NagiosXI and snort.
Posted: Thu Feb 10, 2011 1:13 pm
by kasslaw
I have an interesting possible issue going on. I am running NagiosXI monitoring a few servers and switches; on the same network I am running Snort on a different box. Everything seems to coexist and work fine, except I am seeing in Snort a TON of UDP packets coming from NagiosXI going to one particular switch. Overnight I had an extra 70,000+ alerts added in Snort, and 85% of those are the UDP packets coming from NagiosXI.
The alerts displayed are "SNMP public access udp" and "SNMP request udp".
Any ideas on why it's constantly requesting SNMP access to a switch every 2-3 seconds, or is this the general nature of the SNMP requests coming from Nagios?
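The question above is really "is this steady polling, or something retrying?", and the Snort alert log answers it. The script below is an added example (not code from the thread's posters or from Nagios/Snort): it parses Snort's "fast" alert format, groups alerts by rule message and source/destination pair, and splits each pair's alerts into bursts so that the packets per check and the interval between checks can be read off separately. The addresses, timestamps and gid:sid:rev values in the sample lines are constructed for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# One Snort "fast" alert line looks like (constructed sample):
# 02/10-13:13:01.100000  [**] [1:1411:10] SNMP public access udp [**] [Classification: ...] [Priority: 2] {UDP} 192.0.2.10:38210 -> 192.0.2.20:161
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_fast(line: str):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    # the fast format carries no year, so strptime defaults to 1900; only differences matter here
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    return a


def summarize(lines, burst_gap: float = 1.0) -> dict:
    """Group alerts by (rule message, src, dst). For each group report the count,
    the median gap between consecutive alerts, and a burst view: alerts closer
    together than burst_gap seconds are treated as one check, so packets_per_burst
    shows retries / multiple OIDs per check and burst_interval_s the check interval."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_fast(line)
        if a:
            groups[(a["msg"], a["src"], a["dst"])].append(a["ts"])
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # a new burst starts wherever the silence exceeds burst_gap
        starts = [times[0]] + [b for a, b in zip(times, times[1:])
                               if (b - a).total_seconds() > burst_gap]
        start_gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        report[key] = {
            "count": len(times),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "bursts": len(starts),
            "packets_per_burst": len(times) / len(starts),
            "burst_interval_s": statistics.median(start_gaps) if start_gaps else None,
        }
    return report


LINE = ("{ts}  [**] [{sig}] {msg} [**] [Classification: Attempted Information Leak] "
        "[Priority: 2] {{UDP}} {src}:38210 -> {dst}:161")


def sample_alerts() -> list:
    """Constructed sample (not the thread's real alerts): a Nagios host 192.0.2.10
    polls switch 192.0.2.20 every 3 s, each poll sending 3 packets 250 ms apart,
    and both SNMP rules fire on every packet; plus one stray alert from another host."""
    base = datetime(1900, 2, 10, 13, 13, 1, 100000)
    sigs = [("1:1411:10", "SNMP public access udp"), ("1:1417:9", "SNMP request udp")]
    lines = []
    for check in range(3):
        for pkt in range(3):
            ts = (base + timedelta(seconds=3 * check, milliseconds=250 * pkt)).strftime("%m/%d-%H:%M:%S.%f")
            lines += [LINE.format(ts=ts, sig=s, msg=m, src="192.0.2.10", dst="192.0.2.20") for s, m in sigs]
    lines.append(LINE.format(ts="02/10-13:13:02.000000", sig="1:1417:9", msg="SNMP request udp",
                             src="192.0.2.11", dst="192.0.2.20"))
    return lines


if __name__ == "__main__":
    for key, stats in summarize(sample_alerts()).items():
        print(key, stats)
```

Run against a real alert file (`summarize(open("alert").read().splitlines())`), a group whose packets_per_burst is small and whose burst_interval_s matches the configured check interval is ordinary monitoring; a group with many packets per burst points at per-check retries or many OIDs per check, which is what to tune on the Nagios side before suppressing the rule for that source/destination pair in Snort.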
Re: NagiosXI and snort.
Posted: Thu Feb 10, 2011 1:34 pm
by tonyyarusso
I'm not terribly familiar with Snort, so could you perhaps show us the actual packets you're talking about?
Re: NagiosXI and snort.
Posted: Thu Feb 10, 2011 2:55 pm
by kasslaw
Yes. This is the BASE homepage showing how many Snort alerts there are and how many are TCP/UDP, etc.
This screenshot shows the IP address of our Nagios server and the destination IP address, which is a switch we monitor. It might be hard to read, but you can see the timestamps; there are quite a few every second, and this goes on all day long.
Is this normal monitoring behavior from Nagios via SNMP?
Re: NagiosXI and snort.
Posted: Thu Feb 10, 2011 3:02 pm
by tonyyarusso
Sorry, I appear to have been misunderstood. I'm hoping for the actual packet content, as in the raw IP traffic, ideally in PCAP format. You can collect this with a tool such as Wireshark (graphical) or tcpdump (command line). That way I can see exactly what requests we're working with, and have a better chance of being able to answer your question.
Re: NagiosXI and snort.
Posted: Thu Feb 10, 2011 3:30 pm
by kasslaw
The second screenshot is all of the TCP data coming through Snort; it does the same thing as Wireshark/tcpdump.
I can get you the payload data of the packets in PCAP format from Snort in just a second.
Re: NagiosXI and snort.
Posted: Thu Feb 10, 2011 3:35 pm
by kasslaw
OK, attached in a .rar archive are 2 .pcap files. One should be the "SNMP public access udp" and the other should be the "SNMP request udp".
Re: NagiosXI and snort.
Posted: Tue Feb 15, 2011 10:41 am
by kasslaw
I'm really just interested in whether this is normal SNMP monitoring behavior between Nagios and a switch, because if it is I have no problem suppressing the alerts. But it seems to me like an excessive amount of requests, so I didn't know if there was something I could configure to reduce it?
Re: NagiosXI and snort.
Posted: Tue Feb 15, 2011 10:42 am
by tonyyarusso
I notice that both of the packets you attached have invalid IP header checksums, which I would imagine would make the IP subsystem of the OS continually request a re-send of the packet until it got a good one. Perhaps there's something wrong with the switch or a cable somewhere?
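Two things in the attached captures are worth checking by hand rather than by eye: what the SNMP requests actually are (PDU type, version, community string, which is what the "SNMP public access udp" rule keys on), and whether the IPv4 header checksums really fail. A receiver silently discards an IPv4 datagram whose header checksum is wrong, and UDP has no retransmission of its own, so any repeats seen on the wire come from the SNMP client's retry logic; a capture taken on a separate sensor (as Snort is here) shows the checksums as they were on the wire, whereas a capture taken on the sending host can show bogus checksums purely because of NIC checksum offload. The script below is an added example, not code from the thread or from Snort: it reads a classic pcap file with only the standard library, verifies each IPv4 header checksum, and decodes the SNMPv1/v2c request header. The embedded capture is constructed (made-up addresses 192.0.2.10 and 192.0.2.20) and contains one intact request and one copy whose TTL was altered after the checksum was computed.

```python
import struct

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum. Over a header whose checksum field is
    zero it yields the value to store; over a received header (field included)
    it yields 0 exactly when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ber_tlv(buf: bytes, off: int):
    """Return (tag, value, offset_after) for the BER TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def parse_snmp(payload: bytes) -> dict:
    """Version, community and PDU type of an SNMPv1/v2c message."""
    tag, msg, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, off = ber_tlv(msg, 0)
    _, community, off = ber_tlv(msg, off)
    pdu_tag, _, _ = ber_tlv(msg, off)
    return {"version": int.from_bytes(version, "big") + 1,    # 0 -> v1, 1 -> v2c
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02x" % pdu_tag)}


def pcap_records(data: bytes):
    """Yield each packet from a classic little-endian pcap file (magic d4c3b2a1)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def analyze(pcap: bytes) -> list:
    """One summary dict per Ethernet/IPv4/UDP packet addressed to port 161."""
    out = []
    for frame in pcap_records(pcap):
        if frame[12:14] != b"\x08\x00":       # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                       # not UDP
            continue
        udp = ip[ihl:]
        if struct.unpack("!H", udp[2:4])[0] != 161:
            continue
        rec = {"src": ".".join(map(str, ip[12:16])),
               "dst": ".".join(map(str, ip[16:20])),
               "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
        rec.update(parse_snmp(udp[8:]))       # UDP header is 8 bytes
        out.append(rec)
    return out


def ber(tag: int, value: bytes) -> bytes:
    """Minimal BER encoder (short-form length), used only to build the sample."""
    return bytes([tag, len(value)]) + value


def build_sample_pcap() -> bytes:
    """Constructed capture (not the thread's attachment): an SNMPv1 GetRequest for
    sysUpTime.0, community 'public', from 192.0.2.10 to 192.0.2.20, once intact
    and once with the TTL changed after checksumming, so that copy's checksum is bad."""
    varbind = ber(0x30, ber(0x06, bytes.fromhex("2b06010201010300")) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
              + ber(0x30, varbind))
    snmp = ber(0x30, ber(0x02, b"\x00") + ber(0x04, b"public") + pdu)
    udp = struct.pack("!HHHH", 38210, 161, 8 + len(snmp), 0) + snmp
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                               64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    good = bytes(12) + b"\x08\x00" + bytes(ip) + udp
    bad = bytearray(good)
    bad[14 + 8] -= 1                          # TTL 64 -> 63, checksum left stale
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = lambda f: struct.pack("<IIII", 1297365181, 0, len(f), len(f)) + f
    return header + rec(good) + rec(bytes(bad))


if __name__ == "__main__":
    print(*analyze(build_sample_pcap()), sep="\n")
```

For a real file use `analyze(open("snmp.pcap", "rb").read())`; the reader handles only the classic little-endian pcap layout with Ethernet framing, which is what tcpdump and Snort write by default on a Linux sensor. If every request from the Nagios host shows `ip_checksum_ok: False` in a capture taken on a separate sensor, the problem is upstream of the sensor (sending host, switch port or cabling); if the same packets check out fine on the sensor, the "invalid checksum" seen elsewhere was a capture artifact.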