Date posted: 15-Jan-2016
Chapter 8 Remote Monitoring (RMON1) 1

Chapter 8 Overview
RMON1 is a MIB
  o Also known as RMON
Recall that mib-2 gives info on devices
RMONs provide network info
RMON1 provides info at link (MAC) layer
RMON2 is discussed in chapter 9
  o Info at network layer and above

Textbook LAN
Probe 1 and probe 2 are RMON probes
Probe 2 is RMON1 only
Probes capture packets in promiscuous mode

RMON1 MIB Groups
We’ll consider the following groups
  o Statistics group, History group,
  o Alarm group, Host group,
  o HostTopN group, Matrix group
  o Filter group, Capture group,
  o and Event group

Statistics Group
Group: Statistics group (mib-2.16.1)
Description:
• Consists of the etherStatsTable.
• There is one table entry (row) for each Ethernet subnetwork to which the RMON1 device is connected.
• Each row consists of values of column objects for a subnetwork.
• The column objects are counter objects. An example column object is the counter etherStatsPkts that is the number of ethernet packets received since the RMON1 device was first started.
• There are 21 column objects in the table.
Function: Counts packets with characteristics defined by objects in the etherStatsTable. The packet count is for all frames read regardless of device.
Overall statistics

History Group
Group: History group (mib-2.16.2)
Description:
• Consists of two tables: the historyControlTable and the etherHistoryTable.
• The management application uses the historyControlTable to specify for example the subnetwork interface that will be monitored, the sampling interval and how many sampling intervals.
• The etherHistoryTable has 15 column objects. Each of these objects is sampled in the sampling interval.
• A row in the etherHistoryTable consists of the values of the column objects for one sampling interval. Thus, for each interface, there are as many rows in the etherHistoryTable as sampling intervals
Function: Develops a history of each etherHistoryTable object. Does this by counting packets for each object over a number of defined sampling intervals

Alarm Group
Group: Alarm group (mib-2.16.3)
Description:
• Consists of the alarmTable
• The management application creates a row in the table by defining the object to be monitored, the sampling interval and the alarm thresholds
• Other column objects define how the threshold and object values during a sampling interval are to be compared
• Alarms can be generated and actions taken, depending on the result of the comparison, by referencing rows in the eventTable.
Function: Identifies selected object values that become greater or less than thresholds during the sampling interval.

Host Group
Group: Host group (mib-2.16.4)
Description:
• This group gathers statistics specific to hosts on the LAN that is being monitored.
• It consists of 3 tables: hostControlTable, hostTable and hostTimeTable.
• The remote monitor learns about hosts from reading MAC addresses in packets it receives
• The hostTable has one row for each host discovered
• The values of column objects in a hostTable row are statistics for a specific host. An example would be the number of packets received, hostInPkts.
• The hostTimeTable contains the same information as the hostTable. However, the rows are ordered by the time when the host was detected.
Function: Records MAC address and statistics for packets received or transmitted for each host detected on the subnet

HostTopN Group
Group: HostTopN group (mib-2.16.5)
Description:
• This group consists of 2 tables: hostTopNControlTable and hostTopNTable.
• The statistics that are compiled make use of the values of objects in the host group.
• The management station uses the hostTopNControlTable to specify the maximum number of hosts, N, to monitor, the sampling interval, a variable from the hostTable to monitor and the change of that variable during the sampling interval
• The hostTopNTable ranks the results for the top N hosts relative to a selected variable such as hostInPkts.
Function: Determines the most active N hosts during every sampling interval for a specified variable such as "in-packets."

Matrix Group
Group: Matrix group (mib-2.16.6)
Description:
• This group contains 3 tables: matrixControlTable, matrixSDTable and matrixDSTable. (SD = source->destination and DS = destination->source)
• The matrixControlTable functions like control tables described for other groups
• The matrixSDTable and matrixDSTable present a logical matrix of source and destination addresses to the management application.
• The matrixSDTable and matrixDSTable contain the same information.
• The matrixSDTable and the matrixDSTable are indexed differently so that the management application can quickly access the desired data for a particular communication.
• Included among the column objects are the MAC source and destination addresses of the hosts involved in communication. There is one row for each communication in the matrixSDTable and matrixDSTable.
Function: Records host MAC addresses and statistics, such as "in-packets," for conversations between hosts.

Filter Group
Group: Filter group (mib-2.16.7)
Description:
• Consists of two control tables: filterTable and channelTable.
• Objects in the filterTable allow the management application to define what packets will be processed by the monitor based on the content of the fields in the packets
• Two types of content filters are applied to define a channel: the data filter and the status filter. There can be multiple filters applied by creating multiple data and status filters.
• Data filters filter on bit patterns in the packet
• Status filters filter on errors such as CRC errors
• Packets that pass a data/status filter combination constitute a channel.
• Each channel has a capture buffer for its packets
• Packets in a channel can be retrieved from the capture buffer by the NMS using capture group objects
• Packets that match filters can produce events defined in the event group
Function: Defines the characteristics of read packets that should be processed by the probe. Such characteristics determine a channel

Capture Group
Group: Capture group (mib-2.16.8)
Description:
• This group has two tables: bufferControlTable and captureBufferTable.
• Each row of the bufferControlTable defines the capture characteristics of one buffer. For example, one object defines how much of a packet will be captured and another object how much of that will be returned to the management application in a SNMP GetResponse message
• Each buffer has a captureBufferTable. Each row in this table is assigned to a packet in that buffer. One object, for example, defines the length of the packet.
Function: Defines how much of a channel packet is captured and how much is transmitted to the Management Station.

Event Group
Group: Event group (mib-2.16.9)
Description:
• This group contains the eventTable and the logTable.
• A row in the eventTable defines the parameters of an event
• A row in the logTable defines the event type and the specific event of that type and stores data about the event
• Trap messages generated by an event can be used to control objects in other groups.
Function: Defines and logs events that are generated by objects in other groups and initiates actions

Statistics Group
Simplest RMON1 group
“Counts” all packets detected
Increment counts

Control Objects and Tables
Control objects in RMON1 and RMON2
Specify how data is collected
  o And whether probe or mgmt station decides
Mgmt station looks at control objects to see if data being collected as desired
Mgmt station can modify control objects
Probe-created control objects generally should not be changed

Control Objects and Tables
Suppose mgmt station wants to collect data from a particular subnet
It could create a new row in etherStatsTable
Instead, could use control objects so that only the desired data is collected
Saves storage on the probe
Use SetRequest to set control object values

etherStatsTable Control Objects
Object: Description
etherStatsDataSource
• An integer that formally identifies the device interface from which the data is to be processed.
• Has the same value as ifIndex in the ifTable in mib-2 for this device
etherStatsOwner
• A string that identifies the creator of the table row that is associated with etherStatsDataSource
• Is either the agent with the name monitor or a Management Station name and IP address
etherStatsStatus
• An integer that specifies the status of the row. Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator must then set the value to valid (1) for the row objects to begin to collect data.

MeterWare
Summary view
Probe 2 info

RMON1 on Probe 2
Object values
Click “Statistics”

etherStatsTable Control Objects
Probe 2 has one interface, so only one row
etherStatsOwner = monitor
  o Agent created and “owns” this row
etherStatsStatus = valid
  o Agent will store collected data
etherStatsDataSource = ifIndex.1
  o Identifier of mib-2 for probe interface to 192.192.192.240
etherStatsIndex = 1
  o First row in table

etherStatsTable Control Objects
View: select row and start collecting stats
Add: add another row
Modify: edit current row
Delete: delete a row
Help: get help (duh!)

History Group
A record of what happens over defined sampling intervals
Similar to Statistics Group
Main difference is sampling intervals
History Group includes
  o etherHistoryTable
  o historyControlTable

History Group
MIB browser view

historyControlTable
Column objects

historyControlTable
One row for each historyControlInterval
  o In this case, 30 and 1800 seconds
  o 120 “buckets” (intervals) for each
So 240 rows in etherHistoryTable

historyControlTable
Object (Row 1 value, Row 2 value): Description
historyControlIndex (Row 1: 1, Row 2: 2)
• Index object for the rows
historyControlDataSource (Row 1: ifIndex.1, Row 2: ifIndex.1)
• Interface to subnet 192.192.192.240
• Has the value of ifIndex. in the mib-2 ifTable
historyControlInterval (Row 1: 30 sec, Row 2: 1800 sec)
• There are two sampling interval lengths. One for short term history and one for long term history
historyControlBucketsRequested (Row 1: 120, Row 2: 120)
• Number of sampling intervals requested
historyControlBucketsGranted (Row 1: 120, Row 2: 120)
• Number of sampling intervals granted. Determines how long the sampling will be done and thus how much probe memory is granted. Granted buckets can be less than requested buckets
historyControlStatus (Row 1: valid(1), Row 2: valid(1))
• An integer that specifies the status of the row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)

etherHistoryTable
Recall, 240 rows in etherHistoryTable

etherHistoryTable and historyControlTable
Object: Description
etherHistoryIndex
• Identifies etherHistoryTable rows with a row in the historyControlTable.
• etherHistoryIndex = historyControlIndex
• It is an Index object for the etherHistoryTable
etherHistorySampleIndex
• etherHistoryIndex and etherHistorySampleIndex taken together identify the buckets to associate with a row in the historyControlTable
• It is an Index object for the etherHistoryTable
etherHistoryIntervalStart
• The value of sysUpTime object in the Systems group at the start of the sample interval.
etherHistoryDropEvents
• The number of times it was detected that the monitor dropped a packet due to lack of resources

Sample History Report
30 second history report

Host Group
Statistics per host
Note statistics and history groups do not relate their stats to hosts
4 tables: hostControlTable, hostTable, hostTimeTable, hostControl2Table (RMON2)

hostControlTable
hostControlTableSize
  o Number of hosts detected so far
hostControlLastDeleteTime
  o Last “reset” time

hostControlTable
Object: Description
hostControlIndex
• An integer that identifies a row in hostControlTable and the probe interface to the subnet
hostControlDataSource
• An integer that identifies the probe interface to the subnet. It is equal to the value of ifIndex in the ifTable in mib-2.
hostControlTableSize
• The number of rows (hosts) in the hostTable detected on hostControlDataSource.
hostControlLastDeleteTime
• The value of sysUpTime at which an entry in the hostTable was deleted
• Agent does deletion if monitor resources become scarce.
• Information is needed by hostTimeTable
hostControlOwner
• The creator of the hostControlTable row
hostControlStatus
• As we have seen in other control tables, the status must be set to valid (1) in order for the probe to collect data for the hostTable

hostTable
Index object, MAC address pairs
Host address is index object
  o Index object has address in decimal
Object: Description
hostAddress
• The MAC address of the host
hostCreationOrder
• An integer between 1 and hostControlTableSize specifying the order in time in which the host was detected on the interface. The smaller the integer, the earlier the host was detected
hostIndex
• All hosts detected on the same interface have the same integer value, i.e. hostIndex = hostControlIndex

hostTimeTable
Object: Description
hostTimeAddress
• The MAC address of the host
hostTimeCreationOrder
• An integer between 1 and hostControlTableSize specifying the order in time in which the host was identified on the interface. The smaller the integer, the earlier the host was detected
• Index object for the hostTimeTable
hostTimeIndex
• All hosts detected on the same interface have the same value.
• Index object for the hostTimeTable
• hostTimeIndex = hostIndex = hostControlIndex
Same objects as hostTable
Different index object
  o hostTimeCreationOrder, not hostAddress
  o So that new hosts easily distinguished
  o Also hostTimeIndex

Too Many Hosts?
If too many hosts, probe uses hostTimeCreationOrder to drop hosts
  o Drop those that have not been used for longest
  o hostTimeCreationOrder is in hostTimeTable
To be sure it uses valid object identifier, mgmt station checks hostControlLastDeleteTime
  o In hostControlTable

hostTable Example
Hosts detected on probe 2 subnet

HostTopN Group
Rate of change of hostTable info
Sorta like History for specific Host
For each row of hostTopNControlTable
  o N rows in hostTopNTable (N is configurable)

hostTopNControlTable
Object: Description
hostTopNControlIndex
• An integer that identifies a row in the hostTopNControlTable
• Each row in that table defines the data that will be reported for N-hosts on one interface
hostTopNHostIndex
• An integer that refers to the interface on which the N-hosts are observed. It is the same for each of the N-hosts
• hostTopNHostIndex = hostControlIndex
hostTopNRateBase
• An integer that specifies one of the 7 variables in the hostTable to count in the sampling interval to determine the hostTopNRateBase (packets/second in the hostTopNTable)
• Choices are:
  o hostTopNInPkts (1)
  o hostTopNOutPkts (2)
  o hostTopNInOctets (3)
  o hostTopNOutOctets (4)
  o hostTopNOutErrors (5)
  o hostTopNOutBroadcastPkts (6)
  o hostTopNOutMulticastPkts (7)
hostTopNTimeRemaining
• Number of seconds remaining in the sampling interval
hostTopNDuration
• The sampling interval in seconds
hostTopNRequestedSize
• The number of hosts, N, requested to include in the report
hostTopNGrantedSize
• The number of hosts granted
hostTopNStartTime
• sysUpTime when this report sampling was started.
hostTopNOwner
• Monitor or Management Station that creates the row in the hostTopNControlTable
hostTopNStatus
• An integer that specifies the status of the control table row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)

hostTopNControlTable
Index is generated by the probe
Unique for each distribution created

hostTopNTable
Note that it’s measuring the change
Object: Description
hostTopNReport
• An integer that identifies the report
• hostTopNReport = hostTopNControlIndex
hostTopNIndex
• An integer that identifies the data from one host included in the hostTopNReport
hostTopNAddress
• The MAC address associated with the host identified by hostTopNIndex
hostTopNRate
• The amount of change in the hostTopNRateBase in packets/second during the sampling interval.

HostTopN in MeterWare
Distribution of top 5 hosts
Based on “in-packets” rate
Addresses of hosts with largest number of in-packets

HostTopN Addresses
This is not the same as view on previous slide
hostTopNAddress: 1.3.6.1.2.1.16.5.2.1.3
hostTopNReport: 1915
hostTopNIndex: 1
Value: 00 40 05 44 A7 DC

Matrix Group
Host-to-host statistics
Like a 2-d version of Host

Matrix Control Tables

Matrix Control Tables
matrixControlTable
  o Same objects as hostControlTable
matrixSDTable and matrixDSTable
  o Only difference is order of index objects
  o Source to destination vs destination to source?
  o If matrixSDTable is A to B, then corresponding matrixDSTable is B to A

Matrix Control Tables

matrixSDTable
Columns: matrixSDSourceAddress (2), matrixSDDestAddress (3), matrixSDIndex (1), matrixSDPkts, matrixSDOctets, matrixSDErrors
matrixSDSourceAddress   matrixSDDestAddress
A                       B
A                       C
A                       D
B                       C
B                       D
C                       D

matrixDSTable
Columns: matrixDSSourceAddress (3), matrixDSDestAddress (2), matrixDSIndex (1), matrixDSPkts, matrixDSOctets, matrixDSErrors
matrixDSSourceAddress   matrixDSDestAddress
B                       A
C                       A
D                       A
C                       B
D                       B
D                       C

Matrix in MeterWare

Filter and Capture Groups
These groups usually used together
Capture Group
  o How probe captures frame
  o How info is sent from buffer on probe to buffer on mgmt station
Filter Group
  o To select types of frames to capture
  o Used to conserve space in buffers

Capture Group
Capture group objects

Capture Group
bufferControlTable
Object: Description
bufferControlIndex
• The integer that identifies a row in the bufferControlTable.
• There is one buffer for each defined channel.
• A channel is defined by the filter(s) that are applied to determine which packets are captured in the buffer.
bufferControlChannelIndex
• An integer that identifies the channel that is supplying the buffer with packets
bufferControlFullStatus
• A Status value of (1) means space is available in the buffer.
• If the value is (2), the buffer is full.
bufferControlFullAction
• A value of (1) means the buffer is locked when full and will accept no further packets.
• A value of (2) means the buffer will wrap and discard old packets to make room for new.
bufferControlCaptureSliceSize
• Maximum number of octets in each packet that will be captured in the buffer
bufferControlDownloadSliceSize
• Maximum number of octets in the buffer that will be downloaded to the management station in a single SNMP GetResponse
bufferControlDownloadOffset
• The offset, in octets, of the first octet that will be retrieved in a single SNMP GetResponse.
bufferControlMaxOctetsRequested
• The size of buffers, in octets, requested by the management station
bufferControlMaxOctetsGranted
• Number of buffer octets granted by the probe agent
bufferControlCapturedPackets
• Number of packets currently in the buffer
bufferControlTurnOnTime
• The value of sysUpTime (System Group object) when this buffer was first turned on
bufferControlOwner
• The creator of the buffer (see Control Table)
bufferControlStatus
• An integer that specifies the status of the row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)

Capture Group
captureBufferTable
Object: Description
captureBufferControlIndex
• An integer that identifies the buffer that holds this packet. It has the same value as the bufferControlIndex that identifies the buffer
captureBufferIndex
• The integer that uniquely identifies this packet
captureBufferPacketID
• The integer that identifies the order in which packets were received on the interface regardless of the buffer in which stored.
captureBufferPacketData
• The actual packet data
captureBufferPacketLength
• The actual length of the packet in octets
captureBufferPacketTime
• The number of milliseconds from the time the buffer was turned on until this packet was captured
captureBufferPacketStatus
• A number that represents the number of errors detected in the packet. See RFC 1271 for details about how this number is calculated.

Capture Group
How packets are captured and buffered
  o We’ll fill in the details on the next few slides
[Figure: Packets; Filter 1, Filter 2, Filter 3; Channel 1, Channel 2, Channel 3; Buffer 1, Buffer 2, Buffer 3; NMS. Labels: Edit, Status, Data]

Channels
Probe 2 channels
Channel editor
  o To set values in bufferControlTable

Channels
Run button
  o Start capturing
Filter tab
  o Make filters
Buffer tab
  o Show captured packets, protocols,…
Analyze tab
  o More specific filtering/analysis
Create new channel

Filter Group
By default (in Meterware) all packets captured until buffer is full
Can then filter the ones of interest
  o Using analyze tab
But some packets might be missed due to full buffer
Filter group used to prevent this

Filter Group
Filter group objects

Filter Group
filterTable objects
Object: Description
filterIndex
• An integer that identifies a row in the table. Each row defines a data filter and a status filter. Together these form the filter for a channel
filterChannelIndex
• An integer that identifies the channel that uses the filter.
filterPktDataOffset
• Offset, in octets, from the beginning of the MAC destination address to where the filter will begin to be applied for the case of an Ethernet frame
filterPktData
• The data specified in the data filter that the input packet must match.
filterPktDataMask
• The mask that determines which packet bits to be matched are relevant for processing. Only if a bit in the filterPktDataMask is 1 is the packet bit relevant for processing
filterPktDataNotMask
• For relevant bits in the packet to pass the filterPktDataNotMask test, for each bit in this mask that is 1, the relevant packet bit must differ from the bit in the filterPktData. Likewise, for each bit in the filterPktDataNotMask that is 0, the packet bits and the filterPktData bits must differ
filterPktStatus
• Errors found in the relevant bits of the input packet are mapped to an integer sum. The value of this sum is compared to the filterPktStatus. (see RFC 2819 for how the sum is calculated)
filterPktStatusMask
• Bits in this mask determine which packet input bits are relevant for the filterPktStatus test
filterPktStatusNotMask
• For the relevant bits in the input packet to pass the filterPktStatusNotMask test, for each bit in this mask that is 1, the bits in the integer sum must all differ from the bits in the filterPktStatus. Likewise, for each bit in the filterPktStatusNotMask that is 0, the sum bits and the filterPktStatus bits must differ. (see RFC 2819 for how the sum is calculated)
filterOwner
• The entity that configured this table. It could be the probe agent or the Management Station.
filterStatus
• An integer that specifies the status of the row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)

Filter Group
channelTable objects
Object: Description
channelIndex
• An integer that identifies one row in the table. A row corresponds to a channel.
channelIfIndex
• An integer that identifies the interface through which the monitor is receiving packets. The value of channelIfIndex is the same as the value of ifIndex for this interface in the mib-2 ifTable.
channelAcceptType
• The value of this object determines how the filters for the channel are to function. There are two possible integer values: acceptMatched (1) and acceptFailed (2). If the value is set to 1, the packet must pass both the data and status filters associated with the channel to be accepted by the channel. If the value is set to (2), the packet will be accepted by the channel only if it fails either the data or status filters associated with the channel.
channelDataControl
• There are two possible integer values: on (1) and off (2). The channel must be "on" for data, status and events to "flow through" the channel.
channelTurnOnEventIndex
• An integer that identifies the event in the Event group that will turn the channelDataControl from off to on when the event occurs. channelTurnOnEventIndex has the same value as the eventIndex object in the Event Group (to be discussed) that identifies the same event. In other words, if the event associated with eventIndex occurs, channelDataControl is turned on and the channel passes filtered packets
channelTurnOffEventIndex
• An integer that identifies the event in the Event group that will turn the channelDataControl from on to off when the event occurs. channelTurnOffEventIndex has the same value as the eventIndex object in the Event Group that identifies the same event. In other words, if the event associated with eventIndex occurs, channelDataControl is turned off and the channel passes no further packets.
channelEventIndex
• An integer that identifies the event that is generated when the channelDataControl is on and the packet is matched. channelEventIndex has the same value as eventIndex in the Event Group.
channelEventStatus
• There are 3 possible integer values for this object: eventReady (1), eventFired (2) and eventAlwaysReady (3). If the value is 1, a single event may be generated and then the probe will set the value to 2. No further events may be generated until this object is reset to 1. If the value of the object is 3, events may continue to be generated.
channelMatches
• The number of times a packet matches this channel. The number of matches continues to be updated even if channelDataControl is set to off.
channelDescription
• Comments about the channel
channelOwner
• The entity that configured the channel such as a Management Station
channelStatus
• An integer that specifies the status of the row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)
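
The data/status filter test and the channelAcceptType decision from the filterTable and channelTable slides, as an added Python example that is not part of the original slides. It follows the matching rule as RFC 2819 states it (relevant bits whose NotMask bit is 0 must equal the filter value; where NotMask bits are 1, at least one relevant bit must differ). The Filter class, the function names, and the MAC/IP addresses and frames are constructed for illustration.

```python
from dataclasses import dataclass

ACCEPT_MATCHED, ACCEPT_FAILED = 1, 2                  # channelAcceptType values
ST_TOO_LONG, ST_TOO_SHORT, ST_CRC_ALIGN = 1, 2, 4     # error bits summed into the packet status


@dataclass
class Filter:                      # hypothetical stand-in for one filterTable row
    offset: int                    # filterPktDataOffset (from start of destination MAC)
    data: bytes                    # filterPktData
    mask: bytes = b""              # filterPktDataMask, padded below with 1 bits
    not_mask: bytes = b""          # filterPktDataNotMask, padded below with 0 bits
    status: int = 0                # filterPktStatus
    status_mask: int = 0           # filterPktStatusMask (0 = no status bit is relevant)
    status_not_mask: int = 0       # filterPktStatusNotMask


def data_match(f: Filter, pkt: bytes) -> bool:
    """Data filter: compare the packet window against filterPktData under both masks."""
    n = len(f.data)
    window = pkt[f.offset:f.offset + n]
    if len(window) < n:            # packet too short to cover the filter: fails
        return False
    mask = f.mask.ljust(n, b"\xff")[:n]
    not_mask = f.not_mask.ljust(n, b"\x00")[:n]
    differ = 0
    for p, d, m, nm in zip(window, f.data, mask, not_mask):
        diff = (p ^ d) & m         # relevant bits that differ from filterPktData
        if diff & ~nm & 0xFF:      # a bit that had to be equal differs
            return False
        differ |= diff & nm        # bits that were required to differ and do
    return not any(not_mask) or differ != 0


def status_match(f: Filter, pkt_status: int) -> bool:
    """Status filter: same test applied to the integer error sum of the packet."""
    diff = (pkt_status ^ f.status) & f.status_mask
    if diff & ~f.status_not_mask:
        return False
    return f.status_not_mask == 0 or (diff & f.status_not_mask) != 0


def channel_accepts(accept_type: int, filters, pkt: bytes, pkt_status: int) -> bool:
    """acceptMatched: some filter passes both tests. acceptFailed: every filter fails one."""
    matched = any(data_match(f, pkt) and status_match(f, pkt_status) for f in filters)
    return matched if accept_type == ACCEPT_MATCHED else not matched


def frame(ethertype: int, ip_proto: int) -> bytes:
    """Constructed frame: 14-byte Ethernet header, 20-byte IPv4-style header, 8 payload bytes."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, ip_proto, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2])
    return dst + src + ethertype.to_bytes(2, "big") + ip + bytes(8)


# Window starts at the EtherType (offset 12) and ends at the IP protocol byte (offset 23).
PROTO_FIELDS = bytes.fromhex("0800") + bytes(9) + b"\x11"    # IP, don't-care bytes, UDP
PROTO_MASK = b"\xff\xff" + bytes(9) + b"\xff"                # only EtherType and protocol count
UDP_OVER_IP = Filter(12, PROTO_FIELDS, PROTO_MASK)
IP_NOT_UDP = Filter(12, PROTO_FIELDS, PROTO_MASK, not_mask=bytes(11) + b"\xff")
CRC_ERRORS = Filter(0, b"", status=ST_CRC_ALIGN, status_mask=ST_CRC_ALIGN)

if __name__ == "__main__":
    samples = {"UDP": frame(0x0800, 17), "TCP": frame(0x0800, 6), "ARP": frame(0x0806, 0)}
    for name, pkt in samples.items():
        print(name,
              "udp-filter:", data_match(UDP_OVER_IP, pkt),
              "ip-not-udp:", data_match(IP_NOT_UDP, pkt),
              "acceptFailed channel:", channel_accepts(ACCEPT_FAILED, [UDP_OVER_IP], pkt, 0))
```

A filterPktStatusMask of 0 makes no status bit relevant, so every packet passes the status test, which corresponds to the "Any Packet = 0" setting in the filter example slide.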

RMON Control Table
Create/edit RMON channels
  o As shown in Capture Group slides
Control Table for RMON Channels (above)
Select: Owner View Details

Channel Information
Interface Index: channelIfIndex
Channel Index: channelIndex
Status: channelStatus
Packet Matches: channelMatches
Accept Type: channelAcceptType
Owner: channelOwner
All objects here are in channelTable

Channel Information
Data Flow Control: channelDataControl
  o off(2) means no packets being captured
Turn On Event Index: channel…
  o Event to turn off(2) to on(1)
Turn Off Event Index: channel…
  o Event to turn on(1) to off(2)
All objects here are in channelTable

Channel Information
Generated Event Index: channelEventIndex
  o 0 means no event generated by a matched packet (configured in Event Group)
Generated Event Status: channelEventStatus
  o Options are…
  o eventReady(1)
  o eventFired(2)
  o eventAlwaysReady(3)
All objects here are in channelTable

Filter Example
May not want to include all packets
Can set up filter for each channel
Above is filter from Probe 2 to WS2
Another filter needed for opposite direction

Filter Example
Link layer: ifTable/ifType = ethernet-csma(6)
Protocol: filterTable/filterPktData = IP
Sub-protocol: filterTable/filterPktData = UDP
Source address: Probe 2 (MAC and IP address)
Destination address: WS2 (MAC and IP address)
Allow packets: filterTable/filterPktStatus
  o Any Packet = 0
Filter for packets from probe 2 to WS2

Captured/Filtered Packets

All Captured Frames

Contents of Frame
Detailed view of packet
  o Similar to Ethereal

Analysis of Captured Frames
Packet 10 (out of 28) shown
Next, filter
  o UDP packets
  o Length 00 fe
Click “apply”
  o Next slide…

Analyze Screen
Find 6 frames that satisfy the filter
  o Out of 28 captured frames
Can filter down to frames of interest

Alarm Group
alarmTable
“Threshold” compared
  o If threshold exceeded, alarm sent
Used with Event Group

alarmTable Objects
Object: Description
alarmIndex
• An integer that identifies a row in the table
alarmInterval
• The time interval over which the variable is sampled
alarmVariable
• The object identifier of the variable to be sampled
alarmSampleType
There are two types:
• absoluteValue (1) - value of object is compared directly with the threshold.
• deltaValue (2) - difference between values of object after current sample and last sample is compared to the threshold.
alarmValue
• The value of the object sampled at the end of the last sampling period.
alarmStartupAlarm
There are three types:
• risingAlarm (1) - is generated if the first sample after the row becomes "valid" equals or exceeds the alarmRisingThreshold.
• fallingAlarm (2) - is generated if the first sample after the row becomes "valid" is less than or equal to the alarmFallingThreshold
• risingOrFallingAlarm (3) - is generated if either the risingAlarm or the fallingAlarm are violated.
alarmRisingThreshold
• The rising threshold is exceeded by the variable
alarmFallingThreshold
• The falling threshold is greater than the variable
alarmRisingEventIndex
• The value of this object is employed when the alarmRisingThreshold is crossed
• This value is the same as an eventIndex object in the eventTable. Thus, the alarmRisingEventIndex will trigger an event in the eventTable.
alarmFallingEventIndex
• The value of this object is employed when the alarmFallingThreshold is crossed
• This value is the same as an eventIndex object in the eventTable. Thus the alarmFallingEventIndex will trigger an event in the eventTable
alarmOwner
• Monitor or Management Station that created a row in the alarmTable
alarmStatus
• An integer that specifies the status of the row.
• Its values can be either valid (1), createRequest (2), underCreation (3) or invalid (4).
• The row creator uses a SetRequest to set the value of this object to createRequest (2)
• The agent then sets the value to underCreation (3) until the creator is finished
• The creator then sets the value to valid (1)
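
The threshold comparison from the alarmTable slide, as an added Python example that is not part of the original slides. It goes one step beyond the slide by applying the re-arming rule from RFC 2819: after a rising alarm, no further rising alarm is generated until the sampled value has dropped to the falling threshold, and the reverse for falling alarms. The function name and the sample readings are constructed, and the code assumes the falling threshold is below the rising threshold.

```python
ABSOLUTE_VALUE, DELTA_VALUE = 1, 2                                  # alarmSampleType
RISING_ALARM, FALLING_ALARM, RISING_OR_FALLING_ALARM = 1, 2, 3      # alarmStartupAlarm


def evaluate_alarm(readings, sample_type, rising, falling, startup):
    """Replay polled readings of alarmVariable through one alarmTable row.

    Returns a list of (sample_number, "rising" | "falling", alarmValue) tuples,
    one per alarm that the probe would hand to the eventTable.
    Assumption of this example: falling < rising.
    """
    if sample_type == DELTA_VALUE:
        # deltaValue: compare the change between consecutive readings
        values = [b - a for a, b in zip(readings, readings[1:])]
    else:
        # absoluteValue: compare each reading directly
        values = list(readings)

    events = []
    rising_armed = falling_armed = True
    prev = None                      # alarmValue of the previous sampling interval
    for n, value in enumerate(values):
        first = prev is None
        if value >= rising:
            falling_armed = True     # value reached the rising threshold: falling re-arms
            if first:
                crossed = startup in (RISING_ALARM, RISING_OR_FALLING_ALARM)
            else:
                crossed = prev < rising
            if rising_armed and crossed:
                events.append((n, "rising", value))
                rising_armed = False
        elif value <= falling:
            rising_armed = True      # value reached the falling threshold: rising re-arms
            if first:
                crossed = startup in (FALLING_ALARM, RISING_OR_FALLING_ALARM)
            else:
                crossed = prev > falling
            if falling_armed and crossed:
                events.append((n, "falling", value))
                falling_armed = False
        prev = value
    return events


# Constructed samples: a gauge-style value, and a cumulative packet counter.
GAUGE_READINGS = [10, 60, 70, 40, 55, 15, 80]
COUNTER_READINGS = [1000, 1010, 1500, 2100, 2110, 2115]

if __name__ == "__main__":
    print(evaluate_alarm(GAUGE_READINGS, ABSOLUTE_VALUE, 50, 20, RISING_OR_FALLING_ALARM))
    print(evaluate_alarm(GAUGE_READINGS, ABSOLUTE_VALUE, 50, 20, RISING_ALARM))
    print(evaluate_alarm(COUNTER_READINGS, DELTA_VALUE, 400, 10, RISING_OR_FALLING_ALARM))
```

In the gauge sample the reading of 55 produces no alarm even though it crosses 50 from below, because the value never dropped to 20 after the earlier rising alarm.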

Event Group
Two tables
  o eventTable and logTable
Specify event triggered by Alarm group
  o Events can also be triggered from elsewhere

eventTable and logTable
Object: Description
eventIndex
• An integer that identifies a row in the eventTable
eventDescription
• Text description of the event defined by this row
eventType
There are 4 types:
• none (1) - no event has been defined
• log (2) - an entry is made in the corresponding row of the logTable
• snmp-trap (3) - a trap is sent to one or more management stations
• log-and-trap (4) - entry is made and trap is sent
eventCommunity
• the community string that is to be entered in the trap message. Must be the same as what is configured for the trap recipient
eventLastTimeSent
• the value of the sysUpTime object in the mib-2 system group when the event defined by eventIndex was last triggered.
eventOwner
• Monitor or Management Station that created this row in the eventTable
eventStatus
• Must be "valid (1)" for event to be triggerable
logEventIndex
• Has same value as eventIndex for the event that triggered the log entry
logIndex
• An integer that identifies this entry among other entries of the same eventType, i.e. none, log, trap or log-and-trap
logTime
• The value of sysUpTime in the mib-2 system group when this entry was generated
logDescription
• A description of the event that caused this entry in the logTable.

Event Example
In channelTable…
channelTurnOffEventIndex
  o Can set value equal to an eventIndex in eventTable with eventType of trap(3)
  o Then any packet that matches channel will cause a trap to be sent to Mgmt Station
  o Mgmt Station could be configured to send SetRequest to turn off the channel

Chapter 8 Summary
Examined RMON1 groups (9 of them)
RMON monitors network traffic
  o RMON1 for link layer
  o RMON2 for higher layers
  o Chapter 8: RMON1
  o Chapter 9: RMON2