rmon2 rfc2021 rfc2021 decode packets at layer 3 through 7 of the osi model decode packets at layer 3...

RMON2RMON2

• RFC2021RFC2021

• Decode packets at layer 3 through 7 Decode packets at layer 3 through 7 of the OSI Modelof the OSI Model– An RMON probe can monitor traffic on An RMON probe can monitor traffic on

the basis of network-layer protocolthe basis of network-layer protocol•To look beyond the LAN segment To look beyond the LAN segment

– The probe can record traffic to and from The probe can record traffic to and from host for particular applicationshost for particular applications•Can monitor application-level trafficCan monitor application-level traffic

Network layer VisibilityNetwork layer Visibility

• Network Manager can answer these questionsNetwork Manager can answer these questions– If there is excessive load on the LAN due to If there is excessive load on the LAN due to

incoming router trafficincoming router traffic, what networks or hosts , what networks or hosts account for the bulk of incoming traffic?account for the bulk of incoming traffic?

– If a router is overloaded because of high amount of If a router is overloaded because of high amount of outgoing trafficoutgoing traffic, what networks or hosts account for , what networks or hosts account for the bulk of outgoing traffic or to what destination the bulk of outgoing traffic or to what destination networks or hosts is that traffic directednetworks or hosts is that traffic directed

– If there is a high load of pass-through trafficIf there is a high load of pass-through traffic (arriving via one router and departing via another (arriving via one router and departing via another router ), what networks or hosts are responsible for router ), what networks or hosts are responsible for the bulk of this trafficthe bulk of this traffic

Application Level VisibilityApplication Level Visibility

• RMON2 probe is capable of seeing above RMON2 probe is capable of seeing above the IP layerthe IP layer by reading the enclosed higher- by reading the enclosed higher-level headers such as TCP/UDP and viewing level headers such as TCP/UDP and viewing the headers at the application protocol levelthe headers at the application protocol level

• This information is useful This information is useful in controlling load in controlling load and maintaining performanceand maintaining performance– NMS can be implemented that will generate NMS can be implemented that will generate

charts and graphs depicting traffic percentage charts and graphs depicting traffic percentage by protocols or by applicationsby protocols or by applications

RMON MIB (1&2)RMON MIB (1&2)

RMON2 MIB (1)RMON2 MIB (1)

• protocol directoryprotocol directory – a master of directory off all – a master of directory off all protocols that probe can interpretprotocols that probe can interpret

• protocol distributionprotocol distribution – aggregate statistics on – aggregate statistics on the amount of traffic generated by each the amount of traffic generated by each protocol per LAN segmentprotocol per LAN segment

• address mapaddress map – match each network address to – match each network address to a specific MAC level address and port on an a specific MAC level address and port on an attached device and the physical address on attached device and the physical address on this subnetworkthis subnetwork

• network layer hostnetwork layer host – statistics on the amount – statistics on the amount of traffic into and out of hosts on the basis of of traffic into and out of hosts on the basis of the network-layer addressthe network-layer address


• network-layer matrixnetwork-layer matrix – statistics on the – statistics on the amount of traffic between pairs of hosts amount of traffic between pairs of hosts on the basis of network addresson the basis of network address

• application-layer hostapplication-layer host - statistics on the - statistics on the amount of traffic into and out of hosts on amount of traffic into and out of hosts on the basis of application-level addressthe basis of application-level address

• application-layer matrixapplication-layer matrix - statistics on the - statistics on the amount of traffic between pairs of hosts amount of traffic between pairs of hosts on the basis of application-level addresson the basis of application-level address


• User history collectionUser history collection – periodically – periodically samples user-specified variables and logs samples user-specified variables and logs that data based on user-defined that data based on user-defined parametersparameters– Ex. Collect data on a router-to-router Ex. Collect data on a router-to-router

connectionconnection

• Probe configurationProbe configuration – define standard – define standard configuration parameters for RMON probesconfiguration parameters for RMON probes– To solve interoperability problemsTo solve interoperability problems

New features in RMON2 (1)New features in RMON2 (1)

• Indexing with external objectsIndexing with external objects– Reduce control index object in data tableReduce control index object in data table– To access instance of the data entry in To access instance of the data entry in

RMON 1 Vs RMON2RMON 1 Vs RMON2•Rm1datavalue.Rm1controlindex.Rm1dataindexRm1datavalue.Rm1controlindex.Rm1dataindex

– Rm1datavalue.2.89Rm1datavalue.2.89– 2 – Rm1controlindex / 89 – Rm1dataindex2 – Rm1controlindex / 89 – Rm1dataindex

