
Information Engineering and Technology Faculty Department of Networks German University in Cairo

Assignment One

Group names:
Aalaa Othman, 13-3691, T-6
Salma Youssef, 13_553, T-8
Monica Akladious, 13-8196, T-6
Karim Ali, 13-4364, T-8

Submission Date: May 22nd, 2012

Table of Contents
Remote Monitoring
How is RMON beneficial in network management?
RMON 1 and RMON 2
RMON1
RMON1 Groups
Token Ring extensions to RMON MIB
RMON2
Capabilities of RMON2
RMON2 Groups
Probes

Remote Monitoring
The success of SNMP management made managing network components popular. SNMPv1 established the basis for remotely monitoring a network from a network operations center (NOC) and for carrying out configuration and error management, but the degree to which network performance could be managed was restricted. Network performance is usually described statistically, which led to measuring the statistics of the significant network parameters from the NOC and to the development of remote monitoring features.

RMON was introduced to address the management of LAN segments and remote sites from a central location. It is a specification that allows different network monitors and console systems to send and receive network monitoring data, and it lets network administrators choose consoles and probes whose features satisfy their networking requirements.

The monitors and probes mentioned above are the remote network monitoring devices; they are used mainly for running and observing a network. Probes are mostly separate devices that dedicate major resources to managing a network. An organization can use a large number of these devices, up to one per network segment, to manage its internet. It can also manage a geographically remote network, as when the support center of a service provider or the central support organization of a company manages a remote site.

Initially RMON devices were dedicated to implementing the RMON MIB modules. Eventually cards were introduced that added RMON capabilities to a switch, hub or router. RMON also became a software capability added to the software of a network device, and a software application that can run on clients or servers.

Although the scenarios addressed differ, the main function of RMON as a dedicated network management tool is offered in all of them. These functions were initially designed to operate in promiscuous mode, capturing packets on network segments. Later the functions were implemented so that they no longer rely only on promiscuous packet capture: more data collection methods were introduced, and promiscuous mode is now one of many options for gathering data.

How is RMON beneficial in network management?


The following section explains the main advantages of using RMON in network management.

1. Offline Operation
The management station does not keep in constant contact with its remote monitoring devices, mainly to reduce communication costs. A probe is therefore set up to gather statistics continuously, even when the management station itself is not functioning efficiently, and if an exceptional condition occurs it tries to alert the station. This allows the management station to be kept informed about performance, faults and configuration in an efficient way.

2. Proactive Monitoring
If resources are available on the monitor, it should run diagnostics and record information about network performance. Because the monitor is always available at the onset of a fault in the network, it can immediately inform the station of the failure and can log statistical information about it, which the station can use for further analysis to find the main cause of the failure.

3. Problem Detection and Reporting


The monitor can be configured to recognize the error conditions that occur most often and to check for them continuously. As soon as one of these conditions occurs, the event is recorded and the stations are alerted to it.

4. Value Added Data


A remote monitoring device is a network resource dedicated to managing the network, and since it sits on the part of the network being monitored it can add useful value to the data it gathers. For example, by identifying the hosts that generate the most faults and traffic, the probe can give the management station the information and statistics needed to work out the problems that occur.

5. Multiple Managers
A single organization can have more than one management station, to provide recovery from failures and disasters and to serve different tasks and units in the organization. Because this case is likely to exist in the network, the remote monitoring device has to communicate with more than one management station, possibly using its resources concurrently.

RMON 1 and RMON 2


There are two versions of RMON: RMONv1 and RMONv2. RMON1 defines 10 MIB groups for monitoring the network, which are used by the most recent network hardware. RMON2, on the other hand, concentrates on traffic from the layers above the MAC layer: it focuses on IP and application-level traffic. It enables packet monitoring on all network layers, unlike RMON1, which operates only at the MAC layer and the layer below, as shown in Figure 1.

Figure 1: Layers that RMON1 and RMON2 focus on

RMON1
RMON1 mainly operates at layer 2 and delivers the statistics it gathers about the link layer in various ways. It also generates alerts and alarms when certain thresholds are reached, and it can capture packet contents. With the RMON1 MIB, network managers can gather important data from different segments of the network in order to observe network performance and resolve the faults that occur. The RMON1 MIB offers past and present traffic statistics for a network segment and between different hosts, and it provides an alert mechanism for setting thresholds and informing the network manager of any changes in the performance of the network. RMON1 can be used as a protocol analyzer. It consists of 10 MIB groups, described in the next section. The figure below shows the RMON1 groups.

Figure 2: RMON1 groups

RMON1 Groups
1. The Ethernet Statistics Group: It holds measured statistics about the Ethernet interfaces observed by the probe. It consists of the Ethernet statistics table, which contains the number of packets sent and dropped, checksum errors, fragments, packet counters, etc.
2. The History Control Group: It controls the statistical sampling of data from different sorts of network media.
3. The Ethernet History Group: It saves the periodic statistical samples taken from an Ethernet network and keeps them to be retrieved later. It includes the count of the sampled items and the total number of samples.
4. The Alarm Group: It takes statistical samples from variables in the probe and compares them to the thresholds that have been set up; if one of these variables reaches its threshold, it creates an event. It contains the alarm table and defines the types of alarms generated and the values of the starting and stopping thresholds.
5. The Host Group: It holds statistics for each host found on the network. It discovers hosts by building a list of the source and destination MAC addresses observed in the good packets it captures from the network. It contains the address of the host and its multicast, broadcast and error packets.
6. The HostTopN Group: This group is used to produce reports about the hosts that top a list ordered by one of their statistics. The statistics provided are samples of one of the base statistics over a time interval defined by the station, so the resulting statistics are rate based. The station also decides how many such hosts are reported. This group includes hosts, sample start and stop periods, statistics and rate base.
7. The Matrix Group: It records statistics for the conversations between two MAC addresses. As soon as the device detects a new conversation it creates a new entry in its tables. It contains the destination and source address pairs and the errors generated for each pair.
8. The Filter Group: It allows packets to be matched by a filter equation. The matched packets form a data stream that can be captured or can be used to notify the network about events that took place. It contains the type of the bit filter, the bit level and the conditional expression for filters.
9. The Packet Capture Group: It captures packets after they pass through a channel. It includes information about the size of the buffer that holds the captured packets and the total number of captured packets.
10. The Event Group: This group generates events from the device and notifies the network when they take place. It contains information about the event type and the last time the event was detected in the network.
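The threshold comparison performed by the Alarm Group, as an added example that is not part of the original assignment. It assumes the rising/falling (start/stop) threshold pair works as hysteresis, compares the per-interval change of an SNMP Counter32 value, and uses constructed counter readings; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

COUNTER32 = 2 ** 32  # SNMP Counter32 values wrap around at this modulus


@dataclass
class RmonAlarm:
    rising: int                     # threshold that raises the alarm
    falling: int                    # threshold that re-arms it (hysteresis)
    last_raw: Optional[int] = None  # previous raw counter reading
    armed: str = "both"             # event allowed next: "both", "rising", "falling"
    events: list = field(default_factory=list)

    def sample(self, tick: int, raw: int) -> None:
        prev, self.last_raw = self.last_raw, raw
        if prev is None:
            return                  # the first reading only sets the baseline
        # Delta sampling: change since the last interval, correct across a wrap.
        value = (raw - prev) % COUNTER32
        if value >= self.rising and self.armed in ("both", "rising"):
            self.events.append((tick, "rising", value))
            self.armed = "falling"  # no second rising event until a falling one
        elif value <= self.falling and self.armed in ("both", "falling"):
            self.events.append((tick, "falling", value))
            self.armed = "rising"


def run_alarm(samples, rising, falling):
    """Feed one reading per sampling interval and return the generated events."""
    alarm = RmonAlarm(rising=rising, falling=falling)
    for tick, raw in enumerate(samples):
        alarm.sample(tick, raw)
    return alarm.events


# Constructed cumulative error-counter readings, one per interval.
# The counter wraps past 2**32 between the 6th and 7th reading.
SAMPLES = [4294966900, 4294966950, 4294967065, 4294967175, 4294967181,
           4294967235, 49, 51, 52]

if __name__ == "__main__":
    for event in run_alarm(SAMPLES, rising=100, falling=10):
        print(event)
```

The second interval above the rising threshold (tick 3) and the second one below the falling threshold (tick 8) produce no event, which is what keeps a counter hovering near a threshold from flooding the management station.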

Token Ring extensions to RMON MIB


The functions implemented in the RMON1 MIB were mainly specific to Ethernet media. To support Token Ring media, new objects had to be defined in this extension, and the MIB also introduced monitoring functions exclusive to Token Ring. The extension contains several groups, each responsible for a specific task.

RMON2
It extends the architecture of RMON1 by taking RMON diagnostics up to the application layer, as mentioned earlier. It is important to know, however, that RMON2 is not a replacement for RMON1. Both are in use, each performing a different task: RMON1 offers data for protocol analysis and segment monitoring, while RMON2 offers data for application and network monitoring. The most useful capability of RMON2 is its focus on monitoring the layers above the MAC layer, which gives a view of the network as a whole instead of dealing with a single segment.

Capabilities of RMON2
1. Higher Layer Statistics: It provides the host and matrix tables provided by RMON1, but at the network and application layers. By monitoring these statistics the manager can now see which clients are communicating with which servers.
2. Address Translation: It binds MAC addresses to network-layer addresses, which are much simpler to read and remember. The translation helps the network manager build topology maps and helps in discovering duplicate IP addresses.
3. Improved Filtering: Since RMON2 supports higher-layer protocols, extra filters are needed to let the user configure filters easily and more efficiently.
4. Probe Configuration: RMON2 enables one vendor's application to remotely configure another vendor's probe.

RMON2 Groups
The RMON2 groups are protocol directory, protocol distribution, address mapping, network layer host, network layer matrix, application layer host, application layer matrix, user history and probe configuration.

First, the Protocol Directory lets an RMON2 application establish which protocols a particular RMON2 agent implements, which is particularly important when the application and the agent do not come from the same vendor. To understand this, remember that many protocols run on one network, some well known and some custom to a particular application; any RMON2 solution therefore had to provide a framework that supports them all. The Protocol Directory concept separates the protocol definition from the table structure in which the protocol traffic information is stored.

Second, the protocol distribution group collects combined statistics on the distribution of the traffic generated by each protocol per LAN segment. It also maps the data collected by a probe to the correct protocol name, which the network manager can then view.

Third, the address mapping group translates between MAC-layer addresses and network-layer addresses, the latter being much easier to read and hence to remember. This improves topology maps, since it both helps the network manager and supports the SNMP management platform. Structure of the address map group:

Figure 3: addmap group

SubOID, Object, Description:
(1) Inserts: Number of times an address mapping entry has been inserted into the data table.
(2) Deletes: Number of times an address mapping entry has been deleted from the data table.
(3) MaxDesiredEntries: Desired maximum number of entries in the address map table. Note: An entry of -1 denotes any number of entries.
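How an address map with these three objects can expose duplicate IP addresses, as an added example that is not part of the original assignment. The table layout, the least-recently-seen eviction policy and all names are assumptions made for illustration, and the observations are constructed (documentation IP range, locally administered MACs).

```python
from collections import OrderedDict


class AddressMap:
    """Toy model of the address map group's Inserts/Deletes/MaxDesiredEntries."""

    def __init__(self, max_desired_entries=-1):
        self.max_desired_entries = max_desired_entries  # -1: any number of entries
        self.inserts = 0
        self.deletes = 0
        self.table = OrderedDict()  # (ip, mac) -> last-seen tick, oldest first

    def observe(self, tick, ip, mac):
        key = (ip, mac.lower())     # normalise case so one binding is one entry
        if key in self.table:
            self.table.move_to_end(key)
        else:
            self.inserts += 1
        self.table[key] = tick
        # Assumed policy: evict the least recently seen binding when over the limit.
        while 0 <= self.max_desired_entries < len(self.table):
            self.table.popitem(last=False)
            self.deletes += 1

    def duplicate_ips(self):
        """Return every network-layer address currently bound to more than one MAC."""
        macs_by_ip = {}
        for ip, mac in self.table:
            macs_by_ip.setdefault(ip, set()).add(mac)
        return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def build_map(observations, max_desired_entries=-1):
    amap = AddressMap(max_desired_entries)
    for tick, ip, mac in observations:
        amap.observe(tick, ip, mac)
    return amap


# Constructed (tick, network address, MAC address) bindings seen by a probe.
OBSERVATIONS = [
    (1, "192.0.2.10", "02:00:00:00:00:0a"),
    (2, "192.0.2.20", "02:00:00:00:00:14"),
    (3, "192.0.2.10", "02:00:00:00:00:0A"),  # same binding, different case
    (4, "192.0.2.10", "02:00:00:00:00:63"),  # same IP claimed by a second MAC
    (5, "192.0.2.30", "02:00:00:00:00:1e"),
]

if __name__ == "__main__":
    amap = build_map(OBSERVATIONS)
    print(amap.inserts, amap.deletes, amap.duplicate_ips())
```

An address bound to two MACs is a lead to investigate, not a verdict: a misconfigured host, a failover pair and address spoofing all look the same in this table.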

Fourth, the network layer host group lets the manager look beyond the router to the connected hosts by monitoring the packets flowing into and out of hosts. It collects layer 3 traffic statistics based on the network-layer address. It hence controls both the network and application-layer host tables.

Fifth, the network layer matrix group can store and retrieve network-layer statistics for conversations between pairs of addresses, based on the network-layer addresses. These statistics show the protocol-specific traffic between communicating pairs of systems, so that the network manager can debug network problems faster and more accurately. Not only can a server be detected as "dead" because it is not transmitting packets, but the network manager can also diagnose the tougher problem faced when the server is "alive" but a specific protocol stack is faulty.

Sixth, the application layer host group holds a set of statistics for a protocol from a certain network address that has been discovered on the device's interface. Structure of the AppHost group:

Figure 4

SubOID, Object, Description:
(1) TimeMark: Time filter for this entry.
(2) InPkts: Number of error-free packets of this protocol type transmitted to this address since it was added to the table.
(3) OutPkts: Number of error-free packets of this protocol type transmitted by this address since it was added to the table.
(4) InOctets: Number of octets of this protocol type transmitted to this address since it was added to the table, excluding packets with errors.
(5) OutOctets: Number of octets of this protocol type transmitted by this address since it was added to the table, excluding packets with errors.
(6) CreateTime: Value of sysUpTime when this entry was activated.

Seventh, the application layer matrix group stores and retrieves application-layer traffic statistics, based on the application-layer protocol, per source/destination pair of hosts, for conversations between pairs of addresses. For all conversations between any pair of hosts, the statistics relate to the traffic between that pair for each protocol.

Eighth, the probe configuration group defines standard configuration parameters for the agent's capability, software revision, reset control (which can be either warm boot or cold boot) and the trap destination table, which is a list of trap recipient IP hosts. This standard configuration feature enables one vendor's RMON application to remotely configure another vendor's RMON probe. Structure of the probeConfig group:

SubOID, Object, Description:
(1) probeCapabilities: Indicates what rmon groups are supported.
(2) probeSoftwareRev: Software revision of this device: this string will have zero length if the revision is unknown.
(3) probeHardwareRev: Hardware revision of this device.
(4) probeDateTime: Probe's current date and time.
(5) probeResetControl: Takes on the values: running(1), warmBoot(2), coldBoot(3).

Finally, the user history group combines mechanisms seen in the alarm and history groups to let the network manager build history studies of any counter in the system, such as a specific history for a particular file server. It periodically samples user-specified variables and logs that data, based on user-defined parameters.

Probes
RMON solutions are composed of two components: a probe that acts as a server and network management applications that act as a client. Information is transmitted to the management application only when required, instead of through continuous polling. SNMP is used for communication between the client and the probe.

The probe is a monitoring device that could be a router, a switch or PC software containing RMON software agents. These probes have to be located on every LAN segment or WAN link monitored, because they can only view traffic flowing through them; most of the time they are placed permanently in the network. The agents are responsible for gathering information such as bandwidth utilization, collisions, network errors and many more critical Ethernet network statistics. They can also analyze the SNMP packets, reducing SNMP traffic and the processing load on the clients. Moreover, a probe can be used to set an alarm when a specific situation occurs, by monitoring the traffic. It can therefore be used to check the network periodically and gather statistics that are sent to the management console. The probe can be installed as a background service on any Windows PC in the remote network segment.

Comparing the RMON probe with the advanced probe, the RMON probe is superior in the following ways. It has a third-party supported collection mechanism, which means that other manufacturers' software or hardware can query and process statistics from an RMON probe. It can also support 10 concurrent interfaces, unlike the advanced probes, which support only one.
