Develop Reference

IP addressing of the equipment behind the router for SNMP

I am trying to develop a Traps receiver for SNMPv1 and SNMPv2c with OpenVPN. I have used the PURESNMP and PYSNMP libraries with Python. PYSNMP can receive SNMPv1 and SNMPv2c Traps, while PURESNMP only works with SNMPv2c. My project works as follows: the OpenVPN file is loaded into a Router so that it can connect, and several devices are connected behind the Router to be monitored by SNMP.
OpenVPN Router IP: 10.8.0.18,
LAN Router IP: 192.168.2.1
Team A IP: 192.168.2.3
OpenVPN Server IP: 10.8.0.1
Client2 IP: 10.8.0.10
I manage to receive the Traps, but I cannot distinguish where the information comes from, if in the LAN behind the Router how is it possible to identify from which the alarm came. This is the Team's SNMPv1 Trap response:
Agent is listening SNMP Trap on 10.8.0.10 , Port : 162
-------------------------------------------------- ------------------------
SourceIP: ('10.8.0.18', 49181)
----------------------Received new Trap message------------------------ ---
1.3.6.1.2.1.1.3.0 = 910296
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.4.1.1918.2.13.0.700
1.3.6.1.6.3.18.1.3.0 = 10.168.2.3
1.3.6.1.6.3.18.1.4.0 = public
1.3.6.1.6.3.1.1.4.3.0 = 1.3.6.1.4.1.1918.2.13
1.3.6.1.4.1.1918.2.13.10.111.12.0 = 1
1.3.6.1.4.1.1918.2.13.10.111.10.0 = 3
1.3.6.1.4.1.1918.2.13.10.111.11.0 = Digital Input 1
1.3.6.1.4.1.1918.2.13.10.111.14.0 = 4
1.3.6.1.4.1.1918.2.13.10.10.40.0 = System Location
1.3.6.1.4.1.1918.2.13.10.10.50.0 = SiteName
1.3.6.1.4.1.1918.2.13.10.10.60.0 = SiteAddress
1.3.6.1.4.1.1918.2.13.10.111.13.0 = Input D01 Disconnected.
In “IP Source”, a function is used to obtain the source IP, but it shows me the IP of the Router and not of the device that is alarmed. If you look at the third line of the traps, it indicates a source IP that the SNMPV1 protocol itself has incorporated:
1.3.6.1.6.3.18.1.3.0 = 10.168.2.3
But it is not from the device or from the Router, it is as if the Router's network segment had been mixed with the device's hots segment. This is the response when receiving SNMPv2c Traps:
Agent is listening SNMP Trap on 10.8.0.10 , Port : 162
-------------------------------------------------- --------------------------
SourceIP: ('10.8.0.18', 49180)
----------------------Received new Trap message------------------------ -----
1.3.6.1.2.1.1.3.0 = 896022
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.4.1.1918.2.13.20.700
1.3.6.1.4.1.1918.2.13.10.111.12.0 = 1
1.3.6.1.4.1.1918.2.13.10.111.10.0 = 3
1.3.6.1.4.1.1918.2.13.10.111.11.0 = Digital Input 1
1.3.6.1.4.1.1918.2.13.10.111.14.0 = 5
1.3.6.1.4.1.1918.2.13.10.10.40.0 = System Location
1.3.6.1.4.1.1918.2.13.10.10.50.0 = SiteName
1.3.6.1.4.1.1918.2.13.10.10.60.0 = SiteAddress
1.3.6.1.4.1.1918.2.13.10.111.13.0 = Input D01 Disconnected.
In Trap SNMPv2c, you can only get the source IP but it shows the IP of the Router, but it does not work for me since there are several devices behind the Router, and there is no way to identify which one the alarm came from. I am doing the tests from an OpenVPN client, and not yet from the server, it will be uploaded to the server once it works well.
Could you help me because that can happen. Since I thought it was a problem with the libraries and I used another trap receiving software and the answer was the same.
This is the Server configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 192.168.0.0 255.255.0.0
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
This is the client configuration:
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
#
#
</tls-crypt>
Firewall configuration on the server:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
This is the code to Receive SNMPv1 and SNMPv2c Traps:
from pysnmp.carrier.asynsock.dispatch import AsynsockDispatcher
#python snmp trap receiver
from pysnmp.entity import engine, config
from pysnmp.carrier.asyncore.dgram import udp
from pysnmp.entity.rfc3413 import ntfrcv
from pysnmp.proto import api
datosnmp = []
snmpEngine = engine.SnmpEngine()
TrapAgentAddress='10.8.0.10' #Trap listerner address
Port=162 #trap listerner port
print("Agent is listening SNMP Trap on "+TrapAgentAddress+" , Port : " +str(Port))
print('--------------------------------------------------------------------------')
config.addTransport(snmpEngine, udp.domainName + (1,), udp.UdpTransport().openServerMode((TrapAgentAddress, Port)))
#Configure community here
config.addV1System(snmpEngine, 'my-area', 'public')
def cbFun(snmpEngine, stateReference, contextEngineId, contextName,varBinds, cbCtx):
global datosnmp
#while wholeMsg:
execContext = snmpEngine.observer.getExecutionContext('rfc3412.receiveMessage:request')
print("IP Source: ", execContext['transportAddress']) #IP Origen del Trap
#print('snmpEngine : {0}'.format(snmpEngine))
#print('stateReference : {0}'.format(stateReference))
#print('contextEngineId : {0}'.format(contextEngineId))
#print('contextName : {0}'.format(contextName))
#print('cbCtx : {0}'.format(cbCtx))
print('{0}Received new Trap message{0}\n'.format('-' * 40))
for oid, val in varBinds:
datosnmp.append(val.prettyPrint())
print('%s = %s' % (oid.prettyPrint(), val.prettyPrint())) #name = OID, val = contenido de la OID
#print(datosnmp)
ntfrcv.NotificationReceiver(snmpEngine, cbFun)
snmpEngine.transportDispatcher.jobStarted(1)
try:
snmpEngine.transportDispatcher.runDispatcher()
except:
snmpEngine.transportDispatcher.closeDispatcher()
raise
Could you please help me if it could be a configuration error of the OpenVPN server, or maybe something else needs to be added. Have you seen a similar lake?
Any comment is appreciated.

