read access, and having both lines (with the
  same community name) may result in unexpected behaviour.
  Only use both settings when specifying *different* community names.
    The same holds true for rouser and rwuser.

  The two community directives can be restricted to only allow requests
  from particular sources, and all four can be restricted to a particular
  subtrees or (from v5.3) a named view.  See 'snmpd.conf(5)' for details.



How do I configure SNMPv3 users?
-------------------------------

  There are three ways to configure SNMPv3 users:

  1) Stop the agent, and add the line

	createUser {myUser} MD5 {myPassword} DES

    to the file /var/net-snmp/snmpd.conf (where {myUser} and
    {myPassword} are the appropriate values for username and password,
    _without_ the braces!).  Then re-start the snmpd agent.

  2) Stop the agent, run the command

        net-snmp-config --create-snmpv3-user

     and follow the prompts given.  This will create an entry
     in the /var/net-snmp/snmpd.conf file similar to the above.
     Then re-start the snmpd agent.

  3) Make sure the agent is running, and will respond to an SNMPv3
     request (using an existing user with the desired authentication
     and privacy protocols).  Then use the 'snmpusm' command to clone
     this template user, and change the password.


  See the access control entries above and the file 'README.snmpv3'
  for more details about how to use SNMPv3 users,

  Note that simply having a 'rouser' or 'rwuser' line does *not*
  automatically create the corresponding SNMPv3 user.  You will need
  the above 'createUser' line (or an equivalent 'usmUser') as well.



The 'createUser' line disappears when I start the agent.  Why?
-------------------------------------------------------------

  This is deliberate.

  The agent removes the (human-readable) 'createUser' directive, and
  replaces it with an equivalent 'usmUser' entry.  This contains the
  same information, but in a form that's only meaningful internally.
  Not only is the passphrase no longer visible in the config file, it
  has actually been converted to a key that is only valid on this
  particular system.  If someone stole the configuration file, they
  could not use the information from the usmUser entry to access any
  of your other agents (even if the usernames and passwords were the same).



What's the difference between /var/net-snmp and /usr/local/share/snmp?
---------------------------------------------------------------------

    The /var/net-snmp location is primarily used for information set
  during the running of the agent, which needs to be persistent between
  one run of the agent and the next.   Apart from "createUser" (see
  the previous entry), you shouldn't need to touch this file.

  All other user-provided configuration should go in the traditional
  location (typically /usr/local/share/snmp/snmpd.conf or /etc/snmp).



My new agent is ignoring the old snmpd.conf file. Why?
-----------------------------------------------------

    The most likely explanation is that the new version of the agent is
  looking in a different location than the previous one.  This is commonly
  experienced when replacing a ready-installed version (e.g. from a vendor
  distribution), with the current release installed from the source.

  Try moving the old config file to the new location, and restart the agent.
  If you're not sure where this should go, see the next entry.



Where should the snmpd.conf file go?
-----------------------------------

    The default location for this file with the basic distribution is
  /usr/local/share/snmp/snmpd.conf (or PREFIX/share/snmp/snmpd.conf).
  Ready-installed versions often look for the file as /etc/snmpd.conf,
  or /etc/snmp/snmpd.conf.

  If you are still not sure, try running the command

      snmpd -f -Le -Dread_config 2>&1 | grep "config path"

  The first line of output will display the list of locations where
  the agent is looking for configuration information.



Why am I getting "Connection refused"?
-------------------------------------

    This is actually nothing to do with the access control mechanism
  (though that's an understandable mistake).  This is the result of
  the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny'
  to control access to the service.  Some distributions may come with
  this enabled automatically - otherwise you need to explicitly activate
  this by running
         configure --with-libwrap
  and recompiling the agent.

  If TCP wrappers are enabled, and both hosts.allow and hosts.deny are
  empty, then all requests will be rejected (with "Connection refused").
  The simplest way to avoid this problem and allow incoming requests is
  to add the line

		snmpd: ALL

  to the file /etc/hosts.allow.  Be aware that doing this removes one
  level of protection and allows anyone to try and query your agent.
  The agent's own access control mechanisms can still be used to restrict
  what - if anything - they can see.

  If you do wish to use the TCP wrappers to restrict access, it's sensible
  to have an explicit entry:

		snmpd: ALL

  in the file /etc/hosts.deny, which makes it crystal clear that access
  to the SNMP agent has been denied.  This mechanism can also be used to
  restrict access to specific management hosts, using a hosts.deny entry
  such as:

		snmpd: ALL EXCEPT 127.

  which will allow connections from localhost, and nothing else.

  Note that personal firewalls, such as the Linux iptables mechanism,
  may have a similar effect (though typically this won't be logged).
  See the earlier entry
    Requests always seem to timeout, and don't give me anything back.  Why?


 
Why can't I see values in the UCDavis 'proc' or 'disk' trees?
------------------------------------------------------------------

  Both these trees are designed to report precisely those things that
  have been explicitly configured for monitoring.  If there are no
  relevant configuration entries in the snmpd.conf file, then these
  tables will be empty.  See the snmpd.conf manual page and the
  EXAMPLE.conf file for details on configuring the agent.

  Optionally, run snmpconf -g monitoring to help you set up this
  section of the snmpd.conf file.



Why can't I see values in the UCDavis 'memory' or 'vmstat' trees?
----------------------------------------------------------------

  These trees do not need any explicit configuration, and should
  be present automatically.

  However the C code necessary to implement these particular MIB
  modules are not supported on all operating systems.  These trees
  will be omitted on any system for which there is no underlying
  code.   Currently, they are only supported on Linux, HP-UX (memory
  only), Solaris, BSDi (vmstat on BSDi4 only), Dynix, FreeBSD, NetBSD
  and OpenBSD.
    If you want to help port it to other systems, let us know.

  Note that these subtrees only report the current usage when
  explicitly queried.  They do *not* automatically generate traps
  when the usage strays outside the configured bounds.
  See the earlier FAQ entry
    What traps are sent by the agent?
  or the snmpd.conf section on active monitoring, for more information.



What do the CPU statistics mean - is this the load average?
----------------------------------------------------------

  No.  Unfortunately, the original definition of the various CPU
  statistics was a little vague.  It referred to a "percentage",
  without specifying what period this should be calculated over.
  It was therefore implemented slightly differently on different
  architectures.

