DEV Community

ruro122020

SNMP & ICMP Protocols

Here are a couple of communication protocols I learned today on a system at work.

SNMP
SNMP stands for Simple Network Management Protocol. It runs over UDP (User Datagram Protocol: a lightweight method of sending data that doesn’t require a connection handshake) and is used to discover and monitor devices on a network. The agent on each managed device listens on UDP port 161 for queries from the manager; the manager listens on UDP port 162 for traps the agents send. Say you have a dozen devices on your network and one drops off: the manager’s next poll of that device times out and the monitoring software flags it unreachable. One caveat worth knowing up front: in SNMPv1 and v2c the only credential is a community string (commonly left at the defaults “public” for read and “private” for write), and it travels in cleartext in every packet, so anyone who can sniff the management traffic has it. SNMPv3 adds per-user authentication and encryption, and even a read-only community should only be reachable from the management network.

When an SNMP manager (the central software that monitors everything) polls a device, it gets back structured data organized by OIDs (Object Identifiers: unique dotted-number addresses that each point to one specific piece of data on a device). These OIDs are organized in a tree structure called a MIB (Management Information Base: a map of all the data a device can report). Here’s roughly what that looks like:

OID                          Value
─────────────────────────────────────────
1.3.6.1.2.1.1.1.0           "Cisco IOS v15.2"    (system description)
1.3.6.1.2.1.1.3.0           84729100             (uptime in hundredths of a second)
1.3.6.1.2.1.1.5.0           "core-router-01"     (hostname)
1.3.6.1.2.1.2.2.1.10.1      1765214890           (bytes received on interface 1; 32-bit counter, wraps at 4294967295)
1.3.6.1.2.1.2.2.1.16.1      3298107654           (bytes sent on interface 1)
1.3.6.1.2.1.2.2.1.7.1       1                    (interface 1 admin status: 1=up)
1.3.6.1.2.1.25.3.3.1.2.1    47                   (CPU usage: 47%)

The first six numbers (1.3.6.1.2.1) are the same for every standard object because they name the same path from the root of the tree: iso(1) > identified-organization(3) > dod(6) > internet(1) > mgmt(2) > mib-2(1). Vendor-specific objects hang off a different branch, 1.3.6.1.4.1 (enterprises), with each vendor’s own number after that. Below mib-2 the numbers branch into data groups: 1 for system info, 2 for interfaces (the physical or virtual network connections on a device), 25 for host resources like CPU and memory. The trailing numbers are the instance: .0 for a scalar such as the hostname, or an index such as .1 (interface number 1) for a row in a table like the interfaces table.
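Here is how a manager actually walks that tree, as an added example (not code from the original post). The “agent” is a dict constructed from the table above, extended with a second interface and the ifOperStatus column (.8) so the table pivot has something to show; a real manager would send GetNext requests to UDP/161 instead of indexing a dict. The point it demonstrates: snmpwalk is just repeated GetNext until the answer leaves the subtree, and “next” is decided number by number, not by comparing the dotted strings.

```python
"""Walk an SNMP agent's MIB-II subtree the way snmpwalk does (GetNext)."""

# Constructed sample data (OID -> value), built from the post's table plus a
# second interface and the ifOperStatus column. Real agents return thousands.
AGENT = {
    "1.3.6.1.2.1.1.1.0": "Cisco IOS v15.2",   # sysDescr
    "1.3.6.1.2.1.1.3.0": 84729100,            # sysUpTime (TimeTicks)
    "1.3.6.1.2.1.1.5.0": "core-router-01",    # sysName
    "1.3.6.1.2.1.2.2.1.7.1": 1,               # ifAdminStatus.1
    "1.3.6.1.2.1.2.2.1.7.2": 1,               # ifAdminStatus.2
    "1.3.6.1.2.1.2.2.1.8.1": 1,               # ifOperStatus.1 (up)
    "1.3.6.1.2.1.2.2.1.8.2": 2,               # ifOperStatus.2 (down)
    "1.3.6.1.2.1.2.2.1.10.1": 1765214890,     # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 0,
    "1.3.6.1.2.1.2.2.1.16.1": 3298107654,     # ifOutOctets.1
    "1.3.6.1.2.1.2.2.1.16.2": 0,
    "1.3.6.1.2.1.25.3.3.1.2.1": 47,           # hrProcessorLoad.1
}

IF_COLUMNS = {7: "ifAdminStatus", 8: "ifOperStatus", 10: "ifInOctets", 16: "ifOutOctets"}


def parse_oid(s: str) -> tuple:
    return tuple(int(a) for a in s.strip(".").split("."))


def fmt_oid(arcs: tuple) -> str:
    return ".".join(map(str, arcs))


def get_next(agent: dict, oid: tuple):
    """The GetNext operation: the smallest OID strictly after `oid`, or None.
    Tuple comparison gives the arc-by-arc ordering SNMP requires, so
    ...2.2.1.7.1 comes before ...2.2.1.10.1 (string sort would invert them)."""
    later = [parse_oid(k) for k in agent if parse_oid(k) > oid]
    return min(later) if later else None


def walk(agent: dict, root: str) -> list:
    """Repeat GetNext from `root` until the reply leaves the subtree."""
    root_arcs = parse_oid(root)
    rows, cur = [], root_arcs
    while True:
        nxt = get_next(agent, cur)
        if nxt is None or nxt[:len(root_arcs)] != root_arcs:
            return rows
        rows.append((fmt_oid(nxt), agent[fmt_oid(nxt)]))
        cur = nxt


def if_table(agent: dict) -> dict:
    """Pivot ifTable entries (1.3.6.1.2.1.2.2.1.<column>.<ifIndex>) into one
    dict per interface, which is what snmptable prints."""
    table = {}
    for oid, value in walk(agent, "1.3.6.1.2.1.2.2.1"):
        arcs = parse_oid(oid)
        column, if_index = arcs[-2], arcs[-1]
        table.setdefault(if_index, {})[IF_COLUMNS.get(column, f"col{column}")] = value
    return table


def down_interfaces(agent: dict) -> list:
    """Interfaces configured up (ifAdminStatus=1) but not passing traffic
    (ifOperStatus=2): the condition a manager alerts on."""
    return sorted(i for i, row in if_table(agent).items()
                  if row.get("ifAdminStatus") == 1 and row.get("ifOperStatus") == 2)


if __name__ == "__main__":
    for oid, value in walk(AGENT, "1.3.6.1.2.1.1"):
        print(oid, "=", value)
    print("down:", down_interfaces(AGENT))
```

Running it walks only the system group (three rows) and reports interface 2 as down; walking `1.3.6.1.2.1` in full returns the rows in the order a real snmpwalk prints them, which is not the order `sorted()` on the dotted strings gives.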

So when the value in the right-hand column for 1.3.6.1.2.1.2.2.1.7.1 changes from 1 (up) to 2 (down), interface 1 has been taken down. Strictly, column .7 is ifAdminStatus, the state an operator configured; whether the link is actually passing traffic is the neighbouring column .8, ifOperStatus, and that is the one a manager polls to catch a pulled cable or a dead peer. The device does not wait to be polled for that either: the agent sends a linkDown trap (an unsolicited alert that an SNMP agent sends to the manager without being asked) to UDP port 162 the moment the interface goes down, and a linkUp trap when it comes back. Traps are fire-and-forget UDP, so a lost trap is never retransmitted; the periodic poll is what catches whatever the trap missed.
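To see what one of those manager-to-agent queries looks like on the wire, here is an added example (not from the original post) that hand-encodes an SNMPv2c GetRequest for sysDescr.0 in ASN.1 BER and parses it back. The community string, request id and OID are illustrative values; the byte layout follows the SNMPv2c message and PDU definitions. What a security engineer should take from it is that the community string is a plain OCTET STRING in the clear in every packet.

```python
"""Hand-rolled SNMPv2c GetRequest encoder/decoder (ASN.1 BER, no library)."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}


def ber_length(n: int) -> bytes:
    """BER length field: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(n: int) -> bytes:
    """INTEGER (tag 0x02): two's complement, minimal number of bytes."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, n.to_bytes(length, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs fold into one byte
    (40*a + b), every later arc is base-128 with a continuation bit."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))        # name + NULL value
    pdu = (encode_integer(request_id) + encode_integer(0)          # error-status
           + encode_integer(0) + tlv(0x30, varbind))               # error-index, varbinds
    msg = (encode_integer(1)                                       # version 1 == v2c (0 == v1)
           + tlv(0x04, community.encode())                         # community, in the clear
           + tlv(0xA0, pdu))                                       # [0] IMPLICIT == GetRequest
    return tlv(0x30, msg)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(packet: bytes) -> dict:
    """Decode an SNMPv1/v2c message far enough to show its credential and OIDs."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu, 0)
    _, _err, q = read_tlv(pdu, q)
    _, _idx, q = read_tlv(pdu, q)
    _, varbinds, _ = read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, name, _ = read_tlv(vb, 0)
        oids.append(decode_oid(name))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_message(pkt))
```

The 40-byte packet this prints is what you would see in a capture on UDP/161 from any v2c manager, and `b"public"` is visible in it as-is; sending it is one `socket.sendto()` call, which is deliberately left out so the example stays offline.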

ICMP
ICMP stands for Internet Control Message Protocol. It operates at the network layer (Layer 3 of the OSI model: the layer responsible for routing packets between devices across networks) and is carried directly inside IP packets (IP protocol number 1), so unlike SNMP it has no ports. ICMP uses type/code pairs to identify messages: the most common are type 8 for echo request and type 0 for echo reply, which is what ping uses, and type 3 (destination unreachable) and type 11 (time exceeded) are the error reports you see most often. It’s how you do network diagnostics, error reporting, and troubleshooting. It’s also the protocol behind DoS (Denial of Service) ping flood attacks, where an attacker overwhelms a target by sending massive amounts of ICMP traffic, which is one reason many networks rate-limit or filter ICMP, and why a host that doesn’t answer ping isn’t necessarily down.

A common use case: you’re trying to reach a website and it’s not loading, so you open a terminal and run ping google.com. If you get replies back with round-trip times (the number of milliseconds it takes a packet to travel to the destination and back), you know your network path is fine and the problem is somewhere else. If you get “Request timed out” (no echo reply arrived within the timeout) or “Destination host unreachable” (a router, or your own machine, answered with an ICMP type 3 error because it has no route to the target), the issue is between you and the server. Maybe your router is down, maybe your ISP is having problems. That’s ICMP doing its job under the hood: ping is just sending echo requests and matching the replies that come back by their identifier and sequence number.
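What ping actually puts in the packet, as an added example (not from the original post): it builds an ICMP echo request (type 8), computes the one’s-complement checksum from RFC 1071 that the kernel would otherwise fill in, and parses a reply (type 0) back. Sending and receiving need a raw socket (root), so the reply here is constructed inline rather than received; the identifier, sequence number and payload are illustrative values.

```python
"""Build, checksum and parse ICMP echo (ping) messages with the standard library."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, then complemented.
    Odd-length data is padded with a zero byte for the calculation only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo layout: type(1) code(1) checksum(2) identifier(2) sequence(2) payload.
    The checksum is computed with its own field zeroed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse any ICMP message and verify its checksum: a valid message sums
    to zero over its whole length. Raises ValueError on a damaged packet."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def match_reply(request: bytes, reply: bytes) -> bool:
    """ping pairs a reply with its request by identifier, sequence and payload;
    the same check stops a stray or spoofed reply from counting as success."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and (req["id"], req["seq"], req["payload"]) == (rep["id"], rep["seq"], rep["payload"]))


if __name__ == "__main__":
    # Constructed exchange: the request we would send, and the reply the target
    # would return (same id/seq/payload, type flipped from 8 to 0).
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    reply = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")
    print("request:", request.hex())
    print("matched reply:", match_reply(request, reply))
```

To put this on the wire you would open `socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)`, `sendto()` the request and read replies until `match_reply` succeeds or your timeout expires; the timeout is exactly the “Request timed out” case above, and a type 3 message arriving instead of a type 0 is the “Destination host unreachable” case.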
