TEIN2 Measurement and Monitoring Workshop

Passive MeasurementsBruce.Morgan@aarnet.edu.au

Passive Measurements• Syslog• SNMP

Syslog• Syslog is a means where messages originating on a device

are logged• Normally these are logged to a machine running the syslogd

daemon

Configuring syslog• On the router:

– logging history notifications– logging trap debugging– logging source-interface Loopback0– logging 10.1.1.1

• Logs will be sent to the device at ip address 10.1.1.1

Configuring syslog (continued)• On a unix host syslogd or syslog-ng can be used• /etc/syslog.conf

– Local7.* /var/log/netdev

• /etc/syslog-ng/syslog-ng.confdestination d_netdev {

file("/srv/syslog/netdev/$HOST/$YEAR$MONTH/$YEAR$MONTH$DAY-$HOST.log"template("$DATE $HOST $MESSAGE\n")template_escape(no)owner(root) group(network) perm(0640)dir_owner(root) dir_group(network) dir_perm(0750) create_dirs(yes)); };

filter f_netdev {facility(local7);

};

SNMP• SNMP is the Simple Network Management Protocol and

runs over TCP/IP and is embedded in many network devices allowing access to information

• An SNMP MIB is a Management Information Base –essentially a database that contains information about the state of objects within a device. The initial SNMP MIB (RFC1213) contained basic information for use with network management protocols in TCP/IP-based internets.

SNMP

• Since then the SNMP protocol has been enhanced by versions SNMPv2 and SNMPv3.

• Each SNMP capable device will have a community string (password) with the default for read access being “public”. Make sure you control SNMP access by passwords and ACLS!

Configuring SNMP• On a Cisco router:snmp-server community public RO 99snmp-server community thisismysecretcommunity RW 98 snmp-server ifindex persistsnmp-server trap link ietfsnmp-server trap-source Loopback0snmp-server packetsize 9178snmp-server location APL, ARRC, Kensington, WA 6151snmp-server contact noc@aarnet.edu.ausnmp-server enable traps ttysnmp-server enable traps configsnmp-server enable traps entitysnmp-server enable traps envmon fan shutdown supply temperature statussnmp-server enable traps sonetsnmp-server enable traps bgpsnmp-server enable traps frame-relaysnmp-server enable traps rtrsnmp-server enable traps mpls traffic-engsnmp-server host 10.1.1.10 inform version 2c thisismysecretcommunity

SNMP Tools• There are a number of basic SNMP packages which

can be used to interrogate MIB Object Identifiers (OIDs). Net-SNMP (http://net-snmp.sourceforge.net/) contains command-line applications to retrieve information from SNMP capable devices.

snmp……• snmpget• snmpgetnext• snmpwalk• snmpstatus• snmpset• snmptranslate

OID translation• .1.3.6.1.2.1.2.2.1.10• iso(1).org(3).dod(6).internet(1).mgmt(2).mib-

2(1).Interfaces(2).iftable(2)Ifentry(1).ifInOctets(10).ifIndex

MIB values• RFC 1213

are counts of outbound unicast packets

ifOutUcastPkts(.1.3.6.1.2.1.2.2.1.17)

are counts of inbound unicast packets

ifInUcastPkts(.1.3.6.1.2.1.2.2.1.11)

are counts of the number of bytes output by the interface as shown in the show interfaces command

ifOutOctets (.1.3.6.1.2.1.2.2.1.16)

are counts of the number of bytes input by the interface as shown in the show interfaces command

ifInOctets (.1.3.6.1.2.1.2.2.1.10)

More MIB OIDs

are counted as unclassified errors

ifInUnknownProtos(.1.3.6.1.2.1.2.2.1.15)

are counts of all input errors as reflected in the show interfaces command

ifInErrors (.1.3.6.1.2.1.2.2.1.14)

are counted as no buffers as reflected in the show interfaces command

ifInDiscards (.1.3.6.1.2.1.2.2.1.13)

are counts of inbound broadcast and multicast packets

ifInNUcastPkts(.1.3.6.1.2.1.2.2.1.12)

And out…

is the number of packets allowed to be on the output queue as shown in the show interfaces command

ifOutQLen(.1.3.6.1.2.1.2.2.1.21)

are counted as output errors as shown in the show interfaces command

ifOutErrors(.1.3.6.1.2.1.2.2.1.20)

are counted as output drops as shown in the show interfaces command

ifOutDiscards(.1.3.6.1.2.1.2.2.1.19)

…but as speed increases…• Normally measurements of interface counters are taken at

5 minute intervals - 300 seconds. With 32 bit counters we get wrap around at (2**32/300)*8 bits per second –114Mbps – as opposed to petabits with 64bit counters

• Standard Interface management information is defined in the ifTable, and this is extended with SNMPv2 to the ifXTable described in RFC2233 ifTable uses 32 bit counters to store inbound and outbound octets (ifInOctets/ifOutOctets) while ifXTable uses 64-bit values (ifHCInOctets/ifHCOutOctets).

