[NTLUG:Discuss] snmptrap not appearing

Chris Cox cjcox at acm.org
Sun Sep 8 16:22:02 CDT 2002


jeremyb at univista.com wrote:
>  
> hey folks,
>   I'm tinkering with ettercap and have been watching traffic between my
> web server and the Linksys router I've got in front of this LAN.  I'm
> seeing an snmp-trap datagram every couple of seconds originating from
> the router to the web server.
> I'm not concerned about why the router is doing this at the moment...
> what I'm curious about is why I can't see ANY trace of these connections
> on the web server.

My LinkSys sends snmp traps to a designated host for record keeping
of hits to the firewall.  Go to Log on the LinkSys tabbed menu.
I run snmptrapd to capture the messages on the host I designated
on the Log setup.

> I've tried the following commands:
> 
> netstat -an --inet
> netstat -an
> lsof | grep IPv4
> lsof | grep 162
> lsof | less

Not sure what you are looking for.  You can snoop the traffic with
something like tcpdump.

> 
> Here's a snip of what ettercap is showing me:
> 
> 101)     192.168.1.1:2395    <-->     192.168.1.2:162   ?   UDP  ?
> snmptrap 

I'm guessing that 192.168.1.2 is being set up as the
recipient of the access traps coming from the router.

> 
> Here are corresponding entries in /var/log/messages:
> 
> Sep  8 10:40:22 localhost kernel: Suspect short first fragment.
> Sep  8 10:40:22 localhost kernel: eth0 PROTO=1 192.168.1.1:0
> 192.168.1.2:0 L=20 S=0x00 I=0 F=0x0000 T=150 (#0)
> 
> For every ettercap snmptrap entry there are two messages entries like
> those above.
> Is this really snmp-trap or just some junk that the router is coughing
> up because it's got issues?  My next step is to bind port 162 using a
> little Perl script and just see what's what.  ...may do that just for
> kicks anyhow :)
> 

I'd run snmptrapd and capture the results so you can see everyone
who is pounding on your router.... an interesting experience.

Maybe I'm just not understanding the issue.

Ettercap is a great way to arp spoof your local switch (allowing
you to sniff traffic on the switch)... for more fun you could
try arp spoofing AT&T's switch... but since many abused this
recently, don't expect to be an AT&T customer very long if
you do this.  Still you can see what ports on the AT&T switch
are listening to your traffic... also an eye opening experience.
(as mentioned, probably not your neighbor, but AT&T doing this)

Have fun!
Chris
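
An added example, not part of the original thread: a listener of the kind the poster describes wanting to write (in Python here rather than Perl) that binds UDP/162 and decodes each datagram as an SNMPv1 Trap-PDU, so it is clear whether the router's packets are real traps or junk. It assumes SNMPv1; the sample datagram, its "public" community string and the 1.3.6.1.4.1.99999 enterprise OID are constructed for illustration.

```python
import socket

def elements(buf):  # split a BER buffer into its top-level (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(data):
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:                     # base-128 arcs, high bit = more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_v1_trap(datagram):
    [(tag, msg)] = elements(datagram)
    _version, community, pdu = elements(msg)      # wrong field count raises ValueError
    if tag != 0x30 or pdu[0] != 0xA4:             # 0xA4 = Trap-PDU in SNMPv1
        raise ValueError("not an SNMPv1 Trap-PDU")
    ent, agent, generic, specific, _ticks, vbl = (v for _, v in elements(pdu[1]))
    varbinds = [(decode_oid(n[1]), v[1]) for n, v in (elements(vb) for _, vb in elements(vbl))]
    return {"community": community[1].decode("latin-1"), "enterprise": decode_oid(ent),
            "agent": ".".join(map(str, agent)), "generic": int.from_bytes(generic, "big"),
            "specific": int.from_bytes(specific, "big"), "varbinds": varbinds}

def listen(port=162):                      # port 162 is privileged: run as root
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, peer = s.recvfrom(65535)
            try:
                print(peer[0], parse_v1_trap(data))
            except (ValueError, IndexError) as err:   # not a trap: show the raw bytes
                print(peer[0], "undecodable:", err, data.hex())

SAMPLE = bytes.fromhex(                    # constructed datagram, not a capture
    "3043 020100 0406 7075626c6963 a436 0609 2b06010401868d1f01 4004 c0a80101"
    "020106 020101 430100 301a 3018 0609 2b06010401868d1f01 040b 636f6e7374727563746564")
if __name__ == "__main__":
    print(parse_v1_trap(SAMPLE))           # then call listen() to watch UDP/162 live
```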