•Rm2datavalue.X.Rm2dataindex Rm2datavalue.X.Rm2dataindex – X – the value of index that specifying set of data rows X – the value of index that specifying set of data rows

by the Xth row (external object)by the Xth row (external object)– Rm2datavalue.2.89 Rm2datavalue.2.89 – 2 – external object / 89 – Rm2dataindex2 – external object / 89 – Rm2dataindex

New features in RMON2 (2)New features in RMON2 (2)

• Time filtering IndexingTime filtering Indexing– Typically, a network management app. is Typically, a network management app. is

periodically to poll all probes for the values periodically to poll all probes for the values of objects of objects

– It is desirable to have the probe return It is desirable to have the probe return values only for those objects whose value values only for those objects whose value have changed since the last pollhave changed since the last poll

– No direct way in SNMP, but RMON2 has a No direct way in SNMP, but RMON2 has a mechanismmechanism

Example of time filteringExample of time filtering

FooTable FooTable

fooTable (1)

fooEntry (1)

fooTimeMark (1)

fooIndex (2)

fooCount (3)

EX1. Time filtering (1)EX1. Time filtering (1)

• Suppose fooTable has 2 values of index Suppose fooTable has 2 values of index – 1,2– 1,2– If no fooTimeMark , a management station If no fooTimeMark , a management station

can see only two countercan see only two counter– With fooTimeMark, it is possible to request With fooTimeMark, it is possible to request

the values of these counter only if they the values of these counter only if they have been updated since a given timehave been updated since a given time

EX1. Time filtering (2)EX1. Time filtering (2)

• For example, current value of For example, current value of – The counter associated with fooIndex = 1 The counter associated with fooIndex = 1

is 5 and most recently updated at time 6 is 5 and most recently updated at time 6 – The counter associated with fooIndex=2 is The counter associated with fooIndex=2 is

9 and most recently updated at time 89 and most recently updated at time 8– Then, Then, at time 10at time 10, a manager issues the , a manager issues the

requestrequest•GetRequest(fooCounts.7.1, fooCounts.7.2)GetRequest(fooCounts.7.1, fooCounts.7.2)

•To get the value updated since time 7To get the value updated since time 7

•The agent will response The agent will response fooCounts.7.2=9fooCounts.7.2=9

EX2. Time Filtering (1)EX2. Time Filtering (1)


• Assume that basic row 1 (fooIndex=1) was Assume that basic row 1 (fooIndex=1) was updated as follows:updated as follows:

sysUptimesysUptime fooCount.*.1valuefooCount.*.1value

500500 11

900900 22

23002300 33


• Assume that basic row 2 (fooIndex=2) was Assume that basic row 2 (fooIndex=2) was updated as follows:updated as follows:

sysUptimesysUptime fooCount.*.2valuefooCount.*.2value

11001100 11

14001400 22


• A manager station polls a probe every 15 seconds (clock A manager station polls a probe every 15 seconds (clock nms records time in hundredths of second)nms records time in hundredths of second)

1 At nms=1000, the manager does the baseline poll to 1 At nms=1000, the manager does the baseline poll to get everything since the last agent restart (Timefilter =0)get everything since the last agent restart (Timefilter =0)GetRequest (sysUpTime.0,fooCounts.0.1,fooCount.0.2)GetRequest (sysUpTime.0,fooCounts.0.1,fooCount.0.2)Response(sysUpTime.0=600,fooCounts.0.1=1,fooCount.0.2=0Response(sysUpTime.0=600,fooCounts.0.1=1,fooCount.0.2=0))

2 At nms=2500 (15 second later), the manager get an 2 At nms=2500 (15 second later), the manager get an update on all changes since the last report (agent update on all changes since the last report (agent time=600)time=600)GetRequest (sysUpTime.0, fooCounts.600.1, fooCount.600.2)GetRequest (sysUpTime.0, fooCounts.600.1, fooCount.600.2)Response(sysUpTime.0=2100,fooCounts.600.1=2,fooCount.600.2=2)Response(sysUpTime.0=2100,fooCounts.600.1=2,fooCount.600.2=2)


The agent received the request at a local time of The agent received the request at a local time of 2100 ; a counter 1 was incremented at time 900 2100 ; a counter 1 was incremented at time 900 counter 2 was incremented at 1100 and 1400counter 2 was incremented at 1100 and 1400

3 3 At nms=4000, the manager get an At nms=4000, the manager get an update on all changes since the last report update on all changes since the last report (agent time=2100)(agent time=2100)GetRequest (sysUpTime.0, fooCounts.2100.1, fooCount.2100.2)GetRequest (sysUpTime.0, fooCounts.2100.1, fooCount.2100.2)Response(sysUpTime.0=3600,fooCounts.2100.1=3)Response(sysUpTime.0=3600,fooCounts.2100.1=3)