  The 5.4 release has clarified the situation, and standardised on
  calculating these percentages over a minute.  The relevant MIB
  descriptions have been updated to make the desired behaviour
  more explicit.

  The Net-SNMP agent also includes "raw counters", which can be used
  to calculate the percentage usage over any desired period.  This is
  the "right" way to handle things in the SNMP model.  The original
  percentage objects have been deprecated, and may possibly be removed
  in a future release of the agent.

    Note that this is different from the Unix load average, which is
  available via the loadTable, and is supported on all architectures.



How do I get percentage CPU utilization using ssCpuRawIdle?
-----------------------------------------------------------

  This one of the "raw counters" mentioned in the previous entry.
  You need to take two readings of this object and look at the
  difference between them.  That difference divided by the total
  number of 'ticks' between the two readings (where one tick is
  probably 0.01 seconds) will give you the percentage utilization
  over that period.



What about multi-processor systems?
----------------------------------

  The CPU objects (both percentages and raw counters) were designed to
  monitor the overall CPU activity of a system, and typically reflect
  whatever the underlying operating system reports for the (single)
  CPU statistics information.  How these are handled for a multi-CPU
  system will differ from one O/S to another, and will need
  to be investigated for each system individually.

  The htProcessorTable was designed to handle monitoring multi-CPU
  machines, but the Net-SNMP implementation has up to now treated
  most systems (with the honourable exception of Solaris, and more
  recently Linux) as implicitly single-CPU.

  With the 5.4 release, there is now a cleaner framework for reporting
  on multi-CPU equipment, and it is hoped that an increasing number
  of systems will be able to report suitable processor information.
  Also with the 5.4 release, for the first time the agent will report
  the hrProcessorLoad value properly, which should provide some simple
  per-CPU statistics.



The speed/type of my network interfaces is wrong - how can I fix it?
-------------------------------------------------------------------

    Some operating systems will provide a mechanism for determining
  the speed and type of network interfaces, but many do not.  In such
  cases, the agent attempts to guess the most appropriate values,
  usually based on the name of the interface.

  The snmpd.conf directive "interface" allows you to override these
  guessed values, and provide alternative values for the name, type
  and speed of a particular interface.  This is particularly useful
  for fast-ethernet, or dial-up interfaces, where the speed cannot be
  guessed from the name.

    See the snmpd.conf(5) man page for details.
  


The interface statistics for my subinterfaces are all zero - why?
----------------------------------------------------------------

    Unfortunately, most kernels that support multiple logical
  interfaces on a single physical interface, don't keep separate
  statistics for each of these.  They simply report the overall
  statistics for the physical interface itself.

    There's no easy way around this problem - the agent can only
  report such information as is available.  If the kernel doesn't
  keep track of these figures, the agent can't report them.

    Sorry!



Does the agent support the RMON-MIB?
-----------------------------------

    Not really.

    There is an "Rmon" code module included within the agent source
  code tree, but this is best thought of as a template for the
  RMON-MIB statistics groups, rather than a full implementation.

    With most MIBs, the hardest part of implementing the MIB is often
  getting hold of the data to report.  This is definitely true of the
  RMON-MIB, which relies on gathering (and analysing) a potentially
  large quantity of network traffic.   The Rmon code distributed with
  the Net-SNMP agent code avoids this problem, by using random data.

    Some of the functionality of the RMON-MIB, such as the alarm and
  event groups, has since been superseded by the work of the DisMan
  IETF working group.  The Net-SNMP agent does implement these (more
  general) MIB modules.  But the statistics gathering aspects of
  the RMON-MIB are not readily available.

    Note too that none of the core developers have any significant
  experience with this code, and the person who originally wrote it
  is no longer active on the mailing lists.  So there's no point in
  asking on the lists whether these modules work or not.  You've got
  the source - how badly do you need this functionality?



What does "klread:  bad address" mean?
-------------------------------------

  This means that the agent was unable to extract some of the
  necessary information from the kernel structures.  This is
  possibly due to:
	- either looking in the wrong place for kernel information
		(check the value of KERNEL_LOC)
	- an error in the implementation of part of the MIB tree
		for that architecture.  Try and identify which
		OID is generating the error, and contact the
		list 'net-snmp-coders@lists.sourceforge.net'
		Remember to tell us what architecture you have!



What does "nlist err:  wombat not found" (or similar) mean?
----------------------------------------------------------

  This means that the agent wasn't able to locate one of the
  kernel structures it was looking for.  This may or may not
  be important - some systems provide alternative mechanisms
  for obtaining the necessary information - Solaris, for example,
  can produce a whole slew of such messages, but still provide
  the correct information.
    This error only occurs if you have used the flag
  '--enable-debugging' as part of the initial configuration.
  Reconfigure the agent with '--disable-debugging' and these
  messages will disappear.  (It won't fix the underlying problem,
  but at least you won't be nagged about it).



What does "Can't open /dev/kmem" mean?
-------------------------------------

  This device is normally restricted to just being accessible by root
  (or possibly by a special group such as 'kmem' or 'sys').  The agent
  must be able to read this device to obtain the necessary information
  about the running system.
    Check that the agent was started by root, and is running with UID 0
  (or suitable GID if appropriate).  The agent will normally continue
  to run without this level of access permission, but won't be able to
  report values for many of the variables (particularly those relating
  to network statistics).

 

The system uptime (sysUpTime) returned is wrong!
-----------------------------------------------

  Oh no it's not.
  The defined meaning of 'sysUpTime' is
	"the time ... since the *network management*
	 portion of the system was re-initialized."

  In other words, when the snmp agent was started, not when the
  system itself last booted.  This latter information is available
  in the Host Resources MIB as "hrSystemUpTime.0"
  Note that even if the full Host Resources is not supported on
  your system, it's worth configuring in the system portion using

		'--with-mib-modules=host/hr_system'

  and recompiling.  This particular group is reasonably likely to work,
  even if some of the other more architecture-specific groups don't.



Can the agent run multi-threaded?
--------------------------------

  Short answer - no.
  Longer answer - not easily.

  Net-SNMP within a single thread of an threaded application is fine,
  as long as *all* snmp code is kept within the same thread. This lets
  you add SNMP support to an existing threaded application.

  If you are concerned with the time taken for to process requests for
  a particular agent, object or subtree, and you want the agent to
  continue to respond to other requests in the meantime, there are
  two options.

