<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Devangana,<br>
<br>
I see that you use AES for encryption. There was a related bug in
the snmp library:<br>
<a class="moz-txt-link-freetext" href="http://erlang.org/pipermail/erlang-bugs/2014-August/004551.html">http://erlang.org/pipermail/erlang-bugs/2014-August/004551.html</a><br>
<br>
I don't know if it's fixed in newer snmp library versions. I
attached the patch that we used to fix snmp 4.25.1.<br>
Or maybe you can live with DES encryption?<br>
<br>
Best<br>
Dominik<br>
<br>
<div class="moz-cite-prefix">On 14.09.2016 20:41, Devangana Tarafdar
wrote:<br>
</div>
<blockquote
cite="mid:CAHfHLPVvraYjyMjGn+p8igxE3=XTd_FQ=-H4cvnK=Lr9XsjfeA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Dominik,
<div><br>
</div>
<div>So I was able look at the wireshark stream decoded after
entering snmp credentials (that was very helpful, thanks !)
and compared the 2 streams : One from the snmp get tool and
the other from the erlang script.</div>
<div><br>
</div>
<div>Wireshark is not able to decode the encrypted pdu in the
erlang stream but it can decode the snmpget stream.</div>
<div><br>
</div>
<div>The message is clear enough I suppose but I don't know what
I am doing wrong with the key.</div>
<div><br>
</div>
<div>I changed my local key generation to :</div>
<div><br>
</div>
<div>
<div> %Priv_key_local = snmp:passwd2localized_key(sha,
Priv_key , Agent_engine_id),</div>
<div><br>
</div>
<div> % since auth protocol is SHA</div>
<div> Priv_key_local =
lists:sublist(snmp:passwd2localized_key(sha, Priv_key ,
Agent_engine_id),16),</div>
</div>
<div><br>
</div>
<div>but it did not help.</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>msgData: encryptedPDU (1)</div>
<div> encryptedPDU:
8a3e7fc633c531d2747782a6fc8d89187c452929426e4b6e...</div>
<div> Decrypted data not formatted as expected,
wrong key?</div>
<div> [Expert Info (Warn/Malformed): Decrypted
data not formatted as expected]</div>
<div> [Message: Decrypted data not
formatted as expected]</div>
<div> [Severity level: Warn]</div>
<div> [Group: Malformed]</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>Attaching good wireshark trace from snmpget and a bad
one from erlang.</div>
<div><br>
</div>
<div>Also tried putting a context name but did not work but
snmpget does not put one and it works. </div>
<div><br>
</div>
<div>Thanks,<br>
Devangana</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Sep 11, 2016 at 4:09 PM,
Devangana Tarafdar <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:devangana@gmail.com"
target="_blank">devangana@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Hi Dominik,</p>
<p dir="ltr">I have not looked into the context. Will check
all the items that you mention. I have been able to
connect to the agent using snmpwalk and snmpget though I
have not studied the wireshark output of those in detail.
