
Berry Hoekstra (215806)

SNMP & WMI


One too many?

School: Hogeschool van Amsterdam
Institute: Instituut voor Informatica
Business Unit: Advanced System and Network Engineering
Course: Network Management

Abstract
This paper is about the Simple Network Management Protocol (SNMP) and Windows Management
Instrumentation (WMI), two different methods to monitor and manage your network infrastructure.

SNMP
SNMP is the Simple Network Management Protocol. The protocol can be used to monitor devices
connected to a network. This is done through a network management system. To successfully
monitor devices connected to a network there are certain requirements:

Agent
An SNMP agent is software that is needed on the connected device (routers, switches,
workstations) to gather and store the device’s management information and send it to the
manager.
Manager
The manager is called a Network Management System (NMS); it manages all the incoming
information that is received from the device agents on the network.
Protocol
The protocol describes how all the information gathered by the agent is sent to the manager.

There are three different SNMP versions. SNMPv1 and SNMPv2 are almost the same; the only
difference is that SNMPv2 can send bulk requests in one packet, where SNMPv1 has to send multiple
packets. SNMPv3 adds more security features like users with passwords, user groups and packet
encryption.

WMI
To monitor your hardware and software using the WMI protocol, you must run a Windows operating
system. WMI comes with all modern Windows operating systems. Management information is
gathered using providers. Providers gather the information and store it in a CIM Repository.
Management Applications get the management information from the CIM Repository.

WMI has support for extensions, so new extensions can be included in Microsoft products. WMI can
provide more comprehensive information on (Microsoft) software than any version of SNMP.

Conclusion
SNMP is a very straight-forward protocol to manage any network device with a network cable
plugged in and an IP address.

WMI is a more extensive way to produce and process management information. Not only hardware
can be monitored using WMI, but also software.

I think I can safely conclude that both SNMP (any version) and WMI can co-exist. It depends on the
company’s needs to determine what protocol is best.

Table of Contents
Abstract
Table of Contents
1. Introduction
2. Network management and monitoring
3. Research
3.1. SNMP
3.1.1. Monitoring
3.1.2. Versions
3.2. WMI
3.2.1. Monitoring
4. Results
4.1. SNMP
4.2. WMI
5. Conclusion
6. Resources

1. Introduction
This paper is about the Simple Network Management Protocol (SNMP) and Windows Management
Instrumentation (WMI), two different methods to monitor and manage your network infrastructure.

This paper is written for the course Network Management at the Hogeschool van Amsterdam. The
purpose of the paper is to research SNMP and WMI and to determine if they work well as a team or if
they are better off as a one man band.

2. Network management and monitoring
In the world of today, almost every company makes use of an IT infrastructure to make life easier.

E-mail solutions, central database systems, web servers, developer environments, test environments,
employee workstations, and many other company aspects are all part of a company’s IT
infrastructure. These assets are all running on servers in a company’s network. Of course, all
companies differ from each other, but most of the time, the company network is a key business
aspect. If the network is down, the company is down too.

This makes the network very important to monitor. IT administrators of small companies can often
monitor the machines in the network by hand. But as the company grows, the network grows. And as
the network grows, the work for the IT administrators piles up. This can be solved by expanding the
IT department, or it can be solved in a different way.

Administrators need to know what’s happening on their networks at all times. This includes real-time
and historical information like CPU and memory usage, performance statistics, and status of every
device, application, and all data on the network. It is hard to do this by hand. So if you have a large
network to administer, it may be more convenient to monitor your network from a central place.

This is the domain of network monitoring, the most critical function of network management. The
only way to know if everything on your network is operating as it should, is to monitor it
continuously.

Monitoring can be done in different ways. The most common way is to make use of management
protocols. These protocols can be used to ask and send information to management tools that can
make the information readable to humans.

There are different ways to access the information for the devices to monitor. Some examples are:

SNMP
Command Line Interfaces (CLI)
Custom XML
CMIP
Windows Management Instrumentation (WMI)
Transaction Language 1
CORBA
Netconf
Java Management Extensions (JMX)
WBEM
Common Information Model (CIM)

The most used method is SNMP. And since almost every workstation and many servers are using a
Microsoft operating system, WMI is bound to be the next popular method, although it is not yet
widely used. Is one of these two management protocols unnecessary? I will discuss the matter in the
following chapters. [1]

3. Research
In this chapter I’ll look into both SNMP and WMI and the possible solutions both protocols
have.

3.1. SNMP
SNMP is the Simple Network Management Protocol. It is part of the Internet Protocol Suite, a set of
communication protocols used for networks like the internet. [3,4] The SNMP protocol can be used
to monitor devices connected to a network. This is done through a network management system.

According to RFC3411, SNMP consists of a set of standards for network management, including an
Application Layer protocol, a database schema, and a set of data objects. These standards are used
to gather the information needed to monitor network devices successfully. [8]

3.1.1. Monitoring
To successfully monitor devices connected to a network there are certain requirements:

Agent
An SNMP agent is software that is needed on the connected device to gather and store the
device’s management information and send it to the manager in an SNMP-compatible format.
Devices can be any device, like routers, hubs, switches, workstations, printers and VoIP
phones. [3]
Manager
The manager is called a Network Management System (NMS); it manages all the incoming
information that is received from the device agents on the network. This is done using a
protocol. [5]
Protocol
The protocol describes how all the information gathered by the agent is sent to the manager.
SNMP uses SMI, the Structure of Management Information. SMI defines managed objects in
a Management Information Base (MIB). A MIB stores collections of objects in a (virtual)
database. This database is used to manage devices connected in a network. [6,7]

If all three requirements are met, devices can be successfully administered and monitored. The
SNMP agent collects the data from a device in a network in an SNMP-compatible format. The SNMP
MIB stores the objects in the database, while SMI defines these objects so that the management
data is available to the Network Management System.

3.1.2. Versions
Not every company has the same management needs. SNMP is used in many different networks,
varying in size and complexity. Some network environments may require a different approach.
Therefore there are different versions of SNMP designed to address specific management problems,
like the level of security in a specific company.

The SNMP architecture is designed to evolve. The purpose of this is so new models can be designed
to add functionality to, or replace, the existing ones. However, the interactions between different
models could result in problems like incompatibility and security issues.

RFC3584 (this RFC obsoletes RFC2576) describes the "Coexistence between Version 1, Version 2,
and Version 3 of the Internet-Standard Network Management Framework". [9,10]

So SNMP comes in three different versions, SNMPv1, SNMPv2 and SNMPv3.

SNMPv1 & SNMPv2
The first two versions are very much alike. They both use the same method to detect SNMP
packets in the network packet stream. A string is attached to each SNMPv1 and SNMPv2
packet to identify it. The string is called a community string. The SNMP agent uses this string
to determine if the packet should be processed or discarded. [11]

The difference between the first two versions is that the SNMPv2 protocol has a few more
features available, such as putting a large number of SNMP requests in one SNMP
packet, which was not possible in the initial version. The first version also uses an older version
of the SMI, while SNMPv2 uses SMIv2. This is a version that has a lot more data types, like
64-bit counters. The end user will probably not notice the difference between the two versions,
as the differences are mainly internal. [13]

SNMPv3
SNMPv3 was designed to fix the weak security in the first two versions of the SNMP protocol.
SNMPv3 also uses SMIv2 to define managed objects, as it is based on SNMPv2. As stated
above, SNMPv1 and SNMPv2 use community strings to identify the SNMP packets. These
strings are attached to the packet in plain text; this method is not very secure. SNMPv3 is
designed to make the protocol more secure by using an authentication method with users
and passwords, and by adding the possibility to encrypt the SNMP packets. It also defines
user groups and MIB-views which enable an SNMP agent to control the access to its MIB
objects. A MIB-view is a subset of the MIB. You can use MIB-views to define what part of the
MIB a user can read (SNMP GET/GETNEXT) or write (SNMP SET). The SNMPv3 framework can
also be used with V1 and V2 but it was defined for SNMPv3. [13]
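
The plain-text community string described above can be seen by decoding only the first fields of an SNMP message. The following is an added example, not part of the original paper: it reads the version and community from a v1/v2 message and, going slightly beyond the text, the security level flags (msgFlags) from an SNMPv3 header. The sample packets, the community value "n0c-r3ad" and all function names are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}      # widely shipped defaults
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}   # msgFlags bits 0-1

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Report what anyone who can see the packet learns from its header."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing, not an SNMP message")
    _, raw_version, pos = read_tlv(body, 0)
    version = int.from_bytes(raw_version, "big")
    info = {"version": VERSIONS.get(version, "unknown"), "community": None,
            "level": None, "findings": []}
    if version in (0, 1):                        # community follows the version field
        _, community, _ = read_tlv(body, pos)
        info["community"] = community.decode("latin-1")
        info["findings"].append("community string readable in cleartext")
        if info["community"].lower() in DEFAULT_COMMUNITIES:
            info["findings"].append("default community string")
    elif version == 3:                           # msgGlobalData: msgID, msgMaxSize, msgFlags
        _, global_data, _ = read_tlv(body, pos)
        p = 0
        for _field in range(3):
            _, flags, p = read_tlv(global_data, p)
        info["level"] = LEVELS.get(int.from_bytes(flags[:1], "big") & 0x03, "invalid")
        if info["level"] != "authPriv":
            info["findings"].append("SNMPv3 security level below authPriv")
    return info

def tlv(tag, payload):
    """Short-form BER encoder, used only to build the constructed samples."""
    return bytes([tag, len(payload)]) + payload

def sample_v2c(community):                       # constructed GetRequest for sysDescr.0
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x2a") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + pdu)

def sample_v3(flags):                            # constructed header, opaque payload
    global_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                      + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + global_data + tlv(0x04, b"") + tlv(0x04, bytes(8)))

if __name__ == "__main__":
    for pkt in (sample_v2c(b"public"), sample_v2c(b"n0c-r3ad"), sample_v3(0x03)):
        print(inspect_snmp(pkt))
```

Run against captured SNMP datagrams from a monitoring segment, the same check gives a quick inventory of devices that still answer to plain-text or default community strings.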

3.2. WMI
WMI stands for Windows Management Instrumentation. It is developed by Microsoft for its
Windows operating systems. It is an implementation of Web-based Enterprise Management
(WBEM), which is a standard technology for accessing management information over a network.
WMI uses the Common Information Model (CIM) industry standard to represent systems,
applications, networks, devices, and other managed components. The WMI interfaces are based on
the Component Object Model (COM) type of middleware. [14]

The Windows Management Instrumentation (WMI) protocol is used to gather management
information about hardware, software, and operating system components. WMI can be used in all
Windows-based applications, and is most useful in enterprise applications and administrative scripts.
It can be used to monitor both software and hardware and to automate tasks in a Windows
environment. [14,15]

3.2.1. Monitoring
To monitor your hardware and software using the WMI protocol, you must run a Windows operating
system. WMI is preinstalled in Windows 2000, 2003 and 2008 (including Windows ME). For older
operating systems like Windows 95 and Windows 98, it is available as a download. [14]

If WMI is installed, enabled and running on your Windows machine, it can provide a management
application with the management information that has been collected. The collecting of
management information is done by a provider. A provider monitors a managed object like a hard
disk, and provides WMI with the data it collected. The collected management information is stored in
the CIM repository. The CIM repository acts as a storage area for the management information
collected by the various providers. I will discuss more on this later on in the paper.

Part of WMI is the Windows Management service, or the CIM Object Manager. It acts as an
intermediary between the providers, management applications, and the CIM repository, placing
information from a provider into the repository. The Windows Management service also accesses the
CIM repository in response to queries and instructions from management applications.

A management application queries the Windows Management service for information regarding a
managed object and instructs the Windows Management service to send instructions to a managed
object.

When installing a Microsoft product like SQL Server, Microsoft Office or Exchange Server, an
extension of the CIM object model is installed along with the product. The CIM object model is used
by management applications to read the management information. The extension is called a WMI
class. This class will allow the gathering of management information on the specific product it
was installed along with. The newly installed WMI class allows the provider to access the information
gathered by the WMI class. A provider is just a simple DLL file using COM middleware objects.
Because a provider is designed to access some specific management information, the CIM repository
is also logically divided into several areas called namespaces. Each namespace contains a set of
providers with their related classes specific to a management area (e.g. Root\Directory\LDAP for
Active Directory, Root\SNMP for SNMP information or Root\MicrosoftIISv2 for Internet Information
Services information). The figure below shows how the CIM repository is divided.

As you can see in the CIM repository image above, the WMI CIM Repository contains a namespace
called Root\SNMP. This namespace contains SNMP providers that act as gateways to systems and
devices that use the SNMP protocol for management. SNMP MIB object variables can be read and
written. SNMP traps can be automatically mapped to WMI events. The SNMP Provider includes the
following components:

Class
Instance
Event Provider

These components integrate the SNMP information modeling and processing into WMI. These SNMP
providers map the collected management information to property values of CIM class instances. An
SNMP information module compiler is used to compile native SNMP schema information into the
format that CIM uses. [2]

With all these providers, a huge amount of management information is available in the CIM
repository. It is the job of the management application to locate the right information. To do this,
Microsoft implemented a database language called the WMI Query Language. This query language is
based on the SQL database language.

Scripting languages like VBScript or Windows PowerShell can also be used in conjunction with WMI
to manage Microsoft Windows personal computers and servers; this can be done both locally and
remotely. Microsoft also provides a command line interface to WMI called Windows Management
Instrumentation Command-line (WMIC). [14,15]

4. Results
This chapter discusses the results of the research.

4.1. SNMP
The three different SNMP versions are not that different after all. SNMPv1 and SNMPv2 are almost
the same; the only difference is that SNMPv2 can send bulk requests in one packet, where SNMPv1
has to send multiple packets. SNMPv3 adds more security features like users with passwords, user
groups and packet encryption. Not every enterprise needs this degree of security. All versions are
compatible with each other.

4.2. WMI
WMI is Microsoft’s own management protocol. It has support for extensions, so new extensions can
be included in new Microsoft products. WMI can provide more comprehensive information on
(Microsoft) software than any version of SNMP. It also has support for SNMP, so if SNMP is already
used in a network, WMI can be easily added as a management protocol.

5. Conclusion
SNMP is a very straightforward protocol to manage any network device with a network cable
plugged in and an IP address. It is called the Simple Network Management Protocol, right?

WMI is a more extensive way to produce and process management information. Not only hardware
can be monitored using WMI, but also software. Microsoft’s implementation also includes support
for SNMP, which makes it easier for network engineers to implement WMI into a network
infrastructure.

I think I can safely conclude that both SNMP (any version) and WMI can co-exist. It depends on the
company’s needs to determine what protocol is best. If a company has a large Microsoft
environment set up, it is best to install both WMI and SNMP on the machines.

If a company decides that only some of the network elements need monitoring, it is not necessary to
implement both methods in the infrastructure. Also, if software monitoring is important, WMI can
provide more comprehensive management information. To monitor the network infrastructure
completely, it is best to install both.

6. Resources
A list of the resources used during the research can be found below.

General
1. http://en.wikipedia.org/wiki/Network_management
2. http://charlesconradvaz.wordpress.com/2004/09/22/wmi-and-snmp/

SNMP
3. http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
4. http://en.wikipedia.org/wiki/Internet_Protocol_Suite
5. http://en.wikipedia.org/wiki/Network_management_system
6. http://en.wikipedia.org/wiki/Structure_of_Management_Information
7. http://en.wikipedia.org/wiki/Management_information_base
8. http://tools.ietf.org/html/rfc3411
9. http://tools.ietf.org/html/rfc2576
10. http://tools.ietf.org/html/rfc3584
11. http://tools.ietf.org/html/rfc1157
12. http://tools.ietf.org/html/rfc2578
13. http://support.ipswitch.com/kb/WG-20041105-DM01.htm

WMI
14. http://en.wikipedia.org/wiki/Windows_Management_Instrumentation
15. http://msdn.microsoft.com/en-us/library/aa394582.aspx
