Rmon 1

Chapter 8 Overview
RMON1 is a MIB
o Also known as RMON
Recall that mib-2 gives info on devices

RMONs provide network info
RMON1 provides info at link (MAC) layer
RMON2 is discussed in chapter 9
o Info at network layer and above
Chapter 8 Remote Monitoring (RMON1)
Textbook LAN
Probe 1 and probe 2 are RMON probes

Probe 2 is RMON1 only
Probes capture packets in promiscuous mode
RMON1 MIB Groups

Well
consider the following groups
o Statistics group, History group,

o Alarm group, Host group,
o HostTopN group, Matrix group
o Filter group, Capture group,
o and Event group
Statistics Group
Group
Statistics
group
(mib2.16.1)
Description
Consists of the etherStatsTable.
There is one table entry (row) for eachEthernet
subnetwork to which the RMON1 device is
connected.
Eachrow consists of valuesof column objects for a
subnetwork.
The column objects are counter objects. An
example column object is the counter
etherStatsPkts that is the number of ethernet
packets received sincethe RMON1 device was first
started.
There are 21 column objects in the table.
Overall
Function
Counts packets with
characteristics
defi ned byobjects in
the etherStatsTable.
The packet count is
for all framesread
regardless of device.
statistics
History Group
Group
History
group
(mib2.16.2)
Description
Consists of two tables: the historyControlTable
and the etherHistoryTable.
The management appli cation uses the
historyControlTable to specif y for example the
subnetwork interface that wil l be monitored, the
sampling interval andhow many sampli ng
intervals.
The etherHistoryTable has 15column objects. Each
of these objects is sampled in the sampli ng interval.
A row in the etherHistoryTable consists of the
values of the column objects for one sampling
interval. Thus, for each interface, there are as many
rows in the etherHistoryTable as sampling intervals
Function
Develops a history
of each
etherHistoryTable
object. Does this by
counting packets for
each object over a
number of defined
sampling intervals
Alarm Group
Alarm
group
(mib2.16.3)
Consists of the alarmTable

The management appli cation creates a row in the
table by defi ning the object to be monitored, the
sampling interval andthe alarm thresholds
Other column objects defi ne howthe threshold and
object valuesduring a sampli ng interval are to be
compared
Alarms can be generated andactions taken,
depending on the result of the comparison, by
referencing rows in the eventTable.
Identifies selected
object valuesthat
become greater or
less than thresholds
during the sampli ng
interval.
Host Group
Hostgroup
(mib2.16.4)
This group gathers statistics specif ic to hosts on the

LAN that is being monitored.
It consists of 3 tables: hostControlTable,
hostTable and hostTimeTable.
The remote monitor learns about hosts from
reading MAC addressesin packets it receives
The host Table has onerow for each host
discovered
The values of column objects in a hostTable row
are statistics for a specifi c host. An example would
be the number of packets received, hostInPkts.
The hostTimeTable contains the same information
as the hostTable. However, the rows are ordered by
the time when the host was detected.
Records MAC
Address and
statistics for packets
received or
transmitted for each
host detected on the
subnet
HostTopN Group
HostTopN
group
(mib2.16.5)
This group consists of 2 tables:

hostTopNControlTable and hostTopNTable.
The statistics that are compli ed make use of the
values of objects in the host group.
The management station uses the
hostTopNControlTable to specif y the maximum
number of hosts, N, to monitor, the sampli ng
interval, a variable from the hostTable to monitor
and the changeof that variable during the sampling
interval
The hostTopNTable ranks the results for the topN
hosts relative to a selected variable suchas
hostInPkts.
Determinesthe most
active N hosts
during every
sampling interval for
a specifi ed variable
such as "i n-packets."
Matrix Group
Matrix
group
(mib2.16.6)
This group contains 3 tables: matrixControlTable,

matrixSDTable and matrixDSTable. (SD =
source->destination andDS = destination->source )
The matrixControlTable functions li ke control
tables describedfor other groups
The matrixSDTable and matrixDSTable present a
logical matrix of source and destination addresses
to the management appli cation.
The matrixSDTable and matrixDSTable contain the
same information.
The matrixSDTable and the matrixDSTable are
indexeddifferently so that the management
appli cation canquickly access the desired data for a
particular communication.
Includedamong the column objects are the MAC
source and destination addresses ofthe hosts
involved in communication. There is one row for
each communication in the matrixSDTable and
matrixDSTable.
Records host MAC