A counter 1 was incremented at time 2300 A counter 1 was incremented at time 2300 counter 2 has not changed since 2100 , so no counter 2 has not changed since 2100 , so no value returned value returned


4 4 At nms=5500, the manager get an At nms=5500, the manager get an update on all changes since the last update on all changes since the last report (agent time=3600)report (agent time=3600)GetRequest (sysUpTime.0, fooCounts.3600.1, fooCount.3600.2)GetRequest (sysUpTime.0, fooCounts.3600.1, fooCount.3600.2)

Response(sysUpTime.0=5500,)Response(sysUpTime.0=5500,)

Neither counter has been updated since time Neither counter has been updated since time 3600 , so no value returned3600 , so no value returned

Protocol Directory GroupProtocol Directory Group

• It provides a single central point for storing It provides a single central point for storing information about information about types of protocolstypes of protocols

• One entry in the table for each protocol for which One entry in the table for each protocol for which the probe can decode and count protocol data unit the probe can decode and count protocol data unit (PDU)(PDU)

• One scalar objectsOne scalar objects– protocolDirLastChangeprotocolDirLastChange which contains the time of the which contains the time of the

last table changelast table change

• One columnar object (Table)One columnar object (Table)– protocolDirTableprotocolDirTable– The table covers MAC, network and higher layer The table covers MAC, network and higher layer

protocolsprotocols

protocolDirTableprotocolDirTable

• Fig 10.5Fig 10.5

Protocol identificationProtocol identification

• protocolDirIDprotocolDirID object contains a unique object contains a unique octet string for a specific protocol.octet string for a specific protocol.

• Octet string identifiers for protocols are Octet string identifiers for protocols are arranged in a tree structured hierarchy. arranged in a tree structured hierarchy. – Each layer is identified by 32 bit value Each layer is identified by 32 bit value

which is encoded as dot decimal format which is encoded as dot decimal format [a.b.c.d][a.b.c.d]

– EX. Ethernet is hexadecimal 1 which is EX. Ethernet is hexadecimal 1 which is encoded as encoded as [0.0.0.1][0.0.0.1] and referred to and referred to symbolically as symbolically as ether2ether2

Protocol AssignmentsProtocol Assignments

• Each layer is identified by a 32 bit number (four Each layer is identified by a 32 bit number (four octets)octets)

• For MAC level protocolsFor MAC level protocols– ether2 = 1 [0.0.0.1]ether2 = 1 [0.0.0.1]– llc = 2 [0.0.0.2]llc = 2 [0.0.0.2]– snap = 3 [0.0.0.3]snap = 3 [0.0.0.3]– vsnap = 4 [0.0.0.4]vsnap = 4 [0.0.0.4]– ianaAssigned = 5 [0.0.0.5]ianaAssigned = 5 [0.0.0.5]

• Protocol considerationProtocol consideration– network layer, use network layer, use type fieldtype field of Ethernet frame (IP =0.0.8.0) of Ethernet frame (IP =0.0.8.0)– transport layer, use transport layer, use protocol fieldprotocol field of IP header (UDP = of IP header (UDP =

0.0.0.17)0.0.0.17)– application layer, use application layer, use port fieldport field of UDP/TCP header of UDP/TCP header

(0.0.0.161)(0.0.0.161)

Entry in protocolDirEntry (1)Entry in protocolDirEntry (1)

• EX. Identification of SNMP running over UDP/IP EX. Identification of SNMP running over UDP/IP on Etherneton Ethernet– 16.16.0.0.0.10.0.0.1.0.0.8.0.0.0.8.0..0.0.0.170.0.0.17.0.0.0.161.0.0.0.161– 16 : the number of octets to follow16 : the number of octets to follow

• So, for previous example the probe is capable of So, for previous example the probe is capable of – Interpreting all incoming Ethernet framesInterpreting all incoming Ethernet frames– Looking past the Ethernet header and trailer and Looking past the Ethernet header and trailer and

interpreting the encapsulated IP datagraminterpreting the encapsulated IP datagram– Looking past the IP header and interpreting the Looking past the IP header and interpreting the

encapsulated UDP segmentencapsulated UDP segment– Looking past the UDP header and interpreting the Looking past the UDP header and interpreting the

encapsulated SNMP PDU encapsulated SNMP PDU

Entry in protocolDirEntry (2)Entry in protocolDirEntry (2)

• A separate entry is needed for each protocol A separate entry is needed for each protocol that the probe can interpret and countthat the probe can interpret and count

• Then the four entries are needed in Then the four entries are needed in protocolDirEntry and the protocolDirID protocolDirEntry and the protocolDirID values would bevalues would be– Ether2 (4.0.0.0.1)Ether2 (4.0.0.0.1)– Ether2.ip (8.0.0.1.0.0.8.0)Ether2.ip (8.0.0.1.0.0.8.0)– Ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)Ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)– Ether2.ip.udp.snmp Ether2.ip.udp.snmp