<br>
Thanks again for all these tips and I will get back to you
.</p>
<span class="HOEnZb"><font color="#888888">
<p dir="ltr">Devangana</p>
</font></span>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sep 11, 2016 3:08 PM,
"Dominik Pawlak" <<a moz-do-not-send="true"
href="mailto:dominik_pawlak@yahoo.co.uk"
target="_blank">dominik_pawlak@yahoo.co.uk</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hello
Devangana,<br>
Hard to tell, but I see that you haven't
specified any context in your sync_get. Are you
sure it is not needed? I would also double check
the engine id and security configuration.<br>
Have you managed to connect to that agent from
something other than OTP (say snmpb, snmpget)?<br>
If so, you can compare in Wireshark, the snmp
requests from erlang and from that tool. You can
even enter your snmp credentials in Wireshark
and it will decode encrypted messages.<br>
I hope any of this helps.<br>
<br>
Best<br>
Dominik<br>
<br>
<div>On 11.09.2016 16:46, Devangana Tarafdar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Dominik,
<div><br>
</div>
<div>Thanks you for the reply.</div>
<div><br>
</div>
<div>I sent another sync_get after the
first as you suggested. The wireshark
trace shows the manager has updated the <span
style="font-size:12.8px">'msgAuthoritativeEngineBoo<wbr>ts'
and 'msgAuthoritativeEngineTime' to the
values sent by the Agent as you pointed
out. But now the agent does not respond
at all and the sync_get fails with a
timeout. I tried adding a second's sleep
between the 2 gets as well. I don't have
access currently to the agent's logs or
configuration but have you seen this
before ?</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Thanks !</span></div>
<div><span style="font-size:12.8px">Devangana</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, Sep 10,
2016 at 6:09 PM, Dominik Pawlak <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:dominik_pawlak@yahoo.co.uk" target="_blank">dominik_pawlak@yahoo.co.uk</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hello Devangana,<br>
Basically, you just have to perform
the sync_get once more. I observed
similar behavior in OTP 17.1 (snmp
4.25.1). The first request will always
fail because the manager is not fully
configured to communicate with the
agent (more on that below).<br>
<br>
A longer explanation:<br>
<br>
In snmp v3 there is a process called
'discovery', which should be performed
before secure communication with the
agent can be established. It is
described here:<br>
<br>
<a moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc3414#section-4"
rel="nofollow" target="_blank">https://tools.ietf.org/html/rf<wbr>c3414#section-4</a><br>
<br>
The snmp library in OTP does not
implement that process (at least not
as described in the RFC). <br>
This process has two steps:
'snmpEngineID discovery' and 'time
synchronization'.<br>
The first step is skipped altogether
in OTP - you have to provide engine id
upfront.<br>
The second step is performed by the
first request - it will always fail
with the 'usmStatsNotInTimeWindows'
error report message, but it will set
the required
'msgAuthoritativeEngineBoots' and
'msgAuthoritativeEngineTime' in the
manager.<br>
<br>
Best,<br>
Dominik
<div>
<div><br>
<br>
<div>On 10.09.2016 06:48,
Devangana Tarafdar wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hello,
<div><br>
</div>
<div>I am trying to connect to
a third party SNMP agent,
using snmp manager (snmp v3)
( in the erlang 19 release
snmp 5.2.3) and I am running
into a problem where the
agent is returning this
error on the manager calling
sync_get:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>*** [2016:09:08
21:26:00 830] SNMP
M-SERVER TRACE ***</div>
<div> handle_snmp_report
-> entry with</div>
<div> Domain:
snmpUDPDomain</div>
<div> Addr:
{{xx,xxx,xxx,xxx},161}</div>
<div> ReqId: 37078226</div>
<div> Rep:
{invalid_sec_info,[{sec_level,<wbr>3,1},</div>
<div>
{request_id,37078226,<a
moz-do-not-send="true"
href="tel:2147483647"
