Kyung Hee University
Prof. Choong Seon HONG
Remote Network Monitoring: Alarms and Filters
Overview
Dealing with alarms and the filtering and capturing of packets
alarm group
filter group
Packet capture group
event group
9.1 alarm Group
defines a set of thresholds for network performance
If a threshold is crossed in the appropriate direction, an alarm is generated and sent to the central console
consists of a single table, alarmTable
each entry in the table specifies a particular variable to be monitored, a sampling interval, threshold parameters
each entry also contains the most recent sample value, that is, the value observed at the end of the last sampling interval
alarmTable includes the following objects
alarmIndex
alarmInterval
alarmVariable
alarmSampleType
alarm Group (cont’d)
alarmTable includes the following objects (cont’d)
alarmIndex
alarmInterval
alarmVariable
alarmSampleType : takes the values absoluteValue(1) and deltaValue
alarmValue
alarmStartupAlarm
alarmRisingThreshold
alarmFallingThreshold
alarmRisingEventIndex
alarmFallingEventIndex
alarm Group (cont’d)
alarm ( rmon 3 )
  alarmTable (1)
    alarmEntry (1)
      alarmIndex (1)
      alarmInterval (2)
      alarmVariable (3)
      alarmSampleType (4)
      alarmValue (5)
      alarmStartupAlarm (6)
      alarmRisingThreshold (7)
      alarmFallingThreshold (8)
      alarmRisingEventIndex (9)
      alarmFallingEventIndex (10)
      alarmOwner (11)
      alarmStatus (12)
alarm Group (cont’d)
Alarm scheme
the monitor or a management station can define a new alarm by creating a new row in the alarmTable.
combination of variable, sampling interval, and threshold parameter is unique to a given row
The rising threshold is crossed if the current sampled value is greater than or equal to the rising threshold and the value at the last sampling interval was less than the threshold
The falling threshold is crossed if the current sampled value is less than or equal to the falling threshold and the value at the last sampling interval was greater than the threshold
Two types of values for alarms
absoluteValue : the value of an object at the time of sampling
deltaValue : difference in values for the object over successive sampling periods (rate of change)
alarm Group (cont’d)
The rules for the generation of rising-alarm events (see page 254)
alarmStartupAlarm value of risingAlarm or risingOrFalling
[Figure: sampled object value plotted against time, with the rising threshold and falling threshold marked, starting when the entry is first set to valid; * = alarm event generated]
alarm Group (cont’d)
The fluctuations in the value produce another crossing of the rising threshold; this crossing is not counted as an alarm event since it does not satisfy the rules spelled out in the preceding list
alarm Group (cont’d)
Hysteresis mechanism
[Figure: state of the alarm-generation mechanism (falling-alarm state, rising-alarm state) plotted against the sampled object value; the rising alarm is triggered at the rising threshold and the falling alarm is triggered at the falling threshold]
alarm Group (cont’d)
deltaValue should be sampled with greater precision than indicated by alarmInterval
The delta sample should be taken twice per period

Time (t)          0   10   20
Observed value    0   19   32
Delta value       0   19   13

Time (t)          0    5   10   15   20
Observed value    0   10   19   30   32
Delta value       0   10    9   11    2

( X )
if ( rising threshold = 20 )
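
The threshold, startup and hysteresis rules from the preceding slides, together with the twice-per-period delta sampling shown above, are worked through in the following added example (not code from the lecture). The double-sampling helper compares the sum of the latest two delta samples to the threshold, as RFC 2819 suggests; the function names, the hysteresis series and the falling thresholds are assumptions made for illustration.

```python
# Added illustration of the RMON alarm-group rules; not code from the lecture.

def alarm_events(samples, rising, falling, startup="risingOrFalling"):
    """Return [(index, kind)] for the alarm events a sample series generates."""
    events, last_kind, prev = [], None, None
    for i, value in enumerate(samples):
        kind = None
        if prev is None:
            # First sample after the entry is set to valid:
            # alarmStartupAlarm decides whether an event may fire.
            if value >= rising and startup in ("risingAlarm", "risingOrFalling"):
                kind = "rising"
            elif value <= falling and startup in ("fallingAlarm", "risingOrFalling"):
                kind = "falling"
        elif value >= rising and prev < rising and last_kind != "rising":
            kind = "rising"       # crossing, and not already in rising state
        elif value <= falling and prev > falling and last_kind != "falling":
            kind = "falling"      # crossing, and not already in falling state
        if kind:
            events.append((i, kind))
            last_kind = kind
        prev = value
    return events


def deltas(observed):
    """deltaValue samples: difference between successive observations."""
    return [b - a for a, b in zip(observed, observed[1:])]


def sliding_deltas(observed_half):
    """Sample twice per interval; compare the sum of the latest two deltas."""
    d = deltas(observed_half)
    return [a + b for a, b in zip(d, d[1:])]


# Constructed series showing hysteresis (rising=20, falling=10).
HYSTERESIS_SERIES = [5, 25, 18, 26, 3, 30]
# Observed values from the slide's tables (rising threshold = 20).
ONCE_PER_INTERVAL = [0, 19, 32]            # t = 0, 10, 20
TWICE_PER_INTERVAL = [0, 10, 19, 30, 32]   # t = 0, 5, 10, 15, 20

if __name__ == "__main__":
    print(alarm_events(HYSTERESIS_SERIES, rising=20, falling=10))
    # falling=5 is an assumed value; the slide only gives the rising threshold.
    print(alarm_events(deltas(ONCE_PER_INTERVAL), rising=20, falling=5))
    print(alarm_events(sliding_deltas(TWICE_PER_INTERVAL), rising=20, falling=5))
```

In the hysteresis series the second crossing of the rising threshold (18 to 26) produces no event because no falling event has occurred in between. With the slide's values, sampling once per interval never reaches the threshold of 20, while the sliding sum of half-interval deltas reaches it at t = 15.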
filter group
provides a means by which a management station can instruct a
monitor to observe selected packets on a particular interface
Two kinds of filter
data filter : allowing the monitor to screen observed packets on the basis of a bit pattern that a portion of the packet matches (or fails to match)
status filter : allowing the monitor to screen observed packets on the basis of their status (for example, valid, CRC error)
filter group (cont’d)
Filter logic
input = the incoming portion of a packet to be filtered
filterPktData = the bit pattern to be tested for,
filterPktDataMask = the relevant bits to be tested for,
filterPktDataNotMask = indication of whether to test for a match or a mismatch
An example of the use of the filter test in case of Ethernet
filterPktDataOffset = 0
filterPktData = 0x0000000000A50000000000BB
filterPktDataMask = 0xFFFFFFFFFFFFFFFFFFFFFFFF
filterPktDataNotMask = 0x000000000000FFFFFFFFFFFF
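
The data-filter test can be written out as in the following added example (not code from the lecture), using the match rule that RFC 2819 defines for these objects and assuming data, mask and not-mask have equal length. The function names and the frames are constructed for illustration; with the slide's values the filter accepts frames whose destination address is 0x0000000000A5 and whose source address is not 0x0000000000BB.

```python
# Added illustration of the RMON data-filter test; not code from the lecture.

def data_filter_passes(packet, offset, data, mask, not_mask):
    """Apply one data filter (match rule per RFC 2819) to raw packet bytes."""
    window = packet[offset:offset + len(data)]
    if len(window) < len(data):
        return False                   # packet too short: the filter fails
    must_match_ok = True               # bits with NotMask = 0 must all match
    has_must_differ = False            # are any bits under Mask AND NotMask?
    differs = False                    # did at least one of those bits differ?
    for p, d, m, n in zip(window, data, mask, not_mask):
        diff = (p ^ d) & m             # relevant bits that differ from the pattern
        if diff & ~n & 0xFF:
            must_match_ok = False
        if m & n:
            has_must_differ = True
            if diff & n:
                differs = True
    return must_match_ok and (differs or not has_must_differ)


# Filter values from the slide's Ethernet example.
OFFSET = 0
DATA = bytes.fromhex("0000000000A50000000000BB")
MASK = bytes.fromhex("FFFFFFFFFFFFFFFFFFFFFFFF")
NOT_MASK = bytes.fromhex("000000000000FFFFFFFFFFFF")

# Constructed frames: destination (6 bytes), source (6 bytes), type, payload.
FRAMES = {
    "dst A5, src CC": bytes.fromhex("0000000000A5" "0000000000CC" "0800") + b"x",
    "dst A5, src BB": bytes.fromhex("0000000000A5" "0000000000BB" "0800") + b"x",
    "dst A6, src CC": bytes.fromhex("0000000000A6" "0000000000CC" "0800") + b"x",
    "truncated":      bytes.fromhex("0000000000A5"),
}


def classify(frames):
    """Return {label: passed} for each constructed frame."""
    return {label: data_filter_passes(f, OFFSET, DATA, MASK, NOT_MASK)
            for label, f in frames.items()}


if __name__ == "__main__":
    for label, passed in classify(FRAMES).items():
        print(f"{label}: {'pass' if passed else 'fail'}")
```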
filter group (cont’d)
Channel Definition
the stream of packets that pass the test
The packet is passed through each of the filters defined for that channel
filter logic for channel i if channelAcceptType = acceptMatched (1)
filter group (cont’d)
filter group structure
consists of two control tables
associated with that channel are one or more rows in the filterTable
read page 265
Packet capture group
The packet capture group can be used to set up a buffering scheme for capturing packets from one of the channels in the filter group
rmon (mib-2 16)
  statistics (1)
  history (2)
  alarm (3)
  host (4)
  hostTopN (5)
  matrix (6)
  filter (7)
  capture (8)
  event (9)
  tokenRing (10)
Packet capture group (cont’d)
consisting of two groups
bufferControlTable : specifying the details of the buffering function
captureBufferTable : buffering the data
Refer to page 266
Packet capture group (cont’d)
capture (rmon 8)
  bufferControlTable (1)
    bufferControlEntry (1)
      bufferControlIndex (1)
      bufferControlChannelIndex (2)
      bufferControlFullStatus (3)
      bufferControlFullAction (4)
      bufferControlCaptureSliceSize (5)
      bufferControlDownloadSliceSize (6)
      bufferControlDownloadOffset (7)
      bufferControlMaxOctetsRequested (8)
      bufferControlMaxOctetsGranted (9)
      bufferControlCapturedPkts (10)
      bufferControlTurnOnTime (11)
      bufferControlOwner (12)
      bufferControlStatus (13)
  captureBufferTable (2)
    captureBufferEntry (1)
      captureBufferControlIndex (1)
      captureBufferIndex (2)
      captureBufferPacketID (3)
      captureBufferPacketData (4)
      captureBufferPacketLength (5)
      captureBufferPacketTime (6)
      captureBufferPacketStatus (7)
Packet capture group (cont’d)
the relationship between the control table and the data table

bufferControlTable
bufferControlIndex   bufferControlChannelIndex   bufferControlCapturedPkts
1                    C1                          N1
2                    C2                          N2
K                    CK                          NK

captureBufferTable
captureBufferControlIndex   captureBufferIndex   captureBufferPacketData
1                           1                    P(1,1)
1                           2
1                           3
1                           N1                   P(1,N1)
2                           x + 1                P(2,x + 1)
2                           x + 2                P(2,x + 2)
2                           x + 3                P(2,x + 3)
2                           x + N2               P(2,x + N2)

[Figure label: Identifier in buffer]
9.4 event Group
An event is triggered by a condition located elsewhere in the MIB, and an event can trigger an action defined elsewhere in the MIB
An event may also cause information to be logged in this group and may cause an SNMP trap message to be issued.
Also, an event that is defined in this group can be used to trigger activity related to another group.
For example, an event can trigger turning a channel on or off
Refer to Page 271
One key use of the event group is in conjunction with the alarm group
The alarm group can define rising-threshold and falling-threshold events that are referenced by indexing into the eventTable
9.5 Practical Issues
Packet capture overload
A preferred alternative is to do much of the analysis locally, at the monitor, and send much more aggregated results to the management station.
The packet capture feature of RMON can be useful if used intelligently
for example, broadcast storm
RMON can be used to capture packets to and from the suspect device, for analysis by the network manager at the management station
Interoperability
RMON manager program must be able to work with a variety of RMON probes