rmon2 rfc4502 (2021 obsolete) remote monitor are often called “monitor” or “probe” decode...


Upload: franklin-burke

Post on 20-Jan-2016


RMON2

• RFC4502 (2021 Obsolete)
• Remote monitors are often called “Monitor” or “Probe”
• Decode packets at layer 3 through 7 of the OSI Model
  – An RMON probe can monitor traffic on the basis of network-layer protocol
  – The probe can record traffic to and from hosts for particular applications

Network layer Visibility

• Network Manager can answer these questions
  – If there is excessive load on the LAN due to incoming router traffic, what networks or hosts account for the bulk of incoming traffic?
  – If a router is overloaded because of a high amount of outgoing traffic, what networks or hosts account for the bulk of outgoing traffic, or to what destination networks or hosts is that traffic directed?
  – If there is a high load of pass-through traffic (arriving via one router and departing via another router), what networks or hosts are responsible for the bulk of this traffic?

Application Level Visibility

• An RMON2 probe is capable of seeing above the IP layer by reading the enclosed higher-level headers such as TCP/UDP and viewing the headers at the application protocol level
• This information is useful in controlling load and maintaining performance
  – An NMS can be implemented that generates charts and graphs depicting traffic percentage by protocols or by applications


RMON MIB (1&2)

RMON2 MIB (1)

• protocol directory – a master directory of all protocols that the probe can interpret

• protocol distribution – aggregate statistics on the amount of traffic generated by each protocol per LAN segment

• address map – match each network address to a specific MAC level address and port on an attached device and the physical address on this subnetwork

• network layer host – statistics on the amount of traffic into and out of hosts on the basis of the network-layer address


RMON2 MIB (2)

• network-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of network address

• application-layer host – statistics on the amount of traffic into and out of hosts on the basis of application-level address

• application-layer matrix – statistics on the amount of traffic between pairs of hosts on the basis of application-level address

RMON2 MIB (3)

• User history collection – periodically samples user-specified variables and logs that data based on user-defined parameters
  – Ex. Collect data on a router-to-router connection
• Probe configuration – define standard configuration parameters for RMON probes
  – To solve interoperability problems

New features in RMON2 (1)

• Indexing with external objects
  – Reduces the control index objects in the data table
  – Accessing an instance of a data entry in RMON1 vs RMON2
    • Rm1datavalue.Rm1controlindex.Rm1dataindex
      – Rm1datavalue.2.89
      – 2 – Rm1controlindex / 89 – Rm1dataindex
    • Rm2datavalue.X.Rm2dataindex
      – X – the value of the index that specifies the set of data rows by the Xth row (external object)
      – Rm2datavalue.2.89 – 2 – external object / 89 – Rm2dataindex

New features in RMON2 (2)

• Time filtering Indexing
  – Typically, a network management application periodically polls all probes for the values of objects
  – It is desirable to have the probe return values only for those objects whose values have changed since the last poll
  – There is no direct way to do this in SNMP, but RMON2 has a mechanism


Example of time filtering

FooTable

fooTable (1)
  fooEntry (1)
    fooTimeMark (1)
    fooIndex (2)
    fooCount (3)

EX1. Time filtering (1)

• Suppose fooTable has 2 values of index – 1, 2
  – Without fooTimeMark, a management station can see only two counters
  – With fooTimeMark, it is possible to request the values of these counters only if they have been updated since a given time

EX1. Time filtering (2)

• For example, the current values are
  – The counter associated with fooIndex = 1 is 5 and was most recently updated at time 6
  – The counter associated with fooIndex = 2 is 9 and was most recently updated at time 8
  – Then, at time 10, a manager issues the request
    • GetRequest(fooCounts.7.1, fooCounts.7.2)
    • To get the values updated since time 7
    • The agent will respond fooCounts.7.2=9


EX2. Time Filtering (1)

EX2. Time Filtering (2)

• Assume that basic row 1 (fooIndex=1) was updated as follows:

  sysUpTime    fooCount.*.1 value
  500          1
  900          2
  2300         3

EX2. Time Filtering (3)

• Assume that basic row 2 (fooIndex=2) was updated as follows:

  sysUpTime    fooCount.*.2 value
  1100         1
  1400         2

EX2. Time Filtering (4)

• A manager station polls a probe every 15 seconds (clock nms records time in hundredths of a second)

1 At nms=1000, the manager does the baseline poll to get everything since the last agent restart (TimeFilter=0)
  GetRequest(sysUpTime.0, fooCounts.0.1, fooCount.0.2)
  Response(sysUpTime.0=600, fooCounts.0.1=1, fooCount.0.2=0)

2 At nms=2500 (15 seconds later), the manager gets an update on all changes since the last report (agent time=600)
  GetRequest(sysUpTime.0, fooCounts.600.1, fooCount.600.2)
  Response(sysUpTime.0=2100, fooCounts.600.1=2, fooCount.600.2=2)

EX2. Time Filtering (5)

The agent received the request at a local time of 2100; counter 1 was incremented at time 900, and counter 2 was incremented at 1100 and 1400

3 At nms=4000, the manager gets an update on all changes since the last report (agent time=2100)
  GetRequest(sysUpTime.0, fooCounts.2100.1, fooCount.2100.2)
  Response(sysUpTime.0=3600, fooCounts.2100.1=3)

Counter 1 was incremented at time 2300; counter 2 has not changed since 2100, so no value is returned for it

EX2. Time Filtering (6)

4 At nms=5500, the manager gets an update on all changes since the last report (agent time=3600)
  GetRequest(sysUpTime.0, fooCounts.3600.1, fooCount.3600.2)
  Response(sysUpTime.0=5500,)

Neither counter has been updated since time 3600, so no value is returned
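
The two time-filtering examples above can be replayed with a toy agent. This is an added illustration, not code from the slides: the function names are hypothetical, the update history is the one given in EX2, and the `>=` comparison plus the "never-updated row has last-change time 0" rule are assumptions chosen to match the baseline poll.

```python
# Added illustration (not from the slides): a toy agent for fooTable that
# answers time-filtered GetRequests. All function names are hypothetical.

# Update history from EX2: fooIndex -> [(agent sysUpTime, new value), ...]
EX2_UPDATES = {
    1: [(500, 1), (900, 2), (2300, 3)],
    2: [(1100, 1), (1400, 2)],
}


def row_state(updates, index, now):
    """Return (last_change, value) for one row as the agent sees it at `now`.

    Assumption: a row that was never updated has value 0 and a last-change
    time of 0 (agent restart), which is why a TimeFilter of 0 still sees it.
    """
    last_change, value = 0, 0
    for when, new_value in updates.get(index, []):
        if when <= now:
            last_change, value = when, new_value
    return last_change, value


def get_request(updates, now, time_mark, indexes):
    """Answer GetRequest(sysUpTime.0, fooCount.<time_mark>.<index>, ...).

    An instance is returned only if the row changed at or after time_mark
    (assumed comparison); otherwise it is simply absent from the reply.
    """
    reply = {"sysUpTime.0": now}
    for index in indexes:
        last_change, value = row_state(updates, index, now)
        if last_change >= time_mark:
            reply[f"fooCount.{time_mark}.{index}"] = value
    return reply


def poll_cycle(updates, agent_times, indexes=(1, 2)):
    """Manager loop: baseline poll with mark 0, then each poll reuses the
    agent's sysUpTime from the previous reply as the next time mark."""
    time_mark = 0
    replies = []
    for now in agent_times:
        reply = get_request(updates, now, time_mark, indexes)
        replies.append(reply)
        time_mark = reply["sysUpTime.0"]
    return replies


if __name__ == "__main__":
    # Agent times of the four polls as they appear in the slides' responses.
    for reply in poll_cycle(EX2_UPDATES, [600, 2100, 3600, 5500]):
        print(reply)
    # EX1: counters 5 and 9, last updated at times 6 and 8, polled at time 10.
    print(get_request({1: [(6, 5)], 2: [(8, 9)]}, 10, 7, [1, 2]))
```

If the manager used its own clock (nms=1000) as the mark for the second poll, the update to row 1 at agent time 900 would be filtered out, which is why the mark is taken from the agent's sysUpTime.0.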

Protocol Directory Group

• It provides a single central point for storing information about types of protocols
• One entry in the table for each protocol for which the probe can decode and count protocol data units (PDUs)
• One scalar object
  – protocolDirLastChange, which contains the time of the last table change
• One columnar object (Table)
  – protocolDirTable
  – The table covers MAC, network and higher layer protocols


protocolDirTable

• Fig 10.5

Protocol identification

• protocolDirID object contains a unique octet string for a specific protocol.
• Octet string identifiers for protocols are arranged in a tree-structured hierarchy.
  – Each layer is identified by a 32-bit value, which is encoded in dotted-decimal format [a.b.c.d]
  – EX. Ethernet is hexadecimal 1, which is encoded as [0.0.0.1] and referred to symbolically as ether2

Protocol Assignments

• Each layer is identified by a 32 bit number (four octets)
• For MAC level protocols
  – ether2 = 1 [0.0.0.1]
  – llc = 2 [0.0.0.2]
  – snap = 3 [0.0.0.3]
  – vsnap = 4 [0.0.0.4]
  – ianaAssigned = 5 [0.0.0.5]
• Protocol consideration
  – network layer, use type field of Ethernet frame (IP = 0.0.8.0)
  – transport layer, use protocol field of IP header (UDP = 0.0.0.17)
  – application layer, use port field of UDP/TCP header (0.0.0.161)

Entry in protocolDirEntry (1)

• EX. Identification of SNMP running over UDP/IP on Ethernet
  – 16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161
  – 16 : the number of octets to follow
• So, for the previous example, the probe is capable of
  – Interpreting all incoming Ethernet frames
  – Looking past the Ethernet header and trailer and interpreting the encapsulated IP datagram
  – Looking past the IP header and interpreting the encapsulated UDP segment
  – Looking past the UDP header and interpreting the encapsulated SNMP PDU

Entry in protocolDirEntry (2)

• A separate entry is needed for each protocol that the probe can interpret and count
• Then four entries are needed in protocolDirEntry, and the protocolDirID values would be
  – Ether2 (4.0.0.0.1)
  – Ether2.ip (8.0.0.0.1.0.0.8.0)
  – Ether2.ip.udp (12.0.0.0.1.0.0.8.0.0.0.0.17)
  – Ether2.ip.udp.snmp (16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161)


Format of index values for protocolDirTable

Protocol parameter (1)

• The second index object for protocolDirTable is protocolDirParameters

• This object instance contains information about the probe’s capability with respect to a particular protocol

• The value is structured as a one-octet count field followed by a set of N-octet parameters, one for each protocol layer in protocolDirID

• Each bit in the parameter octet is encoded separately to define a particular capability

Protocol parameter (2)

• 2 LSB are reserved for all protocols
  – CountFragment (bit0) : Higher-layer protocols encapsulated within this protocol will be counted correctly even if this protocol fragments the upper-layer PDUs into multiple fragments
  – tracksSessions (bit1) : Correctly attributes all packets of a port-mapped protocol, that is, a protocol that starts sessions on a well-known port or socket and then transfers them to dynamically assigned ports or sockets for the duration of the session
    • TFTP (Trivial File Transfer Protocol)

Protocol parameter (3)

• For SNMP running over UDP/IP/Ethernet with fragments counted correctly for IP or above, the following is the encoding of the two objects (protocolDirID, protocolDirParameter)
  16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161.4.0.1.0.0
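
The index encoding described on the protocol identification and protocol parameter slides can be built and parsed mechanically. The following is an added example, not code from the slides or from any RMON implementation: all function and constant names are hypothetical, and it assumes one parameter octet per layer, as in the encoding shown above.

```python
# Added illustration (not from the slides): encode and decode the
# protocolDirTable index, i.e. protocolDirID followed by
# protocolDirParameters. All names here are hypothetical.

# MAC-level assignments listed on the "Protocol Assignments" slide.
MAC_LAYER = {"ether2": 1, "llc": 2, "snap": 3, "vsnap": 4, "ianaAssigned": 5}

COUNT_FRAGMENT = 0x01    # bit 0 ("CountFragment" on the slide)
TRACKS_SESSIONS = 0x02   # bit 1 ("tracksSessions" on the slide)


def encode_dir_id(layers):
    """layers: 32-bit identifiers, outermost first -> dotted protocolDirID."""
    octets = []
    for ident in layers:
        if not 0 <= ident <= 0xFFFFFFFF:
            raise ValueError(f"layer id {ident} does not fit in 32 bits")
        octets.extend(ident.to_bytes(4, "big"))
    return ".".join(str(n) for n in [len(octets)] + octets)


def encode_index(layers, params):
    """protocolDirID plus a count-prefixed parameter octet per layer."""
    if len(params) != len(layers):
        raise ValueError("one parameter octet is required per layer")
    tail = ".".join(str(n) for n in [len(params)] + list(params))
    return encode_dir_id(layers) + "." + tail


def directory_entries(layers):
    """One protocolDirID per protocol on the path (ether2, ether2.ip, ...)."""
    return [encode_dir_id(layers[:d]) for d in range(1, len(layers) + 1)]


def decode_index(dotted):
    """Parse a dotted index into (layers, params), rejecting malformed input."""
    subids = [int(part) for part in dotted.split(".")]
    if any(not 0 <= n <= 255 for n in subids):
        raise ValueError("every sub-identifier must be one octet (0..255)")
    id_len = subids[0]
    if id_len == 0 or id_len % 4 or len(subids) < 1 + id_len:
        raise ValueError("protocolDirID must be a complete, non-empty "
                         "sequence of 4-octet layer identifiers")
    id_octets = subids[1:1 + id_len]
    layers = [int.from_bytes(bytes(id_octets[i:i + 4]), "big")
              for i in range(0, id_len, 4)]
    rest = subids[1 + id_len:]
    if not rest:
        return layers, []            # protocolDirID only, no parameters
    count, params = rest[0], rest[1:]
    if count != len(layers) or len(params) != count:
        raise ValueError("parameter count must match the number of layers")
    return layers, params


def flag_names(param):
    """Names of the two reserved low-order bits set in a parameter octet."""
    names = []
    if param & COUNT_FRAGMENT:
        names.append("CountFragment")
    if param & TRACKS_SESSIONS:
        names.append("tracksSessions")
    return names


if __name__ == "__main__":
    snmp = [MAC_LAYER["ether2"], 0x0800, 17, 161]   # ether2.ip.udp.snmp
    print(encode_index(snmp, [0, COUNT_FRAGMENT, 0, 0]))
    for entry in directory_entries(snmp):
        print(entry)
    layers, params = decode_index(
        "16.0.0.0.1.0.0.8.0.0.0.0.17.0.0.0.161.4.0.1.0.0")
    print(layers, [flag_names(p) for p in params])
```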


Protocol Directory Table (1)

• protocolDirType This object describes 2 attributes of this protocol directory entry.

• SYNTAX – Bits {extensible(0) , addressRecognitionCapable(1) }

Protocol Directory Table (2)

• protocolDirType
  – extensible(0) if the agent or manager may extend this table by creating entries that are children of this protocol
    • An example of an entry that will often allow extensibility is 'ip.udp'. The probe may automatically populate some children of this node, such as 'ip.udp.snmp' and 'ip.udp.dns'.
  – addressRecognitionCapable(1) If this bit is set, the agent will recognize network-layer addresses for this protocol and populate the network- and application-layer host and matrix tables with these protocols.

Protocol Directory Table (3)

• protocolDirAddressMapConfig
• SYNTAX – Integer {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for address mapping for this protocol.
  – notSupported(1) : if not capable of performing address mapping
  – If capable, then the value may be set to supportedOff(2) or supportedOn(3)

Protocol Directory Table (4)

• protocolDirHostConfig
• SYNTAX – Integer {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for the network-layer and application-layer host tables for this protocol.
  – If the value of this object is notSupported(1), the probe will not track the nlHostTable or alHostTable for this protocol
  – If the value of this object is supportedOn(3), the probe supports tracking of the nlHostTable and alHostTable for this protocol and is configured to track both tables for this protocol for all control entries and all interfaces.

Protocol Directory Table (5)

• protocolDirMatrixConfig
• SYNTAX – Integer {notSupported(1), supportedOff(2), supportedOn(3)}
• This object describes and configures the probe's support for the network-layer and application-layer matrix tables for this protocol.
  – If the value of this object is notSupported(1), the probe will not track either of the nlMatrixTables or the alMatrixTables
  – If the value of this object is supportedOn(3), the probe supports tracking of both of the nlMatrixTables and (if implemented) both of the alMatrixTables for this protocol and is configured to track these tables for this protocol for all control entries and all interfaces.


Protocol Distribution Group (1)

• It summarizes how many octets and packets have been sent from each of the protocols supported

• protocolDistControlTable – controls collection of basic statistics for all supported protocols

• protocolDistStatsTable – records the data


Protocol Distribution Group (2)

• Each row in protocolDistControlTable refers to a unique network interface for this probe and controls a number of rows of protocolDistStatsTable, one for each protocol recognized on that interface

Protocol Distribution Group (3)

• protocolDistControlTable consists of
  – protocolDistControlIndex : an integer that uniquely identifies a row in the protocolDistControlTable
  – protocolDistControlDatasource : identifies the interface that is the source of the data for this row
  – protocolDistControlDroppedFrames : total number of received frames for this interface that the probe chose not to count (out of resources)
  – protocolDistControlCreateTime : the value of sysUptime when this control entry was activated


Protocol Distribution Group (4)

• The protocolDistStatsTable includes one row for each protocol in protocolDirTable for which at least one packet has been seen

• It is indexed by protocolDistControlIndex and by protocolDirLocalIndex

Protocol Distribution Group (5)

• protocolDistStatsTable consists of
  – protocolDistStatsPkts: the number of packets received for this protocol
  – protocolDistStatsOctets: the number of octets transmitted to this address since it was added to nlHostTable

Address Map Group (1)

• It matches each network address to a specific MAC-level address

• It is helpful in node discovery and network topology applications for pinpointing the specific path of the network traffic

• 3 scalar objects, one control table (addressMapControlTable) and one data table (addressMapTable)

Address Map Group (1)

• 3 scalar objects are
  – addressMapInserts : the number of times an address-mapping entry has been inserted into the data table
  – addressMapDeletes : the number of times an address-mapping entry has been deleted from the data table
  – addressMapMaxDesiredEntries : the desired maximum number of entries in addressMapTable (if this value is set to -1, the probe may create any number of entries in addressMapTable)

Data table size = addressMapInserts - addressMapDeletes

Address Map Group (2)

• The addressMapControlTable consists of
  – addressMapControlIndex: an integer that uniquely identifies a row in the addressMapControlTable
  – addressMapcontrolDatasource : identifies the interface that is the source of the data for this row and that this row is configured to analyze
  – addressMapControlDroppedFrames: total number of received frames for this interface that the probe chose not to count (out of resources)


Address Map Group (3)

• The addressMapTable will collect address mapping based on source MAC and network addresses seen in error-free MAC frames

• The table will create entries for all protocols in the protocol directory table whose value of protocolDirAddressMapConfig is equal to supportedOn(3)

Address Map Group (4)

• The addressMapTable consists of
  – addressMapTimeMark : a time filter for this entry
  – addressMapNetworkAddress : the network address for this entry
  – addressMapSource : the last interface on which the associated network address was seen
  – addressMapPhysicalAddress : the last source MAC address on which the associated network address was seen
  – addressMapLastChange : the value of sysUpTime at the time this entry was most recently updated

Network-layer Host Group (1)

• nlHost group enables users to decode packets based on their network-layer address
• This group consists of 2 Tables
  – nlHostControlTable : control table
  – nlHostTable : data table

Network-layer Host Group (2)

• Each row in control table refers to a unique interface of the monitor
• nlHostControlTable
  – nlhostControlIndex : an integer that uniquely identifies a row in the nlHostControlTable
  – nlHostControlDataSource : identifies the interface that is the source of the data for the data table entries defined by this row
  – nlHostControlNlDroppedFrames : total number of received frames for this interface that the probe chose not to count for the associated nlHost entries


Network-layer Host Group (3)

– nlHostControlNlInserts : the number of times an nlHost entry has been inserted into the nlHostTable data table

– nlHostControlNldeletes : the number of times an nlHost entry has been deleted from the nlHostTable data table

– nlhostControlNlMaxDesiredEntries : the desired maximum number of entries in nlHostTable

Network-layer Host Group (4)

  – nlHostControlAlDroppedFrames : total number of received frames for this interface that the probe chose not to count for the associated alHost entries
  – nlHostControlAlInserts : the number of times an alHost entry has been inserted into the alHostTable data table
  – nlHostControlAldeletes : the number of times an alHost entry has been deleted from the alHostTable data table
  – nlhostControlAlMaxDesiredEntries : the desired maximum number of entries in alHostTable

Network-layer Host Group (5)

• nlHostTable will create entries for all network-layer protocols in the protocol directory table whose value of protocolDirNlHostConfig is equal to supportedOn(3)
• nlHostTable
  – nlHostTimeMark : a time filter for this entry
  – nlHostAddress : the network address for this entry
  – nlHostInPackets : the number of error-free packets transmitted to this address since it was added to the table


Network-layer Host Group (6)

– nlHostOutPackets : the number of error-free packets transmitted from this address since it was added to the table

– nlHostInOctets : the number of octets (error-free packets) transmitted to this address since it was added to the table

– nlHostOutOctets : the number of octets (error-free packets) transmitted from this address since it was added to the table

Network-layer Host Group (7)

  – nlHostCreateTime : the value of sysUpTime when this control entry was activated
  – nlHostOutMacNonUnicastPkts : the number of packets transmitted by this address that were directed to the MAC broadcast address or to any MAC multicast address since this entry was added to the table

Network-layer Host Group (7)

• nlHostTable is indexed by four objects:
  – nlHostControlIndex : define interface
  – nlHostTimeMark : a time filter
  – protocolDirLocalIndex : the identity of the protocol
  – nlHostAddress : the network address

Application-Layer Host Group (1)

• The nlHostControlTable also controls alHostTable
• Only alHostTable in application-layer host group
• alHostTable will create entries for all application-level protocols in the protocol directory table whose value of protocolDirALHostConfig is equal to supportedOn(3)

Application-Layer Host Group (2)

• alHostTable
  – alHostTimeMark : a time filter for this entry
  – alHostInPackets : the number of error-free packets of this protocol type transmitted to this address since it was added to the table
  – alHostOutPackets : the number of error-free packets of this protocol type transmitted from this address since it was added to the table


Application-Layer Host Group (3)

– alHostInOctets : the number of octets (error-free packets) of this protocol type transmitted to this address since it was added to the table

– alHostOutOctets : the number of octets (error-free packets) of this protocol type transmitted from this address since it was added to the table

– alHostCreateTime : the value of sysUpTime when this control entry was activated

Application-Layer Host Group (4)

• alHostTable is indexed by five objects:
  – nlHostControlIndex : define interface
  – alHostTimeMark : a time filter
  – protocolDirLocalIndex : the identity of the network layer protocol
  – nlHostAddress : the network address
  – protocolDirLocalIndex : the identity of the application layer protocol

Network Layer Matrix Group (1)

• It gathers statistics based on source and destination network-layer address
• The network layer statistics consist of one control table and 2 data tables
  – nlMatrixControlTable : control table for network layer matrix group and application layer matrix group
  – nlMatrixSDTable : stores statistics on traffic from a particular source network-layer address to a number of destinations
  – nlMatrixDSTable : stores statistics on traffic to a particular destination network-layer address from a number of sources

Network Layer Matrix Group (2)

• The nlMatrixSDTable is indexed
  – by the row of nlMatrixControlTable that controls it, then
  – by a time filter : nlMatrixSDTimeMark, then
  – by the network-layer protocol : protocolDirLocalIndex, then
  – by the network layer source address : nlMatrixSDSourceAddress, then
  – by the network layer destination address : nlMatrixSDDestAddress

Network Layer Matrix Group (3)

• The nlMatrixDSTable is indexed
  – by the row of nlMatrixControlTable that controls it, then
  – by a time filter : nlMatrixDSTimeMark, then
  – by the network-layer protocol : protocolDirLocalIndex, then
  – by the network layer destination address : nlMatrixDSDestAddress, then
  – by the network layer source address : nlMatrixDSSourceAddress


Network-Layer TopN Statistics (1)

• To determine which pairs of hosts rank in the top N according to some metric

• One control table and one data table
– nlMatrixTopNControlTable
– nlMatrixTopNTable


Network-Layer TopN Statistics (2)

• nlMatrixTopNControlTable
– nlMatrixTopNRateBase : specifies one of two variables (nlMatrixTopNPackets(1) / nlMatrixTopNOctets(2))
– nlMatrixTopNRequestedSize : the maximum number of matrix entries requested for the topN table


Network-Layer TopN Statistics (3)

• nlMatrixTopNTable
– nlMatrixTopNPktRate – the number of packets seen from source host to destination host during this sampling interval
– nlMatrixTopNReversePktRate – same as above (but destination to source)
– nlMatrixTopNOctetRate – the number of octets seen from source host to destination host during this sampling interval
– nlMatrixTopNReverseOctetRate – same as above (but destination to source)


Network-Layer TopN Statistics (4)

• The nlMatrixTopNTable is indexed by
– nlMatrixTopNControlIndex
– nlMatrixTopNIndex
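
How a topN report follows from two snapshots of the source-destination matrix counters, as an added example that is not from the slides or the RFC. The snapshot data, the 32-bit wrap handling and the function names are assumptions made for the illustration.

```python
from collections import namedtuple

TOPN_PACKETS, TOPN_OCTETS = 1, 2   # rate base values as listed on the slide
WRAP = 2 ** 32                     # assumption: 32-bit counters that may wrap

Entry = namedtuple(
    "Entry", "index src dst pkt_rate rev_pkt_rate octet_rate rev_octet_rate")

# Constructed snapshots: (source, destination) -> (packets, octets)
START = {
    ("10.0.0.5", "10.0.1.9"): (100, 64000),
    ("10.0.1.9", "10.0.0.5"): (90, 9000),
    ("10.0.0.7", "10.0.2.2"): (10, 1000),
    ("10.0.0.8", "10.0.2.2"): (4294967290, 1000),  # about to wrap
}
END = {
    ("10.0.0.5", "10.0.1.9"): (400, 500000),
    ("10.0.1.9", "10.0.0.5"): (350, 30000),
    ("10.0.0.7", "10.0.2.2"): (1010, 70000),
    ("10.0.0.8", "10.0.2.2"): (4, 8000),
}

def delta(start, end, key):
    """Packets and octets counted for one direction during the interval."""
    if key not in end:              # pair not seen (or aged out): no traffic
        return 0, 0
    p0, o0 = start.get(key, (0, 0))
    p1, o1 = end[key]
    return (p1 - p0) % WRAP, (o1 - o0) % WRAP

def top_n(start, end, rate_base, requested_size):
    """Rank directional pairs by the rate base; at most requested_size rows."""
    rows = []
    for src, dst in end:
        pkts, octets = delta(start, end, (src, dst))
        rev_pkts, rev_octets = delta(start, end, (dst, src))
        rows.append((src, dst, pkts, rev_pkts, octets, rev_octets))
    col = 2 if rate_base == TOPN_PACKETS else 4
    active = [r for r in rows if r[col] > 0]
    active.sort(key=lambda r: (-r[col], r[0], r[1]))
    return [Entry(i, *r) for i, r in enumerate(active[:requested_size], 1)]

if __name__ == "__main__":
    for entry in top_n(START, END, TOPN_PACKETS, 2):
        print(entry)
```

Each row is directional, so a busy pair can appear twice, once per direction, with the reverse columns carrying the other direction's rate.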


Application-Layer Matrix Group (1)

• Statistical collection of information based on source and destination application address (port number)

• This group consists of 3 data tables and 1 control table
– alMatrixSDTable
– alMatrixDSTable
– alMatrixTopNControlTable
– alMatrixTopNTable


alMatrix Group (2)

• Fig 10.15


Application-Layer Matrix Group (2)

• The alMatrixSDTable (alMatrixDSTable) is indexed by
– nlMatrixControlIndex : that identifies a unique subnetwork
– nlMatrixSDTimeMark : time filter
– protocolDirLocalIndex : the network-layer protocol
– nlMatrixSDSourceAddress : the network layer source address
– nlMatrixSDDestAddress : the network layer destination address
– protocolDirLocalIndex : the application-layer protocol


Application-Layer Matrix Group (3)

• alMatrixTopNControlTable has the same structure as the nlMatrixTopNControlTable

• Only difference is the definition of the rate base object: alMatrixTopNRateBase

• alMatrixTopNTerminalsPkts(1) counts only protocol packets (no child protocol)

• alMatrixTopNTerminalsOctets(2) counts only protocol octets (no child protocol)

• alMatrixTopNAllPkts(3)

• alMatrixTopNAllOctets(4)


Application-Layer Matrix Group (4)

• alMatrixTopNTable
– alMatrixTopNPktRate – the number of packets seen from source host to destination host during this sampling interval
– alMatrixTopNReversePktRate – same as above (destination to source)


User history collection group (1)

• User history collection group

• Collects particular statistics and variables, then logs that data based on user-defined parameters

• User history collection group consists of usrHistoryControlTable, usrHistoryObjectTable,


User history collection group (2)


User history collection group (3)

• userControlTable
– usrHistoryControlIndex
– usrHistoryControlObjects
– usrHistoryControlBucketsRequested
– usrHistoryControlBucketsGranted
– usrHistoryControlInterval
– usrHistoryControlOwner
– usrHistoryControlStatus


User history collection group (4)

• usrHistoryObjectTable
– usrHistoryObjectIndex
– usrHistoryObjectVariable : identifies the variable to be collected
– usrHistoryObjectSampleType : absolute or delta value


User history collection group (5)

• usrHistoryTable
– usrHistorySampleIndex
– usrHistoryIntervalStart
– usrHistoryIntervalEnd
– usrHistoryAbsValue
– usrHistoryValStatus


User history collection group (3)


Probe configuration group

• Probe configuration group
– To solve interoperability among RMON probe and managers


Security Consideration (1)

• The usrHistoryGroup periodically samples the values of user-specified variables on the probe and stores them in another table.
– The agent MUST ensure that usrHistoryObjectVariable is not writable in MIB views that don't already have read access to the entire agent. Because the access control configuration can change over time, information could later be deemed sensitive that would still be accessible to this function.
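
The rule above exists because the probe samples the chosen variable on the user's behalf and stores the value where that user can read it. A sketch of the agent-side check follows, added here and not taken from the slides or any probe implementation; the view model ignores VACM masks, and the views, agent OID list, usrHistoryObjectVariable OID and function names are assumptions for illustration.

```python
# Assumed column OID: rmon(1.3.6.1.2.1.16).usrHistory(18).2.1.2
OBJ_VAR = "1.3.6.1.2.1.16.18.2.1.2"

# Constructed sample of object instances held by the agent
AGENT_OIDS = [
    "1.3.6.1.2.1.1.1.0",            # sysDescr.0
    "1.3.6.1.2.1.2.2.1.10.1",       # ifInOctets.1
    "1.3.6.1.2.1.16.18.2.1.2.1.1",  # a usrHistoryObjectVariable instance
    "1.3.6.1.6.3.15.1.2.2.1.3.1",   # an instance under the USM user table
]

# Constructed views: lists of (subtree, included?)
ADMIN_READ = [("1", True)]
OPERATOR_READ = [("1.3.6.1.2.1", True)]                    # mib-2 only
ALMOST_READ = [("1", True), ("1.3.6.1.6.3.15", False)]     # all but USM
RMON_WRITE = [("1.3.6.1.2.1.16", True)]

def parse(oid):
    return tuple(int(part) for part in oid.strip(".").split("."))

def in_view(view, oid):
    """Maskless VACM-style membership: the longest matching subtree decides."""
    target, best = parse(oid), None
    for subtree, included in view:
        sub = parse(subtree)
        if target[:len(sub)] == sub and (best is None or len(sub) > best[0]):
            best = (len(sub), included)
    return bool(best and best[1])

def reads_entire_agent(read_view, agent_oids):
    """True only if every object the agent holds is readable in this view."""
    return all(in_view(read_view, oid) for oid in agent_oids)

def may_set_object_variable(read_view, write_view, agent_oids):
    """Writable only for principals whose read view already covers everything.

    Checking just the requested target at SET time is not enough: sampling
    continues after the access configuration changes.
    """
    return (in_view(write_view, OBJ_VAR)
            and reads_entire_agent(read_view, agent_oids))

if __name__ == "__main__":
    for name, view in [("admin", ADMIN_READ), ("operator", OPERATOR_READ),
                       ("almost", ALMOST_READ)]:
        print(name, may_set_object_variable(view, RMON_WRITE, AGENT_OIDS))
```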


Security Consideration (2)

• A probe implementing this MIB is likely to also implement RMON [RFC2819], which includes functions for returning the contents of captured packets, potentially including sensitive user data or passwords.
– It is recommended that SNMP access to these functions be restricted


Security Consideration (3)

• There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create.
– Such objects may be considered sensitive or vulnerable in some network environments.
– The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.


Security Consideration (4)

• Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments.
– It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP.


Security Consideration (5)

• SNMP versions prior to SNMPv3 did not include adequate security.

• Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

• It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).


Security Consideration (6)

• Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.

• Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.


Practical Issues