value="+12147483647"
target="_blank">21474836<wbr>47</a>}]}</div>
<div> Pdu:
{pdu,report,<a
moz-do-not-send="true"
href="tel:2147483647"
value="+12147483647"
target="_blank">2147483647</a>,noError<wbr>,0,</div>
<div>
[{varbind,[1,3,6,1,6,3,15,1,1<wbr>,2,0],'Counter32',33,1}]}</div>
<div>*** [2016:09:08
21:26:00 830] SNMP
M-SERVER DEBUG ***</div>
<div> handle_snmp_report
-> found corresponding
request:</div>
<div> reply to sync
request</div>
<div> Ref:
#Ref<0.0.4.210></div>
<div> ModRef:
#Ref<0.0.4.211></div>
<div> From:
{<0.3.0>,#Ref<0.0.4.202>}</div>
<div>*** [2016:09:08
21:26:00 830] SNMP
M-SERVER TRACE ***</div>
<div>
handle_snmp_pdu(get-response)
-> Remaining: 4979</div>
<div>*** [2016:09:08
21:26:00 830] SNMP
M-SERVER TRACE ***</div>
<div> handle_snmp_report
-> deliver reply</div>
<div><br>
</div>
<div>{error,{invalid_sec_info,[{sec<wbr>_level,3,1},{request_id,370782<wbr>26,<a
moz-do-not-send="true"
href="tel:2147483647"
value="+12147483647"
target="_blank">2147483647</a>}],{noError,0,[{v<wbr>arbind,[1,3,6,1,6,3,15,1,1,2,0<wbr>],'Counter32',33,1}]}}}</div>
<div><br>
</div>
<div>*** [2016:09:08
21:26:00 831] </div>
</div>
<div><br>
</div>
Where [1,3,6,1,6,3,15,1,1,2,0]
maps to
"usmStatsNotInTimeWindows"
(from <a
moz-do-not-send="true"
href="http://www.oid-info.com/"
target="_blank">http://www.oid-info.com/</a><wbr>)
<div><br>
</div>
<div>I have attached a
wireshark trace for the
snmp part of this exchange.</div>
<div><br>
</div>
<div>I am invoking the snmpm
module functions through a
basic script as follows
(using tips from the
tutorial at</div>
<div><a moz-do-not-send="true"
href="https://erlangcentral.org/wiki/index.php?title=SNMP_Quick_Start"
target="_blank">https://erlangcentral.org/wiki<wbr>/index.php?title=SNMP_Quick_St<wbr>art</a>
)<br>
</div>
<div>.........</div>
<div>..........</div>
<div>
<pre style="color:rgb(0,0,0)"> ok = application:start(crypto),
ok = application:start(snmp),
Userid = "snmp3user",
Agent_target = "testagent",
Agent_engine_id = [128,0,0,8,2,0,0,26,84,40,108,<wbr>176],
Agent_ip = {xx,xxx,xxx,xxx},
Agent_port = 161 ,
Secure_name= Userid,
Security_level = 'authPriv',
Security_model = 'usm',
Agent_version = 'v3',
Auth_protocol = 'usmHMACSHAAuthProtocol',
Priv_protocol = 'usmAesCfb128Protocol',
% this is 16 in length
Priv_key_local = snmp:passwd2localized_key(md5, Priv_key , Agent_engine_id),
% this is 20 in length
Auth_key_local = snmp:passwd2localized_key(sha, Auth_key , Agent_engine_id),
ok = snmpm:register_user(Userid,snm<wbr>pm_user_default,[]), </pre>
<pre style="color:rgb(0,0,0)"> ok = snmpm:register_usm_user(Agent_<wbr>engine_id, Userid, [
{auth, Auth_protocol},
{auth_key,Auth_key_local},
{priv, Priv_protocol},
{priv_key,Priv_key_local },
{sec_name, Secure_name}
]),
ok = snmpm:register_agent(Userid, Agent_target ,[
{engine_id,Agent_engine_id},
{address, Agent_ip},
{port, Agent_port},
{version,Agent_version},
{sec_model,Security_model},
{sec_name,Secure_name},
{sec_level, Security_level}</pre>
<pre style="color:rgb(0,0,0)"> ]),
Res0 = snmpm:sync_get(Userid, Agent_target, [[1,3,6,1,4,1,9,10,19,1,1,9,1,<wbr>3,7,2]]),
<span style="font-family:arial,sans-serif;color:rgb(34,34,34)"> ........................</span></pre>
<pre style="color:rgb(0,0,0)"><span style="font-family:arial,sans-serif;color:rgb(34,34,34)"> ........................</span></pre>
<pre>Can anyone please tell me what I am doing wrong here ? Any tips would be appreciated !<font color="#000000">
</font></pre>
</div>
<div>
</div>
<div>
</div>
<div>Thanks,
Devangana</div>
<div>
</div>
<div>
</div>
<div>
</div>
<div>
</div>
<div>
</div>
<div>
</div>
</div>
<fieldset></fieldset>
</div></div><pre>______________________________<wbr>_________________
erlang-questions mailing list
<a moz-do-not-send="true" href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a>
<a moz-do-not-send="true" href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
</div></blockquote></div></div>
</div></div></blockquote></div>
</div>
</blockquote>
</body></html>