Addresses and
statistics, such as
"in-packets," for
conversations
between hosts.
Filter Group
Filtergroup
(mib2.16.7)
Consists of two control tables: filterTable and

channelTable.
Objects in the filt erTable all ow the management
appli cation to defi ne what packets will be
processed bythe monitor based onthe content of
the fields in the packets
Two types of content fi lters are appli ed to define a
channel: the data filt er andthe status filt er. There
canbe multi ple filt ers appli ed by creating multi ple
data andstatus filters.
Data filters fi lter on bit patterns in the packet
Status filt ers filter on errors such as CRC errors
Packets that pass a data/status filt er combination
constitute a channel.
Eachchannel has acapture buffer for its packets
Packets in a channel can be retrieved from the
capture buffer by the NMS using capture group
objects
Packets that match filt ers can produceevents
defi nedin the event group
Defi nesthe
characteristics of
readpackets that
should be processed
by the probe.Such
characteristics
determine a channel
Capture Group
Capture
group
(mib2.16.8)
This group hastwo tables: bufferControlTable

and captureBufferTable.
Eachrow of the buff erControlTable defines the
capture characteristics of onebuffer. For example,
one object defines how much of a packet will be
captured andanother object how much of that will
be returned to the management appli cation in a
SNMP GetResponse message
Each buff er has a captureBuff erTable. Eachrow in
this table is assignedto a packet in that buffer. One
object, for example, defines the length of the
packet.
Defi neshow much

of a channel packet
is captured and how
much is transmitted
to the Management
Station.
Event Group
Event
group
(mib2.16.9)
This group contains the eventTable and the

logTable.
A row in the eventTable defines the parameters of
an event
A row in the logTable defi nesthe event type and
the specifi c event of that type andstores data about
the event
Trap messages generated by an event canbe used
to control objects in other groups.
Defi nesand logs

events that are
generated by
objects in other
groupsandiniti ates
actions
Statistics Group
Simplest
RMON1 group
Counts all
packets
detected
Increment
counts
Control Objects and Tables

Control objects in RMON1 and RMON2
Specify how data is collected
o And whether probe or mgmt station decides
Mgmt station looks at control objects to see

if data being collected as desired
Mgmt station can modify control objects
Probe-created control objects generally
should not be changed
Control Objects and Tables

Suppose mgmt station wants to collect data
from a particular subnet
It could create a new row in
etherStatsTable
Instead, could use control objects so that
only the desired data is collected
Saves storage on the probe
Use SetRequest to set control object values
etherStatsTable Control Objects

Object
etherStatsDataSource
etherStatsOwner
etherStatsStatus
Description
An integer that formall y identif ies the device
interface from which the data is to be processed.
Has the same value as if Index in the ifTable in
mib-2 for this device
A string that identifi es the creator of the table
row that is associated with
etherStatsDataSource
Is either the agent with the name monitor or a
Management Station name and IP address
An integer that specifi es the status of the row.
Its valuescanbe either vali d (1),
createRequest (2) underCreation (3) or
invali d (4).
The row creator uses a SetRequest to set the
value of this object to createRequest (2)
The agent then sets the value to
underCreation(3) until the creator is finished
The creator must then set the value to vali d(1)
for the row objects to begin to coll ect data.
MeterWare
Summary
view
Probe
2 info
RMON1 on Probe 2
Object values
Click Statistics
Probe 2 has one interface, so only one row

