RMON2 RFC2021 Decode packets at layer 3 through 7 of the OSI Model
RMON2
• RFC2021
• Decode packets at layer 3 through 7 of the OSI Model
  – An RMON probe can monitor traffic on the basis of network-layer protocol
    • To look beyond the LAN segment
  – The probe can record traffic to and from hosts for particular applications
    • Can monitor application-level traffic
Network layer Visibility
• Network Manager can answer these questions
  – If there is excessive load on the LAN due to incoming router traffic, what networks or hosts account for the bulk of incoming traffic?
  – If a router is overloaded because of a high amount of outgoing traffic, what networks or hosts account for the bulk of outgoing traffic, or to what destination networks or hosts is that traffic directed?
  – If there is a high load of pass-through traffic (arriving via one router and departing via another router), what networks or hosts are responsible for the bulk of this traffic?
Application Level Visibility
• RMON2 probe is capable of seeing above the IP layer by reading the enclosed higher-level headers such as TCP/UDP and viewing the headers at the application protocol level
• This information is useful in controlling load and maintaining performance
  – NMS can be implemented that will generate charts and graphs depicting traffic percentage by protocols or by applications
RMON MIB (1&2)
RMON2 MIB (1)
• protocol directory – a master directory of all protocols that the probe can interpret
• protocol distribution – aggregate statistics on the amount of traffic generated by each protocol per LAN segment
• address map – match each network address to a specific MAC level address and port on an attached device and the physical address on this subnetwork
• network layer host – statistics on the amount of traffic into and out of hosts on the basis of the network-layer address
RMON2 MIB (2)
• network-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of network address
• application-layer host – statistics on the amount of traffic into and out of hosts on the basis of application-level address
• application-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of application-level address
RMON2 MIB (3)
• User history collection – periodically samples user-specified variables and logs that data based on user-defined parameters
  – Ex. Collect data on a router-to-router connection
• Probe configuration – define standard configuration parameters for RMON probes
  – To solve interoperability problems
New features in RMON2 (1)
• Indexing with external objects
  – Reduce control index object in data table
  – To access instance of the data entry in RMON 1 Vs RMON2
    • Rm1datavalue.Rm1controlindex.Rm1dataindex
      – Rm1datavalue.2.89
      – 2 – Rm1controlindex / 89 – Rm1dataindex
    • Rm2datavalue.X.Rm2dataindex
      – X – the value of the index specifying the set of data rows by the Xth row (external object)
      – Rm2datavalue.2.89
      – 2 – external object / 89 – Rm2dataindex
New features in RMON2 (2)
• Time filtering Indexing
  – Typically, a network management app. periodically polls all probes for the values of objects
  – It is desirable to have the probe return values only for those objects whose values have changed since the last poll
  – No direct way in SNMP, but RMON2 has a mechanism
Example of time filtering
FooTable
fooTable (1)
  fooEntry (1)
    fooTimeMark (1)
    fooIndex (2)
    fooCount (3)
EX1. Time filtering (1)
• Suppose fooTable has 2 values of index – 1, 2
  – If no fooTimeMark, a management station can see only two counters
  – With fooTimeMark, it is possible to request the values of these counters only if they have been updated since a given time
EX1. Time filtering (2)
• For example, suppose the current values are
  – The counter associated with fooIndex = 1 is 5 and most recently updated at time 6
  – The counter associated with fooIndex = 2 is 9 and most recently updated at time 8
  – Then, at time 10, a manager issues the request
    • GetRequest(fooCounts.7.1, fooCounts.7.2)
    • To get the value updated since time 7
    • The agent will respond fooCounts.7.2=9
EX2. Time Filtering (1)
EX2. Time Filtering (2)
• Assume that basic row 1 (fooIndex=1) was updated as follows:
    sysUpTime    fooCount.*.1 value
    500          1
    900          2
    2300         3
EX2. Time Filtering (3)
• Assume that basic row 2 (fooIndex=2) was updated as follows:
    sysUpTime    fooCount.*.2 value
    1100         1
    1400         2
EX2. Time Filtering (4)
• A manager station polls a probe every 15 seconds (clock nms records time in hundredths of a second)
1 At nms=1000, the manager does the baseline poll to get everything since the last agent restart (Timefilter = 0)
    GetRequest (sysUpTime.0,fooCounts.0.1,fooCount.0.2)
    Response(sysUpTime.0=600,fooCounts.0.1=1,fooCount.0.2=0)
2 At nms=2500 (15 seconds later), the manager gets an update on all changes since the last report (agent time=600)
    GetRequest (sysUpTime.0, fooCounts.600.1, fooCount.600.2)
    Response(sysUpTime.0=2100,fooCounts.600.1=2,fooCount.600.2=2)
EX2. Time Filtering (5)
The agent received the request at a local time of 2100; counter 1 was incremented at time 900, and counter 2 was incremented at 1100 and 1400
3 At nms=4000, the manager gets an update on all changes since the last report (agent time=2100)
    GetRequest (sysUpTime.0, fooCounts.2100.1, fooCount.2100.2)
    Response(sysUpTime.0=3600,fooCounts.2100.1=3)
Counter 1 was incremented at time 2300; counter 2 has not changed since 2100, so no value is returned
EX2. Time Filtering (6)
4 At nms=5500, the manager gets an update on all changes since the last report (agent time=3600)
    GetRequest (sysUpTime.0, fooCounts.3600.1, fooCount.3600.2)
    Response(sysUpTime.0=5500,)
Neither counter has been updated since time 3600, so no value is returned
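
The EX1 and EX2 polls can be replayed against a small model of a time-filtered table. This is an added example, not part of the original slides; the class and function names are hypothetical, and it assumes both rows exist with value 0 from agent restart, as the baseline response implies.

```python
"""Replay of the EX1 and EX2 polls against a model of a TimeFilter-indexed table."""
from bisect import bisect_right


class TimeFilteredTable:
    """Agent-side model (hypothetical class): an instance <column>.T.I is
    returned only if row I was last updated at or after agent time T."""

    def __init__(self):
        self._history = {}  # row index -> [(update_time, value), ...] in time order

    def create_row(self, index, value=0, at=0):
        self._history[index] = [(at, value)]

    def update(self, index, value, at):
        self._history[index].append((at, value))

    def _state_at(self, index, now):
        """(last_update_time, value) of the row as it stood at agent time `now`."""
        history = self._history[index]
        pos = bisect_right([t for t, _ in history], now)
        return history[pos - 1] if pos else None

    def get(self, time_mark, indexes, now):
        """Answer a GetRequest for <column>.<time_mark>.<i>, received at `now`."""
        answer = {}
        for i in indexes:
            state = self._state_at(i, now)
            if state is not None and state[0] >= time_mark:
                answer[i] = state[1]
        return answer


def poll_cycle(table, indexes, agent_times):
    """Manager side: each poll reuses the sysUpTime of the previous response."""
    time_mark, reports = 0, []  # 0 = baseline poll, everything since restart
    for now in agent_times:
        reports.append((time_mark, now, table.get(time_mark, indexes, now)))
        # The filter test is ">=", so an update stamped exactly `now` is seen
        # again on the next poll instead of being missed.
        time_mark = now
    return reports


def ex1():
    """EX1: row 1 = 5 (updated at 6), row 2 = 9 (updated at 8), filter 7."""
    table = TimeFilteredTable()
    table.create_row(1, value=5, at=6)
    table.create_row(2, value=9, at=8)
    return table.get(7, [1, 2], now=10)


def ex2():
    """EX2: the four manager polls, using the update times from the slides."""
    table = TimeFilteredTable()
    # Assumption: both rows exist with value 0 from agent restart (time 0),
    # which is what the baseline response fooCount.0.2=0 implies.
    table.create_row(1)
    table.create_row(2)
    for at, value in [(500, 1), (900, 2), (2300, 3)]:
        table.update(1, value, at)
    for at, value in [(1100, 1), (1400, 2)]:
        table.update(2, value, at)
    # Agent sysUpTime at each poll, as given in the slides.
    return poll_cycle(table, [1, 2], [600, 2100, 3600, 5500])


if __name__ == "__main__":
    print("EX1:", ex1())
    for time_mark, now, changed in ex2():
        print(f"filter={time_mark:>4} sysUpTime={now:>4} -> {changed}")
```
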
Protocol Directory Group
• It provides a single central point for storing information about types of protocols
• One entry in the table for each protocol for which the probe can decode and count protocol data units (PDUs)
• One scalar object
  – protocolDirLastChange, which contains the time of the last table change
• One columnar object (Table)
  – protocolDirTable
  – The table covers MAC, network and higher layer protocols
protocolDirTable
• Fig 10.5
Protocol identification
• protocolDirID object contains a unique octet string for a specific protocol.
• Octet string identifiers for protocols are arranged in a tree structured hierarchy.
  – Each layer is identified by a 32 bit value which is encoded in dot decimal format [a.b.c.d]
  – EX. Ethernet is hexadecimal 1 which is encoded as [0.0.0.1] and referred to symbolically as ether2
Protocol Assignments
• Each layer is identified by a 32 bit number (four octets)
• For MAC level protocols
  – ether2 = 1 [0.0.0.1]
  – llc = 2 [0.0.0.2]
  – snap = 3 [0.0.0.3]
  – vsnap = 4 [0.0.0.4]
  – ianaAssigned = 5 [0.0.0.5]
• Protocol consideration
  – network layer, use type field of Ethernet frame (IP = 0.0.8.0)
  – transport layer, use protocol field of IP header (UDP = 0.0.0.17)
  – application layer, use port field of UDP/TCP header (0.0.0.161)
Entry in protocolDirEntry (1)
• EX. Identification of SNMP running over UDP/IP on Ethernet
  – 16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161
  – 16 : the number of octets to follow
• So, for the previous example the probe is capable of
  – Interpreting all incoming Ethernet frames
  – Looking past the Ethernet header and trailer and interpreting the encapsulated IP datagram
  – Looking past the IP header and interpreting the encapsulated UDP segment
  – Looking past the UDP header and interpreting the encapsulated SNMP PDU
Entry in protocolDirEntry (2)
• A separate entry is needed for each protocol that the probe can interpret and count
• Then four entries are needed in protocolDirEntry and the protocolDirID values would be
  – Ether2 (4.0.0.0.1)
  – Ether2.ip (8.0.0.0.1.0.0.8.0)
  – Ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)
  – Ether2.ip.udp.snmp (16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)
Format of index values for protocolDirTable
Protocol parameter (1)
• The second index object for protocolDirTable is protocolDirParameters
• This object instance contains information about the probe’s capability with respect to a particular protocol
• The value is structured as a one-octet count field followed by a set of N-octet parameters, one for each protocol layer in protocolDirID
• Each bit in the parameter octet is encoded separately to define a particular capability
Protocol parameter (2)
• The 2 LSBs are reserved for all protocols
  – CountFragment (bit0): Higher-layer protocols encapsulated within this protocol will be counted correctly even if this protocol fragments the upper-layer PDUs into multiple fragments
  – tracksSessions (bit1): Correctly attributes all packets of a port-mapped protocol, that is, a protocol that starts sessions on a well-known port or socket and then transfers them to dynamically assigned ports or sockets for the duration of the session
    • TFTP (Trivial File Transfer Protocol)
Protocol parameter (3)
• For SNMP running over UDP/IP/Ethernet with fragments counted correctly for IP or above, the following encoding is for the two objects (protocolDirID, protocolDirParameter)
    16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161.4.0.1.0.0
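
The protocolDirID and protocolDirParameters encodings above can be built and parsed mechanically. The following is an added example, not part of the original slides; the function names and the `TREE` table are hypothetical, and the tree holds only the identifiers listed on the slides.

```python
"""Encode and decode the protocolDirTable index described above:
protocolDirID (count octet + 4 octets per layer) followed by
protocolDirParameters (count octet + 1 octet per layer)."""

# Protocol tree limited to the identifiers listed on the slides.
# name -> (32-bit layer identifier, child protocols)
TREE = {
    "ether2": (1, {"ip": (0x0800, {"udp": (17, {"snmp": (161, {})})})}),
    "llc": (2, {}),
    "snap": (3, {}),
    "vsnap": (4, {}),
    "ianaAssigned": (5, {}),
}

COUNTS_FRAGMENTS = 0x01  # bit 0 of a parameter octet (CountFragment on the slides)
TRACKS_SESSIONS = 0x02   # bit 1 of a parameter octet


def _walk(path):
    """Resolve 'ether2.ip.udp' to [(name, 32-bit id), ...] by descending the tree."""
    level, resolved = TREE, []
    for name in path.split("."):
        if name not in level:
            raise ValueError(f"{name!r} is not a known child protocol at this level")
        value, level = level[name]
        resolved.append((name, value))
    return resolved


def encode_dir_id(path):
    """'ether2.ip' -> '8.0.0.0.1.0.0.8.0'."""
    body = [o for _, value in _walk(path) for o in value.to_bytes(4, "big")]
    return ".".join(str(o) for o in [len(body)] + body)


def encode_index(path, params=None):
    """Full index: protocolDirID followed by protocolDirParameters."""
    params = params or {}
    names = [name for name, _ in _walk(path)]
    if set(params) - set(names):
        raise ValueError("parameter given for a layer that is not in the path")
    flags = [params.get(name, 0) for name in names]
    return encode_dir_id(path) + "." + ".".join(str(o) for o in [len(flags)] + flags)


def _counted(octets, pos, what):
    """Read one count-prefixed octet string; return (body, next position)."""
    if pos >= len(octets):
        raise ValueError(f"{what}: missing count octet")
    end = pos + 1 + octets[pos]
    if end > len(octets):
        raise ValueError(f"{what}: count octet promises more octets than are present")
    return octets[pos + 1:end], end


def decode_index(text):
    """Parse a dotted index into one dict per protocol layer."""
    octets = [int(part) for part in text.split(".")]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("every sub-identifier must be one octet (0-255)")
    dir_id, pos = _counted(octets, 0, "protocolDirID")
    params, pos = _counted(octets, pos, "protocolDirParameters")
    if pos != len(octets):
        raise ValueError("trailing octets after protocolDirParameters")
    if len(dir_id) % 4 or len(params) != len(dir_id) // 4:
        raise ValueError("need 4 ID octets and 1 parameter octet per layer")
    layers, level = [], TREE
    for i, flags in enumerate(params):
        value = int.from_bytes(bytes(dir_id[4 * i:4 * i + 4]), "big")
        # Unknown identifiers are reported in hex and end the named descent.
        name, children = next(
            ((n, c) for n, (v, c) in level.items() if v == value), (hex(value), {}))
        layers.append({"name": name,
                       "countsFragments": bool(flags & COUNTS_FRAGMENTS),
                       "tracksSessions": bool(flags & TRACKS_SESSIONS)})
        level = children
    return layers


if __name__ == "__main__":
    index = encode_index("ether2.ip.udp.snmp", {"ip": COUNTS_FRAGMENTS})
    print(index)
    for layer in decode_index(index):
        print(layer)
```
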
Protocol Directory Table (1)
• protocolDirType
  – extensible(0) if the agent or manager may extend this table by creating entries that are children of this protocol
  – addressRecognitionCapable(1) indicates that the probe can not only count packets for this protocol but can also recognize source and destination address fields for finer-grained counting
Protocol Directory Table (2)
• protocolDirAddressMapConfig
  – notSupported(1): if not capable of performing address mapping
  – If capable then the value may be set to supportedOff(2) or supportedOn(3)
• protocolDirHostConfig
  – It may be set to notSupported(1), supportedOff(2) or supportedOn(3) with respect to the network-layer and application-layer host tables for this protocol
Protocol Directory Table (3)
• protocolDirMatrixConfig
  – It may be set to notSupported(1), supportedOff(2) or supportedOn(3) with respect to the network-layer and application-layer matrix tables for this protocol
Protocol Distribution Group (1)
• It summarizes how many octets and packets have been sent from each of the protocols supported
• protocolDistControlTable – controls collection of basic statistics for all supported protocols
• protocolDistStatsTable – records the data
Protocol Distribution Group (2)
• Each row in protocolDistControlTable refers to a unique network interface for this probe and controls a number of rows of protocolDistStatsTable, one for each protocol recognized on that interface
Protocol Distribution Group (3)
• protocolDistControlTable consists of
  – protocolDistControlIndex: an integer that uniquely identifies a row in the protocolDistControlTable
  – protocolDistControlDataSource: identifies the interface that is the source of the data for this row
  – protocolDistControlDroppedFrames: total number of received frames for this interface that the probe chose not to count (out of resources)
  – protocolDistControlCreateTime: the value of sysUpTime when this control entry was activated
Protocol Distribution Group (4)
• The protocolDistStatsTable includes one row for each protocol in protocolDirTable for which at least one packet has been seen
• It is indexed by protocolDistControlIndex and by protocolDirLocalIndex
Protocol Distribution Group (5)
• protocolDistStatsTable consists of
  – protocolDistStatsPkts: the number of packets received for this protocol
  – protocolDistStatsOctets: the number of octets transmitted to this address since it was added to nlHostTable
Address Map Group (1)
• It matches each network address to a specific MAC-level address
• It is helpful in node discovery and network topology applications for pinpointing the specific path of the network traffic
• 3 scalar objects, one control table (addressMapControlTable) and one data table (addressMapTable)
Address Map Group (1)
• 3 scalar objects are
  – addressMapInserts: the number of times an address-mapping entry has been inserted into the data table
  – addressMapDeletes: the number of times an address-mapping entry has been deleted from the data table
  – addressMapMaxDesiredEntries: the desired maximum number of entries in addressMapTable (if this value is set to -1, the probe may create any number of entries in addressMapTable)
Data table size = addressMapInserts - addressMapDeletes
Address Map Group (2)
• The addressMapControlTable consists of
  – addressMapControlIndex: an integer that uniquely identifies a row in the addressMapControlTable
  – addressMapControlDataSource: identifies the interface that is the source of the data for this row and that this row is configured to analyze
  – addressMapControlDroppedFrames: total number of received frames for this interface that the probe chose not to count (out of resources)
Address Map Group (3)
• The addressMapTable will collect address mappings based on source MAC and network addresses seen in error-free MAC frames
• The table will create entries for all protocols in the protocol directory table whose value of protocolDirAddressMapConfig is equal to supportedOn(3)
Address Map Group (4)
• The addressMapTable consists of
  – addressMapTimeMark: a time filter for this entry
  – addressMapNetworkAddress: the network address for this entry
  – addressMapSource: the last interface on which the associated network address was seen
  – addressMapPhysicalAddress: the last source MAC address on which the associated network address was seen
  – addressMapLastChange: the value of sysUpTime at the time this entry was most recently updated
Network-layer Host Group (1)
• nlHost group enables users to decode packets based on their network-layer address
• This group consists of 2 tables
  – nlHostControlTable: control table
  – nlHostTable: data table
• Fig 10.11
Network-layer Host Group (2)
• Each row in the control table refers to a unique interface of the monitor
• nlHostControlTable
  – nlHostControlIndex: an integer that uniquely identifies a row in the nlHostControlTable
  – nlHostControlDataSource: identifies the interface that is the source of the data for the data table entries defined by this row
  – nlHostControlNlDroppedFrames: total number of received frames for this interface that the probe chose not to count for the associated nlHost entries
Network-layer Host Group (3)
  – nlHostControlNlInserts: the number of times an nlHost entry has been inserted into the nlHostTable data table
  – nlHostControlNlDeletes: the number of times an nlHost entry has been deleted from the nlHostTable data table
  – nlHostControlNlMaxDesiredEntries: the desired maximum number of entries in nlHostTable
Network-layer Host Group (4)
  – nlHostControlAlDroppedFrames: total number of received frames for this interface that the probe chose not to count for the associated alHost entries
  – nlHostControlAlInserts: the number of times an alHost entry has been inserted into the alHostTable data table
  – nlHostControlAlDeletes: the number of times an alHost entry has been deleted from the alHostTable data table
  – nlHostControlAlMaxDesiredEntries: the desired maximum number of entries in alHostTable
Network-layer Host Group (5)
• nlHostTable will create entries for all network-layer protocols in the protocol directory table whose value of protocolDirNlHostConfig is equal to supportedOn(3)
• nlHostTable
  – nlHostTimeMark: a time filter for this entry
  – nlHostAddress: the network address for this entry
  – nlHostInPackets: the number of error-free packets transmitted to this address since it was added to the table
Network-layer Host Group (6)
  – nlHostOutPackets: the number of error-free packets transmitted from this address since it was added to the table
  – nlHostInOctets: the number of octets (error-free packets) transmitted to this address since it was added to the table
  – nlHostOutOctets: the number of octets (error-free packets) transmitted from this address since it was added to the table
Network-layer Host Group (7)
  – nlHostCreateTime: the value of sysUpTime when this control entry was activated
  – nlHostOutMacNonUnicastPkts: the number of packets transmitted by this address that were directed to the MAC broadcast address or to any MAC multicast address since this entry was added to the table
Network-layer Host Group (7)
• nlHostTable is indexed by four objects:
  – nlHostControlIndex: define interface
  – nlHostTimeMark: a time filter
  – protocolDirLocalIndex: the identity of the protocol
  – nlHostAddress: the network address
Application-Layer Host Group (1)
• The nlHostControlTable also controls alHostTable
• alHostTable is the only table in the application-layer host group
• alHostTable will create entries for all application-level protocols in the protocol directory table whose value of protocolDirALHostConfig is equal to supportedOn(3)
Application-Layer Host Group (2)
• alHostTable
  – alHostTimeMark: a time filter for this entry
  – alHostInPackets: the number of error-free packets of this protocol type transmitted to this address since it was added to the table
  – alHostOutPackets: the number of error-free packets of this protocol type transmitted from this address since it was added to the table
Application-Layer Host Group (3)
  – alHostInOctets: the number of octets (error-free packets) of this protocol type transmitted to this address since it was added to the table
  – alHostOutOctets: the number of octets (error-free packets) of this protocol type transmitted from this address since it was added to the table
  – alHostCreateTime: the value of sysUpTime when this control entry was activated
Application-Layer Host Group (4)
• alHostTable is indexed by five objects:
  – nlHostControlIndex: defines the interface
  – alHostTimeMark: a time filter
  – protocolDirLocalIndex: the identity of the network layer protocol
  – nlHostAddress: the network address
  – protocolDirLocalIndex: the identity of the application layer protocol
Network Layer Matrix Group (1)
• It gathers statistics based on source and destination network-layer address
• The network-layer statistics consist of one control table and 2 data tables
  – nlMatrixControlTable: control table for the network layer matrix group and the application layer matrix group
  – nlMatrixSDTable: stores statistics on traffic from a particular source network-layer address to a number of destinations
  – nlMatrixDSTable: stores statistics on traffic to a particular destination network-layer address from a number of sources
Network Layer Matrix Group (2)
• The nlMatrixSDTable is indexed
  – by the row of nlMatrixControlTable that controls it, then
  – by a time filter: nlMatrixSDTimeMark, then
  – by the network-layer protocol: protocolDirLocalIndex, then
  – by the network layer source address: nlMatrixSDSourceAddress, then
  – by the network layer destination address: nlMatrixSDDestAddress
Network Layer Matrix Group (3)
• The nlMatrixDSTable is indexed
  – by the row of nlMatrixControlTable that controls it, then
  – by a time filter: nlMatrixDSTimeMark, then
  – by the network-layer protocol: protocolDirLocalIndex, then
  – by the network layer destination address: nlMatrixDSDestAddress, then
  – by the network layer source address: nlMatrixDSSourceAddress
Network-Layer TopN Statistics (1)
• To determine which pairs of hosts rank in the top N according to some metric
• One control table and one data table
  – nlMatrixTopNControlTable
  – nlMatrixTopNTable
Network-Layer TopN Statistics (2)
• nlMatrixTopNControlTable
  – nlMatrixTopNRateBase: specifies one of two variables (nlMatrixTopNPackets(1) / nlMatrixTopNOctets(2))
  – nlMatrixTopNRequestedSize: the maximum number of matrix entries requested for the topN table
Network-Layer TopN Statistics (3)
• nlMatrixTopNTable
  – nlMatrixTopNPktRate: the number of packets seen from source host to destination host during this sampling interval
  – nlMatrixTopNReversePktRate: same as above (but destination to source)
  – nlMatrixTopNOctetRate: the number of octets seen from source host to destination host during this sampling interval
  – nlMatrixTopNReverseOctetRate: same as above (but destination to source)
Network-Layer TopN Statistics (4)
• The nlMatrixTopNTable is indexed by
  – nlMatrixTopNControlIndex
  – nlMatrixTopNIndex
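How a TopN report follows from two snapshots of the source-destination matrix counters, as an added example that is not part of the original slides. The snapshot layout, the function names, the tie-break order and the 32-bit counter wrap are assumptions of this sketch; the sample addresses and counts are constructed.

```python
from collections import namedtuple

Row = namedtuple("Row", "index src dst pkt_rate reverse_pkt_rate "
                        "octet_rate reverse_octet_rate")
RATE_BASE_PACKETS, RATE_BASE_OCTETS = 1, 2   # rate base values as given on the slide
COUNTER_MOD = 2 ** 32                        # assumption: 32-bit counters that wrap

def _delta(start, end, key):
    """(packets, octets) seen for key during the interval; new pairs count from 0."""
    if key not in end:
        return 0, 0
    p0, o0 = start.get(key, (0, 0))
    p1, o1 = end[key]
    return (p1 - p0) % COUNTER_MOD, (o1 - o0) % COUNTER_MOD

def top_n(start, end, rate_base, requested_size):
    """Rank (src, dst) pairs from two {(src, dst): (pkts, octets)} snapshots."""
    if rate_base not in (RATE_BASE_PACKETS, RATE_BASE_OCTETS):
        raise ValueError("unknown rate base")
    rows = []
    for src, dst in end:
        pkts, octets = _delta(start, end, (src, dst))
        rpkts, roctets = _delta(start, end, (dst, src))   # reverse direction
        rows.append((src, dst, pkts, rpkts, octets, roctets))
    col = 2 if rate_base == RATE_BASE_PACKETS else 4      # column the report ranks on
    rows.sort(key=lambda r: (-r[col], r[0], r[1]))        # highest rate first
    # The report index runs from 1 up to at most the requested size.
    return [Row(i, *r) for i, r in enumerate(rows[:requested_size], start=1)]

# Constructed snapshots taken at the start and end of one sampling interval.
START = {("10.0.0.5", "10.0.1.9"): (100, 64000),
         ("10.0.1.9", "10.0.0.5"): (90, 9000),
         ("10.0.0.7", "10.0.1.9"): (4294967290, 500)}     # about to wrap
END = {("10.0.0.5", "10.0.1.9"): (400, 500000),
       ("10.0.1.9", "10.0.0.5"): (350, 30000),
       ("10.0.0.7", "10.0.1.9"): (10, 2500),
       ("10.0.0.8", "10.0.2.2"): (50, 700000)}            # pair first seen mid-interval

if __name__ == "__main__":
    for row in top_n(START, END, RATE_BASE_PACKETS, 3):
        print(row)
```

Ranking the same interval by octets instead of packets puts the 10.0.0.8 pair first, which is why the rate base matters when looking for bulk transfers rather than chatty hosts.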
Application-Layer Matrix Group (1)
• Statistical collection of information based on source and destination application address (port number)
• This group consists of 3 data tables and 1 control table
  – alMatrixSDTable
  – alMatrixDSTable
  – alMatrixTopNControlTable
  – alMatrixTopNTable
alMatrix Group (2)
• Fig 10.15
Application-Layer Matrix Group (2)
• The alMatrixSDTable (alMatrixDSTable) is indexed by
  – nlMatrixControlIndex: identifies a unique subnetwork
  – nlMatrixSDTimeMark: time filter
  – protocolDirLocalIndex: the network-layer protocol
  – nlMatrixSDSourceAddress: the network layer source address
  – nlMatrixSDDestAddress: the network layer destination address
  – protocolDirLocalIndex: the application-layer protocol
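The index order listed on the nlMatrixSDTable, nlMatrixDSTable and alMatrixSDTable slides, decoded from the instance part of an OID, as an added example that is not part of the original slides. The function names and sample suffixes are constructed, and the sketch assumes each address index is an OCTET STRING encoded as a length followed by its octets.

```python
def _take_address(subids, pos):
    """Read one length-prefixed address at pos; return (dotted string, next pos)."""
    if pos >= len(subids):
        raise ValueError("index ends before address length")
    length = subids[pos]
    octets = subids[pos + 1:pos + 1 + length]
    if len(octets) != length or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("truncated or malformed address")
    return ".".join(map(str, octets)), pos + 1 + length

def decode_matrix_index(suffix, table="nlMatrixSD"):
    """Split the OID suffix that follows the column name into its index objects."""
    subids = [int(s) for s in suffix.split(".")]
    if len(subids) < 3:
        raise ValueError("index too short")
    # SD tables list the source address first, DS tables the destination first.
    first, second = ("source", "dest") if table.endswith("SD") else ("dest", "source")
    row = {"controlIndex": subids[0], "timeMark": subids[1],
           "nlProtocolDirLocalIndex": subids[2]}
    row[first], pos = _take_address(subids, 3)
    row[second], pos = _take_address(subids, pos)
    if table.startswith("al"):       # alMatrix tables append the application protocol
        if pos >= len(subids):
            raise ValueError("missing application-layer protocolDirLocalIndex")
        row["alProtocolDirLocalIndex"] = subids[pos]
        pos += 1
    if pos != len(subids):
        raise ValueError("trailing sub-identifiers after index")
    return row

# Constructed sample suffixes (IPv4, so each address is 4 octets long).
SAMPLES = [
    ("nlMatrixSD", "1.0.18.4.192.0.2.10.4.198.51.100.7"),
    ("nlMatrixDS", "1.0.18.4.198.51.100.7.4.192.0.2.10"),
    ("alMatrixSD", "1.0.18.4.192.0.2.10.4.198.51.100.7.34"),
]

if __name__ == "__main__":
    for table, suffix in SAMPLES:
        print(table, decode_matrix_index(suffix, table))
```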
Application-Layer Matrix Group (3)
• alMatrixTopNControlTable has the same structure as the nlMatrixTopNControlTable
• The only difference is the definition of the rate base object: alMatrixTopNRateBase
    • alMatrixTopNTerminalsPkts(1): counts only protocol packets (no child protocol)
    • alMatrixTopNTerminalsOctets(2): counts only protocol octets (no child protocol)
    • alMatrixTopNAllPkts(3)
    • alMatrixTopNAllOctets(4)
Application-Layer Matrix Group (4)
• alMatrixTopNTable
  – alMatrixTopNPktRate: the number of packets seen from source host to destination host during this sampling interval
  – alMatrixTopNReversePktRate: same as above (destination to source)
User history collection group (1)
• User history collection group
  – Collects particular statistics and variables, then logs that data based on user-defined parameters
User history collection group (2)
User history collection group (3)
Probe configuration group
• Probe configuration group
  – To solve interoperability among RMON probes and managers
Practical Issues