Professional Documents
Culture Documents
and Management
ICMP and SNMP
ICMP
ICMP IGMP
Network IP
ARP RARP
Link Ethernet
Driver
incoming frame
FTP telnet 7
server 21 23 server SMTP
25
TCP src port TCP dest port header data
UDP 17
ICMP 1 TCP 6 TCP
hdr dest source
IP header protocol type cksum addr addr data
ARP x0806
IP x0800 IP
dest source
addr addr Ethernet frame type data CRC
IP HEADER
IP HEADER
PROTOCOL = 1
TYPE = 3
CODE
0 = Net unreachable
1 = Host unreachable
2 = Protocol unreachable
3 = Port unreachable
4 = Fragmentation needed but DF set
5 = Source route failed
6 = Dest network unknown
7 = Dest host unknown
Source Quench
TYPE CODE CHECKSUM
UNUSED
IP HEADER + 64 bits data from original DG
TYPE = 4; CODE = 0
Flow control:
Indicates that a router has dropped the original DG
or may indicate that a router is approaching its
capacity limit.
TYPE = 11
CODE
0 = Time to live exceeded in transit
1 = Fragment reassembly time exceeded
Redirect
TYPE CODE CHECKSUM
NEW ROUTER ADDRESS
IP HEADER + 64 bits data from original DG
TYPE = 5
CODE =
0 = Network redirect
1 = Host redirect
2 = Network redirect for specific TOS
3 = Host redirect for specific TOS
Redirection Concept
Internet
QUERY Message:
Echo and Echo Reply
TYPE CODE CHECKSUM
IDENTIFIER SEQUENCE #
DATA .
Destination known
Traceroute and ICMP (3)
Trace the route of an IP packet
Upon reaching destination,
No Time exceeded message generated
How do you know when final destination is
reached?
Traceroute sends to unused UDP port
(>30000), generating an ICMP destination
unreachable message
With code port unreachable
Taceroute
mymachine:~% traceroute www.cis.ksu.edu
traceroute to polaris.cis.ksu.edu (129.130.10.93), 30 hops max, 40 byte packets
1 wraith.facnet.mcs.kent.edu (131.123.46.1) 0.878 ms 0.620 ms 0.553 ms
2 ghost.uis-mcs.mcs.kent.edu (131.123.40.1) 6.000 ms 3.366 ms 2.632 ms
3 lib2-255x248-e37-lib.gate.kent.edu (131.123.255.254) 7.170 ms 3.552 ms 4.477 ms
4 twcneo-cw.neo.rr.com (204.210.223.3) 9.515 ms 15.167 ms 18.687 ms
5 bordercore4-hssi1-0.NorthRoyalton.cw.net (166.48.233.253) 17.864 ms 10.971 ms
14.652 ms
6 core4.WillowSprings.cw.net (204.70.4.73) 23.438 ms 22.099 ms 17.397 ms
7 wsp-sprint2-nap.WillowSprings.cw.net (206.157.77.94) 18.367 ms 22.854 ms 20.267 ms
8 sl-bb11-chi-2-1.sprintlink.net (144.232.10.157) 23.518 ms 24.528 ms 18.757 ms
9 sl-bb12-chi-5-1.sprintlink.net (144.232.10.6) 21.197 ms 31.452 ms 15.050 ms
10 sl-bb10-kc-7-1.sprintlink.net (144.232.9.117) 46.752 ms * 40.125 ms
11 sl-gw5-kc-0-0-0.sprintlink.net (144.232.2.62) 38.360 ms 48.002 ms 44.795 ms
12 sl-uok-1-0-0.sprintlink.net (144.232.132.14) 93.256 ms 67.070 ms 61.727 ms
13 ks-1-ks-ksu.r.greatplains.net (164.113.232.193) 77.743 ms 64.566 ms 67.117 ms
14 164.113.212.250 (164.113.212.250) 59.988 ms 46.188 ms 55.616 ms
15 129.130.252.9 (129.130.252.9) 68.211 ms 67.881 ms 75.441 ms
16 polaris.cis.ksu.edu (129.130.10.93) 76.462 ms 54.838 ms *
TCP: path-
PMTU-D MTU
discovery
SNMP
get_next_request
get_response port 161
trap
port 162 port 161
SNMPv1 Packet Format
UDP PDU Request Error Error
Version Community name value name ...