etherStatsOwner = monitor
o Agent created and owns this row
etherStatsStatus = valid
o Agent will store collected data
etherStatsDataSource = ifIndex.1
o Identifier of mib-2 for probe interface to 192.192.192.240
etherStatsIndex = 1
o First row in table
View
Add
Modify
Delete
Help
select row and start collecting stats

add another row
edit current row
delete a row
get help (duh!)
History Group
A
record of what happens over

defined sampling intervals
Similar to Statistics Group
Main difference is sampling intervals
History Group includes
o etherHistoryTable
o historyControlTable
History Group
MIB
browser view
historyControlTable
Column
objects
historyControlTable
One row for each historyControlInterval

o In this case, 30 and 1800 seconds
o 120 buckets (intervals) for each
So 240 rows in etherHistoryTable
historyControlTable
Object
historyControlIndex
historyControlDataSource
Row1
1
if Index.1
Row2
2
if Index.1
historyControlInterval
30 sec
historyControlBuckets
Requested
historyControlBuckets
Granted
120
120
120
120
historyControlStatus
vali d(1)
vali d(1)
1800 sec
Description
Index object for the rows
Interface to subnet 192.192.192.240
Has the value of ifIndex. in the
mib-2 ifTable
There are two Sampli ng interval
lengths. One for short term history
and onefor long term history
Number of sampli ng intervals
requested
Number of sampli ng intervals
granted. Determineshow long the
sampling will be doneand thus how
much probememory is granted.
Granted buckets canbe less than
requested buckets
An integer that specifi es the status of
the row.
Its valuescanbe either vali d (1),
createRequest (2)
underCreation (3) or
invali d (4).
The row creator uses a SetRequest to
set the value of this object to
createRequest (2)
The agent then sets the value to
underCreation(3) until the creator is
finished
The creator then sets the value to
valid(1)
etherHistoryTable
Recall,
240 rows in etherHistoryTable
etherHistoryTable and
historyControlTable
Object
etherHistoryIndex
etherHistorySampleIndex
etherHistoryIntervalStart
etherHistoryDropEvents
Description
IdentifiesetherHistoryTablerowswitharowinthe
historyControlTable.
etherHistoryIndex=historyControlIndex
ItisanIndexobjectfortheetherHistoryTable
etherHistoryIndexandetherHistorySampleIndextaken
togetheridentifythebucketstoassociatewitharowinthe
historyControlTable
ItisanIndexobjectfortheetherHistoryTable
ThevalueofsysUpTimeobjectintheSystemsgroupatthe
startofthesampleinterval.
Thenumberoftimesitwasdetectedthatthemonitor
droppedapacketduetolackofresources
Sample History Report

30
second history report
Host Group
Statistics per host
Note statistics and history groups do not
relate their stats to hosts
4 tables: hostControlTable, hostTable,
hostTimeTable, hostControl2Table (RMON2)
hostControlTable
hostCotrolTableSize
o Number of hosts detected so far
hostControlLastDeleteTime
o Last reset time
hostControlTable
Object
hostControlIndex
hostControlDataSource
hostControlTableSize
hostControlL astDeleteTime
hostControlOwner
hostControlStatus
Description
An integer that identifi esa row in
hostControlTable and the probe interface to
the subnet
An integer that identifi es the probe
interface to the subnet. It is equal to the
value of ifIndex in the ifTable in mib-2.
The number of rows (hosts) in the
hostTable detected on
hostControlDataSource.
The value of sysUpTime at which an entry
in the hostTable was deleted
Agent doesdeletion if monitor resources
become scarce.
Information is neededby hostTi meTable
The creator of the hostControlTable row
As we have se
en in other control tables, the
status must be set to vali d(1) in order for
the probeto collect data for the hostTable
hostTable
Object
host Address
hostCreationOrder
hostIndex
Description
The MAC address of the host
An integer between 1 and
hostControlTableSize specif ying the order
in time in which the host was detected on
the interface. The small er the integer, the
earli er the host wasdetected
All hosts detected on the same interface
havethe same integer value, i.e.
hostIndex= hostControlIndex
Index
object, MAC address pairs

