What is an SNMP Trap

The name “Simple Network Management Protocol“, also known as SNMP, sounds like this methodology is a quick but inferior alternative to a better protocol. In fact, SNMP is the universal monitoring standard for network devices and it is implemented in all of the network equipment that you buy. There is no better system.

What are the elements of an SNMP configuration?

SNMP includes three elements: a central manager, a device agent, and a management information base (MIB). Your network devices will already have an SNMP agent installed on it. The capability to use SNMP might be turned off when you first get a device, so you will have to be sure the agent is active if you want to employ SNMP for your network.

The central controller is not a standard fixture on computers. When you install a network monitoring system, this most likely employs SNMP and takes the SNMP manager role. Your new network management software is probably an interface that interprets MIB files, giving a display of the data that is gathered from the device agents.

The SNMP manager will send out information requests to all device agents periodically. Each device agent responds to this request by sending back a file, which is structured according to the MIB specifications in the Simple Network Management Protocol. While the device agent is waiting for a demand for information, it keeps updating its own copy of the MIB so the information that it returns is completely up-to-date and ready to be sent out on demand.

See also: SNMP Explained

What is an SNMP trap?

The normal operations of SNMP dictate that the device agent takes a passive role. It only sends out SNMP messages when prompted by a request from the SNMP manager. However, if the agent detects an emergency event on the device that it is monitoring, it will send out a warning message to the manager without waiting to be polled for data. This emergency message is called a trap.

Not all traps are worrisome. For example, when a printer detects that one of its toner cartridges is getting low and wants you to order a new one, the SNMP agent on that printer will treat this as a trap condition. Some very serious conditions don’t result in trap messages. For example, if the managed device gets a fatal error and stops working, it prevents the SNMP agent from operating as well. Also, if the network card on a device breaks, the SNMP agent cannot send out a trap message. In these instances, the emergency will be revealed the next time the SNMP manager sweeps the managed network for SNMP responses.

How do you set up SNMP alerts?

If you install a network monitor, you won’t see the term “trap” used anywhere in the dashboard of your software. It is a convention of network monitoring systems that traps are labeled as “alerts” instead. The total failure of a device or a network card is the only example of alerts that aren’t just displaying a trap.

The actions that can be taken on receipt of a trap message depend on the sophistication of your network monitoring software. If your monitor just reports on statuses, then you will have to use some other application to fix a problem or connect directly to the device to explore for error information, and fix the problem through its operating system. Some network monitors are actually network management systems and allow you to set up actions to perform in the event of an alert condition arising.

If the problem that is notified by a trap is physical, there isn’t anything that any software package could do to resolve it. In some cases, you wouldn’t want your network management system to go off and fix problems without waiting for your approval of the intended action. Usually, network management systems offer you the opportunity to specify in its settings what level of fault resolution automation you would like.

Trap messages can arise at all times of the day or night unless you turn all of your network equipment off in the evening when you go home. If you don’t have enough resources to sit someone in front of a console all day waiting for alert messages, you should look for a network monitor that will forward alert messages and display them in the dashboard. Some management systems can send out alert notifications by email, SMS, or chat system. You can even specify different team members to which messages should be sent according to the device type of the origin of the trap message, or the message severity level.

SNMP versions

To date, there have been three versions of SNMP. Version 1 wasn’t very widely implemented. This was released in 1988. It was replaced in 1993 by version 2. At this point, the protocol wasn’t integrated into firmware by the manufacturers of network devices. Network managers that wanted to implement the standard needed to install the SNMP agent software on their devices. SNMPv2 has backward compatibility to version 1. So, if you have a version 2 controller, it will also be able to communicate with version 1 device agents. However, that compatibility was built into the definition of SNMP manager procedures because the format of the SNMP trap changed in version 2.

SNMPv2 was not popular because it incorporated a new authentication methodology, which was difficult to implement. The authentication process specified for SNMP version 1 was much easier to use, and so a new edition of version 2 was created that used the authentication system of version 1. This and this adjustment to the definition of SNMP made it much more workable. The major network device producers decided to integrate the agent element of SNMPv2c into the firmware of their equipment. Any new entrant into the network device market had to integrate SNMP as well, otherwise, their products would not be competitive. There is another variation of version 2, which is SNMPv2u. So there are three different types of SNMPv2. Confusingly, SNMPv2c is so dominant that is often referred to as SNMPv2.

There is also an SNMPv3. The latest version of the Simple Network Management Protocol includes a different encryption method to protect transmissions of MIB files. However, the MIB structure remains the same. So a controller can communicate with either version 2 or version 3 as long as it is able to adjust the transmission security parameters that it uses. Generally, the leading network monitors are compatible with both version 2 (meaning SNMPv2c) and version 3.

SNMP trap format

The MIB contains a series of codes that represent a position in a tree structure. The entire MIB doesn’t have to be sent every time the agent reports to the central manager. A trap message contains the time time, an identifier, and a value. The identifier is an “OID” (Object Identifier). This is a code from the MIB structure denoting the trap condition’s position in the tree. Each OID represents an attribute of the device being monitored. So, the central controller can decode the OID and work out which bit of the switch or the router is being described by the trap.

