2. Chapter 8  Remote Monitoring (RMON1) 1 Chapter 8 Overview  RMON1 is a MIB o Also known as RMON  Recall that mib-2 gives info on devices  RMONs provide network info  RMON1 provides info at link (MAC) layer  RMON2 is discussed in chapter 9 o Info at network layer and above

3. Chapter 8  Remote Monitoring (RMON1) 2 Textbook LAN  Probe 1 and probe 2 are RMON probes  Probe 2 is RMON1 only  Probes capture packets in promiscuous mode

4. Chapter 8  Remote Monitoring (RMON1) 3 RMON1 MIB Groups  We’ll consider the following groups o Statistics group, History group, o Alarm group, Host group, o HostTopN group, Matrix group o Filter group, Capture group, o and Event group

5. Chapter 8  Remote Monitoring (RMON1) 4 Statistics Group  Overall statistics

6. Chapter 8  Remote Monitoring (RMON1) 5 History Group

7. Chapter 8  Remote Monitoring (RMON1) 6 Alarm Group

8. Chapter 8  Remote Monitoring (RMON1) 7 Host Group

9. Chapter 8  Remote Monitoring (RMON1) 8 HostTopN Group

10. Chapter 8  Remote Monitoring (RMON1) 9 Matrix Group

11. Chapter 8  Remote Monitoring (RMON1) 10 Filter Group

12. Chapter 8  Remote Monitoring (RMON1) 11 Capture Group

13. Chapter 8  Remote Monitoring (RMON1) 12 Event Group

14. Chapter 8  Remote Monitoring (RMON1) 13 Statistics Group  Simplest RMON1 group  “Counts” all packets detected  Increment counts

15. Chapter 8  Remote Monitoring (RMON1) 14 Control Objects and Tables  Control objects in RMON1 and RMON2  Specify how data is collected o And whether probe or mgmt station decides  Mgmt station looks at control objects to see if data being collected as desired  Mgmt station can modify control objects  Probe-created control objects generally should not be changed

16. Chapter 8  Remote Monitoring (RMON1) 15 Control Objects and Tables  Suppose mgmt station wants to collect data from a particular subnet  It could create a new row in etherStatsTable  Instead, could use control objects so that only the desired data is collected  Saves storage on the probe  Use SetRequest to set control object values

17. Chapter 8  Remote Monitoring (RMON1) 16 etherStatsTable Control Objects

18. Chapter 8  Remote Monitoring (RMON1) 17 MeterWare  Summary view  Probe 2 info

19. Chapter 8  Remote Monitoring (RMON1) 18 RMON1 on Probe 2  Object values  Click “Statistics”

20. Chapter 8  Remote Monitoring (RMON1) 19 etherStatsTable Control Objects  Probe 2 has one interface, so only one row  etherStatsOwner = monitor o Agent created and “owns” this row  etherStatsStatus = valid o Agent will store collected data  etherStatsDataSource = ifIndex.1 o Identifier of mib-2 for probe interface to 192.192.192.240  etherStatsIndex = 1 o First row in table

21. Chapter 8  Remote Monitoring (RMON1) 20 etherStatsTable Control Objects  View  select row and start collecting stats  Add  add another row  Modify  edit current row  Delete  delete a row  Help  get help (duh!)

22. Chapter 8  Remote Monitoring (RMON1) 21 History Group  A record of what happens over defined sampling intervals  Similar to Statistics Group  Main difference is sampling intervals  History Group includes o etherHistoryTable o historyControlTable

23. Chapter 8  Remote Monitoring (RMON1) 22 History Group  MIB browser view

24. Chapter 8  Remote Monitoring (RMON1) 23 historyControlTable  Column objects

25. Chapter 8  Remote Monitoring (RMON1) 24 historyControlTable  One row for each historyControlInterval o In this case, 30 and 1800 seconds o 120 “buckets” (intervals) for each  So 240 rows in etherHistoryTable

