KBI 310304 TCP And UDP Port Status Via SNMP
Version
Argent Advanced Technology – All Versions
Argent Extended Technology – All Versions
Date
10 Apr 2012
Summary
This article covers checking the status of TCP and UDP ports via SNMP in a format similar to how netstat formats the data.
You may be interested in seeing the netstat output of remote machines to track down issues on the network.
Running netstat via a remote command or shell, parsing the data and then evaluating it is a resource-intensive method of gathering this data.
SNMP actually provides this information and is a much more lightweight approach.
Here’s how to do it with Argent for SNMP.
Technical Background
Most administrators are familiar with the netstat command.
Example: A “netstat /n /a” command shows open and listening ports without doing a DNS lookup on the IP addresses.
It is possible to monitor these ports via SNMP.
Argent for SNMP’s OID Browser:
Observe the output of this SNMP branch, which shows TCP connections.
Notice the ports that are open.
Start with the first line of the output below.
This corresponds to port 135 listening on 0.0.0.0 in the above screenshot.
Note:
Some OIDs are not available for ports that are clearly open from the netstat.exe perspective, such as ports 80 and 445;
more research is needed to discover the reason for this.
Set up the rule to get the OID value.
In Argent AT, to check a single OID in this branch, it would look something like the below image.
In this example, we are checking to ensure that port 3100 is listening on all interfaces.
Notice how it corresponds to the Netstat output:
To monitor a group of OIDs, you would enumerate the OIDs below the tcpConnState branch that match a certain pattern (see the pattern in the second red box).
Notice how we use the ? and * characters to match a single character (?) or a group of characters (*), and place a dot after the two ?’s to specify that we want five-digit port numbers that start with 565.
Here is the trace log output from the above rule:
Rule: SNMP_NETSTAT_SNMP_DEMO
Server: AG07
Result: Not Broken
.1.3.6.1.2.1.6.13.1.1.127.0.0.1.56531.127.0.0.1.56532 = 5.00
.1.3.6.1.2.1.6.13.1.1.127.0.0.1.56532.127.0.0.1.56531 = 5.00
.1.3.6.1.2.1.6.13.1.1.127.0.0.1.56533.127.0.0.1.56534 = 5.00
.1.3.6.1.2.1.6.13.1.1.127.0.0.1.56534.127.0.0.1.56533 = 5.00
The $INDEX variable corresponds to the portion of the OID after the root OID branch you are walking within.
An example is the first OID on the list in the trace log.
The root is .1.3.6.1.2.1.6.13.1.1 and the $INDEX is 127.0.0.1.56531.127.0.0.1.56532.
You use root.$INDEX to join them together.
The $INDEX variable is updated to contain a different index as each enumerated OID is evaluated.
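The following is an added example, not code from the article or from Argent: it takes trace-log lines like the ones above, splits each $INDEX into the local address, local port, remote address and remote port that the tcpConnState index encodes, maps the numeric state to the name netstat prints, and implements the "port 3100 listening on all interfaces" check. It assumes the IPv4-only tcpConnTable layout (four address octets, port, four octets, port) and uses a constructed sample that adds one listening row to the article's four loopback rows.

```python
import re

TCP_CONN_STATE_ROOT = ".1.3.6.1.2.1.6.13.1.1"  # tcpConnState branch walked by the rule

# tcpConnState values as defined in the MIB-2 tcpConnTable (RFC 1213)
TCP_STATES = {1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RECEIVED",
              5: "ESTABLISHED", 6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "CLOSING", 11: "TIME_WAIT", 12: "DELETE_TCB"}

# Constructed sample: the four loopback rows from the article's trace log plus a
# listener on 0.0.0.0:3100 (a listening socket shows remote end 0.0.0.0:0).
TRACE_LOG = [
    ".1.3.6.1.2.1.6.13.1.1.127.0.0.1.56531.127.0.0.1.56532 = 5.00",
    ".1.3.6.1.2.1.6.13.1.1.127.0.0.1.56532.127.0.0.1.56531 = 5.00",
    ".1.3.6.1.2.1.6.13.1.1.127.0.0.1.56533.127.0.0.1.56534 = 5.00",
    ".1.3.6.1.2.1.6.13.1.1.127.0.0.1.56534.127.0.0.1.56533 = 5.00",
    ".1.3.6.1.2.1.6.13.1.1.0.0.0.0.3100.0.0.0.0.0 = 2.00",
]

def split_index(index):
    """Split a tcpConnState $INDEX (localAddr.localPort.remAddr.remPort) into four fields."""
    parts = index.split(".")
    if len(parts) != 10 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a tcpConnState index: {index!r}")
    return (".".join(parts[0:4]), int(parts[4]), ".".join(parts[5:9]), int(parts[9]))

def parse_trace_line(line):
    """Parse one 'OID = value' trace line; return None for lines outside the tcpConnState root."""
    m = re.match(r"^\s*(\.[\d.]+)\s*=\s*(\d+(?:\.\d+)?)\s*$", line)
    if not m or not m.group(1).startswith(TCP_CONN_STATE_ROOT + "."):
        return None
    index = m.group(1)[len(TCP_CONN_STATE_ROOT) + 1:]   # root.$INDEX -> $INDEX
    local, lport, remote, rport = split_index(index)
    state = int(float(m.group(2)))                     # the trace log prints "5.00"
    return {"index": index, "local": f"{local}:{lport}", "remote": f"{remote}:{rport}",
            "state": TCP_STATES.get(state, f"UNKNOWN({state})")}

def netstat_lines(trace_lines):
    """Render the parsed rows the way 'netstat /n /a' does: proto, local, foreign, state."""
    rows = [r for r in map(parse_trace_line, trace_lines) if r]
    return [f"TCP  {r['local']:<22} {r['remote']:<22} {r['state']}" for r in rows]

def is_listening_on_all_interfaces(trace_lines, port):
    """The article's port-3100 rule: a LISTEN row with local address 0.0.0.0 and the given port."""
    for r in filter(None, map(parse_trace_line, trace_lines)):
        if r["local"] == f"0.0.0.0:{port}" and r["state"] == "LISTEN":
            return True
    return False

if __name__ == "__main__":
    print("\n".join(netstat_lines(TRACE_LOG)))
    print("port 3100 listening on all interfaces:", is_listening_on_all_interfaces(TRACE_LOG, 3100))
```

Rows under the udpTable branch (1.3.6.1.2.1.7.5.1.1) are skipped by parse_trace_line because their index has a different shape; a UDP listener is simply a row whose udpLocalAddress/udpLocalPort match the port of interest.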
Reference:
The SNMP OID branches you will be interested in include:
For TCP:
1.3.6.1.2.1.6.13.1.1 – tcpConnState
1.3.6.1.2.1.6.13.1 – tcpConnEntry
1.3.6.1.2.1.6.13 – tcpConnTable
1.3.6.1.2.1.6 – tcp
1.3.6.1.2.1 – SNMP MIB-2
1.3.6.1.2 – IETF Management
1.3.6.1 – OID assignments from 1.3.6.1 – Internet
1.3.6 – US Department of Defense
1.3 – ISO Identified Organization
1 – ISO assigned OIDs
For UDP:
1.3.6.1.2.1.7.5.1.1 – udpLocalAddress
1.3.6.1.2.1.7.5.1 – udpEntry
1.3.6.1.2.1.7.5 – udpTable
1.3.6.1.2.1.7 – udp
1.3.6.1.2.1 – SNMP MIB-2
1.3.6.1.2 – IETF Management
1.3.6.1 – OID assignments from 1.3.6.1 – Internet
1.3.6 – US Department of Defense
1.3 – ISO Identified Organization
1 – ISO assigned OIDs
Resolution
N/A