Implementing SNMP

The MIB encoding system is so complicated and obscure that it is impossible to try to capture SNMP messages and traps and interpret them manually. The availability of network monitors that integrate SNMP functions makes it very easy to implement the protocol in a sophisticated software package. There are several SNMP-based network monitors that are free to use. Others offer free versions for small networks or a free trial for an introductory period. So, the cost of implementing SNMP on your network can be very economical.

What is a granular trap?

The MIB structure contains two methods for reporting problems with a device. Each element in the reporting tree structure is labeled with an identifier, called an OID. In many cases, a device element OID has child OIDs that specifically express a problem.

If a message arrives at the SMNP manager and it has one of those OIDs activated, the referencing of the OID automatically tells the manager where the problem is and what is its nature. The OID that signifies a problem is called a “granular trap.”

The second method for notifying problems doesn’t have a specific name – it is just a “trap,” or could be identified as a “standard trap.” In this scenario, the trap message will contain an OID that indicates a specific component of the monitored device and that will have a value associated with it – a variable instantiated by the device controller. The information contained in that field will indicate a problem with that device element.

So a granular trap cuts out the need for the device agent to write in that there is a problem because the presence of the OID itself already gives that information.

What is a trap category?

Traps are warnings about problems with specific elements of a device. A trap category is a grouping of possible trap codes according to the element to which they refer. So, category examples include CPU, Fan, shelf, and so on.

How to use SNMP trap messages

The benefit of SNMP traps is that they report device failure very quickly. However, they don’t give a complete picture of your network. You will notice that most of the tools in this list of recommended SNMP tools also blend in other information sources, such as NetFlow for traffic data and Syslog for system events.

As all of these tools offer free trials or free versions, you will be able to try out a candidate without risk. You might even try a couple of those SNMP tools that tempt you most.

Do you use an SNMP tool right now? Do you find that you focus more on the alerts raised by SNMP traps, or are Syslog messages more relevant to your network administration responsibilities? Leave a message in the Comments section below to share your experience.

The best SNMP trap network monitoring tools

You can get a full description of recommended network monitoring tools in the article, SNMP Explained and Best SNMP Monitoring Tools. However, you can read summaries of these tools here:

  1. SolarWinds Network Performance Monitor EDITOR’S CHOICE Automatically scans the network and lists all devices on install using SNMP. As devices are added and removed from the network the software updates the network map. Start a 30-day free trial.
  2. SolarWinds Log Analyzer (FREE TRIAL) Acts as an SNMP receiver and detects status change messages in real-time. Built-in alert system. Start a 30-day free trial.
  3. Site24x7 SNMP Trap Processing (FREE TRIAL) A network, server, application, and website monitoring package that used SNMP to monitor device statuses. This is a cloud-based service. Start a 30-day free trial.
  4. ManageEngine OpManager (FREE TRIAL) Comprehensive network performance monitor for Windows and Linux. Uses SNMP for detecting network changes. Start a 30-day free trial.
  5. Paessler PRTG Network Monitor (FREE TRIAL) Automatically maps the devices on your network at install and offers a range of map visualizations. Start a 30-day free trial.
  6. SysAid Monitoring Help Desk and IT service management system that uses SNMP to track device changes on the network.
  7. Kaseya Network Monitor Maps network devices and transposes them onto a geographical map. The dashboard also includes helpful graphs, charts, and dials.
  8. Atera Network monitoring system that integrates well with a Help Desk. Data can also be used for staff time log tracking and invoicing.
  9. Spiceworks Network Monitor Free, ad-supported network monitoring system for Windows.
  10. Pulseway IT Management Software Uses SNMP to create a real-time inventory of managed devices on the network.
  11. LogicMonitor Cloud-based service that uses collectors that can run on Windows, Mac OS, and Linux. The dashboard is cloud-based and can be accessed remotely.
  12. Event Sentry Security-based network event tracker that can be used to alert of unauthorized use and detect malicious activities.
  13. Progress WhatsUp Gold Acts as an SNMP manager and runs on Windows server environments.


How are alarms encoded in SNMP traps?

A trap contains an OID that indicates a device element followed by a status message, which can be automatically posted to the screen for the user to interpret. An alternative message format is the “granular trap” where the OID itself is an error code, which the SNMP manager just has to look up in order to derive the error message.

Is SNMP polling the same as SNMP traps?

SNMP polling refers to the SNMP manager sending out a request message. This is broadcast, so any device agent that is active and connected to the network will respond to this request with a status report. A trap is sent out by the device agent without waiting for a request.

What are SNMP trap filters?

A trap filter is an instruction to the SNMP manager that tells it what to do when it receives a trap message. The SNMP manager can either process a trap into an alert for the attention of the system user, it can send a request back to the device controller for more details, or it can just drop the message and do nothing about it.

Network management systems usually have a default of processing all trap messages into alerts. However, there is usually a settings section of the user interface in the network manager that allows the user to adjust these actions. For example, it is possible to tell the SNMP manager to drop all messages with lower severity, such as warnings.