nv-l
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [nv-l] Trap source

from [James Shanks] [Permanent Link][Original]
To: nv-l@lists.us.ibm.com
Subject: Re: [nv-l] Trap source
From: James Shanks <jshanks@us.ibm.com>
Date: Tue, 10 Aug 2004 16:20:41 -0400
Delivery-date: Tue, 10 Aug 2004 21:36:49 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <OFE9EB8C1B.CBB9220E-ON85256EEC.006E49C0-85256EEC.006E2595@worldspan.com>
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com

I'm not sure what has made you think that trapd will do something special with non-NetView traps, but he doesn't.

All SNMP traps contain two addresses, one for the destination (which is the NetView box) and one for the sender (also called the agent).
The trap source is whatever the sending agent has encoded in the trap it sends.  
Now what does trapd do with the trap when it's received?

For internal NetView traps, we replace the sender's address (which would always be the NetView box and not very helpful) with address of the device the trap is about, which is why a NetView Interface Down or Node Down, appears to have been sent by the device itself.  it shows up in the event window and trapd.log with address of the device which owns the "down" interface(s).

But we do no such modification for traps from any other source.  Traps from outside the box are shown with whatever source  IP Address the sender encoded in the trap itself.   To see this you would have to enable the -x option on trapd (hex dump all packets) and then get a trapd.trace of the incoming trap.  Then you have to decode the hex yourself.  Look for a string in the first few lines which begins  "40 04 xx xx xx xx" .  The  hex "40" means what follows is an IP Address and the length is 04.  

The bottom line is that if your Cisco trap is shown with a source of 10.18.109.46, that's what Cisco sent us.  

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group


bill.kellam@worldspan.com
Sent by: owner-nv-l@lists.us.ibm.com

08/10/2004 04:03 PM
Please respond to
nv-l
To
"nv-l " <nv-l@lists.us.ibm.com>
cc
Subject
[nv-l] Trap source





Hi,

I'm running NV 7.1.4 on AIX 5.2

I thought I understood something about how a trap source was logged in
trapd.log but I've seen something that challenges my understanding. I have
a router with a loopback interface and 5 frame relay interfaces like so.
Name resolution is shown in parenthesis:

router1.domain.net (192.168.14.1) Cisco Router
            192.168.14.1 (router1.domain.net) Loopback0 -- Software
Loopback
            10.11.1.254 () Serial0/0.1 -- Frame Relay
            10.11.3.254 () Serial0/1.1 -- Frame Relay
            10.12.100.254 () Serial0/0.2 -- Frame Relay
            10.12.102.254 () Serial0/1.2 -- Frame Relay
            10.18.109.46 () Serial1/0.1 -- Frame Relay

I seem to recall determining empirically that even if a trap was sent by
this router with the source as one of the serial interfaces, the trap would
be logged with a source of router1.domain.net. Recently I have been seeing
traps from this device with a source of 10.18.109.46. Is my understanding
as described here wrong? Will the trap source always be recorded just as it
was received?

Thanks,
Bill Kellam
Enterprise Integration and Management
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [nv-l] Trap source, Alan E. Hennis
Next by Date:  [nv-l] maps not saving?, Mike
Previous by Thread:  [nv-l] Trap source, bill . kellam
Next by Thread:  Re: [nv-l] Trap source, Alan E. Hennis
Indexes:  [Date] [Thread] [Top] [All Lists]

Archive operated by Skills 1st Ltd

See also: The NetView Web