chapter_8

Chapter 8 Overview











RMON1 is a MIB o Also known as RMON

Recall that mib-2 gives info on devices

RMONs provide network info

RMON1 provides info at link (MAC) layer

RMON2 is discussed in chapter 9 o Info at network layer and above

Chapter 8  Remote Monitoring (RMON1)

1

Textbook LAN







Probe 1 and probe 2 are RMON probes

Probe 2 is RMON1 only

Probes capture packets in promiscuous mode


2

RMON1 MIB Groups



We’ll consider the following groups

o o

Statistics group, History group,

Alarm group, Host group, o o o

HostTopN group, Matrix group

Filter group, Capture group, and Event group


3

Statistics Group

Group

Statistics group

(mib-2.16.1)

Description



Consists of the etherStatsTable .



Ther e is one table entry (row) for each Etherne t subn etwork to which the RMON1 device is conne cted.



Each row cons ist s of values of column objects for a subn etwork .



The co lumn objects are count er objects. An exa mple column ob ject is the counter etherStatsPkts that is the nu mber of ethernet packets received since the RMON1 device was fir st started.



Ther e are 21 column objects in the table.

Function

Coun ts packets wit h cha racteris tics defined by objects in the etherStatsTab le .

The pa cket coun t is for all frames read rega rdless of device.



Overall statistics


4

History Group

Group

History group

(mib-2.16.2)

Description



Consists of two tables: t he historyCo ntrolTable and the etherHistoryTa ble.



The management appli cation use s the historyCon trolTab le to specif y for exa mple the subn etwork interface that wil l be mon it ored, the sampling interval and how many sampli ng intervals.



The e therHist oryTable has 15 column objects. Each of these objects is sampled in the sampli ng interval.



A row in the etherHistoryTable consists of the values of the column ob jects for one sampling interval. Thu s, fo r each in terface, there are as many rows in the etherHistoryTab le as sampling intervals

Function

Deve lops a history of each etherHistoryTable object. Does this by coun ting p ackets for each object ove r a number of defined sampling intervals


5

Alarm Group

Alarm group

(mib-2.16.3)



Consists of the alarmTable



The management appli cation creates a row in the table by de fining the object to be moni tored, the sampling interval and the alarm thre sholds



Other colu mn objects define how the threshold and object values during a sampli ng interval are to be compared



Alarms can be gen erated and actions taken, depend ing on the result of the comparison, by referencing rows in the eventTable.

Identifies selected object values that become greater or less than thresho lds during the sampli ng interval.


6

Host Group

Host group

(mib-2.16.4)



This group gather s statistics specif ic to hos ts on the

LAN that is being monit ored.



It consists of 3 tables: hostControlTable, hostTable and hostTimeTable.



The remote mon it or learns about hos ts from reading MAC add resses in p ackets it receives



The ho st Table has one row for each host discover ed



The va lues of column ob jects in a ho stTab le row are statistics for a specific hos t. An exa mple wou ld be the nu mber of packets received , hostInPk ts.



The ho stTim eTable contains the same information as the hos tTable. Howev er, the rows are ordered by the tim e when the ho st was detected.

Records MAC

Add ress and statisti cs for packets received or trans mitt ed for each hos t detected on the subn et


7

HostTopN Group

HostTopN group

(mib-2.16.5)



This group cons is ts of 2 tables: hostTopNControlTable and hostTopNTable.



The statistics that are compli ed make use of the values of objects in the ho st group.



The management station us es the hos tTopNControlTable to specif y the maxim um number of ho sts, N, to moni tor, the sampli ng interval, a variable from the ho stTab le to monit or and the ch ange of that va riable during the sampling interval



The ho stTopN Table rank s the result s for the topN hos ts relative to a sele cted va riable such as hos tInPkts.

Determi nes the most active N hosts during eve ry sampling interval for a specified variable such as "i n-packets."


8

Matrix Group

Matrix group

(mib-2.16.6)



This group contains 3 tables: matrixCo ntrolTable, matrixSDTable and matrixDSTable. (SD = source->destination and DS = destination ->sour ce )



The matrixCon trolTab le func tion s li ke control tables described for other groups



The matrixSDTab le and matrixDSTable present a logical matrix of source and d estination addresses to the manage me nt appli cation.



The matrixSDTab le and matrixDSTable contain the same informa tion.



