
Network Monitoring

and Management
ICMP and SNMP
ICMP

Internet Control Message Protocol


RFC 792
Transfer of (control) messages from
routers and hosts to hosts
Feedback about problems
e.g. time to live expired
Encapsulated in plain IP datagram
Not reliable
Figure: TCP/IP protocol stack and demultiplexing of an incoming frame
Application layer: FTP server (port 21), telnet server (port 23), SMTP (port 25), ...
Transport layer: TCP (IP protocol 6), UDP (IP protocol 17); ICMP (IP protocol 1) and IGMP sit beside IP
Network layer: IP (Ethernet frame type 0x0800); ARP (Ethernet frame type 0x0806), RARP
Link layer: Ethernet driver
Demultiplexing of an incoming frame: the Ethernet frame type selects IP or ARP; the IP header protocol field selects ICMP, TCP or UDP; the TCP/UDP destination port selects the application.
Ethernet frame: dest addr | source addr | frame type | data | CRC
IP header: ... | protocol | cksum | source addr | dest addr | data
TCP header: src port | dest port | ... | data
(Ethernet frame types in hex, others in decimal)


ICMP Types
ICMP
Uses IP but is a separate protocol in the network layer
ICMP messages contain
Type
Code
1st 8 bytes of bad datagram

Figure: ICMP message format
IP HEADER (PROTOCOL = 1) | TYPE | CODE | CHECKSUM | REMAINDER OF ICMP MESSAGE (FORMAT IS TYPE SPECIFIC)
The ICMP message is carried as the IP data.
ICMP Message Formats
Destination Unreachable
Format: TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits data from original DG

TYPE = 3
CODE
0 = Net unreachable
1 = Host unreachable
2 = Protocol unreachable
3 = Port unreachable
4 = Fragmentation needed but DF set
5 = Source route failed
6 = Dest network unknown
7 = Dest host unknown
Source Quench
Format: TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits data from original DG

TYPE = 4; CODE = 0
Flow control:
Indicates that a router has dropped the original DG
or may indicate that a router is approaching its
capacity limit.

Correct behavior for source host is not defined.


Time Exceeded
Format: TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits data from original DG

TYPE = 11
CODE
0 = Time to live exceeded in transit
1 = Fragment reassembly time exceeded
Redirect
Format: TYPE | CODE | CHECKSUM | NEW ROUTER ADDRESS | IP HEADER + 64 bits data from original DG

TYPE = 5
CODE =
0 = Network redirect
1 = Host redirect
2 = Network redirect for specific TOS
3 = Host redirect for specific TOS
Redirection Concept
Figure: redirection concept (hosts and routers attached to the Internet)
QUERY Message:
Echo and Echo Reply
Format: TYPE | CODE | CHECKSUM | IDENTIFIER | SEQUENCE # | DATA ...

TYPE = 8 = ECHO; 0 = ECHO REPLY


CODE = 0
IDENTIFIER
An identifier to aid in matching echoes and replies
SEQUENCE #
Same use as for IDENTIFIER
UNIX ping uses echo/echo reply
Replaced by Network Time Protocol (NTP)
Using Ping
[wirth:~] [4:15pm] -> ping www.uakron.edu
PING arwen.uakron.edu (130.101.81.50) 56(84) bytes of data.
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=0 ttl=62 time=0.512 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=1 ttl=62 time=0.449 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=2 ttl=62 time=1.38 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=3 ttl=62 time=0.439 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=4 ttl=62 time=0.448 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=5 ttl=62 time=0.496 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=6 ttl=62 time=0.449 ms

--- arwen.uakron.edu ping statistics ---


7 packets transmitted, 7 received, 0% packet loss, time 6001ms
rtt min/avg/max/mdev = 0.439/0.596/1.383/0.323 ms, pipe 2
[wirth:~] [4:16pm] ->
Extended Ping

Used for path MTU discovery


IP header options can be used along with ICMP:
route recording,
timestamping,
source routing
Traceroute
UNIX utility - displays router used to get to a specified
Internet Host (Van Jacobson, 1988)
Operation
router sends ICMP Time Exceeded message to source if
TTL is decremented to 0
if TTL starts at 5, source host will receive Time Exceeded
message from router that is 5 hops away
Traceroute sends a series of UDP probes (to port
~33500) with different TTL values and records the
source address of the ICMP Time Exceeded
message for each
Probes are formatted so that the destination host will
send an ICMP Port Unreachable message
Traceroute and ICMP (2)
Trace the route of an IP packet
Figure: Source -> Router 1 -> Router 2 -> Destination
Timeline: probe with TTL=1 -> Router 1 known; probe with TTL=2 -> Router 2 known; probe with TTL=3 -> Destination known
Traceroute and ICMP (3)
Trace the route of an IP packet
Upon reaching destination,
No Time exceeded message generated
How do you know when final destination is
reached?
Traceroute sends to unused UDP port
(>30000), generating an ICMP destination
unreachable message
With code port unreachable
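The mechanism just described, as an added example that is not part of the original slides: a small simulation in which each router decrements the TTL of a UDP probe and answers with ICMP Time Exceeded when it reaches zero, while the destination answers the probe to an unused port with ICMP Destination Unreachable / Port Unreachable. The path uses constructed RFC 5737 test addresses, the probe port is assumed to start at 33434, and a `silent` set models routers that never answer (the `*` entries in real traceroute output).

```python
# Added example (not from the original slides): simulation of the traceroute
# mechanism. Path addresses are constructed RFC 5737 test-net values.

TIME_EXCEEDED = 11      # ICMP type 11, code 0 = time to live exceeded in transit
DEST_UNREACHABLE = 3    # ICMP type 3, code 3 = port unreachable
BASE_PORT = 33434       # assumed first probe port (the "~33500" range above)

# Constructed path: three routers, then the destination host.
PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.10"]


def forward(ttl, dst, port, path, silent=frozenset()):
    """Carry one UDP probe hop by hop. Returns (icmp_type, icmp_code, sender, quoted_port):
    the ICMP error carries the first 64 bits of the original datagram, i.e. the UDP ports,
    which is how traceroute matches a reply to its probe. Returns None when the node that
    should answer is in `silent` (a router that filters ICMP)."""
    for node in path:
        if node == dst:
            # The host delivers the datagram without decrementing TTL; nothing listens
            # on the probe port, so it answers Destination Unreachable / Port Unreachable.
            return (DEST_UNREACHABLE, 3, node, port)
        ttl -= 1
        if ttl == 0:
            # A router decremented TTL to zero: it drops the probe and sends Time Exceeded.
            return None if node in silent else (TIME_EXCEEDED, 0, node, port)
    raise RuntimeError("probe left the path without reaching the destination")


def traceroute(dst, path, max_hops=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one.
    Each probe gets its own destination port so replies can be matched to probes."""
    hops = []
    for ttl in range(1, max_hops + 1):
        port = BASE_PORT + ttl - 1
        reply = forward(ttl, dst, port, path, silent)
        if reply is None:
            hops.append((ttl, "*", None, None))   # no answer for this TTL
            continue
        icmp_type, icmp_code, sender, quoted_port = reply
        if quoted_port != port:
            continue   # reply belongs to some other probe; ignore it
        hops.append((ttl, sender, icmp_type, icmp_code))
        if icmp_type == DEST_UNREACHABLE and icmp_code == 3:
            break      # the destination itself answered: trace complete
    return hops


if __name__ == "__main__":
    for ttl, sender, icmp_type, icmp_code in traceroute(PATH[-1], PATH):
        print(f"{ttl:2d}  {sender:15s}  ICMP type={icmp_type} code={icmp_code}")
```

Running the block prints one line per hop, ending with the port-unreachable reply from the destination; passing `silent={"192.0.2.2"}` reproduces the `*` entry seen at hop 10 of the real trace below.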
Traceroute
mymachine:~% traceroute www.cis.ksu.edu
traceroute to polaris.cis.ksu.edu (129.130.10.93), 30 hops max, 40 byte packets
1 wraith.facnet.mcs.kent.edu (131.123.46.1) 0.878 ms 0.620 ms 0.553 ms
2 ghost.uis-mcs.mcs.kent.edu (131.123.40.1) 6.000 ms 3.366 ms 2.632 ms
3 lib2-255x248-e37-lib.gate.kent.edu (131.123.255.254) 7.170 ms 3.552 ms 4.477 ms
4 twcneo-cw.neo.rr.com (204.210.223.3) 9.515 ms 15.167 ms 18.687 ms
5 bordercore4-hssi1-0.NorthRoyalton.cw.net (166.48.233.253) 17.864 ms 10.971 ms 14.652 ms
6 core4.WillowSprings.cw.net (204.70.4.73) 23.438 ms 22.099 ms 17.397 ms
7 wsp-sprint2-nap.WillowSprings.cw.net (206.157.77.94) 18.367 ms 22.854 ms 20.267 ms
8 sl-bb11-chi-2-1.sprintlink.net (144.232.10.157) 23.518 ms 24.528 ms 18.757 ms
9 sl-bb12-chi-5-1.sprintlink.net (144.232.10.6) 21.197 ms 31.452 ms 15.050 ms
10 sl-bb10-kc-7-1.sprintlink.net (144.232.9.117) 46.752 ms * 40.125 ms
11 sl-gw5-kc-0-0-0.sprintlink.net (144.232.2.62) 38.360 ms 48.002 ms 44.795 ms
12 sl-uok-1-0-0.sprintlink.net (144.232.132.14) 93.256 ms 67.070 ms 61.727 ms
13 ks-1-ks-ksu.r.greatplains.net (164.113.232.193) 77.743 ms 64.566 ms 67.117 ms
14 164.113.212.250 (164.113.212.250) 59.988 ms 46.188 ms 55.616 ms
15 129.130.252.9 (129.130.252.9) 68.211 ms 67.881 ms 75.441 ms
16 polaris.cis.ksu.edu (129.130.10.93) 76.462 ms 54.838 ms *
TCP: path-MTU discovery (PMTU-D)
SNMP

Where did it come from ?


Internet Engineering Task Force
Network Management Area
SNMP v1
MIBv1, MIBv2
SNMP v2 (?)
SNMP v3 (?)
SNMPv1 History
RFC 1157, 1990:
A Simple Network Management Protocol
(SNMP)
RFC 1155, 1158, 1213, 1990:
Specification of the MIBv2
Written in ASN.1
Protocol context of SNMP
SNMPv1 Protocol
Five Simple Messages:
get-request
get-next-request
get-response
set-request
trap
SNMP - SNMP Message Handling -
Figure: exchanges between SNMP Manager and SNMP Agent
Manager -> Agent: GetRequest (What is the value of MIB?)
Agent -> Manager: GetResponse (The value is XXXX!)
Manager -> Agent: GetNextRequest (What is the next value of MIB Tree?)
Agent -> Manager: GetResponse (The value is XXXX!)
Manager -> Agent: SetRequest (Modify the value of OID)
Agent -> Manager: GetResponse (The value is XXXX!)
Agent -> Manager: Trap (Problem happened!)
SNMPv1: UDP ports
Figure: Manager and Agent
Manager -> Agent port 161: get_request, get_next_request, set_request
Agent -> Manager: get_response (answer to each request)
Agent -> Manager port 162: trap
SNMPv1 Packet Format
UDP Header | Version | Community | PDU Type | Request ID | Error Status | Error Index | name | value | ...
SNMP version (0 is for version 1)
Community (read-only, read-write):
Shared password between agent and manager
PDU: Specifies request type
Request ID
Error Status
Error Index
Community Names

Community names are used to define where an SNMP message is destined for.
Set up your agents to belong to certain communities.
Set up your management applications to monitor and
receive traps from certain community names.
RFC 1065 (MIB Structure)
Structure and Identification of Management
Information for TCP/IP-based Internets (SMI)
Uses Abstract Syntax Notation 1 (ASN.1)
Types of information
Network Address
IP Address
Counter (32 bit monotonically increasing)
Gauge (32 bit variable)
Timeticks (time in hundredths of a second)
Opaque (arbitrary syntax for text data)
Adopted as a full standard in RFC 1155
(basically unchanged)
MIB definitions

RFC 1066 - MIB definitions using RFC 1065


(RFC 1155) (Rose & McCloghrie)
First version of the MIB now called MIB-I
Adopted as a full standard in RFC 1156
(essentially unchanged from 1066)
RFC 1158 - extends MIB-I and defines MIB-II
Adopted as a full standard in RFC 1213
Vendor extensions to MIB
RFC 1156 (MIB-I) allowed for vendor specific
extensions to be included in the MIB
Allows for additional management information
about devices not provided for in the standard
MIB
For example: CPU utilisation
Normal for devices to support all of MIB-II
PLUS have their own vendor-specific
extensions
SNMP NAMES
SNMP Name Structure
1 - iso
  3 - org
    6 - dod
      1 - Internet
        1 - directory
        2 - mgmt
          1 - mib
            1 - system
              1 - sysDescr
              2 - sysObjectID
            2 - interfaces
              1 - ifTable
                1 - ifEntry
                  1 - ifIndex
                  2 - ifDescr
                  3 - ifType
                  ...
                  10 - ifInOctets
        3 - expt
        4 - private
          1 - Enterprise
            9 - cisco
OSI Object Identifier Tree
SNMP - MIB Tree -
Objects are managed by the tree
Expressed in a row of values divided by the period
root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        Internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)          Standard MIBs
          experimental(3)
          private(4)
            enterprise(1)     Vendor-specific MIBs
  Joint-iso-ccitt(2)
SNMP Naming
question: how to name every possible standard object (protocol, data, more..) in every possible network standard??
answer: ISO Object Identifier (OID) tree:
hierarchical naming of all objects
each branchpoint has name, number
1.3.6.1.2.1.7.1
1 = ISO, 3 = ISO-identified Org., 6 = US DoD, 1 = Internet, 2 = management, 1 = MIB2, 7 = UDP, 1 = udpInDatagrams
SNMP - OID -
OID Expression
iso(1). org(3). dod(6). internet(1). mgmt(2). mib2(1)
-> .1.3.6.1.2.1
e.g. sysDescr = .1.3.6.1.2.1.1.1 = mib-2.1.1 = system.1

Subtree Name | OID | Description
system | 1.3.6.1.2.1.1 | Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
interfaces | 1.3.6.1.2.1.2 | Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks such things as octets sent and received, errors and discards, etc.
at | 1.3.6.1.2.1.3 | The address translation (at) group is deprecated and is provided only for backward compatibility. It will probably be dropped from MIB-III.
ip | 1.3.6.1.2.1.4 | Keeps track of many aspects of IP, including IP routing.
icmp | 1.3.6.1.2.1.5 | Tracks things such as ICMP errors, discards, etc.
tcp | 1.3.6.1.2.1.6 | Tracks, among other things, the state of the TCP connection (e.g., closed, listen, synSent, etc.).
udp | 1.3.6.1.2.1.7 | Tracks UDP statistics, datagrams in and out, etc.
egp | 1.3.6.1.2.1.8 | Tracks various statistics about EGP and keeps an EGP neighbor table.
transmission | 1.3.6.1.2.1.10 | There are currently no objects defined for this group, but other media-specific MIBs are defined using this subtree.
snmp | 1.3.6.1.2.1.11 | Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP packets sent and received.
SNMP - MIB & OID -
SNMP Manager can acquire the management information
defined by MIB(Management Information Base) from
Agent
Current version : MIBv2 RFC 1213
MIB is the aggregate of object (information) on the
equipment which SNMP Agent holds
Identifier is defined for each object = OID
The MIB implemented by an Agent is roughly divided into:
MIBv2 : standard, public, specified by IETF
Enterprise MIB : private, specified by vendor company
SNMP MIB
MIB module specified via SMI (Structure of Management Information)
(100 standardized MIBs, more vendor-specific)
Figure: a MODULE-IDENTITY groups several OBJECT-TYPE definitions; objects are specified via the SMI OBJECT-TYPE construct
SMI: Object, module examples
MODULE-IDENTITY: ipMIB
ipMIB MODULE-IDENTITY
    LAST-UPDATED "941101000Z"
    ORGANIZATION "IETF SNMPv2 Working Group"
    CONTACT-INFO "Keith McCloghrie"
    DESCRIPTION "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
    REVISION "019331000Z"
    ::= { mib-2 48 }
OBJECT-TYPE: ipInDelivers
ipInDelivers OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
    ::= { ip 9 }
MIB example: UDP module
Object ID | Name | Type | Comments
1.3.6.1.2.1.7.1 | UDPInDatagrams | Counter32 | total # datagrams delivered at this node
1.3.6.1.2.1.7.2 | UDPNoPorts | Counter32 | # undeliverable datagrams, no app at port
1.3.6.1.2.1.7.3 | UDPInErrors | Counter32 | # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4 | UDPOutDatagrams | Counter32 | # datagrams sent
1.3.6.1.2.1.7.5 | udpTable | SEQUENCE | one entry for each port in use by app, gives port # and IP address
ASN.1: Abstract Syntax Notation 1
ISO standard X.680
defined data types, object constructors
like SMI
BER: Basic Encoding Rules
specify how ASN.1-defined data objects are
to be transmitted
each transmitted object has
Type, Length, Value (TLV) encoding
Syntax
uses ASN.1 (Abstract Syntax Notation)
binary encoding
02 01 06 is a 1 byte integer, value 6
Primitive Types
INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL
Constructor Types
SEQUENCE <primitive-type> ... i.e. a record
SEQUENCE OF <primitive-type> ... i.e. an array
Defined Data Types
IpAddress what you expect
Counter non-negative integer that wraps
Gauge non-negative integer that latches
TimeTicks time in hundredths of seconds
TLV Encoding
Idea: transmitted data is self-identifying
T: data type, one of ASN.1-defined types
L: length of data in bytes
V: value of data, encoded according to ASN.1
standard
Tag Value Type
1 Boolean
2 Integer
3 Bitstring
4 Octet string
5 Null
6 Object Identifier
9 Real
TLV encoding: example
Integer 259: Type=2 (integer), Length=2 bytes, Value=259 (two octets)
Octet string of 5 chars: Type=4 (octet string), Length=5 bytes, Value=5 octets (the chars)
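The TLV rules above and the SNMPv1 packet format from the earlier slide, worked through in code as an added example that is not part of the original slides: a BER encoder for the ASN.1 types SNMP uses (INTEGER, OCTET STRING, NULL, OBJECT IDENTIFIER, SEQUENCE), an SNMPv1 GetRequest assembled from them, and a TLV reader that parses the message back. The community string `public`, request ID and target OID are constructed values; the function names are this example's own.

```python
# Added example (not from the original slides): BER TLV encoding of the ASN.1
# types SNMP uses, and an SNMPv1 GetRequest assembled from them.
# Community string, request ID and OID below are constructed values.

# Universal tags from the table above, plus the context-specific tag of GetRequest-PDU.
INTEGER, OCTET_STRING, NULL, OBJECT_IDENTIFIER, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST_PDU = 0xA0  # [CONTEXT 0], constructed


def encode_length(n):
    """L field: short form below 128, otherwise 0x80 | count, then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One Type-Length-Value triple."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(n):
    """Two's complement in the fewest bytes: 6 -> 02 01 06, 259 -> 02 02 01 03."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, n.to_bytes(length, "big", signed=True))


def encode_octet_string(data):
    if isinstance(data, str):
        data = data.encode()
    return tlv(OCTET_STRING, data)


def encode_null():
    return tlv(NULL, b"")


def encode_oid(text):
    """First two arcs pack into one byte (40*x + y); later arcs are base-128 with a
    continuation bit, so 1.3.6.1.2.1.1.1.0 -> 06 08 2B 06 01 02 01 01 01 00."""
    arcs = [int(a) for a in text.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OBJECT_IDENTIFIER, bytes(out))


def encode_sequence(*items, tag=SEQUENCE):
    """Constructor type: the value is the concatenation of the member TLVs."""
    return tlv(tag, b"".join(items))


def snmpv1_get_request(community, oid, request_id):
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }
    GetRequest-PDU ::= [0] { request-id, error-status (0), error-index (0), VarBindList }
    The community string goes on the wire as a plain OCTET STRING, readable by anyone
    who can capture the datagram."""
    varbind = encode_sequence(encode_oid(oid), encode_null())
    pdu = encode_sequence(encode_integer(request_id), encode_integer(0), encode_integer(0),
                          encode_sequence(varbind), tag=GET_REQUEST_PDU)
    return encode_sequence(encode_integer(0), encode_octet_string(community), pdu)


def decode_tlv(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_message_header(msg):
    """Walk the outer SEQUENCE and return (version, community, pdu_tag, request_id)."""
    _, body, _ = decode_tlv(msg)
    _, version, pos = decode_tlv(body)
    _, community, pos = decode_tlv(body, pos)
    pdu_tag, pdu, _ = decode_tlv(body, pos)
    _, request_id, _ = decode_tlv(pdu)
    return (int.from_bytes(version, "big", signed=True), community.decode(),
            pdu_tag, int.from_bytes(request_id, "big", signed=True))


if __name__ == "__main__":
    msg = snmpv1_get_request("public", "1.3.6.1.2.1.1.1.0", 1)   # sysDescr.0
    print(msg.hex())
    print(parse_message_header(msg))
```

The printed hex begins `30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 ...`: the outer SEQUENCE, version 0, the community string in clear, then the GetRequest PDU. Feeding the bytes to a packet decoder (for example Wireshark's SNMP dissector) shows the same structure.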
SNMP - SNMP Message Handling
Command examples
GetRequest
inetapan@tools:~> snmpget -v2c -c xxxx tpr2.jp.apan.net .1.3.6.1.2.1.2.2.1.4.136
IF-MIB::ifMtu.136 = INTEGER: 9192

GetNextRequest
inetapan@tools:~> snmpget -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::system = No Such Object available on this agent at this OID
inetapan@tools:~> snmpwalk -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::sysDescr.0 = STRING: m20 internet router, kernel 6.2R3.10
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.2
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (423280751) 48 days, 23:46:47.51
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: tpr2
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SetRequest
inetapan@tools:~> snmpset -v2c -c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = ""
inetapan@tools:~> snmpset -v2c -c yyyy tppr.jp.apan.net system.sysLocation.0 s "Tokyo, JP"
system.sysLocation.0 = "Tokyo, JP"
inetapan@tools:~> snmpset -v2c -c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = "Tokyo, JP"
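What the `snmpget` and `snmpwalk` runs above show (GetRequest on a subtree name returns No Such Object, GetNextRequest walks the instances in tree order) can be reproduced with an in-memory agent. This is an added example, not code from the slides or from net-snmp; the agent's object table is constructed from the system-group values printed above, and `get`, `get_next` and `walk` are this example's own names.

```python
# Added example (not from the original slides): lexicographic OID ordering and
# the get-next walk behind snmpwalk, against a constructed in-memory agent.


def parse_oid(text):
    """'.1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0). Tuples compare
    lexicographically, which is exactly the MIB tree order get-next follows."""
    return tuple(int(part) for part in text.strip(".").split("."))


# Constructed agent: scalar instances (note the trailing .0) from the system group,
# plus one object outside it so the walk has somewhere to stop.
AGENT = {
    parse_oid("1.3.6.1.2.1.1.1.0"): "m20 internet router, kernel 6.2R3.10",  # sysDescr.0
    parse_oid("1.3.6.1.2.1.1.3.0"): 423280751,                               # sysUpTime.0
    parse_oid("1.3.6.1.2.1.1.5.0"): "tpr2",                                  # sysName.0
    parse_oid("1.3.6.1.2.1.2.1.0"): 3,                                       # ifNumber.0
}


def get(oid):
    """GetRequest: only an exact instance name matches. Asking for the subtree
    'system' (no instance suffix) yields noSuchObject, as the slide shows."""
    return AGENT.get(oid)          # None stands in for noSuchObject


def get_next(oid):
    """GetNextRequest: the first object whose name sorts strictly after the request."""
    candidates = sorted(name for name in AGENT if name > oid)
    if not candidates:
        return None                # endOfMibView
    return candidates[0], AGENT[candidates[0]]


def walk(prefix_text):
    """snmpwalk: repeat get-next until the returned name leaves the prefix subtree."""
    prefix = parse_oid(prefix_text)
    results = []
    current = prefix
    while True:
        nxt = get_next(current)
        if nxt is None or nxt[0][:len(prefix)] != prefix:
            return results
        results.append(nxt)
        current = nxt[0]


if __name__ == "__main__":
    print("get(system):", get(parse_oid("1.3.6.1.2.1.1")))
    for name, value in walk("1.3.6.1.2.1.1"):
        print(".".join(map(str, name)), "=", value)
```

Note that the walk stops on the first name outside the prefix rather than on endOfMibView; that is why `snmpwalk ... system` returns only the system group although the agent holds more.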
SNMP - Trap Message -
The way for Agent to inform Manager about event of something
undesirable
Trap originates from Agent and is sent to the trap destination, as
configured within Agent itself
When Manager receives a trap, it needs to know how to interpret it
PDU
Enterprise
vendor identification (OID) for the agent
AgentAddress
The IP address of the node where the trap was generated.
Trap Type
Generic / Specific (not used)
Timestamp
The length of time between the last re-initialization of the agent that issued a trap and the moment at
which the trap was issued
SNMP

SNMP Traps
unsolicited notification of events
can include variable list
ColdStart, WarmStart
LinkUp, LinkDown
Authentication Failure
EGP Neighbour Loss
Enterprise Specific
Traps
Forwarded automatically from agent to
station(s) in response to an event with the
device
Traps defined in MIB-II
Cold-start of system
Warm-start of system
Link down
Link up
Failure of authentication
Exterior Gateway Protocol (EGP) neighbour loss
Enterprise specific
SNMPv2 History
RFC 1441, 1993: Introduction to
version 2 of the Internet-standard
Network Management Framework
RFC 1446, 1993: Security Protocols for
version 2 of the Simple Network
Management Protocol
Written to address security and feature
deficiencies in SNMPv1
SNMPv2 Protocol
Extension to SNMPv1
Provided security model
2 new commands
get-bulk-request
inform-request
SNMPv2 Protocol continued...
General Format: privDst | authInfo | dstParty | srcParty | context | PDU
Nonsecure Message: privDst | 0-length OCTET STRING | dstParty | srcParty | context | PDU
Authenticated, not encrypted: privDst | digest | dstTime | srcTime | dstParty | srcParty | context | PDU
Private, not authenticated: privDst | 0-length OCTET STRING | dstParty | srcParty | context | PDU
Private and authenticated: privDst | digest | dstTime | srcTime | dstParty | srcParty | context | PDU


Format of SNMPv1 messages
Get-Request, Get-Next-Request, Set-Request: Version | Community String | PDU type | Request ID | 0 | 0 | Name X | Value X | ...
Get-Response: Version | Community String | PDU type | Request ID | Error status | Error index | Name X | Value X | ...
Trap: Version | Community String | PDU type | Enterprise | Agent Addr | Generic trap | Specific trap | Time | Name X | Value X | ...
Coexistence by Means of Proxy Agent
Figure: SNMPv2 environment (SNMPv2 manager) <-> Proxy Agent <-> SNMPv1 environment (SNMPv1 agent)
SNMPv2 manager-to-agent PDUs are mapped to SNMPv1 manager-to-agent PDUs:
GetRequest -> GetRequest
GetNextRequest -> GetNextRequest
SetRequest -> SetRequest
GetBulkRequest -> GetNextRequest
SNMPv1 agent-to-manager PDUs are mapped to SNMPv2 agent-to-manager PDUs:
GetResponse -> Response
Trap -> SNMPv2-Trap
SNMPv1 and SNMPv2
SNMPv1 is a subset of SNMPv2
Managers usually can send requests in either
format depending on the capability of the agents
Requires an update of the agent and manager
software to migrate from SNMPv1 to SNMPv2
Many manufacturers are resisting SNMPv2 for a
variety of reasons leading to an SNMPv3
specification
Almost all manufacturers currently support
SNMPv1
Network Monitoring Tools
Ways of Monitoring
Classified into three monitoring ways
1. Monitoring in internal network (mostly)
2. Monitoring via external network (via peering network, via the Internet)
3. Independent access (emergency case): ISDN, PSTN
Figure: monitoring machine reaching the target over the internal network, over the external network, or over an independent dial-up line
Network Management Software

SNMP Agents
provided by all router vendors
many expanded (enterprise) MIBs
bridges, wiring concentrators, toasters
Network Management Software

Public Domain
Application Programming Interfaces
available from CMU and MIT
include variety of applications
Network Management Software

Commercially
many offerings, UNIX and PC based
HP OpenView
SunNet Manager
Cabletron Spectrum
*MANY* others
Commercial SNMP Applications
http://www.hp.com/go/openview/ HP OpenView
http://www.tivoli.com/ IBM NetView
http://www.novell.com/products/managewise/ Novell ManageWise
http://www.sun.com/solstice/ Sun MicroSystems Solstice
http://www.microsoft.com/smsmgmt/ Microsoft SMS Server
http://www.compaq.com/products/servers/management/ Compaq Insight Manager
http://www.redpt.com/ SnmpQL - ODBC Compliant
http://www.empiretech.com/ Empire Technologies
ftp://ftp.cinco.com/users/cinco/demo/ Cinco Networks NetXray
http://www.netinst.com/html/snmp.html SNMP Collector (Win9X/NT)
http://www.netinst.com/html/Observer.html Observer
http://www.gordian.com/products_technologies/snmp.html Gordians SNMP Agent
http://www.castlerock.com/ Castle Rock Computing
http://www.adventnet.com/ Advent Network Management
http://www.smplsft.com/ SimpleAgent, SimpleTester
Monitoring Targets
Target suitable for checking normality of network
service
Router
Dead or Alive?
Status?
Performance? Routing?

Server
Dead or Alive?
Status?
Daemon? Service Port?

Traffic, etc.
Increase or decrease?
DoS Attack? Performance? Environment?
Monitoring Method
How to monitor the target
Active monitor or Passive monitor
Polling = the monitoring machine sends messages to the watched target
Useful for checking the current status
ICMP/SNMP polling
Receive trap message from target
Useful for detecting the status change
SNMP trap, syslog
Statistics data
Useful for grasping the trend and transition
Select the Monitoring Tool
Ping (ICMP), SNMP, Monitoring Tool, Original Tool, etc.
Check the monitoring Route to Target
Internal or External network
- ICMP/Ping Polling -
Check IP reachability by ICMP echo/reply
Additional information
RTT (Round Trip Time)
Packet Loss
TTL (Time to Live)
Most standard way of checking node activity
Time series RTT/Packet loss data becomes important information when measuring link performance
Figure: monitoring host sends ICMP echo, target returns ICMP echo reply; reported values: RTT xx msec, Packet Loss xx %, TTL xx
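The RTT, packet loss and TTL figures that ICMP polling reports can be derived from the echo replies themselves. As an added example that is not part of the original slides, the code below parses ping output (the sample is constructed from the ping session quoted earlier in these slides), recomputes the summary line the way ping does (mdev is the standard deviation sqrt(mean(rtt^2) - mean(rtt)^2)), and additionally reports which sequence numbers never came back and whether the TTL changed between replies, which is the first sign of a path change. `summarize` and `parse_replies` are this example's own names.

```python
# Added example (not from the original slides): parse ping output into the
# RTT / packet loss / TTL data used for ICMP polling. Sample constructed from
# the ping session quoted earlier in these slides.

import re
from statistics import mean

PING_OUTPUT = """\
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=0 ttl=62 time=0.512 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=1 ttl=62 time=0.449 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=2 ttl=62 time=1.38 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=3 ttl=62 time=0.439 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=4 ttl=62 time=0.448 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=5 ttl=62 time=0.496 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=6 ttl=62 time=0.449 ms
"""

REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")


def parse_replies(text):
    """One (seq, ttl, rtt_ms) tuple per echo-reply line; probes that got no
    reply simply have no line, so they show up as gaps in the sequence."""
    return [(int(seq), int(ttl), float(rtt)) for seq, ttl, rtt in REPLY.findall(text)]


def summarize(text, transmitted):
    """Recompute ping's statistics line from the replies.
    transmitted: number of echo requests sent (ping prints it; a poller knows it)."""
    replies = parse_replies(text)
    seen = {seq for seq, _, _ in replies}
    missing = [seq for seq in range(transmitted) if seq not in seen]
    result = {
        "received": len(replies),
        "loss_pct": 100.0 * (transmitted - len(replies)) / transmitted,
        "missing": missing,                      # which probes were lost
        "ttls": {ttl for _, ttl, _ in replies},  # more than one value = path changed
    }
    if not replies:
        return result                            # host is dead: no RTT statistics
    rtts = [rtt for _, _, rtt in replies]
    avg = mean(rtts)
    # ping's mdev is sqrt(E[x^2] - E[x]^2); clamp at 0 against float round-off
    variance = max(0.0, mean([rtt * rtt for rtt in rtts]) - avg * avg)
    result.update(min=min(rtts), avg=avg, max=max(rtts), mdev=variance ** 0.5)
    return result


if __name__ == "__main__":
    stats = summarize(PING_OUTPUT, 7)
    print(f"{stats['received']}/7 received, {stats['loss_pct']:.0f}% loss, "
          f"rtt min/avg/max/mdev = {stats['min']:.3f}/{stats['avg']:.3f}/"
          f"{stats['max']:.3f}/{stats['mdev']:.3f} ms, ttl {stats['ttls']}")
```

The recomputed line matches the `rtt min/avg/max/mdev = 0.439/0.596/1.383/0.323 ms` summary printed in the session (to the precision of the per-reply values shown). For polling, the per-interval `loss_pct` and `avg` are the values worth storing as a time series; `ttls` changing is worth an alert on its own.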
UDP/TCP polling
Effective in monitoring service ports of server
Using client for service
DNS - nslookup
Using telnet
WWW, SMTP, POP
Using tool
Radius - radping
Figure: telnet to a service port ("get" is typed by the operator; the lines after it are the server's reply)
bash-2.05$ telnet ns.jp.apan.net 80
Trying 203.181.248.3...
Connected to ns.jp.apan.net.
Escape character is '^]'.
get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
:
Monitoring Software - HP OpenView -
HP OpenView Network Node Manager
Overview
Auto discovery and mapping
Drill-down views (Hierarchy Map)
Fault monitoring : ICMP / SNMP polling
Event monitoring : Trap receiving/Event configuration
SNMP tools : Status polling
MIB Browser
Web-based reports
Extended software is enhanced
Platform : Windows 2000/XP, Solaris 8/9, HP-UX
Monitoring Software - HP OpenView Sample 1 -
OpenView Contracture
Figure: OpenView screenshots: event log, network map, network sub-map, router map, ICMP polling for connectivity check
Monitoring Software - HP OpenView Sample 2 -
OpenView Tools
Figure: OpenView tool screenshots: event configuration; SNMP configuration for polling (parameters, community); data collection & thresholds for SNMP
MRTG (Multi-Router Traffic Grapher)
Overview
Monitors the load of network equipment using SNMP, mainly used for
creation of traffic graph
Excellent graphing tool developed by Tobias Oetiker
Plots any two variables against time; the graph is rendered as a PNG image on an HTML page
Able to create scripts to feed data into MRTG
Implements data collection, image generation and web-page generation
Very widely deployed in large networks and still being actively developed
Platform : UNIX system / Windows NT
Supports SNMPv2 : able to read 64bit counters
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
MRTG - Workflow -
Display of graph
Green area typically represents incoming
maximum bits per second
Blue line typically represents outgoing
maximum bits per second
Workflow
1. Read configuration file
2. Collect graphing data from network equipment, based on configuration
3. Update database file and generate graph
4. If required, generate HTML file
MRTG performs above workflow then completes
Since MRTG collects data of the past 5 minutes (default value of source code),
it is desirable to set crontab for every 5 minutes
MRTG - Data Storage -
Data Storage
Keeps 5 minute data only for 2.5 days.
The data is thrown away afterward.
There is no referring to historical data with high resolution
Keeps 1-day data for approx. 2 years
Interval | Num of record | Storage period | Graph
5 minutes | 600 | 2.5 days | daily (graph step 5 min)
30 minutes | 600 | 12.5 days | weekly (graph step 30 min)
2 hours | 600 | 50 days | monthly (graph step 2 hours)
1 day | 731 | 2 years | yearly (graph step 1 day)
Resolution gets rougher from the daily to the yearly archive.
RRDtool (Round Robin Database
Tool)
Overview
Successor to MRTG
Developed by the same developer of MRTG : Tobias Oetiker
Tool group for RRD can flexibly define data item, time interval, data
amount, graph depiction, etc.
Binary file format that can store data at any interval for any length of
time
File does not grow in size over time
Ability to make custom graphs across user-defined intervals
Ability to graph multiple variables on a single graph
Additional scripts are necessary in creating graphs and web-page
25-30 percent faster than MRTG
Does not have the function to collect data
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
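The storage scheme of the MRTG data-storage table and the "file does not grow in size" property of RRDtool both come from the same idea: fixed-size rings at several resolutions, each filled by consolidating the finer one. The code below is an added example that is not MRTG's or RRDtool's code; it implements that round-robin archive in Python with the four intervals and row counts from the table, derives a rate from consecutive SNMP Counter32 readings (handling the 2^32 wrap), and consolidates with max. The class names and the sample counter values are constructed.

```python
# Added example (not MRTG or RRDtool code): a round-robin database with the
# four archives from the MRTG data-storage table. Sample data is constructed.

from collections import deque

STEP = 300  # seconds; MRTG's default 5-minute polling interval


class RoundRobinArchive:
    """A fixed number of rows; each row consolidates `steps` base samples."""

    def __init__(self, steps, rows, consolidate=max):
        self.steps = steps
        self.rows = deque(maxlen=rows)   # maxlen: the oldest row is dropped automatically
        self.consolidate = consolidate
        self.pending = []

    def push(self, value):
        self.pending.append(value)
        if len(self.pending) == self.steps:
            self.rows.append(self.consolidate(self.pending))
            self.pending = []


class RoundRobinDatabase:
    """Interval x records from the table: 5 min x 600, 30 min x 600, 2 h x 600, 1 day x 731."""

    def __init__(self):
        self.archives = {
            "daily":   RoundRobinArchive(1, 600),    # 2.5 days at 5-minute resolution
            "weekly":  RoundRobinArchive(6, 600),    # 12.5 days at 30 minutes
            "monthly": RoundRobinArchive(24, 600),   # 50 days at 2 hours
            "yearly":  RoundRobinArchive(288, 731),  # 2 years at 1 day
        }
        self.last = None                             # (timestamp, counter) of previous poll

    def update(self, timestamp, counter):
        """Feed one raw Counter32 reading (e.g. ifInOctets). The stored value is the
        rate since the previous reading; the modulo handles the counter wrapping at 2^32."""
        if self.last is not None:
            t0, c0 = self.last
            rate = ((counter - c0) % (1 << 32)) / (timestamp - t0)
            for archive in self.archives.values():
                archive.push(rate)
        self.last = (timestamp, counter)

    def size(self):
        """Rows currently held per archive; bounded by construction."""
        return {name: len(archive.rows) for name, archive in self.archives.items()}


def simulate(days, increment=3000):
    """Poll a constructed counter every STEP seconds for `days` days.
    The counter starts just below 2^32 so the first delta crosses the wrap."""
    db = RoundRobinDatabase()
    counter = (1 << 32) - 1500
    for i in range(days * 288 + 1):
        db.update(i * STEP, counter)
        counter = (counter + increment) % (1 << 32)
    return db


if __name__ == "__main__":
    print(simulate(3).size())
    print(simulate(30).size())
```

After 3 days the daily archive already holds its full 600 rows while the yearly archive holds 3; after 30 days the daily and weekly archives are capped at 600 and only the coarser archives keep growing, which is exactly the "5-minute data only for 2.5 days" behaviour in the table.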
RRDtool - Architecture -
Comparison of architecture between MRTG and RRD
Figure: MRTG architecture: one program with its own SNMP engine polls the devices (router, firewall, server, ATM switch, Frame Relay switches), keeps a log and produces the graphs and index page itself. RRD architecture: a separate frontend program polls the devices and feeds the RRD; graphs, index and text output are produced from the RRD.
RRDtool - Sample -

http://mrtg.jp.apan.net/cricket/router-interfaces/
Netflow - Overview -
Overview
Enables IP traffic flow analysis without probes
Invented and patented by Cisco
Juniper (called cflowd), Foundry and many vendors are supporting it
Flow cache data on routers is exported to a flow tool, so that traffic flow can be analyzed
Figure: NetFlow enabled on a core network router; NetFlow export packets (UDP) are sent to a collector and an application GUI (Solaris, HP-UX, or Linux)
Traffic flow definition:
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol type
TOS byte (DSCP)
Input logical interface (ifIndex)
Netflow - Flow Data -
Flow data export
Enable NetFlow on the router
There is difference in architecture between Cisco and Juniper routers
Take care that the load on the router does not become too high!
- Check CPU, memory, bandwidth, sampling rate
Flow data collection & Analysis
Prepare the software for receiving flow-export data
flow-tools http://www.splintered.net/sw/flow-tools/
cflowd http://www.caida.org/tools/measurement/cflowd/
Cisco : NetflowCollector
Analyze traffic from raw data with software
flow-scan http://net.doit.wisc.edu/~plonka/FlowScan/
(If you want to graph the analysis data, I recommend you to use RRDtool)
Cisco : CiscoWorks
Source and destination IP address
Source and destination TCP/UDP ports
Packet and byte counts
Routing information (next-hop address, source autonomous system (AS) number,
destination AS number, source prefix mask, destination prefix mask)
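The flow definition above (the seven key fields) and the record contents just listed (packet and byte counts, first/last seen) can be demonstrated with a small flow cache. The code below is an added example and not Cisco's or any collector's code: it aggregates constructed packets into flow records keyed on the NetFlow 7-tuple, exports records that have been idle longer than an inactive timeout the way a router's cache does, and answers the first question an analyst asks of exported flows, which source addresses account for the most bytes. The class and function names, the packets and the 15-second timeout are this example's own assumptions.

```python
# Added example (not from the original slides or any NetFlow implementation):
# a flow cache keyed on the NetFlow 7-tuple, with inactive-timeout export.
# The packets below are constructed (RFC 5737 test addresses).

from collections import defaultdict
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # layer-3 protocol type: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int         # TOS byte / DSCP
    in_ifindex: int  # input logical interface


# Constructed packets: (time, src_ip, dst_ip, sport, dport, proto, tos, ifindex, bytes)
PACKETS = [
    (0.0, "192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 2, 60),
    (0.1, "192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 2, 1500),
    (0.2, "192.0.2.10", "198.51.100.5", 51000, 80, 6, 0, 2, 1500),
    (0.3, "192.0.2.11", "198.51.100.53", 40000, 53, 17, 0, 2, 75),
    (0.4, "192.0.2.10", "198.51.100.5", 51001, 80, 6, 0, 2, 60),
]


class FlowCache:
    def __init__(self, inactive_timeout=15.0):
        self.flows = {}                   # FlowKey -> record
        self.inactive_timeout = inactive_timeout
        self.exported = []                # (FlowKey, record) pairs handed to the collector

    def add(self, pkt):
        """Account one packet to its flow, creating the record on first sight."""
        t, *fields, length = pkt
        key = FlowKey(*fields)
        rec = self.flows.setdefault(key, {"first": t, "last": t, "packets": 0, "bytes": 0})
        rec["last"] = t
        rec["packets"] += 1
        rec["bytes"] += length
        self.expire(t)

    def expire(self, now):
        """Export flows idle longer than the inactive timeout, as a router's cache does."""
        idle = [k for k, r in self.flows.items() if now - r["last"] > self.inactive_timeout]
        for key in idle:
            self.exported.append((key, self.flows.pop(key)))

    def flush(self):
        """Export everything still in the cache and return all exported records."""
        self.exported.extend(self.flows.items())
        self.flows = {}
        return self.exported


def top_talkers(records, n=3):
    """Bytes per source address over exported records, largest first."""
    totals = defaultdict(int)
    for key, rec in records:
        totals[key.src_ip] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    cache = FlowCache()
    for pkt in PACKETS:
        cache.add(pkt)
    for key, rec in cache.flush():
        print(key, rec)
    print(top_talkers(cache.exported))
```

Two packets that differ only in source port (51000 and 51001) become two flows, which is what makes per-flow records far more compact than per-packet capture while still exposing who talked to whom; the export tools listed above (flow-tools, cflowd) receive records of this shape from the router.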
Netflow - Example -

Netflow Example
