Title: Network Monitoring and Management
1Network Monitoring and Management
2ICMP
- Internet Control Message Protocol
- RFC 792
- Transfer of (control) messages from routers and
hosts to hosts - Feedback about problems
- e.g. time to live expired
- Encapsulated in plain IP datagram
- Not reliable
3Application
Transport
TCP
UDP
IGMP
ICMP
Network
IP
Link
Ethernet Driver
incoming frame
4FTP server
telnet server
7
21
23
SMTP
25
data
TCP src port
TCP dest port
header
UDP
17
TCP
TCP
ICMP
6
1
dest addr
source addr
hdr cksum
data
protocol type
IP header
ARP
x0806
IP
IP
x0800
dest addr
source addr
data
Ethernet frame type
CRC
(Ethernet frame types in hex, others in decimal)
5ICMP Types
6(No Transcript)
7ICMP
- Uses IP but is a separate protocol in the network
layer - ICMP messages contain
- Type
- Code
- 1st 8 bytes of bad datagram
IP HEADER PROTOCOL 1 TYPE CODE
CHECKSUM REMAINDER OF ICMP MESSAGE (FORMAT IS
TYPE SPECIFIC)
IP HEADER
IP DATA
8ICMP Message Formats
9(No Transcript)
10(No Transcript)
11(No Transcript)
12Destination Unreachable
- TYPE CODE CHECKSUM
- UNUSED
- IP HEADER 64 bits data from original DG
TYPE 3 CODE 0 Net unreachable 1 Host
unreachable 2 Protocol unreachable 3 Port
unreachable 4 Fragmentation needed but DF
set 5 Source route failed 6 Dest network
unknown 7 Dest host unknown
13Source Quench
- TYPE CODE CHECKSUM
- UNUSED
- IP HEADER 64 bits data from original DG
- TYPE 4 CODE 0
- Flow control
- Indicates that a router has dropped the original
DG or may indicate that a router is approaching
its capacity limit. - Correct behavior for source host is not defined.
14(No Transcript)
15Time Exceeded
- TYPE CODE CHECKSUM
- UNUSED
- IP HEADER 64 bits data from original DG
TYPE 11 CODE 0 Time to live exceeded in
transit 1 Fragment reassembly time exceeded
16Redirect
TYPE CODE CHECKSUM NEW ROUTER ADDRESS IP
HEADER 64 bits data from original DG
TYPE 5 CODE 0 Network redirect 1 Host
redirect 2 Network redirect for specific
TOS 3 Host redirect for specific TOS
17Redirection Concept
Internet
18(No Transcript)
19QUERY Message Echo and Echo Reply
- TYPE CODE CHECKSUM
- IDENTIFIER SEQUENCE
- DATA .
TYPE 8 ECHO 0 ECHO REPLY CODE
0 IDENTIFIER An identifier to aid in matching
echoes and replies SEQUENCE Same use as for
IDENTIFIER UNIX ping uses echo/echo reply
20Replaced by Network Time Protocol (NTP)
21Using Ping
wirth 415pm -gt ping www.uakron.edu PING
arwen.uakron.edu (130.101.81.50) 56(84) bytes of
data. 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq0 ttl62 time0.512
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq1 ttl62 time0.449
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq2 ttl62 time1.38
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq3 ttl62 time0.439
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq4 ttl62 time0.448
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq5 ttl62 time0.496
ms 64 bytes from arwen.uakron.edu
(130.101.81.50) icmp_seq6 ttl62 time0.449
ms --- arwen.uakron.edu ping statistics --- 7
packets transmitted, 7 received, 0 packet loss,
time 6001ms rtt min/avg/max/mdev
0.439/0.596/1.383/0.323 ms, pipe 2 wirth
416pm -gt
22Extended Ping
