

Solaris 10 constant activity

Posted on 2013-05-18
Medium Priority
Last Modified: 2013-05-22
I have a Sun Blade 2500 machine running Solaris 10. Recently I have noticed that there is always about 25 to 30% of CPU activity and disk access. This was not the case before for sure for years.

I ran top and see that the snmpd process is always using about 25-30% of CPU and its status changes between sleep/run/cpu1.

The change that I did recently (and I noticed this issue after) was changing a hard drive on the machine. The hard drive had data only and the OS hard drive did not change.

Everything seems to be working fine; however, this change bothers me and I don't know if some setup went wrong, since I did not use to see this before.

What is the use of snmpd? What happens if I become root and kill this process?

This constant activity on the machine is becoming annoying. Any idea how to stop this activity, as I am sure it was not there before?
Question by: faridsaleh
LVL 40

Expert Comment

ID: 39178644
If you aren't using SNMP, killing the process should not have a harmful effect. But, the extra activity of snmpd could be a sign of some underlying problem. Determining why snmpd is doing this would be the best approach.

Author Comment

ID: 39179311
Could you please describe to me what SNMP is? I read about it on the web but all the descriptions were not clear to me. I felt I need more background to understand this. I am just an application user of the Unix environment with limited sysadmin knowledge, just enough to get my machines running at minimum requirement.
LVL 40

Expert Comment

ID: 39179365
SNMP is a monitoring and reporting system for the hardware and OS. Excessive cpu use by snmpd could be a sign that it is seeing aberrant behavior of something. The first action should be to look through the system logs for warnings or odd behavior/activity.

Author Comment

ID: 39179426
Thanks; I looked at the latest syslog (file attached) and see these strange email attempts. There are other syslog.# files with similar entries and previous dates, almost from the time I noticed the constant activity.

I have no idea where they are coming from. Could this be the reason for the activity? Note that this machine has a static IP on the net so I can log in to it remotely.

Any suggestion as to how to stop these activities? I have not yet killed the snmpd process. If I kill this process, does it interfere with my network connection?
LVL 40

Expert Comment

ID: 39179440
Sendmail is running, though it looks like it might be misconfigured. Those log entries are spammers trying to use this system as a relay. You could disable sendmail, but the OS uses it for internal messages. The better approach would be to install a firewall and block inbound traffic on port 25. And since there could be other ports open to the Internet above and beyond what the server requires, the firewall should be configured to only allow network traffic on the necessary ports.

Oh yeah, if only a few individuals ssh into the system, move ssh to some non-standard port to discourage ssh probes.
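
The relay attempts described in the comment above can be counted per source address directly from syslog. This is an added example, not part of the original thread; the log lines are constructed in the usual Solaris sendmail format, because the asker's attached syslog is not on the page.

```shell
#!/bin/sh
# Constructed sample lines in Solaris sendmail syslog format (not the asker's log).
sample_syslog() {
cat <<'EOF'
May 18 03:14:07 blade sendmail[2211]: [ID 801593 mail.notice] r4I7E5aa002211: ruleset=check_rcpt, arg1=<a@example.org>, relay=[203.0.113.45], reject=550 5.7.1 <a@example.org>... Relaying denied
May 18 03:14:09 blade sendmail[2211]: [ID 801593 mail.notice] r4I7E5ab002211: ruleset=check_rcpt, arg1=<b@example.org>, relay=[203.0.113.45], reject=550 5.7.1 <b@example.org>... Relaying denied
May 18 03:20:41 blade sendmail[2302]: [ID 801593 mail.info] r4I7KfXX002302: from=<x@example.net>, size=1841, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA-v4, relay=mx.example.net [198.51.100.7]
May 18 03:20:42 blade sendmail[2304]: [ID 801593 mail.info] r4I7KfXX002302: to=<c@example.org>, delay=00:00:01, mailer=esmtp, relay=mail.example.org. [192.0.2.25], stat=Sent (ok)
May 18 04:00:00 blade sendmail[2400]: [ID 801593 mail.info] r4I800YY002400: from=root, size=312, class=0, nrcpts=1, relay=root@localhost
EOF
}

# relay_summary [FILE...]: per remote IP, count relay attempts sendmail rejected
# and messages it accepted from that peer. Reads stdin when no file is given.
relay_summary() {
    awk '
    /sendmail\[/ && /relay=/ {
        # Peer address is the bracketed IP after relay=; this skips the [pid] earlier on the line.
        rest = substr($0, index($0, "relay="))
        if (!match(rest, /\[[0-9.]+\]/)) next       # local submission, no peer IP
        ip = substr(rest, RSTART + 1, RLENGTH - 2)
        if (ip == "127.0.0.1") next
        if ($0 ~ /Relaying denied/) rejected[ip]++   # refused relay attempt
        else if ($0 ~ / from=/)     accepted[ip]++   # message taken from this peer
        else next                                    # outbound delivery (to=) line
        seen[ip] = 1
    }
    END {
        for (ip in seen)
            printf "%s rejected=%d accepted=%d\n", ip, rejected[ip], accepted[ip]
    }' "$@" | sort
}

sample_syslog | relay_summary
```

On Solaris 10 run the awk part with nawk or /usr/xpg4/bin/awk, since the old /usr/bin/awk has no match() function. On a host that is not meant to receive Internet mail, any address with a non-zero accepted count deserves a closer look than the rejected ones.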

Author Comment

ID: 39179995

While I generally understand your directions, I don't know how to do this. Would installing a firewall mean activating ipf? If yes, I looked at the ipf.conf file and it is empty. Can you send me an example of the ipf.conf file that blocks inbound traffic? Does that prevent other network activities? This server needs to do the following on the network.
- For some applications, check a license on a PC. The PC is the license server.
- Need to see the other machines' file systems.
- Need to share some of its file systems with other machines.
- Should be able to communicate with ExpanDrive running on a PC to see its file system, and I guess ExpanDrive uses ssh.

LVL 62

Expert Comment

ID: 39180678
Do you use some enterprise monitoring software? That might query e.g. Oracle status via SNMP...
LVL 22

Expert Comment

ID: 39180823
The proper way to disable snmp is to run this command:

svcadm disable svc:/application/management/snmpdx:default

What do the email messages in the syslog say? Maybe snmp is just trying to send you an alert about something and can't do it.

Author Comment

ID: 39186545
Thanks for the comments. Sorry I was busy at work and did not get to this.

In response to gheist: No, I don't use any monitoring software, unless something started on the machine that I don't know about. This machine is at my home office and is not part of a large network. I ran engineering applications on it.

In response to blu: I ran the command, but it does not seem to stop snmpd. It is still running. I have a copy of the syslog file attached to my previous comment if you would like to look at it. Based on the syslog, it seems that the machine is trying to relay some emails for which I do not know the sender or receiver.
LVL 22

Accepted Solution

blu earned 2000 total points
ID: 39186653
I missed one service. Run this command:

svcadm disable svc:/application/management/sma:default
LVL 27

Expert Comment

ID: 39187711
"Can you send me an example of the ipf.conf file that blocks inbound traffic."

# ipf sample dummy conf
# note: ipf applies the LAST matching rule unless a rule carries "quick"

# allow outgoing traffic from the machine
pass out all

# allow incoming ssh from everywhere, log first packet of each session
pass in log first quick from any to 0/32 port = 22 keep state

# allow network traffic from lan 10
# ("quick" so that the final "block in all" does not override this rule)
pass in quick from 10/8 to 0/32 keep state

# explicitly forbid email traffic from the WAN
# useless but i add it so you have the syntax for interface matching
# this is more secure than using ip addresses
# the interface name is the same as in ifconfig
block in on WANIFACE from any to any port = 25

# block everything else
block in all



but then such a volume of email is in no way what makes snmpd run wild

if you block the snmp port in the firewall without stopping the process, you'll be able to determine if some external devices are polling snmp info or if snmp is going wild by itself

it would be very interesting to run a trace on the snmp process to know what is wrong, but if you do not need it (which i assume if you do not know about it), you can safely kill and disable it. whether you use it or not, the network will most definitely not die if you kill it

Author Comment

ID: 39189783
Thanks blu, the command worked and stopped the activity. How it was enabled, I have no idea.

Thanks skullnobrains too. I will keep the copy of the ipf.conf. It may come in handy sometime.
