1 Kyung Hee University Prof. Choong Seon HONG Remote Network Monitoring Remote Network Monitoring...

11Kyung Hee Universit

y

Prof. Choong Seon HONG

Remote Network MonitoringRemote Network MonitoringAlarms and Filters


y

OverviewOverview

Dealing with alarms and the filtering and capturing of packets

alarm group

filter group

Packet capture group

event group


y

9.1 9.1 alarmalarm Group Group

defines a set of thresholds for network performance

If a threshold is crossed in the appropriate direction, an alarm is generated and sent to the central console

consists of a single table, alarmTable

each entry in the table specifies a particular variable to be monitored, a sampling interval, threshold parameters

the single entry contains the recent sample value, that is, the value observed at the end of the last sampling interval

alarmTable including following objects

alarmIndex

alarmInterval

alarmVarible

alarmSampleType


y

alarmalarm Group (cont’d) Group (cont’d)

alarmTable including following objects (cont’d)

alarmIndex

alarmInterval

alarmVarible

alarmSampleType : having absoluteValue(1) and deltaValue

alarmValue

alarmStartupAlarm

alarmRisingThreshold

alarmFallingThreshold

alarmRisingEventIndex

alarmFallingEventIndex


y

alarmalarm Group (cont’d) Group (cont’d) alarm ( rmon 3 )

alarmTable (1)

alarmEntry (1)

alarmIndex (1)

alarmInterval (2)

alarmVariable (3)

alarmSampleType (4)

alarmValue (5)

alarmStartupAlarm (6)

alarmRisingThreshold (7)

alarmFallingThreshold (8)

alarmRisingEventIndex (9)

alarmFallngEventIndex (10)

alarmOwner (11)

alarmStatus (12)


y


Alarm scheme

the monitor or a management station can define a new alarm by creating a new row in the alarmTable.

combination of variable, sampling interval, and threshold parameter is unique to a given row

The rising threshold is crossed if the current sampled value is greater than or equal to the rising threshold and the value at the last sampling interval was less than the threshold

The falling threshold is crossed if the current sampled value is less than or equal to the falling threshold and the value at the last sampling interval was greater than the threshold

Two types of values for alarms

absoluteValue : the value of an object at the time of sampling

deltaValue : difference in values for the object over successive sampling periods (rate of change)


y


The rules for the generation of rising-alarm events (see page 254)

alarmStartupAlarm value of risingAlarm or risingOrFalling

Sampled objectvalue

Risingthreshold

Fallingthreshold

TimeEntry first

set to valid

*

*

* *

*

* = alarm event generated


y


The fluctuations in the value produce another crossing of the risin

g threshold; this crossing is not counted as an alarm event since it

does not satisfy the rules spelled out in the preceding list


y


Hysteresis mechanism

Sampled

State ofalarm-generation

mechanism

Falling-alarm

stateRising-alarm

state

Falling alarmtriggered

Rising alarmtriggered

Fallingthreshold

Risingthreshold

objectvalue


y


deltaValue be sampled with greater precision than indicated by alarmInterval

The delta sample should be taken twice per period

Time (t) 0 10 20

Observed value 0 19 32

Delta value 0 19 13

Time (t) 0 5 10 15 20

Observed value 0 10 19 30 32

Delta value 0 10 9 11 2

( X )

if ( rising threshold=20)


y

filterfilter group group

provides a means by which a management station can instruct a

monitor to observe selected packets on a particular interface

Two kinds of filter

data filter : allowing the monitor to screen observed packets on the basis of a bit pattern that a portion of the packet matches (or fail to match)

status filter : allowing the monitor to screen observed packets on the basis of their status (for example, valid, CRC error)


y

filterfilter group (cont’d) group (cont’d)