  The first method is using AgentX sub-agents. If you have several
  tables, each implemented by a separate subagent, then a single
  request for entries from each of the tables will be processed
  in parallel (and the agent will continue to respond to other
  requests while it waits for the subagents to return the necessary
  information).  But a request for several objects from the same
  table will be passed off to the relevant subagent, where it will
  (normally) be processed serially.

  The second method is to use delegated requests + IPC to another
  process.  If takes a long time to retrieve a value for a given object,
  then the object handler could do whatever necessary to start or
  communicate with another (non-SNMP) process/thread to actually
  retrieve the value, and mark the request as delegated.
    The main agent (or subagent) can then receive and process other
  requests while waiting for the delegated request to finish.
  Dealing with resource contention is all up to you.

  All of this only applies to the GET family of requests.  A SET
  request will block until all pending GET requests have finished,
  and then will not accept new requests until the SET is complete.

  Adding full multi-thread support directly to the agent would be
  nice.  We just need someone with time/money to do/sponsor the work.



Can I use AgentX (or an embedded SNMP agent) in a threaded application?
-----------------------------------------------------------------------

  With care.

  As mentioned in the earlier "thread-safe" FAQ entry, the Net-SNMP
  agent (including the AgentX subagent) has not been designed for
  threaded operation.  In particular, it makes use of various global
  variables without attempting to protect them against simultaneous
  use.  This means that it is *NOT* safe to have SNMP or AgentX
  related processing in two separate threads.  This also applies to
  handling GET (and SET) processing in one thread, and generating traps
  in another.  This is still vulnerable to the usual threading problems.

    However, as long as *all* of the SNMP-related activity is limited
  to the one thread, then there should be no reason why this cannot
  safely communicate with other threads within the same application,
  using private (thread-safe) mechanisms.

    But in terms of the Net-SNMP-provided code, the agent (and AgentX
  subagent) should *not* be regarded as thread-safe.



COMPILING
=========

How do I control the environment used to compile the software?
-------------------------------------------------------------

  The basic mechanism for compiling the Net-SNMP project software is to
  run "configure", followed by "make" (to compile it), "make test" (to
  check that it's working properly) and then "make install" (to install
  the files into the correct locations - which typicalyl needs to be done
  as root.

  The primary role of "configure" is to determines various aspects about
  the system that the software is being compiled on.  However there are
  also a number of options to configure which can be used to control
  various aspects of the compilation environment.

  The most common options are "--with-mib-modules" and "--with-out-mib-modules"
  which control the set of MIB module code files that are included within
  the agent binary.  Adding or removing these modules will affect what MIB
  information the agent can return.
     See the entry "How do I add a MIB to the agent?" for more details.

  
  The configure script can also specify the compiler to use for compiling
  the source code  (e.g. "configure --with-cc=cc"), the flags passed to
  this compiler (e.g. "configure --with-cflags=-g"), or to the linker
  (e.g. "configure --with-ldflags=-Bstatic"), and various other aspects of
  the build environment.
     Run "configure --help" for a full list.
 


How do I control the environment used to compile the software under Windows?
---------------------------------------------------------------------------

  If you are compiling the project within the MinGW or Cygwin environments,
  then these use the same "configure" mechanism as Unix-based systems.  See
  the previous entry for more information.

  If you are compiling the project from within Visual Studio, then this does
  not use the standard configure mechanism.  Instead, there is a separate
  "Configure" script within the 'win32' directory.  This can be used enable
  or disable various aspects of the build environment, such as support for
  encryption or IPv6.
    Run "Configure --help" for more information

  Note that this script does not include an equivalent of "--with-mib-modules"
  for extending the MIB information supported by the agent.  Instead, this
  needs to be done by tweaking the build environment manually.  See the file
  README.win32 for more details of this, and various other aspects of building
  the project on Windows systems.



Why does the compilation complain about missing libraries?
---------------------------------------------------------

  This has been seen in a number of guises over the years - most commonly
  on Linux systems (although the problem may also occur elsewhere).  The
  underlying problem is that typical installation may not always include
  the full set of library links required for building the Net-SNMP software.

  This problem can usually be fixed by installing the missing packages
  (typically the development version of a package that is already there).

  Examples of this that we have come across include:

     -lelf       elfutils-devel      (later renamed to elfutils-libelf-devel)
     -lbz2       bzip2-devel
     -lselinux   libselinux-devel
     -lcrypto    openssl/openssl-devel
     -lbeecrypt  libbeecrypt/beecrypt/beecrypt-devel.

  These are the names of the RedHat/Fedora RPMs.  Other distributions
  or O/S's may use different names, but the basic idea should be the
  same.

  If the compilation is complaining about a missing .so file, then an
  alternative quick fix is to add the missing symbolic link, using
  something like:
          ln -s libelf.so.1 /usr/lib/libelf.so

  giving the appropriate generic library name from the error message,
  and the correct number for whichever version of this library you
  have installed.

  If the compilation is complaining about a .la file, then you should
  install the relevant development package, as listed above.



How can I reduce the memory footprint?
--------------------------------------

  In order to reduce the memory footprint (for instance, to
  embed the snmpd into a device), the following configure options
  could be used.

  '--disable-debugging'
     This turns off the compilation of all debugging statements.

  '--enable-mini-agent' '--with-out-mib-modules=examples/ucdDemoPublic'
     This creates an agent with just the essential MIB modules included.
     NOTE: If you need additional MIB modules, then simply add them
     using the option '--with-mib-modules=...' but this will of course
     increase the memory footprint.

  '--with-transports=UDP'
     This option specifies the transport domains to include.
     For a simple standalone agent, just UDP should be sufficient.
     (Although the 'disman' and 'agentx' modules may require the
      Callback, TCP and/or Unix transport domains as well).

   '--without-kmem-usage'
     This can be used in order to omit the code that operates on the
     /dev/kmem interface. Clearly, this option cannot be used when
     one of the configured MIB modules depends on it.

   '--with-mibdirs=' and '--with-mibs='
     These options tell the agent not to load any MIB modules. 
     This doesn't affect the size of libraries or application
     binaries, but will reduce the memory footprint during runtime.

   '--disable-mib-loading'
     This can be used in order to omit the code that loads and
     parses the MIB files altogether.  This will reduce both the
     runtime memory footprint, and the binary sizes.

  Once the agent (snmpd) has been linked, you might also try running
  'strip snmpd' to remove un-necessary debug/symbol information.



