How to change the net-snmp trap sender port in Linux?

I'm using net-snmp to gather system information on Linux,
but I found there is a problem.
When I check the port usage of Net-SNMP with netstat, I find net-snmp using 3 UDP ports.
Here is the result:
[root@ snmp]# netstat -anp | grep snmp
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 6392/snmpd
udp 0 0 0.0.0.0:49005 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:44837 0.0.0.0:* 6392/snmpd
As you can see, snmpd is using 2 more UDP ports besides 161.
I also found out why the 2 UDP ports are randomly occupied by snmp:
those ports are used for sending SNMP traps.
When I remove the trap2sink and informsink options, the 2 UDP ports no longer appear.
This is the relevant part of my snmpd.conf configuration:
###########################################################################
# SECTION: Trap Destinations
#
# Here we define who the agent will send traps to.
# trap2sink: A SNMPv2c trap receiver
# arguments: host [community] [portnum]
trap2sink 192.168.1.4
# informsink: A SNMPv2c inform (acknowledged trap) receiver
# arguments: host [community] [portnum]
informsink 192.168.1.4 NMS_COM
# trapcommunity: Default trap sink community to use
# arguments: community-string
trapcommunity NMS_COM
# authtrapenable: Should we send traps when authentication failures occur
# arguments: 1 | 2 (1 = yes, 2 = no)
authtrapenable 1
My program has to use UDP ports 40000~50000,
so I want to use those trap options and change the ports.
How can I fix the ports?

You can try to set the port for the directives as below:
trap2sink 1.1.1.1:port_num
e.g. trap2sink 1.1.1.1:162
I hope I understood your question and that this helps.

These are SNMP Ephemeral ports. Here is a quote from a Microsoft support page on them:
While SNMP service is running it may be noticed via the netstat
Command Line utility that in addition to the well known ports for
sending and receiving SNMP traps (161/162) that a random ephemeral
port has been created by the service as well.
The random port usage is intended behavior and is opened for the
purpose of sending "management" traps
...
This port will remain in
the system while the SNMP service is running, but is not actively used
unless a management trap is to be sent outbound. Since SNMP does not
listen for inbound packets on this random port, this does not present
a security vulnerability.
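
As an added example (not part of the original question or answers), the check below reads `netstat -anp` output and flags UDP sockets owned by a process that fall inside a port range another application needs, such as the 40000~50000 range in the question. The function name `udp_ports_in_range` is hypothetical; the sample rows are the netstat lines from the question.

```sh
#!/bin/sh
# Added example: report UDP ports bound by one program and whether each
# falls inside a port range that must stay free for another application.
# usage: netstat -anp | udp_ports_in_range PROGRAM LOW HIGH
udp_ports_in_range() {
    awk -v prog="$1" -v lo="$2" -v hi="$3" '
        $1 ~ /^udp/ {
            # UDP rows usually have no State column, so take the last
            # field as PID/Program instead of counting columns.
            n = split($NF, owner, "/")
            if (n != 2 || owner[2] != prog) next
            # The port follows the last colon of the local address; this
            # also covers IPv6 forms such as :::161 and ::1:161.
            m = split($4, addr, ":")
            port = addr[m] + 0
            verdict = (port >= lo + 0 && port <= hi + 0) ? "in-range" : "ok"
            printf "%d\t%s\n", port, verdict
        }' | sort -n
}

# Sample input: the netstat rows quoted in the question.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 6392/snmpd
udp 0 0 0.0.0.0:49005 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:44837 0.0.0.0:* 6392/snmpd'

printf '%s\n' "$SAMPLE_NETSTAT" | udp_ports_in_range snmpd 40000 50000
```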

Related

remote logging using rsyslog server is not working

I have 2 linux machines, both of them have rsyslog. I need to send logs from client machine to server machine. I have done these steps but still I am not able to send the message. What am I doing wrong? I am using UDP port 514
SERVER MACHINE : (192.16.72.239)
updated /etc/rsyslog.conf, uncommented 2 lines after comment
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
restarted rsyslog
executed the commands below as well:
[root@mysystem/]# iptables -A INPUT -p udp --dport 514 -j ACCEPT
[root@mysystem/]# nc -l -p 514 -4
Ncat: bind to 0.0.0.0:514: Address already in use. QUITTING.
CLIENT MACHINE :
added this rule (third line) at the end of the file:
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@192.16.72.239:514
# ### end of the forwarding rule ###
Now I am using the command logger "sending message from client to server" on the client machine. I can see the above message is present in the client's /var/log/messages, but it is not present in the server's /var/log/messages.
Am I doing anything wrong?

Understanding the netstat output

tcp 0 0 :::111 :::* LISTEN
Above is the output of netstat -nl | grep 111.
What is the meaning of the :::111 segment?
technet.microsoft.com says that:
Displays active TCP connections, ports on which the computer is
listening, Ethernet statistics, the IP routing table, IPv4 statistics
(for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for
the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used
without parameters, netstat displays active TCP connections.
So you can find which addresses and ports are in use and listening. For example, you want to run a Tomcat server on port 8080, but it is in use. So you can run:
netstat -ano | find "8080"
output will be something like:
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 1185
TCP [::]:8080 [::]:0 LISTENING 1185
It says that process number 1185 is using this port. If it is necessary to use this port, you can shut down the app that uses this port and run your server on it by using this command:
taskkill /F /PID 1185
@echo off
:myline
netstat -nob
echo.
echo.
ping 127.0.0.1 > %temp%\pingio.txt
goto myline
Put this in a batch file and run it as Administrator to monitor network processes.

How to show which port is the database socket running by Linux command?

I have three MySQL database sockets running on a Linux machine. By the cmd "sudo netstat -npl|grep mysql", I can find the ports and db sockets. But I need to match them one to one by using pid.
Is there any cmd I can use to show the port number of a db socket directly in Linux?
The output looks like this:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3886/mysqld
The PID of the mysqld process is the number before /mysqld, i.e. 3886.
There are several different ways to do it, but for your purposes, I suggest simply looking at the output of the command you're already running.
$ sudo netstat -npl|grep mysql
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1124/mysqld
unix 2 [ ACC ] STREAM LISTENING 8713 1124/mysqld /var/run/mysqld/mysqld.sock
This is telling me that process 1124 is listening on 3306 and /var/run/mysqld/mysqld.sock.

snmpd is not listening on port 161 on Ubuntu server

I have installed snmpd on my Ubuntu server via apt-get install snmpd snmp. Then I changed the line in /etc/default/snmpd
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 0.0.0.0'
After that, I restarted the snmpd server (/etc/init.d/snmpd restart). However, when I ran netstat -an | grep "LISTEN ", I didn't see snmpd listening on port 161.
I don't have any firewall which blocks that port.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
User "nos" is correct; UDP bindings do not show up as "LISTEN" under "netstat". Instead, you will see a line or two like the following, showing that "snmpd" is indeed ready to receive data on UDP port 161:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:161 0.0.0.0:* 1785/snmpd
udp6 0 0 ::1:161 :::* 1785/snmpd
The "netstat" manpage has this to say about the "State" column:
The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank.
Thus, you would not expect to see the word "LISTEN" here.
From a practical perspective, however, there is one more thing that I'd like to note. Often, the default Net-SNMP "snmpd.conf" configuration file limits incoming connections to only local processes.
Default /etc/snmp/snmpd.conf
# Listen for connections from the local system only
agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161,tcp:161,tcp6:[::1]:161
Usually, the point of setting up "snmpd" is so that another machine can monitor it. To accomplish this, make sure that the first line is commented out and that the second line is enabled.
Looks like it is listening on 161/UDP. From the man page:
By default, snmpd listens for incoming SNMP requests on UDP port 161 on all IPv4 interfaces. However, it is possible to modify this behaviour by specifying one or more listening addresses as arguments to snmpd. A listening address takes the form: [<transport-specifier>:]<transport-address>
Read the man page for more details.

How to retrieve ports in use in the system?

In a Linux specific way, how can I get the list of all open UDP ports and all TCP ports currently accepting connections in some interface?
The most common way is to use netstat console utility with the following flags:
netstat -plan
where:
-p : Show the PID and name of the program to which each socket belongs;
-l : Show only listening sockets;
-a : Show both listening and non-listening sockets;
-n : Show numerical addresses instead of trying to determine symbolic host, port or user names.
For additional output options and flags please check man pages man netstat. Based on your particular needs, only TCP or UDP (for example) protocol connections can be examined:
netstat -4 --tcp --udp --all
Alternatively, lsof -i might be helpful.
Most likely you are interested in the following information (special /proc filesystem):
/proc - Mount point for the proc filesystem, which gives access to kernel status information via the following files:
/proc/net/dev - device information
/proc/net/raw - raw socket information
/proc/net/tcp - TCP socket information
/proc/net/udp - UDP socket information
/proc/net/igmp - IGMP multicast information
/proc/net/unix - Unix domain socket information
/proc/net/ipx - IPX socket information
/proc/net/ax25 - AX25 socket information
/proc/net/appletalk - DDP (appletalk) socket information
/proc/net/nr - NET/ROM socket information
/proc/net/route - IP routing information
/proc/net/ax25_route - AX25 routing information
/proc/net/ipx_route - IPX routing information
/proc/net/nr_nodes - NET/ROM nodelist
/proc/net/nr_neigh - NET/ROM neighbours
/proc/net/ip_masquerade - masqueraded connections
/proc/net/snmp - statistics
List all listening processes and what port they are listening to. Running without sudo will list only user processes.
sudo ss -tlpn
explanation:
-t tcp
-l listening
-p show process
-n numeric, don't replace port numbers with their "popular" name.
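
The /proc/net/udp file listed above stores addresses and ports in hexadecimal. As an added example (not from the original answers), this decoder turns its rows into readable address:port pairs with the owning UID and socket inode. The function name `proc_udp_decode` is hypothetical, the sample rows are constructed, and a little-endian host is assumed.

```sh
#!/bin/sh
# Added example: decode /proc/net/udp rows into "ip:port uid=N inode=N".
# usage: proc_udp_decode < /proc/net/udp
proc_udp_decode() {
    awk '
        # Portable hex-to-decimal conversion (POSIX awk has no strtonum).
        function hex(s,    i, n) {
            s = toupper(s); n = 0
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
            return n
        }
        $1 ~ /^[0-9]+:$/ {            # data rows start with "N:", header does not
            split($2, la, ":")        # la[1] = hex IPv4 address, la[2] = hex port
            a = la[1]
            # Assumption: little-endian host, so the address bytes are reversed.
            ip = hex(substr(a, 7, 2)) "." hex(substr(a, 5, 2)) "." hex(substr(a, 3, 2)) "." hex(substr(a, 1, 2))
            # Field 8 is the owning UID, field 10 the socket inode.
            printf "%s:%d uid=%s inode=%s\n", ip, hex(la[2]), $8, $10
        }'
}

# Constructed sample in the /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1021: 00000000:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21544 2 0000000000000000 0
 1398: 0100007F:AF25 00000000:0000 07 00000000:00000000 00:00000000 00000000   116        0 21550 2 0000000000000000 0'

printf '%s\n' "$SAMPLE_PROC_UDP" | proc_udp_decode
```

The inode column can be matched against the socket links under /proc/PID/fd to find the owning process, which is what the -p option of netstat and ss reports.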
