Kyung Hee University: RMON2

Presentation transcript:

Slide 1: RMON2 (Kyung Hee University)

Slide 2: 10.1 Overview
- RMON2 extends the RMON MIB specification to include monitoring of protocol traffic above the MAC level.
- An RMON probe can monitor traffic on the basis of network-layer protocols and addresses, including the Internet Protocol (IP).
- Because an RMON probe can decode and monitor application-level traffic, such as file transfer and WWW protocols, the probe can record traffic to and from hosts for particular applications.

Slide 3: Network-Layer Visibility
- An RMON probe with RMON1 can monitor all of the traffic on the LANs, or can capture all of the MAC-level frames and read the MAC-level source and destination addresses in those frames. However, it has no way of determining the ultimate source of incoming traffic arriving via the router or the ultimate destination of outgoing traffic leaving via the router.
- With RMON2, the RMON probe has the capability of seeing above the MAC layer by reading the header of the enclosed network-layer protocol, which is typically IP. This allows the probe to analyze traffic passing through the router to determine the ultimate source and destination.

Slide 4: Network-Layer Visibility (cont’d)
- A network manager can now answer a number of new questions:
  1. If there is excessive load on the LAN due to incoming router traffic, what networks or hosts account for the bulk of that incoming traffic?
  2. If a router is overloaded because of high amounts of outgoing traffic, what local hosts account for the bulk of that outgoing traffic, and to what destination networks or hosts is that traffic directed?
  3. If there is a high load of pass-through traffic (arriving via one router and departing via another router), what networks or hosts are responsible for the bulk of this traffic?
- The network manager may be able to take steps to contain traffic loads and improve performance, optimizing traffic flow.

Slide 5: Application-Level Visibility
- An RMON2 probe is capable of seeing above the IP layer by reading the enclosed higher-level headers, such as TCP, and viewing the headers at the application protocol level, allowing the network manager to monitor traffic in great detail.
- With RMON2, a network application can be implemented that will generate charts and graphs depicting traffic percentage by protocols or by applications.

Slide 6: The RMON2 MIB
- rmon (mib-2 16)
  - RMON1: statistics (1), history (2), alarm (3), host (4), hostTopN (5), matrix (6), filter (7), capture (8), event (9), tokenRing (10)
  - RMON2: protocolDir (11), protocolDist (12), addressMap (13), nlHost (14), nlMatrix (15), alHost (16), alMatrix (17), usrHistory (18), probeConfig (19), rmonConformance (20)

Slide 7: The RMON2 MIB
- The new MIB groups defined in RMON2:
  - protocol directory (protocolDir): master directory of all of the protocols that the probe can interpret
  - protocol distribution (protocolDist): aggregate statistics on the amount of traffic generated by each protocol, per LAN segment
  - address map (addressMap): matches each network address to a specific MAC address and port on an attached device and physical address on this subnetwork
  - network-layer host (nlHost): statistics on the amount of traffic into and out of hosts on the basis of network-layer address
  - network-layer matrix (nlMatrix): statistics on the amount of traffic between pairs of hosts on the basis of network-layer address

Slide 8: The RMON2 MIB (cont’d)
  - application-layer host (alHost): statistics on the amount of traffic into and out of hosts on the basis of application
  - application-layer matrix (alMatrix): statistics on the amount of traffic between pairs of hosts on the basis of application-layer address
  - user history collection (usrHistory): periodically samples user-specified variables and logs that data based on user-defined parameters
  - probe configuration (probeConfig): defines standard configuration parameters for RMON probes

Slide 9: New Functional Features in RMON2
- RMON2 enhances the power and flexibility of RMON through the use of index objects that are not part of the table they index, and the use of time filter indexing.
- Indexing with external objects
  - The SMI for SNMPv2 explicitly states that it is possible to use an object that is not part of a conceptual table as an index for that table.
    - In that case, the DESCRIPTION clause for the conceptual row must include a textual explanation of how such objects are to be used in uniquely identifying a conceptual row instance.
  - In Figure 8.2, the data table is indexed by rm1DataControlIndex and then rm1DataIndex. The value of rm1DataControlIndex is the same as the value of rm1ControlIndex in rm1ControlTable that defines the control row for this data entry.
  - An example of this type of structure appears in Figure 8.8, which shows the layout of the RMON1 history table.

Slide 10: New Functional Features in RMON2 (cont’d)
- Indexing with external objects (cont’d)
  - Figure 10.2 shows the same type of control table and data table definition in the RMON2 style.
  - Suppose that we are interested in the set of data rows controlled by the second control row and that we are further interested in the 89th member, or row, of that set.
    - The instance of the value of that row would be named rm2DataValue.2.89
    - In this case, the index value “2” refers to rm2ControlIndex.
  - Another difference found in RMON2 is that status objects are specified as having syntax RowStatus rather than EntryStatus.
  - RowStatus provides a more elaborate method for adding and removing rows than that supported by EntryStatus.

Slide 11: New Functional Features in RMON2 (cont’d)
- Time filter indexing
  - A common function of a network management application is periodically to poll all probes for values of objects maintained at the probe.
  - For the sake of efficiency, it is desirable to have the probe return values only for those objects whose values have changed since the last poll.
    - There is no direct way in SNMP or SNMPv2 to achieve this function.
  - RMON2 has an innovative means of achieving this functionality in the MIB definition:

    TimeFilter ::= TEXTUAL-CONVENTION
        STATUS current
        DESCRIPTION “…………”
        SYNTAX TimeTicks
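The polling behaviour that time filter indexing enables, as an added Python simulation (not from the slides). It assumes the TimeFilter rule from the RMON2 MIB definition that a row is visible under a given TimeMark only if it last changed at or after that time; the class names, host addresses and counter values are constructed for illustration.

```python
class TimeFilteredTable:
    """Probe-side table indexed by (TimeMark, row index)."""

    def __init__(self):
        self._rows = {}  # row index -> (value, sysUpTime of last change)

    def update(self, index, value, now):
        """Record a counter value; the timestamp moves only when the value changes."""
        current = self._rows.get(index)
        if current is None or current[0] != value:
            self._rows[index] = (value, now)

    def get(self, time_mark, index):
        """Single-instance read: the row exists only if it changed at or after time_mark."""
        row = self._rows.get(index)
        if row is None or row[1] < time_mark:
            return None  # a real agent would answer noSuchInstance
        return row[0]

    def walk(self, time_mark):
        """Table walk under one TimeMark value."""
        return {i: v for i, (v, t) in sorted(self._rows.items()) if t >= time_mark}


class Manager:
    """Polls a probe and asks only for rows changed since its previous poll."""

    def __init__(self, table):
        self.table = table
        self.last_poll = 0  # TimeMark 0 matches every row
        self.cache = {}

    def poll(self, now):
        changed = self.table.walk(self.last_poll)
        self.cache.update(changed)
        self.last_poll = now  # next poll uses this as its TimeMark
        return changed


def demo():
    """Two polls over constructed data; returns (first, second, manager cache)."""
    probe = TimeFilteredTable()
    manager = Manager(probe)
    probe.update("10.0.0.1", 120, now=100)
    probe.update("10.0.0.2", 45, now=200)
    first = manager.poll(now=1000)            # TimeMark 0: full table
    probe.update("10.0.0.2", 60, now=1500)    # changed after the first poll
    probe.update("10.0.0.1", 120, now=1600)   # same value, timestamp unchanged
    second = manager.poll(now=2000)           # TimeMark 1000: changed rows only
    return first, second, manager.cache


if __name__ == "__main__":
    for result in demo():
        print(result)
```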

Slide 12: 10.2 Protocol Directory Group (protocolDir)
- The group addresses a key difficulty in the remote monitoring of protocol traffic above the MAC layer.
- On any particular network, many different protocols may be running.
- The purpose of the protocol directory group is to provide a single central point for storing information about types of protocols.
- The protocol directory group provides a way for an RMON2 manager to learn which protocols a particular RMON2 probe interprets.
  - This information is especially important when the manager and probe are from different vendors.

Slide 13: Protocol Directory Group (cont’d)
- The RMON2 protocol directory group (Figure 10.5) includes a protocol directory table, with one entry for each protocol for which the probe can decode and count PDUs.
  - The table covers MAC-, network-, and higher-layer protocols.
  - protocolDirLastChange: contains the time of the last table update.

Slide 14: Protocol Directory Group (cont’d)

Slide 15: Protocol Identification
- Protocol identifier
  - The protocolDirID object contains a unique octet string for a specific protocol.
  - Octet-string identifiers for protocols are arranged in a tree-structured hierarchy, similar to the hierarchy of MIB objects:
    - ether2 = 1 [ ]
    - llc = 2 [ ]
    - snap = 3 [ ]
    - vsnap = 4 [ ]
    - ianaAssigned = 5 [ ]
  - The identifier for IP running over Ethernet: ether2.ip
  - UDP running over IP on an Ethernet LAN: ether2.ip.udp
  - For SNMP: ether2.ip.udp.snmp

Slide 16: Protocol Identification (cont’d)
- Protocol identifier (cont’d)
  - Ethernet MAC protocol: [0.0.a.b], where a and b contain the 16-bit value in the Type field of an Ethernet MAC protocol
    - In case of IP, [ ]
  - The IP PDU includes an eight-bit Protocol field that identifies the user of IP: [ a ]
    - The protocol identifier for UDP running over IP is [ ]
  - The UDP PDU format includes a 16-bit Port field to identify a UDP user.
    - In case of SNMP, [ ]
  - So, protocolDirID that uniquely identifies SNMP running over UDP/IP on Ethernet: octets

Slide 17: Protocol Identification (cont’d)
- Protocol identifier (cont’d)
  - Capability of the probe in the above example:
    - interpreting all incoming Ethernet frames
    - looking past the Ethernet header and trailer and interpreting the encapsulated IP datagram
    - looking past the IP header and interpreting the encapsulated UDP segment
    - looking past the UDP header and interpreting the encapsulated SNMP PDU

Slide 18: Protocol Identification (cont’d)
- Protocol parameters
  - This indexes an entry in protocolDirTable referring to the protocol SNMP running over UDP/IP/Ethernet, with fragments counted correctly for IP and above.
  - A new protocol descriptor macro has been specified. The macro is defined using a simple Backus-Naur Form (BNF) syntax rather than ASN.1.
    - See Page 292
    - See Figure 10.7
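The layered identifier scheme from the Protocol Identification slides, as an added Python example (not from the slides): it builds the protocolDirID octets, the per-layer parameter octets, and the resulting protocolDirTable index for a protocol path such as ether2.ip.udp.snmp, and decodes identifiers back to names. Assumptions: the function names are hypothetical; the child values (EtherType 0x0800, IP protocol 6 and 17, UDP port 161) are the standard assignments, supplied here because the slide text does not show them; the four-octets-per-layer layout and the countsFragments parameter bit follow the RMON2 protocol identifier specification.

```python
# Base-layer identifiers as listed on the slide.
BASE_LAYERS = {"ether2": 1, "llc": 2, "snap": 3, "vsnap": 4, "ianaAssigned": 5}

# Child identifiers keyed by parent layer. Values are the standard EtherType,
# IP Protocol and UDP port numbers (assumed here, not taken from the slides).
CHILDREN = {
    "ether2": {"ip": 0x0800},
    "ip": {"tcp": 6, "udp": 17},
    "udp": {"snmp": 161},
}

COUNTS_FRAGMENTS = 0x01  # protocolDirParameters bit 0 (assumption, see lead-in)


def encode_protocol_dir_id(path):
    """Return protocolDirID octets for a dotted path such as 'ether2.ip.udp'."""
    names = path.split(".")
    values = [BASE_LAYERS[names[0]]]
    for parent, child in zip(names, names[1:]):
        values.append(CHILDREN[parent][child])
    # Each layer occupies four octets, most significant first.
    return b"".join(v.to_bytes(4, "big") for v in values)


def decode_protocol_dir_id(octets):
    """Turn protocolDirID octets into a dotted path; unknown layers stay numeric."""
    if len(octets) == 0 or len(octets) % 4:
        raise ValueError("protocolDirID must be a non-empty multiple of 4 octets")
    values = [int.from_bytes(octets[i:i + 4], "big") for i in range(0, len(octets), 4)]
    base = {v: k for k, v in BASE_LAYERS.items()}
    names = [base.get(values[0], str(values[0]))]
    for value in values[1:]:
        known = {v: k for k, v in CHILDREN.get(names[-1], {}).items()}
        names.append(known.get(value, str(value)))
    return ".".join(names)


def encode_parameters(path, fragment_layers=()):
    """One parameter octet per layer; set countsFragments on the named layers."""
    return bytes(COUNTS_FRAGMENTS if n in fragment_layers else 0 for n in path.split("."))


def protocol_dir_index(path, fragment_layers=()):
    """protocolDirTable instance suffix: two length-prefixed octet-string indexes."""
    parts = []
    for octets in (encode_protocol_dir_id(path), encode_parameters(path, fragment_layers)):
        parts.append(len(octets))
        parts.extend(octets)
    return ".".join(str(p) for p in parts)


if __name__ == "__main__":
    path = "ether2.ip.udp.snmp"
    print(protocol_dir_index(path, fragment_layers=("ip",)))
    print(decode_protocol_dir_id(encode_protocol_dir_id(path)))
```

Decoding the identifiers a probe reports in its protocol directory is a quick way to check which encapsulations it can actually see before relying on its host or matrix statistics.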

Slide 19: Protocol Directory Table
- protocolDirLocalIndex: an arbitrary unique index number associated with this entry
- protocolDirDesc: a textual description object
- protocolDirType: extensible (0), addressRecognitionCapable (1)
- protocolDirAddressMapConfig: notSupported (1), supportedOff (2), supportedOn (3)
- protocolDirHostConfig: notSupported (1), supportedOff (2), supportedOn (3)
- protocolDirMatrixConfig: notSupported (1), supportedOff (2), supportedOn (3)
- protocolDirOwner
- protocolDirStatus

Slide 20: Protocol Distribution Group
- Summarizes how many octets and packets have been sent from each of the protocols supported.
  - protocolDistControlTable: controls collection of basic statistics for all supported protocols
    - Each row refers to a unique network interface for this probe and controls a number of rows of protocolDistStatsTable.
  - protocolDistStatsTable: records the data
    - It is indexed by protocolDistControlIndex and by protocolDirLocalIndex, which uniquely identifies a particular protocol.

Slide 21: Protocol Distribution Group (cont’d)

Slide 22: 10.4 Address Map Group
- Matches each network address to a specific MAC-level address and therefore to a specific port on the network device.
  - Helpful in node discovery and network topology applications for pinpointing the specific paths of network traffic
- Has three scalar objects, a control table, and a data table:
  - addressMapInserts
  - addressMapDeletes
  - addressMapMaxDesiredEntries
  - addressControlTable
  - addressMapTable
- Current size of the data table = addressMapInserts - addressMapDeletes

Slide 23: Address Map Group (cont’d)

Slide 24: Address Map Group (cont’d)
- A single ‘central’ data table contains entries that provide the mapping between network-layer (typically IP) addresses and MAC addresses.
- addressMapTable will collect address mappings based on source MAC and network addresses seen in error-free MAC frames.
  - The table will create entries for all protocols in the protocol directory table whose value of protocolDirAddressMapConfig is equal to supportedOn (3).
- Given a network address for a particular protocol observed within a particular amount of time, the table gives the MAC address for that network address (only one entry in the table for any specific network address).

Slide 25: 10.5 RMON2 Host Groups
- Two RMON2 groups deal with the collection of statistics on a host basis: the network-layer host group and the application analysis group.
- Both of these groups contain a data table that is controlled by a control table in the network-layer host group.

Slide 26: Network-layer Host Group
- Enables users to decode packets based on their network-layer address
  - Lets the network manager look beyond a router to the connected hosts
  - Collects statistics similar to those collected in the RMON1 host group (Fig. 8.9), which are based on MAC address

Slide 27: Network-layer Host Group (cont’d)

Slide 28: Network-layer Host Group (cont’d)
- The nlHostTable will create entries for all network-layer protocols in the protocol directory table whose value of protocolDirHostConfig is equal to supportedOn (3).
- The probe adds entries to this table for all addresses seen as the source or destination address in all packets with no MAC errors.
- After a new row is defined in nlHostControlTable, the monitor begins to learn network-layer addresses on the corresponding interface.
  - Each time a new network-layer address is discovered on that interface, a row is added to nlHostTable, and the value of nlHostControlNlInserts is incremented by one.

Slide 29: Network-layer Host Group (cont’d)
- The nlHostTable is indexed by four objects:
  - nlHostControlIndex, which defines the interface
  - nlHostTimeMark, a time filter
  - protocolDirLocalIndex, the identity of the protocol
  - nlHostAddress, the network address
- Given a network address for a particular protocol observed on a particular interface within a particular amount of time, the traffic statistics for that address can be read.

Slide 30: Application-layer Host Group
- The nlHostControlTable also controls alHostTable in the application-layer host group.
  - There is one entry in alHostTable for each application-level protocol discovered at each known network-layer address.
- The alHostTable will create entries for all application-level protocols in the protocol directory table whose value of protocolDirAlHostConfig is equal to supportedOn (3).
  - The probe adds entries to this table for all addresses seen as the source or destination address in all packets with no MAC errors.
  - For example, the user could learn the amount of traffic generated or received by Lotus Notes or MS Mail for a given host.

Slide 31: Application-layer Host Group (cont’d)

Slide 32: 10.6 RMON2 Matrix Groups
- RMON1 matrix groups gather statistics based on MAC addresses, whereas the RMON2 matrix groups gather statistics based on network-layer address and on application-level protocol.
  - network-layer matrix (nlMatrix)
  - application-layer matrix (alMatrix)

Slide 33: Network-Layer Matrix Group
- Consists of five tables: two control tables and three data tables.

Slide 34: Network-Layer Matrix Group (cont’d)
- Network-layer source/destination statistics
  - The nlMatrixControlTable
  - The nlMatrixSDTable is used to store statistics on traffic from a particular source network-layer address to a number of destinations.
  - The nlMatrixSDTable will create entries for all application-level protocols in the protocol directory table whose value of protocolDirNlMatrixConfig is equal to supportedOn (3).
- Network-layer TopN statistics
  - In RMON1, the HostTopN group maintains statistics that rank individual hosts on one subnetwork based on some parameter.
  - In the RMON2 TopN statistics table, the ranking is of the traffic between pairs of hosts based on some parameter.
  - nlMatrixTopNControlTable
  - nlMatrixTopNTable

Slide 35: Network-Layer Matrix Group (cont’d)

Slide 36: Network-Layer Matrix Group (cont’d)
- Unlike RMON1, RMON2 TopN tables automatically retrigger when the sort completes.
  - In this way, the stored report is updated every TopNDuration seconds automatically.
- A network management system can determine whether a new report is available yet by polling the TopNGeneratedReports object.

Slide 37: Application-Layer Matrix Group
- One control table and three data tables
  - two data tables: dealing with the collection of matrix statistics
  - other data tables: dealing with the collection of topN statistics
- Application-layer source/destination statistics
  - alMatrixSDPkts
- Application-layer TopN statistics

Slide 38: Application-Layer Matrix Group (cont’d)

Slide 39: Application-Layer Matrix Group (cont’d)

Slide 40: 10.7 User History Collection Group
- Periodically polls particular statistics and variables and then logs that data based on user-defined parameters
  - A network manager can configure history studies of any counter in the system, such as a specific history on a particular file server or router-to-router connection.
- This group consists of a three-level hierarchy of tables (Figure 10.15):
  - usrHistoryControlTable: specifies the details of the sampling function
  - usrHistoryObjectTable: each row refers to a single MIB object instance
  - usrHistoryTable: presents the value of a single MIB object instance during a specific sampling interval

Slide 41: User History Collection Group

Slide 42: 10.8 Probe Configuration Group
- Designed to enhance interoperability among RMON probes and managers by defining a standard set of configuration parameters for probes.
  - It makes it easier for one vendor’s RMON application to be able to configure remotely another vendor’s RMON

Slide 43: Probe Configuration Group (cont’d)

Slide 44: Probe Configuration Group (cont’d)
- Control strings
  - Textual convention for use by several of the tables in the probe configuration group
  - ControlString ::= DisplayString
  - Used to communicate with a modem or serial data switch
  - Represented by two-character sequences beginning with the ^ character: ^s, ^c, ^t, ^w, ^!, ^d, ^b
- Serial configuration table
- Network configuration table
- Trap destination table
- Serial connection table

Slide 45: 10.9 Extensions to RMON1 for RMON Devices
1. A createTime object is added to all control tables.
2. A droppedFrames object is added to a number of tables, included as a filter object in all filter definitions.
3. The object filterProtocolDirLocalIndex is added to filterTable.
See Table 10.2.

Slide 46: Practical Issues
- Tested on a fast Ethernet (100 Mbps) LAN segment, to which was attached the probe plus two traffic generators, one for TCP segments and one for UDP segments