26. Chapter 8  Remote Monitoring (RMON1) 25 historyControlTable

27. Chapter 8  Remote Monitoring (RMON1) 26 etherHistoryTable  Recall, 240 rows in etherHistoryTable

28. Chapter 8  Remote Monitoring (RMON1) 27 etherHistoryTable and historyControlTable

29. Chapter 8  Remote Monitoring (RMON1) 28 Sample History Report  30 second history report

30. Chapter 8  Remote Monitoring (RMON1) 29 Host Group  Statistics per host  Note statistics and history groups do not relate their stats to hosts  4 tables: hostControlTable, hostTable, hostTimeTable, hostControl2Table (RMON2)

31. Chapter 8  Remote Monitoring (RMON1) 30 hostControlTable  hostCotrolTableSize o Number of hosts detected so far  hostControlLastDeleteTime o Last “reset” time

32. Chapter 8  Remote Monitoring (RMON1) 31 hostControlTable

33. Chapter 8  Remote Monitoring (RMON1) 32 hostTable  Index object, MAC address pairs  Host address is index object o Index object has address in decimal

34. Chapter 8  Remote Monitoring (RMON1) 33 hostTimeTable  Same objects as hostTable  Different index object o hostTimeCreationOrder, not hostAddress o So that new hosts easily distinguished o Also hostTimeIndex

35. Chapter 8  Remote Monitoring (RMON1) 34 Too Many Hosts?  If too many hosts, probe uses hostTimeCreationOrder to drop hosts o Drop those that have not been used for longest o hostTimeCreationOrder is in hostTimeTable  To be sure it uses valid object identifier, mgmt station checks hostControlLastDeleted o In hostControlTable

36. Chapter 8  Remote Monitoring (RMON1) 35 hostTable Example  Hosts detected on probe 2 subnet

37. Chapter 8  Remote Monitoring (RMON1) 36 HostTopN Group  Rate of change of hostTable info  Sorta like History for specific Host  For each row of hostTopNControlTable o N rows in hostTopNTable (N is configurable)

38. Chapter 8  Remote Monitoring (RMON1) 37 hostTopNControlTable

39. Chapter 8  Remote Monitoring (RMON1) 38 hostTopNControlTable  Index is generated by the probe  Unique for each distribution created

40. Chapter 8  Remote Monitoring (RMON1) 39 hostTopNTable  Note that it’s measuring the change

41. Chapter 8  Remote Monitoring (RMON1) 40 HostTopN in MeterWare  Distribution of top 5 hosts  Based on “in-packets” rate Addresses of hosts with largest number of in-packets 

42. Chapter 8  Remote Monitoring (RMON1) 41 HostTopN Addresses  This is not the same as view on previous slide

43. Chapter 8  Remote Monitoring (RMON1) 42 Matrix Group  Host-to-host statistics  Like a 2-d version of Host

44. Chapter 8  Remote Monitoring (RMON1) 43 Matrix Control Tables

45. Chapter 8  Remote Monitoring (RMON1) 44 Matrix Control Tables  matrixControlTable o Same objects as hostControlTable  matrixSDTable and matrixDSTable o Only difference is order of index objects o Source to destination vs destination to source? o If matrixSDTable is A to B, then corresponding matrixDSTable is B to A

46. Chapter 8  Remote Monitoring (RMON1) 45 Matrix Control Tables  matrixSDTable  matrixDSTable

47. Chapter 8  Remote Monitoring (RMON1) 46 Matrix in MeterWare

48. Chapter 8  Remote Monitoring (RMON1) 47 Filter and Capture Groups  These groups usually used together  Capture Group o How probe captures frame o How info is sent from buffer on probe to buffer on mgmt station  Filter Group o To select types of frames to capture o Used to conserve space in buffers

49. Chapter 8  Remote Monitoring (RMON1) 48 Capture Group  Capture group objects

50. Chapter 8  Remote Monitoring (RMON1) 49 Capture Group  bufferControlTable

51. Chapter 8  Remote Monitoring (RMON1) 50 Capture Group  captureBufferTable

52. Chapter 8  Remote Monitoring (RMON1) 51 Capture Group  How packets are captured and buffered o We’ll fill in the details on the next few slides

53. Chapter 8  Remote Monitoring (RMON1) 52 Channels  Probe 2 channels  Channel editor o To set values in bufferControlTable

54. Chapter 8  Remote Monitoring (RMON1) 53 Channels  Run button o Start capturing  Filter tab o Make filters  Buffer tab o Show captured packets, protocols,…  Analyze tab o More specific filtering/analysis  Create new channel

