Network Monitoring and Management: ICMP and SNMP

  • Slides: 85

ICMP
• Internet Control Message Protocol
• RFC 792
• Transfer of (control) messages from routers and hosts to hosts
• Feedback about problems, e.g. time to live expired
• Encapsulated in a plain IP datagram; not reliable

Figure: protocol stack. Application layer above Transport (TCP, UDP); the Network layer holds IP together with ICMP and IGMP; ARP and RARP sit between IP and the Link layer (Ethernet driver). An incoming frame is passed up the stack and demultiplexed at each layer.

Figure: demultiplexing an incoming Ethernet frame. Ethernet frame: dest addr, source addr, frame type, data, CRC. Frame types (hex): 0x0800 = IP, 0x0806 = ARP. IP header protocol field (decimal): 1 = ICMP, 6 = TCP, 17 = UDP. TCP destination port: 21 = FTP server, 23 = telnet server, 25 = SMTP server.

ICMP Types


ICMP uses IP but is a separate protocol in the network layer
• ICMP messages contain:
  – Type
  – Code
  – Checksum
  – For error messages, the IP header and first 8 bytes (64 bits) of the "bad" datagram
• Layout: IP HEADER (PROTOCOL = 1) | TYPE | CODE | CHECKSUM | REMAINDER OF ICMP MESSAGE (format is type specific)

ICMP Message Formats


Destination Unreachable
TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits of data from original DG
TYPE = 3
CODE: 0 = Net unreachable; 1 = Host unreachable; 2 = Protocol unreachable; 3 = Port unreachable; 4 = Fragmentation needed but DF set; 5 = Source route failed; 6 = Dest network unknown; 7 = Dest host unknown

Source Quench
TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits of data from original DG
TYPE = 4; CODE = 0
Flow control:
• Indicates that a router has dropped the original DG, or may indicate that a router is approaching its capacity limit.
• Correct behavior for the source host is not defined. (Source Quench has since been deprecated by RFC 6633; current hosts and routers are expected to ignore it.)

Time Exceeded
TYPE | CODE | CHECKSUM | UNUSED | IP HEADER + 64 bits of data from original DG
TYPE = 11
CODE: 0 = Time to live exceeded in transit; 1 = Fragment reassembly time exceeded

Redirect
TYPE | CODE | CHECKSUM | NEW ROUTER ADDRESS | IP HEADER + 64 bits of data from original DG
TYPE = 5
CODE: 0 = Network redirect; 1 = Host redirect; 2 = Network redirect for specific TOS; 3 = Host redirect for specific TOS
Caveat: a redirect is an unauthenticated instruction to change a host's routing table. Anyone on the same link can forge one and pull a host's traffic through their own machine, so a host should only honour redirects that arrive from its current first-hop router and that quote a datagram it actually sent; it is common practice to disable acceptance of redirects altogether on servers and routers.
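A worked parser for the error-message layout above (types 3, 4, 5 and 11 with the quoted original header), added here as an example; it is not code from the slides or from any implementation. It builds its own sample packets from documentation addresses, so nothing is captured from a live network. The matches_flow check is the practitioner's point: a host should act on an unreachable or redirect only when the quoted header corresponds to a flow it actually owns, and a message whose checksum does not verify is dropped before anything is read from it.

```python
"""IPv4/ICMP parsing: checksum check, type/code names and, for error messages,
the quoted original IP header + first 8 bytes. Added example, not RFC 792 code."""
import socket
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
CODE_NAMES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed but DF set",
        5: "source route failed", 6: "dest network unknown", 7: "dest host unknown"},
    5: {0: "network redirect", 1: "host redirect",
        2: "network redirect for TOS", 3: "host redirect for TOS"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}
ERROR_TYPES = {3, 4, 5, 11}   # carry the offending datagram's IP header + 64 bits of data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_fields(pkt: bytes):
    """(header length, protocol, src, dst) of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("IPv4 header truncated")
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def parse_icmp(pkt: bytes) -> dict:
    """pkt is a complete IPv4 datagram; raises ValueError on anything malformed."""
    ihl, proto, src, dst = ipv4_fields(pkt)
    if proto != 1:
        raise ValueError("IP protocol %d is not ICMP" % proto)
    icmp = pkt[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("short ICMP message or bad checksum")
    itype, code = icmp[0], icmp[1]
    info = {"src": src, "dst": dst, "type": itype, "code": code,
            "type_name": ICMP_TYPES.get(itype, "type %d" % itype),
            "code_name": CODE_NAMES.get(itype, {}).get(code, "code %d" % code)}
    if itype in ERROR_TYPES:
        if itype == 5:
            info["new_router"] = socket.inet_ntoa(icmp[4:8])
        inner = icmp[8:]                        # quoted original datagram
        in_ihl, in_proto, in_src, in_dst = ipv4_fields(inner)
        quoted = inner[in_ihl:in_ihl + 8]       # the 64 bits of original data
        if len(quoted) < 8:
            raise ValueError("quoted datagram truncated")
        info["orig"] = {"src": in_src, "dst": in_dst, "proto": in_proto}
        if in_proto in (6, 17):                 # TCP/UDP: ports are the first 4 bytes
            info["orig"]["sport"], info["orig"]["dport"] = struct.unpack("!HH", quoted[:4])
    else:                                       # query: identifier and sequence number
        info["id"], info["seq"] = struct.unpack("!HH", icmp[4:8])
    return info


def is_valid_icmp(pkt: bytes) -> bool:
    try:
        parse_icmp(pkt)
        return True
    except (ValueError, IndexError, OSError, struct.error):
        return False


def matches_flow(info: dict, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> bool:
    """Trust an ICMP error only if the quoted header names a flow we really own;
    otherwise any host could forge unreachables or redirects against our sockets."""
    o = info.get("orig") or {}
    return (o.get("src") == local_ip and o.get("sport") == local_port
            and o.get("dst") == remote_ip and o.get("dport") == remote_port)


# --- constructed sample packets (documentation address ranges, no real capture) ------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_error(itype: int, code: int, offending: bytes, word2: bytes = b"\x00" * 4) -> bytes:
    """Error message quoting the offending datagram's header (no options) + 8 bytes."""
    body = bytes([itype, code, 0, 0]) + word2 + offending[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_icmp_echo(ident: int, seq: int, data: bytes, reply: bool = False) -> bytes:
    body = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# A UDP traceroute-style probe from 192.0.2.10 and the host's "port unreachable" answer.
PROBE = build_ipv4("192.0.2.10", "198.51.100.7", 17,
                   struct.pack("!HHHH", 40000, 33435, 40, 0) + b"\x00" * 32, ttl=1)
SAMPLE_UNREACHABLE = build_ipv4("198.51.100.7", "192.0.2.10", 1, build_icmp_error(3, 3, PROBE))
```

Feeding parse_icmp the payload of captured ICMP datagrams is enough to audit what unreachables and redirects a network is actually emitting; the port fields pulled from the quoted 64 bits are what an operating system uses to deliver the error to the right socket.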

Redirection Concept (figure: a host with a default router, a better first hop on the same link, and the Internet beyond)

QUERY Message: Echo and Echo Reply
TYPE | CODE | CHECKSUM | IDENTIFIER | SEQUENCE # | DATA ...
TYPE = 8 = ECHO; 0 = ECHO REPLY
CODE = 0
IDENTIFIER: an identifier to aid in matching echoes and replies
SEQUENCE #: same use as for IDENTIFIER
UNIX "ping" uses echo/echo reply

Replaced by Network Time Protocol (NTP)


Using Ping
[wirth:~] [4:15pm] -> ping www.uakron.edu
PING arwen.uakron.edu (130.101.81.50) 56(84) bytes of data.
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=0 ttl=62 time=0.512 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=1 ttl=62 time=0.449 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=2 ttl=62 time=1.38 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=3 ttl=62 time=0.439 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=4 ttl=62 time=0.448 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=5 ttl=62 time=0.496 ms
64 bytes from arwen.uakron.edu (130.101.81.50): icmp_seq=6 ttl=62 time=0.449 ms

--- arwen.uakron.edu ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6001ms
rtt min/avg/max/mdev = 0.439/0.596/1.383/0.323 ms, pipe 2
[wirth:~] [4:16pm] ->

Extended Ping
IP header options can be used along with ICMP:
• route recording,
• timestamping,
• source routing
Ping is also used for path MTU discovery.

Traceroute
UNIX utility: displays the routers used to get to a specified Internet host (Van Jacobson, 1988)
• Operation
  – a router sends an ICMP Time Exceeded message to the source if the TTL is decremented to 0
  – if the TTL starts at 5, the source host will receive a Time Exceeded message from the router that is 5 hops away
• Traceroute sends a series of UDP probes (to ports around 33500) with different TTL values, and records the source address of the ICMP Time Exceeded message for each
• Probes are formatted so that the destination host will send an ICMP Port Unreachable message

Traceroute and ICMP (2)
Trace the route of an IP packet (figure: Source, Router 1, Router 2, Destination). Timeline: the probe with TTL=1 expires at Router 1 (Router 1 known); TTL=2 expires at Router 2 (Router 2 known); TTL=3 reaches the Destination (Destination known).

Traceroute and ICMP (3)
• Trace the route of an IP packet
  – Upon reaching the destination, no "Time exceeded" message is generated
  – How do you know when the final destination is reached?
  – Traceroute sends to an unused UDP port (> 30000), generating an ICMP "destination unreachable" message with code "port unreachable"
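The probe loop described in the three traceroute slides, written out as an added example (not the traceroute source). Sending raw UDP probes needs root and a network, so the algorithm takes a probe function as a parameter and the block supplies a simulated path; the assumptions that are mine rather than the slides' are the classic base port 33434, one port per TTL, and three probes per hop. What the example shows is the two stop conditions and the per-hop record with lost probes printed as '*', exactly the shape of the traceroute output that follows.

```python
"""Traceroute logic against a pluggable probe function. Added example; the
simulated network below is constructed and not a real path."""
from typing import Callable, List, Optional, Tuple

BASE_PORT = 33434                      # classic traceroute starting port (assumption)
TIME_EXCEEDED = 11
DEST_UNREACHABLE, PORT_UNREACHABLE = 3, 3

# A probe answer: (icmp type, icmp code, address of the sender, rtt in ms), or None on timeout.
ProbeResult = Optional[Tuple[int, int, str, float]]
Hop = Tuple[int, Optional[str], List[Optional[float]]]


def traceroute(send_probe: Callable[[int, int], ProbeResult], max_hops: int = 30,
               queries: int = 3) -> List[Hop]:
    """Raise the TTL one hop at a time; each hop records who answered and the RTTs."""
    hops: List[Hop] = []
    for ttl in range(1, max_hops + 1):
        port = BASE_PORT + ttl - 1          # an unused UDP port so the host answers
        router, rtts, done = None, [], False
        for _ in range(queries):
            reply = send_probe(ttl, port)
            if reply is None:
                rtts.append(None)           # lost probe, printed as '*'
                continue
            itype, code, sender, rtt = reply
            router = router or sender       # Time Exceeded source = router at this hop
            rtts.append(rtt)
            if itype == DEST_UNREACHABLE and code == PORT_UNREACHABLE:
                done = True                 # the destination itself answered
            elif itype != TIME_EXCEEDED:
                done = True                 # some other unreachable: path ends here
        hops.append((ttl, router, rtts))
        if done:
            break
    return hops


def format_hop(ttl: int, router: Optional[str], rtts: List[Optional[float]]) -> str:
    cells = ["*" if r is None else "%.3f ms" % r for r in rtts]
    return "%2d  %s  %s" % (ttl, router or "*", "  ".join(cells))


def make_simulated_network(path: List[str], destination: str, drop=()):
    """path: router addresses in order; the destination answers port unreachable.
    drop: set of (ttl, probe index) pairs whose probes are silently lost."""
    counters = {}

    def send_probe(ttl: int, port: int) -> ProbeResult:
        idx = counters.get(ttl, 0)
        counters[ttl] = idx + 1
        if (ttl, idx) in drop:
            return None
        rtt = 1.5 * ttl + idx * 0.1         # synthetic RTT growing with distance
        if ttl <= len(path):                # TTL hits zero at router number ttl
            return (TIME_EXCEEDED, 0, path[ttl - 1], rtt)
        return (DEST_UNREACHABLE, PORT_UNREACHABLE, destination, rtt)
    return send_probe


if __name__ == "__main__":
    net = make_simulated_network(["131.123.46.1", "131.123.40.1"], "129.130.10.93", drop={(2, 1)})
    for hop in traceroute(net):
        print(format_hop(*hop))
```

A real probe function would send the UDP datagram with the given TTL and wait for an ICMP message whose quoted header matches the probe, then return the message's type, code and source address; everything else in the block stays the same.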

Traceroute
mymachine:~% traceroute www.cis.ksu.edu
traceroute to polaris.cis.ksu.edu (129.130.10.93), 30 hops max, 40 byte packets
 1  wraith.facnet.mcs.kent.edu (131.123.46.1)  0.878 ms  0.620 ms  0.553 ms
 2  ghost.uis-mcs.kent.edu (131.123.40.1)  6.000 ms  3.366 ms  2.632 ms
 3  lib2-255x248-e37-lib.gate.kent.edu (131.123.255.254)  7.170 ms  3.552 ms  4.477 ms
 4  twcneo-cw.neo.rr.com (204.210.223.3)  9.515 ms  15.167 ms  18.687 ms
 5  bordercore4-hssi1-0.North.Royalton.cw.net (166.48.233.253)  17.864 ms  10.971 ms  14.652 ms
 6  core4.Willow.Springs.cw.net (204.70.4.73)  23.438 ms  22.099 ms  17.397 ms
 7  wsp-sprint2-nap.Willow.Springs.cw.net (206.157.77.94)  18.367 ms  22.854 ms  20.267 ms
 8  sl-bb11-chi-2-1.sprintlink.net (144.232.10.157)  23.518 ms  24.528 ms  18.757 ms
 9  sl-bb12-chi-5-1.sprintlink.net (144.232.10.6)  21.197 ms  31.452 ms  15.050 ms
10  sl-bb10-kc-7-1.sprintlink.net (144.232.9.117)  46.752 ms  *  40.125 ms
11  sl-gw5-kc-0-0-0.sprintlink.net (144.232.2.62)  38.360 ms  48.002 ms  44.795 ms
12  sl-uok-1-0-0.sprintlink.net (144.232.14)  93.256 ms  67.070 ms  61.727 ms
13  ks-1-ks-ksu.r.greatplains.net (164.113.232.193)  77.743 ms  64.566 ms  67.117 ms
14  164.113.212.250 (164.113.212.250)  59.988 ms  46.188 ms  55.616 ms
15  129.130.252.9 (129.130.252.9)  68.211 ms  67.881 ms  75.441 ms
16  polaris.cis.ksu.edu (129.130.10.93)  76.462 ms  54.838 ms  *

PMTU-D: TCP path MTU discovery (figure)

SNMP
• Where did it come from?
  – Internet Engineering Task Force, Network Management Area
  – SNMPv1
  – MIB-I, MIB-II
  – SNMPv2 (?)
  – SNMPv3 (?)

SNMPv1 History
• RFC 1157, 1990: "A Simple Network Management Protocol (SNMP)"
• RFC 1155 and 1158 (1990) and RFC 1213 (1991): specification of MIB-II
• Written in ASN.1

Protocol context of SNMP


SNMPv1 Protocol
Five simple messages:
• get-request
• get-next-request
• get-response
• set-request
• trap

SNMP Message Handling (Manager and Agent)
• GetRequest (What is the value of this MIB object?) -> GetResponse (The value is XXXX!)
• GetNextRequest (What is the next value in the MIB tree?) -> GetResponse
• SetRequest (Modify the value of this OID) -> GetResponse (The value is XXXX!)
• Trap (Problem happened!): sent unsolicited by the Agent to the Manager

SNMPv1: UDP ports
• Manager -> Agent, UDP port 161: get_request, get_next_request, set_request
• Agent -> Manager: get_response (sent from port 161 back to the manager's source port)
• Agent -> Manager, UDP port 162: trap

SNMPv1 Packet Format
UDP Header | Version | Community name | PDU Type | Request ID | Error Status | Error Index | name / value | name / value ...
• SNMP version (0 is for version 1)
• Community (read-only, read-write): shared "password" between agent and manager
• PDU: specifies the request type
• Request ID
• Error Status
• Error Index

Community Names
Community names are used to define where an SNMP message is destined for.
• Set up your agents to belong to certain communities.
• Set up your management applications to monitor and receive traps from certain community names.
Note: in SNMPv1 (and v2c) the community name is the only access control, and it is carried in clear text in every message. Anyone who can sniff it, or guess a default such as "public" or "private", gets the corresponding read or write access; treat it as a password, restrict UDP 161 by source address, and do not leave a write community enabled unless it is needed.

RFC 1065 (MIB Structure)
"Structure and Identification of Management Information for TCP/IP-based Internets (SMI)"
• Uses Abstract Syntax Notation 1 (ASN.1)
• Types of information:
  – Network Address
  – IP Address
  – Counter (32 bit, monotonically increasing)
  – Gauge (32 bit variable)
  – Timeticks (time in hundredths of a second)
  – Opaque (arbitrary syntax for text data)
• Adopted as a full standard in RFC 1155 (basically unchanged)

MIB definitions
• RFC 1066 - MIB definitions using RFC 1065 (RFC 1155) (Rose & McCloghrie)
• First version of the MIB, now called MIB-I
• Adopted as a full standard in RFC 1156 (essentially unchanged from 1066)
• RFC 1158 - extends MIB-I and defines MIB-II
• Adopted as a full standard in RFC 1213

Vendor extensions to MIB
• RFC 1156 (MIB-I) allowed for vendor-specific extensions to be included in the MIB
• Allows for additional management information about devices not provided for in the standard MIB
• For example: CPU utilisation
• Normal for devices to support all of MIB-II PLUS have their own vendor-specific extensions

SNMP NAMES


OSI Object Identifier Tree


SNMP - MIB Tree
• Objects are managed by the tree
• Expressed as a row of values divided by periods
root
  ccitt(0)
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)           Standard MIBs
          experimental(3)
          private(4)
            enterprise(1)      Vendor-specific MIBs
  joint-iso-ccitt(2)

SNMP Naming
• question: how to name every possible standard object (protocol, data, more...) in every possible network standard?
• answer: ISO Object Identifier (OID) tree:
  – hierarchical naming of all objects
  – each branchpoint has a name and a number
Example: 1.3.6.1.2.1.7.1 = iso(1).org(3, ISO-identified organization).dod(6, US DoD).internet(1).mgmt(2, management).mib-2(1).udp(7).udpInDatagrams(1)

SNMP - OID
• OID expression: iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1) -> .1.3.6.1.2.1
• e.g. sysDescr = .1.3.6.1.2.1.1.1 = mib-2.1.1 = system.1

Subtree       OID              Description
system        1.3.6.1.2.1.1    Defines a list of objects that pertain to system operation, such as the system uptime, system contact, and system name.
interfaces    1.3.6.1.2.1.2    Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks such things as octets sent and received, errors and discards, etc.
at            1.3.6.1.2.1.3    The address translation (at) group is deprecated and is provided only for backward compatibility. It will probably be dropped from MIB-III.
ip            1.3.6.1.2.1.4    Keeps track of many aspects of IP, including IP routing.
icmp          1.3.6.1.2.1.5    Tracks things such as ICMP errors, discards, etc.
tcp           1.3.6.1.2.1.6    Tracks, among other things, the state of each TCP connection (e.g. closed, listen, synSent, etc.).
udp           1.3.6.1.2.1.7    Tracks UDP statistics, datagrams in and out, etc.
egp           1.3.6.1.2.1.8    Tracks various statistics about EGP and keeps an EGP neighbor table.
transmission  1.3.6.1.2.1.10   There are currently no objects defined for this group, but other media-specific MIBs are defined using this subtree.
snmp          1.3.6.1.2.1.11   Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP packets sent and received.

SNMP - MIB & OID
• The SNMP Manager can acquire the management information defined by the MIB (Management Information Base) from the Agent
  – Current version: MIB-II, RFC 1213
  – The MIB is the aggregate of objects (information) on the equipment which the SNMP Agent holds
  – An identifier is defined for each object = OID
  – The MIB implemented by an Agent is roughly divided into:
    • MIB-II: standard, public, specified by the IETF
    • Enterprise MIB: private, specified by the vendor

SNMP MIB module specified via SMI (Structure of Management Information)
• MODULE-IDENTITY: the module (about 100 standardized MIBs, more vendor-specific ones)
• OBJECT-TYPE: objects specified via the SMI OBJECT-TYPE construct

SMI: Object, module examples
MODULE-IDENTITY:
    ipMIB MODULE-IDENTITY
        LAST-UPDATED "941101000Z"
        ORGANIZATION "IETF SNMPv2 Working Group"
        CONTACT-INFO "Keith McCloghrie ......"
        DESCRIPTION "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
        REVISION "019331000Z"
        .........
        ::= { mib-2 48 }
OBJECT-TYPE:
    ipInDelivers OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
        ::= { ip 9 }

MIB example: UDP module
Object ID          Name             Type       Comments
1.3.6.1.2.1.7.1    udpInDatagrams   Counter32  total # datagrams delivered at this node
1.3.6.1.2.1.7.2    udpNoPorts       Counter32  # undeliverable datagrams, no app at port
1.3.6.1.2.1.7.3    udpInErrors      Counter32  # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4    udpOutDatagrams  Counter32  # datagrams sent
1.3.6.1.2.1.7.5    udpTable         SEQUENCE   one entry for each port in use by an app; gives port # and IP address

ASN.1: Abstract Syntax Notation 1
• ISO standard X.680
• defines data types and object constructors, like SMI
• BER: Basic Encoding Rules
  – specify how ASN.1-defined data objects are to be transmitted
  – each transmitted object has Type, Length, Value (TLV) encoding

Syntax
• Uses ASN.1 (Abstract Syntax Notation) with binary encoding, e.g. 02 01 06 is a 1-byte integer with value 6
• Primitive types: INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL
• Constructor types: SEQUENCE <type> ... (i.e. a record); SEQUENCE OF <type> ... (i.e. an array)
• Defined data types:
  – IpAddress: what you expect
  – Counter: non-negative integer that wraps
  – Gauge: non-negative integer that latches
  – TimeTicks: time in hundredths of seconds

TLV Encoding
Idea: transmitted data is self-identifying
• T: data type, one of the ASN.1-defined types
• L: length of data in bytes
• V: value of data, encoded according to the ASN.1 standard

Tag value   Type
1           Boolean
2           Integer
3           Bitstring
4           Octet string
5           Null
6           Object Identifier
9           Real

TLV encoding: example (figure)
• Integer 259: Type = 2 (integer), Length = 2 bytes, Value = 259 (02 02 01 03)
• String of 5 characters: Type = 4 (octet string), Length = 5 bytes, Value = 5 octets (chars)
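The packet format, the OID numbering and the TLV rules from the preceding slides come together in the bytes of a single GetRequest. The block below is an added example, not a library's code: a BER encoder and decoder just large enough for SNMPv1, used to build the classic request for sysDescr.0 and to parse the message back (the same parser handles a GetResponse, since only the PDU tag differs). The tag values are those of RFC 1157; the request-id and community are made up for the example. The decoder refuses any length field that runs past the buffer, which is the first check a practitioner should see in anything that parses BER off the network.

```python
"""BER (TLV) encoder/decoder for SNMPv1 messages. Added example; not a library's code."""
INTEGER, OCTET_STRING, NULL, OBJECT_IDENTIFIER, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4


def encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                      # short form: one byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form: 0x8N then N length bytes


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(i: int) -> bytes:
    n = 1
    while not -(1 << (8 * n - 1)) <= i < (1 << (8 * n - 1)):
        n += 1                                 # minimal two's-complement length
    return tlv(INTEGER, i.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base 128, continuation bit on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OBJECT_IDENTIFIER, bytes(out))


def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(GET_REQUEST, encode_integer(request_id) + encode_integer(0)   # error-status
              + encode_integer(0) + tlv(SEQUENCE, varbinds))               # error-index
    # version 0 = SNMPv1; the community name is the only credential and goes in clear text
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def decode_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos); refuses lengths that run past the buffer."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(data):
        raise ValueError("TLV length %d exceeds buffer" % length)
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0   # fine for iso/ccitt roots
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def as_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def parse_snmpv1(data: bytes) -> dict:
    tag, msg, _ = decode_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = decode_tlv(msg)
    _, community, pos = decode_tlv(msg, pos)
    pdu_tag, pdu, _ = decode_tlv(msg, pos)
    _, request_id, pos = decode_tlv(pdu)
    _, error_status, pos = decode_tlv(pdu, pos)
    _, error_index, pos = decode_tlv(pdu, pos)
    _, vbl, _ = decode_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):                      # each varbind: SEQUENCE { OID, value }
        _, vb, pos = decode_tlv(vbl, pos)
        _, oid, q = decode_tlv(vb)
        vtag, val, _ = decode_tlv(vb, q)
        varbinds.append((decode_oid(oid), vtag, val))
    return {"version": as_int(version), "community": community.decode("latin-1"),
            "pdu": pdu_tag, "request_id": as_int(request_id),
            "error_status": as_int(error_status), "error_index": as_int(error_index),
            "varbinds": varbinds}


def is_well_formed(data: bytes) -> bool:
    try:
        parse_snmpv1(data)
        return True
    except (ValueError, IndexError):
        return False
```

The 41-byte result for sysDescr.0 with community "public" decodes, field by field, to the packet-format slide: 30 27 (SEQUENCE) 02 01 00 (version 1) 04 06 "public" a0 1a (GetRequest) request-id, error-status 0, error-index 0, then the varbind list holding 06 08 2b 06 01 02 01 01 01 00 (the OID, with 1.3 packed into 0x2b) and 05 00 (NULL). Run parse_snmpv1 over the UDP payloads in a capture and the community names in use on a network fall out in clear text, which is the point of the earlier warning.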

SNMP Message Handling: command examples
GetRequest
inetapan@tools:~> snmpget -v 2c -c xxxx tpr2.jp.apan.net .1.3.6.1.2.1.2.2.1.4.136
IF-MIB::ifMtu.136 = INTEGER: 9192
GetNextRequest
inetapan@tools:~> snmpget -v 2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::system = No Such Object available on this agent at this OID
inetapan@tools:~> snmpwalk -v 2c -c xxxx tpr2.jp.apan.net system
SNMPv2-MIB::sysDescr.0 = STRING: m20 internet router, kernel 6.2R3.10
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.2
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (423280751) 48 days, 23:46:47.51
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: tpr2
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
SetRequest
inetapan@tools:~> snmpset -v 2c -c xxxx tppr.jp.apan.net system.sysLocation.0 = ""
inetapan@tools:~> snmpset -v 2c -c yyyy tppr.jp.apan.net system.sysLocation.0 s "Tokyo, JP"
system.sysLocation.0 = "Tokyo, JP"
inetapan@tools:~> snmpset -v 2c -c xxxx tppr.jp.apan.net system.sysLocation.0 = "Tokyo, JP"

SNMP - Trap Message
• The way for the Agent to inform the Manager about an undesirable event
• A trap originates from the Agent and is sent to the trap destination configured within the Agent itself
• When the Manager receives a trap, it needs to know how to interpret it
• PDU
  – Enterprise: vendor identification (OID) for the agent
  – AgentAddress: the IP address of the node where the trap was generated
  – Trap Type: Generic / Specific (not used)
  – Timestamp: the length of time between the last re-initialization of the agent that issued the trap and the moment at which the trap was issued

SNMP
• SNMP Traps
  – unsolicited notification of events
  – can include a variable list
  – coldStart, warmStart
  – linkUp, linkDown
  – authenticationFailure
  – egpNeighborLoss
  – enterpriseSpecific

Traps
• Forwarded automatically from agent to station(s) in response to an event within the device
• Traps defined in MIB-II:
  – Cold-start of system
  – Warm-start of system
  – Link down
  – Link up
  – Failure of authentication
  – Exterior Gateway Protocol (EGP) neighbour loss
  – Enterprise specific

SNMPv2 History
• RFC 1441, 1993: "Introduction to version 2 of the Internet-standard Network Management Framework"
• RFC 1446, 1993: "Security Protocols for version 2 of the Simple Network Management Protocol"
• Written to address security and feature deficiencies in SNMPv1

SNMPv2 Protocol
• Extension to SNMPv1
• Provided a security model (the party-based model of RFC 1446, "SNMPv2p"; it was not widely adopted, and the variant that actually shipped, community-based SNMPv2c, keeps SNMPv1's clear-text community names and so adds no security)
• 2 new commands
  – get-bulk-request
  – inform-request

SNMPv2 Protocol continued...
General format: privDst | authInfo | dstParty | srcParty | context | PDU
authInfo by message class:
• Nonsecure message: privDst | 0-length OCTET STRING | dstParty | srcParty | context | PDU
• Authenticated, not encrypted: privDst | digest, dstTime, srcTime | dstParty | srcParty |  context | PDU
• Private, not authenticated: privDst | 0-length OCTET STRING | dstParty | srcParty | context | PDU (encrypted)
• Private and authenticated: privDst | digest, dstTime, srcTime | dstParty | srcParty | context | PDU (encrypted)

Format of SNMPv1 messages
Get-Request, Get-Next-Request, Set-Request:
  Version | Community String | PDU type | Request ID | 0 | 0 | Name X | Value X | ...
Get-Response:
  Version | Community String | PDU type | Request ID | Error status | Error index | Name X | Value X | ...
Trap:
  Version | Community String | PDU type | Enterprise | Agent Addr | Generic trap | Specific trap | Time | Name X | Value X | ...

Coexistence by Means of Proxy Agent (figure)
SNMPv2 environment: the SNMPv2 manager sends manager-to-agent PDUs (GetRequest, GetNextRequest, SetRequest, GetBulkRequest) to the Proxy Agent and receives agent-to-manager PDUs (Response, SNMPv2-Trap) from it.
SNMPv1 environment: the Proxy Agent forwards SNMPv1 manager-to-agent PDUs (GetRequest, GetNextRequest, SetRequest) to the SNMPv1 agent and translates its agent-to-manager PDUs (GetResponse, Trap) back.

SNMPv1 and SNMPv2
• SNMPv1 is a subset of SNMPv2
• Managers usually can send requests in either format depending on the capability of the agents
• Migrating from SNMPv1 to SNMPv2 requires an update of the agent and manager software
• Many manufacturers are resisting SNMPv2 for a variety of reasons, leading to an SNMPv3 specification
• Almost all manufacturers currently support SNMPv1

Network Monitoring Tools


Ways of Monitoring
• Classified into three monitoring ways
  1. Monitoring in the internal network (mostly)
  2. Monitoring via an external network (via a peering network, via the Internet)
  3. Independent, non-network access (emergency case): ISDN, PSTN
(figure: Monitoring Machine attached to the Internal network, with a path via the External network and an independent dial-up path)

Network Management Software
• SNMP Agents
  – provided by all router vendors
  – many expanded (enterprise) MIBs
  – bridges, wiring concentrators, toasters

Network Management Software
• Public domain
  – Application Programming Interfaces available from CMU and MIT
  – include a variety of applications

Network Management Software
• Commercial: many offerings, UNIX and PC based
  – HP OpenView
  – SunNet Manager
  – Cabletron Spectrum
  – *MANY* others

Commercial SNMP Applications
• http://www.hp.com/go/openview/ HP OpenView
• http://www.tivoli.com/ IBM NetView
• http://www.novell.com/products/managewise/ Novell ManageWise
• http://www.sun.com/solstice/ Sun Microsystems Solstice
• http://www.microsoft.com/smsmgmt/ Microsoft SMS Server
• http://www.compaq.com/products/servers/management/ Compaq Insight Manager
• http://www.redpt.com/ SnmpQL - ODBC compliant
• http://www.empiretech.com/ Empire Technologies
• ftp://ftp.cinco.com/users/cinco/demo/ Cinco Networks NetXray
• http://www.netinst.com/html/snmp.html SNMP Collector (Win9X/NT)
• http://www.netinst.com/html/Observer.html Observer
• http://www.gordian.com/products_technologies/snmp.html Gordian's SNMP Agent
• http://www.castlerock.com/ Castle Rock Computing
• http://www.adventnet.com/ Advent Network Management
• http://www.smplsft.com/ SimpleAgent, SimpleTester

Monitoring Targets
• Targets suitable for checking the normal operation of a network service
  – Router: dead or alive? status? performance? routing?
  – Server: dead or alive? status? daemon? service port?
  – Traffic, etc.: increase or decrease? DoS attack? performance? environment?

Monitoring Method
• How to monitor the target
  – Active monitoring or passive monitoring
    • Polling: the monitoring machine sends messages to the watched target
      – useful for checking the current status (ICMP/SNMP polling...)
    • Receiving trap messages from the target
      – useful for detecting a status change (SNMP trap, syslog...)
    • Statistics data
      – useful for grasping trends and transitions
  – Select the monitoring tool
    • Ping (ICMP), SNMP, monitoring tool, original tool, etc.
  – Check the monitoring route to the target
    • Internal or external network

ICMP/Ping Polling
• Check IP reachability by ICMP echo/reply
  – Additional information: RTT (Round Trip Time), packet loss, TTL (Time to Live)
• The most standard way of checking node activity
• Time-series RTT/packet loss data becomes important information when measuring link performance
(figure: ICMP echo request sent, echo reply returned; RTT: xx msec, packet loss: xx %, TTL: xx)

UDP/TCP polling
• Effective for monitoring the service ports of a server
  – Using the client for the service: DNS - nslookup
  – Using telnet: WWW, SMTP, POP
  – Using a tool: Radius - radping
Example: telnet to the service port and read the reply
bash-2.05$ telnet ns.jp.apan.net 80
Trying 203.181.248.3...
Connected to ns.jp.apan.net.
Escape character is '^]'.
get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
:

Monitoring Software - HP OpenView Network Node Manager
• Overview
  – Auto discovery and mapping
  – Drill-down views (hierarchy map)
  – Fault monitoring: ICMP / SNMP polling
  – Event monitoring: trap receiving / event configuration
  – SNMP tools: status polling, MIB browser
  – Web-based reports
  – Extended software is enhanced
  – Platform: Windows 2000/XP, Solaris 8/9, HP-UX

Monitoring Software - HP OpenView Sample 1
• OpenView structure (screenshots): event log, network map, ICMP polling for connectivity check, network sub-map, router map

Monitoring Software - HP OpenView Sample 2
• OpenView tools (screenshots): event configuration; SNMP configuration for polling (parameters, community); data collection and thresholds for SNMP

MRTG (Multi-Router Traffic Grapher)
• Overview
  – Monitors the load of network equipment using SNMP; mainly used for creating traffic graphs
  – Excellent graphing tool developed by Tobias Oetiker
  – Plots any two variables against time; the graph is rendered in PNG format on an HTML page
  – Able to create scripts to feed data into MRTG
  – Implements data collection, image generation and web-page creation
  – Very widely deployed in large networks and still being actively developed
  – Platform: UNIX systems / Windows NT
  – Supports SNMPv2: able to read 64-bit counters
  – http://people.ethz.ch/~oetiker/webtools/mrtg/

MRTG - Workflow
• Display of graph
  – Green area typically represents incoming maximum bits per second
  – Blue line typically represents outgoing maximum bits per second
• Workflow
  1. Read configuration file
  2. Collect graphing data from network equipment, based on the configuration
  3. Update database file and generate graph
  4. If required, generate HTML file
  – MRTG performs the above workflow, then exits
  – Since MRTG collects data for the past 5 minutes (default value in the source code), it should be run from "crontab" every 5 minutes

MRTG - Data Storage
• Data storage
  – Keeps 5-minute data only for 2.5 days; the data is thrown away afterwards (daily graph: 5 min)
    • There is no access to historical data at high resolution
  – Keeps 1-day data for approx. 2 years (weekly graph: 30 min; monthly graph: 2 hours; yearly graph: 1 day; the resolution gets coarser)

Interval     Num of records   Storage period   Graph
5 minutes    600              2.5 days         daily
30 minutes   600              12.5 days        weekly
2 hours      600              50 days          monthly
1 day        731              2 years          yearly

RRDtool (Round Robin Database Tool)
• Overview
  – Successor to MRTG
  – Developed by the same developer as MRTG: Tobias Oetiker
  – A tool set for RRD that can flexibly define data items, time intervals, data amounts, graph depiction, etc.
  – Binary file format that can store data at any interval for any length of time
    • The file does not grow in size over time
  – Ability to make custom graphs across user-defined intervals
    • Ability to graph multiple variables on a single graph
  – Additional scripts are necessary for creating graphs and web pages
    • 25-30 percent faster than MRTG
  – Does not have a function to collect data
  – http://people.ethz.ch/~oetiker/webtools/rrdtool/
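The two mechanisms behind the MRTG and RRDtool slides, worked as an added example (this is not MRTG's or RRDtool's code, only a model of what they do): turning successive SNMP Counter32 readings into a bit rate while correcting for the counter wrapping, and a fixed-size round-robin archive with the four rings from the MRTG data-storage table (600 x 5 min, 600 x 30 min, 600 x 2 h, 731 x 1 day), where each coarser ring holds the average of the finer samples and old data falls off the end so the store never grows. The ring sizes come from the slide; the sample values fed in are constructed.

```python
"""Counter-to-rate conversion with 32-bit wrap handling, and an MRTG-style
round-robin archive. Added example modelled on the slides, not MRTG/RRDtool code."""
from collections import deque


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Difference of two monotonically increasing SNMP counters, correcting one wrap.
    A second wrap inside one poll interval is undetectable, which is why fast links
    need the 64-bit counters mentioned on the MRTG slide."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def rate_bps(prev_octets: int, cur_octets: int, interval_s: float, bits: int = 32) -> float:
    """Octet-counter delta over the poll interval, in bits per second."""
    return counter_delta(prev_octets, cur_octets, bits) * 8 / interval_s


def wrap_seconds(bits: int, bits_per_second: float) -> float:
    """How long a saturated link takes to wrap an octet counter of this width."""
    return (1 << bits) * 8 / bits_per_second


class RoundRobinArchive:
    """Fixed-size rings; ring k stores the average of `factor` base samples.
    Defaults follow the MRTG table: 5-min base step, then 30 min, 2 h, 1 day."""

    def __init__(self, base_step: int = 300,
                 rings=((1, 600), (6, 600), (24, 600), (288, 731))):
        self.base_step = base_step
        self.rings = [{"factor": f, "data": deque(maxlen=n), "pending": []} for f, n in rings]

    def update(self, value: float) -> None:
        for ring in self.rings:
            ring["pending"].append(value)
            if len(ring["pending"]) == ring["factor"]:   # consolidate into one coarse sample
                ring["data"].append(sum(ring["pending"]) / ring["factor"])
                ring["pending"] = []                       # deque drops the oldest when full

    def coverage_seconds(self, ring_index: int) -> int:
        ring = self.rings[ring_index]
        return ring["data"].maxlen * ring["factor"] * self.base_step


if __name__ == "__main__":
    print("wrap at 1 Gbit/s, 32-bit counter: %.1f s" % wrap_seconds(32, 1e9))
    archive = RoundRobinArchive()
    for sample in range(1, 13):                 # twelve constructed 5-minute samples
        archive.update(10 * sample)
    print("30-minute ring:", list(archive.rings[1]["data"]))
```

Two numbers worth checking against the table: 600 five-minute samples span 50 hours (a little over two days, slightly less than the "2.5 days" on the slide), and a 32-bit octet counter on a saturated gigabit link wraps roughly every 34 seconds, well inside a 5-minute poll, so the wrap correction above is not enough there and the 64-bit ifHCInOctets style counters that need SNMPv2c are required.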

RRDtool - Architecture
• Comparison of architecture between MRTG and RRD (figure)
  – MRTG: a single program with its own SNMP engine polls the router, writes the log and index, and produces the graph
  – RRD: a separate frontend program polls the router and server and writes into the RRD; graphs, text and index are produced from the RRD

RRDtool - Sample - http: //mrtg. jp. apan. net/cricket/router-interfaces/


Netflow - Overview
• Overview
  – Enables IP traffic flow analysis without probes
  – Invented and patented by Cisco
    • Juniper (called cflowd), Foundry, ... many vendors support it
  – Flow cache data on the routers is exported to a flow tool, so that the traffic flows can be analyzed
• Flow definition: traffic sharing the same source IP address, destination IP address, source port, destination port, layer 3 protocol type, TOS byte (DSCP) and input logical interface (ifIndex)
(figure: NetFlow enabled on the Core Network routers; UDP NetFlow export packets go to a Collector (Solaris, HP-UX or Linux) and on to an application GUI)

Netflow - Flow Data
• Flow data export
  – Enable NetFlow on the router
    • There is a difference in architecture between Cisco and Juniper routers
    • Take care that the load on the router does not become high: check CPU, memory, bandwidth, sampling rate
• Flow data collection & analysis
  – Prepare software for receiving the flow-export data
    • flow-tools http://www.splintered.net/sw/flow-tools/
    • cflowd http://www.caida.org/tools/measurement/cflowd/
    • Cisco: NetFlow Collector
  – Analyze traffic from the raw data with software
    • flow-scan http://net.doit.wisc.edu/~plonka/FlowScan/ (to graph the analysis data, RRDtool is recommended)
    • Cisco: CiscoWorks
• Contents of an exported flow record
  – Source and destination IP address
  – Source and destination TCP/UDP ports
  – Packet and byte counts
  – Routing information (next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask)
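A small flow cache built on the seven-field flow definition from the overview slide, with the inactive and active timeouts that turn a cache entry into an exported record carrying packet and byte counts. This is an added example, not Cisco's or Juniper's implementation, and the timeout values and the packet list are constructed; the closing function shows the kind of analysis the collector tools above are used for, picking out a source that touched many ports on one host from nothing but the exported records (the "DoS attack?" question on the monitoring-targets slide is answered the same way, from counts rather than payloads).

```python
"""Flow cache on the NetFlow seven-field key, plus a port-scan check over the exported
records. Added example with constructed packets; not a vendor's NetFlow code."""
from collections import defaultdict, namedtuple

FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_ifindex")
Packet = namedtuple("Packet", "ts src_ip dst_ip src_port dst_port proto tos in_ifindex length")


class FlowCache:
    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive, self.active = inactive_timeout, active_timeout   # assumed defaults
        self.flows = {}          # FlowKey -> {"first", "last", "packets", "bytes"}
        self.exported = []       # (FlowKey, record) pairs, the "flow export packets"

    def observe(self, pkt: Packet) -> None:
        key = FlowKey(pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
                      pkt.proto, pkt.tos, pkt.in_ifindex)
        self.expire(pkt.ts)
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = {"first": pkt.ts, "last": pkt.ts, "packets": 0, "bytes": 0}
        rec["last"] = pkt.ts
        rec["packets"] += 1
        rec["bytes"] += pkt.length

    def expire(self, now: float) -> None:
        """Export flows idle longer than the inactive timeout or older than the active one."""
        for key, rec in list(self.flows.items()):
            if now - rec["last"] > self.inactive or now - rec["first"] > self.active:
                self.exported.append((key, self.flows.pop(key)))

    def flush(self):
        for key in list(self.flows):
            self.exported.append((key, self.flows.pop(key)))
        return self.exported


def vertical_scan_sources(records, min_ports: int = 10):
    """Sources that opened TCP flows to at least min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for key, _ in records:
        if key.proto == 6:
            ports[(key.src_ip, key.dst_ip)].add(key.dst_port)
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})


def make_sample_packets():
    """Constructed traffic: one web session and one host probing twelve ports."""
    pk = []
    session = [("192.0.2.10", "198.51.100.7", 40001, 80, 60),
               ("198.51.100.7", "192.0.2.10", 80, 40001, 60),
               ("192.0.2.10", "198.51.100.7", 40001, 80, 520),
               ("198.51.100.7", "192.0.2.10", 80, 40001, 1500)]
    for i, (s, d, sp, dp, ln) in enumerate(session):
        pk.append(Packet(float(i), s, d, sp, dp, 6, 0, 1, ln))
    for i, port in enumerate(range(20, 32)):
        pk.append(Packet(5.0 + i * 0.01, "203.0.113.9", "198.51.100.7", 50000 + i, port, 6, 0, 2, 44))
    return pk


def run_sample():
    cache = FlowCache()
    for pkt in make_sample_packets():
        cache.observe(pkt)
    records = cache.flush()
    return records, vertical_scan_sources(records)


if __name__ == "__main__":
    recs, scanners = run_sample()
    print(len(recs), "flows exported; scanning sources:", scanners)
```

Because the key contains direction, a TCP session becomes two flows (one per direction), which is why the sample exports fourteen records rather than thirteen; collectors pair them up when they need per-connection totals. On a real router the sampling rate noted on the slide also scales every packet and byte count, so thresholds like min_ports must be set with the sampling ratio in mind.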

Netflow - Example n Netflow Example