(16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)(16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)

Format of index values for Format of index values for protocolDirTableprotocolDirTable

Protocol parameter (1)Protocol parameter (1)

• The second index object for protocolDirTable The second index object for protocolDirTable is is protocolDirParametersprotocolDirParameters

• This object instance contains information This object instance contains information about the probe’s capability with the respect about the probe’s capability with the respect to a particular protocolto a particular protocol

• The value is structured as a one-octet count The value is structured as a one-octet count field followed by a set of N-octet parameters, field followed by a set of N-octet parameters, one for each protocol layer in one for each protocol layer in protocolDirIDprotocolDirID

• Each bit in the parameter octet is encoded Each bit in the parameter octet is encoded separately to define a particular capabilityseparately to define a particular capability


• 2 LSB are reserved for all protocols2 LSB are reserved for all protocols– CountFragment (bit0) :CountFragment (bit0) : Higher-layer protocols Higher-layer protocols

encapsulated within this protocol will be counted encapsulated within this protocol will be counted correctly even if this protocol fragments the upper-correctly even if this protocol fragments the upper-layer PDUs into multiple fragmentslayer PDUs into multiple fragments

– tracksSessions (bit1)tracksSessions (bit1) :Correctly attributes all :Correctly attributes all packets of a port-mapped protocol, that is a packets of a port-mapped protocol, that is a protocol start session on a well-known port or protocol start session on a well-known port or socket and then transfer them to dynamically socket and then transfer them to dynamically assigned ports or sockets fpr the duration of the assigned ports or sockets fpr the duration of the session session • TFTP (Trivial File Transfer Protocol) TFTP (Trivial File Transfer Protocol)


• SNMP running over UDP/IP/Ethernet SNMP running over UDP/IP/Ethernet withwith fragments counted correctly for fragments counted correctly for IP or above, the following encoding is IP or above, the following encoding is for the two objects (protocolDirID, for the two objects (protocolDirID, protocolDirParameter)protocolDirParameter)16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.16116.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161..4.0.14.0.1

.0.0.0.0

Protocol Directory Table (1)Protocol Directory Table (1)

• protocolDirTypeprotocolDirType – extensible(0)extensible(0) if the agent or manager may if the agent or manager may

extend this table by creating entries that are extend this table by creating entries that are children of this protocolchildren of this protocol

– addressRecognitionCapable(1)addressRecognitionCapable(1) indicates that indicates that the probe can not only count packets for this the probe can not only count packets for this protocol but can also recognize source and protocol but can also recognize source and destination address fields for finer-grained destination address fields for finer-grained countingcounting


• protocolDirAddressMapConfigprotocolDirAddressMapConfig – notSupported(1)notSupported(1) : if not capable of performing : if not capable of performing

address mapping address mapping – If capable then the value may be set to If capable then the value may be set to

supportedOff(2) or supportedOn(3)supportedOff(2) or supportedOn(3)

• protocolDirHostConfig protocolDirHostConfig – It may be set to It may be set to notsupported(1), notsupported(1),

supportedOff(2) or supportOn(3)supportedOff(2) or supportOn(3) with the with the respect to the network-layer and application respect to the network-layer and application layer host table for this protocol layer host table for this protocol


• protocolDirMatrixConfigprotocolDirMatrixConfig– It may be set to It may be set to notSupported (1)notSupported (1) , ,

supportedOff(2), supportedON (3)supportedOff(2), supportedON (3) with with the respect to the network-layer and the respect to the network-layer and application layer matrix tables for this application layer matrix tables for this protocol protocol

Protocol Distribution Group Protocol Distribution Group (1)(1)

• It summarizes how many octets and It summarizes how many octets and packetspackets have been sent from each of have been sent from each of the protocols supportedthe protocols supported

• protocolDistControlTableprotocolDistControlTable – controls – controls collection of basic statistics for all collection of basic statistics for all supported protocolssupported protocols

• protocolDistStatsTableprotocolDistStatsTable – records the – records the datadata


• Each row in protocolDistControlTable Each row in protocolDistControlTable refers to a unique network interface refers to a unique network interface for this probe and controls a number for this probe and controls a number of rows of protocolDistStatsTable, of rows of protocolDistStatsTable, one for each protocol recognized on one for each protocol recognized on that interfacethat interface

Protocol Distribution Group Protocol Distribution Group (3)(3)• protocolDistControlTable protocolDistControlTable consists of consists of