SOLVED - Debug Darkice to understand why is not connecting to shoutcast

I'm trying to connect to a shoutcast server from a darkice client using Ubuntu. This is my configuration:
#this section describes general aspects of the live streaming session
[general]
duration = 0 # duration of encoding, in seconds. 0 means forever
bufferSecs = 10 # size of internal slip buffer, in seconds
reconnect = yes # reconnect to the server(s) if disconnected
realtime = no # run the encoder with POSIX realtime priority
rtprio = 3 # scheduling priority for the realtime threads
# this section describes the audio input that will be streamed
[input]
device = hw:CARD=PCH,DEV=0
sampleRate = 44100 # sample rate in Hz. try 11025, 22050 or 44100
bitsPerSample = 16 # bits per sample. try 16
channel = 2 # channels. 1 = mono, 2 = stereo
# this section describes a streaming connection to an IceCast2 server
# there may be up to 8 of these sections, named [icecast2-0] ... [icecast2-7]
# these can be mixed with [icecast-x] and [shoutcast-x] sections
[shoutcast-0]
bitrateMode = cbr
format = mp3
bitrate = 96
quality = 1.0
server = xxxxxxxxxxxxxxx
port = 8020
password = xxxxxxxxxxxxxxx
name = Radio website
url = https://www.mywebsite.it
genre = live
public = no
But when I run
darkice -v 10 -c /etc/darkice-shoutcast.cfg
It only shows this, without errors or similar, but there is no streaming at the url. Using BUTT it works. I've also tested with 8021 instead of 8020 for port (8020 it's the port number given by the provider) but no luck.
DarkIce 1.4 live audio streamer, http://code.google.com/p/darkice/
Copyright (c) 2000-2007, Tyrell Hungary, http://tyrell.hu/
Copyright (c) 2008-2013, Akos Maroy and Rafael Diniz
This is free software, and you are welcome to redistribute it
under the terms of The GNU General Public License version 3 or
any later version.
Using config file: /etc/darkice-shoutcast.cfg
18-May-2021 12:02:28 Using ALSA DSP input device: hw:CARD=PCH,DEV=0
18-May-2021 12:02:28 buffer size: 1764000
18-May-2021 12:02:28 encoding
18-May-2021 12:02:28 MultiThreadedConnector :: transfer, bytes 0
18-May-2021 12:02:28 MultiThreadedConnector :: ThreadData :: threadFunction, was (thread, priority, type): 0x5568a502c010 0 SCHED_OTHER
18-May-2021 12:02:28 MultiThreadedConnector :: ThreadData :: threadFunction, now is (thread, priority, type): 0x5568a502c010 0 SCHED_OTHER
ADDENDUM
I've used tcpdump to understand what could be and I just see something similar to "invalid password"
: Flags [P.], cksum 0xc379 (correct), seq 1:19, ack 3090, win 294, options [nop,nop,TS val 3348978428 ecr 531576376], length 18
E..F1O#.1.3'.}.......T.Jq.k.D......&.y.....
..Z...68Invalid Passwor
Suggestions on how to better debug or fix this?
SOLVED
It seems the error is related to the password and wrong parsing of the config file, so I've written it without spaces
[shoutcast-0]
bitrateMode = cbr
format = mp3
bitrate = 96
quality = 1.0
server = xxxxxxxxxxxxxxx
port = 8020
password=xxxxxxxxxxxxxxx
name = Radio website
url = https://www.mywebsite.it
genre = live
public = no