Used for path MTU discovery
- IP header options can be used along with ICMP
- route recording,
- timestamping,
- source routing
23Traceroute
- UNIX utility - displays router used to get to a
specified Internet Host (Van Jacobson, 1988) - Operation
- router sends ICMP Time Exceeded message to source
if TTL is decremented to 0 - if TTL starts at 5, source host will receive Time
Exceeded message from router that is 5 hops away - Traceroute sends a series of UDP probes (to port
33500) with different TTL values and records
the source address of the ICMP Time Exceeded
message for each - Probes are formatted so that the destination host
will send an ICMP Port Unreachable message
24Traceroute and ICMP (2)
- Trace the route of an IP packet
Source
Destination
Router 1
Router 2
Timeline
25Traceroute and ICMP (3)
- Trace the route of an IP packet
- Upon reaching destination,
- No Time exceeded message generated
- How do you know when final destination is
reached? - Traceroute sends to unused UDP port (gt30000),
generating an ICMP destination unreachable
message - With code port unreachable
26Taceroute
- mymachine traceroute www.cis.ksu.edu
- traceroute to polaris.cis.ksu.edu
(129.130.10.93), 30 hops max, 40 byte packets - 1 wraith.facnet.mcs.kent.edu (131.123.46.1)
0.878 ms 0.620 ms 0.553 ms - 2 ghost.uis-mcs.mcs.kent.edu (131.123.40.1)
6.000 ms 3.366 ms 2.632 ms - 3 lib2-255x248-e37-lib.gate.kent.edu
(131.123.255.254) 7.170 ms 3.552 ms 4.477 ms - 4 twcneo-cw.neo.rr.com (204.210.223.3) 9.515
ms 15.167 ms 18.687 ms - 5 bordercore4-hssi1-0.NorthRoyalton.cw.net
(166.48.233.253) 17.864 ms 10.971 ms 14.652 ms - 6 core4.WillowSprings.cw.net (204.70.4.73)
23.438 ms 22.099 ms 17.397 ms - 7 wsp-sprint2-nap.WillowSprings.cw.net
(206.157.77.94) 18.367 ms 22.854 ms 20.267 ms - 8 sl-bb11-chi-2-1.sprintlink.net
(144.232.10.157) 23.518 ms 24.528 ms 18.757 ms - 9 sl-bb12-chi-5-1.sprintlink.net (144.232.10.6)
21.197 ms 31.452 ms 15.050 ms - 10 sl-bb10-kc-7-1.sprintlink.net (144.232.9.117)
46.752 ms 40.125 ms - 11 sl-gw5-kc-0-0-0.sprintlink.net (144.232.2.62)
38.360 ms 48.002 ms 44.795 ms - 12 sl-uok-1-0-0.sprintlink.net (144.232.132.14)
93.256 ms 67.070 ms 61.727 ms - 13 ks-1-ks-ksu.r.greatplains.net
(164.113.232.193) 77.743 ms 64.566 ms 67.117
ms - 14 164.113.212.250 (164.113.212.250) 59.988 ms
46.188 ms 55.616 ms - 15 129.130.252.9 (129.130.252.9) 68.211 ms
67.881 ms 75.441 ms - 16 polaris.cis.ksu.edu (129.130.10.93) 76.462
ms 54.838 ms
27PMTU-D
TCP path-MTU discovery
28(No Transcript)
29SNMP
- Where did it come from ?
- Internet Engineering Task Force
- Network Management Area
- SNMP v1
- MIBv1, MIBv2
- SNMP v2 (?)
- SNMP v3 (?)
30SNMPv1 History
- RFC 1157, 1990
- A Simple Network Management Protocol (SNMP)
- RFC 1155, 1158, 1213, 1990
- Specification of the MIBv2
- Written in ASN.1
31(No Transcript)
32Protocol context of SNMP
33SNMPv1 Protocol
- Five Simple Messages
- get-request
- get-next-request
- get-response
- set-request
- trap
34SNMP - SNMP Message Handling -
GetRequest (What is the value of MIB?)
SNMP Agent
SNMP Manager
GetResponse (The value is XXXX!)
GetNextRequest (What is the next value of MIB
Tree ?)