– protocolDistControlIndexprotocolDistControlIndex : an integer that : an integer that uniquely identifies a row in the uniquely identifies a row in the protocolDistControlTableprotocolDistControlTable

– protocolDistControlDatasource protocolDistControlDatasource : identifies the : identifies the interface that is th source of the data for this rowinterface that is th source of the data for this row

– protocolDistControlDroppedFramesprotocolDistControlDroppedFrames : total number : total number of received frames for this interface that the of received frames for this interface that the probe chose not to count (out of resources)probe chose not to count (out of resources)

– protocolDistControlCreateTime protocolDistControlCreateTime : the value of : the value of sysUptime when this control entry was activated sysUptime when this control entry was activated


• The protocolDistStatsTable includes The protocolDistStatsTable includes one row for each protocol in one row for each protocol in protocolDirTable for which at least protocolDirTable for which at least one packet has been seenone packet has been seen

• It is indexed by It is indexed by protocolDistControlIndex and by protocolDistControlIndex and by protocolDirLocalIndexprotocolDirLocalIndex


• protocolDistStatsTableprotocolDistStatsTable consists of consists of– protocolDistStatsPktsprotocolDistStatsPkts: the number of : the number of

packets received for this protocolpackets received for this protocol– protocolDistStatsOctetsprotocolDistStatsOctets: the number of : the number of

octets transmitted to this address since octets transmitted to this address since it was added to nlHostTable it was added to nlHostTable

Address Map Group (1)Address Map Group (1)

• It matches each network address to a It matches each network address to a specific MAC-level address specific MAC-level address

• It is helpful in node discovery and It is helpful in node discovery and network topology applications for network topology applications for pinpointing the specific path of the pinpointing the specific path of the network trafficnetwork traffic

• 3 scalars objects, one control table 3 scalars objects, one control table (addressMapControlTable) and one (addressMapControlTable) and one data table (addressMapTable) data table (addressMapTable)


• 3 scalar objects are3 scalar objects are– addressMapInsertsaddressMapInserts : the number of times an : the number of times an

address-mapping entry has been inserted into the address-mapping entry has been inserted into the data tabledata table

– addressMapDeletesaddressMapDeletes: the number of times an : the number of times an address-mapping entry has been deleted into the address-mapping entry has been deleted into the data tabledata table

– addressMapMaxDesiredEntries addressMapMaxDesiredEntries : the desired : the desired maximum number of entries in addressMapTable maximum number of entries in addressMapTable (if this value is set to -1, the probe may create any (if this value is set to -1, the probe may create any number of entries in addressMapTable) number of entries in addressMapTable)

Data table size = addressMapInserts - addressMapDeletes Data table size = addressMapInserts - addressMapDeletes


• The The addressMapControlTableaddressMapControlTable consists of consists of – addressMapControlIndexaddressMapControlIndex: an integer that : an integer that

uniquely identifies a row in the uniquely identifies a row in the addressMapControlTableaddressMapControlTable

– addressMapcontrolDatasourceaddressMapcontrolDatasource : identifies the : identifies the interface that is the source of the data for this interface that is the source of the data for this row and that this row is configured to analyzerow and that this row is configured to analyze

– addressMapControlDroppedFramesaddressMapControlDroppedFrames: total : total number of received frame for this interface that number of received frame for this interface that the probe chose not to count (out of resources) the probe chose not to count (out of resources)


• The The addressMapTable addressMapTable will collect address will collect address mapping based on source MAC and mapping based on source MAC and network addresses seen in error-free MAC network addresses seen in error-free MAC framesframes

• The table will The table will create entries for all create entries for all protocols in the protocol directory tableprotocols in the protocol directory table whose value of whose value of protocolDirAddressMapConfig is equal to protocolDirAddressMapConfig is equal to supportedOn(3)supportedOn(3)


• The The addressMapTable addressMapTable consists ofconsists of– addressMapTimeMarkaddressMapTimeMark : a time filter for this entry : a time filter for this entry– addressMapNetworkAddress addressMapNetworkAddress : the network : the network

address for this entryaddress for this entry– addressMapSourceaddressMapSource : the last interface which the : the last interface which the

associated network address was seenassociated network address was seen– addressMapPhysicalAddressaddressMapPhysicalAddress : the last source : the last source

MAC address on which the associated network MAC address on which the associated network address was seenaddress was seen

– addressMapLastChangeaddressMapLastChange : the value of : the value of sysUpTime at the time this entry was most sysUpTime at the time this entry was most recently updatedrecently updated

Network-layer Host Group Network-layer Host Group (1)(1)

• nlHost group enables users to nlHost group enables users to decode packets based on their decode packets based on their network-layer addressnetwork-layer address

• This group consists of 2 TablesThis group consists of 2 Tables– nlHostControlTable : control tablenlHostControlTable : control table– nlHostTable : data tablenlHostTable : data table