55. Chapter 8  Remote Monitoring (RMON1) 54 Filter Group  By default (in Meterware) all packets captured until buffer is full  Can then filter the ones of interest o Using analyze tab  But some packets might be missed due to full buffer  Filter group used to prevent this

56. Chapter 8  Remote Monitoring (RMON1) 55 Filter Group  Filter group objects

57. Chapter 8  Remote Monitoring (RMON1) 56 Filter Group  filterTable objects

58. Chapter 8  Remote Monitoring (RMON1) 57 Filter Group  channelTable objects

59. Chapter 8  Remote Monitoring (RMON1) 58 RMON Control Table  Create/edit RMON channels o As shown in Capture Group slides  Control Table for RMON Channels (above)  Select: Owner  View Details

60. Chapter 8  Remote Monitoring (RMON1) 59 Channel Information  Interface Index  channelIfIndex  Channel Index  channelIndex  Status  channelStatus  Packet Matches  channelMatches  Accept Type  channelAcceptType  All objects here are in channelTable  Owner  channelOwner

61. Chapter 8  Remote Monitoring (RMON1) 60 Channel Information  Data Flow Control  channelDataControl o off(2) means no packets being captured  Turn On Event Index  channel… o Event to turn off(2) to on(1)  Turn Off Event Index  channel… o Event to turn on(1) to off(2)  All objects here are in channelTable

62. Chapter 8  Remote Monitoring (RMON1) 61 Channel Information  Generated Event Index  channelEventIndex o 0 means no event generated by a matched packet (configured in Event Group)  Generated Event Status  channelEventStatus o Options are… o eventReady(1) o eventFired(2) o eventAlwaysReady(3)  All objects here are in channelTable

63. Chapter 8  Remote Monitoring (RMON1) 62 Filter Example  May not want to include all packets  Can set up filter for each channel  Above is filter from Probe 2 to WS2  Another filter needed for opposite direction

64. Chapter 8  Remote Monitoring (RMON1) 63 Filter Example  Link layer  ifTable/ifType = ethernet-csma(6)  Protocol  filterTable/filterPktData = IP  Sub-protocol  filterTable/filterPktData = UDP  Source address  Probe 2 (MAC and IP address)  Destination address  WS2 (MAC and IP address)  Allow packets  filterTable/filterPktStatus o Any Packet = 0  Filter for packets from probe 2 to WS2

65. Chapter 8  Remote Monitoring (RMON1) 64 Captured/Filtered Packets

66. Chapter 8  Remote Monitoring (RMON1) 65 All Captured Frames

67. Chapter 8  Remote Monitoring (RMON1) 66 Contents of Frame  Detailed view of packet o Similar to Ethereal

68. Chapter 8  Remote Monitoring (RMON1) 67 Analysis of Captured Frames  Packet 10 (out of 28) shown  Next, filter o UDP packets o Length 00 fe  Click “apply” o Next slide…

69. Chapter 8  Remote Monitoring (RMON1) 68 Analyze Screen  Find 6 frames that satisfy the filter o Out of 28 captured frames  Can filter down to frames of interest

70. Chapter 8  Remote Monitoring (RMON1) 69 Alarm Group  alarmTable “Threshold” compared o If threshold exceeded, alarm sent  Used with Event Group

71. Chapter 8  Remote Monitoring (RMON1) 70 alarmTable Objects

72. Chapter 8  Remote Monitoring (RMON1) 71 Event Group  Two tables o eventTable and logTable  Specify event triggered by Alarm group o Events can also be triggered from elsewhere

73. Chapter 8  Remote Monitoring (RMON1) 72 eventTable and logTable

74. Chapter 8  Remote Monitoring (RMON1) 73 Event Example  In channelTable…  channelTurnOffEventIndex o Can set value equal to an eventIndex in eventTable with eventType of trap(3) o Then any packet that matches channel will cause a trap to be sent to Mgmt Station o Mgmt Station could be configured to send SetRequest to turn off the channel

75. Chapter 8  Remote Monitoring (RMON1) 74 Chapter 8 Summary  Examined RMON1 groups (9 of them)  RMON monitors network traffic o RMON1 for link layer o RMON2 for higher layers o Chapter 8: RMON1 o Chapter 9: RMON2