GetResponse (The value is XXXX!)
SetRequest (Modify the value of OID)
GetResponse (The value is XXXX!)
Trap (Problem happened!)
35SNMPv1 UDP ports
get_request
get_response
port 161
get_next_request
port 161
get_response
Manager
Agent
set_request
port 161
get_response
trap
port 161
port 162
36SNMPv1 Packet Format
UDP Header
PDU Type
Request ID
Error Status
Error Index
Version
Community
name
value
name
...
- SNMP version (0 is for version 1)
- Community (read-only, read-write)
- Shared password between agent and manager
- PDU Specifies request type
- Request ID
- Error Status
- Error Index
37Community Names
- Community names are used to define where an SNMP
message is destined for. - Set up your agents to belong to certain
communities. - Set up your management applications to monitor
and receive traps from certain community names.
38RFC 1065 (MIB Structure)
- Structure and Identification of Management
Information for TCP/IP-based Internets (SMI) - Uses Abstract Syntax Notation 1 (ASN.1)
- Types of information
- Network Address
- IP Address
- Counter (32 bit monotonically increasing)
- Gauge (32 bit variable)
- Timeticks (time in hundredths of a second)
- Opaque (arbitrary syntax for text data)
- Adopted as a full standard in RFC 1155 (basically
unchanged)
39MIB definitions
- RFC 1066 - MIB definitions using RFC 1065 (RFC
1155) (Rose McCloghrie) - First version of the MIB now called MIB-I
- Adopted as a full standard in RFC 1156
(essentially unchanged from 1066) - RFC 1158 - extends MIB-I and defines MIB-II
- Adopted as a full standard in RFC 1213
40Vendor extensions to MIB
- RFC 1156 (MIB-I) allowed for vendor specific
extensions to be included in the MIB - Allows for additional management information
about devices not provided for in the standard
MIB - For example CPU utilisation
- Normal for devices to support all of MIB-II PLUS
have their own vendor-specific extensions
41SNMP NAMES
42OSI Object Identifier Tree
43SNMP - MIB Tree -
- Objects are managed by the tree
- Expressed in a row of values divided by the
period
root
iso(1)
ccitt(0)
Joint-iso-ccitt(2)
org(3)
dod(6)
Internet(1)
directory(1)
mgmt(2)
exprimental(3)
private(4)
mib-2(1)
enterprise(1)
Standard MIBs
Vendor-specific MIBs
44SNMP Naming
- question how to name every possible standard
object (protocol, data, more..) in every possible
network standard?? - answer ISO Object Identifier (OID) tree
- hierarchical naming of all objects
- each branchpoint has name, number
1.3.6.1.2.1.7.1
udpInDatagrams UDP MIB2 management
ISO ISO-ident. Org. US DoD Internet
45SNMP - OID -
- OID Expression
- iso(1). org(3). dod(6). internet(1). mgmt(2).
mib2(1) - -gt .1.3.6.1.2.1
- e.g. sysDscr .1.3.6.1.2.1.1.1
mib-2.1.1 system.1
Subtree Name OID Description
system 1.3.6.1.2.1.1 Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
interfaces 1.3.6.1.2.1.2 Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks such things as octets sent and received, errors and discards, etc.
at 1.3.6.1.2.1.3 The address translation (at) group is deprecated and is provided only for backward compatibility. It will probably be dropped from MIB-III.
ip 1.3.6.1.2.1.4 Keeps track of many aspects of IP, including IP routing.
icmp 1.3.6.1.2.1.5 Tracks things such as ICMP errors, discards, etc.
tcp 1.3.6.1.2.1.6 Tracks, among other things, the state of the TCP connection (e.g., closed, listen, synSent, etc.).
udp 1.3.6.1.2.1.7 Tracks UDP statistics, datagrams in and out, etc.
egp 1.3.6.1.2.1.8 Tracks various statistics about EGP and keeps an EGP neighbor table.
transmission 1.3.6.1.2.1.10 There are currently no objects defined for this group, but other media-specific MIBs are defined using this subtree.
snmp 1.3.6.1.2.1.11 Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP packets sent and received.
