NAME

netsnmp-pcap - SNMP extension which captures network traffic and reports the number of packets captured, and the throughput

SYNOPSIS

    netsnmp-pcap [--config /etc/snmp/pcap.conf] [--debug [n]]
    netsnmp-pcap { --help | --man | --version }

OPTIONS

Program options

-B, --base-oid OID: Specify the base OID to server the table from. Default to the same as bsnmpd-pcap, .1.3.6.1.4.1.12325.1.1112
-c, --config path: Specify the path to the configuration file. Default to /etc/snmp/pcap.conf
-d, --debug [level]: Enable debug mode, i.e., traces POE events.
-D, --detach: Tell the program to detach itself from the terminal and become a daemon. Use --no-detach to prevent this.
-p, --pidfile path: Specify the path to a file to write the PID of the daemon.

Help options

-h, --help: Print a short usage description, then exit.
--man: Print the manual page of the program, then exit.
-V, --version: Print the program name and version, then exit.

DESCRIPTION

This program is a port of bsnmpd-pcap, the pcap plugin for FreeBSD's bsnmpd, as an AgentX for Net-SNMP, written in Perl. It allows you to measure arbitrary network traffic, in packets or octets, using the pcap(3) library. Multiple flows of traffic can be measured by setting as many network monitors, with different filters.

MIBS

The counters are available as a table under the same OID as bsnmpd-pcap, but this can be changed using the --base-oid option:

    .1.3.6.1.4.1.12325.1.1112

The following entries are provided, where N is the index:

pcapCount(1): the number of network monitors present
pcapTable(2).pcapEntry(1).pcapIndex(0).N: the index of the network monitor
pcapTable(2).pcapEntry(1).pcapDescr(1).N: a human description of the netowrk monitor (may be empty)
pcapTable(2).pcapEntry(1).pcapDevice(2).N: the network device that traffic is being monitored on
pcapTable(2).pcapEntry(1).pcapFilter(3).N: the pcap(3) filter used to select certain network packets for monitoring
pcapTable(2).pcapEntry(1).pcapOctets(4).N: the number of octets seen by the monitor
pcapTable(2).pcapEntry(1).pcapPackets(5).N: the number of packets seen by the monitor

CONFIGURATION

The configuration format is the same as bsnmpd-pcap, where you define the network monitors by setting the corresponding SNMP functions. Here is an example which defines three network monitors:

    %pcap
    pcapDescr.1  = "ARP, ICMP and VRRP traffic"
    pcapDevice.1 = "eth0"
    pcapFilter.1 = "arp or icmp or vrrp"

    pcapDescr.2  = "DNS traffic"
    pcapDevice.2 = "eth0"
    pcapFilter.2 = "port domain"

    pcapDescr.3  = "HTTP traffic"
    pcapDevice.3 = "eth0"
    pcapFilter.3 = "port http or port https"

and the corresponding result from snmpwalk:

    # snmpwalk -v2c -On -c public localhost .1.3.6.1.4.1.12325.1.1112
    .1.3.6.1.4.1.12325.1.1112.1 = INTEGER: 3
    .1.3.6.1.4.1.12325.1.1112.2.1.0.1 = INTEGER: 1
    .1.3.6.1.4.1.12325.1.1112.2.1.0.2 = INTEGER: 2
    .1.3.6.1.4.1.12325.1.1112.2.1.0.3 = INTEGER: 3
    .1.3.6.1.4.1.12325.1.1112.2.1.1.1 = STRING: "ARP, ICMP and VRRP traffic"
    .1.3.6.1.4.1.12325.1.1112.2.1.1.2 = STRING: "DNS traffic"
    .1.3.6.1.4.1.12325.1.1112.2.1.1.3 = STRING: "HTTP traffic"
    .1.3.6.1.4.1.12325.1.1112.2.1.2.1 = STRING: "eth0"
    .1.3.6.1.4.1.12325.1.1112.2.1.2.2 = STRING: "eth0"
    .1.3.6.1.4.1.12325.1.1112.2.1.2.3 = STRING: "eth0"
    .1.3.6.1.4.1.12325.1.1112.2.1.3.1 = STRING: "arp or icmp or vrrp"
    .1.3.6.1.4.1.12325.1.1112.2.1.3.2 = STRING: "port domain"
    .1.3.6.1.4.1.12325.1.1112.2.1.3.3 = STRING: "port http or port https"
    .1.3.6.1.4.1.12325.1.1112.2.1.4.1 = Counter32: 56
    .1.3.6.1.4.1.12325.1.1112.2.1.4.2 = Counter32: 1347
    .1.3.6.1.4.1.12325.1.1112.2.1.4.3 = Counter32: 29137
    .1.3.6.1.4.1.12325.1.1112.2.1.5.1 = Counter32: 2
    .1.3.6.1.4.1.12325.1.1112.2.1.5.2 = Counter32: 15
    .1.3.6.1.4.1.12325.1.1112.2.1.5.3 = Counter32: 53
    End of MIB

CAVEATS

Because this program is based on POE::Component::NetSNMP::agent, it suffers from the same problem, which is that when the snmpd daemon it is connected to dies, the default POE loop will spin over the half-closed Unix socket, eating 100% of CPU until the daemon is restarted and the sub-agent has reconnected. A workaround is to use an alternative event loop: POE::Loop::AnyEvent, POE::Loop::EV and POE::XS::Loop::EPoll have been tested to not expose this problem.

To select the event loop, set the POE_EVENT_LOOP environment variable to its name: POE_EVENT_LOOP=POE::Loop::AnyEvent

AUTHOR

Sebastien Aperghis-Tramoni (sebastien@aperghis.net)

To install netsnmp-pcap, copy and paste the appropriate command in to your terminal.

cpanm

cpanm netsnmp-pcap

CPAN shell

perl -MCPAN -e shell
install netsnmp-pcap

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)