Is there a way to get NPM trap viewer to decode Cisco mac-notification SNMP traps?
SolarWinds has solved the problem in NPM 10.1.2
The OIDValue has now the form:
0100.5E00.237D.4A64.3D00.2E00
where 005E is the VLAN in hex (-> 94 dec), 00.237D.4A64.3D is the MAC and 002E is the interface number in hex (-> 46 dec)
The following SQL statement lists the entries from the NetPerfMon database:
SELECT TOP 10 Traps.TrapID, Traps.[DateTime], Traps.[NodeID], Nodes.Caption AS Node, substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2) AS VLAN_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 3, 2) + substring(TrapVarbinds.OIDValue, 6, 2)) AS VLAN, substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2) AS Port_hex, dbo.hex2int(substring(TrapVarbinds.OIDValue, 23, 2) + substring(TrapVarbinds.OIDValue, 26, 2)) AS Port, substring(TrapVarbinds.OIDValue, 8, 15) AS MAC FROM [NetPerfMon].[dbo].[TrapVarbinds] INNER JOIN [NetPerfMon].[dbo].[Traps] ON [NetPerfMon].[dbo].[Traps].TrapID = [NetPerfMon].[dbo].[TrapVarbinds].TrapID INNER JOIN [NetPerfMon].[dbo].[Nodes] ON [NetPerfMon].[dbo].[Traps].NodeID = [NetPerfMon].[dbo].[Nodes].NodeID WHERE TrapVarbinds.OIDName = 'cmnHistMacChangedMsg.1' ORDER BY Traps.[DateTime] DESC
Where hex2int is:
CREATE function [dbo].[hex2int](@s varchar(16)) --Convert hex to bigint RETURNS bigint -- e.g. select dbo.hex2int('7ff2a5')ASBEGIN SET @s=upper(@s) DECLARE @i int, @len int, @c char(1), @result bigint SET @len = len(@s) SET @i = @len SET @result = CASE WHEN @len>0 THEN 0 END WHILE (@i>0) BEGIN SET @c = substring(@s, @i, 1) SET @result = @result + (ASCII(@c) - (CASE WHEN @c between 'A' and 'F' THEN 55 ELSE CASE WHEN @c between '0' and '9' THEN 48 END END)) * power(16., @len-@i) SET @i = @i-1 END -- while RETURN @resultEND -- function
Thomas
Could you post a the details of one of the traps the way you see it in the Trap Viewer?
The latest Orion MIB db contains the CISCO-MAC-NOTIFICATION-MIB mib.
Yann
snmpTrapEnterprise = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix experimental.1057.1 = <ip address of switch deleted> cmnHistMacChangedMsg.27 = AQAyABX5YFBwAAcA snmpTrapOID = CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1 sysUpTime = 3178811706
I think the data I'm looking for (MAC address, port number, etc...) is in the third line (cmnHistMacChangedMsg). But I don't know how to get those values from that string.
Yust a me too message! Would be great to have these decoded to mac / port=InterfaceIndex.
snmpTrapOID=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotifications.1
cmnHistMacChangedMsg=AQFNABVYhArWAAkBAU0AGk1WB24AGAEBTQAaoJN7SAACAQFNABqgk4D6ABMBAU0AoMWI+sUACgECZQAwGgGv9QACAQKaABadJ9jAABMBApoAGVXdtgAAAgEO2QACmxhyYQAFAQ7ZAAgC17vJAAIBAmUAMBoBr/UAAgECZQAwGgGv9QACAQJlADAaAa/1AAIBARYADM7xpxEAAwEMsAAdoe8bHgABAQABABadEPsIAAUBAAEAGVXdtgEAAgEARAAKzQsgAgAFAQBEAAwpv1icAAUBARYABV43iN8AEwEBFgAFXnzZbAATAQEWAAzO8acRAAMBARYAMJTCYysADgA=
experimental.1057.1=<IP Removed>
snmpTrapEnterprise=CISCO-MAC-NOTIFICATION-MIB:cmnMIBNotificationPrefix
I do not know yet how to decode that string but here is what it means as per the Cisco SNMP Object Locator:
cmnHistMacChangedMsg OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..254)) MAX-ACCESS read-only STATUS current DESCRIPTION "This object contains the information of a MAC change notification event. It consists of several tuples packed together in the format of ' < tuple1 > < tuple2 >...'. Each tuple consist of 11 octets in the format of ' < operation > < VLAN > < MAC > < dot1dBasePort > ' where < operation > is of size 1 octet and supports the following values 0 - End of MIB object. 1 - MAC learnt. 2 - MAC removed. < VLAN > is vlan number of the VLAN which the MAC address is belonged to and has size of 2 octet. < MAC > is the Layer2 Mac Address and has size of 6 octets. < dot1dBasePort > is the value of dot1dBasePort for the interface from which the MAC address is learnt and has size of 2 octets." ::= { cmnHistoryEntry 2 }