The matrixSDTab le and the matrixDSTab le are indexed differently so that the management appli cation can qui ckly ac cess the desir ed data for a particular comm unication.



Included among the column ob jects are the MAC source and destination addresses of the ho sts invo lved in comm unication. There is one row for each comm unication in the matrixSDTable and matrixDS Table.

Records ho st MAC

Add resses and statisti cs, such as

"in-packets," for conve rsation s between hosts.


9

Filter Group

Filter group

(mib-2.16.7)



Consists of two control t ables: filterTable and channelTable.



Objects in the filt erTable all ow the manage ment appli cation to define what packets will be processed by the monitor based on the content of the fields in the packets



Two type s of cont ent filters are appli ed to define a chann el: the data filt er and the status filt er. The re can be mu lti ple filt ers appli ed by c reating multi ple data and status filt ers.



Data filt ers filter on b it patterns in the pa cket



Status filt ers filt er on errors such as CRC errors



Packets that pass a data/status filt er combination constitute a channel.



Each channe l has a capture buffer for its packets



Packets in a channe l can be retrieved from t he capture buf fer by the N MS using cap ture group objects



Packets that match filt ers can p roduce even ts defined in the even t group

Defines the cha racteris tics of read packets that shou ld be processed by the probe. Such cha racteris tics determi ne a chann el


10

Capture Group

Capture group

(mib-2.16.8)



This group has two tables: bufferCo ntrolTable and captureBufferTable.



Each row of the bu fferControlT able defines the capture cha racteristics of one buffer. For exa mple, one object defines how much o f a packet will be captured and anoth er object ho w much of that will be returned to the manage ment appli cation in a

SNMP GetRespons e message



Each bu ffer ha s a cap tureBu fferTab le. Each row in this table is assigned to a packet in that buffer. One object, for exa mple, defines the leng th o f the packet.

Defines how much of a channe l packet is captured and how much is transmitted to the Manage ment

Station.


11

Event Group

Event group

(mib-2.16.9)



This group contains the eventTable and the logTa ble.



A row in the even tTable defines the parameters of an even t



A row in the logTab le defines the even t type and the specifi c even t of that type and stores data about the even t



Trap message s gen erated by an ev ent can be used to cont rol objects in o ther groups .

Defines and logs even ts that are gene rated by objects in other groups and initi ates actions


12

Statistics Group







Simplest

RMON1 group

“Counts” all packets detected

Increment counts


13

Control Objects and Tables











Control objects in RMON1 and RMON2

Specify how data is collected o And whether probe or mgmt station decides

Mgmt station looks at control objects to see if data being collected as desired

Mgmt station can modify control objects

Probe-created control objects generally should not be changed


14

Control Objects and Tables











Suppose mgmt station wants to collect data from a particular subnet

It could create a new row in etherStatsTable

Instead, could use control objects so that only the desired data is collected

Saves storage on the probe

Use SetRequest to set control object values


15

etherStatsTable Control Objects

Object etherStatsDa taSource etherStatsOwner etherStatsStatus

Description



An integer that formall y identif ies the dev ice interface from which the d ata is to be processed.



Has the same va lue as if Index in the ifTable in mi b-2 for this device



A string that identifi es the creator of the table row that is associated with etherStatsDa taSource



Is eit her the agen t wit h the na me monit or or a

Manage ment Station name and IP address



An integer that specifi es the status of the row.

Its values can be either vali d (1), createReque st (2) unde rCreation (3) or

inva li d (4).



The row creator use s a SetRequ est to set the value of this object to createReques t (2)



The ag ent then sets the value to unde rCreation(3) until the creator is finis hed



The c reator must then set the v alue to vali d(1) for the row objects to begin to coll ect data.


16

MeterWare



Summary view



Probe 2 info


17

RMON1 on Probe 2





Object values

Click “Statistics”


18

etherStatsTable Control Objects











Probe 2 has one interface, so only one row etherStatsOwner = monitor o Agent created and “owns” this row etherStatsStatus = valid o Agent will store collected data etherStatsDataSource = ifIndex.1

o Identifier of mib-2 for probe interface to 192.192.192.240

etherStatsIndex = 1 o First row in table


19

etherStatsTable Control

Objects











View  select row and start collecting stats

Add  add another row

Modify  edit current row

Delete  delete a row

Help  get help (duh!)


