Practical

Homework Review

HW04a

Oh Yeah

free VoIP soft(ware) phones
- Skype - P2P (Kazaa), worrisome terms
- Gizmo - supports SIP standard, Google (GrandCentral) integration
- QuteCom - supports SIP standard, F/OSS, was Wengo

Goal

My goal for this class is for you to be able to get out of a network paper bag.

Projects

packet capture
SNMP
analysis (report and presentation)

Project Choices

Analyze a building or department
- what department or building is interesting or convenient?
- packet capture of representative traffic, SNMP for errors
Your Suggestions
- must be practical, hands-on!
More choices to come

Practical Application

Necessary Information
- IP address
- netmask
- gateway / default router
Useful Information
- DNS servers

Impact of Incorrect Information

DNS
gateway
MTU
hardware

Troubleshooting References

O'Reilly chapter on Troubleshooting TCP/IP is excellent if basic
RFC 1470: more than you want to know about network troubleshooting tools (also dated)

Tools

Configuration
- ifconfig -a or ipconfig /all
- netstat: netstat -nr for routing table, netstat -na for open ports
DNS
- nslookup
- dig
- host
  - use DNS for number to name resolution (or the other way around)

Tools

information
hardware
- replace cables
- replace Ethernet card
- look for errors with iptraf

Tools

Performance
- ping: measures packet loss, latency, jitter (ICMP)
- traceroute / tracert: list routers in path with latency to each router hop, shows asymmetric paths and where latency accumulates (ICMP)
- mtr: combines ping and traceroute for Linux
- NDT: throughput
- NPAD: for bulk throughput, TCP Tuning
ports
- nmap: is the port open all the way from "here" to "there"? (may be blocked by intermediate router)

Tools

duplicate IP address or wrong router
- arp: arp -a to see all of your arp table
packet capture is the final word, the trump card: this is what's on the wire!
- tcpdump
- wireshark
- snoop

Packet Capture

tcpdump
- analyze
  - tcpdump -r capturefile
- flooding?
  - sudo tcpdump -c 30 -i eth0 -s 0 -w floodfile not broadcast and not ip broadcast and not multicast and not ip multicast and not arp and not rarp and not dst host 152.2.145.83
- not Netflow
  - sudo tcpdump -c 30 -i eth0 -s 0 -w flowfile not dst port 2055

tcpdump is available on most *nix; WinDump for Windows, snoop is the analog on Solaris (can install tcpdump too)

Packet Capture

wireshark
- flooding?
  - not broadcast and not multicast and not arp
- not Netflow
  - not dst port 2055

Network Management in Practice

Small and Medium vs Large
- RFC 1958, Architectural Principles of the Internet
  - The end-to-end argument ... is that, as a first principle, certain required end-to-end functions can only be performed correctly by the end-systems themselves. A specific case is that any network, however carefully designed, will be subject to failures of transmission at some statistically determined rate. The best way to cope with this is to accept it, and give responsibility for the integrity of communication to the end systems.

Network Management in Practice

Small and Medium vs Large
- RFC 3439, Some Internet Architecture Guidelines and Philosophy
  - The Simplicity Principle, which was perhaps first articulated by Mike O'Dell, former Chief Architect at UUNET, states that complexity is the primary mechanism which impedes efficient scaling, and as a result is the primary driver of increases in both capital expenditures (CAPEX) and operational expenditures (OPEX). The implication for carrier IP networks then, is that to be successful we must drive our architectures and designs toward the simplest possible solutions.

Network Management in Practice

Small and Medium vs Large
- The Amplification Principle states that there are non-linearities which occur at large scale which do not occur at small to medium scale.
- The Coupling Principle states that as things get larger, they often exhibit increased interdependence between components.

Large Enterprise Network Management

scalable
manageable
simple

Network Management in Theory

SMI - rulebook / toolkit
- ASN.1
  - BER, basic encoding rules
  - TLV, tag (8 bits) - length (8 bits) - value (?)
MIB - layout / questionnaire
- the OID is a complete path through MIB tree, from root to leaf

OID = Object IDentifier

SNMP
- managers and agents

SNMP Versions

Everything supports SNMPv1
- v1 - prevalent
SNMPv2 adds another PDU type, GetBulk, to skip a series of GetNextRequest's
- v2 - compact, GetBulk
SNMPv3 adds User Security Management
- match users and devices for:
  - authentication
  - authorization
  - encryption type
- v3 - security

MIB Tree

ASN.1: iso.identified-organization.dod.internet.private.enterprises or 1.3.6.1.4.1

MIB Tree Examples

example: the one-minute average CPU utilization on a Cisco router follows the MIB path 1.3.6.1.4.1.9.2.1.57, equivalent to the object name iso.org.dod.internet.private.enterprises.cisco.local.lsystem.avgBusy1
- .0 is a scalar leaf, often omitted (gee, that helps ...)
table example: CPUUtilization on an Enterasys SmartSwitch Router is instance 1 in the CPUTable MIB variable, or 1.3.6.1.4.1.52.2501.1.270.2.1.1.2.1
- a table entry never ends with .0