Host address is index object
o Index object has address in decimal
hostTimeTable
Object
hostTimeAddress
hostTimeCreationOrder
hostTimeIndex
Same objects as hostTable
Different index object
Description
The MAC address of the host
An integer between 1 andhostControlTableSize
specifying the order in time in which the host was
identif ied on the interface. The small er the integer, the
earli er the host was detected
Index object for the hostTimeTable
All hosts detected on the same interface have the same
value.
Index object for the hostTimeTable
hostTimeIndex =hostIndex = hostControlIndex
o hostTimeCreationOrder, not hostAddress

o So that new hosts easily distinguished
o Also hostTimeIndex
Too Many Hosts?
If too many hosts, probe uses

hostTimeCreationOrder to drop hosts
o Drop those that have not been used for longest
o hostTimeCreationOrder is in hostTimeTable
To be sure it uses valid object identifier,

mgmt station checks hostControlLastDeleted
o In hostControlTable
hostTable Example
Hosts detected on probe 2 subnet
HostTopN Group
Rate of change of hostTable info
Sorta like History for specific Host
For each row of hostTopNControlTable
o N rows in hostTopNTable (N is configurable)
hostTopNControlTable
Object
hostTopNControlIndex
hostTopNHostIndex
hostTopNRateBase
hostTopNTimeRemaining
hostTopNDuration
hostTopNReques
tedSize
hostTopNGrantedSize
hostTopNStartTime
hostTopNOwne
r
hostTopNStatus
Description
An integer that identifi esa row in the
Eachrow in that table defi nes the data that will be
reported for N-hosts on one interface
An integer that refers to the interface on which the Nhosts are obse
rved. It is the same for eachof the
N-hosts
hostTopNHostIndex= hostControlIndex
An integer that specifi esone of the 7variables in the
hostTable to count in the sampli ng interval to
determine the hostTopNRateBase (packets/second in
the hostTopNTable)
Choices are:
q
hostTopNInPkts(1)
q
hostTopNOutPkts(2)
q
hostTopNInOctets (3)
q
hostTopNOutOctets(4)
q
hostTopNOutErrors (5)
q
hostTopNOutBroadc
astPkts (6)
q
hostTopNOutMulticastPkts (7)
Number of second
s remainingin thesamplinginterval
Thesamplinginterval in seconds
The nu
mber of hosts, N, requ
estedto includein the
repor
t
The nu
mber of hosts granted
sysUpTimewhenthis report sampling was started.
Monitor or Manag
ement Stationthat createstherow in
thehostTopNControlTable
Anintegerthatspecifiesthestatusofthecontroltable
row.
Itsvaluescanbeeithervalid(1),
createRequest(2)underCreation(3)or
invalid(4).
TherowcreatorusesaSetRequesttosetthevalueof
thisobjecttocreateRequest(2)
TheagentthensetsthevaluetounderCreation(3)until
thecreatorisfinished
Thecreatorthensetsthevaluetovalid(1)
Index
is generated by the probe

Unique for each distribution created
hostTopNTable
Object
hostTopNReport
hostTopNIndex
hostTopNAddress
hostTopNRate
Note
Description
An integer that identifi es the report
hostTopNReport = hostTopNControlIndex
An integer that identifi es the data from onehost
includedin the hostTopNReport
The MAC address associated with the host identified
by hostTopNIndex
The amount of changein the hostTopNRateBase in
packets/second during the sampli ng interval.
that its measuring the change
HostTopN in MeterWare
Distribution
of top 5 hosts
Based on in-packets rate
Addresses of
hosts with
largest number
of in-packets
HostTopN Addresses
This
is not the
same as view on
previous slide
hostTopNAddress
1.3.6.1.2.1.16.5.2.1.3
hostTo pNReport
1915
hostTo pNIndex
1
Va lue
00 40 05 44 A7 DC
Matrix Group
Host-to-host
statistics
Like a 2-d
version of
Host
Matrix Control Tables
matrixControlTable
o Same objects as hostControlTable
matrixSDTable and matrixDSTable