• Fig 10.11 Fig 10.11

Network-layer Host Group Network-layer Host Group (2)(2)• Each row in control table refers to a Each row in control table refers to a

unique interface of the monitorunique interface of the monitor• nlHostControlTablenlHostControlTable

– nlhostControlIndexnlhostControlIndex : an integer that uniquely : an integer that uniquely identifies a row in the nlHostControlTableidentifies a row in the nlHostControlTable

– nlHostControlDataSourcenlHostControlDataSource : identifies the : identifies the interface that is the source of the data for the interface that is the source of the data for the data tableentries defined by this rowdata tableentries defined by this row

– nlHostControlNlDroppedFramesnlHostControlNlDroppedFrames : total number : total number of received frames for this interface that the of received frames for this interface that the probe chose not to count for the associated probe chose not to count for the associated nlHost entriesnlHost entries


– nlHostControlNlInsertsnlHostControlNlInserts : the number of : the number of times an nlHost entry has been inserted times an nlHost entry has been inserted into the nlHostTable data tableinto the nlHostTable data table

– nlHostControlNldeletesnlHostControlNldeletes : the number of : the number of times an nlHost entry has been deleted times an nlHost entry has been deleted from the nlHostTable data tablefrom the nlHostTable data table

– nlhostControlNlMaxDesiredEntries nlhostControlNlMaxDesiredEntries : the : the desired maximum number of entries in desired maximum number of entries in nlHostTablenlHostTable


– nlHostControlAlDroppedFramesnlHostControlAlDroppedFrames : total number : total number of received frames for this interface that the of received frames for this interface that the probe chose not to count for the associated probe chose not to count for the associated alHost entriesalHost entries

– nlHostControlAlInsertsnlHostControlAlInserts : the number of times an : the number of times an alHost entry has been inserted into the alHost entry has been inserted into the alHostTable data tablealHostTable data table

– nlHostControlAldeletesnlHostControlAldeletes : the number of times : the number of times an alHost entry has been deleted from the an alHost entry has been deleted from the alHostTable data tablealHostTable data table

– nlhostControlAlMaxDesiredEntries nlhostControlAlMaxDesiredEntries : the desired : the desired maximum number of entries in alHostTablemaximum number of entries in alHostTable

Network-layer Host Group Network-layer Host Group (5)(5)• nlHostTable nlHostTable will create entries for all network-will create entries for all network-

layer protocols in the protocol directory table layer protocols in the protocol directory table whose value of protocolDirNlHostConfig is whose value of protocolDirNlHostConfig is equal to supportedOn(3)equal to supportedOn(3)

• nlHostTable nlHostTable – nlHostTimeMarknlHostTimeMark : a time filter for this entry : a time filter for this entry– nlHostAddressnlHostAddress : the network address for this entry : the network address for this entry– nlHostInPacketsnlHostInPackets : the number of error-free packets : the number of error-free packets

transmitted to this address since it was added to transmitted to this address since it was added to the tablethe table


– nlHostOutPacketsnlHostOutPackets : the number of error- : the number of error-free packets transmitted from this free packets transmitted from this address since it was added to the tableaddress since it was added to the table

– nlHostInOctetsnlHostInOctets : the number of octets : the number of octets (error-free packets) transmitted to this (error-free packets) transmitted to this address since it was added to the tableaddress since it was added to the table

– nlHostOutOctetsnlHostOutOctets : the number of octets : the number of octets (error-free packets) transmitted from this (error-free packets) transmitted from this address since it was added to the tableaddress since it was added to the table


– nlHostCreateTime nlHostCreateTime : the value of : the value of sysUpTime when this control entry was sysUpTime when this control entry was activatedactivated

– nlHostOutMacNonUnicastPktsnlHostOutMacNonUnicastPkts : the : the number of packets transmitted by this number of packets transmitted by this address that were directed to the MAC address that were directed to the MAC broadcast address or ti any MAC broadcast address or ti any MAC multicast address since this entry was multicast address since this entry was added to the tableadded to the table


• nlHostTable is indexed by four nlHostTable is indexed by four objects:objects:– nlHostControlIndexnlHostControlIndex : define interface : define interface– nlHostTimeMarknlHostTimeMark : a time filter : a time filter– protocolDirLocalIndexprotocolDirLocalIndex : the identity of : the identity of

the protocolthe protocol– nlHostAddressnlHostAddress : the network address : the network address

Application-Layer Host Group Application-Layer Host Group (1)(1)

• The nlHostControlTable also controls The nlHostControlTable also controls alHostTablealHostTable

• Only alHostTable in application-layer host Only alHostTable in application-layer host groupgroup