SNMPv1 PDU

Protocol Data Unit
header version has offset of 1, so SNMPv1 has value of 0
header community name is clear text "password"

this "password" is the community string

SNMPv1 PDU

PDU type
- 0 GetRequest, 1 GetNextRequest, 2 GetResponse, 3 SetRequest
request ID is unique
error status is 0 for no error, non-zero for various error pres
error index matches a particular OID in the device MIB
variable bindings have the data in name-value pair(s)

SNMPv1 Traps

PDU type is 4 for a trap
enterprise is type of managed object generating this trap
agent IP address in dotted decimal

SNMPv1 Traps

generic trap types
- 0 coldStart, 1 warmStart, 2 linkDown, 3 linkUp
- 4 authenticationFailure, 5 egpNeighborLoss, 6 enterpriseSpecific
specific trap pre is the OID to that trap in the MIB tree
time stamp uses agent's clock, and can drift
variable bindings same as before

SNMP Examples

Net-SNMP Tutorial

uptime

[hope@rhea ~]$ snmpget -v1 -c public 172.29.220.155 system.sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (538608587) 62 days, 8:08:05.87

[hope@rhea ~]$ snmpwalk -v1 -c public 172.29.220.155 system.sysUpTime
SNMPv2-MIB::sysUpTime.0 = Timeticks: (538609187) 62 days, 8:08:11.87

system "stuff"

[hope@rhea ~]$ snmpwalk -v1 -c public 172.29.220.155 system
SNMPv2-MIB::sysDescr.0 = STRING: Cabletron Systems, Inc. 2H252-25R Rev 05.08.18  12/06/05--12:41 ofc
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.52.3.9.3.4.80
SNMPv2-MIB::sysUpTime.0 = Timeticks: (538609886) 62 days, 8:08:18.86
SNMPv2-MIB::sysContact.0 = STRING: Networking
SNMPv2-MIB::sysName.0 = STRING: Swain Rm 11A
SNMPv2-MIB::sysLocation.0 = STRING: Swain Rm 11A
SNMPv2-MIB::sysServices.0 = INTEGER: 71

SNMP Errors

[hope@rhea ~]$ snmpget -v1 -c public 172.29.220.155 system.0
Error in packet
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: SNMPv2-MIB::system.0

[hope@rhea ~]$ snmpget -v1 -c notpublic 172.29.220.155 system.sysUpTime.0
Timeout: No Response from 172.29.220.155.

Cool OIDs

Cisco browser for standard MIB-2
ByteSphere viewer
- Airespace switching and wireless (expanded tree branches)
SimpleWeb
- MIB-2

SNMP Tools

RMON Measurement

remote monitoring, RFC 1271 for Ethernet then RFC 1757 then RFC 2819, RFC 2021 for Application / Layer 7, (link to overview)
4 basic groups: Statistics, History, Alarm, and Events
all 9 groups: 4 basic plus Host, HostTopN, Matrix, Filters, and Packet Capture

RMON for Measurement

Statistics (per port)
- packets sent, bytes sent, broadcast packets, multicast packets, runts, packets by size in five groups, giants, jabbers, fragments, CRC errors, and packets dropped
Packet Size Groups
- 64 to 127 bytes, 128 to 255 bytes, 256 to 511 bytes, 512 bytes to 1023 bytes, and 1024 to 1518 bytes
RMON, expanded tree view

SNMP for Measurement

IPFIX

flow: source and destination at Layer 3 and Layer 4 (network/IP address and transport/application port), IP protocol, ToS, timestamp for start and end, amount of data flowing
IP Flow Information eXport
IPFIX in RFC 3955 is the standard aka version 10
- Wikipedia has an example

netflow

Netflow has an exporter (the measurement point) or sensor, a collector, and a reporter. Any of those can be a many-to-one relationship. The exporter bundles the data in netflow format and sends it to the collector(s). The collector may process the data somewhat, and then sends that to the reporter(s) to display for users.
version 5 is most common, version 9 supports IPv6 (formats explained)

agent

synthetic transaction

our own Service Monitor
and many others, like Nagios, Big Brother, and Big Sister

Disadvantages

SNMP
- you only see what's in the MIB, and the perfect MIB may be proprietary
- RMON
  - you only see what's in RMON
netflow
- you only see (in general) what goes through a router, so you miss traffic that stays within a VLAN
agent
- user has to (agree to) install agent on their computer ... Big Brother is now watching you
synthetic transaction
- well, it's not real

Projects

packet capture
SNMP
analysis (report and presentation)

Project Choices

Analyze a building or department
- what department or building is interesting or convenient?
- packet capture of representative traffic, SNMP for errors
Your Suggestions
- must be practical, hands-on!
More choices to come

Light Reading

Read Andrew Odlyzko, Content is not king. He's always got an interesting spin, backed by hard data.
Read Mark Gibbs, The SNMP Show.
Read Mark Gibbs, The ABCs of MIB.