Header Type ID Status Index
1 - iso
3 - org
6 - dod
1 - Internet
1 - mib 1 - En terprise
1 - ifEntry
root
org(3)
dod(6)
Internet(1)
mib-2(1) enterprise(1)
Subtree
OID Description
Name
system 1.3.6.1.2.1.1 Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks
interfaces 1.3.6.1.2.1.2 such things as octets sent and received, errors and discards, etc.
at 1.3.6.1.2.1.3 The address translation (at) group is deprecated and is provided only for backward compatibility. It will probably be dropped from MIB-III.
tcp 1.3.6.1.2.1.6 Tracks, among other things, the state of the TCP connection (e.g., closed, listen, synSent, etc.).
egp 1.3.6.1.2.1.8 Tracks various statistics about EGP and keeps an EGP neighbor table.
transmission 1.3.6.1.2.1.10 There are currently no objects defined for this group, but other media-specific MIBs are defined using this subtree.
Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP
snmp 1.3.6.1.2.1.11 packets sent and received.
SNMP - MIB & OID -
SNMP Manager can acquire the management information
defined by MIB(Management Information Base) from
Agent
Current version : MIBv2 RFC 1213
MIB is the aggregate of object (information) on the
equipment which SNMP Agent holds
Identifier is defined for each object = OID
MIB performed by Agent is roughly divided into:
MIBv2 : standard, public, specified by IETF
Enterprise MIB : private, specified by vendor company
SNMP MIB
MIB module specified via SMI
(Structure of Management Information)
MODULE-IDENTITY
(100 standardized MIBs, more vendor-specific)
Value, 259
Length, 2 bytes
Type=2, integer
GetNextRequest
inetapan@tools:~> snmpget -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::system = No Such Object available on this agent at this OID
inetapan@tools:~> snmpwalk -v2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::sysDescr.0 = STRING: m20 internet router, kernel 6.2R3.10
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.2
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (423280751) 48 days, 23:46:47.51
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: tpr2
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
SetRequest
inetapan@tools:~> snmpset v2c c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = ""
inetapan@tools:~> snmpset v2c c yyyy tppr.jp.apan.net system.sysLocation.0 s Tokyo, JP
system.sysLocation.0 = Tokyo, JP"
inetapan@tools:~> snmpset v2c c xxxx tppr.jp.apan.net system.sysLocation.0
system.sysLocation.0 = Tokyo, JP"
SNMP - Trap Message -
The way for Agent to inform Manager about event of something
undesirable
Trap originates from Agent and is sent to the trap destination, as
configured within Agent itself
When Manager receives a trap, it needs to know how to interpret it
PDU
Enterprise
vendor identification (OID) for the agent
AgentAddress
The IP address of the node where the trap was generated.
Trap Type
Generic / Specific (not used)
Timestamp
The length of time between the last re-initialization of the agent that issued a trap and the moment at
which the trap was issued
SNMP
SNMP Traps
unsolicited notification of events
can include variable list
ColdStart, WarmStart
LinkUp, LinkDown
Authentication Failure
EGP Neighbour Loss
Enterprise Specific
Traps
Forwarded automatically from agent to
station(s) in response to an event with the
device
Traps defined in MIB-II
Cold-start of system
Warm-start of system
Link down
Link up
Failure of authentication
Exterior Gateway Protocol (EGP) neighbour loss
Enterprise specific
SNMPv2 History
RFC 1441, 1993: Introduction to
version 2 of the Internet-standard
Network Management Framework
RFC 1446, 1993: Security Protocols for
version 2 of the Simple Network
Management Protocol
Written to address security and feature
deficiencies in SNMPv1
SNMPv2 Protocol
Extension to SNMPv1
Provided security model
2 new commands
get-bulk-request
inform-request
SNMPv2 Protocol continued...