20

History Group









A record of what happens over defined sampling intervals

Similar to Statistics Group

Main difference is sampling intervals

History Group includes

o o etherHistoryTable historyControlTable


21

History Group



MIB browser view


22

historyControlTable



Column objects


23

historyControlTable





One row for each historyControlInterval o o

In this case, 30 and 1800 seconds

120 “buckets” (intervals) for each

So 240 rows in etherHistoryTable


24

historyControlTable

Object historyCon trolInd ex

Row 1

1

Row 2

2



Description

Index ob ject for the rows historyCon trolDataSource if Index .1

if Index .1



Interface to subne t 192.192 .192.240



Has the value of ifIndex . in the historyCon trolInterval 30 sec

mi b-2 ifTable

1800 sec



Ther e are two Sampli ng interval historyCon trolBucke ts

Reques ted historyCon trolBucke ts

Granted

120

120

120

120 leng ths. One for sho rt term history and one for long term history



Number of sampli ng intervals reques ted



Number of sampli ng intervals granted. Determi nes how long the sampling will be done and thus how much probe memory is granted.

Granted bucke ts can be less than reques ted bucke ts historyCon trolStatus vali d(1) vali d(1)






Its values can be either vali d (1), createReque st (2)

unde rCreation (3) or

inva li d (4).



The row creator use s a SetRequ est to set the value o f this object to createReque st (2)



The ag ent then sets the value to unde rCreation(3) until the creator is finished



The c reator then sets the va lue to vali d(1)


25

etherHistoryTable



Recall, 240 rows in etherHistoryTable


26

etherHistoryTable and historyControlTable

Object etherHistoryIndex

Description



Identifies etherHist oryTable rows wit h a row in the

historyCon trolTab le.

 etherHistoryIndex = hist oryControlI ndex



It is an Index object for the etherHistoryTable etherHistorySampleIndex

 etherHistoryIndex and etherHistorySampleIndex taken etherHistoryIntervalStart etherHistoryDropEven ts toge ther identif y the bucke ts to associate with a row in the historyCon trolTab le



It is an Index object for the etherHistoryTable



The va lue of sysUp Tim e object in the Systems group a t the start of the sample interval.



The nu mber of t imes it was detected that the monit or dropped a packet due to lack of resources


27

Sample History Report



30 second history report


28

Host Group







Statistics per host

Note statistics and history groups do not relate their stats to hosts

4 tables: hostControlTable, hostTable, hostTimeTable, hostControl2Table (RMON2)


29

hostControlTable



 hostCotrolTableSize o Number of hosts detected so far hostControlLastDeleteTime o Last “reset” time


30

hostControlTable

Object hos tControlI ndex

Description



An integer that identifi es a row in hos tControlT able and the probe interface to the subne t hos tControlDataSource



An integer that identifi es the probe interface to the subne t. It is equa l to the hos tControlT ableSize value of ifIndex in the ifTable in mi b-2.



The nu mber of rows (hos ts) in the hos tTable detected on hos tControlDataSource.

hos tControlL astDeleteTim e



The va lue of sysUp Tim e at which an entry in the hos tTable was deleted



Agen t does deletion if monit or resourc es hos tControlOwner hos tControlStatus become scarce.



Info rmation is ne eded by hos tTimeTab le



The c reator of the ho stControlT able row



As we have se en in o ther control t ables, the status must be set to vali d(1) in o rder for the probe to collect data for the ho stTab le


31

hostTable

Object hos t Add ress hos tCreationOrde r hos tIndex

Description



The MAC addr ess of the hos t



An integer be tween 1 and hos tControlT ableSize specif ying the order in tim e in wh ich the ho st was detected on the interface. The small er the intege r, the earli er the hos t was detected



All ho sts detected on the same interface have the same integer va lue, i. e.

hos tIndex = ho stControlIndex





Index object, MAC address pairs

Host address is index object

o Index object has address in decimal


32

hostTimeTable

Object hos tTim eAdd ress



Description

The MAC addr ess of the hos t hos tTim eCreationO rder



An integer be tween 1 and hostControlT ableSize specifying the o rder in time in which the hos t was hos tTim eIndex identif ied on the interface.

The small er the integer, the earli er the hos t was detected



Index ob ject for the ho stTim eTable



All ho sts detected on the same interface have the same value.



Index ob ject for the ho stTim eTable

 hos tTim eIndex = hos tIndex = ho stControlIndex





Same objects as hostTable

Different index object o o o hostTimeCreationOrder, not hostAddress

So that new hosts easily distinguished

Also hostTimeIndex


33

Too Many Hosts?





