Introduction
SNMP (Simple Network Management Protocol) is the standard protocol for monitoring and managing network devices, servers, and applications. In 2026, with the rise of IoT and hybrid data centers, SNMP remains essential for collecting metrics like CPU usage, memory, or network interfaces.
This beginner tutorial walks you through installing and configuring net-snmp on Ubuntu/Debian, the go-to open-source implementation. We'll cover v2c (simple community-based) and v3 (secure with authentication/encryption). Think of SNMP as an 'intercom' for your machines: an agent listens for queries and returns precise stats via MIBs (Management Information Bases).
Why it matters: Tools like Zabbix, Nagios, or Prometheus rely on it for real-time alerts. By the end, you'll be monitoring a server in 15 minutes. (142 words)
Prerequisites
- Ubuntu 24.04 LTS or Debian 12+ system (root or sudo access)
- Internet connection for packages
- Basic Linux terminal knowledge
- A test server (VM recommended for safety)
Installing net-snmp
sudo apt update
sudo apt install -y snmp snmpd snmp-mibs-downloader
touch /var/lib/snmp/snmpd.conf
sudo systemctl stop snmpd
sudo systemctl disable snmpdThis command updates packages, installs the SNMP agent (snmpd), client tools (snmp), and standard MIBs. We stop and disable the service first for safe configuration. Don't skip the MIBs, or OIDs won't be human-readable.
Understanding Basic Configuration
The main file is /etc/snmp/snmpd.conf. It defines the agent:
- rocommunity: Read-only access with a password (v2c).
- sysLocation/sysContact: Descriptive info.
Copy the default file and edit it. By default, snmpd listens on UDP 161, restricted to localhost for security.
Basic SNMP v2c Configuration
# System information
sysLocation "Data Center Paris"
sysContact "admin@example.com"
# Read-only community (replace 'public' with a secret!)
rocommunity monsecret 127.0.0.1
rocommunity monsecret DEFAULT
# Allow localhost and your monitoring IP
agentAddress udp:127.0.0.1:161,udp:192.168.1.0/24:161
# Enable traps (optional)
trap2sink montrapserver.example.com montrapscret
# End of minimal configThis file sets up a 'monsecret' community for read access (rocommunity). Restrict IPs for security. 'agentAddress' limits listening. Save and test: a common pitfall is forgetting to replace 'public' with a strong secret.
Activating and Restarting the Service
sudo cp /etc/snmp/snmpd.conf.sample /etc/snmp/snmpd.conf.bak
sudo systemctl enable snmpd
sudo systemctl start snmpd
sudo systemctl status snmpdBackup the sample config, then enable and start snmpd. 'status' confirms it's listening on 161/udp without errors. If 'inactive', check logs with journalctl -u snmpd.
Testing v2c Configuration
Use snmpget for a single OID (e.g., sysDescr.0) and snmpwalk for a subtree. OID 1.3.6.1.2.1.1.1.0 is the system description.
If it works, your agent is responding! Analogy: snmpget is a precise question, snmpwalk is a full inventory.
Testing with snmpget and snmpwalk
snmpget -v2c -c monsecret localhost 1.3.6.1.2.1.1.1.0
snmpwalk -v2c -c monsecret localhost 1.3.6.1.2.1.1
snmpwalk -v2c -c monsecret localhost 1.3.6.1.2.1.25.1snmpget tests sysDescr, snmpwalk explores sysUpTime and hostResources. Replace 'localhost' with a remote IP if allowed. 'No Such Object' error? Check installed MIBs and community.
Python SNMP Client Script
from pysnmp.hlapi import *
iterator = getCmd(SnmpEngine(),
CommunityData('monsecret', mpModel=1),
UdpTransportTarget(('localhost', 161)),
ContextData(),
ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0')))
for errorIndication, errorStatus, errorIndex, varBinds in iterator:
if errorIndication:
print(errorIndication)
break
elif errorStatus:
print('%s at %s' % (errorStatus.prettyPrint(),
errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
break
else:
for varName, varValue in varBinds:
print('%s = %s' % (varName.prettyPrint(), varValue.prettyPrint()))Install pysnmp (pip install pysnmp). This script queries sysDescr via v2c. Copy-paste ready and handles errors. Great for automation; use v1=0, v2c=1 in mpModel.
Upgrading to SNMP v3 for Security
v3 adds authentication and encryption (USM). Create a user with passlib/md5 or sha/aes. Much safer than v2c for production.
SNMP v3 Configuration
createUser monuser MD5 monmotdepasse AES monclechiffre
rouser monuser authPriv
# Or without encryption: rouser monuser auth
# Test OID
sysLocation "Serveur v3"
sysContact "admin@example.com"
agentAddress udp:127.0.0.1:161Add these lines to snmpd.conf and restart. 'createUser' generates keys on the fly. authPriv means auth + encryption. Test with -v3 -u monuser -a MD5 -A monmotdepasse -x AES -X monclechiffre.
Testing SNMP v3
snmpget -v3 -u monuser -l authPriv -a MD5 -A monmotdepasse -x AES -X monclechiffre localhost 1.3.6.1.2.1.1.1.0
snmpwalk -v3 -u monuser -l authPriv -a MD5 -A monmotdepasse -x AES -X monclechiffre localhost 1.3.6.1.2.1.1-l authPriv enforces auth + priv. 'Unknown user'? Restart snmpd after createUser. Store credentials securely, not in plain text.
Best Practices
- Always use v3 in production: Avoid v1/v2c over the internet (sniffable).
- Restrict IPs: Use agentAddress + rocommunity IP/mask.
- Strong secrets: 16+ chars, rotate yearly.
- Custom MIBs: Add your OIDs for specific apps.
- Enable logs: Include 'syslog' in snmpd.conf for debugging.
Common Errors to Avoid
- Port 161 blocked: ufw allow from IP_MONITOR to any port 161 proto udp.
- Default 'public' community: Change it immediately!
- Service not restarted: Always systemctl restart snmpd after editing conf.
- Missing MIBs: snmptranslate -mALL -IR sysUpTime fails without snmp-mibs-downloader.
Next Steps
- Official docs: net-snmp.org
- Advanced tools: Zabbix SNMP, Prometheus snmp_exporter
- MIB browser: iReasoning MIB Browser