Network Management


Network Monitoring and Management: ICMP and SNMP
ICMP
Internet Control Message Protocol
- RFC 792
- Transfer of (control) messages from routers and hosts to hosts
- Feedback about problems
  - e.g. time to live expired
- Encapsulated in a plain IP datagram
  - Not reliable
[Figure: demultiplexing of an incoming Ethernet frame. The Ethernet frame type selects the network-layer protocol (IP = 0x0800, ARP = 0x0806, RARP); the protocol field in the IP header selects ICMP (1), IGMP, TCP (6) or UDP (17); the TCP destination port selects the application (FTP server 21, telnet server 23, SMTP 25). Ethernet frame types are given in hex, the others in decimal. ICMP and IGMP sit beside IP in the network layer, not above it in the transport layer.]
ICMP Types
ICMP
- Uses IP but is a separate protocol in the network layer
- ICMP messages contain
  - Type
  - Code
  - Checksum
  - Error messages additionally quote the IP header plus the first 8 bytes of the "bad" datagram's data (enough to recover the transport-layer ports of the original datagram)

[Figure: ICMP encapsulation. IP HEADER (PROTOCOL = 1) | IP DATA = ICMP message: TYPE | CODE | CHECKSUM | remainder of ICMP message (format is type specific)]
ICMP Message Formats
Destination Unreachable
TYPE CODE CHECKSUM
UNUSED
IP HEADER + 64 bits data from original DG
TYPE = 3
CODE
0 = Net unreachable
1 = Host unreachable
2 = Protocol unreachable
3 = Port unreachable
4 = Fragmentation needed but DF set
5 = Source route failed
6 = Dest network unknown
7 = Dest host unknown
Source Quench
TYPE CODE CHECKSUM
UNUSED
IP HEADER + 64 bits data from original DG
TYPE = 4; CODE = 0
Flow control:
• Indicates that a router has dropped the original datagram, or may indicate that a router is approaching its capacity limit.
• Correct behaviour for the source host is not defined. (Source Quench has since been deprecated by RFC 6633; current stacks ignore it.)
Time Exceeded
TYPE CODE CHECKSUM
UNUSED
IP HEADER + 64 bits data from original DG
TYPE = 11
CODE
0 = Time to live exceeded in transit
1 = Fragment reassembly time exceeded
Redirect
TYPE CODE CHECKSUM
NEW ROUTER ADDRESS
IP HEADER + 64 bits data from original DG
TYPE = 5
CODE =
0 = Network redirect
1 = Host redirect
2 = Network redirect for specific TOS
3 = Host redirect for specific TOS
Redirection Concept
[Figure: a host with more than one router on its network sends a datagram via its default router; that router forwards the datagram and returns an ICMP Redirect naming the better router for that destination, which the host then uses.]
QUERY Message:
Echo and Echo Reply
TYPE CODE CHECKSUM
IDENTIFIER SEQUENCE #
DATA ….
TYPE = 8 = ECHO; 0 = ECHO REPLY
CODE = 0
IDENTIFIER
An identifier to aid in matching echoes and replies
SEQUENCE #
Same use as for IDENTIFIER
UNIX “ping” uses echo/echo reply
ICMP Timestamp Message
(largely replaced by the Network Time Protocol, NTP)
- Hosts on different networks that are trying to communicate using software that requires time synchronization can sometimes encounter problems.
- The ICMP timestamp request message allows a host to ask for the current time according to the remote host.
- The remote host uses an ICMP timestamp reply message to respond to the request.
- All ICMP timestamp reply messages contain the originate, receive and transmit timestamps.
- Using these three timestamps, the host can estimate the transit time across the network: receive timestamp minus originate timestamp for the outbound leg, and the reply's arrival time minus the transmit timestamp for the return leg. The estimate is only as good as the synchronization of the two clocks, and timestamp requests are often filtered by firewalls today.
Using Ping
[wirth:~] [4:15pm] -> ping www.uakron.edu
PING arwen.uakron.edu (130.101.81.50) 56(84) bytes of data.
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=0 ttl=62 time=0.512 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=1 ttl=62 time=0.449 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=2 ttl=62 time=1.38 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=3 ttl=62 time=0.439 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=4 ttl=62 time=0.448 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=5 ttl=62 time=0.496 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=6 ttl=62 time=0.449 ms
--- arwen.uakron.edu ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6001ms
rtt min/avg/max/mdev = 0.439/0.596/1.383/0.323 ms, pipe 2
[wirth:~] [4:16pm] ->
Extended Ping
- Used for path MTU discovery
- IP header options can be used along with ICMP:
  • route recording
  • timestamping
  • source routing
Traceroute
- UNIX utility: displays the routers used to get to a specified Internet host
- Operation
  - a router sends an ICMP Time Exceeded message to the source if the TTL is decremented to 0
  - if the TTL starts at 5, the source host will receive a Time Exceeded message from the router that is 5 hops away
- Traceroute sends a series of probes with different TTL values and records the source address of the ICMP Time Exceeded message for each
- Probes are formatted so that the destination host will send an ICMP Port Unreachable message
Traceroute and ICMP (2)
Trace the route of an IP packet
[Figure: Source -> Router 1 -> Router 2 -> Destination. Timeline: the probe with TTL=1 expires at Router 1 (Router 1 known); TTL=2 expires at Router 2 (Router 2 known); TTL=3 reaches the Destination (Destination known).]
Traceroute and ICMP (3)
Trace the route of an IP packet
- Upon reaching the destination,
  • no "Time exceeded" message is generated
  • so how do you know when the final destination is reached?
- Traceroute sends to an unused UDP port (>30000), generating an ICMP "destination unreachable" message
  • with code "port unreachable"
Traceroute example
mymachine:~% traceroute www.cis.ksu.edu
traceroute to polaris.cis.ksu.edu (129.130.10.93), 30 hops max, 40 byte packets
1 wraith.facnet.mcs.kent.edu (131.123.46.1) 0.878 ms 0.620 ms 0.553 ms
2 ghost.uis-mcs.mcs.kent.edu (131.123.40.1) 6.000 ms 3.366 ms 2.632 ms
3 lib2-255x248-e37-lib.gate.kent.edu (131.123.255.254) 7.170 ms 3.552 ms 4.477 ms
4 twcneo-cw.neo.rr.com (204.210.223.3) 9.515 ms 15.167 ms 18.687 ms
5 bordercore4-hssi1-0.NorthRoyalton.cw.net (166.48.233.253) 17.864 ms 10.971 ms 14.652 ms
6 core4.WillowSprings.cw.net (204.70.4.73) 23.438 ms 22.099 ms 17.397 ms
7 wsp-sprint2-nap.WillowSprings.cw.net (206.157.77.94) 18.367 ms 22.854 ms 20.267 ms
8 sl-bb11-chi-2-1.sprintlink.net (144.232.10.157) 23.518 ms 24.528 ms 18.757 ms
9 sl-bb12-chi-5-1.sprintlink.net (144.232.10.6) 21.197 ms 31.452 ms 15.050 ms
10 sl-bb10-kc-7-1.sprintlink.net (144.232.9.117) 46.752 ms * 40.125 ms
11 sl-gw5-kc-0-0-0.sprintlink.net (144.232.2.62) 38.360 ms 48.002 ms 44.795 ms
12 sl-uok-1-0-0.sprintlink.net (144.232.132.14) 93.256 ms 67.070 ms 61.727 ms
13 ks-1-ks-ksu.r.greatplains.net (164.113.232.193) 77.743 ms 64.566 ms 67.117 ms
14 164.113.212.250 (164.113.212.250) 59.988 ms 46.188 ms 55.616 ms
15 129.130.252.9 (129.130.252.9) 68.211 ms 67.881 ms 75.441 ms
16 polaris.cis.ksu.edu (129.130.10.93) 76.462 ms 54.838 ms *
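The message formats and the traceroute matching rule described above, as an added example (not code from the page): it builds and checksums an Echo request, builds the Destination Unreachable / Time Exceeded messages that quote the offending IP header plus 8 bytes of data, and applies the rule traceroute uses to tell a hop from the destination. The addresses (documentation ranges), the probe payload and the base port 33434 (the classic UDP traceroute base, an unused port above 30000) are assumptions of this example.

```python
"""ICMP echo / error message construction and parsing, plus traceroute's reply-matching rule.
Added example, not from the page; all addresses and payloads below are constructed test data."""
import struct

ECHO_REPLY, DEST_UNREACH, ECHO, TIME_EXCEEDED = 0, 3, 8, 11   # ICMP types (RFC 792)
PORT_UNREACH, TTL_EXCEEDED = 3, 0                              # the codes traceroute looks for
TRACEROUTE_BASE_PORT = 33434   # assumption: classic UDP traceroute base port (> 30000, unused)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request: TYPE=8 | CODE=0 | CHECKSUM | IDENTIFIER | SEQUENCE # | DATA."""
    hdr = struct.pack("!BBHHH", ECHO, 0, 0, ident, seq)
    return struct.pack("!BBHHH", ECHO, 0, checksum(hdr + payload), ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options), so the error messages have a datagram to quote."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_error(icmp_type: int, code: int, offending: bytes) -> bytes:
    """Destination Unreachable / Time Exceeded: TYPE | CODE | CHECKSUM | UNUSED (4 bytes) |
    IP header + first 64 bits (8 bytes) of data from the offending datagram."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[: ihl + 8]
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return struct.pack("!BBHI", icmp_type, code, checksum(hdr + quoted), 0) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Verify the checksum, then decode the type-specific part. In an error message the quoted
    8 data bytes start with the UDP/TCP source and destination ports of the original datagram,
    which is what lets the receiver attribute the error to one of its own flows."""
    if checksum(msg) != 0:                      # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    out = {"type": msg[0], "code": msg[1]}
    if out["type"] in (ECHO, ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif out["type"] in (DEST_UNREACH, TIME_EXCEEDED):
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        out["inner_proto"] = inner[9]
        out["inner_src"] = ".".join(map(str, inner[12:16]))
        out["inner_dst"] = ".".join(map(str, inner[16:20]))
        out["inner_sport"], out["inner_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return out


def classify_reply(reply: dict, my_ip: str, probe_dport: int) -> str:
    """traceroute's rule: only errors quoting our own probe count. Time Exceeded / TTL -> an
    intermediate hop (record the ICMP source address); Port Unreachable -> the destination."""
    if reply.get("inner_src") != my_ip or reply.get("inner_dport") != probe_dport:
        return "other"
    if reply["type"] == TIME_EXCEEDED and reply["code"] == TTL_EXCEEDED:
        return "hop"
    if reply["type"] == DEST_UNREACH and reply["code"] == PORT_UNREACH:
        return "destination"
    return "other"


def demo() -> tuple:
    """Constructed probe: UDP 192.0.2.10:40000 -> 198.51.100.7:33434 with TTL 1."""
    udp = struct.pack("!HHHH", 40000, TRACEROUTE_BASE_PORT, 8 + 4, 0) + b"tr01"
    probe = build_ipv4("192.0.2.10", "198.51.100.7", 17, 1, udp)
    hop = parse_icmp(build_error(TIME_EXCEEDED, TTL_EXCEEDED, probe))   # what router 1 sends
    end = parse_icmp(build_error(DEST_UNREACH, PORT_UNREACH, probe))    # what the destination sends
    other = build_ipv4("192.0.2.10", "198.51.100.7", 17, 1, struct.pack("!HHHH", 40000, 53, 8, 0))
    stray = parse_icmp(build_error(DEST_UNREACH, PORT_UNREACH, other))  # error for some other flow
    me = "192.0.2.10"
    return (classify_reply(hop, me, TRACEROUTE_BASE_PORT),
            classify_reply(end, me, TRACEROUTE_BASE_PORT),
            classify_reply(stray, me, TRACEROUTE_BASE_PORT))


if __name__ == "__main__":
    print(demo())   # ('hop', 'destination', 'other')
```

The checksum check comes first on purpose: a receiver that trusts an unverified Time Exceeded or Port Unreachable message can be fed bogus hops or a false end-of-path by anyone who can inject packets, and matching the quoted source address and port is what keeps an error generated for another flow from being misattributed.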
PMTU-D: TCP path MTU discovery (relies on the Destination Unreachable code 4, "fragmentation needed but DF set", listed above)
SNMP
- Where did it come from?
  - Internet Engineering Task Force
    • Network Management Area
  - SNMP v1
  - MIB-I, MIB-II
  - SNMP v2 (?)
  - SNMP v3 (?)
SNMPv1 History
- RFC 1157, 1990: "A Simple Network Management Protocol (SNMP)"
- RFC 1155 (SMI, 1990), RFC 1158 (1990) and RFC 1213 (1991): specification of MIB-II
- Written in ASN.1
Protocol context of SNMP
[Figure: SNMP runs over UDP/IP between manager and agent; not reproduced]
SNMPv1 Protocol
Five simple messages:
- get-request
- get-next-request
- get-response
- set-request
- trap
SNMP - SNMP Message Handling
Manager -> Agent: GetRequest ("What is the value of this MIB object?")
Agent -> Manager: GetResponse ("The value is XXXX!")
Manager -> Agent: GetNextRequest ("What is the next value in the MIB tree?")
Agent -> Manager: GetResponse
Manager -> Agent: SetRequest ("Modify the value of this OID")
Agent -> Manager: GetResponse ("The value is XXXX!")
Agent -> Manager: Trap ("Problem happened!")

SNMPv1: UDP ports
- get_request, get_next_request and set_request are sent by the Manager to UDP port 161 on the Agent; the Agent's get_response is returned to the port the Manager sent from
- trap is sent by the Agent to UDP port 162 on the Manager
SNMPv1 Packet Format
UDP header | Version | Community | PDU Type | Request ID | Error Status | Error Index | name | value | name | ...
- SNMP version (0 is for version 1)
- Community (read-only, read-write):
  - Shared "password" between agent and manager, carried in cleartext in every message
- PDU: specifies the request type
  - Request ID
  - Error Status
  - Error Index
Community Names
Community names define which agents an SNMP message is meant for.
• Set up your agents to belong to certain communities.
• Set up your management applications to monitor and receive traps from certain community names.
• The community travels in the clear, so treat it as a weak secret: use separate read-only and read-write communities and restrict which manager addresses an agent will answer.
RFC 1065 (MIB Structure)
"Structure and Identification of Management Information for TCP/IP-based Internets (SMI)"
- Uses Abstract Syntax Notation 1 (ASN.1)
- Types of information
  - Network Address
  - IP Address
  - Counter (32 bit, monotonically increasing, wraps to zero)
  - Gauge (32 bit variable)
  - Timeticks (time in hundredths of a second)
  - Opaque (arbitrary ASN.1 syntax wrapped in an OCTET STRING)
- Adopted as a full standard in RFC 1155 (basically unchanged)
MIB definitions
- RFC 1066 - MIB definitions using RFC 1065 (RFC 1155) (Rose & McCloghrie)
- First version of the MIB, now called MIB-I
- Adopted as a full standard in RFC 1156 (essentially unchanged from 1066)
- RFC 1158 - extends MIB-I and defines MIB-II
- Adopted as a full standard in RFC 1213
Vendor extensions to MIB
- RFC 1156 (MIB-I) allowed for vendor-specific extensions to be included in the MIB
- Allows for additional management information about devices not provided for in the standard MIB
  - For example: CPU utilisation
- Normal for devices to support all of MIB-II PLUS have their own vendor-specific extensions
SNMP NAMES
SNMP Name Structure (OSI Object Identifier Tree)
1 iso
  3 org
    6 dod
      1 internet
        1 directory
        2 mgmt
          1 mib
            1 system
              1 sysDescr
              2 sysObjectID
            2 interfaces
              1 ifTable
                1 ifEntry
                  1 ifIndex
                  2 ifDescr
                  3 ifType
                  ...
                  10 ifInOctets
        3 experimental
        4 private
          1 enterprise
            9 cisco
SNMP - MIB Tree
- Objects are managed by the tree
- An object is expressed as a row of numbers divided by periods
root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)        standard MIBs
          experimental(3)
          private(4)
            enterprise(1)   vendor-specific MIBs
  joint-iso-ccitt(2)
SNMP Naming
question: how to name every possible standard
object (protocol, data, more..) in every possible
network standard??
answer: ISO Object Identifier tree:
– hierarchical naming of all objects
– each branchpoint has name, number
1.3.6.1.2.1.7.1 = ISO(1) . ISO-identified organization(3) . US DoD(6) . Internet(1) . management(2) . MIB2(1) . UDP(7) . udpInDatagrams(1)
SNMP - OID
OID Expression
- iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1) -> .1.3.6.1.2.1
- e.g. sysDescr = .1.3.6.1.2.1.1.1 = mib-2.1.1 = system.1 (the scalar instance read on the wire is sysDescr.0)
Subtree        OID               Description
system         1.3.6.1.2.1.1     Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
interfaces     1.3.6.1.2.1.2     Keeps track of the status of each interface on a managed entity: which interfaces are up or down, octets sent and received, errors and discards, etc.
at             1.3.6.1.2.1.3     The address translation (at) group is deprecated and is provided only for backward compatibility. It will probably be dropped from MIB-III.
ip             1.3.6.1.2.1.4     Keeps track of many aspects of IP, including IP routing.
icmp           1.3.6.1.2.1.5     Tracks things such as ICMP errors, discards, etc.
tcp            1.3.6.1.2.1.6     Tracks, among other things, the state of each TCP connection (e.g., closed, listen, synSent, etc.).
udp            1.3.6.1.2.1.7     Tracks UDP statistics, datagrams in and out, etc.
egp            1.3.6.1.2.1.8     Tracks various statistics about EGP and keeps an EGP neighbor table.
transmission   1.3.6.1.2.1.10    There are currently no objects defined for this group, but other media-specific MIBs are defined using this subtree.
snmp           1.3.6.1.2.1.11    Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP packets sent and received.
SNMP - MIB & OID
The SNMP Manager can acquire the management information defined by the MIB (Management Information Base) from the Agent
- Current version: MIB-II, RFC 1213
- The MIB is the aggregate of objects (information) on the equipment that the SNMP Agent holds
- An identifier is defined for each object = OID
- The MIB implemented by an Agent is roughly divided into:
  • MIB-II: standard, public, specified by the IETF
  • Enterprise MIB: private, specified by the vendor
SNMP MIB
[Figure: a MIB module is specified via the SMI MODULE-IDENTITY construct (about 100 standardized MIBs, more vendor-specific ones); the objects inside a module are specified via the SMI OBJECT-TYPE construct.]
SMI: Object, module examples

OBJECT-TYPE example (ipInDelivers):
    ipInDelivers OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of input datagrams successfully
            delivered to IP user-protocols (including ICMP)"
        ::= { ip 9 }

MODULE-IDENTITY example (ipMIB):
    ipMIB MODULE-IDENTITY
        LAST-UPDATED "9411010000Z"
        ORGANIZATION "IETF SNMPv2 Working Group"
        CONTACT-INFO
            "Keith McCloghrie
             ..."
        DESCRIPTION
            "The MIB module for managing IP and ICMP implementations,
            but excluding their management of IP routes."
        REVISION "9103310000Z"
        ...
        ::= { mib-2 48 }
MIB example: UDP module
Object ID          Name              Type        Comments
1.3.6.1.2.1.7.1    udpInDatagrams    Counter32   total # of datagrams delivered at this node
1.3.6.1.2.1.7.2    udpNoPorts        Counter32   # of undeliverable datagrams: no application at the port
1.3.6.1.2.1.7.3    udpInErrors       Counter32   # of undeliverable datagrams: all other reasons
1.3.6.1.2.1.7.4    udpOutDatagrams   Counter32   # of datagrams sent
1.3.6.1.2.1.7.5    udpTable          SEQUENCE    one entry for each port in use by an application, giving the port # and IP address
ASN.1: Abstract Syntax Notation 1
- ISO standard X.680
  - used extensively in the Internet
  - like eating vegetables, knowing this is "good for you"!
- defined data types, object constructors
  - like SMI
- BER: Basic Encoding Rules
  - specify how ASN.1-defined data objects are to be transmitted
  - each transmitted object has Type, Length, Value (TLV) encoding
ASN.1 Syntax (the clauses of an SMIv1 OBJECT-TYPE definition)
- SYNTAX
  - Data type: e.g. INTEGER, Gauge, Counter, PhysAddress, ...
- ACCESS
  - read-only, read-write, write-only, not-accessible
- STATUS
  - mandatory, optional, obsolete
Syntax
- uses ASN.1 (Abstract Syntax Notation)
  - binary encoding: 02 01 06 is a 1-byte integer, value 6
- Primitive types
  - INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL
- Constructor types
  - SEQUENCE <primitive-type> ...      i.e. a record
  - SEQUENCE OF <primitive-type> ...   i.e. an array
Syntax
- Defined data types
  - IpAddress:  what you expect
  - Counter:    non-negative integer that wraps
  - Gauge:      non-negative integer that latches
  - TimeTicks:  time in hundredths of seconds
TLV Encoding
Idea: transmitted data is self-identifying
- T: data type, one of the ASN.1-defined types
- L: length of data in bytes
- V: value of data, encoded according to the ASN.1 standard

Tag value   Type
1           Boolean
2           Integer
3           Bitstring
4           Octet string
5           Null
6           Object Identifier
9           Real

TLV encoding example
- Integer 259: Type = 2 (integer), Length = 2 bytes, Value = 01 03  ->  02 02 01 03
- Five-character string: Type = 4 (octet string), Length = 5 bytes, Value = the 5 octets (chars)  ->  04 05 <5 bytes>
SNMP - SNMP Message Handling 2
Command examples (net-snmp tools; the community strings are masked as xxxx and yyyy)

GetRequest
inetapan@tools:~> snmpget -v2c -c xxxx tpr2.jp.apan.net .1.3.6.1.2.1.2.2.1.4.136
IF-MIB::ifMtu.136 = INTEGER: 9192

GetNextRequest
inetapan@tools:~> snmpget -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::system = No Such Object available on this agent at this OID
inetapan@tools:~> snmpwalk -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::sysDescr.0 = STRING: m20 internet router, kernel 6.2R3.10
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.2
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (423280751) 48 days, 23:46:47.51
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: tpr2
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SetRequest (the value is read with community xxxx and changed with a different community, yyyy)
inetapan@tools:~> snmpset -v2c -c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = ""
inetapan@tools:~> snmpset -v2c -c yyyy tppr.jp.apan.net system.sysLocation.0 s "Tokyo, JP"
system.sysLocation.0 = "Tokyo, JP"
inetapan@tools:~> snmpset -v2c -c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = "Tokyo, JP"
SNMP - Trap Message
- The way for the Agent to inform the Manager about an undesirable event
- A trap originates from the Agent and is sent to the trap destination configured in the Agent itself
- When the Manager receives a trap, it needs to know how to interpret it
- PDU
  - Enterprise: vendor identification (OID) for the agent
  - AgentAddress: the IP address of the node where the trap was generated
  - Trap Type: generic trap number; the specific trap number is only meaningful for enterprise-specific traps
  - Timestamp: the length of time between the last re-initialization of the agent that issued the trap and the moment at which the trap was issued
SNMP Traps
- unsolicited notification of events
- can include a variable list
- ColdStart, WarmStart
- LinkUp, LinkDown
- Authentication Failure
- EGP Neighbour Loss
- Enterprise Specific
Traps
- Forwarded automatically from the agent to the management station(s) in response to an event on the device
- Traps defined in MIB-II
  - Cold-start of system
  - Warm-start of system
  - Link down
  - Link up
  - Failure of authentication
  - Exterior Gateway Protocol (EGP) neighbour loss
  - Enterprise specific
SNMPv2 History
- RFC 1441, 1993: "Introduction to version 2 of the Internet-standard Network Management Framework"
- RFC 1446, 1993: "Security Protocols for version 2 of the Simple Network Management Protocol"
- Written to address security and feature deficiencies in SNMPv1

SNMPv2 Protocol
- Extension to SNMPv1
- Provided a (party-based) security model
- 2 new commands
  - get-bulk-request
  - inform-request
SNMPv2 Protocol continued... (party-based message formats)
General format:               privDst | authInfo | dstParty | srcParty | context | PDU
Nonsecure message:            privDst | 0-length OCTET STRING | dstParty | srcParty | context | PDU
Authenticated, not encrypted: privDst | digest, dstTime, srcTime | dstParty | srcParty | context | PDU
Private, not authenticated:   privDst | [encrypted: 0-length OCTET STRING | dstParty | srcParty | context | PDU]
Private and authenticated:    privDst | [encrypted: digest, dstTime, srcTime | dstParty | srcParty | context | PDU]
Format of SNMPv1 messages
Get-Request, Get-Next-Request, Set-Request:
  Version | Community String | PDU type | Request ID | 0 | 0 | Name X | Value X | ...
Get-Response:
  Version | Community String | PDU type | Request ID | Error status | Error index | Name X | Value X | ...
Trap:
  Version | Community String | PDU type | Enterprise | Agent Addr | Generic trap | Specific trap | Time stamp | Name X | Value X | ...
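The SNMPv1 packet format, the TLV/BER encoding rules and OID naming, and the Get-Request and Trap layouts shown above, as one added example (not code from the page or from any SNMP library): a small BER encoder/decoder that builds a GetRequest and a Trap byte for byte and parses them back. The community string, OIDs, enterprise and agent address used are constructed test values; the tag numbers are those of RFC 1155 and RFC 1157.

```python
"""SNMPv1 message encoder/decoder built directly on the BER TLV rules.
Added example, not from the page or an SNMP library; the community, OIDs and addresses are test data."""

# ASN.1 universal tags, SMI application tags (RFC 1155) and SNMPv1 PDU tags (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER, GAUGE, TIMETICKS = 0x40, 0x41, 0x42, 0x43
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4


def tlv(tag: int, value: bytes) -> bytes:
    """Type | Length | Value; short-form length below 128, long form (0x80|n, then n bytes) above."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def enc_int(v: int, tag: int = INTEGER) -> bytes:
    """Two's-complement, shortest form: 6 -> 02 01 06, 259 -> 02 02 01 03 (the page's examples)."""
    n = max(1, (v.bit_length() + 8) // 8)       # +8 keeps a sign bit for positive values
    return tlv(tag, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted: str) -> bytes:
    """First two arcs packed as 40*a+b (1.3 -> 0x2b), then base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def varbind(oid: str, value: bytes = b"\x05\x00") -> bytes:
    """Name/value pair; a request carries NULL (05 00) as the value."""
    return tlv(SEQUENCE, enc_oid(oid) + value)


def message(community: str, pdu_tag: int, pdu_body: bytes) -> bytes:
    """Version (0 = SNMPv1) | community as a plain OCTET STRING | PDU."""
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_tag, pdu_body))


def get_request(community: str, oids, request_id: int = 1) -> bytes:
    """GetRequest PDU: request-id | error-status 0 | error-index 0 | varbind list."""
    body = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, b"".join(varbind(o) for o in oids))
    return message(community, GET_REQUEST, body)


def trap(community: str, enterprise: str, agent_ip: str, generic: int, specific: int,
         uptime_ticks: int, varbinds=()) -> bytes:
    """Trap PDU: enterprise OID | agent-addr | generic-trap | specific-trap | time-stamp | varbinds."""
    addr = tlv(IPADDRESS, bytes(int(o) for o in agent_ip.split(".")))
    body = (enc_oid(enterprise) + addr + enc_int(generic) + enc_int(specific)
            + enc_int(uptime_ticks, TIMETICKS) + tlv(SEQUENCE, b"".join(varbinds)))
    return message(community, TRAP, body)


def decode(buf: bytes, pos: int = 0):
    """Parse one TLV at pos -> (tag, value, end). Constructed tags (bit 0x20 set) recurse into a list."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    body, end = buf[pos:pos + ln], pos + ln
    if tag & 0x20:
        items, p = [], 0
        while p < len(body):
            t, v, p = decode(body, p)
            items.append((t, v))
        return tag, items, end
    if tag in (INTEGER, COUNTER, GAUGE, TIMETICKS):
        return tag, int.from_bytes(body, "big", signed=(tag == INTEGER)), end
    if tag == OID:
        arcs, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        return tag, ".".join(map(str, arcs)), end
    if tag == IPADDRESS:
        return tag, ".".join(map(str, body)), end
    return tag, body, end                           # OCTET STRING, NULL, anything else: raw bytes


def parse_message(msg: bytes) -> dict:
    """Decode a whole SNMPv1 message into the fields named on the page. There is no key and no
    MAC anywhere in it: whoever sees the datagram reads the community (SNMPv3 adds real auth)."""
    _, (version, community, (pdu_tag, fields)), _ = decode(msg)
    out = {"version": version[1], "community": community[1].decode(), "pdu": pdu_tag}
    if pdu_tag == TRAP:
        ent, addr, gen, spec, ts, vbs = fields
        out.update(enterprise=ent[1], agent=addr[1], generic=gen[1], specific=spec[1], uptime=ts[1])
    else:
        rid, status, index, vbs = fields
        out.update(request_id=rid[1], error_status=status[1], error_index=index[1])
    out["varbinds"] = [(name[1], value[1]) for _, (name, value) in vbs[1]]
    return out
```

`get_request("public", ["1.3.6.1.2.1.1.1.0"])` is the exact datagram `snmpget -v1 -c public host sysDescr.0` puts on the wire, and `b"public" in` that datagram is the whole of SNMPv1's "authentication"; the decoder deliberately accepts any well-formed TLV so it can also be pointed at captured traffic.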
Coexistence by Means of a Proxy Agent
SNMPv2 manager  <->  Proxy Agent  <->  SNMPv1 agent
SNMPv2 manager-to-agent PDUs are translated into SNMPv1 manager-to-agent PDUs:
  GetRequest -> GetRequest
  GetNextRequest -> GetNextRequest
  SetRequest -> SetRequest
  GetBulkRequest -> GetNextRequest (repeated)
SNMPv1 agent-to-manager PDUs are translated into SNMPv2 agent-to-manager PDUs:
  GetResponse -> Response
  Trap -> SNMPv2-Trap
SNMPv2c Protocol
- SNMPv2 additional PDU types
- SNMPv1 community-based authentication
- UDP transport
- All the features of SNMPv2 with the security of SNMPv1 (cleartext community strings)

SNMPv1 and SNMPv2
- SNMPv1 is a subset of SNMPv2
- Managers usually can send requests in either format depending on the capability of the agents
- Migrating from SNMPv1 to SNMPv2 requires an update of the agent and manager software
- Many manufacturers resisted SNMPv2 for a variety of reasons, leading to an SNMPv3 specification
- Almost all manufacturers currently support SNMPv1
Network Monitoring Tools
Ways of Monitoring
- Classified into three monitoring ways
  1. Monitoring in the internal network (mostly)
  2. Monitoring via an external network (via a peering network, or via the Internet)
  3. Independent access, non-network (emergency case): ISDN, PSTN
[Figure: a monitoring machine inside the internal network, a second path in via the external network, and an out-of-band ISDN/PSTN path for emergencies.]
Network Management Software
- SNMP Agents
  - provided by all router vendors
  - many expanded (enterprise) MIBs
  - bridges, wiring concentrators, toasters
- Public Domain
  - Application Programming Interfaces available from CMU and MIT
  - include a variety of applications
- Commercial
  - many offerings, UNIX and PC based
    • HP OpenView
    • SunNet Manager
    • Cabletron Spectrum
    • *MANY* others
Commercial SNMP Applications
• HP OpenView - http://www.hp.com/go/openview/
• IBM NetView - http://www.tivoli.com/
• Novell ManageWise - http://www.novell.com/products/managewise/
• Sun Microsystems Solstice - http://www.sun.com/solstice/
• Microsoft SMS Server - http://www.microsoft.com/smsmgmt/
• Compaq Insight Manager - http://www.compaq.com/products/servers/management/
• SnmpQL - ODBC compliant - http://www.redpt.com/
• Empire Technologies - http://www.empiretech.com/
• Cinco Networks NetXray - ftp://ftp.cinco.com/users/cinco/demo/
• SNMP Collector (Win9X/NT) - http://www.netinst.com/html/snmp.html
• Observer - http://www.netinst.com/html/Observer.html
• Gordian's SNMP Agent - http://www.gordian.com/products_technologies/snmp.html
• Castle Rock Computing - http://www.castlerock.com/
• Advent Network Management - http://www.adventnet.com/
• SimpleAgent, SimpleTester - http://www.smplsft.com/
Monitoring Targets
- Targets suitable for checking that a network service is working normally
  - Router
    - Dead or alive?
    - Status?
    - Performance? Routing?
  - Server
    - Dead or alive?
    - Status?
    - Daemon? Service port?
  - Traffic, etc.
    - Increase or decrease?
    - DoS attack? Performance? Environment?

Monitoring Method
- How to monitor the target
  - Active monitoring or passive monitoring
    • Polling = the monitoring machine sends a message to the target it watches
      - Useful for checking the current status: ICMP/SNMP polling...
    • Receive trap messages from the target
      - Useful for detecting a status change: SNMP trap, syslog...
    • Statistics data
      - Useful for grasping the trend and transition
  - Select the monitoring tool
    • Ping (ICMP), SNMP, monitoring tool, home-made tool, etc.
  - Check the monitoring route to the target
    • Internal or external network
ICMP/Ping Polling
- Check IP reachability by ICMP echo / echo reply
  - Additional information
    • RTT (Round Trip Time)
    • Packet loss
    • TTL (Time to Live)
- The most standard way of checking node activity
- Time-series RTT / packet-loss data becomes important information when measuring link performance
[Figure: the monitoring host sends an ICMP echo and the target returns an ICMP echo reply; the result is reported as RTT: xx msec, Packet Loss: xx %, TTL: xx]
UDP/TCP polling
- Effective for monitoring the service ports of a server
  - Using the client for the service: DNS - nslookup
  - Using telnet: WWW, SMTP, POP
  - Using a tool: Radius - radping
- Example: telnet to the service port and read the reply (even an error reply such as 501 shows that the daemon is up and answering)
bash-2.05$ telnet ns.jp.apan.net 80
Trying 203.181.248.3...
Connected to ns.jp.apan.net.
Escape character is '^]'.
get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
:
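The service-port poll above, done programmatically, as an added example (not code from the page): it connects to a TCP port, optionally sends a protocol probe, and checks the first bytes of the reply, because a successful connect only proves that something is listening, not that the expected daemon is answering. The stub web server, the HTTP probe string and the loopback ports are assumptions of this example so it runs offline.

```python
"""TCP service-port polling (the 'telnet host 80' check, automated). Added example, not from the page."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_tcp_service(host: str, port: int, probe: bytes = b"", expect: bytes = b"",
                      timeout: float = 3.0) -> dict:
    """Return {'up': bool, ...}. Refused/unreachable/timeout -> down; reply without 'expect' -> down."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            banner = s.recv(512) if (probe or expect) else b""
    except OSError as e:                     # ConnectionRefusedError and socket.timeout are OSErrors
        return {"up": False, "reason": "connect/read failed: %s" % e}
    if expect and expect not in banner:
        return {"up": False, "reason": "unexpected reply", "banner": banner[:80]}
    return {"up": True, "banner": banner[:80]}


class _WebStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server on the page: answers GET / with a short body."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):        # keep the run quiet
        pass


def start_stub_server() -> int:
    """Start the stub on an ephemeral loopback port in a daemon thread; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _WebStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def free_port() -> int:
    """A loopback port with nothing listening (bound, then released), for the 'down' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"   # assumed probe; any valid request line works

if __name__ == "__main__":
    port = start_stub_server()
    print(check_tcp_service("127.0.0.1", port, HTTP_PROBE, b"HTTP/1."))   # up: HTTP daemon answers
    print(check_tcp_service("127.0.0.1", port, HTTP_PROBE, b"SSH-"))      # down: port open, wrong daemon
    print(check_tcp_service("127.0.0.1", free_port()))                     # down: nothing listening
```

The `expect` check is what distinguishes this from a bare port scan: a port that accepts the connection but answers with the wrong protocol (a leftover listener, a honeypot, a proxy) is still reported as down, which is the behaviour a Nagios-style service check needs.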
Monitoring Software - HP OpenView
HP OpenView Network Node Manager (R)
http://www.openview.hp.com/products/nnm/index.html
- Overview
  - Auto discovery and mapping
  - Drill-down views (hierarchy map)
  - Fault monitoring: ICMP / SNMP polling
  - Event monitoring: trap receiving / event configuration
  - SNMP tools: status polling
  - MIB browser
  - Web-based reports
  - Extended software is available as enhancements
  - Platform: Windows 2000/XP, Solaris 8/9, HP-UX

Monitoring Software - HP OpenView Sample 1
[Screenshots: OpenView structure: event log, network map, network sub-map, router map; ICMP polling for the connectivity check]

Monitoring Software - HP OpenView Sample 2
[Screenshots: OpenView tools: event configuration; SNMP configuration for polling (parameters, community); data collection and thresholds for SNMP]
Monitoring Software - Nagios Overview
Nagios (R)
- Freely available from http://www.nagios.org
- Overview
  - A host and service monitor designed to inform you of network and end-system problems
  - Provides simple ping availability of resources on the network
  - Works with a set of "plugins" to provide local and remote host service status
  - Custom "plugins" are relatively easy to develop
  - Web-based monitoring system
  - Platform: Linux, UNIX

Monitoring Software - Nagios Sample 1
[Screenshots: Service Overview For All Host Groups; Service Status Details For All Hosts]

Monitoring Software - Nagios Sample 2
[Screenshots: Network Map For All Hosts; event log]
MRTG (Multi-Router Traffic Grapher)
- Overview
  - Monitors the load of network equipment using SNMP; mainly used for creating traffic graphs
  - Excellent graphing tool developed by Tobias Oetiker
  - Plots any two variables against time; the graph is rendered as a PNG on an HTML page
  - Able to create scripts to feed data into MRTG
  - Implements data collection, image generation and web-page generation
  - Very widely deployed in large networks and still being actively developed
  - Platform: UNIX systems / Windows NT
  - Supports SNMPv2c: able to read 64-bit counters
  - http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
MRTG - Workflow
- Display of graph
  - Green area typically represents incoming maximum bits per second
  - Blue line typically represents outgoing maximum bits per second
- Workflow
  1. Read the configuration file
  2. Collect graphing data from the network equipment, based on the configuration
  3. Update the database (log) file and generate the graph
  4. If required, generate the HTML file
  - MRTG performs the above workflow once and then exits
  - Since MRTG collects data for the past 5 minutes (the default in the source code), it should be run from "crontab" every 5 minutes
MRTG - Data Storage Data
Storage
– Keeps 5 minute data only for 2.5 days.
The data is thrown away afterward.
Daily grafh/5min
• There is no referring to historical data with
high resolution
• Keeps 1-day data for approx. 2 years
Weekly grafh/30min
Monthly grafh/2hours
Rougher
Resolution
Yearly grafh/1day
Interval
Num of record
Storage
period
Graph
5 minutes
600
2.5 days
daily
30 minutes
600
12.5 days
Weekly
2 hours
600
50 days
Monthly
1 day
731
2 years
Yearly
MRTG - Configuration 1
MRTG Configuration
- cfgmaker
  • Helps to create the configuration file
  • Example (one command; <community>@<address> is the SNMP community and the router to poll)
    cfgmaker --global 'WorkDir: /home/httpd/html/mrtg' \
             --global 'Options[_]: bits,growright' \
             --output /home/httpd/html/mrtg/cfg/mrtg.cfg \
             <community>@<address>
    Graph & log data: /home/httpd/html/mrtg
    Configuration file: /home/httpd/html/mrtg/cfg/mrtg.cfg
    Options: unit = bits (bps), horizontal axis grows to the right
    The community string is written into mrtg.cfg in cleartext (and is visible in the process list while cfgmaker runs), so keep the configuration file unreadable to other users.
  • Detailed information
    http://people.ee.ethz.ch/~oetiker/webtools/mrtg/cfgmaker.html
MRTG - Configuration 2
Target Configuration
- Target expression
  • Target[<target name>]:<target kind>:<community>@<address>
    - <target name>: identifies the equipment
    - <target kind>: measurement item
    - <community>: SNMP community string
    - <address>: hostname or IP address of the equipment
- SNMP data collection specification methods
  • Basic / port (ifIndex)
    Target[myrouter]: 2:<community>@<address>
  • Explicit OIDs / MIB variables
    Target[myrouter]: 1.3.6.1.2.1.2.2.1.14.1&1.3.6.1.2.1.2.2.1.20.1:public@myrouter
    Target[myrouter]: ifInErrors.1&ifOutErrors.1:public@myrouter
- You can use cfgmaker to generate interface references with the option --ifref=<type> (ifIndex numbers can be renumbered when a device reboots or a card is added; the other references survive that):
  • ifref=ip: interface by IP address
  • ifref=descr: interface by description
  • ifref=name: interface by name
  • ifref=eth: interface by Ethernet address
MRTG - Configuration 3
Example of configuration (the community@host part is masked as <community>@<address>; the trailing :::::2 selects SNMPv2c so the 64-bit ifHC counters can be read)
Target[la]: ifHCInOctets\so-2/0/0&ifHCOutOctets\so-2/0/0:<community>@<address>:::::2
MaxBytes[la]: 300000000
Title[la]: Traffic Analysis of TransPAC LA Link
PageTop[la]: <H1>Traffic Analysis of TransPAC LA link</H1>
WithPeak[la]: ymw
Directory[la]: tpr2
Options[la]: bits, growright
Target[la-err]: ifInErrors\so-2/0/0&ifOutErrors\so-2/0/0:<community>@<address>
MaxBytes[la-err]: 300000000
Title[la-err]: Packet Error for TransPAC LA link
PageTop[la-err]: <H1>Packet Error for TransPAC LA link</H1>
Directory[la-err]: tpr2
Options[la-err]: growright, integer, nopercent
YLegend[la-err]: Number of Error Packets
ShortLegend[la-err]: n
Legend1[la-err]: Number of Error Packets for Incoming Traffic
Legend2[la-err]: Number of Error Packets for Outgoing Traffic
Legend3[la-err]: Peak of Number of Error Packets for Incoming Traffic
Legend4[la-err]: Peak of Number of Error Packets for Outgoing Traffic
LegendI[la-err]: &nbsp;In:
LegendO[la-err]: &nbsp;Out:
WithPeak[la-err]: w
MRTG - Comments
Comments / Disadvantages
- If you are to monitor a lot of devices (1000s), it is better to have a fast disk
- If using external monitoring scripts, a fast processor and a lot of memory are necessary
- Not particularly fast when compared to other data retrieval and storage schemes (flat text files slow down processing)
- MRTG cannot customize the graphing periods
- Flat text files are difficult to process when scripting against the data
- Use 64-bit counters with SNMPv2c (ifHCInOctets/ifHCOutOctets) for OC-3 to OC-192 and GbE interfaces: at 115 Mbit/s a 32-bit octet counter wraps in about 5 minutes, i.e. within one polling interval, so the sampled rate is silently wrong
- MRTG cannot modify collected data once it has been summarized
- Only two variables are available per graph
RRDtool (Round Robin Database Tool)
- Overview
  - Successor to MRTG
  - Developed by the same developer as MRTG: Tobias Oetiker
  - The RRD tool set can flexibly define data items, time intervals, data amounts, graph depiction, etc.
  - Binary file format that can store data at any interval for any length of time
    • The file does not grow in size over time
  - Ability to make custom graphs across user-defined intervals
    • Ability to graph multiple variables on a single graph
  - Additional scripts are necessary for creating graphs and web pages
    • 25-30 percent faster than MRTG
  - Does not have a function to collect data
  - http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
RRDtool - Architecture
Comparison of architecture between MRTG and RRD
[Figure: MRTG: one program with its own SNMP engine polls the routers, firewalls, ATM and Frame Relay switches and writes the text log, the graphs and the index page itself. RRDtool: separate frontend programs collect the data from the devices and store it in RRD files; RRDtool then generates the graphs and the index from the RRD.]
RRDtool - Basic Usage
Basic usage of RRD tools
- (1) Set up a new Round Robin Database (RRD)
  • Define the RRD used as the vessel for the data
  • Command: rrdtool create filename
- (2) Store a new set of values into the RRD periodically
  • Write the data collected by the frontend program into the RRD
  • Command: rrdtool update filename
- (3) Generate a graph
  • Create a graph from data stored in one or several RRDs
  • Command: rrdtool graph filename (specify the graph file name to generate)
[Figure: data ... data -> (2) update -> RRD (set up by (1)) -> (3) graph -> Graph]
RRDtool - Practice
Example
- Object: Gigabit Ethernet switch
- Definition of RRD records

Interval     Number of RRD records   Storage period   Graph
1 minute     360                     6 hours          4 hours
5 minutes    576                     2 days           daily
2 hours      600                     50 days          monthly
1 day        731                     2 years          yearly
4 days       915                     10 years         10 years

Peak graphs can be drawn from the data for periods from 1 day to 10 years
RRDtool - Create Set
up a new Round Robin Database (RRD)
Command Example
/usr/local/rrdtool-1.0.46/bin/rrdtool create \
/home/httpd/html/traffic/traffic_vlan.rrf \
–step 60 \
DS:vlan2in:counter60:0:125000000 \
DS:vlan2out:counter60:0:125000000 \
DS:vlan7in:counter60:0:125000000 \
DS:vlan7out:counter60:0:125000000 \
:
RRA:AVERAGE:0.5:1:360 \
RRA:AVERAGE:0.5:5:576 \
RRA:AVERAGE:0.5:120:600 \
RRA:AVERAGE:0.5:1440:731 \
RRA:AVERAGE:0.5:5760:915 \
RRA:MAX:0.2:5:576 \
RRA:MAX:0.1:120:600 \
RRA:MAX:0.1:440:731 \
RRA:MAX:0.1:5760:915 \

DS : Define the data item
 COUNTER: continuous increasing counters
 60 : if no new data is supplied for more than 60
sec, it is considered as “unknown”
 0 : minimum acceptable value (byte)
 125000000 : maximum acceptable value (byte)

RRA (Round Robin Archive) : Define the
data consolidations
 AVARAGE/MAX: average /maximum of consolidated of data
 0.5 : consolidation interval is be made up from *UNKNOWN*
data while the consolidated value is still regarded as known.
- Average 50%. MAX 20% or 10%
 1: consolidated data point where the data then goes into the
archive
 360 : how many generations of data values are kept in RRA
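The COUNTER / heartbeat / min / max rules of the DS definition above, and the counter-wrap remark from the MRTG comments (a 32-bit octet counter wraps in about 5 minutes at 115 Mbit/s), as an added example that is not from the page or from the rrdtool source: it computes the rate the way an RRD COUNTER data source does and shows which wraps are corrected and which are silently wrong. The poll values and link speeds are constructed.

```python
"""Counter-rate computation with 32/64-bit wrap handling (the COUNTER data source rules).
Added example, not from the page or rrdtool; the poll values below are constructed."""


def wrap_time_seconds(link_bps: float, bits: int = 32) -> float:
    """Seconds a 'bits'-wide octet counter takes to wrap when the link runs flat out at link_bps."""
    return (2 ** bits) / (link_bps / 8)


def counter_rate(prev: int, cur: int, dt: float, bits: int = 32, heartbeat: float = 60,
                 lo: float = 0, hi: float = None):
    """RRD COUNTER semantics: rate = delta / dt in units per second.
    - a negative delta is taken as one counter wrap and 2**bits is added back
    - dt over the heartbeat, or a rate outside [lo, hi], yields UNKNOWN (None)"""
    if dt <= 0 or dt > heartbeat:
        return None
    delta = cur - prev
    if delta < 0:
        delta += 2 ** bits
    rate = delta / dt
    if rate < lo or (hi is not None and rate > hi):
        return None
    return rate


def simulate_poll(link_bps: float, interval: float, bits: int,
                  start_counter: int = 2 ** 32 - 1000) -> float:
    """Two polls 'interval' seconds apart on a link carrying link_bps; returns the rate the poller
    computes, in bit/s. Starting just below 2**32 makes a 32-bit counter wrap inside the interval."""
    true_delta = int(link_bps / 8 * interval)
    cur = (start_counter + true_delta) % (2 ** bits)
    rate = counter_rate(start_counter, cur, interval, bits, heartbeat=2 * interval)
    return None if rate is None else rate * 8


if __name__ == "__main__":
    print(round(wrap_time_seconds(115e6)))   # 299: one wrap per 5-minute poll at 115 Mbit/s
    print(simulate_poll(100e6, 300, 32))      # 100000000.0: a single wrap is corrected
    print(simulate_poll(115e6, 300, 32))      # about 4.7e5: delta exceeded 2**32, wrong with no error
    print(simulate_poll(115e6, 300, 64))      # 115000000.0: 64-bit ifHC counter, correct
```

The wrap correction can only recover a delta smaller than the counter's range; once the true delta per poll exceeds 2**32 (115 Mbit/s for 300 s is 4.31 GB, just over the 4.29 GB range) the observed delta is small and positive, nothing flags it, and the graph shows a quiet link. That is the case for 64-bit counters or shorter polling intervals, and the min/max bounds on the DS are the only safety net.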
RRDtool - Update
Stores a new set of values into the RRD periodically
- Data collection
  • Collect the data from the targets using a frontend program
    - Home-made tool
    - Cricket - http://cricket.sourceforge.net/
    - Orca - http://www.orcaware.com/orca/
    - SNAPP - http://sourceforge.net/projects/snapp/
- Updating an RRD
  • Feed the collected data into the RRD database with the following command
Command Example
rrdtool update /home/httpd/html/traffic/traffic_vlan.rrd \
    --template vlan2in:vlan2out N:11222:1
- /home/httpd/html/traffic/traffic_vlan.rrd: the name of the RRD you want to update
- --template vlan2in:vlan2out: the data sources (DS1:DS2) defined in the RRD that the values belong to, in order
- N: the update time is set to the current time; 11222 and 1 are the two counter values
RRDtool - Graph 1
Generating a graph -1-
Command Example
rrdtool graph /home/httpd/html/traffic/traffic.png -s -4h -w 800 -h 800 -a PNG \
    -t "VLAN Traffic" -v "bit/s" \
    DEF:vlan2in_ave=/home/httpd/html/traffic/traffic_vlan.rrd:vlan2in:AVERAGE \
    DEF:vlan2out_ave=/home/httpd/html/traffic/traffic_vlan.rrd:vlan2out:AVERAGE \
    DEF:vlan7in_ave=/home/httpd/html/traffic/traffic_vlan.rrd:vlan7in:AVERAGE \
    DEF:vlan7out_ave=/home/httpd/html/traffic/traffic_vlan.rrd:vlan7out:AVERAGE \
    CDEF:vlan2in_ave_bit=vlan2in_ave,8,* \
    CDEF:vlan7in_ave_bit=vlan7in_ave,8,* \
    CDEF:vlan2out_ave_bit=vlan2out_ave,-8,* \
    CDEF:vlan7out_ave_bit=vlan7out_ave,-8,* \
    AREA:vlan2in_ave_bit#ff5e5e:VLAN2-in \
    STACK:vlan7in_ave_bit#5eff5e:VLAN7-in \
    AREA:vlan2out_ave_bit#aa0101:VLAN2-out \
    STACK:vlan7out_ave_bit#0101aa:VLAN7-out
Options
-s: start time (default unit: seconds), -e: end time (default unit: seconds),
-w, -h: width and height in pixels, -a: image format GIF|PNG, -t: graph title,
-v: vertical-label text
(Bytes per second are multiplied by 8 to get bit/s; outgoing traffic is multiplied by -8 so that it is drawn below the zero line.)
RRDtool - Graph 2
Generating a graph -2-
- DEF
  • Define a virtual name for a data source
    - DEF:<vname>=<RRDfilename>:<DS-name>:<CF>
      CF: consolidation function; select AVERAGE, MAX, MIN or LAST (newest data)
- CDEF
  • Create a new virtual data source by evaluating a mathematical expression
    - CDEF:<vname>=<rpn-expression> (Reverse Polish Notation)
- Graph depiction parameters
  - <Style>:<vname>#<color>:<legend>
    LINE: plot the requested data as a line, using the colour specified
    AREA: the area between the 0 line and the graph line is filled with the colour specified
    STACK: the graph is stacked on top of the previous LINE, AREA or STACK graph
- By re-running the graph generation periodically from "crontab", you can see updated graphs on the Web
RRDtool - Sample -
http://mrtg.jp.apan.net/cricket/router-interfaces/
Netflow - Overview Overview
– Enables IP traffic flow analysis without probes
– Invented and patented by Cisco
• Juniper (called cflowd), Foundry, ・・・ many venders are supporting
– Flow cash data on routers is exported
to a flow tool, so that traffic flow is to be analyzed
Enable NetFlow
flow Definition:
Traffic
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol type
TOS byte (DSCP)
Input logical interface
(ifIndex)
Core Network
UDP
NetFlow
Export
Packets
Collector
(Solaris, HP-UX, or Linux)
Application GUI
Netflow - Flow Data
Flow data export
- Enable NetFlow on the router
  • There are differences in architecture between Cisco and Juniper routers
  • Take care that the load on the router does not become too high!
    - Check CPU, memory, bandwidth, sampling rate
Flow data collection & analysis
- Prepare the software for receiving flow-export data
  • flow-tools http://www.splintered.net/sw/flow-tools/
  • cflowd http://www.caida.org/tools/measurement/cflowd/
  • Cisco: NetFlow Collector
- Analyze traffic from the raw data with software
  • FlowScan http://net.doit.wisc.edu/~plonka/FlowScan/
    (if you want to graph the analysis data, RRDtool is recommended)
  • Cisco: CiscoWorks
- Fields in an exported flow record
  - Source and destination IP address
  - Source and destination TCP/UDP ports
  - Packet and byte counts
  - Routing information (next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask)
Netflow - Example
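The flow definition (the seven key fields) and the exported record fields described above, as an added example that is not from the page and is not Cisco's implementation: a small router-side flow cache that aggregates packets into flows, exports them on the usual active/inactive timers with the counts and routing fields, and then runs one analysis a collector would, picking out a port scan from the exported records. The packet records, addresses and the next-hop/AS table are constructed; real exporters sample and learn AS numbers from BGP.

```python
"""NetFlow-style flow cache and one collector-side analysis. Added example, not from the page;
the packets, addresses and routing table below are constructed test data."""
from dataclasses import dataclass

FLOW_KEY = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_ifindex")
TCP_SYN = 0x02


@dataclass
class Flow:
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class FlowCache:
    """Router-side cache with active/inactive timers. 'routing' maps a destination IP to the
    routing fields carried in the export record (next_hop, src_as, dst_as, masks); a real
    router gets these from its FIB and BGP table."""

    def __init__(self, active: float = 1800, inactive: float = 15, routing: dict = None):
        self.active, self.inactive = active, inactive
        self.routing = routing or {}
        self.cache = {}
        self.exported = []

    def add_packet(self, pkt: dict, now: float) -> None:
        key = tuple(pkt[k] for k in FLOW_KEY)
        f = self.cache.get(key)
        if f is None:
            f = self.cache[key] = Flow(key, first=now, last=now)
        f.last = now
        f.packets += 1
        f.octets += pkt["length"]
        f.tcp_flags |= pkt.get("tcp_flags", 0)
        self.expire(now)

    def expire(self, now: float, force: bool = False) -> None:
        """Export flows idle longer than 'inactive' or alive longer than 'active' (all, when forced)."""
        for key, f in list(self.cache.items()):
            if force or now - f.last > self.inactive or now - f.first > self.active:
                self.exported.append(self._record(f))
                del self.cache[key]

    def _record(self, f: Flow) -> dict:
        rec = dict(zip(FLOW_KEY, f.key))
        rec.update(packets=f.packets, octets=f.octets, first=f.first, last=f.last, tcp_flags=f.tcp_flags)
        rec.update(self.routing.get(f.key[1], {}))     # key[1] is dst_ip
        return rec


def scan_suspects(records, min_targets: int = 10) -> list:
    """Sources with many distinct dst_ip:dst_port flows of exactly one SYN packet each: the
    shape a port scan has in flow data (no payload, one packet per flow, many targets)."""
    seen = {}
    for r in records:
        if r["proto"] == 6 and r["packets"] == 1 and r["tcp_flags"] & TCP_SYN:
            seen.setdefault(r["src_ip"], set()).add((r["dst_ip"], r["dst_port"]))
    return sorted(src for src, targets in seen.items() if len(targets) >= min_targets)


def demo() -> tuple:
    routing = {"198.51.100.7": {"next_hop": "192.0.2.1", "src_as": 64496, "dst_as": 64497,
                                "src_mask": 24, "dst_mask": 24}}
    fc = FlowCache(routing=routing)
    base = dict(proto=6, tos=0, in_ifindex=3)
    # constructed traffic: one normal HTTP session of 4 packets ...
    for i, (flags, length) in enumerate([(TCP_SYN, 60), (0x18, 512), (0x18, 1400), (0x11, 52)]):
        fc.add_packet(dict(base, src_ip="192.0.2.10", dst_ip="198.51.100.7", src_port=51000,
                           dst_port=80, tcp_flags=flags, length=length), now=100.0 + i)
    # ... and a SYN scan of ports 21-35 on the same server, one packet per port
    for i, port in enumerate(range(21, 36)):
        fc.add_packet(dict(base, src_ip="203.0.113.5", dst_ip="198.51.100.7", src_port=40000 + i,
                           dst_port=port, tcp_flags=TCP_SYN, length=60), now=200.0 + i * 0.1)
    fc.expire(now=300.0, force=True)
    http = next(r for r in fc.exported if r["dst_port"] == 80)
    return len(fc.exported), http["packets"], http["octets"], http["dst_as"], scan_suspects(fc.exported)


if __name__ == "__main__":
    print(demo())   # (16, 4, 2024, 64497, ['203.0.113.5'])
```

The HTTP session is exported as soon as the scan traffic arrives, because its inactive timer (15 s) has expired by then; the scan flows sit in the cache until the forced flush. That timer behaviour matters for detection: a scan that spreads its probes more than 15 s apart still shows up as one-packet flows, but a collector that only looks at flows in the order they arrive will see them interleaved with unrelated traffic.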