If too many hosts, probe uses hostTimeCreationOrder to drop hosts o Drop those that have not been used for longest o hostTimeCreationOrder is in hostTimeTable

To be sure it uses valid object identifier, mgmt station checks hostControlLastDeleted o In hostControlTable


34

hostTable Example



Hosts detected on probe 2 subnet


35

HostTopN Group







Rate of change of hostTable info

Sorta like History for specific Host

For each row of hostTopNControlTable o N rows in hostTopNTable (N is configurable)


36

hostTopNControlTable

Object hos tTopNControlInd ex hos tTopNHostIndex hos tTopNRateBase

Description



An integer that identifi es a row in the hos tTopNControlTable



Each row in that table defines the data that will be reported for N-hos ts on on e interface



An integer that refers to the interface on wh ich the Nhos ts are obse rved . It is the same for each of the

N-hos ts

 hos tTopNHostIndex = ho stControlIndex



An integer that specifi es one of the 7 variables in the hos tTable to coun t in the sampli ng interval t o determi ne the hos tTopNRateBase (packets/second in the hos tTop NTab le)



Cho ices are:

 hos tTopNInPk ts (1)







 hos tTopNOutPkts(2) hos tTopNInOc tets (3) hos tTopNOutOctets (4) hos tTopNOutErrors (5)

 hos tTopNOutBroadcastPkts (6)

 hos tTopNOutMulti castPkts (7) hos tTopNTime Remaining



Number of second s remaining in the sampli ng interval hos tTopNDuration hos tTopNReques tedSize



The sampli ng interval in seconds



The nu mber of hos ts, N, requ ested to include in the hos tTopNGrantedSize hos tTopNStartTim e hos tTopNOwne r hos tTopNStatus report



The nu mber of hos ts granted

 sysUpTime when this report sampli ng w as started.



Monit or or Manag ement Station that creates the row in the hos tTop NControlT able



An integer that specifi es the status of the control t able row.




inva li d (4).



The row creator use s a SetRequ est to set the value o f this object to createReques t (2)






The c reator then sets the va lue to valid(1)


37

hostTopNControlTable





Index is generated by the probe

Unique for each distribution created


38

hostTopNTable

Object hos tTopNReport hos tTopNIndex hos tTopNAdd ress hos tTopNRate

Description



An integer that identifi es the report

 hos tTopNReport = hos tTopNControlIndex



An integer that identifi es the data from one hos t included in the hos tTopNRepo rt



The MAC addr ess associated wit h the ho st identified by hos tTop NIndex



The a mount of change in the hos tTopNRateBase in packets/second during the sampli ng interva l.



Note that it’s measuring the change


39

HostTopN in MeterWare





Distribution of top 5 hosts

Based on “in-packets” rate

 Addresses of hosts with largest number of in-packets


40

HostTopN Addresses



This is not the same as view on previous slide

hostTopNAddress

1.3.6.1.2.1.16.5.2.1.3

hostTopNReport

1915 hostTopNIndex

1

Value

00 40 05 44 A7 DC


41

Matrix Group





Host-to-host statistics

Like a 2-d version of

Host


42

Matrix Control Tables


43




 matrixControlTable o Same objects as hostControlTable matrixSDTable and matrixDSTable o Only difference is order of index objects o o

Source to destination vs destination to source?

If matrixSDTable is A to B, then corresponding matrixDSTable is B to A


44




matrixSDTable

matrixSD

Source Address

(2)

A

B

B

A

A

C matrixSD

DestAdd ress

(3)

B

C

D

C

D

D matrixSD

Ind ex

(1)



matrixDSTable

matrixDS

Ind ex

(1) matrixDS

Source Address

(3)

B

C

D

C

D

D matrixDS

DestAdd ress

(2)

A

A

A

B

B

C matrixSD

Pkts matrixDS

Pkts matrixSD

Octets matrixDS

Octets matrixSD

Error s matrixDS

Errors


45

Matrix in MeterWare


46

Filter and Capture Groups







These groups usually used together

Capture Group o o

How probe captures frame

How info is sent from buffer on probe to buffer on mgmt station

Filter Group o o

To select types of frames to capture

Used to conserve space in buffers


47

Capture Group



Capture group objects


48



Capture Group bufferControlTable

Object bufferControlI ndex bufferControlChann elIndex bufferControlF ull Status bufferControlF ull Action

Description



The intege r that identif ies a row in the bufferControlTable.



