By Dr. Blair Zajac
Summary
In July, Blair described the benefits of realtime monitoring systems for Solaris systems, and described several freely available tools that allow system administrators to manage and monitor short-term problems and long-term trends for capacity planning. This month, he takes the same concepts and applies them to your network by examining network monitoring protocols and tools. (3,000 words)
Turning away customers because your Web site is too slow is tantamount to corporate suicide. What every site needs is capacity planning, which requires some form of network measuring, monitoring, event trapping, and traffic plotting.
This month, expanding on my previous article, I'll identify and describe some monitoring tools. Each is free and available to the public; each is similar to the Orca tool that monitors Sun Solaris systems; and each is designed to monitor Simple Network Management Protocol (SNMP) agents instead of servers.
The precepts surrounding system monitoring are also applicable here. For medium to large sites, vast amounts of data will be collected that must be collated for easy viewing. Requirements for such a system include the ability to:
SNMP: A protocol for network monitoring
SNMP is a client/server protocol that manages, controls, and receives error messages and alert conditions from network hardware. The server/agent (i.e., managed network entity) is located on the network hardware being managed, and the client is, in fact, specialized software running on a network management station (NMS). To keep the agent on the network hardware small, simple, and easy to implement, agents gather data and let the NMS handle the collation and presentation of this data to the network administrator.
SNMP uses UDP port 161 to communicate. If a packet is lost, the NMS will resend its request. No sequencing is needed, because all requests and responses fit within a single datagram.
SNMP separates the data available on a particular agent from the method for receiving and setting that data. For example, SNMP does not know that an NFS server with an SNMP agent can report the disk usage on a particular volume. This information is supplied separately in a management information base (MIB) which is used by the NMS. Several standard MIBs exist, such as an MIB for TCP/IP statistics known as MIB-II. This MIB contains such statistics as the uptime of the SNMP agent, the number of TCP/IP packets received and sent, and the number of currently established TCP connections.
An MIB is a tree structure of globally unique object identifiers (OIDs). A separate list of rules -- the structure of management information (SMI), described in RFC 1155 -- defines and identifies OIDs. The SMI states that OIDs must be specified using ISO's Abstract Syntax Notation 1 (ASN.1), which is a formal language that allows for both a human-readable description and a compact one for computer reading. ASN.1 specifies exactly how to encode names and data into messages for network transport, and removes any ambiguity about the data representation. For example, instead of specifying an integer value, ASN.1 requires an exact form and range for the integer.
An OID is a sequence of integers that traverses a global tree. OIDs in an MIB are managed by ISO and ITU, and define globally unique variables in a manner similar to the way in which DNS defines globally unique hosts. The tree consists of a root connected to a number of labeled nodes via edges. Each node may, in turn, have children of its own, which are also labeled. In this context, a label is the pairing of a brief textual description and an integer. Authority for portions of the namespace is assigned to other organizations, much in the same way in which DNS delegates the authority for individual domains to either individuals or organizations.
OIDs can also be associated with standards documents. Their space, more general than the description of variables in network boxes, is unnamed and has three direct nodes named for their managing organization; these are iso(1), itu(2), and a third, joint-iso-itu(3), managed by both groups. The number following the name is the numeric identifier for a particular node. All OIDs of interest on the Internet are rooted under iso(1), under which is a subtree for national or international standard organizations, which is org(3). The U.S. National Institute for Standards and Technology allocated a node under org for the Department of Defense that it named dod(6). The Internet Activities Board then petitioned the DOD for a node for the Internet community. The node, named internet(1), contains a node named mgmt(2). Under this node are the OIDs for network and system management.
At this point some examples of the OID naming scheme would be helpful. If you want to know the number of currently established TCP connections, the name would be:
Numerically this would be 1.3.6.1.2.1.6.9 -- 1 from iso, 3 from org, 6 from dod, 1 from internet, 2 from mgmt, etc. Since all OIDs fall under the mgmt node, they all begin with the prefix 1.3.6.1.2.1.
Two MIBs, MIB-I and MIB-II, are standard and supported by every agent. MIB-II is a superset of MIB-I and is the standard for monitoring TCP/IP. Vendors can provide their own MIBs for specific hardware. Under the internet(6) node is a private(4) node that contains an node. There you'll find the OIDs for vendor-specific hardware, such as routers, switches, and hubs.
A useful tool for examining the MIB and getting specific values from an agent is tkmib, which comes with the UCD-SNMP distribution described below. Notice that tkmib shows the MIB tree in the top window and that I've selected the iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber OID, which shows the numeric form as 1.3.6.1.2.1.2.1. It also displays some information about this OID farther down in the window. At the bottom it shows a walk of the iso.org.dod.internet.mgmt.mib-2.interfaces OID I did earlier. This tool is a great time-saver.
Figure 1. The tkmib tool
Instead of defining a large set of commands, SNMP implements a fetch-store paradigm for operations. In the original version of SNMP there are only five types of messages:
|Get||Get a value from a specific OID|
|GetNext||Get a value without knowing its exact name|
|Response||Reply to a get operation|
|Set||Set a specific variable to a specific value|
|Trap||Reply to a triggered event|
The NMS typically polls each agent at regular intervals. However, if a problem occurs between polls, the NMS may not pick up on it immediately. For this reason, the agent can be programmed to generate a trap upon a predefined event. The trap event is sent to the NMS on UDP port 162.
The last issue to discuss in communicating with an SNMP agent is security. Access to an SNMP agent is divided into groups called communities. Each community name is, in effect, a password, and if you know the community name, you can access the SNMP agent. The community string is transmitted as plain text in the SNMP packet, and most agents have two community names, one public and one private. The private name allows more access to the agent.
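The following added example (not part of the original article) hand-encodes and decodes an SNMPv1 GetRequest to show the ASN.1 BER encoding of an OID described above, and that the community string sits unencrypted in the datagram. The function names and the sample community `public` are assumptions of this sketch; it handles only lengths below 256 and small non-negative integers.

```python
# Added example: minimal BER codec for an SNMPv1 GetRequest (lengths < 256,
# small non-negative integers only). Sample values below are constructed.
def tlv(tag, body):                        # one ASN.1 BER type-length-value
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def read_tlv(buf, pos):                    # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def enc_oid(dotted):                       # first two arcs share a byte: 40*a+b
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # remaining arcs: base-128, big-endian
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit
        out += bytes(reversed(chunk))
    return bytes(out)

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_get(community, oid, request_id=1):
    # SNMPv1 message: SEQUENCE { version INTEGER, community OCTET STRING, PDU }
    varbind = tlv(0x30, tlv(0x06, enc_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)

def parse_get(packet):                     # what any observer on the wire can read
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds, 0)
    _, oid, _ = read_tlv(varbind, 0)
    return {"version": version[0], "community": community.decode(),
            "pdu": pdu_tag, "oid": dec_oid(oid)}
PACKET = build_get("public", "1.3.6.1.2.1.1.3.0")   # system.sysUpTime.0
```

Calling `parse_get(PACKET)` recovers the community and the requested OID from the raw bytes with no key material, which is why a community name should be treated as a label rather than a secret on any network that can be observed.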
SNMP agents and clients
Let's look at what's available.
Sun's SNMP Server
Sun includes an SNMP agent in Solaris 2.6 and all subsequent versions. This product installs as the solstice enterprise agents (SUNWCsea) cluster and contains the SUNWmibii, SUNWsacom, SUNWsadmi, and SUNWsasnm packages. In addition, SyMON contains a more comprehensive SNMP agent and client system for monitoring hosts.
The UCD-SNMP package is a popular, freely available SNMP client/server combination for many hosts. This software builds on many different Unix flavors and provides an SNMP agent and clients for acquiring and setting variables. In addition, UCD-SNMP provides a tkmib program to view the tree structure of an MIB and receive OID values. Additional MIBs from vendors can be loaded into UCD-SNMP. For example, I loaded Network Appliances Filer MIB to query the box on the disk usage for all of its volumes.
I'll quickly describe the steps to download and install UCD-SNMP with
The UCD-SNMP home page is at http://ucd-snmp.ucdavis.edu/, and the distribution can be downloaded from its anonymous FTP site, ftp://ucd-snmp.ucdavis.edu. Download the latest version, decompress and untar the file into a working directory, and cd into it.
Run ./configure --help, view the different configuration options, and choose any that apply to your needs. If you're going to use a Perl SNMP module later on, you'll want to use the --enable-shared option to build a shared library. If you want to install this someplace other than /usr/local, you'll need to use the --prefix= option. Run ./configure with all the options you want. This will check the capabilities of your system and compiler and set up the code to compile and run properly. Finally, run make install to install it in its final location.
If you want the uptime of the SNMP agent, run the following command using the UCD-SNMP snmpwalk program:
% snmpwalk 10.1.2.3 community system.sysUpTime
system.sysUpTime.0 = Timeticks: (1216034184) 140 days, 17:52:21.84
The first argument to snmpwalk is the IP address or name of the SNMP agent. The next (optional) argument is the community name that grants access to the SNMP agent.
If you want to build and use tkmib, build and install the Perl SNMP and Tk modules. This is described below.
Perl SNMP Modules
There are two different SNMP modules that allow you to get/set SNMP variables from Perl.
One is SNMP.pm, which links against UCD-SNMP's libsnmp.so library. The current version, 1.8.1, is available from the CPAN archive (ftp://ftp.funet.fi/pub/languages/perl/CPAN/authors/id/GSM). Get the latest version and run the following commands. The installation will ask for the location of UCD-SNMP. Use the lib directory from the prefix given to the ./configure step above. If you did not use a --prefix= command line option to ./configure, the location will be /usr/local/lib.
% gzcat SNMP-1.8.1.tar.gz | tar xf -
% cd SNMP-1.8.1
% perl Makefile.PL
Where are the libsnmp.a include files? [/usr/local/include/ucd-snmp]
Where is libsnmp.a installed? [/usr/local/lib]
Checking if your kit is complete...
Processing hints file hints/solaris.pl
Writing Makefile for SNMP
Enter host and community for SNMP tests: [localhost private]
The last line is the hostname and community name of a host to test SNMP against. If you don't have a box with an SNMP agent, don't worry; it's not crucial.
To get tkmib running, you'll need to download and install the Perl Tk module. The latest version, 800.015, is available at
Follow the same steps as above for the SNMP module:
% gzcat Tk800.015.tar.gz | tar xf -
% cd Tk800.015
% perl Makefile.PL
perl is installed in
PPM for perl5.00503
Test Compiling config/signedchar.c
Test Compiling config/Ksprintf.c
Test Compiling config/tod.c
/usr/X/bin/xmkmf suggests /usr/openwin
Using -L/usr/openwin/lib to find /usr/openwin/lib/libX11.so.4
Using -I/usr/openwin/include to find /usr/openwin/include/X11/Xlib.h
% make test
% make install
Make sure the Makefile.PL found the X include and library files you want. The installed tkmib should now run. You may need to fix the first line of tkmib to point to the correct version of Perl.
Sun's SyMON does a great job of monitoring hosts for events using SNMP, but it doesn't record and plot data. For monitoring the short- and long-term capacity issues, I'll examine the multirouter traffic grapher (MRTG) and Cricket tools.
Both MRTG and Cricket generate HTML pages containing GIFs or PNGs (a new image format that does not have the patent issues GIF does) of recorded data. Plots are generated showing multiple timespans, from daily to yearly. The binary data files do not grow over time. Both are freely available on the Web, written in Perl, use the SNMP_Session Perl module described above, and use C code to store and graph data. Typically, a crontab entry is set up to run the data collection tool every five minutes.
Cricket and MRTG are, however, installed and set up in completely different manners. MRTG is simpler to install and set up, while Cricket is faster and more flexible. MRTG forks a separate process for each image or data update, while Cricket dynamically loads the RRDtool library. Cricket does not generate the images until a user points his or her browser at a CGI script that generates the images on the fly.
Both tools are widely used in the network community for measuring everything from the backplane bandwidth usage on Cisco routers, to the amount of traffic passing through a particular port on a switch, to the CPU usage on routers.
Installing either of these packages requires some work. Because of patent issues surrounding GIF creation code, libraries that were used to create GIF images have been converted to generate PNG images. While PNG images are smaller and take less time to compress, installing the code requires the libz libraries. You can download these tools from the following places:
||http://www.cdrom.com/pub/infozip/zlib/||Compression library used to make PNGs|
||http://www.cdrom.com/pub/png/||PNG creation library|
||http://www.boutell.com/gd/||Graphics library for creating images|
|SNMP_Session||http://www.switch.ch/misc/leinen/snmp/perl/||Perl SNMP library|
|MRTG||http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html||Traffic measuring and bandwidth plotting tool|
|Cricket||http://www.munitions.com/~jra/cricket/||Traffic measuring and bandwidth plotting tool|
MRTG, written by Tobias Oetiker, generates Web pages such as the following:
Figure 2. Top-level MRTG example
Shown here is a portion of a Web page displaying network traffic, NFS operations per second, and CPU usage for a Network Appliances NFS Filer. Clicking on one of the images leads to a page showing the daily, weekly, monthly, and yearly plots. Below are the plots for the number of NFS operations per second:
Figure 3. Daily MRTG plot
Figure 4. Weekly MRTG plot
Figure 5. Monthly MRTG plot
Figure 6. Yearly MRTG plot
Once you've downloaded, configured, and compiled MRTG, it's a straightforward process to set up the monitoring of a new router or host. In this example, we will point MRTG at the SNMP running on a Solaris 2.6 host. Simply run the following commands:
% mkdir /home/blair/www/mrtg
% cp images/* /home/blair/www/mrtg/
% ./run/cfgmaker public@dagalas > dagalas.cfg
% vi dagalas.cfg
Here add the line WorkDir: /home/blair/www/mrtg mentioned at the top of the file.
Make sure all MaxBytes settings are large enough for the interface being monitored. Sometimes cfgmaker sets this value too small, and all recorded data larger than this value will be ignored.
Add a new argument to each target in order to have the image plot the newest data on the right, not left, side of the plot. Options[XXX]:
% ./run/mrtg dagalas.cfg
Rateup WARNING: ./run//rateup could not read the primary log file for
Rateup WARNING: ./run//rateup The backup log file for dagalas was invalid as
Rateup WARNING: ./run//rateup Can't remove dagalas.old updating log file
Rateup WARNING: ./run//rateup Can't rename dagalas.log to dagalas.old
updating log file
% ./run/mrtg dagalas.cfg
Rateup WARNING: ./run//rateup Can't remove dagalas.old updating log file
% ./run/mrtg dagalas.cfg
% ./run/indexmaker dagalas.cfg > /home/blair/www/mrtg/index.html
Finish by setting the mrtg command in your crontab to run every five minutes; then just point your browser at the directory and you'll see the new results.
The configuration file that cfgmaker creates contains lines like:
This will gather the traffic for port 1 of the machine named dagalas by using the community public for the SNMP query. You can also define the exact OID by using the syntax:
The following example retrieves error input and output octets/sec on interface 1. MRTG needs to graph two values, so specify two OIDs, such as
This is where having tkmib available to receive numeric OID values is extremely useful.
Cricket is a relatively new tool compared to MRTG. It was written by Jeff Allen and is based on Tobias Oetiker's new Round Robin Database (RRD) library.
Cricket is significantly faster than MRTG at gathering SNMP statistics and updating binary data files. It also leaves image creation to viewing time by having a CGI create the images. This saves CPU time for other purposes, though it does increase the user's wait for viewing. The other large improvement is the creation of an inheritance tree of configuration files. A top-level configuration file can set global parameters that may or may not be overridden in lower configuration files. Lower levels of the tree set more specific targets to monitor. This is extremely useful for large sites, as it lets different organizations handle different portions of the configuration tree.
A top-level page for viewing a Cricket installation, pulled directly from the Cricket author's demonstration Web site, is shown below.
Figure 7. Top-level example Cricket page
Clicking on the router link takes you to this page:
Figure 8. Second-level example Cricket page
Finally, clicking on this CPU link shows the actual statistics of the router's CPU usage:
Figure 9. Example Cricket page showing router CPU usage
More information on building a Cricket installation can be found on the Cricket Web page.
About the author
Blair Zajac is an IT analyst at Yahoo!/GeoCities, where he focuses on Web site architecture and performance issues, including networking hardware, content storage, international distribution, server operating systems, and Web server software. He is the author of the Orca monitoring system and was a key developer of the freely available Amanda backup software system. Before moving to Yahoo!/GeoCities, he was the systems manager for the Geological and Planetary Sciences Division at Caltech, where he also received a Ph.D. in geophysics.