46SNMP - MIB OID -
- SNMP Manager can acquire the management
information defined by MIB(Management Information
Base) from Agent - Current version MIBv2 RFC 1213
- MIB is the aggregate of object (information) on
the equipment which SNMP Agent holds - Identifier is defined for each object OID
- MIB performed by Agent is roughly divided into
- MIBv2 standard, public, specified by IETF
- Enterprise MIB private, specified by vendor
company
47SNMP MIB
MIB module specified via SMI (Structure of
Management Information) MODULE-IDENTITY (100
standardized MIBs, more vendor-specific)
OBJECT TYPE
OBJECT TYPE
OBJECT TYPE
objects specified via SMI OBJECT-TYPE construct
48SMI Object, module examples
ipMIB MODULE-IDENTITY LAST-UPDATED
941101000Z ORGANZATION IETF SNPv2
Working Group CONTACT-INFO Keith
McCloghrie DESCRIPTION The MIB
module for managing IP and ICMP
implementations, but excluding their
management of IP routes. REVISION
019331000Z mib-2 48
ipInDelivers OBJECT TYPE SYNTAX
Counter32 MAX-ACCESS read-only STATUS
current DESCRIPTION The total number of
input datagrams successfully
delivered to IP user- protocols (including
ICMP) ip 9
49MIB example UDP module
Object ID Name Type
Comments 1.3.6.1.2.1.7.1 UDPInDatagrams
Counter32 total datagrams delivered
at this node 1.3.6.1.2.1.7.2
UDPNoPorts Counter32 underliverable
datagrams no app at
portl 1.3.6.1.2.1.7.3 UDInErrors
Counter32 undeliverable datagrams
all other reasons 1.3.6.1.2.1.7.4
UDPOutDatagrams Counter32 datagrams
sent 1.3.6.1.2.1.7.5 udpTable SEQUENCE
one entry for each port in use by
app, gives port and IP address
50ASN.1 Abstract Syntax Notation 1
- ISO standard X.680
- defined data types, object constructors
- like SMI
- BER Basic Encoding Rules
- specify how ASN.1-defined data objects are to be
transmitted - each transmitted object has Type, Length, Value
(TLV) encoding
51Syntax
- uses ASN.1 (Abstract Syntax Notation)
- binary encoding
- 02 01 06 is a 1 byte integer, value
6 - Primitive Types
- INTEGER, OCTECT STRING, OBJECT
IDENTIFIER, NULL - Constructor Types
- SEQUENCE ltprimitive-typegt ... ie. a
record - SEQUENCE OF ltprimitive-typegt ... ie. an
array - Defined Data Types
- IpAddress what you expect
- Counter non-negative integer that wraps
- Gauge non-negative integer that latches
- TimeTicks time in hundredths of seconds
52TLV Encoding
- Idea transmitted data is self-identifying
- T data type, one of ASN.1-defined types
- L length of data in bytes
- V value of data, encoded according to ASN.1
standard
Tag Value Type
Boolean Integer Bitstring Octet
string Null Object Identifier Real
1 2 3 4 5 6 9
53TLV encoding example
Value, 259 Length, 2 bytes Type2, integer
Value, 5 octets (chars) Length, 5 bytes Type4,
octet string
54SNMP - SNMP Message Handling
GetRequest inetapan_at_toolsgt snmpget -v2c -c xxxx
tpr2.jp.apan.net .1.3.6.1.2.1.2.2.1.4.136 IF-MIB
ifMtu.136 INTEGER 9192
GetNextRequest inetapan_at_toolsgt snmpget -v2c -c
xxxx tpr2.jp.apan.net system SNMPv2-MIBsystem
No Such Object available on this agent at this
OID inetapan_at_toolsgt snmpwalk -v2c -c xxxx
tpr2.jp.apan.net system SNMPv2-MIBsysDescr.0
STRING m20 internet router, kernel
6.2R3.10 SNMPv2-MIBsysObjectID.0 OID
SNMPv2-SMIenterprises.2636.1.1.1.2.2 DISMAN-EVEN
T-MIBsysUpTimeInstance Timeticks (423280751)
48 days, 234647.51 SNMPv2-MIBsysContact.0
STRING SNMPv2-MIBsysName.0 STRING
tpr2 SNMPv2-MIBsysLocation.0
STRING SNMPv2-MIBsysServices.0 INTEGER 4
SetRequest inetapan_at_toolsgt snmpset v2c c xxxx
tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 "" inetapan_at_toolsgt
