OT: query routers tables

Mogens Kjaer mk at crc.dk
Thu Jan 4 15:22:43 UTC 2007


Mogens Kjaer wrote:
...
> I wrote a C program that uses SNMP for this.

I was asked how I did this:

The code is written for many generations of D-Link hubs and
switches - the first version of the program is nearly 10 years
old. The D-Link switches/hubs each have their own way of
returning the information I want.

So the code has ended up being very clumsy
and unreadable - sometimes even by myself :-)

To figure things out, I used snmpwalk (from net-snmp-utils):

snmpwalk -v 1 -cpublic -m ALL -Cc yourswitchname >somefile.txt

If the command doesn't return anything, you either don't have
access or the community string "public" is wrong. This is set
up on the switch.

You'll see lines like:

RFC1213-MIB::ifInOctets.1 = Counter32: 294511
RFC1213-MIB::ifInOctets.2 = Counter32: 484607327
RFC1213-MIB::ifInOctets.3 = Counter32: 629120408
RFC1213-MIB::ifInOctets.4 = Counter32: 3390066466
RFC1213-MIB::ifInOctets.5 = Counter32: 2848975069
RFC1213-MIB::ifInOctets.6 = Counter32: 0
RFC1213-MIB::ifInOctets.7 = Counter32: 72355738
RFC1213-MIB::ifInOctets.8 = Counter32: 0
...

this is the number of bytes received on the ports 1-8.

Similar ifOutOctets.

I analyse lines like:

RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.1 = Hex-STRING: 00 05 5D EF 4F 6E
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.2 = Hex-STRING: 00 05 5D EF 4E 68
...

to get a correlation between IP: 172.20.0.1 and MAC
address: 00:05:5D:EF:4F:6E

Our NAT router runs Linux (this is also where this program
runs), so I can read the arp table in /proc/net/arp
to get the MAC/IP correlation as well.

Note, if you only get numeric responses, like:

SNMPv2-SMI::mib-2.17.4.4.1.5.24 = Counter32: 0

instead of:

BRIDGE-MIB::dot1dTpPortInDiscards.24 = Counter32: 0

it's because you're missing the relevant MIB file.

In some cases the MIB files are found on (in my case)
D-Link's home page, some MIB files are more general -
google is your friend.

Put the MIB files in a folder and set the environment
variable MIBDIRS to point to that folder before starting
snmpwalk.

Some switches hide the relevant information in a private
section, this can be listed like:

snmpwalk -v 1 -cpublic -m ALL -Cc nameofswitch .iso.org.dod.internet.private.enterprises

(this is on one line).

With this information it is possible to walk all ports
on all switches and get the necessary information:

Traffic in/out
MAC address seen on port
correlate MAC address with IP number

and finally do a reverse DNS lookup to get the hostname
from the IP number.

Mogens

-- 
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk at crc.dk Homepage: http://www.crc.dk
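
Added example (not part of the original post, and not the author's C program): a Python sketch of the IP/MAC correlation described above. It parses ipNetToMediaPhysAddress lines from saved snmpwalk output, parses text in /proc/net/arp layout, and reports IPs where the two sources disagree. The sample inputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the two entries shown in the post plus an unrelated line.
SNMPWALK_SAMPLE = """\
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.1 = Hex-STRING: 00 05 5D EF 4F 6E
RFC1213-MIB::ipNetToMediaPhysAddress.196609.172.20.0.2 = Hex-STRING: 00 05 5D EF 4E 68
RFC1213-MIB::ifInOctets.1 = Counter32: 294511
"""

# Constructed sample in /proc/net/arp layout. The MAC for 172.20.0.2 is made to
# differ on purpose, and 172.20.0.3 is an incomplete entry (flags 0x0).
PROC_ARP_SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
172.20.0.1       0x1         0x2         00:05:5d:ef:4f:6e     *        eth1
172.20.0.2       0x1         0x2         00:05:5d:ef:4e:99     *        eth1
172.20.0.3       0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# The table index is <ifIndex>.<IPv4 address>. mib-2.4.22.1.2 is the same column
# as printed when the MIB file is not loaded (numeric output).
ENTRY = re.compile(
    r"(?:ipNetToMediaPhysAddress|mib-2\.4\.22\.1\.2)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)"
    r" = Hex-STRING: ((?:[0-9A-Fa-f]{2} ?){6})\s*$", re.M)

def parse_snmp_arp(text):
    """Return {ip: 'aa:bb:cc:dd:ee:ff'} from snmpwalk output."""
    return {ip: ":".join(hexstr.split()).lower()
            for _ifindex, ip, hexstr in ENTRY.findall(text)}

def parse_proc_arp(text):
    """Return {ip: mac} from /proc/net/arp text, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 4 and int(fields[2], 16) & 0x2:  # 0x2 = entry complete
            table[fields[0]] = fields[3].lower()
    return table

def mismatches(snmp, arp):
    """IPs known to both sources whose MAC addresses differ."""
    return sorted((ip, snmp[ip], arp[ip])
                  for ip in snmp.keys() & arp.keys() if snmp[ip] != arp[ip])

if __name__ == "__main__":
    for ip, sw_mac, rt_mac in mismatches(parse_snmp_arp(SNMPWALK_SAMPLE),
                                         parse_proc_arp(PROC_ARP_SAMPLE)):
        print(f"{ip}: switch says {sw_mac}, router ARP table says {rt_mac}")
```

A disagreement between the two views usually means a stale entry or a replaced NIC, but it is also what a spoofed ARP reply looks like, so it is worth logging.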