Ther e is one buf fer for each defined channe l.



A channe l is defined by the filt er(s) that are appli ed to determi ne which packets are captured in the buf fer.



An integer that identifi es the channe l that is supp lying the bu ffer wit h p ackets



A Status value of (1) means space is ava il able in the buffer.



If the v alue is (2), the buffer is full .



A value o f (1) means th e buffer is locked when full and will accept no further packets.



A value o f (2) means th e buffer will wrap and bufferControlCaptureSliceSize bufferControlDown loadSliceSize discard old packets to make room for new .



Maximum number of octets in each packet that will be captured in the buffer



Maximum number of octets in the bu ffer that will be down loaded to the manage ment station in a sing le SNMP GetRespons e



The o ffset, in o ctets, of the fir st octet that will bufferControlDown loadOffset be retrieved in a single SNMP GetResponse .

bufferControlMaxOc tetsReque sted



The size o f buf fers, in octets, reque sted by the bufferControlMaxOc tetsGranted manage me nt station



Number of buffer octets granted by the probe bufferControlCapturedPackets bufferControlTurnOn Tim e agen t



Number of packets currently in the buffer



The va lue of sysUp Tim e (System Group bufferControlOwne r bufferControlStatus object) when this buffer was f ir st turn ed on



The c reator of the bu ffer (see Control Table)







inva li d (4).



The row creator use s a SetRequ est to set the value of this object to createReques t (2)








49

Capture Group



captureBufferTable

Object captureBu fferControlIndex captureBu fferIndex captureBu fferPacketID captureBu fferPacketData captureBu fferPacketLength captureBu fferPacketTim e captureBu fferPacketStatus

Description

An integer that identifi es the buf fer that holds this packet. It has the same value a s the bufferControlI ndex that identifies the buffer

The intege r that un ique ly identifi es this packet

The intege r that identif ies the order in which pa ckets were received on the interface rega rdless of the buf fer in which stored.

The a ctual packet data

The a ctual leng th of the pa cket in octets

The nu mber of m illis econds from the tim e the buffer was turned on until this packet was captured

A number that represents the nu mber of errors detected in the packet. See RFC 1271 for detail s about how this nu mber is calculated.


50

Capture Group



How packets are captured and buffered o We’ll fill in the details on the next few slides

Data Status

Filter 1

Edit

Channel 1 Buffer 1

Filter 2 Channel 2

Packets Buffer 2

NMS

Filter 3 Channel 3

Buffer 3


51

Channels



Probe 2 channels



Channel editor o To set values in bufferControlTable


52

Channels



Create new channel









Run button o Start capturing

Filter tab o Make filters

Buffer tab o Show captured packets, protocols,…

Analyze tab o More specific filtering/analysis


53

Filter Group









By default (in Meterware) all packets captured until buffer is full

Can then filter the ones of interest

o Using analyze tab

But some packets might be missed due to full buffer

Filter group used to prevent this


54

Filter Group



Filter group objects


55



Filter Group filterTable objects

Object filterIndex filterChanne lInd ex filterPktDataOffset filterPktData filterPktDataMask filterPktDataNotMask filterPktStatus filterPktStatusMask

Description

An integer that identifi es a row in the table. Each row defines a data filt er and a status filt er. Toge ther thes e form the filter for a channe l

An integer that identifi es the channe l that us es the filt er.

Offset, in o ctets, from t he beg inning of the MAC destination address to whe re the fi lter wil l begin to be appli ed for the case of an Ethernet frame

The da ta specified in the data filt er that the input packet must match.

The mask that determines wh ich pa cket bits to be matched are relevant for processing. Only if a bit in the filterPktDataMask is 1 is the packet bit relevan t for processing

For relevan t bits in the packet to pass the filterPktDataNotMask test, for each bit in this mask that is 1, the relevant pack et bit must differ from the bit in the filterPktData. Likewise, fo r each bit i n the filterPktDataNotMask that is 0, the packet bit s and the filterPktData bit s must dif fer

Errors found in the rele van t bit s of the inpu t packet are mapped to an intege r sum. The value of this sum is compared to the filt erPktStatus. (see RFC2819 for how the sum is calculated)

Bits in this mask determi ne which p acket input bits are relevan t for the filt erPktStatus test filterPktStatusNo tMask For the relevant bit s in the input packet to pass the filterPktStatusNo tMask test, for each bit in this ma sk that is 1, the b its in the intege r sum must all differ from t he bit s in the filt erPktStatus. Likewise, for each bit in the filterPktStatusNo tMask that is 0, the sum bits and the filterPktStatus bits must dif fer. (see RFC 2819 for ho w the sum is calculated) filterOwner filterStatus

The en tit y that configur ed this table. It could be the probe agen t or the Manag ement Station.







inva li d (4).