o Only difference is order of index objects
o Source to destination vs destination to source?
o If matrixSDTable is A to B, then corresponding
matrixDSTable is B to A

matrixSDTable
matrixSD
Source Address
(2)
A
A
A
B
B
C
matrixSD
DestAddress
(3)
B
C
D
C
D
D
matrixSD
Index
(1)
matrixSD
Pkts
matrixSD
Octets
matrixSD
Errors
matrixDS
Pkts
matrixDS
Octets
matrixDS
Errors
matrixDSTable
matrixDS
Source Address
(3)
B
C
D
C
D
D
matrixDS
DestAddress
(2)
A
A
A
B
B
C
matrixDS
Index
(1)
Matrix in MeterWare
Filter and Capture Groups

These groups usually used together
Capture Group
o How probe captures frame

o How info is sent from buffer on probe to
buffer on mgmt station
Filter Group
o To select types of frames to capture

o Used to conserve space in buffers
Capture Group
Capture
group objects
Capture Group
bufferControlTable
Object
bufferControlIndex
bufferControlChannelIndex
bufferControlFull Status
bufferControlFull Action
bufferControlCaptureSliceSize
bufferControlDownloadSliceSize
bufferControlDownloadOff set
bufferControlMaxOctetsRequested
bufferControlMaxOctetsGranted
bufferControlCapturedPackets
bufferControlTurnOnTime
bufferControlOwner
bufferControlStatus
Description
The integer that identif ies arow in the
bufferControlTable.
There is onebuffer for each defined channel.
A channel is definedby the filter(s) that are
appli ed to determine which packets are
captured in the buffer.
An integer that identifi es the channel that is
supplying the buff er with packets
A Status value of (1) means spaceis avail able
in the buffer.
If the value is (2), the buffer is full .
A value of (1) means the buffer is locked
when full andwill accept no further packets.
A value of (2) means the buffer will wrap and
discard old packets to make room for new.
Maximum number of octets in eachpacket
that will be captured in the buffer
Maximum number of octets in the buff er that
will be downloadedto the management station
in a single SNMP GetResponse
The off set, in octets, of the first octet that will
be retrievedin a single SNMP GetResponse.
The size of buffers, in octets, requested bythe
management station
Number of buff er octets granted by the probe
agent
Number of packets currently in the buffer
The value of sysUpTime (System Group
object) when this buffer was first turned on
The creator of the buff er (seeControl Table)
Anintegerthatspecifiesthestatusoftherow.
invalid(4).
TherowcreatorusesaSetRequesttosetthe
valueofthisobjecttocreateRequest(2)
Theagentthensetsthevalueto
underCreation(3)untilthecreatorisfinished
Capture Group
captureBufferTable
Object
captureBufferControlIndex
captureBufferIndex
captureBufferPacketID
captureBufferPacketData
captureBufferPacketLength
captureBufferPacketTime
captureBufferPacketStatus
Description
An integer that identifies the buffer that holds this
packet. It has the same value as the
bufferControlIndex that identifies the buffer
The integer that uniquely identifies this packet
The integer that identifies the order in which packets
were received on the interface regardless of the buffer
in which stored.
The actual packet data
The actual length of the packet in octets
The number of milliseconds from the time the buffer
was turned on until this packet was captured
A number that represents the number of errors
detected in the packet. See RFC 1271 for details about
how this number is calculated.
Capture Group
How packets are captured and buffered
o Well fill in the details on the next few slides