How can I reduce the installation footprint or speed up compilation?
-------------------------------------------------------------------

  The following configure options may also be useful:
                                                                                
  --disable-agent                 Do not build the agent (snmpd).
  --disable-applications          Do not build the apps (snmpget, ...).
  --disable-manuals               Do not install the manuals.
  --disable-scripts               Do not install the scripts (mib2c, ...).
  --disable-mibs                  Do not install the mib files.
  --disable-mib-loading           Do not include code that parses and
                                  manipulates the mib files.



How can I compile the project for use on an embedded system?
-----------------------------------------------------------

  Although this is definitely a Frequently Asked Question on the project
  mailing lists, it hasn't really been a Frequently _Answered_ Question.
  The basic problem is that none of the core development team have much
  involvement or experience with embedded systems.  And although we have
  repeatedly put out a plea for implementation reports and advice, this
  has not so far been particularly successful.  So the first thing to say
  is that the following suggestions should be treated with a greater than
  usual level of suspicion.

  The second thing to say is that compiling the Net-SNMP project for use
  on an embedded system typically means compiling the *agent* (rather than
  the trap receiver, or command-line tools).  So that is what this entry
  will concentrate on.

  There are three main aspects to consider:
     - how to compile the code,
     - *what* code to compile, and
     - how to install the resulting agent binary.

  The Net-SNMP project uses the standard "configure" mechanism, so the
  usual cross-compilation options are available - in particular "--host"
  and "--target".  It is also possible to specify the compiler and linker
  to use ("--with-cc" and "--with-ld"), and any special flags to pass
  to them ("--with-cflags" and "--with-ldflags").   There shouldn't be
  anything particularly special about compiling the Net-SNMP code, so
  see the documentation for your target environment for more information.
  (And please let us know if there *is* anything special that should be
  mentioned here!)

  If the aim is simply to generate an SNMP agent to run on the target
  system, it's probably not necessary to compile the command-line tools
  or trap receiver.  The configure option "--disable-applications" will
  omit these elements.  See the previous entry for other potentially
  relevant useful options.

  Unfortunately, the SNMP agent (and in particular, the code for individual
  MIB modules) is the most system-specific part of the Net-SNMP software.
  It may prove necessary to disable particular MIB modules if they do not
  compile successfully, or attempt to use the wrong system-specific APIs.
  This can be done using the configure option "--with-out-mib-modules".
  Alternatively, the option "--enable-mini-agent" will omit all but the
  core MIB module code.  Additional modules can then be added individually
  using "--with-mib-modules".

  Further information about how to deal with problems with individual MIB
  modules is reliant on suitable reports being forthcoming from the wider
  Net-SNMP community.  The ball is in your court!

  Finally, installing the agent binary is _not_ simply a matter of copying
  the "snmpd" file onto the target system.  The agent typically relies on
  a number of additional libraries (and possibly the presence of assorted
  MIB files, unless this has been explicitly omitted).  It is normally
  necessary to run "make install", before copying the installed framework
  to the target system.

  If the install destination needs to be different to the eventual location
  on the target system, this can be handled using the configure options
  "--prefix" (for the target location) and "--with-install-prefix" (for the
  temporary install location).  Alternatively, this can be handled as part
  of the install command:
       make install prefix={target location} INSTALL_PREFIX={temp location}

  Alternatively, if the agent is compiled with static linking (and no MIB
  files), then it may be possible to simply copy the agent binary across to
  the target system.  See the next entry for details.


  
How can I compile the project to use static linking?
---------------------------------------------------

  For totally static net-snmp executables, use
	configure --with-ldflags=-Bstatic

  To compile your application with static libraries (eg for easier
  debugging), and to link to a non-installed build directory, try the
  following Makefile fragment:
                                                                                
     NETSNMPDIR=/usr/local/build/snmp/full-clean-cvs-V5-1-patches
     NETSNMPCONFIG=$(NETSNMPDIR)/net-snmp-config

     NETSNMPBASECFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags)
     NETSNMPINCLUDES := $(shell $(NETSNMPCONFIG) --build-includes $(NETSNMPDIR))
     # base flags after build/src include, in case it has /usr/local/include
     NETSNMPCFLAGS=$(NETSNMPINCLUDES) $(NETSNMPBASECFLAGS)

     NETSNMPBASELIBS := $(shell $(NETSNMPCONFIG) --base-agent-libs)
     NETSNMPEXTLIBS := $(shell $(NETSNMPCONFIG) --external-agent-libs)
     NETSNMPLIBDIRS := $(shell $(NETSNMPCONFIG) --build-lib-dirs $(NETSNMPDIR))
     NETSNMPLIBDEPS := $(shell $(NETSNMPCONFIG) --build-lib-deps $(NETSNMPDIR))
     LIB_DEPS=$(NETSNMPLIBDEPS)
     LIBS=$(NETSNMPLIBDIRS) -Wl,-Bstatic $(NETSNMPBASELIBS) -Wl,-Bdynamic $(NETSNMPEXTLIBS)

     STRICT_FLAGS = -Wall -Wstrict-prototypes
     CFLAGS=-I. $(NETSNMPCFLAGS) $(STRICT_FLAGS)
                                                                                
  This replaces the standard Makefile section, which will used installed
  libraries:
                                                                                
     NETSNMPCONFIG=net-snmp-config
                                                                                
     # uncomment this if you have GNU make
     #NETSNMPCFLAGS := $(shell $(NETSNMPCONFIG) --base-cflags)
     #NETSNMPLIBS := $(shell $(NETSNMPCONFIG) --agent-libs)
     NETSNMPCFLAGS=`$(NETSNMPCONFIG) --base-cflags`
     NETSNMPLIBS=`$(NETSNMPCONFIG) --agent-libs`

     LIBS=$(NETSNMPLIBS)



Why does 'make test' skip various tests?
---------------------------------------

  Some of the tests are only relevant to particular operating systems,
  or rely on specific areas of functionality.  The test framework will
  check whether the relevant elements are available before running the
  relevant tests, and will skip them if these modules have been omitted
  from the build environment (or do not apply to the current system).

  One example of this are the tests T053agentv1trap, T054agentv2ctrap,
  T055agentv1mintrap, T056agentv2cmintrap and T113agentxtrap,  which
  rely upon functionality from the NET-SNMP-EXAMPLES-MIB implementation.
  This module is not included in the default agent configuration, so the
  test framework will skip these tests.
    To include them, run
        "configure --with-mib-modules=examples/example"
  and re-compile.