The row creator use s a SetRequ est to set the value o f this object to createReques t (2)








56



Filter Group channelTable objects

Object channelIndex channelIfindex channelAcceptType channelDataControl channelTurnOnEventIndex channelTurnOffEventIndex channelEventIndex channelEventStatus channelMatches channelDescription channelOwner channelStatus

Description

An integer that identifies one row in the table. A row corresponds to a channel.

An integer that identifies the interface through which the monitor is receiving packets. T he value of channelIfindex is the same as the value of ifIndex for this interface in the mi b-2 ifTable.

The value of this object determi nes how the filters for the channel are to function. T here are two possible integer values: accept Matched ( 1 ) and accept Fai led (2).

If the value is set to 1, the packet must pass both the data and status filters associa ted with the channel to be accepted by the channel.

If the value is set to (2), the packet will be accepted by the channel only if it fails either the data or status filters associated with the channel.

There are two possible integer values: on (1) and off(2). The channel must be "on" for data, status and events to "flow through" the channel.

An integer that identifies the event in the Event group that will turn the channelDataControl from off to on when the event occurs.

channelTurnOnEv entInd ex has the same value as the eventInd ex object in the Event Group (to be discussed) that identifies the same event. In other words, if the event associated with eventIndex occurs, c hannelDataControl is turned on and the channel passes filtered packe ts

An integer that identifies the event in the Event group that will turn the channelDataControl from on to off when the event occurs.

channelTurnOffEventIndex has the same value as the eventInd ex object in the Event Gr oup that identifies the same event. In other words, if the event associa ted with eventIndex occurs, channelDataControl is turned off and the channel passes no further packets.

An integer that identifies the event that is generated when the channelDataControl is on and the packet is matched. channelEventInd ex has the same value as eventInd ex in the Eve nt Group.

There are 3 possible integer values for this object: eventReady (1), eventFired (2) and eventAlwaysReady (3 ).If the value is 1, a single event may be generated and then the probe will set the value to 2. No further events may be generated until this object is reset to 1. If the value of the object is 3, e vents may continue to be generated.

The number of times a packet matches this channel. The number of matches continues to be updated even if channelDataControl is set to off.

Comments about the channel

The entity that configured the channel such as a Management Station



An integer that specifies the status of the row.



Its values can be either valid (1), createRe quest (2) underCreation (3) or

invalid (4).



The row creator uses a SetRequest to set the value of this object to createRe quest (2)



The agent then sets the value to underCreation(3) until the creator is finished



The creator then sets the value to valid(1)


57

RMON Control Table







Create/edit RMON channels o As shown in Capture Group slides

Control Table for RMON Channels (above)

Select: Owner  View Details


58

Channel Information





All objects here are in channelTable

Owner  channelOwner











Interface Index  channelIfIndex

Channel Index  channelIndex

Status  channelStatus

Packet Matches  channelMatches

Accept Type  channelAcceptType


59

Channel Information










Data Flow Control  channelDataControl o off(2) means no packets being captured

Turn On Event Index  channel… o Event to turn off(2) to on(1)

Turn Off Event Index  channel… o Event to turn on(1) to off(2)


60

Channel Information








Generated Event Index  channelEventIndex o 0 means no event generated by a matched packet

(configured in Event Group)

Generated Event Status  channelEventStatus o o o o

Options are… eventReady(1) eventFired(2) eventAlwaysReady(3)


61

Filter Example









May not want to include all packets

Can set up filter for each channel

Above is filter from Probe 2 to WS2

Another filter needed for opposite direction


62

Filter Example



Filter for packets from probe 2 to WS2













Link layer  ifTable/ifType = ethernet-csma(6)

Protocol  filterTable/filterPktData = IP

Sub-protocol  filterTable/filterPktData = UDP

Source address  Probe 2 (MAC and IP address)