• alHostTable will create entries for all alHostTable will create entries for all application-level protocols in the protocol application-level protocols in the protocol directory table whose value of directory table whose value of protocolDirALHostConfig is equal to protocolDirALHostConfig is equal to supportedOn(3)supportedOn(3)


• alHostTable alHostTable – alHostTimeMarkalHostTimeMark : a time filter for this entry : a time filter for this entry– alHostInPacketsalHostInPackets : the number of error-free : the number of error-free

packets of this protocol type transmitted to packets of this protocol type transmitted to this address since it was added to the tablethis address since it was added to the table

– alHostOutPacketsalHostOutPackets : the number of error-free : the number of error-free packets of this protocol type transmitted from packets of this protocol type transmitted from this address since it was added to the tablethis address since it was added to the table


– alHostInOctetsalHostInOctets : the number of octets (error- : the number of octets (error-free packets) of this protocol type free packets) of this protocol type transmitted to this address since it was transmitted to this address since it was added to the tableadded to the table

– alHostOutOctetsalHostOutOctets : the number of octets : the number of octets (error-free packets) of this protocol type (error-free packets) of this protocol type transmitted from this address since it was transmitted from this address since it was added to the tableadded to the table

– alHostCreateTime alHostCreateTime : the value of sysUpTime : the value of sysUpTime when this control entry was activatedwhen this control entry was activated


• alHostTable is indexed by five objects:alHostTable is indexed by five objects:– nlHostControlIndexnlHostControlIndex : define interface : define interface– alHostTimeMarkalHostTimeMark : a time filter : a time filter– protocolDirLocalIndexprotocolDirLocalIndex : the identity of the : the identity of the

network layer protocolnetwork layer protocol– nlHostAddressnlHostAddress : the network address : the network address– protocolDirLocalIndexprotocolDirLocalIndex : the identity of the : the identity of the

application layer protocolapplication layer protocol

Network Layer Matrix GroupNetwork Layer Matrix Group (1)(1)

• It gathers statistics based on source and It gathers statistics based on source and destination network-layer address destination network-layer address

• For network layer statistic consists of one For network layer statistic consists of one control table and 2 data tablescontrol table and 2 data tables– nlMatrixControlTablenlMatrixControlTable : control table for network : control table for network

layer matrix group and application layer matrix layer matrix group and application layer matrix groupgroup

– nlMatrixSDTable nlMatrixSDTable : stores statistics on traffic from a : stores statistics on traffic from a particular source network-layer address to a particular source network-layer address to a number of destinations number of destinations

– nlMatrixDSTablenlMatrixDSTable : stores statistics on traffic to a : stores statistics on traffic to a particular destination network-layer address from a particular destination network-layer address from a number of sources number of sources

Network Layer Matrix GroupNetwork Layer Matrix Group (2)(2)• The nlMatrixSDTable is indexed The nlMatrixSDTable is indexed

– the row of the row of nlMatrixControlTablenlMatrixControlTable that control it that control it then then

– by a time filter: by a time filter: nlMatrixSDTimeMarknlMatrixSDTimeMark then then– by the network-layer protocol : by the network-layer protocol :

protocolDirLocalIndexprotocolDirLocalIndex then then– by the network layer source address : by the network layer source address :

nlMatrixSDSourceAddress nlMatrixSDSourceAddress thenthen– by the network layer destination address : by the network layer destination address :

nlMatrixSDDestAddress nlMatrixSDDestAddress

Network Layer Matrix GroupNetwork Layer Matrix Group (3)(3)• The nlMatrixDSTable is indexed The nlMatrixDSTable is indexed

– the row of the row of nlMatrixControlTablenlMatrixControlTable that control it that control it then then

– by a time filter: by a time filter: nlMatrixDSTimeMarknlMatrixDSTimeMark then then– by the network-layer protocol : by the network-layer protocol :

protocolDirLocalIndexprotocolDirLocalIndex then then– by the network layer destination address : by the network layer destination address :

nlMatrixDSDestAddress nlMatrixDSDestAddress – by the network layer source address : by the network layer source address :

nlMatrixDSSourceAddress nlMatrixDSSourceAddress thenthen

Network-Layer TopN Statistics Network-Layer TopN Statistics (1)(1)

• To determine which pairs of hosts To determine which pairs of hosts rank in the top N according to some rank in the top N according to some metricmetric

• One control table and one datatableOne control table and one datatable– nlMatrixTopNControlTablenlMatrixTopNControlTable– nlMatrixTopNTaablenlMatrixTopNTaable


• nlMatrixTopNControlTablenlMatrixTopNControlTable– nlMatrixTopNRateBasenlMatrixTopNRateBase : specifies one of : specifies one of

two variables two variables (nlMatrixTopNPackets(1) (nlMatrixTopNPackets(1) /nlMatrixTopNOctets(2) )/nlMatrixTopNOctets(2) )