Why does 'make test' complain about a pid file?
-----------------------------------------------

    Typically it says something like:

    cat:  cannot open /tmp/snmp-test-1-8694/*pid*

    It's trying to tell you the port is blocked - typically because
  another copy of the agent is still running, left over from from a
  previous testing run.

  If you type 'ps -ef' you should notice an orphaned process like:

  snmpd -d -r -U -P /tmp/snmp-test-5-27295/snmpd.pid...

  Kill this process.

  This could be happening for several reasons including:

    1.  You are trying to do concurrent runs of 'make test'.

    2.  On a slow machine, the agent might be taking too long to
      start up. Try changing the value of the variable SNMP_SLEEP
      in testing/RUNTESTS from 1 to something higher - say 3 or 5.



CODING
======

How do I write C code to integrate with the agent?
-------------------------------------------------

  There are three main methods for integrating external C code
  within the agent.  The code can be compiled directly into the
  agent itself, it can be loaded dynamically while the agent is
  running, or it can be compiled into a separate application
  (a "subagent") which communicates with the main master agent.
  All three approaches have been touched on elsewhere within this FAQ.

    As far as the module code is concerned, all three mechanisms
  use exactly the same module API.  So a module developed for use
  directly within the agent, could also be included within a subagent,
  or loaded dynamically with no (or minimal) code changes needed.

    Most of this section is concerned with more detailed aspects
  of developing such code - including the 'mib2c' tool, which can
  handle generating a basic code framework for implementing a
  given set of MIB objects.



How does the agent fetch the value of a MIB variable from the system?
--------------------------------------------------------------------

  That's typically the hardest bit of implementing a new MIB module,
  and is the one thing that 'mib2c' can't help with.  It very much
  depends on the MIB variable concerned (and often the underlying
  operating system as well).

  Relatively few MIB modules are completely self-contained, with all
  the information held internally within the agent, and all updates
  being done via SNMP requests.  Such MIB modules can be implemented
  fairly easily.

  More commonly, the agent needs to provide an SNMP-based interface to
  information held elsewhere, perhaps in the operating system kernel or
  some other application.  Handling this is much more complex - since
  a lot depends on what mechanisms are provided for retrieving (and
  possibly updating) this information.  The mib2c tool can generate code
  for processing SNMP requests, based on some internal cache of management
  information, but it cannot help with populating this cache with the
  underlying data.  That is up to the MIB implementer.

  See the existing MIB modules in the Net-SNMP source tree for various
  examples of assorted approaches to this task.



Mib2c complains about a missing "mib reference" - what does this mean?
---------------------------------------------------------------------

    This basically means that it hasn't loaded the MIB file containing
  the definition of the MIB subtree you're trying to implement.  This
  might be because it hasn't been installed, the name is wrong, or
  (most likely), because it isn't in the default list.  See the MIBS
  section for more details, or the next entry for suitable invocations
  of 'mib2c'.



Mib2c complains about not having a "valid OID" - what does this mean?
---------------------------------------------------------------------

    This probably means that you gave it the name of a MIB file (or
  module), rather than the name of an object defined in that file.
  Mib2c expects the name of a 'root' object, and will generate a
  template for the sub-tree starting from there.

    If you've got a file 'MY-MIB.txt', defining the MIB module
  'MY-MIB' which contains a subtree based on the object 'myMib',
  then you should invoke mib2c as
            "mib2c .... myMib"
  rather than
            "mib2c .... MY-MIB.txt"
  or        "mib2c .... MY-MIB"

    Note that you'll probably also have to add your MIB to the list of
  MIBs that are loaded automatically, in order for mib2c to recognise
  the name of this object.  So the command would typically be
            "MIBS=+MY-MIB mib2c .... myMib"
  or        "MIBS=ALL     mib2c .... myMib"



Why doesn't mib2c like the MIB file I'm giving it?
-------------------------------------------------

  This is most likely the same problem as the previous entry.  Mib2c
  takes the name of a MIB _object_, not the name of a file (or MIB
  module).  Try using the name of the MODULE-IDENTITY definition.

    Another possibility is that the MIB may contain syntax errors.
  Try running it through 'snmptranslate' or a dedicated SMI
  validation tool (such as 'smilint' or the on-line interface at
  http://wwwsnmp.cs.utwente.nl/ietf/mibs/validate/)



Mib2c ignores my MIB and generates a pair of 'mib-2' code files.  Why?
---------------------------------------------------------------------

    This is usually a sign of the same problem as the previous entries,
  giving mib2c the name of the file containing the MIB (or of the MIB
  itself), rather than an object within it.

  Earlier versions of mib2c didn't detect this situation, and merrily
  constructed a template for a default starting point of the mib-2 node.

  More recent versions complain about not having a valid OID instead.



What's the difference between the various mib2c configuration files?
-------------------------------------------------------------------

    Most of the mib2c config files are concerned with implementing
  MIB tables, and generate various alternative code templates.
  These basically fall into four distinct categories.

    'mib2c.raw-table.conf' is the lightest of the templates, and
  just provides a fairly basic table framework.  Most of the work
  of implementing the table - detecting which row is required for a
  given request, retrieving or updating the relevant column values,
  and interacting with the underlying subsystem - are all left to
  the MIB programmer.

    The second group of templates - 'table_data', 'container' and
  'tdata' - all share the same basic model (although the internal
  details are rather different).  The MIB implementer should define a
  data structure to represent a row of the table, and the helper then
  takes care of holding the table internally, as a collection of such
  per-row data structures.  This includes identifying which row is
  required for a given request.  Retrieving or updating the appropriate
  column value is left to the MIB programmer, although the generated
  framework includes most of the necessary code.
    Allied to this is a fourth "internal data" mib2c configuration 
  file ('create-dataset') which handles the individual columns as
  well.  This is the closest to a Plug-and-Play configuration, and
  the MIB implementer only needs to be concerned with any special
  processing, such as linking the table with the underlying subsystem.

    The third style of mib2c config assumes that the table data is
  held externally to the helper - either within the MIB module code
  itself, or in the external subsystem.  The generated code framework
  includes routines to "iterate" through the rows of the table, with
  the iterator helper simply deciding which row is required for a
  particular request.  Once again, the MIB programmer must handle
  retrieving or updating the appropriate column value, although the
  generated framework includes most of the necessary code.
    There is a variant of this config ('iterate_access') which works
  in basically the same way. However this tries to separate out the
  standard processing, from the code that needs to be amended by the
  programmer for retrieving and updating the individual column values.