Data
Status
Channel1
Buffer1
Filter2
Channel2
Buffer2
Filter3
Channel3
Buffer3
Filter1
Packets
Edit
NMS
Channels
Probe
2 channels
Channel editor
o To set values in
bufferControlTable
Channels
Create new channel
Run button
o Start capturing
Filter tab
o Make filters
Buffer tab
o Show captured
packets, protocols,
Analyze tab
o More specific
filtering/analysis
Filter Group
By
default (in Meterware) all packets

captured until buffer is full
Can then filter the ones of interest
o Using analyze tab
But
some packets might be missed

due to full buffer
Filter group used to prevent this
Filter Group
Filter
group objects
Filter Group
Object
filterIndex
filterChannelIndex
filterPktDataOffset
filterPktData
filterTable
objects
filterPktDataMask
filterPktDataNotMask
filterPktStatus
filterPktStatusMask
filterPktStatusNotMask
filterOwner
filterStatus
Description
An integer that identifies a row in the table. Each row
defines a data filter and a status filter. Together these
form the filter for a channel
An integer that identifies the channel that uses the filter.
Offset, in octets, from the beginning of the MAC
destination address to where the filter will begin to be
applied for the case of an Ethernet frame
The data specified in the data filter that the input packet
must match.
The mask that determines which packet bits to be
matched are relevant for processing. Only if a bit in the
filterPktDataMask is 1 is the packet bit relevant for
processing
For relevant bits in the packet to pass the
filterPktDataNotMask test, for each bit in this mask that
is 1, the relevant packet bit must differ from the bit in the
filterPktData. Likewise, for each bit in the
filterPktDataNotMask that is 0, the packet bits and the
filterPktData bits must differ
Errors found in the relevant bits of the input packet are
mapped to an integer sum. The value of this sum is
compared to the filterPktStatus. (see RFC2819 for how
the sum is calculated)
Bits in this mask determine which packet input bits are
relevant for the filterPktStatus test
For the relevant bits in the input packet to pass the
filterPktStatusNotMask test, for each bit in this mask that
is 1, the bits in the integer sum must all differ from the
bits in the filterPktStatus. Likewise, for each bit in the
filterPktStatusNotMask that is 0, the sum bits and the
filterPktStatus bits must differ. (see RFC 2819 for how
the sum is calculated)
The entity that configured this table. It could be the probe
agent or the Management Station.
invalid(4).
TherowcreatorusesaSetRequesttosetthevalueof
thisobjecttocreateRequest(2)
TheagentthensetsthevaluetounderCreation(3)
untilthecreatorisfinished
Filter Group
channelTable
objects
Object
channelIndex
channelIfindex
channelAcceptType
channelDataControl
channelTurnOnEventIndex
channelTurnOffEventIndex
channelEventIndex
channelEventStatus
channelMatches
channelDescription
channelOwner
channelStatus
Description
An integer that identifies one row in the table. A row corresponds to a
channel.
An integer that identifies the interface through which the monitor is
receiving packets. The value of channelIfindex is the same as the value of
ifIndex for this interface in the mib-2 ifTable.
The value of this object determines how the filters for the channel are to
function. There are two possible integer values: acceptMatched (1) and
acceptFailed (2). If the value is set to 1, the packet must pass both the data
and status filters associated with the channel to be accepted by the channel.
If the value is set to (2), the packet will be accepted by the channel only if it
fails either the data or status filters associated with the channel.
There are two possible integer values: on (1) and off(2). The channel must
be "on" for data, status and events to "flow through" the channel.
An integer that identifies the event in the Event group that will turn the
channelDataControl from off to on when the event occurs.
channelTurnOnEventIndex has the same value as the eventIndex object in
the Event Group (to be discussed) that identifies the same event. In other
words, if the event associated with eventIndex occurs, channelDataControl is
turned on and the channel passes filtered packets
An integer that identifies the event in the Event group that will turn the
channelDataControl from on to off when the event occurs.
channelTurnOffEventIndex has the same value as the eventIndex object
in the Event Group that identifies the same event. In other words, if the event
associated with eventIndex occurs, channelDataControl is turned off and the
channel passes no further packets.
An integer that identifies the event that is generated when the
channelDataControl is on and the packet is matched. channelEventIndex
has the same value as eventIndex in the Event Group.
There are 3 possible integer values for this object: eventReady (1),
eventFired (2) and eventAlwaysReady (3).If the value is 1, a single event
may be generated and then the probe will set the value to 2. No further
events may be generated until this object is reset to 1. If the value of the
object is 3, events may continue to be generated.
The number of times a packet matches this channel. The number of matches
continues to be updated even if channelDataControl is set to off.
Comments about the channel
The entity that configured the channel such as a Management Station
invalid(4).
TherowcreatorusesaSetRequesttosetthevalueofthisobjectto
createRequest(2)
TheagentthensetsthevaluetounderCreation(3)untilthecreatoris
finished
RMON Control Table
Create/edit RMON channels

