RMON (alarms and filtering)


RMON2
• RFC 2021
• Decodes packets at layers 3 through 7 of the OSI model
– An RMON2 probe can monitor traffic on the basis of the network-layer protocol
• Looks beyond the LAN segment
– The probe can record traffic to and from hosts for particular applications
• Can monitor application-level traffic
Network-layer Visibility
• The network manager can answer questions such as:
– If there is excessive load on the LAN due to incoming router traffic, which networks or hosts account for the bulk of the incoming traffic?
– If a router is overloaded because of a high amount of outgoing traffic, which networks or hosts account for the bulk of the outgoing traffic, or to which destination networks or hosts is that traffic directed?
– If there is a high load of pass-through traffic (arriving via one router and departing via another), which networks or hosts are responsible for the bulk of this traffic?
Application-level Visibility
• An RMON2 probe can see above the IP layer by reading the enclosed higher-level headers (TCP/UDP) and then the headers at the application protocol level
• This information is useful in controlling load and maintaining performance
– An NMS can be implemented that generates charts and graphs depicting the traffic percentage by protocol or by application
RMON MIB (1&2)
RMON2 MIB (1)
• protocol directory – a master directory of all protocols that the probe can interpret
• protocol distribution – aggregate statistics on the amount of traffic generated by each protocol per LAN segment
• address map – matches each network address to a specific MAC-level address and port on an attached device, i.e. the physical address on this subnetwork
• network-layer host – statistics on the amount of traffic into and out of hosts on the basis of the network-layer address
RMON2 MIB (2)
• network-layer matrix – statistics on the
amount of traffic between pairs of hosts on
the basis of network address
• application-layer host - statistics on the
amount of traffic into and out of hosts on the
basis of application-level address
• application-layer matrix - statistics on the
amount of traffic between pairs of hosts on
the basis of application-level address
RMON2 MIB (3)
• User history collection – periodically samples
user-specified variables and logs that data
based on user-defined parameters
– Ex. Collect data on a router-to-router connection
• Probe configuration – define standard
configuration parameters for RMON probes
– To solve interoperability problems
New features in RMON2 (1)
• Indexing with external objects
– A data table's INDEX clause may reference an object defined in another table (the control table), so the data table no longer needs its own copy of the control index column
– Accessing an instance of a data entry in RMON1 vs RMON2:
• RMON1: Rm1dataValue.Rm1controlIndex.Rm1dataIndex
– e.g. Rm1dataValue.2.89, where 2 = Rm1controlIndex (a column of the data table itself) and 89 = Rm1dataIndex
• RMON2: Rm2dataValue.X.Rm2dataIndex
– X = the value of the external index object (a column of the control table) that selects the set of data rows controlled by the Xth control row
– e.g. Rm2dataValue.2.89, where 2 = the external object and 89 = Rm2dataIndex
New features in RMON2 (2)
• Time filter indexing
– Typically a network management application periodically polls all probes for the values of objects
– It is desirable to have the probe return values only for those objects whose value has changed since the last poll
– There is no direct way to do this in SNMP, but RMON2 has a mechanism: a TimeFilter index object in the data table that limits a request to rows updated since a given time
Example of time filtering
fooTable (1)
  fooEntry (1)
    fooTimeMark (1)
    fooIndex (2)
    fooCount (3)
EX1. Time filtering (1)
• Suppose fooTable has two rows, with fooIndex values 1 and 2
– Without fooTimeMark, a management station can only read the two counters
– With fooTimeMark as the first index, it can request the values of these counters only if they have been updated since a given time
EX1. Time filtering (2)
• For example, suppose the current state is
– The counter with fooIndex = 1 has value 5 and was most recently updated at time 6
– The counter with fooIndex = 2 has value 9 and was most recently updated at time 8
– Then, at time 10, a manager issues the request
• GetRequest(fooCount.7.1, fooCount.7.2)
• to get the values updated since time 7
• The agent responds with fooCount.7.2 = 9 only; row 1 was last updated before time 7, so no instance is returned for it
EX2. Time Filtering (1)
• Assume that basic row 1 (fooIndex = 1) was updated as follows (sysUpTime in hundredths of a second):
sysUpTime    fooCount.*.1 value
500          1
900          2
2300         3
EX2. Time Filtering (2)
• Assume that basic row 2 (fooIndex = 2) was updated as follows:
sysUpTime    fooCount.*.2 value
1100         1
1400         2
EX2. Time Filtering (3)
• A manager station polls the probe every 15 seconds (the NMS clock records time in hundredths of a second); each poll uses the agent's sysUpTime from the previous response as the time filter
1. At nms = 1000 the manager does a baseline poll to get everything since the last agent restart (TimeFilter = 0)
GetRequest(sysUpTime.0, fooCount.0.1, fooCount.0.2)
Response(sysUpTime.0 = 600, fooCount.0.1 = 1, fooCount.0.2 = 0)
2. At nms = 2500 (15 seconds later) the manager gets an update on all changes since the last response (agent time = 600)
GetRequest(sysUpTime.0, fooCount.600.1, fooCount.600.2)
Response(sysUpTime.0 = 2100, fooCount.600.1 = 2, fooCount.600.2 = 2)
EX2. Time Filtering (4)
The agent received the request at a local time of 2100; counter 1 was incremented at time 900, counter 2 at 1100 and 1400
3. At nms = 4000 the manager gets an update on all changes since the last response (agent time = 2100)
GetRequest(sysUpTime.0, fooCount.2100.1, fooCount.2100.2)
Response(sysUpTime.0 = 3600, fooCount.2100.1 = 3)
Counter 1 was incremented at time 2300; counter 2 has not changed since 2100, so no value is returned for it
EX2. Time Filtering (5)
4. At nms = 5500 the manager gets an update on all changes since the last response (agent time = 3600)
GetRequest(sysUpTime.0, fooCount.3600.1, fooCount.3600.2)
Response(sysUpTime.0 = 5100)
Neither counter has been updated since time 3600, so no counter value is returned
Protocol Directory Group
• Provides a single central point for storing information about the types of protocols the probe understands
• One entry in the table for each protocol for which the probe can decode and count protocol data units (PDUs)
• One scalar object
– protocolDirLastChange, which contains the time of the last table change
• One columnar object (table)
– protocolDirTable
– The table covers MAC, network and higher-layer protocols
protocolDirTable
• Fig 10.5
Protocol identification
• The protocolDirID object contains a unique octet string for a specific protocol.
• The octet string identifiers for protocols are arranged in a tree-structured hierarchy.
– Each layer is identified by a 32-bit value, encoded in dotted-decimal form [a.b.c.d], one decimal number per octet
– Ex. Ethernet is protocol identifier 1, which is encoded as [0.0.0.1] and referred to symbolically as ether2
Protocol Assignments
• Each layer is identified by a 32-bit number (four octets)
• For MAC-level protocols
– ether2 = 1 [0.0.0.1]
– llc = 2 [0.0.0.2]
– snap = 3 [0.0.0.3]
– vsnap = 4 [0.0.0.4]
– ianaAssigned = 5 [0.0.0.5]
• Protocol identifiers at higher layers come from the enclosing protocol's demultiplexing field
– network layer: the type field of the Ethernet frame (IP = 0x0800 = [0.0.8.0])
– transport layer: the protocol field of the IP header (UDP = 17 = [0.0.0.17])
– application layer: the port field of the UDP/TCP header (SNMP = 161 = [0.0.0.161])
Entry in protocolDirEntry (1)
• EX. Identification of SNMP running over UDP/IP on Ethernet
– 16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161
– 16 : the number of octets to follow (four layers of four octets each)
• So, for previous example the probe is capable of
– Interpreting all incoming Ethernet frames
– Looking past the Ethernet header and trailer and
interpreting the encapsulated IP datagram
– Looking past the IP header and interpreting the
encapsulated UDP segment
– Looking past the UDP header and interpreting the
encapsulated SNMP PDU
Entry in protocolDirEntry (2)
• A separate entry is needed for each protocol that the probe can interpret and count
• So for the previous example four entries are needed in protocolDirTable, and their protocolDirID values would be
– ether2 (4.0.0.0.1)
– ether2.ip (8.0.0.0.1.0.0.8.0)
– ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)
– ether2.ip.udp.snmp (16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)
Format of index values for
protocolDirTable
Protocol parameter (1)
• The second index object for protocolDirTable is protocolDirParameters
• This object instance contains information about the probe's capability with respect to a particular protocol
• The value is structured as a one-octet count field followed by N one-octet parameters, one for each protocol layer in protocolDirID
• Each bit in a parameter octet is encoded separately to define a particular capability
Protocol parameter (2)
• The two least significant bits are defined for all protocols
– countsFragments (bit 0) : higher-layer protocols encapsulated within this protocol will be counted correctly even if this protocol fragments the upper-layer PDUs into multiple fragments
– tracksSessions (bit 1) : the probe correctly attributes all packets of a port-mapped protocol, that is, a protocol that starts a session on a well-known port or socket and then transfers it to dynamically assigned ports or sockets for the duration of the session
• Example of a port-mapped protocol: TFTP (Trivial File Transfer Protocol)
Protocol parameter (3)
• For SNMP running over UDP/IP/Ethernet, with fragments counted correctly at the IP layer (countsFragments set for ip only), the encoding of the two index objects (protocolDirID followed by protocolDirParameters) is
16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161.4.0.1.0.0
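Encoding and decoding of the protocolDirID and protocolDirParameters index values shown above, as an added example (not code from the slides or from RFC 2021). The LAYERS table, the function names and the validation rules are this example's own; the layer values are the ones the slides use (ether2 = 1, the IP Ethernet type 0x0800, IP protocol 17 for UDP, UDP port 161 for SNMP). entry_ids generalizes the "four entries are needed" point by emitting one protocolDirID per prefix of the encapsulation chain.

```python
"""Encoding and decoding of the two protocolDirTable index objects
(protocolDirID and protocolDirParameters) as described in RFC 2021.
Added example, not code from the slides or the RFC. Each protocol layer
is a 32-bit identifier written as four decimal octets; protocolDirID is
a count octet followed by the layer identifiers, protocolDirParameters a
count octet followed by one capability-flag octet per layer."""

# Layer identifier values used in the slides: base-layer MAC encapsulation
# number, Ethernet type field, IP protocol number, UDP port. Symbolic
# names follow RFC 2021; this lookup table itself is constructed here.
LAYERS = {
    "ether2": 1,
    "ip": 0x0800,     # Ethernet type field, encodes as 0.0.8.0
    "udp": 17,        # IP protocol field
    "snmp": 161,      # UDP port
}
COUNTS_FRAGMENTS = 1 << 0   # countsFragments(0)
TRACKS_SESSIONS = 1 << 1    # tracksSessions(1)


def layer_octets(value):
    """One 32-bit layer identifier as four big-endian octets."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"layer identifier out of range: {value}")
    return list(value.to_bytes(4, "big"))


def protocol_dir_id(layers):
    """protocolDirID: count octet, then 4 octets per layer in encapsulation order."""
    body = [o for v in layers for o in layer_octets(v)]
    return [len(body)] + body


def protocol_dir_parameters(flags):
    """protocolDirParameters: count octet, then one flag octet per layer."""
    if any(not 0 <= f <= 0xFF for f in flags):
        raise ValueError("parameter octet out of range")
    return [len(flags)] + list(flags)


def encode_index(layers, flags):
    """Dotted-decimal index of a protocolDirEntry: ID followed by parameters."""
    if len(flags) != len(layers):
        raise ValueError("one parameter octet is required per layer")
    return ".".join(str(o) for o in protocol_dir_id(layers) + protocol_dir_parameters(flags))


def decode_index(text):
    """Parse a dotted index back into (layers, flags), checking both counts."""
    octets = [int(x) for x in text.split(".")]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("index contains a value that is not an octet")
    n = octets[0]
    if n % 4 or len(octets) < n + 2:
        raise ValueError("protocolDirID length is not a whole number of layers")
    layers = [int.from_bytes(bytes(octets[1 + 4 * i:5 + 4 * i]), "big") for i in range(n // 4)]
    m = octets[n + 1]
    flags = octets[n + 2:]
    if len(flags) != m or m != len(layers):
        raise ValueError("protocolDirParameters count does not match the layer count")
    return layers, flags


def is_valid_index(text):
    """True if text is a well-formed protocolDirEntry index."""
    try:
        decode_index(text)
        return True
    except ValueError:
        return False


def entry_ids(names):
    """protocolDirID (dotted) for every prefix of an encapsulation chain:
    one protocolDirEntry is needed per level the probe can count."""
    values = [LAYERS[n] for n in names]
    return [".".join(str(o) for o in protocol_dir_id(values[:k])) for k in range(1, len(values) + 1)]


if __name__ == "__main__":
    chain = ["ether2", "ip", "udp", "snmp"]
    flags = [0, COUNTS_FRAGMENTS, 0, 0]     # fragments counted correctly at the IP layer
    print(encode_index([LAYERS[n] for n in chain], flags))
    print(entry_ids(chain))
```

decode_index rejects an index whose parameter count does not equal the number of layers, or whose ID length is not a multiple of four; that is the consistency check a manager should apply to an instance identifier returned by a probe before using it to build further requests.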
Protocol Directory Table (1)
• protocolDirType
– extensible(0) if the agent or manager may extend
this table by creating entries that are children of
this protocol
– addressRecognitionCapable(1) indicates that the
probe can not only count packets for this protocol
but can also recognize source and destination
address fields for finer-grained counting
Protocol Directory Table (2)
• protocolDirAddressMapConfig
– notSupported(1) : if the probe is not capable of performing address mapping for this protocol
– If capable, the value may be set to supportedOff(2) or supportedOn(3)
• protocolDirHostConfig
– May be set to notSupported(1), supportedOff(2) or supportedOn(3) with respect to the network-layer and application-layer host tables for this protocol
Protocol Directory Table (3)
• protocolDirMatrixConfig
– May be set to notSupported(1), supportedOff(2) or supportedOn(3) with respect to the network-layer and application-layer matrix tables for this protocol
Protocol Distribution Group (1)
• It summarizes how many octets and packets
have been sent from each of the protocols
supported
• protocolDistControlTable – controls collection
of basic statistics for all supported protocols
• protocolDistStatsTable – records the data
Protocol Distribution Group (2)
• Each row in protocolDistControlTable
refers to a unique network interface for
this probe and controls a number of rows
of protocolDistStatsTable, one for each
protocol recognized on that interface
Protocol Distribution Group (3)
• protocolDistControlTable consists of
– protocolDistControlIndex : an integer that uniquely identifies a row in the protocolDistControlTable
– protocolDistControlDataSource : identifies the interface that is the source of the data for this row
– protocolDistControlDroppedFrames : total number of received frames for this interface that the probe chose not to count (out of resources)
– protocolDistControlCreateTime : the value of sysUpTime when this control entry was activated
Protocol Distribution Group (4)
• The protocolDistStatsTable includes one
row for each protocol in protocolDirTable
for which at least one packet has been
seen
• It is indexed by protocolDistControlIndex
and by protocolDirLocalIndex
Protocol Distribution Group (5)
• protocolDistStatsTable consists of
– protocolDistStatsPkts : the number of packets received for this protocol
– protocolDistStatsOctets : the number of octets received for this protocol
Address Map Group (1)
• Matches each network address to a specific MAC-level address
• Helpful in node discovery and network topology applications for pinpointing the specific path of network traffic
• Three scalar objects, one control table (addressMapControlTable) and one data table (addressMapTable)
• The three scalar objects are
– addressMapInserts : the number of times an address-mapping entry has been inserted into the data table
– addressMapDeletes : the number of times an address-mapping entry has been deleted from the data table
– addressMapMaxDesiredEntries : the desired maximum number of entries in addressMapTable (if this value is set to -1, the probe may create any number of entries in addressMapTable)
• Data table size = addressMapInserts - addressMapDeletes
Address Map Group (2)
• The addressMapControlTable consists of
– addressMapControlIndex: an integer that uniquely
identifies a row in the addressMapControlTable
– addressMapControlDataSource : identifies the interface that is the source of the data for this row and that this row is configured to analyze
– addressMapControlDroppedFrames : total number of received frames for this interface that the probe chose not to count (out of resources)
Address Map Group (3)
• The addressMapTable collects address mappings based on the source MAC and network addresses seen in error-free MAC frames
• The table creates entries for all protocols in the protocol directory table whose value of protocolDirAddressMapConfig is equal to supportedOn(3)
Address Map Group (4)
• The addressMapTable consists of
– addressMapTimeMark : a time filter for this entry
– addressMapNetworkAddress : the network address for
this entry
– addressMapSource : the last interface which the
associated network address was seen
– addressMapPhysicalAddress : the last source MAC
address on which the associated network address was
seen
– addressMapLastChange : the value of sysUpTime at
the time this entry was most recently updated
Network-layer Host Group (1)
• The nlHost group collects statistics on traffic to and from hosts, keyed by their network-layer address
• This group consists of 2 tables
– nlHostControlTable : control table
– nlHostTable : data table
• Fig 10.11
Network-layer Host Group (2)
• Each row in the control table refers to a unique interface of the monitor
• nlHostControlTable
– nlHostControlIndex : an integer that uniquely identifies a row in the nlHostControlTable
– nlHostControlDataSource : identifies the interface that is the source of the data for the data table entries defined by this row
– nlHostControlNlDroppedFrames : total number of received frames for this interface that the probe chose not to count for the associated nlHost entries
Network-layer Host Group (3)
– nlHostControlNlInserts : the number of times an nlHost entry has been inserted into the nlHostTable data table
– nlHostControlNlDeletes : the number of times an nlHost entry has been deleted from the nlHostTable data table
– nlHostControlNlMaxDesiredEntries : the desired maximum number of entries in nlHostTable
Network-layer Host Group (4)
– nlHostControlAlDroppedFrames : total number of received frames for this interface that the probe chose not to count for the associated alHost entries
– nlHostControlAlInserts : the number of times an alHost entry has been inserted into the alHostTable data table
– nlHostControlAlDeletes : the number of times an alHost entry has been deleted from the alHostTable data table
– nlHostControlAlMaxDesiredEntries : the desired maximum number of entries in alHostTable
Network-layer Host Group (5)
• nlHostTable creates entries for all network-layer protocols in the protocol directory table whose value of protocolDirHostConfig is equal to supportedOn(3)
• nlHostTable
– nlHostTimeMark : a time filter for this entry
– nlHostAddress : the network address for this entry
– nlHostInPackets : the number of error-free packets transmitted to this address since it was added to the table
Network-layer Host Group (6)
– nlHostOutPackets : the number of error-free
packets transmitted from this address since it
was added to the table
– nlHostInOctets : the number of octets (in error-free packets) transmitted to this address since it was added to the table
– nlHostOutOctets : the number of octets
(error-free packets) transmitted from this
address since it was added to the table
Network-layer Host Group (7)
– nlHostCreateTime : the value of sysUpTime when this entry was last activated
– nlHostOutMacNonUnicastPkts : the number of packets transmitted by this address that were directed to the MAC broadcast address or to any MAC multicast address since this entry was added to the table
Network-layer Host Group (8)
• nlHostTable is indexed by four objects:
– nlHostControlIndex : identifies the interface
– nlHostTimeMark : a time filter
– protocolDirLocalIndex : the identity of the network-layer protocol
– nlHostAddress : the network address
Application-Layer Host Group (1)
• The nlHostControlTable also controls alHostTable
• alHostTable is the only table in the application-layer host group
• alHostTable creates entries for all application-level protocols in the protocol directory table whose value of protocolDirHostConfig is equal to supportedOn(3)
Application-Layer Host Group (2)
• alHostTable
– alHostTimeMark : a time filter for this entry
– alHostInPackets : the number of error-free
packets of this protocol type transmitted to
this address since it was added to the table
– alHostOutPackets : the number of error-free
packets of this protocol type transmitted from
this address since it was added to the table
Application-Layer Host Group (3)
– alHostInOctets : the number of octets (in error-free packets) of this protocol type transmitted to this address since it was added to the table
– alHostOutOctets : the number of octets (in error-free packets) of this protocol type transmitted from this address since it was added to the table
– alHostCreateTime : the value of sysUpTime when this entry was last activated
Application-Layer Host Group (4)
• alHostTable is indexed by five objects:
– nlHostControlIndex : define interface
– alHostTimeMark : a time filter
– protocolDirLocalIndex : the identity of the
network layer protocol
– nlHostAddress : the network address
– protocolDirLocalIndex : the identity of the
application layer protocol
Network Layer Matrix Group (1)
• Gathers statistics based on source and destination network-layer address
• The network-layer statistics consist of one control table and 2 data tables
– nlMatrixControlTable : control table for both the network-layer matrix group and the application-layer matrix group
– nlMatrixSDTable : stores statistics on traffic from a particular source network-layer address to a number of destinations
– nlMatrixDSTable : stores statistics on traffic to a particular destination network-layer address from a number of sources
Network Layer Matrix Group (2)
• The nlMatrixSDTable is indexed
– by the row of nlMatrixControlTable that controls it, then
– by a time filter : nlMatrixSDTimeMark, then
– by the network-layer protocol : protocolDirLocalIndex, then
– by the network-layer source address : nlMatrixSDSourceAddress, then
– by the network-layer destination address : nlMatrixSDDestAddress
Network Layer Matrix Group (3)
• The nlMatrixDSTable is indexed
– by the row of nlMatrixControlTable that controls it, then
– by a time filter : nlMatrixDSTimeMark, then
– by the network-layer protocol : protocolDirLocalIndex, then
– by the network-layer destination address : nlMatrixDSDestAddress, then
– by the network-layer source address : nlMatrixDSSourceAddress
Network-Layer TopN Statistics (1)
• Determines which pairs of hosts rank in the top N according to some metric
• One control table and one data table
– nlMatrixTopNControlTable
– nlMatrixTopNTable
Network-Layer TopN Statistics (2)
• nlMatrixTopNControlTable
– nlMatrixTopNRateBase : selects which counter the ranking is based on, nlMatrixTopNPkts(1) or nlMatrixTopNOctets(2)
– nlMatrixTopNRequestedSize : the maximum number of matrix entries requested for the topN table
Network-Layer TopN Statistics (3)
• nlMatrixTopNtable
– nlMatrixTopNPktRate – the number of packets seen
from source host to destination host during this
sampling interval
– nlMatrixTopNReversePktRate – same as above (but
destination to source)
– nlMatrixTopNOctetRate – the number of octets seen
from source host to destination host during this
sampling interval
– nlMatrixTopNReverseOctetRate – same as above (but
destination to source)
Network-Layer TopN Statistics (4)
• The nlMatrixTopNTable is indexed by
– nlMatrixTopNControlIndex
– nlMatrixTopNIndex
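How the nlHost, nlMatrix and topN tables are populated from observed frames, as an added example written for this page (not code from the slides or from RFC 2021). The Packet records are constructed, NlStats and its methods are this example's own names, nlHostControlIndex 1 and protocolDirLocalIndex 2 for IP are assumed, and the batch of packets is treated as one sampling interval for the top-N ranking (a real probe reports the change in the counters between the start and end of the interval). It goes a little beyond the slides by also filling the address map and applying a time filter to the host rows.

```python
"""Network-layer host and matrix statistics as an RMON2 probe would
collect them, built from constructed packet records and then ranked the
way nlMatrixTopNTable ranks conversations. Added example, not code from
the slides or RFC 2021: plain dictionaries stand in for nlHostTable,
nlMatrixSDTable, addressMapTable and nlMatrixTopNTable. Only error-free
frames are fed in; the whole batch is one top-N sampling interval."""
from dataclasses import dataclass

CONTROL_INDEX = 1     # one monitored interface (nlHostControlIndex)
IP_LOCAL_INDEX = 2    # assumed protocolDirLocalIndex of ip in protocolDirTable


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    octets: int
    seen_at: int      # probe sysUpTime when the frame was seen


def mac_is_non_unicast(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of octet 0) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def new_host_row(t):
    return dict(inPkts=0, outPkts=0, inOctets=0, outOctets=0,
                outMacNonUnicastPkts=0, createTime=t, timeMark=t)


class NlStats:
    def __init__(self):
        self.host = {}          # nlHostAddress -> counters (nlHostTable)
        self.matrix_sd = {}     # (src, dst) -> counters (nlMatrixSDTable)
        self.address_map = {}   # network addr -> (MAC, lastChange) (addressMapTable)
        self.inserts = 0        # nlHostControlNlInserts

    def _host(self, addr, t):
        if addr not in self.host:
            self.host[addr] = new_host_row(t)
            self.inserts += 1
        return self.host[addr]

    def observe(self, p):
        """Account one error-free frame to the source and destination hosts,
        the source-to-destination matrix entry and the address map."""
        src, dst = self._host(p.src_ip, p.seen_at), self._host(p.dst_ip, p.seen_at)
        src["outPkts"] += 1; src["outOctets"] += p.octets; src["timeMark"] = p.seen_at
        dst["inPkts"] += 1; dst["inOctets"] += p.octets; dst["timeMark"] = p.seen_at
        if mac_is_non_unicast(p.dst_mac):
            src["outMacNonUnicastPkts"] += 1
        m = self.matrix_sd.setdefault((p.src_ip, p.dst_ip),
                                      dict(pkts=0, octets=0, createTime=p.seen_at, timeMark=p.seen_at))
        m["pkts"] += 1; m["octets"] += p.octets; m["timeMark"] = p.seen_at
        # the address map is learned from source MAC / source network address pairs only
        self.address_map[p.src_ip] = (p.src_mac, p.seen_at)

    def host_rows(self, time_filter=0):
        """nlHostTable rows changed at or after time_filter, keyed by the
        four index objects (control index, time mark, protocol, address)."""
        return {(CONTROL_INDEX, r["timeMark"], IP_LOCAL_INDEX, a): r
                for a, r in self.host.items() if r["timeMark"] >= time_filter}

    def top_n(self, n, rate_base="nlMatrixTopNOctets"):
        """Rank source/destination pairs as nlMatrixTopNTable does; the
        reverse counters come from the (dst, src) entry if one exists."""
        field = "octets" if rate_base == "nlMatrixTopNOctets" else "pkts"
        ranked = sorted(self.matrix_sd.items(), key=lambda kv: kv[1][field], reverse=True)[:n]
        rows = []
        for rank, ((s, d), c) in enumerate(ranked, start=1):
            rev = self.matrix_sd.get((d, s), dict(pkts=0, octets=0))
            rows.append(dict(nlMatrixTopNIndex=rank, src=s, dst=d,
                             pktRate=c["pkts"], reversePktRate=rev["pkts"],
                             octetRate=c["octets"], reverseOctetRate=rev["octets"]))
        return rows


def sample_packets():
    """Constructed traffic on one segment (not captured data)."""
    bcast = "ff:ff:ff:ff:ff:ff"
    return [
        Packet("00:11:22:33:44:05", "00:11:22:33:44:09", "10.0.0.5", "10.0.0.9", 1500, 100),
        Packet("00:11:22:33:44:09", "00:11:22:33:44:05", "10.0.0.9", "10.0.0.5", 60, 110),
        Packet("00:11:22:33:44:05", "00:11:22:33:44:09", "10.0.0.5", "10.0.0.9", 1500, 120),
        Packet("00:11:22:33:44:07", bcast, "10.0.0.7", "10.0.0.255", 80, 130),
        Packet("00:11:22:33:44:05", "00:11:22:33:44:07", "10.0.0.5", "10.0.0.7", 200, 140),
    ]


def build_sample_stats():
    stats = NlStats()
    for p in sample_packets():
        stats.observe(p)
    return stats


if __name__ == "__main__":
    s = build_sample_stats()
    for row in s.top_n(2):
        print(row)
```

The result is a compact who-talks-to-whom record for the segment, which is what makes these tables a good input for traffic baselining and anomaly detection, and also why read access to the probe should be limited to the management station.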
Application-Layer Matrix Group (1)
• Statistical collection of information based on
source and destination application address
(port number)
• This group consists of 3 data tables and 1
control table
– alMatrixSDTable
– alMatrixDSTable
– alMatrixTopNControlTable
– alMatrixTopNTable
alMatrix Group (2)
• Fig 10.15
Application-Layer Matrix Group (2)
• The alMatrixSDTable (and likewise alMatrixDSTable) is indexed by
– nlMatrixControlIndex : identifies the interface (subnetwork) being monitored
– alMatrixSDTimeMark : time filter
– protocolDirLocalIndex : the network-layer protocol
– nlMatrixSDSourceAddress : the network-layer source address
– nlMatrixSDDestAddress : the network-layer destination address
– protocolDirLocalIndex : the application-layer protocol
Application-Layer Matrix Group (3)
• alMatrixTopNControlTable has the same structure as nlMatrixTopNControlTable
• The only difference is the definition of the rate base object, alMatrixTopNRateBase, which has four values
– alMatrixTopNTerminalsPkts(1) : count only packets of this protocol itself (not of any child protocol)
– alMatrixTopNTerminalsOctets(2) : count only octets of this protocol itself (not of any child protocol)
– alMatrixTopNAllPkts(3) : count packets of this protocol and of all its child protocols
– alMatrixTopNAllOctets(4) : count octets of this protocol and of all its child protocols
Application-Layer Matrix Group (4)
• alMatrixTopNtable
– alMatrixTopNPktRate – the number of packets
seen from source host to destination host
during this sampling interval
– alMatrixTopNReversePktRate – same as above
(Destination to source)
User history collection group (1)
• User history collection group
– Collect particular statistics and variables then
logs that data based on user-defined
parameters
User history collection group (2)
User history collection group (3)
Probe configuration group
• Probe configuration group
– To solve interoperability among RMON probe
and managers
Practical Issues