    This is also the idea behind the final table-oriented mib2c config
  template - 'mib2c.mfd.conf' (or "MIBs for Dummies").  This is a much
  more flexible framework, which can be used with either internally
  held data, or iterating through an external representation.  The
  distinguishing feature of this framework is that it separates out
  standard and table-specific processing, at a much finer level of
  detail than the others.


    The other mib2c config templates are concerned with implementing
  scalar objects ('scalar', 'int_watch'), code to generating traps
  ('notify'), and various specialised requirements.  There is also a
  template ('old-api') to generate code suitable for the previous v4
  UCD agent - though this is not particularly complete or reliable.
  It's probably better to use a pure v4 mib2c environment (or switch
  wholeheartedly to the v5 style).



Which mib2c configuration file should I use?
-------------------------------------------

    The answer to that heavily depends on the characteristics of the
  MIB objects being implemented.  Of the handler-based table frameworks,
  'tdata' is more appropriate for tables that can be stored (or a copy
  cached) within the agent itself, while 'iterate' is more relevant to
  reporting data from outside the agent.
    The raw interface is only suitable in very specific circumstances,
  so it's probably sensible to start with one of the other frameworks
  first, and only look at this if none of the alternatives seem to work.

    The decision between the handler-based configs and MfD is more a
  matter of the style of programming to use.  Most of the frameworks
  define a single handler routine to process an incoming request, so
  all of the code is listed together, with the MIB programmer inserting
  table-specific processing into this single block of code.
    The MfD provides a series of individual object-specific routines,
  each concerned with one very specific task, and hides as much as
  possible from the programmer.

    If you like to understand the broad thrust of what's happening,
  then one of the handler-based approaches would be the best choice.
  If you prefer to concentrate on the nitty-gritty of a given table,
  and are happy to trust that the rest of the processing will work
  correctly, then the MfD framework would be more appropriate.

    For implementing a group of scalar objects, then the choice is
  simple - use 'mib2c.scalar.conf'.  Similarly, for generating traps
  or informs, use 'mib2c.notify.conf'.  But note that this only assists
  with the code to actually generate the trap.  It does not address the
  issue of _when_ to send the trap.  See the FAQ entry "How can I get
  the agent to generate a trap?" for more information.



How can I have mib2c generate code for both scalars and tables?
--------------------------------------------------------------

    This uses a very powerful tool called a "text editor" :-)

    The mib2c tool uses separate configuration files to generate code
  for scalar objects, and for tables.  This means that it's not possible
  to automatically generate a single code file that supports both scalars
  and tables.

    Instead, the two code files need to be generated separately, and
  then combined manually.  This will typically mean copying the handler
  routines for the scalar object(s) into the table file, and adding the
  code to register these handler(s) to the table initialisation routine.



Are there any examples, or documentation for developing MIB modules?
-------------------------------------------------------------------

    Many of the MIB modules shipped with the Net-SNMP agent still
  use the v4 "traditional" MIB module API, but an increasing number
  use one of the newer v5 helper-based handlers.  All of these can
  be found under 'agent/mibgroup'

    The 'tdata' helper is used in the new DisMan Event, Expression
  and Schedule MIB modules (see 'disman/{event,expr,schedule}/*').
  The similar 'dataset' helper is used in the older DisMan Event
  MIB implementation (see 'disman/mteEvent*') and the Notification
  Log MIB (see 'notification-log-mib/*'), used by 'snmptrapd' to
  log incoming traps.
 
    The basic iterator handler is used in the TCP and UDP table
  implementations (mibII/tcpTable & mibII/udpTable), VACM context
  handling (mibII/vacm_context) and various tables relating to agent
  internals (agent/*).  These show a number of different approaches
  to using the iterator helper, so it's worth comparing them.

    The two examples/netSnmpHostsTable* modules provide a contrast
  between the iterator and iterator_access helpers.

    There are several examples based on the MfD framework (see
  '{if,ip,tcp,udp}-mib/').  Much of this code is not intended to
  be viewed directly, but individual files are clearly commented
  to distinguish between internal implementation and public code.

    The Net-SNMP agent does not currently include any MIB modules
  using the array-user container-based helper.  The best examples
  of this are to be found in the net-policy project.
  See http://net-policy.sourceforge.net/



Where should I put the files produced by 'mib2c'?
------------------------------------------------

  If you're using the main source tree to compile your new module, then
  put these two files (mymib.[ch]) in the directory 'agent/mibgroup'.
  You should then re-run configure to add in your new module
        configure --with-mib-modules=mymib
  and recompile.

    If you've got a number of new modules to add, it might be
  sensible to put them all into a single subdirectory of 'mibgroup'.
  Then create a header file, listing the individual components.
  This might look something like:

		config_require(mymib/myObjects)
		config_require(mymib/myTable)
		config_require(mymib/myOtherTable)

  If this was saved as the file 'mymib.h', then the same configure
  line given above, would pull in all three modules.  See the current
  contents of 'agent/mibgroup' for examples of this.  Note that the
  MfD framework will generate a similar grouping automatically.



Why doesn't my new MIB module report anything?
---------------------------------------------

    There are probably four main reasons why a new MIB module isn't working.
  Either it hasn't been included in the running agent,  the code is present
  but hasn't been initialised,  the module has been initialised but the
  handler isn't being called, or there's a problem with the module code itself.

  To check whether the code files are being compiled, the easiest approach is
  simply to look at the directory where the code is located.  When the agent is
  compiled, this should produce .o files (and probably .lo files) corresponding
  to the C code files for this module.  Alternatively, run 'nm' (or 'strings')
  on the MIB module library (libnetsnmpmibs), and look for the names of the
  initialisation routines or handlers (or the text of any messages displayed by
  the module code).

  One other thing to check is whether you have multiple copies of the software
  installed on the system.  This is a particular problem when compiling from
  source (to include your new module), without first removing any vendor-supplied
  version of the agent (which won't include this new code).


  Assuming that you have confirmed that the module code is present in the agent,
  the next step is to check whether the initialisation routine is being called
  to register the MIB objects.  The simplest way to do this is to include a
  suitable debugging statement within the initialisation routine, and start
  the agent with the corresponding '-Dtoken'.  Alternatively, try walking the
  nsModuleName column object, and look for mention of the new MIB module.