IF-MIB (64-bit counters)

ifHCOutBroadcastPkts(.1.3.6.1.2.1.31.1.1.1.13)

ifHCInBroadcastPkts(.1.3.6.1.2.1.31.1.1.1.9)

ifHCOutMulticastPkts(.1.3.6.1.2.1.31.1.1.1.12)

ifHCInMulticastPkts(.1.3.6.1.2.1.31.1.1.1.8)

ifHCOutUcastPkts(.1.3.6.1.2.1.31.1.1.1.11)

ifHCInUcastPkts(.1.3.6.1.2.1.31.1.1.1.7)

ifHCOutOctets(1.3.6.1.2.1.31.1.1.1.10)

ifHCInOctets(.1.3.6.1.2.1.31.1.1.1.6)

Exercise:• % snmpwalk –v 2c 111.2.3.4 –c public• % snmpwalk –v 2c 111.2.3.4 –c public ifInOctets• % snmpwalk –v 2c 111.2.3.4 –c public .1.3.6.1.2.1.2.2.1.10• % snmpwalk –v 2c 111.2.3.4 –c public ifHCInOctets• % snmpwalk –v 2c 111.2.3.4 –c public .1.3.6.1.2.1.31.1.1.1.6

• Why is ifIndex persist important?

Monitoring Interface Status%{ifAdminStatus} = (

1 => 'up',2 => 'down'

);%{ifOperStatus} = (

1 => 'up',2 => 'down'

);

Monitoring BGP$oid{bgpPeerState} = ".1.3.6.1.2.1.15.3.1.2";$oid{bgpPeerRemoteAs} = ".1.3.6.1.2.1.15.3.1.9";$soid{bgpPeerRemoteAs} = "mib-2.15.3.1.9";$soid{bgpPeerState} = "mib-2.15.3.1.2";%{bgpPeerState} = (

1 => 'idle',2 => 'connect',3 => 'active',4 => 'opensent',5 => 'openconfirm',6 => 'established'

);

Monitoring OSPF$oid{ospfNbrIpAddr} = ".1.3.6.1.2.1.14.10.1.1";$oid{ospfNbrRtrId} = ".1.3.6.1.2.1.14.10.1.3";$oid{ospfNbrState} = ".1.3.6.1.2.1.14.10.1.6";$soid{ospfNbrIpAddr} = "mib-2.14.10.1.1";$soid{ospfNbrRtrId} = "mib-2.14.10.1.3";$soid{ospfNbrState} = "mib-2.14.10.1.6";%{ospfNbrState} = (

1 => 'down',2 => 'attempt',3 => 'init',4 => 'twoWay',5 => 'exchangeStart',6 => 'exchange',7 => 'loading',8 => 'full'

);

.

Monitoring MSDP$oid{msdpPeerState} = ".1.3.6.1.3.92.1.1.5.1.3";$soid{msdpPeerState} = "experimental.92.1.1.5.1.3";$soid{msdpPeerLocalAddress} = "experimental.92.1.1.5.1.18";$oid{msdpPeerLocalAddress} = ".1.3.6.1.3.92.1.1.5.1.18";%{msdpPeerState} = (

1 => 'inactive',2 => 'listen',3 => 'connecting',4 => 'established',5 => 'disabled'

);

Where to find OIDs?• MIB files:

– /usr/share/snmp/mibs• Cisco OID Translator

– http://tac1.ciscomessage.com/cgi-bin3/DM/y/eQvN0FGprp0GYT0BABd0A3

snmpbulkwalk• More efficient than snmpwalk as the request is processed

bulk fashion• Can result in far fewer packets and processing overhead

on both the interrogated device and the machine requesting

• Very useful if monitoring a large number of hosts

MRTG• MRTG is the Multi Router Traffic Grapher created by

Tobias Oetiker. It is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing graphical images which provide a live visual representation of this traffic. Check http://www.ee.ethz.ch/stats/mrtg/ for an example. MRTG is based on Perl and C and works under UNIX and Windows NT. MRTG is being successfully used in many places

MRTG• While MRTG is generally used to interrogate SNMP

(Simple Network Management Protocol) instances on a network device such as a switch or router, it has the capability to interact with almost any type of user defined input.

• If you have lots of devices to monitor and many things to monitor MRTG can hog the CPU of your collecting host!

MRTG basics • cfgmaker community@router > host.cfg• Set crontab entry• indexmaker host.cfg• Ensure data files are available via http

Monitoring OIDs• ifInDiscards• ifOutDiscards• ifIn Errors• ifOutErrors• monitoring router CPU

– .1.3.6.1.4.1.9.2.1.57.0– .1.3.6.1.4.1.9.2.1.58.0

• monitoring environmentals– .1.3.6.1.4.1.9.9.13.1.3.1.3.2– .1.3.6.1.4.1.9.9.13.1.3.1.3.1