Class05

Practical

Homework Review

HW04a

Oh Yeah

  • free VoIP soft(ware) phones
    • Skype - P2P (Kazaa), worrisome terms
    • Gizmo - supports SIP standard, Google (GrandCentral) integration
    • QuteCom - supports SIP standard, F/OSS, was Wengo

Goal

My goal for this class is for you to be able to get out of a network paper bag.

Projects

  • packet capture
  • SNMP
  • analysis (report and presentation)

Project Choices

  • Analyze a building or department
    • what department or building is interesting or convenient?
    • packet capture of representative traffic, SNMP for errors
  • Your Suggestions
    • must be practical, hands-on!
  • More choices to come

Practical Application

  • Necessary Information
    • IP address
    • netmask
    • gateway / default router
  • Useful Information
    • DNS servers

Impact of Incorrect Information

  • DNS
  • gateway
  • MTU
  • hardware
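As an added example (not code from the class page), the following Python turns the "necessary" and "useful" items above into a quick sanity check a troubleshooter can run on a host's settings before touching the wire. It uses only the standard library; the MTU thresholds are assumptions (68 is the IPv4 minimum, 1500 is plain Ethernet).

```python
# Added example, not code from the class page: sanity checks for the information the
# slide calls necessary (address, netmask, gateway) and useful (DNS), plus the MTU,
# returning the problems a troubleshooter would look for first. Standard library only;
# the MTU thresholds are assumptions (68 is the IPv4 minimum, 1500 plain Ethernet).
import ipaddress


def check_host_config(ip, netmask, gateway, dns_servers=(), mtu=1500):
    """Return a list of problem descriptions; an empty list means the basics look sane."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")   # rejects non-contiguous masks
    except ValueError as exc:
        return [f"bad address or netmask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        gw = None
        problems.append(f"gateway {gateway!r} is not a valid address")
    if gw is not None:
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}: off-subnet traffic cannot leave")
        elif gw == iface.ip:
            problems.append("gateway is the host's own address")
    if not dns_servers:
        problems.append("no DNS server: names will not resolve, raw addresses still work")
    for d in dns_servers:
        try:
            ipaddress.ip_address(d)
        except ValueError:
            problems.append(f"DNS server {d!r} is not a valid address")
    if mtu < 68:
        problems.append(f"MTU {mtu} is below the IPv4 minimum of 68")
    elif mtu > 1500:
        problems.append(f"MTU {mtu} exceeds standard Ethernet: expect fragmentation or "
                        "black holes on 1500-byte paths")
    return problems
```

Each returned string maps onto one line of the "Impact of Incorrect Information" list: a gateway outside the subnet means no default route, no DNS means names fail while raw addresses still work, and an oversized MTU shows up as large transfers hanging while pings succeed.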

Troubleshooting References

  • O'Reilly chapter on Troubleshooting TCP/IP is excellent if basic
  • RFC 1470: more than you want to know about network troubleshooting tools (also dated)

Tools

  • Configuration
    • ifconfig -a or ipconfig /all
    • netstat: netstat -nr for routing table, netstat -na for open ports
  • DNS
    • nslookup
    • dig
    • host
      • use DNS for number to name resolution (or the other way around)

Tools

  • Performance
    • ping: measures packet loss, latency, jitter (ICMP)
    • traceroute / tracert: list routers in path with latency to each router hop, shows asymmetric paths and where latency accumulates (ICMP)
    • mtr: combines ping and traceroute for Linux
    • NDT: throughput
    • NPAD: for bulk throughput, TCP Tuning
  • ports
    • nmap: is the port open all the way from "here" to "there"? (may be blocked by intermediate router)

Tools

  • duplicate IP address or wrong router
    • arp: arp -a to see all of your arp table
  • packet capture is the final word, the trump card: this is what's on the wire!
    • tcpdump
    • wireshark
    • snoop

Packet Capture

  • tcpdump
    • analyze
      • tcpdump -r capturefile
    • flooding?
      • sudo tcpdump -c 30 -i eth0 -s 0 -w floodfile not broadcast and not ip broadcast and not multicast and not ip multicast and not arp and not rarp and not dst host 152.2.145.83
    • not Netflow
      • sudo tcpdump -c 30 -i eth0 -s 0 -w flowfile not dst port 2055
tcpdump is available on most *nix; WinDump is the Windows port, and snoop is the analog on Solaris (tcpdump can be installed there too)

Packet Capture

  • wireshark
    • flooding?
      • not broadcast and not multicast and not arp
    • not Netflow
      • not dst port 2055

Network Management in Practice

  • Small and Medium vs Large
    • RFC 1958, Architectural Principles of the Internet
      • The end-to-end argument ... is that, as a first principle, certain required end-to-end functions can only be performed correctly by the end-systems themselves. A specific case is that any network, however carefully designed, will be subject to failures of transmission at some statistically determined rate. The best way to cope with this is to accept it, and give responsibility for the integrity of communication to the end systems.

Network Management in Practice

  • Small and Medium vs Large
    • RFC 3439, Some Internet Architecture Guidelines and Philosophy
      • The Simplicity Principle, which was perhaps first articulated by Mike O'Dell, former Chief Architect at UUNET, states that complexity is the primary mechanism which impedes efficient scaling, and as a result is the primary driver of increases in both capital expenditures (CAPEX) and operational expenditures (OPEX). The implication for carrier IP networks then, is that to be successful we must drive our architectures and designs toward the simplest possible solutions.

Network Management in Practice

  • Small and Medium vs Large
    • The Amplification Principle states that there are non-linearities which occur at large scale which do not occur at small to medium scale.
    • The Coupling Principle states that as things get larger, they often exhibit increased interdependence between components.

Large Enterprise Network Management

  • scalable
  • manageable
  • simple

Network Management in Theory

  • SMI - rulebook / toolkit
    • ASN.1
      • BER, basic encoding rules
      • TLV, tag (8 bits) - length (8 bits) - value (variable length, as given by the length field)
  • MIB - layout / questionnaire
    • the OID is a complete path through MIB tree, from root to leaf
OID = Object IDentifier
  • SNMP
    • managers and agents

SNMP Versions

  • Everything supports SNMPv1
    • v1 - prevalent
  • SNMPv2 adds another PDU type, GetBulk, to skip a series of GetNextRequest's
    • v2 - compact, GetBulk
  • SNMPv3 adds User Security Management
    • match users and devices for:
      • authentication
      • authorization
      • encryption type
    • v3 - security

MIB Tree

  • ASN.1: iso.identified-organization.dod.internet.private.enterprises or 1.3.6.1.4.1

MIB Tree Examples

  • example: the one-minute average CPU utilization on a Cisco router follows the MIB path 1.3.6.1.4.1.9.2.1.57, equivalent to the object name iso.org.dod.internet.private.enterprises.cisco.local.lsystem.avgBusy1
    • .0 is a scalar leaf, often omitted (gee, that helps ...)
  • table example: CPUUtilization on an Enterasys SmartSwitch Router is instance 1 in the CPUTable MIB variable, or 1.3.6.1.4.1.52.2501.1.270.2.1.1.2.1
    • a table entry never ends with .0

SNMPv1 PDU

  • Protocol Data Unit
  • header version has offset of 1, so SNMPv1 has value of 0
  • header community name is clear text "password"
this "password" is the community string

SNMPv1 PDU

  • PDU type
    • 0 GetRequest, 1 GetNextRequest, 2 GetResponse, 3 SetRequest
  • request ID is unique
  • error status is 0 for no error, non-zero for the various error conditions
  • error index matches a particular OID in the device MIB
  • variable bindings have the data in name-value pair(s)
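To make the SMI/BER material and the PDU layout above concrete, here is an added example (not the class page's code and not Net-SNMP's): a minimal SNMPv1 encoder and decoder written directly on BER TLVs. It encodes OIDs the way the MIB tree slides describe (the first two arcs share one byte, later arcs are base-128), builds a GetRequest with version 0 and a clear-text community string, and decodes a GetResponse, including the noSuchName error status seen in the "SNMP Errors" slide. All bytes are constructed in the block; nothing is sent on the network.

```python
# Added example, not the class page's or Net-SNMP's code: a minimal SNMPv1 encoder and
# decoder written directly on ASN.1 BER TLVs (RFC 1157 message layout), so the fields the
# slides list (version 0, clear-text community, PDU type, request ID, error status, error
# index, variable bindings) can be seen byte by byte. All bytes are constructed here.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43                       # SMI application tags
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3  # PDU types 0..3
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue", 4: "readOnly", 5: "genErr"}

def ber_len(n):
    if n < 0x80:                                  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body      # long form: 0x80|count, then the count

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def enc_int(v, tag=INTEGER):
    # minimal two's-complement integer; also used for TimeTicks/Counter/Gauge values
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    """OID: first two arcs share one byte (40*a+b); later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def read_tlv(buf, pos=0):
    # return (tag, value, next_pos) for the TLV that starts at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dec_seq(value):
    # split a constructed value into its (tag, value) children
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def dec_int(raw):
    return int.from_bytes(raw, "big", signed=True)

def dec_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_message(community, pdu_type, request_id, error_status, error_index, binds):
    """binds: list of (dotted OID, encoded value TLV). The version field is 0 for SNMPv1."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(oid) + val) for oid, val in binds)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
              + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oid, request_id=1):
    return build_message(community, GET_REQUEST, request_id, 0, 0, [(oid, tlv(NULL, b""))])

def parse_message(msg):
    _, body, _ = read_tlv(msg)
    (_, ver), (_, comm), (pdu_type, pdu) = dec_seq(body)
    (_, rid), (_, err), (_, idx), (_, vbl) = dec_seq(pdu)
    binds = []
    for _, vb in dec_seq(vbl):
        (_, oid_raw), (vtag, vraw) = dec_seq(vb)
        if vtag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
            val = int.from_bytes(vraw, "big", signed=(vtag == INTEGER))
        elif vtag == OID:
            val = dec_oid(vraw)
        elif vtag == OCTET_STRING:
            val = vraw.decode(errors="replace")
        else:
            val = None                                # NULL placeholder in a request
        binds.append((dec_oid(oid_raw), val))
    status = dec_int(err)
    return {"version": dec_int(ver), "community": comm.decode(errors="replace"),
            "pdu_type": pdu_type, "request_id": dec_int(rid),
            "error_status": ERROR_STATUS.get(status, status), "error_index": dec_int(idx),
            "varbinds": binds}

# Constructed exchange: snmpget of system.sysUpTime.0, and the noSuchName error for system.0.
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
REQUEST = build_get_request("public", SYS_UPTIME, request_id=42)
RESPONSE = build_message("public", GET_RESPONSE, 42, 0, 0, [(SYS_UPTIME, enc_int(538608587, TIMETICKS))])
NOSUCHNAME = build_message("public", GET_RESPONSE, 43, 2, 1, [("1.3.6.1.2.1.1.0", tlv(NULL, b""))])
```

Printing `REQUEST.hex()` shows the point of the "clear text password" slide directly: the bytes `04 06 7075626c6963` (the community string "public") sit in every packet, which is why a packet capture on the management VLAN recovers SNMPv1/v2c communities and why v3 authentication and encryption exist. The `0xA0`/`0xA2` PDU tags are the 0 and 2 from the PDU type table, and the `error_status` / `error_index` pair in the parsed dictionary is what `snmpget` turns into "Reason: (noSuchName) ... Failed object".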

SNMPv1 Traps

  • PDU type is 4 for a trap
  • enterprise is type of managed object generating this trap
  • agent IP address in dotted decimal

SNMPv1 Traps

  • generic trap types
    • 0 coldStart, 1 warmStart, 2 linkDown, 3 linkUp
    • 4 authenticationFailure, 5 egpNeighborLoss, 6 enterpriseSpecific
  • specific trap identifies that trap's OID in the MIB tree
  • time stamp uses agent's clock, and can drift
  • variable bindings same as before

SNMP Examples

  • Net-SNMP Tutorial
  • uptime
    • [hope@rhea ~]$ snmpget -v1 -c public 172.29.220.155 system.sysUpTime.0
      SNMPv2-MIB::sysUpTime.0 = Timeticks: (538608587) 62 days, 8:08:05.87
    • [hope@rhea ~]$ snmpwalk -v1 -c public 172.29.220.155 system.sysUpTime
      SNMPv2-MIB::sysUpTime.0 = Timeticks: (538609187) 62 days, 8:08:11.87
  • system "stuff"
    • [hope@rhea ~]$ snmpwalk -v1 -c public 172.29.220.155 system
      SNMPv2-MIB::sysDescr.0 = STRING: Cabletron Systems, Inc. 2H252-25R Rev 05.08.18  12/06/05--12:41 ofc
      SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.52.3.9.3.4.80
      SNMPv2-MIB::sysUpTime.0 = Timeticks: (538609886) 62 days, 8:08:18.86
      SNMPv2-MIB::sysContact.0 = STRING: Networking
      SNMPv2-MIB::sysName.0 = STRING: Swain Rm 11A
      SNMPv2-MIB::sysLocation.0 = STRING: Swain Rm 11A
      SNMPv2-MIB::sysServices.0 = INTEGER: 71

SNMP Errors

  • [hope@rhea ~]$ snmpget -v1 -c public 172.29.220.155 system.0
    Error in packet
    Reason: (noSuchName) There is no such variable name in this MIB.
    Failed object: SNMPv2-MIB::system.0
  • [hope@rhea ~]$ snmpget -v1 -c notpublic 172.29.220.155 system.sysUpTime.0
    Timeout: No Response from 172.29.220.155.

Cool OIDs

SNMP Tools

RMON Measurement

  • remote monitoring, RFC 1271 for Ethernet then RFC 1757 then RFC 2819, RFC 2021 for Application / Layer 7, (link to overview)
  • 4 basic groups: Statistics, History, Alarm, and Events
  • all 9 groups: 4 basic plus Host, HostTopN, Matrix, Filters, and Packet Capture

RMON for Measurement

  • Statistics (per port)
    • packets sent, bytes sent, broadcast packets, multicast packets, runts, packets by size in five groups, giants, jabbers, fragments, CRC errors, and packets dropped
  • Packet Size Groups
    • 64 to 127 bytes, 128 to 255 bytes, 256 to 511 bytes, 512 bytes to 1023 bytes, and 1024 to 1518 bytes
  • RMON, expanded tree view
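The Statistics group is easiest to understand by computing it yourself. The following is an added example (not code from the class page or any RMON probe) that derives per-port counters from a constructed list of Ethernet frames, using the five size groups listed above plus runts and giants, and classifies broadcast and multicast from the destination MAC.

```python
# Added example, not code from the class page: RMON-style per-port statistics computed
# from a constructed list of Ethernet frames. Size groups follow the slide (64-127 ...
# 1024-1518); anything shorter than 64 bytes is a runt, anything longer than 1518 a giant.
# Broadcast/multicast are read from the destination MAC: all-ones is broadcast, and any
# address with the group bit (least significant bit of the first octet) set is multicast.
from collections import Counter

SIZE_GROUPS = ((64, 127), (128, 255), (256, 511), (512, 1023), (1024, 1518))
BROADCAST = b"\xff" * 6


def size_group(length):
    """Name of the RMON counter a frame of this length falls into."""
    if length < 64:
        return "runts"
    if length > 1518:
        return "giants"
    lo, hi = next(g for g in SIZE_GROUPS if g[0] <= length <= g[1])
    return f"pkts{lo}to{hi}"


def rmon_stats(frames):
    """frames: iterable of on-the-wire Ethernet frames as bytes (14-byte header first)."""
    stats = Counter()
    for frame in frames:
        stats["packets"] += 1
        stats["octets"] += len(frame)
        dst = frame[:6]
        if dst == BROADCAST:
            stats["broadcast"] += 1
        elif dst[0] & 0x01:                      # group bit set: multicast
            stats["multicast"] += 1
        stats[size_group(len(frame))] += 1
    return dict(stats)


def make_frame(dst_hex, payload_len):
    """Constructed frame: given destination, a fixed locally administered source, IPv4 ethertype."""
    return bytes.fromhex(dst_hex) + bytes.fromhex("02000000000a") + b"\x08\x00" + bytes(payload_len)


# Constructed sample: a minimum-size broadcast, an IPv4 multicast frame, a full-size
# unicast frame, a runt and a giant.
SAMPLE_FRAMES = [
    make_frame("ffffffffffff", 50),    # 64 bytes
    make_frame("01005e000001", 200),   # 214 bytes; 01:00:5e is the IPv4 multicast prefix
    make_frame("020000000001", 1500),  # 1514 bytes
    make_frame("020000000001", 40),    # 54 bytes: runt
    make_frame("020000000001", 1600),  # 1614 bytes: giant
]
```

A probe's `etherStatsTable` holds exactly these counters per interface; a steadily climbing runt or giant count on one port is the usual first hint of a duplex mismatch or a bad cable, and an unexpected broadcast share is what the "flooding?" capture filters on the tcpdump slide are meant to confirm.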

SNMP for Measurement

IPFIX

  • flow: source and destination at Layer 3 and Layer 4 (network/IP address and transport/application port), IP protocol, ToS, timestamp for start and end, amount of data flowing
  • IP Flow Information eXport
  • IPFIX in RFC 3955 is the standard aka version 10

netflow

  • Netflow has an exporter (the measurement point) or sensor, a collector, and a reporter. Any of those can be a many-to-one relationship. The exporter bundles the data in netflow format and sends it to the collector(s). The collector may process the data somewhat, and then sends that to the reporter(s) to display for users.
  • version 5 is most common, version 9 supports IPv6 (formats explained)
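To show what "a flow" means in practice, here is an added example (not code from the class page or from any NetFlow/IPFIX implementation): a toy exporter that groups a constructed packet list into flow records keyed on the IPFIX fields listed above, with start/end timestamps and packet/byte counts, plus a reporter-style top-talker summary. The active and inactive timeouts are assumptions modelled on typical router exporter behaviour.

```python
# Added example, not code from the class page or from any NetFlow/IPFIX implementation:
# a toy exporter that turns a constructed packet list into flow records keyed on the
# fields the IPFIX slide lists (source/destination address and port, IP protocol, ToS),
# with start/end timestamps and packet/byte counts, plus a reporter-style top-talker
# summary. The timeouts are assumptions mimicking a router exporter's active/inactive expiry.
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto sport dport tos length")  # decoded summary


def flow_key(p):
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.tos)


def build_flows(packets, active_timeout=1800.0, inactive_timeout=15.0):
    """Return flow records in export order. A flow idle longer than inactive_timeout is
    exported when the next packet (of any flow) arrives; a flow older than active_timeout
    is split so the collector gets periodic updates for long-lived connections."""
    active, exported = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        for k in [k for k, f in active.items() if p.ts - f["last"] > inactive_timeout]:
            exported.append(active.pop(k))
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f["first"] > active_timeout:
            exported.append(active.pop(k))
            f = None
        if f is None:
            f = active[k] = {"src": p.src, "dst": p.dst, "proto": p.proto, "sport": p.sport,
                             "dport": p.dport, "tos": p.tos, "first": p.ts, "last": p.ts,
                             "packets": 0, "octets": 0}
        f["last"] = p.ts
        f["packets"] += 1
        f["octets"] += p.length
    exported.extend(active.values())               # flush what is still open at the end
    return exported


def top_talkers(flows, n=3):
    """Reporter view: bytes sent per source address, largest first."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed packets: a DNS query and reply, a short HTTP transfer, and a packet on the
# same HTTP 5-tuple 28 seconds later (which becomes a second flow after the idle timeout).
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "10.0.0.9", 17, 51000, 53, 0, 60),
    Packet(0.01, "10.0.0.9", "10.0.0.5", 17, 53, 51000, 0, 120),
    Packet(1.00, "10.0.0.5", "192.0.2.10", 6, 40000, 80, 0, 1500),
    Packet(1.50, "10.0.0.5", "192.0.2.10", 6, 40000, 80, 0, 1500),
    Packet(2.00, "10.0.0.5", "192.0.2.10", 6, 40000, 80, 0, 1500),
    Packet(30.00, "10.0.0.5", "192.0.2.10", 6, 40000, 80, 0, 100),
]
```

Two things the toy makes visible that the slide only states: flows are unidirectional (the DNS query and its reply are two records), and the timeouts decide how many records one conversation becomes, so the same traffic can look different across exporters with different settings. It also shows the blind spot from the "Disadvantages" slide: only packets that pass the measurement point become flows, so traffic that never crosses the router leaves no record.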

agent

synthetic transaction

Disadvantages

  • SNMP
    • you only see what's in the MIB, and the perfect MIB may be proprietary
    • RMON
      • you only see what's in RMON
  • netflow
    • you only see (in general) what goes through a router, so you miss traffic that stays within a VLAN
  • agent
    • user has to (agree to) install agent on their computer ... Big Brother is now watching you
  • synthetic transaction
    • well, it's not real

Projects

  • packet capture
  • SNMP
  • analysis (report and presentation)

Project Choices

  • Analyze a building or department
    • what department or building is interesting or convenient?
    • packet capture of representative traffic, SNMP for errors
  • Your Suggestions
    • must be practical, hands-on!
  • More choices to come

Light Reading

Page last modified on February 11, 2009, at 04:50 PM EST