  Assuming the module has been registered, the next step is to check whether
  the handler is being called, when the agent receives a suitable SNMP request.
  Again, the simplest way to do this is to include debugging statements within
  the handler routine, and start the agent with the corresponding '-Dtoken'.
  Then issue an "snmpget" request for an instance within the new MIB module.
  (This command is preferable to the usual "snmpwalk" command, as it is more
  closely focused on the MIB module in question).

  If this indicates that the handler routine isn't being called, then there are
  two main likely causes.  Firstly, check the access control settings.  If these
  are configured to block access to this portion of the OID tree, then the MIB
  handler will never be called.  Secondly, several of the table helpers are
  designed to know which rows of the table are valid, and will call the main
  MIB handler with information about the relevant row.  If the requested row is
  not valid (or the table is empty), then the handler will not be called.


  Finally, if the handler _is_ being called, but is still not returning any
  information, then the cause probably lies with your MIB module code.  In which
  case, it's really up to you to find the problem and fix it!  Either activate
  any debugging code that you have included within the handler routine, or run
  the agent under a source code debugger, and step through the handler processing.
  In either case, it's much easier to debug these problems when processing an
  "snmpget" request, rather than "snmpgetnext" or "snmpwalk".

  Remember that 'mib2c' simply generates template code for your MIB module.
  It's up to you to fill in the details, to report the actual information from
  whatever underlying subsystem is being monitored.   Mib2c cannot help with
  the semantics of the MIB module - it's purely there to provide an initial
  code framework, based on the _syntax_ of the MIB module objects.



Why does the iterator call my get_{first,next} routines so often?
-----------------------------------------------------------------------

    The first thing to realise is that the 'get_first' and 'get_next'
  hook routines are concerned with processing a single SNMP request, not
  with walking the whole table.  A full "snmpwalk" command will typically
  involve a series of individual 'GetNext' requests, and every one of
  these will trigger a separate 'get_first/get_next/get_next/....' cycle.

    It's usually more efficient to use 'snmptable' which will walk
  each column in parallel (as well as displaying the results in a
  more natural manner).

    Secondly, the iterator helper was originally designed to handle
  unsorted data, so will look at every row of the internal table for
  each request.  If the data is actually held in the correct order,
  then it's worth setting the NETSNMP_ITERATOR_FLAG_SORTED flag:
      iinfo = SNMP_MALLOC_TYPEDEF(netsnmp_iterator_info);
      iinfo->flags |= NETSNMP_ITERATOR_FLAG_SORTED;
  This will help the situation somewhat.

    But the iterator helper is inherently a relatively inefficient
  mechanism, and it may be worth looking at one of the other helpers,
  particularly if the data will be held within the agent itself.



How can I get the agent to generate a trap (or inform)?
------------------------------------------------------

    There are two aspects to having the agent generate a trap -
  knowing *how* to do this, and knowing *when* to do so.

    Actually generating a trap is reasonably simple - just call one
  of the trap API routines ('send_easy_trap()' or 'send_v2trap()')
  with the relevant information (generic and specific trap values,
  or a varbind list respectively).

    The 'mib2c.notify.conf' configuration file can be used to
  construct a suitable template routine for generating a trap,
  including building the variable list from the MIB trap
  definition.  These variables can then be given suitable values,
  before invoking the 'send_v2trap()' call to actually send the trap.
  See the 'snmp_trap_api(3)' man page for further details.

    Note that these APIs are only available within the agent (or
  subagents), and are not available to stand-alone applications.
  The code for 'snmptrap' shows an approach to use in such a case.


    Determining *when* to generate the trap (either directly or
  via the mib2c-generated routine) is often harder.  If the trap
  is generated in response to some action within the agent, (e.g.
  as the result of a SET), then this isn't too much of a problem.

    But if the trap is intended to report on a change of status
  (e.g. a network interface going up or down, or a disk filling up),
  then actually detecting this is non-trivial.   Unless the underlying
  system can signal this situation to the agent, then it's typically
  necessary to poll the value(s) on a regular basis, save the results
  and compare them with the new values the next time round.

    The simplest way to handle this is via the DisMan Event MIB,
  which is designed for exactly this purpose.  As long as you can
  specify a MIB object to monitor, and the value or thresholds
  that should trigger a notification, then this module can check
  these values regularly, and automatically send a suitable trap
  when appropriate.  See the 'snmpd.conf(5)' man page (under
  ACTIVE MONITORING) for details.
  
    Otherwise, you'd need to use the routines documented in
  'snmp_alarm(3)' to regularly invoke a monitoring routine. This
  would check the necessary conditions (which need not be MIB
  objects), and call the 'send_xxx_trap()' routine (as generated
  by 'mib2c.notify.conf') when appropriate.



How can I get an AgentX sub-agent to generate a trap (or inform)?
----------------------------------------------------------------

  This is done in exactly the same manner as with the main SNMP agent.
  Calling one of the routines described in 'snmp_trap_api(3)' will cause
  the AgentX sub-agent to send a notification to the master agent, which
  will then pass this on to the configured trap destination(s).
  
  One of the original design aims of the Net-SNMP AgentX support was that
  the agent (or subagent) framework should be transparent to a MIB module
  implementer. The interface between the agent framework and a MIB module
  should be independent of the protocol used to receive the original request.
  So the exact same MIB module code could be used within a traditional
  SNMP-only agent, or an AgentX subagent, with no changes needed.

    This also holds for sending traps.



How can I get the agent to send an SNMPv1 (or SNMPv2c) trap?
-----------------------------------------------------------

    It doesn't make any difference whether you use the v1-style
  API call 'send_easy_trap()' or the v2-style 'send_v2trap()'.
  What matters is the directive(s) in the snmpd.conf file.

    If this file contains 'trapsink', then the agent will send
  an SNMPv1 trap.  If this file contains 'trap2sink', then the
  agent will send an SNMPv2c trap.  And if this file contains
  both, then the agent will send *two* copies of this trap.

  See the entry
     Where are these traps sent to?
  in the AGENT section for details.



How can I get the agent to include varbinds with an SNMPv1 trap?
---------------------------------------------------------------

    There are two ways to do this.  You can either use the
  'send_v2trap()' call and give a varbind list, starting with
  the v2-equivalent of the SNMPv1 trap, followed by the
  additional varbinds.