– nlMatrixTopNRequestedSizenlMatrixTopNRequestedSize: the : the maximum number of matrix entries maximum number of matrix entries requested for the topN tablerequested for the topN table


• nlMatrixTopNtablenlMatrixTopNtable– nlMatrixTopNPktRatenlMatrixTopNPktRate – the number of packets – the number of packets

seen from source host to destination host seen from source host to destination host during this sampling interval during this sampling interval

– nlMatrixTopNReversePktRatenlMatrixTopNReversePktRate – same as above – same as above (but destination to source)(but destination to source)

– nlMatrixTopNOctetRatenlMatrixTopNOctetRate – the number of octets – the number of octets seen from source host to destination host seen from source host to destination host during this sampling interval during this sampling interval

– nlMatrixTopNReverseOctetRatenlMatrixTopNReverseOctetRate – same as – same as above (but destination to source)above (but destination to source)


• The nlMatrixTopNTable is indexed by The nlMatrixTopNTable is indexed by – nlMatrixTopNControlIndexnlMatrixTopNControlIndex– nlMatrixTopNIndexnlMatrixTopNIndex

Application-Layer Matrix Group Application-Layer Matrix Group (1)(1)

• Statistical collection of information Statistical collection of information based on source and destination based on source and destination application address (port number) application address (port number)

• This group consists of 3 data tables and This group consists of 3 data tables and 1 control table1 control table– alMatrixSDTablealMatrixSDTable– alMatrixDSTablealMatrixDSTable– alMatrixTopNControlTablealMatrixTopNControlTable– alMatrixTopNTablealMatrixTopNTable

alMatrix Group (2)alMatrix Group (2)

• Fig 10.15Fig 10.15

Application-Layer Matrix Group Application-Layer Matrix Group (2)(2)• The alMatrixSDTable (alMatrixDSTable) is The alMatrixSDTable (alMatrixDSTable) is

indexed byindexed by– nlMatrixControlIndex nlMatrixControlIndex : that identifies a unique : that identifies a unique

subnetwork subnetwork – nlMatrixSDTimeMark nlMatrixSDTimeMark : time filter: time filter– protocolDirLocalIndexprotocolDirLocalIndex : the network-layer : the network-layer

protocol protocol – nlMatrixSDSourceAddressnlMatrixSDSourceAddress : the network layer : the network layer

source address source address – nlMatrixSDDestAddressnlMatrixSDDestAddress : the network layer : the network layer

destination address destination address – protocolDirLocalIndexprotocolDirLocalIndex : the application-layer : the application-layer

protocol protocol


• alMatrixTopNControlTable has the same alMatrixTopNControlTable has the same structure as the structure as the nlMatrixTopNControlTablenlMatrixTopNControlTable

• Only difference is the definition of the Only difference is the definition of the rate base object: rate base object: alMatrixTopNRateBasealMatrixTopNRateBase

•alMatrixTopNTerminalsPkts(1) count only protocolalMatrixTopNTerminalsPkts(1) count only protocol packets (no child protocol)packets (no child protocol)

•alMatrixTopNTerminalsOctets(2) count only alMatrixTopNTerminalsOctets(2) count only protocolprotocol octetsoctets(no child protocol)(no child protocol)

•alMatrixTopNAllPkts(3) alMatrixTopNAllPkts(3) •alMatrixTopNAllOctets(4 )alMatrixTopNAllOctets(4 )


• alMatrixTopNtablealMatrixTopNtable– alMatrixTopNPktRate – the number of alMatrixTopNPktRate – the number of

packets seen from source host to packets seen from source host to destination host during this sampling destination host during this sampling interval interval

– alMatrixTopNReversePktRate – same as alMatrixTopNReversePktRate – same as above (Destination to source)above (Destination to source)

User history collection User history collection group (1)group (1)

• User history collection groupUser history collection group– Collect particular statistics and variables Collect particular statistics and variables

then logs that data based on user-defined then logs that data based on user-defined parametersparameters

User history User history collection collection group (2)group (2)

User history collection User history collection group (3)group (3)

Probe configuration group Probe configuration group

• Probe configuration groupProbe configuration group– To solve interoperability among RMON To solve interoperability among RMON

probe and managersprobe and managers

Practical IssuesPractical Issues

rmon2 rfc2021 rfc2021 decode packets at layer 3 through 7 of the osi model decode packets at layer 3...

Documents

traffic percentage

traffic directedif

incoming router traffic

bulk of incoming traffic

bulk of outgoing traffic

networklayer addressrmon2

layer protocolto

ip layer