o As shown in Capture Group slides
Control Table for RMON Channels (above)

Select: Owner View Details
Channel Information
All objects here are in
channelTable
Owner
channelOwner
Interface Index channelIfIndex

Channel Index
channelIndex
Status
channelStatus
Packet Matches
channelMatches
Accept Type
channelAcceptType
Channel Information

channelTable
Data Flow Control
channelDataControl
o off(2) means no packets being captured
Turn On Event Index
channel
o Event to turn off(2) to on(1)
Turn Off Event Index
channel
o Event to turn on(1) to off(2)
Channel Information

channelTable
Generated Event Index
channelEventIndex
o 0 means no event generated by a matched packet
(configured in Event Group)
Generated Event Status

o
o
o
o
Options are
eventReady(1)
eventFired(2)
eventAlwaysReady(3)
channelEventStatus
Filter Example
May not want to include all packets

Can set up filter for each channel
Above is filter from Probe 2 to WS2
Another filter needed for opposite direction
Filter Example
Filter for packets from

probe 2 to WS2
Link layer ifTable/ifType = ethernet-csma(6)

Protocol filterTable/filterPktData = IP
Sub-protocol filterTable/filterPktData = UDP
Source address Probe 2 (MAC and IP address)
Destination address WS2 (MAC and IP address)
Allow packets filterTable/filterPktStatus
o Any Packet = 0
Captured/Filtered Packets
All Captured Frames
Contents of Frame
Detailed
view of packet
o Similar to Ethereal
Analysis of Captured Frames

Packet 10 (out
of 28) shown
Next, filter
o UDP packets
o Length 00 fe
Click apply
o Next slide
Analyze Screen
Find 6 frames that satisfy the filter

o Out of 28 captured frames
Can filter down to frames of interest
Alarm Group
alarmTable
Threshold compared
o If threshold exceeded, alarm sent
Used
with Event Group
alarmTable
Objects
Object
alarmIndex
alarmInterval
alarmVariable
alarmSampleType
Description
An integer that identifies a row in the table
The time interval over which the variable is sampled
The object identifier of the variable to be sampled
There are two types:
absoluteValue (1) - value of object is compared directl y with the threshold.
deltaValue (2)- diff erence between values of object after current sample and last
sample is compared to the threshold.
alarmValue
alarmStartupAlarm
alarmRisingThreshold
alarmFall ingThreshold
alarmRisingEventIndex
alarmFall ingEventIndex
alarmOwner
alarmStatus
The value of the object sampled at the end of the last sampling
period.
There are three types:
risingAlarm(1) - is generated if the first sample after the row
becomes "vali d" equals or exceedsthe alarmRisingThreshold.
falli ngAlarm(2) - is generated if the fir st sample after the row
becomes "vali d" is less than or equal to the alarmFalli ngThreshold
risingOrFallingAlarm(3) - is generated if either the risingAlarm or
the falli ngAlarm are violated.
The rising threshold is exceeded bythe variable
The falli ng threshold is greater than the variable
The value of this object is employed when the alarmRisingThreshold
is crossed
This value is the same asan eventIndex object in the eventTable.
Thus, the alarmRisingEventIndex will trigger an event in the
eventTable.
The value of this object is employed when the
alarmFall ingThreshold is crossed
This value is the same asan eventIndex object in the eventTable.
Thus the alarmFalli ngEventIndex will trigger an event in the
eventTable
Monitor or Management Station that created a row in the alarmTable
invalid(4).
TherowcreatorusesaSetRequesttosetthevalueofthisobjectto
createRequest(2)
TheagentthensetsthevaluetounderCreation(3)untilthecreatoris
finished
Event Group
Two tables
o eventTable and
logTable
Specify event
triggered by
Alarm group
o Events can also
be triggered
from elsewhere
eventTable and logTable