    Alternatively, you can use the API call 'send_trap_vars()'
  which takes the same generic/specific trap values as
  'send_easy_trap()', plus the list of additional varbinds.

    In either case, you also need to have 'trapsink' in the
  snmpd.conf file.  The resulting trap will be identical,
  whichever approach is used.



How can I get the agent to send an SNMPv1 enterprise-specific trap?
------------------------------------------------------------------

    There are two ways to do this.  You can either use the
  'send_v2trap()' call and give a varbind list, starting
  with the v2-equivalent of the SNMPv1 trap, followed by the
  additional varbinds.

    Alternatively, you can use the (undocumented) API call
  'send_enterprise_trap_vars()' which takes the same parameters
  as 'send_trap_vars()', plus the enterprise OID to use (in the
  usual name/length form).  See the code file 'agent_trap.c'

    In either case, you also need to have 'trapsink' in the
  snmpd.conf file.  The resulting trap will be identical,
  whichever approach is used.



How can I get the agent to send an SNMPv3 trap (or inform)?
----------------------------------------------------------

    It doesn't matter which API call you use to specify the
  trap - 'send_easy_trap()', 'send_v2trap()' or one of the other
  calls mentioned above.  Generating an SNMPv3 notification
  (rather than a community-based one) is controlled by the
  snmpd.conf file.
  
    To send an SNMPv3 trap, this file should contain a
  'snmpsess' directive, specifying the version, security
  level, user name and passphrases (if applicable), as
  well as the destination address.  This is basically
  the same as the command line required for sending the
  trap manually, using 'snmptrap'.

    Note that (unlike 'snmptrap') this directive does *not*
  read default settings from an 'snmp.conf' file, so these
  must be specified explicitly in the 'snmpsess' line.



Why does calling 'send_v2trap' generate an SNMPv1 trap (or vice versa)?
----------------------------------------------------------------------

    The two versions of the trap API calls are concerned with how
  the trap is represented when it is passed *in* to the API, not
  the version of the trap PDU that will actually be generated by
  the agent.  That is determined by the configuration token used
  to set up the trap destination.

    Remember that in general, all traps are sent to all destinations.
  This means that a trap specified using the SNMPv1 trap syntax
  needs to be converted to the SNMPv2 format before it can be sent
  to an SNMPv2 (or SNMPv3) destination.  Similarly, a trap specified
  using the SNMPv2 syntax needs to be converted to the SNMPv1 format
  before it can be sent to an SNMPv1 sink.

    Essentially, the API call to use depends on what you asking for,
  which is not necessarily what the recipients will actually get!
  See 'snmp_trap_api(3)' for a fuller explanation.



How can I register a MIB module in a different (SNMPv3) context?
---------------------------------------------------------------

    Contexts are a mechanism within SNMPv3 (and AgentX) whereby
  an agent can support parallel versions of the same MIB objects,
  referring to different underlying data sets.  By default, a MIB
  module registrations will use the default empty context of "".
  But it's also possible to provide MIB information using a different
  (non-default) context.

    There are three aspects involved in doing this.  Firsly, it's necessary
  to register the MIB module in this non-default context.  With the v4 API,
  this uses the call 'register_mib_context()' rather than the REGISTER_MIB
  macro.  This is significantly more detailed, but most of the additional
  parameters can take fixed values, if all that's needed is to change the
  registration context.

  Instead of the macro call:
        REGISTER_MIB("my_token", my_variables, variable1, my_variables_oid);
  use the function call:
        register_mib_context( "my_token",
                               my_variables, sizeof(variable1),
                               sizeof(my_variables)/sizeof(variable1),
                               my_variables_oid,
                               sizeof(my_variables_oid)/sizeof(oid),
                               DEFAULT_MIB_PRIORITY, 0, 0, NULL,
                               "my_context", -1, 0);

    Things are much easier with the v5 helper-based API.  Having
  created the registration structure, this just requires setting the
  'contextName' field before actually registering the MIB module:
        netsnmp_handler_registration *reg;
        reg = netsnmp_create_handler_registration(.....);
        reg->contextName = strdup("my_context");
        netsnmp_register_handler(reg);


  Secondly, it is necessary to configure the access control settings to allow
  access to information in the new context.  This is handled automatically
  when using the simple "rouser" or "rwuser" directives.  But if access control
  is configured using the fuller com2sec/group/view/access mechanism, then the
  "access" line must specify the appropriate context(s), either explicitly:

	access {group} "my_context" any noauth exact  ......

  or using a single entry to cover all possible contexts:

	access {group} ""           any noauth prefix ......


  Finally, the SNMP request used to retrieve (or update) the information
  must also specify the required context.  With SNMPv3 requests, the context
  is part of the protocol, so this can be done using a command-line option:

      snmpwalk -v 3 -n my_context .....

  With community-based requests (SNMPv1 and SNMPv2c), things aren't so simple.
  Although the "rocommunity" and "rwcommunity" settings also configure access
  for all possible contexts, there's no way to specify a non-default context
  as part of the request.

  The only way to handle non-default contexts with community-based SNMP requests
  is to set up a mapping from the community string to the desired context.  This
  uses the "com2sec" directive, with an additional "-Cn" parameter.   Note that
  this also means that the access control must be configured using the full
  com2sec/group/view/access mechanism.  The short-form access control directives
  do not handle the mapping of community strings to non-default contexts.



MISC
======

What ASN.1 parser is used?
-------------------------

  The parser used by both the agent and client programs is coded by hand.
  This parser has recently been re-vamped to allow control of which of 
  the available MIBs should be included, and to handle duplicate object
  subidentifiers.
    The source code can be found in the snmplib directory (in 'parse.c'),
  and the parser is usually bundled into the library 'libnetsnmp.a'

    Note that the parser attempts to be fairly forgiving of some common
  errors and incompatibilities in MIB files.  The Net-SNMP tools accepting
  a MIB file without complaint does *not* imply that the MIB is strictly
  correct.
    Certain MIBs may need some amendments to allow them to be read
  correctly by the parser.  Contact the coders' list for advice.



What is the Official Slogan of the net-snmp-coders list?
-------------------------------------------------------

  "The current implementation is non-obvious and may need to be improved."
	(with thanks to Rohit Dube)

  And an alternate, added 26-Apr-2000:
  
  "In theory, it shouldn't be that hard, but it just needs to be done."