Network Monitoring Chapter 20

Objectives Explain how SNMP works Describe network monitoring tools Discuss a scenario that uses management and monitoring tools

Introduction Modern networks require intervention from network technicians Intervention may be regular or irregular Technician responsibilities Install network management tools Deploy other tools to monitor, troubleshoot, and optimize networks over time Cross Check: CAN, MAN, LAN, WAN, WLAN (p. 580) You encountered the acronym soup of networking terms back in Chapters 2, 4, 14, 15, 17… so cross check your memory now. What do these terms mean? How do they differ? Do they all use Ethernet? How do they communicate if not?

Test Specific SNMP

SNMP Simple Network Management Protocol (SNMP) De facto management protocol for TCP/IP networks Creates a managed network Components of SNMP SNMP manager Managed devices Management information bases

Figure 20.1 Massive list of network monitoring tools maintained by the Stanford Linear Accelerator Center (SLAC)

SNMP (cont’d.) SNMP manager function Requests and processes information from managed devices Network management station (NMS) Specialized software run by the SNMP manager Agent Specialized software run by managed devices

SNMP (cont’d.) Types of managed devices Printers Workstations Video cameras Routers Switches

Figure 20.2 SNMP components

SNMP (cont’d.) Types of information collected by the SNMP manager vary SNMP: an extensible protocol Can be adapted to accommodate different needs Uses management information bases (MIBs) to categorize the data that can be queried

Core Functions of SNMP SNMP has up to eight core functions Each known as a protocol data unit (PDU) Four PDUs discussed in this chapter Get Response Set Trap

SNMP Query Process SNMP manager sends a Get request Examples: GetRequest or GetNextRequest Agent sends a response with the requested information SetRequest Used to ask agent to make changes to information it queries and sends Variables

Figure 20.3 Simple SNMP process

SNMP Query Process (cont’d.) Trap PDU Used by an agent to solicit information from an NMS Can happen with or without prior action from the SNMP manager

Example Query Bayland Widgets’ art department printer Maintained by Network+ technicians Uses an SNMP management system Network management station sends a GetRequest to the printer agent Queries the number of pages printed Printer sends the Response Techs determine if the printer needs maintenance

Figure 20.4 The Bayland Widgets’ Art Department printer

Example Query (cont’d.) Printer needs to advise techs when printer is out of toner or paper Sends a Trap to the NMS

Figure 20.5 Get/Response and Trap

SNMP (cont’d.) SNMP systems can use additional utilities Example: snmpwalk utility tells SNMP manager to perform a series of Get commands Manager software can send SMS or email alerts to network technicians Versions of SNMP SNMPv1, SNMPv2, and SNMPv3 Version 3 added robust security

SNMP (cont’d.) SNMP uses User Datagram Protocol ports 161 and 162 for unsecure communication Ports 10161 and 10162 when security is added via TLS Exam Tip (p. 583): SNMP managers listen on UDP ports 162 or 10162 (with TLS). Agents listen on ports 161 or 10161 (with TLS).
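The Get/Response exchange described on the preceding slides (GetRequest, Response, SetRequest, request id, community string, UDP 161/162) in working form, as an added example written for this page, not code from the textbook: a minimal BER encoder/decoder for SNMPv1 messages. The SNMPv1 PDU type tags (0xA0 GetRequest through 0xA4 Trap, from RFC 1157) and the sysName.0 OID are standard; the community string, request id and the printer's reply value are constructed. The SNMPv1 Trap PDU has a different layout (enterprise OID, agent address, trap codes), so this encoder covers only the four request/response PDUs that share one layout; the decoder still names a Trap by its tag.

```python
"""Minimal SNMPv1 BER encoder/decoder: added example, not textbook code."""
from __future__ import annotations
from typing import Any

# SNMPv1 PDU type tags (context-specific, constructed) from RFC 1157
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
SNMP_AGENT_PORT, SNMP_MANAGER_PORT = 161, 162   # UDP ports named on the slides
SYS_NAME_0 = "1.3.6.1.2.1.1.5.0"                # sysName.0 from standard MIB-II


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode_integer(value: int) -> bytes:
    """Two's-complement INTEGER using the fewest bytes that keep the sign bit right."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but last
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_varbind(oid: str, value: Any = None) -> bytes:
    if value is None:
        encoded = _tlv(NULL, b"")              # Get requests carry NULL values
    elif isinstance(value, int):
        encoded = encode_integer(value)
    else:
        encoded = _tlv(OCTET_STRING, str(value).encode())
    return _tlv(SEQUENCE, encode_oid(oid) + encoded)


def encode_message(pdu_tag: int, community: str, request_id: int,
                   varbinds: list[tuple[str, Any]],
                   error_status: int = 0, error_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, pdu }."""
    pdu = (encode_integer(request_id) + encode_integer(error_status)
           + encode_integer(error_index)
           + _tlv(SEQUENCE, b"".join(encode_varbind(o, v) for o, v in varbinds)))
    return _tlv(SEQUENCE, encode_integer(0)
                + _tlv(OCTET_STRING, community.encode()) + _tlv(pdu_tag, pdu))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_message(raw: bytes) -> dict:
    _, body, _ = _read_tlv(raw, 0)
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, est, q = _read_tlv(pdu, q)
    _, _eix, q = _read_tlv(pdu, q)
    _, vbs, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbs):
        _, vb, q = _read_tlv(vbs, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        decoded = (int.from_bytes(val, "big", signed=True) if vtag == INTEGER
                   else val.decode(errors="replace") if vtag == OCTET_STRING else None)
        varbinds.append((decode_oid(oid), decoded))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu": PDU_TAGS.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(est, "big"), "varbinds": varbinds}


def demo() -> tuple[dict, dict]:
    """NMS asks the printer agent for sysName.0; the agent answers (constructed values)."""
    request = encode_message(0xA0, "public", 1001, [(SYS_NAME_0, None)])
    # A real agent echoes request-id and community and fills in the value.
    response = encode_message(0xA2, "public", 1001, [(SYS_NAME_0, "art-dept-printer")])
    return decode_message(request), decode_message(response)


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

The decoded dictionaries are what a protocol analyzer shows for a v1 exchange; the community string travels in clear text in the message, which is why the slides note that SNMPv3 (or TLS on 10161/10162) is needed for robust security.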

Monitoring Tools

Packet Sniffers Query the network interface and capture packets into a capture file Programs might reside on a computer, a router, a switch, or a dedicated hardware Connecting in promiscuous mode enables getting as much data as possible Usually packaged with a packet analyzer

Packet Analyzers Programs that read capture files and analyze based on monitoring needs Typical question “What is the IP and MAC address of the device sending out DHCP Offer messages and when is it doing this?” Note (p. 584): Various names are used to describe utilities that analyze packets: packet sniffer, packet analyzer, protocol analyzer, and network analyzer. There’s so much overlap here! That can be attributed to the fact that so many packet analyzers come with sniffers as well. Bottom line, don’t rely on the name of the monitoring tool to determine all it can do. Read the tech specs.

Packet Analyzing With Wireshark Powerful, popular, and free protocol analyzer Process Select an interface to begin the capture Try This! Play along with Wireshark! (p. 584) It’s never too late to learn how to use packet analyzers, so try this! Download a copy of Wireshark (www.wireshark.org) and just play. There’s no danger to doing so, and it’s actually a lot of fun!

Figure 20.6 Wireshark default window

Figure 20.7 Wireshark capturing packets

Figure 20.8 Wireshark filter

Packet Flow Monitoring with NetFlow Tool to track traffic flowing between specific source and destination devices Track desired type of traffic via user-defined flows Flow Packets flowing from one specific place to another Cached in a flow cache Note (p. 586): To use NetFlow you must enable NetFlow on that device. If the device doesn’t support NetFlow, you can use stand-alone probes that can monitor maintenance ports on the unsupported device and send the information to the NetFlow collector.

Packet Flow Monitoring with NetFlow (cont’d.) Flow cache information Destination and source address Destination and source ports Source on the device running that flow Total number of bytes of that flow Enables administrators to optimize the network

NetFlow Collectors Store information from a device’s NetFlow cache Different tools available Example: LiveAction

Figure 20.9 LiveAction in action!

Interface Monitors Track bandwidth and utilization of one or more interfaces on one or more devices Interface monitoring components Speed and duplex Utilization Packet drops Errors and interface resets Discards

Interface Monitors (cont’d.) Started as manufacturer-specific tools Still common Other tools work on multiple platforms Example: Cisco Network Assistant (CNA) Monitors Cisco routers and switches Note (p. 588): Limiting the description of CNA to an “interface monitor” completely sells the software short. It can monitor individual ports on a switch, but you can use the program to set up, manage, maintain, and troubleshoot all the functions of the switch. It’s a much more powerful tool than just an interface monitor.

Figure 20.10 Percent of utilization of switch port 1

Figure 20.11 Hmm…looks pretty clean

Figure 20.12 Ouch. That’s a lot of errors!

Performance Monitors Track the performance of some aspect of a system over time Alert you if something is not normal Usually tied to a particular operating system or application Common tools Windows Performance Monitor (PerfMon) Linux’s syslog Tech Tip: Performance Monitor (p. 589) The term performance monitor is not an industry term but instead just a handy way to discuss several utilities with similar functions that are listed in the CompTIA Network+ objectives. Also, PerfMon is a unique Linux tool for performance monitoring. It just happens to share the same name as Windows’ Performance Monitor.

Logs Files that store performance information about a particular aspect of the system Read, filtered, or created by performance monitors

Baselines Log of performance indicators give you a picture of your network and servers when they are working correctly Examples: CPU usage, network utilization, and other values A major change in these values can indicate problems Common tool: Windows’ Performance Monitor utility

Log Management Security and maintenance Major issues pertaining to logs Log files will typically grow to fill the allocated space Common practice is to make them cyclical—overwrite the oldest files Utilities allow creation of log files on a convenient schedule

Putting It All Together

Example Network Monitoring Application Bayland Widgets’ CAN See Figure 20.13 for layout Each building is wired with 10Gb Ethernet Buildings interconnect with 10Gb fiber into access switches Campus-wide Wi-Fi network Router gives Internet access

Figure 20.13 Diagram of Bayland Widgets’ campus area network

Example Network Monitoring Application (cont’d.) Types of networked devices Routers (wired and wireless) Switches Wireless access points Servers Workstations Printers Phones

Example Network Monitoring Application (cont’d.) Dedicate an area in the main office as a network operations center (NOC) Centralized location for network management Use various programs to query devices Graphing program (e.g., Cacti) could create graphs of information received

Figure 20.14 Cacti showing switch utilization graphs Exam Tip (p. 592): Programs like Cacti enable you to see very quickly essential facts about your network hardware. You can see available storage, network device CPU usage, network device memory usage, and more. With wireless-aware tools, you can quickly spot problems with wireless channel usage or channel saturation. These tools are a tech’s friend!

Figure 20.15 Cacti showing file server storage utilization graph

Example Network Monitoring Application (cont’d.) Example categories to monitor Network device CPU utilization Memory usage Traffic Link status Bottlenecks

Example Network Monitoring Application (cont’d.) Top talkers and top listeners can be identified May help track down a malware problem Wireshark could be used if moving the network to IPv6 Multiple tools are often needed for complex troubleshooting scenarios
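The flow cache fields listed under "Packet Flow Monitoring with NetFlow" (addresses, ports, source interface, byte totals) and the top talkers/top listeners from this slide, as one added example written for this page rather than the textbook's or any NetFlow vendor's code: packets are aggregated into flows keyed by ingress interface plus the 5-tuple, expired from the cache on an inactive or active timeout into an export list (what a collector such as the one shown earlier would receive), and the exported flows are then ranked by bytes sent and bytes received. The packet records are constructed, using RFC 1918 and RFC 5737 documentation addresses; the 15-second inactive and 30-minute active timeouts match commonly cited NetFlow defaults but are assumptions here, and a real export record carries more fields (ToS, TCP flags, next hop) than this key.

```python
"""NetFlow-style flow cache with top talkers/listeners: added example, not vendor code."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed packet (constructed); ifindex is the ingress interface."""
    ts: float
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int
    ifindex: int


@dataclass
class Flow:
    key: tuple          # (ifindex, src, dst, proto, sport, dport)
    first: float
    last: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Active flows stay cached until an inactive or active timeout, then are exported."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.active: dict[tuple, Flow] = {}
        self.exported: list[Flow] = []

    def expire(self, now: float) -> None:
        for key, flow in list(self.active.items()):
            idle = now - flow.last > self.inactive_timeout
            too_long = now - flow.first > self.active_timeout
            if idle or too_long:
                self.exported.append(self.active.pop(key))

    def add(self, pkt: Packet) -> None:
        self.expire(pkt.ts)
        key = (pkt.ifindex, pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        flow = self.active.get(key)
        if flow is None:
            flow = Flow(key, first=pkt.ts, last=pkt.ts)
            self.active[key] = flow
        flow.last = pkt.ts
        flow.packets += 1
        flow.octets += pkt.length

    def flush(self) -> list[Flow]:
        """Export everything still active (end of the capture or of a poll cycle)."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def _rank(flows: list[Flow], index: int, n: int) -> list[tuple[str, int]]:
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.key[index]] += f.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_talkers(flows: list[Flow], n: int = 3) -> list[tuple[str, int]]:
    """Source addresses ranked by bytes sent."""
    return _rank(flows, 1, n)


def top_listeners(flows: list[Flow], n: int = 3) -> list[tuple[str, int]]:
    """Destination addresses ranked by bytes received."""
    return _rank(flows, 2, n)


# Constructed traffic: one workstation moves far more data than its neighbours.
PACKETS = [
    Packet(0.0,  "10.1.5.23",    "203.0.113.10", 6,  51234, 443,   1500, 1),
    Packet(0.2,  "203.0.113.10", "10.1.5.23",    6,  443,   51234, 60,   2),
    Packet(0.5,  "10.1.5.23",    "203.0.113.10", 6,  51234, 443,   1500, 1),
    Packet(1.0,  "10.1.5.40",    "10.1.1.5",     17, 50000, 53,    80,   1),
    Packet(1.1,  "10.1.1.5",     "10.1.5.40",    17, 53,    50000, 120,  2),
    Packet(30.0, "10.1.5.23",    "203.0.113.10", 6,  51234, 443,   1500, 1),  # past idle timeout: new flow
    Packet(31.0, "10.1.5.8",     "10.1.1.9",     6,  40000, 445,   900,  1),
]


def run(packets: list[Packet] = PACKETS):
    cache = FlowCache()
    for pkt in packets:
        cache.add(pkt)
    flows = cache.flush()
    return flows, top_talkers(flows), top_listeners(flows)


if __name__ == "__main__":
    flows, talkers, listeners = run()
    print(len(flows), "flows;", "talkers:", talkers, "listeners:", listeners)
```

The same 5-tuple reappearing after the inactive timeout becomes a second flow record, which is why a collector sums records per address before ranking; a single host dominating the talker list across many destinations is the pattern the slide has in mind when it says top talkers can help track down a malware problem.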

Security Information and Event Management (SIEM) An approach to monitoring and managing a network A mashup of two processes: Security event management (SEM) has the task of collecting and centralizing the log files Security information management (SIM) involves reviewing and analyzing the information
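The SEM/SIM split from this slide in working form, as an added example written for this page, not any SIEM product's code: the SEM half collects log lines from two constructed sources (a BSD-syslog sshd line from a file server and a key=value authentication record from a VPN gateway, both formats invented for this example) and normalizes them into one event schema; the SIM half then runs a single analysis rule over the centralized events, flagging a source address with repeated failed logins across different hosts inside a time window. The year 2024 is assumed for the syslog lines, which carry no year, and the threshold of three failures in five minutes is an assumption.

```python
"""SEM collection plus SIM analysis over constructed logs: added example, not product code."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Normalized authentication event shared by every log source."""
    ts: datetime
    host: str
    source_ip: str
    user: str
    outcome: str   # "failure" or "success"
    raw: str


# Constructed sshd line in BSD syslog layout (no year in the timestamp).
SYSLOG_AUTH = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

# Constructed key=value layout for the VPN gateway's auth records.
KV_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z host=(?P<host>\S+) event=auth "
    r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<ip>\d+(?:\.\d+){3})")


def parse_syslog_auth(line: str, year: int = 2024) -> Event | None:
    m = SYSLOG_AUTH.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return Event(ts, m["host"], m["ip"], m["user"], outcome, line)


def parse_kv_auth(line: str) -> Event | None:
    m = KV_AUTH.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    outcome = "failure" if m["result"] == "fail" else "success"
    return Event(ts, m["host"], m["ip"], m["user"], outcome, line)


def collect(lines: list[str], year: int = 2024) -> list[Event]:
    """SEM step: centralize and normalize; unrecognized lines are dropped."""
    events = []
    for line in lines:
        ev = parse_syslog_auth(line, year) or parse_kv_auth(line)
        if ev is not None:
            events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def failed_login_bursts(events: list[Event], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)):
    """SIM step: source addresses with >= threshold failures inside any window."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.outcome == "failure":
            by_ip[e.source_ip].append(e)
    alerts = []
    for ip, evs in sorted(by_ip.items()):
        best, start = 0, 0
        for end in range(len(evs)):            # sliding window over sorted times
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, best, sorted({e.host for e in evs})))
    return alerts


# Constructed log lines from two sources, deliberately out of order.
LOGS = [
    "Mar 11 09:14:55 fileserver1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2",
    "Mar 11 09:15:02 fileserver1 sshd[2231]: Failed password for root from 198.51.100.7 port 51530 ssh2",
    "2024-03-11T09:16:05Z host=vpn1 event=auth result=fail user=bob src=198.51.100.7",
    "Mar 11 09:15:40 fileserver1 sshd[2240]: Accepted password for bob from 10.1.5.23 port 40112 ssh2",
    "2024-03-11T09:15:10Z host=vpn1 event=auth result=fail user=alice src=198.51.100.7",
    "Mar 11 09:30:00 fileserver1 sshd[2300]: Failed password for bob from 10.1.5.40 port 40500 ssh2",
    "Mar 11 09:31:00 fileserver1 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in failed_login_bursts(collect(LOGS)):
        print(alert)
```

Neither host alone sees enough failures to look unusual; the rule only fires because the SEM step put the file server's and the VPN gateway's records side by side, which is the value the slide attributes to collecting and centralizing logs before analyzing them.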