
Remote Monitoring (RMON)
RFC 2819 Remote network monitoring management information base (RMON1)
RFC 2021 Remote network monitoring management information base II (RMON2)
RFC 2613 RMON MIB Extension for Switched Network (SMON)
RFC 3577 Introduction to RMON family of MIB Modules

Goals (RFC2819) (1)
Offline Operation
–The management station may be out of contact with the probe, either in an attempt to lower communications costs (especially when communicating over a WAN or dialup link), or by accident as network failures affect the communications between the management station and the probe.
–The MIB allows a probe to be configured to perform diagnostics and to collect statistics continuously,

Goals (RFC2819) (2)
Proactive Monitoring
–It is potentially helpful to run diagnostics and to log network performance.
–The monitor can notify the management station of a failure and can store historical statistical information about the failure.
–This historical information can be played back by the management station in an attempt to perform further diagnosis into the cause of the problem.

Goals (RFC2819) (3)
Problem Detection and Reporting
–The monitor can be configured to recognize conditions, most notably error conditions, and to check for them continuously.
–When one of these conditions occurs, the event may be logged, and management stations may be notified in a number of ways.

Goals (RFC2819) (4)
Value Added Data
–The remote network monitoring device has the opportunity to add significant value to the data it collects.
–For instance, by highlighting those hosts on the network that generate the most traffic or errors, the probe can give the management station precisely the information it needs to solve a class of problems.

Goals (RFC2819) (5)
Multiple Managers
–Environments with multiple management stations are common, so the remote network monitoring device has to deal with more than one management station, potentially using its resources concurrently.

Fig 8.1

Control of Remote Monitor Devices (1)
Configuration
–Each MIB group consists of one or more control tables and data tables
   Control table – read/write; contains parameters that describe the data in the data table
   Data table – read only; contains information that is defined by the control table
Action invocation
–Use the SET operation to issue a command
–The RMON MIB defines objects to represent several commands

Control of Remote Monitor Devices (2)
Modifying Parameters
–First, invalidate the control entry, causing its deletion and the deletion of any associated data entries
–Then, create a new control entry with the proper parameters.
Start Process
–Some objects in this MIB provide a mechanism to execute an action on the remote monitoring device.
–These objects may execute an action as a result of a change in the state of the object.

Multiple Manager - Problems
Potential conflicts
–Two or more management stations wish to simultaneously use resources that together would exceed the capability of the device.
–A management station uses a significant amount of resources for a long period of time.
–A management station uses resources and then crashes, forgetting to free the resources so others may use them

Multiple Manager – Solution
An ownership label is used for a particular row of the table
–A management station may recognize resources it owns and no longer needs
–A network operator can identify the management station that owns the resources and negotiate for them to be freed
–A network operator may have the authority unilaterally to free resources another network operator has reserved
–If a management station experiences a reinitialization, it can recognize resources it had reserved in the past and free those it no longer needs

Ownership concept
The ownership label contains one or more of the following:
–IP address, management station name, network manager’s name, location or phone number
However, the ownership label does not act as a password or access-control mechanism
Therefore, a row can be read and written by a management station that does not own the row

Note (1)
Default functionality
–For resources that are intended to be long-lived, the relevant owner object should be set to a string starting with 'monitor'.
–Indiscriminate modification of the monitor-owned configuration by network management stations is discouraged.
–In fact, a network management station should only modify these objects under the direction of the administrator of the probe.

Note (2)
When a network management station wishes to utilize a function in a monitor, it is encouraged to first scan the control table of that function to find an instance with similar parameters to share.
If a management station decides to share an instance owned by another management station, it should understand that the management station that owns the instance may indiscriminately modify or delete it.

Row Addition for Multiple Manager
When more than one manager simultaneously attempts to create the same conceptual row, only the first can succeed. The others will receive an error
When a manager wishes to create a new control entry, it needs to choose an index for that row.
–Examples of schemes to choose index values include random selection or scanning the control table looking for the first unused index.
–If the index is in use, the agent sends an error

Fig 8.3

RMON Row Addition
If a management station attempts to create a new row and the index object value does not exist, the row is created with a status of createRequest(2)
After completing the create operation, the agent sets the status object value to underCreation(3)
After the management station has finished creating all of the rows that it desires for its configuration, the management station sets the status object value to valid(1)
If an attempt is made to create a new row and the row already exists (duplicate index), an error will be returned
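The row lifecycle and the ownership caveat from the slides above, as an added example (not from the original presentation): a toy in-memory control table, not a real SNMP agent. The manager names, the audit log and `foreign_changes` are assumptions made for illustration; a real probe learns the requester only from the SNMP request itself.

```python
# Added example: a toy in-memory model of an RMON control table.
# Manager names and the audit log are hypothetical; the MIB itself has neither.
VALID, CREATE_REQUEST, UNDER_CREATION, INVALID = 1, 2, 3, 4  # EntryStatus values


class RowExists(Exception):
    """Stands in for the error the agent returns when the index is in use."""


class ControlTable:
    def __init__(self):
        self.rows = {}   # index -> {"owner": str, "status": int, "params": dict}
        self.log = []    # (manager, action, index, owner label on the row)

    def first_unused_index(self):
        """Index-selection scheme from the slides: scan for the first gap."""
        index = 1
        while index in self.rows:
            index += 1
        return index

    def create(self, manager, index, owner, params):
        """Manager sets the status object of a new index to createRequest(2)."""
        if index in self.rows:
            raise RowExists(f"index {index} is already in use")
        # Once the create operation completes, the agent reports underCreation(3).
        self.rows[index] = {"owner": owner, "status": UNDER_CREATION,
                            "params": dict(params)}
        self.log.append((manager, "create", index, owner))

    def set_status(self, manager, index, status):
        """Set valid(1) to activate a row or invalid(4) to delete it.

        The owner label is deliberately not checked: it is not an
        access-control mechanism, so any manager with write access succeeds.
        """
        if status not in (VALID, INVALID):
            raise ValueError("managers only set valid(1) or invalid(4) here")
        row = self.rows[index]
        action = "invalidate" if status == INVALID else "validate"
        self.log.append((manager, action, index, row["owner"]))
        if status == INVALID:
            del self.rows[index]      # associated data entries would go too
        else:
            row["status"] = VALID


def foreign_changes(table):
    """Audit aid: status changes made by a manager that is not the row owner."""
    return [entry for entry in table.log
            if entry[1] != "create" and entry[0] != entry[3]]


def scenario():
    """Constructed sequence: a probe default row plus two competing managers."""
    table = ControlTable()
    params = {"historyControlDataSource": "ifIndex.1",
              "historyControlInterval": 1800}
    table.create("monitor", 1, "monitor", params)
    table.set_status("monitor", 1, VALID)

    index = table.first_unused_index()          # both managers pick index 2
    table.create("nms-a", index, "nms-a", params)
    try:
        table.create("nms-b", index, "nms-b", params)
        collided = False
    except RowExists:                           # only the first create succeeds
        collided = True
        table.create("nms-b", table.first_unused_index(), "nms-b", params)
    table.set_status("nms-a", 2, VALID)
    table.set_status("nms-b", 3, VALID)

    # nms-b deletes the probe's default row; the owner label does not stop it.
    table.set_status("nms-b", 1, INVALID)
    return table, collided


if __name__ == "__main__":
    table, collided = scenario()
    print("collision on index 2:", collided)
    print("changes by non-owners:", foreign_changes(table))
```

Because the label gives no protection, write access to the probe has to be restricted at the SNMP layer, and a periodic comparison of control-table owners against the expected set is the practical way to notice changes like the one flagged here.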

Control Status

Good Packets
RFC 2819
Good packets are error-free packets that have a valid frame length.
–For example, on Ethernet, good packets are error-free packets that are between 64 octets long and 1518 octets long.

Bad Packets
Bad packets are packets that have proper framing and are therefore recognized as packets, but contain errors within the packet or have an invalid length.
–For example, on Ethernet, bad packets have a valid preamble and SFD, but have a bad CRC, or are either shorter

The RMON MIB
RMON (v1) MIB is incorporated into MIB-II with a subtree identifier of 16 (10 groups)
statistics: maintains low-level utilization and error statistics for each subnetwork monitored by the agent
history: records periodic statistical samples from information available in the statistics group

RMON MIB Group
alarm: allows the management console user to set a sampling interval and alarm threshold for any counter or integer recorded by the RMON probe
host: contains counters for various types of traffic to and from hosts attached to the subnetwork
hostTopN: contains sorted host statistics that report on the hosts that top a list based on some parameter in the host table

matrix: shows error and utilization information in matrix form
filter: allows the monitor to observe packets that match a filter
(Packet) capture: governs how data is sent to a management console
event: gives a table of all events generated by the RMON probe
tokenRing: maintains statistics and configuration information for token ring subnetworks

Important note 1
All groups in the RMON MIB are optional but there are some dependencies
The alarm group requires the implementation of the event group
The hostTopN group requires the implementation of the host group
The packet capture group requires the implementation of the filter group

Important note 2
Collection of traffic statistics for one or more subnetworks
–statistics, history, host, hostTopN, matrix, tokenRing
Various alarm conditions and filtering with user-defined
–alarm, filter, capture, event

Statistics Group (1)
Fig 8-6

Statistics Group (2)
Table 8.2

Statistics Group (3)

Statistics Group (4)
The statistics group provides useful information about the load and overall health of the subnetwork
Various error conditions are counted, such as CRC or alignment errors, collisions, and undersized and oversized packets

History Group
The history group is used to define sampling functions for one or more of the interfaces of the monitor
2 tables
–historyControlTable – specifies the interface and details of the sampling function
–etherHistoryTable – records the data

Fig 8.7

historyControlTable
historyControlIndex: index of the entry, which is the same number as used in etherHistoryTable
historyControlDataSource: identifies the interface to be sampled
historyControlBucketsRequested: the requested number of discrete sampling intervals; the default value is 50
historyControlBucketsGranted: the actual number of discrete sampling intervals
historyControlInterval: interval in seconds; the maximum is 3600 (1 hour), the default value is 1800

Sampling scheme
Determined by historyControlBucketsGranted and historyControlInterval
Ex. Use the default value of both
–The monitor would take a sample once every 1800 seconds (30 min); each sample is stored in a row of etherHistoryTable
–The most recent 50 rows are retained

Utilization
It is calculated from two counters: etherStatsOctets and etherStatsPkts
Utilization = 100% × [(Packets × (96 + 64)) + (Octets × 8)] / (interval × 10^7)
64 bits – preamble
96 bits – interframe gap
Assume that the interface data rate is 10 Mbps
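The sampling scheme and the utilization formula from the two slides above, combined in one added example (not from the original presentation). `HistorySampler` and its bucket fields are hypothetical names; the 32-bit counter wrap handling is an addition the slides do not cover.

```python
# Added example: history-group style sampling with per-bucket utilization.
from collections import deque

COUNTER32 = 2 ** 32   # etherStatsOctets and etherStatsPkts are 32-bit counters


def utilization_percent(packets, octets, interval_s, rate_bps=10_000_000):
    """Slide formula: 96-bit interframe gap + 64-bit preamble per packet,
    plus 8 bits per octet, divided by interval x data rate (10 Mbps default)."""
    bits_on_wire = packets * (96 + 64) + octets * 8
    return 100.0 * bits_on_wire / (interval_s * rate_bps)


class HistorySampler:
    """One history control entry: fixed interval, limited number of buckets."""

    def __init__(self, interval_s=1800, buckets_granted=50):
        self.interval_s = interval_s
        # A bounded deque drops the oldest bucket once the granted count is hit.
        self.buckets = deque(maxlen=buckets_granted)
        self._last = None      # previous (octets, pkts) counter reading
        self._index = 0        # running sample index

    def sample(self, ether_stats_octets, ether_stats_pkts):
        """Call once per interval with the current counter readings."""
        if self._last is not None:
            # Modular subtraction gives the right delta across one counter wrap.
            octets = (ether_stats_octets - self._last[0]) % COUNTER32
            pkts = (ether_stats_pkts - self._last[1]) % COUNTER32
            self._index += 1
            self.buckets.append({
                "sample_index": self._index,
                "octets": octets,
                "pkts": pkts,
                "utilization": utilization_percent(pkts, octets, self.interval_s),
            })
        self._last = (ether_stats_octets, ether_stats_pkts)


def demo():
    """Constructed readings; the octet counter wraps between the first two."""
    sampler = HistorySampler(interval_s=1800, buckets_granted=3)
    readings = [
        (4_000_000_000, 10_000),
        (205_032_704, 1_010_000),     # +500,000,000 octets after wrapping
        (205_032_704, 1_010_000),     # idle interval
        (205_096_704, 1_011_000),     # +64,000 octets, +1,000 packets
        (205_096_704, 1_011_000),     # idle interval
    ]
    for octets, pkts in readings:
        sampler.sample(octets, pkts)
    return list(sampler.buckets)


if __name__ == "__main__":
    for bucket in demo():
        print(bucket)
```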

Host Group
To gather statistics about specific hosts on the LAN by observing the source and destination MAC addresses in good packets
Consists of 3 tables:
–one control table (hostControlTable)
–two data tables (hostTable, hostTimeTable) holding the same information but indexed differently

hostControlTable
hostControlIndex:
–identifies a row in the hostControlTable, referring to a unique interface of the monitor
hostControlDataSource:
–identifies the interface (the source of the data)
hostControlTableSize:
–the number of rows in hostTable (hostTimeTable)
hostControlLastDeleteTime:
–the last time that an entry (hostTable) was deleted

Fig 8.9

A simple RMON configuration
Fig 8.10

hostTable
hostAddress: MAC address of this host
hostCreationOrder: an index that defines the relative ordering of the creation time of hosts (index takes on a value 1-N)
hostIndex: the same number as hostControlIndex

Counter in hostTable

Fig 8.11

hostTopN Group (1)
To maintain statistics about the set of hosts on one subnetwork that top a list based on some parameter
Statistics that are generated for this group are derived from data in the host group
The set of statistics for one object collected during one sampling interval is referred to as a report

hostTopN Group (2)
Each report contains the results for only one variable
–The variable represents the amount of change in a host group object over the sampling interval
So, the report lists the hosts on a particular subnetwork with the greatest rate of change in a particular variable

hostTopNControlTable (1)
hostTopNControlIndex:
–identifies a row in hostTopNControlTable, defining one top-N report for one interface
hostTopNHostIndex:
–matches the value of hostControlIndex, specifying a particular subnetwork
hostTopNRateBase:
–specifies one of seven variables from hostTable

hostTopNControlTable (2)
Variable in hostTopNRate
–INTEGER {
   hostTopNInPkts (1),
   hostTopNOutPkts (2),
   hostTopNInOctets (3),
   hostTopNOutOctets (4),
   hostTopNOutErrors (5),
   hostTopNOutBroadcastPkts (6),
   hostTopNOutMulticastPkts (7)
 }

hostTopNControlTable (3)
hostTopNTimeRemaining:
–time left during the report currently being collected
hostTopNDuration:
–sampling interval
hostTopNRequestedSize:
–maximum number of requested hosts for the top-N report
hostTopNGrantedSize:
–maximum number of hosts for the top-N report
hostTopNStartTime:
–the last start time

hostTopNTable
hostTopNReport:
–same value as hostTopNControlIndex
hostTopNIndex:
–uniquely identifies a row
hostTopNAddress:
–MAC address
hostTopNRate:
–the amount of change in the selected variable during the sampling interval

Report preparation (1)
A management station creates a row of the control table to specify a new report.
This control entry instructs the monitor to measure the difference between the beginning and ending values of a particular host group variable over a specific sampling period
The sampling period value is stored in both hostTopNDuration (static) and hostTopNTimeRemaining (dynamic)

Report preparation (2)
The value in hostTopNDuration is static and the value in hostTopNTimeRemaining counts down in seconds while the report is being prepared
When hostTopNTimeRemaining reaches 0, the monitor calculates the final results and creates a set of N data rows
To generate an additional report for a new time period, get the old report and reset hostTopNTimeRemaining to the value of hostTopNDuration
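The report-preparation steps above as an added example (not from the original presentation): a model of one hostTopN control entry that snapshots the host table, counts down, and builds the top-N rows. The class, the `max_size` limit, the treatment of hosts first seen mid-period as starting from 0, and the sample MAC addresses are assumptions.

```python
# Added example: preparing a hostTopN report from two hostTable snapshots.
COUNTER32 = 2 ** 32

# hostTopNRateBase value -> hostTable counter it selects
RATE_BASE = {
    1: "hostInPkts", 2: "hostOutPkts", 3: "hostInOctets", 4: "hostOutOctets",
    5: "hostOutErrors", 6: "hostOutBroadcastPkts", 7: "hostOutMulticastPkts",
}


class HostTopNControl:
    def __init__(self, rate_base, duration, requested_size, max_size=10):
        self.counter = RATE_BASE[rate_base]
        self.duration = duration                # hostTopNDuration (static)
        self.time_remaining = 0                 # hostTopNTimeRemaining (dynamic)
        self.granted_size = min(requested_size, max_size)  # hostTopNGrantedSize
        self.report = []                        # rows of hostTopNTable
        self._baseline = {}

    def start(self, host_table):
        """Begin a report: remember starting values, reset the countdown."""
        self._baseline = {mac: dict(c) for mac, c in host_table.items()}
        self.time_remaining = self.duration
        self.report = []

    def tick(self, seconds, host_table):
        """Advance the countdown; build the report when it reaches 0."""
        if self.time_remaining == 0:
            return
        self.time_remaining = max(0, self.time_remaining - seconds)
        if self.time_remaining == 0:
            self.report = self._build(host_table)

    def _build(self, host_table):
        rates = []
        for mac, counters in host_table.items():
            # Assumption: a host first seen during the period starts from 0.
            begin = self._baseline.get(mac, {}).get(self.counter, 0)
            rates.append((mac, (counters[self.counter] - begin) % COUNTER32))
        rates.sort(key=lambda item: (-item[1], item[0]))   # greatest change first
        return [
            {"hostTopNIndex": i + 1, "hostTopNAddress": mac, "hostTopNRate": rate}
            for i, (mac, rate) in enumerate(rates[: self.granted_size])
        ]


def demo():
    """Constructed host table snapshots, 60 seconds apart."""
    start = {
        "00:00:5e:00:53:01": {"hostOutOctets": 1_000},
        "00:00:5e:00:53:02": {"hostOutOctets": 5_000_000},
        "00:00:5e:00:53:03": {"hostOutOctets": 4_294_967_000},
    }
    end = {
        "00:00:5e:00:53:01": {"hostOutOctets": 901_000},      # +900,000
        "00:00:5e:00:53:02": {"hostOutOctets": 5_100_000},    # +100,000
        "00:00:5e:00:53:03": {"hostOutOctets": 704},          # wrapped, +1,000
        "00:00:5e:00:53:04": {"hostOutOctets": 250_000},      # new host
    }
    control = HostTopNControl(rate_base=4, duration=60, requested_size=2)
    control.start(start)
    control.tick(20, start)
    remaining_midway = control.time_remaining
    control.tick(40, end)
    return control, remaining_midway


if __name__ == "__main__":
    control, _ = demo()
    for row in control.report:
        print(row)
```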

Fig 8.12

Fig 8.13

Matrix group
To record information about the traffic between pairs of hosts on a subnetwork
The information is stored in the form of a matrix
Consists of 3 tables
–One control table – matrixControlTable
–Two data tables – matrixSDTable (traffic from one host to all others), matrixDSTable (traffic from all hosts to one particular host)

matrixControlTable
matrixControlIndex:
–identifies a row in the matrixControlTable
matrixControlDataSource:
–identifies the interface
matrixControlTableSize:
–the number of rows in the matrixSDTable
matrixControlLastDeleteTime:
–the last time that an entry was deleted

Fig 8.14

matrixSDTable (matrixDSTable)
matrixSDSourceAddress: the source MAC address
matrixSDDestAddress: the destination MAC address
matrixSDIndex: same value as matrixControlIndex
matrixSDPkts: number of packets transmitted from this source address to the destination address, including bad packets
matrixSDOctets: number of octets contained in all packets
matrixSDErrors: number of bad packets transmitted from this source address to the destination address

matrixSDTable - operation
Indexed first by matrixSDIndex, then by source address, then by destination address; for matrixDSTable the source address is the last
The matrixSDTable contains 2 rows for every pair of hosts
–One row per direction

RMON (alarms and filtering) W.lilakiatsakun

Alarm group
It is used to define a set of thresholds for network performance.
If a threshold is crossed in the appropriate direction, an alarm is generated and sent to the central console
Ex. An alarm could be generated if there are more than 500 CRC errors in any 5-minute interval

Alarm table (1)
Each entry specifies a particular variable to be monitored, a sampling interval, and threshold parameters
The single entry of a variable contains the most recent sampled value (last sampling interval)
–The new value will be stored, so the old is lost
Objects in the alarmTable:
alarmIndex: an integer that uniquely identifies a row in alarmTable
–Each row specifies a sample at a particular interval for a particular object in the monitor’s MIB

Alarm table (2)
alarmInterval: interval in seconds over which data are sampled and compared with the rising and falling thresholds
alarmVariable: the object identifier of the particular variable in the RMON MIB to be sampled
–Object type: INTEGER, counter, gauge, TimeTicks
–Ex. etherStatsUndersizePkts
alarmSampleType: the method of calculating the value to be compared to the threshold
–absoluteValue(1) – the value of the variable will be compared with the threshold
–deltaValue(2) – (the current value – the last value) is compared to the threshold

Alarm table (3)
alarmValue: the value of the statistic during the last sampling period
alarmStartupAlarm: this dictates whether an alarm will be generated if the first sample is greater than or equal to the risingThreshold, less than or equal to the fallingThreshold, or both
–risingAlarm(1), fallingAlarm(2), risingOrFallingAlarm(3)

Alarm table (4)
alarmRisingThreshold: the rising threshold for the sampled statistic
alarmFallingThreshold: the falling threshold for the sampled statistic
alarmRisingEventIndex: index of the eventEntry that is used when the rising threshold is crossed
alarmFallingEventIndex: index of the eventEntry that is used when the falling threshold is crossed

Alarm operation (1)
The monitor or a management station can define a new alarm by creating a new row in the alarmTable
The combination of variable, sampling interval and threshold parameters is unique to a given row.
Two thresholds are provided: a rising threshold and a falling threshold
–The rising threshold is crossed if the current sampled value is greater than or equal to the threshold and the last sampling value was less than the threshold

Alarm operation (2)
–Similarly, the falling threshold is crossed if the current sampled value is less than or equal to the threshold and the last sampled value was greater than the threshold
Two types of values are calculated for alarms
–absoluteValue: the value of an object at the time of sampling
For a counter, this value never crosses the falling threshold and crosses the rising threshold at most once
–deltaValue: the difference in values for the object over two successive sampling periods
For a counter or gauge, this can cross both thresholds any number of times

Rules for rising-alarm generation
1 (a) If the first sampled value is less than the rising threshold, then a rising alarm is generated the first time that the sample value becomes greater than or equal to the rising threshold
(b) If the first sampled value is greater than or equal to the rising threshold and the value of alarmStartupAlarm is risingAlarm(1) or risingOrFallingAlarm(3), then a rising-alarm event is generated

First alarm event generation

Rules for rising-alarm generation (cont'd)
(c) If the first sampled value is greater than or equal to the rising threshold and the value of alarmStartupAlarm is fallingAlarm(2), then a rising-alarm event is generated the first time that the sample value again becomes greater than or equal to the rising threshold after having fallen below the rising threshold
2 After a rising-alarm event is generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reached the falling threshold, and then reached the rising threshold again

Generation of alarm events
Fig 9.2

Hysteresis mechanism
The mechanism by which small fluctuations are prevented from causing alarms
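The rising-alarm rules and the hysteresis mechanism above, worked through as an added example (not code from the slides or from RFC 2819). It takes already-computed alarmValue samples; the struct, the function names, the thresholds of 100 and 50 and both sample series are constructed for illustration.

```c
#include <stdio.h>

/* alarmStartupAlarm values as listed on the slides */
enum { RISING_ALARM = 1, FALLING_ALARM = 2, RISING_OR_FALLING_ALARM = 3 };
enum event { EV_NONE, EV_RISING, EV_FALLING };

struct alarm {                 /* hypothetical state for one alarmTable row */
    long rising, falling;      /* alarmRisingThreshold, alarmFallingThreshold */
    int  startup;              /* alarmStartupAlarm */
    int  first;                /* 1 until the first sample has been seen */
    long last;                 /* alarmValue of the previous sample */
    int  rising_armed, falling_armed;
};

/* Feed one alarmValue sample; return the event it generates, if any. */
static enum event alarm_sample(struct alarm *a, long v)
{
    int up, down;
    if (a->first) {            /* rules 1(b)/1(c): the startup setting decides */
        up   = v >= a->rising  && a->startup != FALLING_ALARM;
        down = v <= a->falling && a->startup != RISING_ALARM;
        a->first = 0;
    } else {                   /* a crossing needs the last sample on the other side */
        up   = v >= a->rising  && a->last < a->rising;
        down = v <= a->falling && a->last > a->falling;
    }
    a->last = v;
    if (up && a->rising_armed) {      /* rule 2: disarm until a falling event */
        a->rising_armed = 0; a->falling_armed = 1;
        return EV_RISING;
    }
    if (down && a->falling_armed) {
        a->falling_armed = 0; a->rising_armed = 1;
        return EV_FALLING;
    }
    return EV_NONE;
}

/* Constructed series: hovers around the rising threshold, dips once, recovers. */
static const long SAMPLES[] = { 60, 105, 95, 110, 40, 45, 120 };
/* Constructed series: the first sample is already above the rising threshold. */
static const long HIGH_START[] = { 120, 90, 100 };

/* Count events of one kind over n samples (rising = 100, falling = 50). */
static int count_events(int startup, const long *v, int n, enum event kind)
{
    struct alarm a = { 100, 50, startup, 1, 0, 1, 1 };
    int i, hits = 0;
    for (i = 0; i < n; i++)
        if (alarm_sample(&a, v[i]) == kind) hits++;
    return hits;
}

int main(void)
{
    printf("rising=%d falling=%d\n",
           count_events(RISING_OR_FALLING_ALARM, SAMPLES, 7, EV_RISING),
           count_events(RISING_OR_FALLING_ALARM, SAMPLES, 7, EV_FALLING));
    return 0;
}
```

The 95 to 110 swing in the first series crosses the rising threshold again but raises no second alarm, because the value has not yet reached the falling threshold.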

Filter Group (1)
Provides a means by which a management station can instruct a monitor to observe selected packets on a particular interface
Data filter – allows the monitor to screen observed packets on the basis of a bit pattern that a portion of the packet matches (or fails to match)
Status filter – allows the monitor to screen observed packets on the basis of their status (e.g. CRC error)
These filters can be combined using logical AND and OR operations

Filter Group (2)
The stream of packets that pass the test is referred to as a channel.
–A count of such packets is maintained
In addition, the channel can be configured to generate an event (defined in the event group)
Finally, the packets passing through a channel can be captured if the mechanism is defined in the capture group

Filter logic - variables
input = the incoming portion of the packet to be filtered
filterPktData = the bit pattern to be tested for
filterPktDataMask = the relevant bits to be tested for
filterPktDataNotMask = indication of whether to test for a match or a mismatch

Ex. 1 match & mismatch
if ((input ^ filterPktData) == 0) filterResult = match;
We take the bitwise exclusive OR of input and filterPktData
If all bits of input and filterPktData are the same, the result is all 0s
if ((input ^ filterPktData) != 0) filterResult = mismatch;
Test for mismatch

Ex. 2 match + don't care (1)
Use filterPktDataMask
–1-bits in filterPktDataMask indicate the positions that need to be tested against filterPktData
–0-bits in filterPktDataMask indicate the positions that need not be tested against filterPktData

Ex. 2 match + don't care (2)
if (((input ^ filterPktData) & filterPktDataMask) == 0) filterResult = match_on_relevant_bits;
else filterResult = mismatch_on_relevant_bits;
The XOR operation produces a result that has a 1-bit in every position where there is a mismatch
The AND operation clears every don't-care position, so only mismatches in relevant bits remain

Ex. 3 more complex (1)
Use filterPktDataNotMask
–0-bits in filterPktDataNotMask indicate the positions where an exact match is required between the relevant bits of input and filterPktData (all bits match)
–1-bits in filterPktDataNotMask indicate the positions where a mismatch is required between the relevant bits of input and filterPktData (at least one bit does not match)

Ex. 3 more complex (2)
Definition of the relevant bits that differ
relevant_bits_different = (input ^ filterPktData) & filterPktDataMask;
Incorporating filterPktDataNotMask for a match
if ((relevant_bits_different & ~filterPktDataNotMask) == 0) filterResult = successful_match;
Incorporating filterPktDataNotMask for a mismatch
if ((relevant_bits_different & filterPktDataNotMask) != 0) filterResult = successful_mismatch;

Filter Operations (1)
TEST1 – the packet must be long enough that it contains at least as many bits as filterPktData (otherwise the packet fails the filter)
TEST2 – each bit set to 0 in filterPktDataNotMask indicates a bit position in which the relevant bits of the packet portion should match filterPktData.
–If there is a match in every desired bit position, the test is passed; otherwise the test is failed

Filter Operations (2)
TEST3 – each bit set to 1 in filterPktDataNotMask indicates a bit position in which the relevant bit of the packet portion should not match filterPktData
–The test is passed if there is a mismatch in at least one desired bit position
A packet passes this filter if it passes all three tests
Ex. We wish to accept all Ethernet packets that have a destination address of 0xA5 and do not have a source address of 0xBB

Filter Operations (3)
filterPktDataOffset = 0
filterPktData = 0x0000000000A50000000000BB
filterPktDataMask = 0xFFFFFFFFFFFFFFFFFFFFFFFF
filterPktDataNotMask = 0x000000000000FFFFFFFFFFFF
filterPktDataOffset indicates that the pattern matching should start with the first bit of the packet
filterPktData indicates that the pattern of interest consists of 0xA5 and 0xBB
filterPktDataMask indicates that all of the first 96 bits are relevant
filterPktDataNotMask indicates that the test is for a match on the first 48 bits and a mismatch on the second 48 bits
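The three filter tests applied to the 0xA5 / 0xBB example, as an added example that is not code from the slides or from the RFC. Assumptions: the offset is counted in octets, the three filter arrays have equal length, the 96-bit values are written out as described on the slide (48-bit destination, then 48-bit source), TEST3 is treated as passed when no mismatch bits are requested, and the struct, function names and frames are constructed.

```c
#include <stddef.h>
#include <stdio.h>

struct data_filter {               /* hypothetical holder for one filterTable row */
    size_t offset;                 /* filterPktDataOffset, in octets */
    size_t len;                    /* length of each of the three arrays */
    const unsigned char *data;     /* filterPktData */
    const unsigned char *mask;     /* filterPktDataMask */
    const unsigned char *notmask;  /* filterPktDataNotMask */
};

/* Returns 1 if the packet passes the data filter, 0 otherwise. */
static int data_filter_pass(const struct data_filter *f,
                            const unsigned char *pkt, size_t pkt_len)
{
    size_t i;
    int want_mismatch = 0, got_mismatch = 0;

    /* TEST1: the packet must cover offset + pattern (also keeps reads in bounds) */
    if (pkt_len < f->offset || pkt_len - f->offset < f->len)
        return 0;
    for (i = 0; i < f->len; i++) {
        unsigned char diff = (pkt[f->offset + i] ^ f->data[i]) & f->mask[i];
        /* TEST2: every relevant bit with NotMask = 0 must match */
        if (diff & (unsigned char)~f->notmask[i])
            return 0;
        /* TEST3: among relevant bits with NotMask = 1, at least one must differ */
        if (f->mask[i] & f->notmask[i]) want_mismatch = 1;
        if (diff & f->notmask[i])       got_mismatch = 1;
    }
    /* Assumption: with no mismatch bits requested, TEST3 is trivially passed */
    return !want_mismatch || got_mismatch;
}

/* The slide's filter: destination must equal ...A5, source must not equal ...BB */
static const unsigned char F_DATA[12] = { 0,0,0,0,0,0xA5, 0,0,0,0,0,0xBB };
static const unsigned char F_MASK[12] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                                          0xFF,0xFF,0xFF,0xFF,0xFF,0xFF };
static const unsigned char F_NOT[12]  = { 0,0,0,0,0,0, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF };
static const struct data_filter SLIDE_FILTER = { 0, 12, F_DATA, F_MASK, F_NOT };

/* Constructed frames: destination (6 octets), source (6), EtherType (2) */
static const unsigned char PKT_ACCEPT[14]    = { 0,0,0,0,0,0xA5, 0,0,0,0,0,0xCC, 0x08,0x00 };
static const unsigned char PKT_SRC_BB[14]    = { 0,0,0,0,0,0xA5, 0,0,0,0,0,0xBB, 0x08,0x00 };
static const unsigned char PKT_OTHER_DST[14] = { 0,0,0,0,0,0xA6, 0,0,0,0,0,0xCC, 0x08,0x00 };

int main(void)
{
    printf("accept=%d src_bb=%d other_dst=%d short=%d\n",
           data_filter_pass(&SLIDE_FILTER, PKT_ACCEPT, 14),
           data_filter_pass(&SLIDE_FILTER, PKT_SRC_BB, 14),
           data_filter_pass(&SLIDE_FILTER, PKT_OTHER_DST, 14),
           data_filter_pass(&SLIDE_FILTER, PKT_ACCEPT, 8));
    return 0;
}
```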

Filter status
Bit#  Error
0     Packet is longer than 1,518 octets
1     Packet is shorter than 64 octets
2     Packet experienced a CRC or alignment error
Ex. An Ethernet fragment would have the status value of 6 ( )

Channel definition (1)
A channel is defined by a set of filters
The way in which the filters are combined to decide whether a packet is accepted depends on the value of channelAcceptType
–acceptMatched(1)
–acceptFailed(2)

Channel definition (2)
If we define a pass as a logical 1 and a fail as a logical 0
–Within a filter, the data filter and the status filter both have to pass (AND logic)
–The overall result for a channel is the OR of all its filters (at least one of the filters is passed)

Fig 9.5

Channel operation (1)
If the packet is accepted
–The counter channelMatches is incremented
Several controls are associated with the channel
channelDataControl – determines whether the channel is on or off; if it is off, no event is generated and no packet is captured
channelEventStatus – indicates whether the channel is enabled to generate an event when a packet is matched
channelEventIndex – specifies an associated event

Channel operation (2)
If channelDataControl is on, then an event will be generated if two conditions are met
1 an event is defined for this channel in channelEventIndex and
2 channelEventStatus has the value eventReady or eventAlwaysReady
–If the event status is eventReady, then each time an event is generated the event status is changed to eventFired (this controls the flow of events from a channel to a management station)
–If flow control is not a concern, the event status may be set to eventAlwaysReady

Filter group (1)
Consists of 2 control tables
–filterTable defines the associated filters
–channelTable defines a unique channel
channelIfIndex – identifies the monitor interface to which the associated filters are applied to allow data into this channel

Fig 9.7

Filter group (2)
channelAcceptType – controls the action of the filters associated with this channel.
–acceptMatched(1): packets will be accepted to this channel if they pass both the packet data match and the packet status match of at least one of the associated filters
–acceptFailed(2): packets will be accepted to this channel if they fail either the packet data match or the packet status match of every associated filter

Filter group (3)
channelDataControl
–on(1): the data, status and events will flow through this channel
–off(2): the data, status and events will not flow through this channel
channelEventStatus: the event status of this channel
–If the channel is configured to generate events when packets are matched

Filter group (4)
–eventReady(1): a single event will be generated for a packet match
–eventFired(2): no events are generated
–eventAlwaysReady(3): every packet match generates an event
channelMatches: a counter that records the number of packet matches
channelDescription: a text description of the channel

Packet Capture Group (1)
It is used to set up a buffering scheme for capturing packets from one of the channels in the filter group
bufferControlTable – defines one buffer that is used to capture and store packets from one channel
captureBufferTable – the buffered data

bufferControlTable (1)
bufferControlFullStatus
–spaceAvailable(1): the buffer has room to accept new packets
–full(2): the behaviour depends on the value of bufferControlFullAction
bufferControlFullAction
–lockWhenFull(1): accept no more packets when the buffer is full
–wrapWhenFull(2): act as a circular buffer, deleting the oldest packets

bufferControlTable (2)
bufferControlCaptureSliceSize – the maximum number of octets of each packet that will be saved in this capture buffer.
–If a 1500-octet packet is received by the probe and this object is set to 500, then only 500 octets of the packet will be stored
–If this variable is set to 0, the capture buffer will save as many octets as possible.
–Default is 100

bufferControlTable (3)
bufferControlDownloadSliceSize – the maximum number of octets of each packet in this capture buffer that will be returned in a single SNMP retrieval of that packet.
bufferControlDownloadOffset – the offset of the first octet of each packet in this buffer that will be returned in a single SNMP retrieval of that packet
bufferControlCapturedPackets – the number of packets currently in this buffer

bufferControlTable (4)
bufferControlMaxOctetsRequested – the requested buffer size in octets
–The value of -1 requests that the buffer be as large as possible
bufferControlMaxOctetsGranted – the actual buffer size in octets
bufferControlCapturedPackets – the number of packets currently in this buffer
bufferControlTurnOnTime – the value of sysUpTime when this buffer was first turned on

Event group
An event is triggered by a condition located elsewhere in the MIB
–Alarm from risingThreshold (alarm group)
An event can trigger an action defined elsewhere in the MIB
–Trigger turning a channel ON or OFF (filter group)
2 tables – eventTable and logTable

Fig 9.10

eventTable & logTable
eventType: none(1) log(2) snmp-trap(3) log-and-trap(4)
–log: an entry is made in the log table
–snmp-trap: an SNMP trap is sent to one or more management stations
eventCommunity: specifies the community of management stations to receive the trap
logTime: time when this log entry was created
logDescription: description

Practical issues
Packet capture overload
–With RMON there is a very real danger of overloading the monitor
–Some tests resulted in bad performance
Network inventory
–RMON is useful for this purpose
Hardware platform
–Dedicated or non-dedicated host
Interoperability
–Unreliable in a multivendor environment

RMON probe performance
Fig 9.11

Security Consideration
Restrict SNMP access to the probe.
–Some statistical data are sensitive
Restrict SNMP access to some functions
–Capturing packets
Should not be used with SNMPv1 (not secure)
–It is recommended that implementors consider the security features provided by the SNMPv3 framework.