snmpset v2c c yyyy tppr.jp.apan.net
system.sysLocation.0 s Tokyo, JP system.sysLocat
ion.0 Tokyo, JP" inetapan_at_toolsgt snmpset
v2c c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 Tokyo, JP"
55SNMP - Trap Message -
- The way for Agent to inform Manager about event
of something undesirable - Trap originates from Agent and is sent to the
trap destination, as configured within Agent
itself - When Manager receives a trap, it needs to know
how to interpret it - PDU
- Enterprise
- vendor identification (OID) for the agent
- AgentAddress
- The IP address of the node where the trap was
generated. - Trap Type
- Generic / Specific (not used)
- Timestamp
- The length of time between the last
re-initialization of the agent that issued a trap
and the moment at which the trap was issued
56SNMP
- SNMP Traps
- unsolicited notification of events
- can include variable list
- ColdStart, WarmStart
- LinkUp, LinkDown
- Authentication Failure
- EGP Neighbour Loss
- Enterprise Specific
57Traps
- Forwarded automatically from agent to station(s)
in response to an event with the device - Traps defined in MIB-II
- Cold-start of system
- Warm-start of system
- Link down
- Link up
- Failure of authentication
- Exterior Gateway Protocol (EGP) neighbour loss
- Enterprise specific
58SNMPv2 History
- RFC 1441, 1993 Introduction to version 2 of the
Internet-standard Network Management Framework - RFC 1446, 1993 Security Protocols for version 2
of the Simple Network Management Protocol - Written to address security and feature
deficiencies in SNMPv1
59SNMPv2 Protocol
- Extension to SNMPv1
- Provided security model
- 2 new commands
- get-bulk-request
- inform-request
60SNMPv2 Protocol continued...
privDst
dstParty
srcParty
context
PDU
authInfo
General Format
privDst
dstParty
srcParty
context
PDU
0-length OCTET STRING
Nonsecure Message
digest
dstTime
srcTime
privDst
dstParty
srcParty
context
PDU
Authenticated, not encrypted
privDst
dstParty
srcParty
context
PDU
0-length OCTET STRING
Private, not authenticated
privDst
digest
dstTime
srcTime
dstParty
srcParty
context
PDU
Private and authenticated
61Format of SNMPv1 messages
Get-Request, Get-Next-Request, Set-Request
Get-Response
Version Community PDU Enter- Agent Generic
Specific Time Name X Value X
String type prise Addr trap
trap
Trap
62Coexistence by Means of Proxy Agent
63SNMPv1 and SNMPv2
- SNMPv1 is a subset of SNMPv2
- Managers usually can send requests in either
format depending on the capability of the agents - Requires an update of the agent and manager
software to migrate from SNMPv1 to SNMPv2 - Many manufacturers are resisting SNMPv2 for a
variety of reasons leading to an SNMPv3
specification - Almost all manufacturers currently support SNMPv1
64Network Monitoring Tools
65Ways of Monitoring
- Classified into three monitoring ways
- In Internal Network (mostly)
- Via External Network
- Non-network (Emergency case)
1, Monitoring in internal Network (mostly)
3, Independent access (Emergency case) - ISDN,
PSTN
External network
Internal network
2, Monitoring via External Network - via
Peering Network - via the Internet
Monitoring Machine
66Network Management Software
- SNMP Agents
- provided by all router vendors
- many expanded (enterprise) MIBs
- bridges, wiring concentrators, toasters
67Network Management Software
- Public Domain
- Application Programming Interfaces available from
CMU and MIT - include variety of applications
68Network Management Software
- Commercially
- many offerings, UNIX and PC based
- HP OpenView
- SunNet Manager