Filter logic

input = the incoming portion of a packet to be filtered

filterPktData = the bit pattern to be tested for,

filterPktDataMask = the relevant bits to be tested for,

filterPktDataNotMask = indication of whether to test for a match or a mismatch

An example of the use of the filter test in case of Ethernet

filterPktDatOffset = 0

filterPktData = 0x0000000000A50000000000BB

filterPktDataMask = 0xFFFFFFFFFFFFFFFFFFFFFFFF

filterPktDataNotMask = 0x000000000000FFFFFFFFFFFF


y



y

filterfilter group (cont’d) group (cont’d) Channel Definition

the stream of packets that pass the test

The packet is passed through each of the filters defined for that channel

filter logic for channel i if channelAcceptType = acceptMatched (1)


y

filterfilter group (cont’d) group (cont’d) RMON filter group structure


y


filter group structure

consists of two control tables

associated with that channel are one or more rows in the filterTable

read page 265


y

PacketPacket capture capture group group The packet capture group can be used to set up a buffering schem

e for capturing packets from one of the channels in the filter grou

p rmon (mib-2 16)

statestics (1)

history (2)

alarm (3)

host (4)

hostTopN (5)

matrix (6)

filter (7)

capture (8)

event (9)

tokenRing (10)


y

PacketPacket capture capture group (cont’d) group (cont’d)

consisting of two groups

bufferControlTable : specifying the details of the buffering function

captureBufferTable : buffering the data

Refer to page 266


y


capture (rmon 8)

bufferControlTable (1)

bufferControlEntry (1)

bufferControlIndex (1)

bufferControlChannelIndex (2)

bufferControlFullStatus (3)

bufferControlFullAction (4)

bufferControlCaptureSliceSize (5)

bufferControlDownloadSliceSize (6)

bufferControlDownloadOffset (7)

bufferControlMaxOctetsRequested (8)

bufferControlMaxOctetsGranted (9)

bufferControlCapturedPkts (10)

bufferControlTurnOnTime (11)

bufferControlOwner (12)

bufferControlStatus (13)

captureBufferTable (2)

captureBufferEntry (1)

captureBufferControlIndex (1)

captureBufferIndex (2)

captureBufferPacketStatus (7)

captureBufferPacketTime (6)

captureBufferPacketLength (5)

captureBufferPacketData (4)

captureBufferPacketID (3)


y


the relationship between the control table

and the data table

buffer ControlIndex

bufferControlChannelIndex

bufferControlCapturedPkts

1 C 1 N 1

2 C 2 N 2

K C K N K

1 1 P(1,1)

1 2

1 3

1 N 1 P(1,N 1)

2 x + 1 P(2,x + 1)

2 x + 2 P(2,x + 2)

2 x + 3 P(2,x + 3)

2 x + N 2 P(2,x + N 2)

captureBufferControlIndex

captureBufferIndex

captureBufferPacketData

captureBufferTable

bufferControlTable

Identifier in buffer


y

9.4 9.4 eventevent Group Group

An event is triggered by a condition located elsewhere in the MIB,

and an event can trigger an action defined elsewhere in the MIB

An event may also cause information to be logged in this group a

nd may cause an SNMP trap message to be issued.

Also, an event that is defined in this group can be used to trigger

activity related to another group.

For example, an event can trigger turning a channel on or off

Refer to Page 271

One key use of the event group is in conjunction with the alarm gr

oup

The alarm group can define rising-threshold and falling threshold events that are referenced by indexing into the eventTable


y

eventevent Group (cont’d) Group (cont’d)


y

9.5 Practical Issues9.5 Practical Issues

Packet capture overload

A preferred alternative is to do much of the analysis locally, at the monitor, and send much more aggregated results to the management station.

The packet capture feature of RMON can be useful if used intelligently

for example, broadcast storm RMON can be used to capture packets to and from the suspect device, for

analysis by the network manager at the management station

Interoperability

RMON manager program must be able to work with a variety of RMON probes

1 Kyung Hee University Prof. Choong Seon HONG Remote Network Monitoring Remote Network Monitoring...

Documents

Transcript of 1 Kyung Hee University Prof. Choong Seon HONG Remote Network Monitoring Remote Network Monitoring...