Destination address  WS2 (MAC and IP address)

Allow packets  filterTable/filterPktStatus o Any Packet = 0


63

Captured/Filtered Packets


64

All Captured Frames


65

Contents of Frame



Detailed view of packet

o Similar to Ethereal


66

Analysis of Captured Frames







Packet 10 (out of 28) shown

Next, filter o o

UDP packets

Length 00 fe

Click “apply” o Next slide…


67

Analyze Screen





Find 6 frames that satisfy the filter o Out of 28 captured frames

Can filter down to frames of interest


68

Alarm Group





alarmTable “Threshold” compared

o If threshold exceeded, alarm sent

Used with Event Group


69

alarmTable

Objects

Object alarmI ndex alarmI nterval alarmV ariable alarmS amp leT ype alarmValue alarmSt artupA larm alarmRis ing Thresho ld alarmF all ing Thresho ld alarmRis ing Even tIndex alarmF all ing Even tIndex alarmOwne r alarmSt atus

Description

An integer that identifies a row in the table

The time interval over which the variable is sampled

The object identifier of the variable to be samp led

There are two types:

 absoluteVa lue (1) - value of object is compared directly with the threshold.

 deltaVa lue (2)- difference between values of object after current samp le and last samp le is compared to the threshold.



The va lue of the object sampled at the end o f the last sampling period.

Ther e are thre e type s:

 risingA larm(1) - is gener ated if the first sample after the row becomes "vali d" equa ls or exc eeds the alarmR isingTh reshold.

 falli ngA larm( 2) - is gene rated if the fir st sample after the row becomes "vali d" is less than or equa l to the alarmF alli ngThre shold

 risingO rFallingA la rm( 3) - is gene rated if eit her the risi ngA larm or the falli ngA larm are violated.



The rising thre shold is exc eeded by the var ia ble



The falli ng thresho ld is greater than the va riable



The va lue of this object is employ ed when the alarmRi singTh reshold is crossed



This value is the same as an even tIndex ob ject in the even tTable.

Thus , the alarmRisingEven tIndex will trigge r an even t in the even tTable.



The va lue of this object is employ ed when the alarmF all ing Thresho ld is crossed



This value is the same as an even tIndex ob ject in the even tTable.

Thus the alarmF alli ngEven tIndex will trigge r an ev ent in the even tTable



Monit or or Manag ement Station that created a row in the alarmT able







inva li d (4).



The row creator use s a SetRequ est to set the value o f this object to createReque st (2)



The ag ent then sets the value to unde rCreation(3) until the creator is finished





70





Two tables o eventTable and logTable

Specify event triggered by

Alarm group o Events can also be triggered from elsewhere

Event Group


71

eventTable and logTable

even tIndex

Object even tDescription even tType even tCommun it y even tLastTim eSent even tOwner even tStatus logEv entIndex logIndex logT im e logDe scription

Description



An integer that identifi es a row in the even tTable



Text description of the even t defined by this row

Ther e are 4 type s:

 none (1) - no event ha s been de fined

 log (2) - an entry is made in the correspond ing row of the log Table

 snmp-trap (3) - a trap is sent to one or more manage me nt stations

 log-and- trap (4) - entry is made and trap is sent

 the comm uni ty string that is to be entered in the trap message . Must be the same as what is configured for the trap recipient

 the value o f the sysUp Time object in the mi b-2 system group when the even t defined by ev entIndex was last trigg ered.



Monit or or Manag ement Station that created this row in the even tTable



Must be "v alid (1)" for even t to be trigge rable



Has same value a s even tInd ex for the even t that trigg ered the log entry



An integer that identifi es this entry among other entries of the same even tType, i.e. non e, log , trap or log-and- trap



The va lue of sysUp Tim e in the mi b-2 system group when this entry was gene rated



A description o f the even t that caused this entry in the logT able.


72

Event Example





In channelTable… channelTurnOffEventIndex o o

Can set value equal to an eventIndex in eventTable with eventType of trap(3)

Then any packet that matches channel will cause a trap to be sent to Mgmt Station o Mgmt Station could be configured to send

SetRequest to turn off the channel


73

Chapter 8 Summary





Examined RMON1 groups (9 of them)

RMON monitors network traffic

o RMON1 for link layer o o o

RMON2 for higher layers

Chapter 8: RMON1

Chapter 9: RMON2


74