parse nmap results string using python 3.x

Im automating nmap using python , i like to get some specific value from the results, which is a string
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=*.google.com/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.gcpcdn.gvt1.com, DNS:*.ggpht.cn, DNS:*.gkecnapps.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.wear.gkecnapps.cn, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:gkecnapps.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
| Public Key type: unknown
| Public Key bits: 256
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-03T09:45:25
| Not valid after: 2020-05-26T09:45:25
| MD5: bda3 4bfa 9f3d 5091 14a2 4a0e 992b 183f
|_SHA-1: 12b0 59d4 f6fb cd67 5013 a49e 44cf 053f d773 a07f
my method return issuer,public key and public key bit and signature algorithm but with the rest of string output
def run_command():
command ="nmap -p 443 --script ssl-cert google.com"
output = subprocess.getoutput(command)
Issuer= output.split("Issuer: ",1)[1]
public_key = output.split("Public Key type: ",1)[1]
public_key_bit= output.split("Public Key bits: ",1)[1]
singature_algor = output.split("Signature Algorithm: ",1)[1]
print(Issuer,public_key,public_key_bit,singature_algor)
the wanted results, just to print the value of each of these values bellow
Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
Public Key type: unknown
Public Key bits: 256
Signature Algorithm: sha256WithRSAEncryption

I manage to find a way
def verify_certificate(self,to_check):
command ="nmap -p 443 --script ssl-cert google.com"
output = subprocess.getoutput(command)
line = re.findall(to_check+":.*$", output, re.MULTILINE)
for x in line:
results = x.split(to_check+":",1)[1]
print(results)
output
commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US
and by changing to_check value, I get the other values as well without duplicate code.

snmp cisco switch oid for multiVlans

I'm using snmp to go through a switch and get some info.
i use:
for searching Names :
Oid: iso.3.6.1.2.1.2.2.1.2
for searching a Single Vlan:
Oid: iso.3.6.1.4.1.9.9.68.1.2.2.1.2
What i want is for multiple Vlans what is the oid.
Does anyone knows?

The Cisco OID referred to in your post will give you the VLAN-id associated on each interface on the device. For example snmpwalk yields following (so you can get all VLANs associated with the interfaces on the device)
# snmpwalk -v2c -c public 172.23.219.36 1.3.6.1.4.1.9.9.68.1.2.2.1.2
..
SNMPv2-SMI::enterprises.9.9.68.1.2.2.1.2.436217344 = INTEGER: 101
Taking ifIndex from VLAN 101 one can find the associated interface
# snmpwalk -v2c -c public 172.23.219.36 1.3.6.1.2.1.2.2.1.2.436217344
..
IF-MIB::ifDescr.436217344 = STRING: Ethernet1/20
However if you are only interested in getting VLANs on the system you may want to consider looking at Q-BRIDGE-MIB (https://www.rfc-editor.org/rfc/rfc4363). Any of these OIDs will get all the VLANs on the system whether associated with an interface or not via Q-BRIDGE MIB (dot1qFdbTable)
snmpwalk -v2c -c public 172.23.219.36 1.3.6.1.2.1.17.7.1.2
SNMPv2-SMI::mib-2.17.7.1.2.1.1.2.1 = Counter32: 0
SNMPv2-SMI::mib-2.17.7.1.2.1.1.2.101 = Counter32: 0
SNMPv2-SMI::mib-2.17.7.1.2.1.1.2.201 = Counter32: 0
SNMPv2-SMI::mib-2.17.7.1.2.1.1.2.301 = Counter32: 0

Understanding the Scapy "Mac address to reach destination not found. Using broadcast." warning

If I generate an Ethernet frame without any upper layers payload and send it at layer two with sendp(), then I receive the "Mac address to reach destination not found. Using broadcast." warning and frame put to wire indeed uses ff:ff:ff:ff:ff:ff as a destination MAC address. Why is this so? Shouldn't the Scapy send exactly the frame I constructed?
My crafted package can be seen below:
>>> ls(x)
dst : DestMACField = '01:00:0c:cc:cc:cc' (None)
src : SourceMACField = '00:11:22:33:44:55' (None)
type : XShortEnumField = 0 (0)
>>> sendp(x, iface="eth0")
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>>

Most people encountering this issue are incorrectly using send() (or sr(), sr1(), srloop()) instead of sendp() (or srp(), srp1(), srploop()). For the record, the "without-p" functions like send() are for sending layer 3 packets (send(IP())) while the "with-p" variants are for sending layer 2 packets (sendp(Ether() / IP())).
If you define x like I do below and use sendp() (and not send()) and you still have this issue, you should probably try with the latest version from the project's git repository (see https://github.com/secdev/scapy).
I've tried:
>>> x = Ether(src='01:00:0c:cc:cc:cc', dst='00:11:22:33:44:55')
>>> ls(x)
dst : DestMACField = '00:11:22:33:44:55' (None)
src : SourceMACField = '01:00:0c:cc:cc:cc' (None)
type : XShortEnumField = 0 (0)
>>> sendp(x, iface='eth0')
.
Sent 1 packets.
At the same time I was running tcpdump:
# tcpdump -eni eth0 ether host 00:11:22:33:44:55
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:33:47.774570 01:00:0c:cc:cc:cc > 00:11:22:33:44:55, 802.3, length 14: [|llc]