Object
eventIndex
eventDescription
eventType
eventCommunity
eventLastTimeSent
eventOwner
eventStatus
logEventIndex
logIndex
logTime
logDescription
Description
An integer that identifi esa row in the eventTable
Text description of the event defi nedby this row
There are 4 types:
none(1) - no event has been de
fi ned
log (2) - an entry is madein the corresponding row of
the logTable
snmp-trap (3) - a trap is sent to one or more
management stations
log-and-trap (4) - entry is madeand trap is sent
the community string that is to be entered in the trap
message. Must be the same as what is confi guredfor
the trap recipient
the value of the sysUpTime object in the mib-2 system
group whenthe event defined by eventIndex was last
triggered.
Monitor or Management Station that created this row
in the eventTable
Must be "valid (1)" for event to betriggerable
Has same value as eventIndex for the event that
triggered the log entry
An integer that identifi es this entry among other
entriesof the same eventType, i.e. none, log, trap or
log-and-trap
The value of sysUpTime in the mib-2 system group
when this entry was generated
A description of the event that causedthis entry in the
logTable.
Event Example
In channelTable
channelTurnOffEventIndex
o Can set value equal to an eventIndex in
eventTable with eventType of trap(3)

o Then any packet that matches channel will
cause a trap to be sent to Mgmt Station
o Mgmt Station could be configured to send
SetRequest to turn off the channel
Chapter 8 Summary
Examined
RMON1 groups (9 of them)

RMON monitors network traffic
o RMON1 for link layer
o RMON2 for higher layers
o Chapter 8: RMON1
o Chapter 9: RMON2

Rmon 1

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Rmon 1

Caricato da

Copyright:

Formati disponibili

Chapter 8 Overview

Recall that mib-2 gives info on devices

o Info at network layer and above

Chapter 8 Remote Monitoring (RMON1)

Probe 1 and probe 2 are RMON probes

Chapter 8 Remote Monitoring (RMON1)

RMON1 MIB Groups

consider the following groups

o Statistics group, History group,

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

Consists of the alarmTable

Chapter 8 Remote Monitoring (RMON1)

This group gathers statistics specif ic to hosts on the

Chapter 8 Remote Monitoring (RMON1)

This group consists of 2 tables:

Chapter 8 Remote Monitoring (RMON1)

This group contains 3 tables: matrixControlTable,

Records host MAC

Chapter 8 Remote Monitoring (RMON1)

Consists of two control tables: filterTable and

Chapter 8 Remote Monitoring (RMON1)

This group hastwo tables: bufferControlTable

Chapter 8 Remote Monitoring (RMON1)

Defi neshow much

This group contains the eventTable and the

Defi nesand logs

Chapter 8 Remote Monitoring (RMON1)

Control Objects and Tables

o And whether probe or mgmt station decides

Mgmt station looks at control objects to see

Chapter 8 Remote Monitoring (RMON1)

Control Objects and Tables

Chapter 8 Remote Monitoring (RMON1)

etherStatsTable Control Objects

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

etherStatsTable Control Objects

Probe 2 has one interface, so only one row

o Agent will store collected data

o Identifier of mib-2 for probe interface to 192.192.192.240

Chapter 8 Remote Monitoring (RMON1)

etherStatsTable Control Objects

select row and start collecting stats

Chapter 8 Remote Monitoring (RMON1)

record of what happens over

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

One row for each historyControlInterval

So 240 rows in etherHistoryTable

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

240 rows in etherHistoryTable

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)

Sample History Report

second history report

Chapter 8 Remote Monitoring (RMON1)

Chapter 8 Remote Monitoring (RMON1)