- Cabletron Spectrum
- MANY others
69Commercial SNMP Applications
- http//www.hp.com/go/openview/ HP OpenView
- http//www.tivoli.com/ IBM NetView
- http//www.novell.com/products/managewise/
Novell ManageWise - http//www.sun.com/solstice/ Sun MicroSystems
Solstice - http//www.microsoft.com/smsmgmt/ Microsoft SMS
Server - http//www.compaq.com/products/servers/management/
Compaq Insight Manger - http//www.redpt.com/ SnmpQL - ODBC Compliant
- http//www.empiretech.com/ Empire Technologies
- ftp//ftp.cinco.com/users/cinco/demo/ Cinco
Networks NetXray - http//www.netinst.com/html/snmp.html SNMP
Collector (Win9X/NT) - http//www.netinst.com/html/Observer.html Observe
r - http//www.gordian.com/products_technologies/snmp.
html Gordians SNMP Agent - http//www.castlerock.com/ Castle Rock
Computing - http//www.adventnet.com/ Advent Network
Management - http//www.smplsft.com/ SimpleAgent,
SimpleTester
70Monitoring Targets
- Target suitable for checking normality of network
service - Router
- Dead or Alive?
- Status?
- Performance? Routing?
- Server
- Dead or Alive?
- Status?
- Damon? Service Port?
- Traffic, etc.
- Increase or decrease?
- Dos Attack? Performance? Environment?
-
71Monitoring Method
- How to monitor the target
- Active monitor or Passive monitor
- Polling Monitoring machines give message in
watching target - Useful for checking the current status
- ICMP/SNMP polling
- Receive trap message from target
- Useful for detecting the status change
- SNMP trap, syslog
- Statistics data
- Useful for grasping the trend and transition
- Select the Monitoring Tool
- Ping (ICMP), SNMP, Monitoring Tool, Original
Tool, etc. - Check the monitoring Route to Target
- Internal or External network
72- ICMP/Ping Polling -
- Check IP reachability by ICMP echo/reply
- Additional information
- RTT (Round Trip Time)
- Packet Loss
- TTL (Time to Live)
- Most standard way of checking node activity
- Time series RTT/Packet loss data becomes
important information when measuring link
performance
ICMP echo
RTT xx msec Packet Loss xx TTL xx
ICMP echo reply
73UDP/TCP polling
- Effective in monitoring service ports of server
- Using client for service
- DNS - nslookup
- Using telnet
- WWW,SMTP,POP
- Using tool
- Radius - radping
bash-2.05 telnet ns.jp.apan.net 80 Trying
203.181.248.3... Connected to ns.jp.apan.net. Esca
pe character is ''. get lt!DOCTYPE HTML PUBLIC
"-//IETF//DTD HTML 2.0//EN"gt lthtmlgtltheadgt lttitlegt5
01 Method Not Implementedlt/titlegt
Telnet with service port
reply
74Monitoring Software - HP OpenView -
- HP OpenView Network Node Manager
- Overview
- Auto discovery and mapping
- Drill-down views (Hierarchy Map)
- Fault monitoring ICMP / SNMP polling
- Event monitoring Trap receiving/Event
configuration - SNMP tools Status polling
- MIB Browser
- Web-based reports
- Extended software is enhanced
- Platform Windows 2000/XP, Solaris 8/9, HP-UX
75Monitoring Software - HP OpenView Sample 1-
Event log
Network map
ICMP polling for connectivity check
Router map
Network sub-map
76Monitoring Software - HP OpenView Sample 2-
Event configuration
Snmp configuration for polling - parameters -
community
Data collection Thresholds for SNMP
77MRTG (Multi-Router Traffic Grapher)
- Overview
- Monitors the load of network equipment using
SNMP, mainly used for creation of traffic graph - Excellent graphing tool developed by Tobias
Oetiker - Plots graph with any two variables against time,
It is graph-ized with PNG format on HTML page - Able to create scripts to feed data into MRTG
- Implements data collection, image, web-page