privDst authInfo dstParty srcParty context PDU
General Format
Version Community PDU Enter- Agent Generic Specific Time Name X Value X
String type prise Addr trap trap
Trap
Coexistence by Means of
Proxy Agent
SNMPv2 environment SNMPv1 environment
GetRequest GetRequest
GetNextRequest GetNextRequest
SetRequest SetRequest
GetBulkRequest GetNextRequest
SNMPv2-Trap Trap
62
SNMPv1 and SNMPv2
SNMPv1 is a subset of SNMPv2
Managers usually can send requests in either
format depending on the capability of the agents
Requires an update of the agent and manager
software to migrate from SNMPv1 to SNMPv2
Many manufacturers are resisting SNMPv2 for a
variety of reasons leading to an SNMPv3
specification
Almost all manufacturers currently support
SNMPv1
Network Monitoring Tools
Ways of Monitoring
Classified into three monitoring ways
In Internal Network (mostly)
Via External Network
Non-network (Emergency case)
1, Monitoring in internal
3, Independent access Network (mostly)
(Emergency case)
- ISDN, PSTN
External network
Internal network
SNMP Agents
provided by all router vendors
many expanded (enterprise) MIBs
bridges, wiring concentrators, toasters
Network Management Software
Public Domain
Application Programming Interfaces
available from CMU and MIT
include variety of applications
Network Management Software
Commercially
many offerings, UNIX and PC based
HP OpenView
SunNet Manager
Cabletron Spectrum
*MANY* others
Commercial SNMP Applications
http://www.hp.com/go/openview/ HP OpenView
http://www.tivoli.com/ IBM NetView
http://www.novell.com/products/managewise/ Novell ManageWise
http://www.sun.com/solstice/ Sun MicroSystems Solstice
http://www.microsoft.com/smsmgmt/ Microsoft SMS Server
http://www.compaq.com/products/servers/management/ Compaq Insight Manger
http://www.redpt.com/ SnmpQL - ODBC Compliant
http://www.empiretech.com/ Empire Technologies
ftp://ftp.cinco.com/users/cinco/demo/ Cinco Networks NetXray
http://www.netinst.com/html/snmp.html SNMP Collector (Win9X/NT)
http://www.netinst.com/html/Observer.html Observer
http://www.gordian.com/products_technologies/snmp.html Gordians SNMP Agent
http://www.castlerock.com/ Castle Rock Computing
http://www.adventnet.com/ Advent Network Management
http://www.smplsft.com/ SimpleAgent, SimpleTester
Monitoring Targets
Target suitable for checking normality of network
service
Router
Dead or Alive?
Status?
Performance? Routing?
Server
Dead or Alive?
Status?
Damon? Service Port?
Traffic, etc.
Increase or decrease?
Dos Attack? Performance? Environment?
Monitoring Method
How to monitor the target
Active monitor or Passive monitor
Polling = Monitoring machines give message in watching target
Useful for checking the current status
ICMP/SNMP polling
Receive trap message from target
Useful for detecting the status change
SNMP trap, syslog
Statistics data
Useful for grasping the trend and transition
Select the Monitoring Tool
Ping (ICMP), SNMP, Monitoring Tool, Original Tool, etc.
Check the monitoring Route to Target
Internal or External network
- ICMP/Ping Polling -
Using telnet
WWW,SMTP,POP
Using tool
Radius - radping
bash-2.05$ telnet ns.jp.apan.net 80
Trying 203.181.248.3...
Connected to ns.jp.apan.net.
Escape character is '^]'.
get Telnet with service port
<!DOCTYPE HTML PUBLIC "-//IETF//DTD
HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
:
reply
Monitoring Software - HP OpenView -
HP OpenView Network Node Manager
Overview
Auto discovery and mapping
Drill-down views (Hierarchy Map)
Fault monitoring : ICMP / SNMP polling
Event monitoring : Trap receiving/Event configuration
SNMP tools : Status polling
MIB Browser
Web-based reports
Extended software is enhanced
Platform : Windows 2000/XP, Solaris 8/9, HP-UX
Monitoring Software
- HP OpenView Sample 1-
OpenView Contracture
Event log
Network map
Event configuration
Weekly grafh/30min
SNMP
engine
Graph
Firewall
Frontend
Frame Relay Program Graph
router Switch
Firewall
RRD
text
Frame Relay
Switch
RRDtool - Sample -
http://mrtg.jp.apan.net/cricket/router-interfaces/
Netflow - Overview -
Overview
Enables IP traffic flow analysis without probes
Invented and patented by Cisco
Juniper (called cflowd), Foundry, many venders are supporting
Flow cash data on routers is exported
to a flow tool, so that traffic flow is to be analyzed
Enable NetFlow Traffic flow Definition:
Source IP address
Core Network Destination IP address
Source port
Destination port
Layer 3 protocol type
UDP TOS byte (DSCP)
NetFlow
Input logical interface
Export
Packets (ifIndex)
Collector
Application GUI
(Solaris, HP-UX, or Linux)
Netflow - Flow Data -
Flow data export
Enable NetFlow on the router
There is difference in architecture between Cisco and Juniper routers
Take care! the load of a router does not become high!
- Check CPU, memory, bandwidth, sampling rate
Flow data collection & Analysis
Prepare the software for receiving flow-export data
flow-tools http://www.splintered.net/sw/flow-tools/
cflowd http://www.caida.org/tools/measurement/cflowd/
Cisco : NetflowCollector
Analyze traffic from raw data with software
flow-scan http://net.doit.wisc.edu/~plonka/FlowScan/
(If you want to graph-ize analysis data, I recommend you to use RRDtool)
Cisco : CiscoWorks
Source and destination IP address
Source and destination TCP/UDP ports
Packet and byte counts
Routing information (next-hop address, source autonomous system (AS) number,
destination AS number, source prefix mask, destination prefix mask)
Netflow - Example -
Netflow Example