collection - Very widely deployed in large networks and still
being actively developed - Platform UNIX system / Windows NT
- Supports SNMPv2 able to read 64bit counters
- http//people.ee.ethz.ch/oetiker/webtools/mrtg/
78MRTG - Workflow -
- Green area typically represents incoming maximum
bits per second - Blue line typically represents outgoing maximum
bits per second
- Workflow
- Read configuration file
- Collect graphing data from network equipment,
based on configuration - Update database file and generate graph
- If required, generate HTML file
- MRTG performs above workflow then completes
- Since MRTG collects data of the past 5 minutes
(default value of source code), it is desirable
to set crontab for every 5 minutes
79MRTG - Data Storage -
- Data Storage
- Keeps 5 minute data only for 2.5 days. The data
is thrown away afterward. - There is no referring to historical data with
high resolution - Keeps 1-day data for approx. 2 years
Daily grafh/5min
Weekly grafh/30min
Interval Num of record Storage period Graph
5 minutes 600 2.5 days daily
30 minutes 600 12.5 days Weekly
2 hours 600 50 days Monthly
1 day 731 2 years Yearly
Monthly grafh/2hours
Rougher Resolution
Yearly grafh/1day
80RRDtool (Round Robin Database Tool)
- Overview
- Successor to MRTG
- Developed by the same developer of MRTG Tobias
Oetiker - Tool group for RRD can flexibly define data item,
time interval, data amount, graph depiction, etc. - Binary file format that can store data at any
interval for any length of time - File does not grow in size over time
- Ability to make custom graphs across user-defined
intervals - Ability to graph multiple variables on a single
graph - Additional scripts are necessary in creating
graphs and web-page - 25-30 percent faster than MRTG
- Does not have the function to collect data
- http//people.ee.ethz.ch/oetiker/webtools/rrdtool
/
81RRDtool - Architecture -
- Comparison of architecture between MRTG and RRD
SNMP engine
Graph
router
Index
log
Frontend Program
Frontend Program
Graph
router
server
Index
RRD
text
82RRDtool - Sample -
http//mrtg.jp.apan.net/cricket/router-interfaces/
83Netflow - Overview -
- Overview
- Enables IP traffic flow analysis without probes
- Invented and patented by Cisco
- Juniper (called cflowd), Foundry, ??? many
venders are supporting - Flow cash data on routers is exported
- to a flow tool, so that traffic flow is to be
analyzed
- flow Definition
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)
Traffic
Enable NetFlow
Core Network
UDP NetFlow Export Packets
Collector (Solaris, HP-UX, or Linux)
Application GUI
84Netflow - Flow Data -
- Flow data export
- Enable NetFlow on the router
- There is difference in architecture between Cisco
and Juniper routers - Take care! the load of a router does not become
high! - - Check CPU, memory, bandwidth, sampling rate
- Flow data collection Analysis
- Prepare the software for receiving flow-export
data - flow-tools http//www.splintered.net/sw/flow-tools
/ - cflowd http//www.caida.org/tools/measurement/cfl
owd/ - Cisco NetflowCollector
- Analyze traffic from raw data with software
- flow-scan http//net.doit.wisc.edu/plonka/FlowSca
n/ - (If you want to graph-ize analysis data, I
recommend you to use RRDtool) - Cisco CiscoWorks
- Source and destination IP address
- Source and destination TCP/UDP ports
- Packet and byte counts
- Routing information (next-hop address, source
autonomous system (AS) number, destination AS
number, source prefix mask, destination prefix
mask)
85Netflow - Example -