internet traffic using RMON page 1
INTERNET TRAFFIC USING RMON
TABLE OF CONTENTS
What is RMON ?
Goal of RMON
Internet traffic
Illustration for internet traffic
Monitoring difficulties
Internet monitoring using RMON
Synopsis
Courtesy: http://www.csu.edu.au/special/auugwww96/proceedings/wang/wang.html
http://www.cs.wustl.edu/~jain/cis788-97/ftp/net_monitoring/index.htm
Prepared by: T. ANTANY, II M.C.A
Prepared on : 14th August 2006
What is RMON ?
Remote network monitoring (RMON) is a standard for monitoring internet traffic. It is
intended to be implemented by internet device vendors so that a network using
RMON-compliant devices can be monitored using RMON-compliant software. For RMON to
work, network devices, such as hubs and switches, must be designed to support it.
RMON (Remote Network Monitoring) provides standard information that a
network administrator can use to monitor, analyze, and troubleshoot a group of
distributed local area networks (LANs) and interconnecting T-1/E-1 and T-2/E-3 lines
from a central site. RMON specifically defines the information that any network
monitoring system will be able to provide. It's specified as part of the Management
Information Base (MIB) in Request for Comments 1757 as an extension of the Simple
Network Management Protocol (SNMP). The latest level is RMON Version 2
(sometimes referred to as "RMON 2" or "RMON2").
RMON can be supported by hardware monitoring devices (known as "probes") or
through software or some combination. For example, Cisco's line of LAN switches
includes software in each switch that can trap information as traffic flows through and
record it in its MIB. A software agent can gather the information for presentation to the
network administrator with a graphical user interface. A number of vendors provide
products with various kinds of RMON support.
RMON collects nine kinds of information, including packets sent, bytes sent,
packets dropped, statistics by host, by conversations between two sets of addresses, and
certain kinds of events that have occurred. A network administrator can find out how
much bandwidth or traffic each user is imposing on the network and what Web sites are
being accessed. Alarms can be set in order to be aware of impending problems.
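The alarms mentioned above are defined in the RMON alarm group of RFC 1757 by a rising
and a falling threshold with hysteresis between them. The following is an added example,
not part of the original report or of any vendor's code, that applies that rule to delta
samples of a 32-bit octet counter; the names RmonAlarm, run and READINGS are hypothetical
and the readings are constructed.

```python
COUNTER32 = 2 ** 32  # an SNMP Counter32 wraps back to 0 at this value

class RmonAlarm:
    """One alarm row (hypothetical class): sample a variable, compare with two thresholds."""

    def __init__(self, rising, falling, delta=True, startup="risingOrFalling"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.delta = rising, falling, delta
        self.prev_raw = None
        # Hysteresis state: kind of the last event. The startup setting pre-loads
        # it so that only the permitted kind of alarm can fire first.
        self.last = {"rising": "falling", "falling": "rising"}.get(startup)

    def sample(self, raw):
        """Feed one polled reading; return 'rising', 'falling' or None."""
        if self.delta:
            prev, self.prev_raw = self.prev_raw, raw
            if prev is None:
                return None                      # a delta needs two readings
            value = (raw - prev) % COUNTER32     # stays correct across one counter wrap
        else:
            value = raw
        if value >= self.rising and self.last != "rising":
            self.last = "rising"
            return "rising"
        if value <= self.falling and self.last != "falling":
            self.last = "falling"
            return "falling"
        return None

def run(alarm, readings):
    """Return [(poll index, event)] for every reading that generated an event."""
    return [(i, ev) for i, r in enumerate(readings) if (ev := alarm.sample(r))]

# Constructed octet-counter readings, one per polling interval (not from the page).
# Deltas: 200k, 700k, 300k, 700k, 700k (counter wraps here), 50k, 20k, 900k.
READINGS = [4_293_000_000, 4_293_200_000, 4_293_900_000, 4_294_200_000,
            4_294_900_000, 632_704, 682_704, 702_704, 1_602_704]

if __name__ == "__main__":
    print(run(RmonAlarm(rising=600_000, falling=100_000), READINGS))
```

A plain subtraction at the wrap would give a large negative delta and a spurious falling alarm; the dip to 300k between the thresholds does not re-arm the rising alarm.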
RMON was originally standardized by RFC 1271 in November 1991 and was updated by
RFC 1757 in February 1995. RFC 1757 has become the standard that describes the
implementation of RMON.
Goal of RMON
The overall goal of RMON is to allow RMON-compliant network monitoring devices to be
constructed. These devices, usually referred to as monitors or probes, measure specific
aspects of the network without interfering with normal operations. They are usually
stand-alone devices located in remote parts of the network or even across network
boundaries. The RMON standard allows these devices to communicate over the network
they are monitoring. RMON is generally defined so that it can be implemented in a generic
network, but some specifications were created for monitoring Ethernet networks, since
Ethernet is one of the most popular networks used in the internet.
What is internet traffic ?
Web traffic is the amount of data sent and received by visitors to a web site. This is
determined by the number of visitors and the number of pages they visit. Sites monitor
the incoming and outgoing traffic to see which parts or pages of their site are popular and
if there are any apparent trends, such as one specific page being viewed mostly by people
in a particular country.
The commercialization of the Internet has resulted in more than an increase in the
number of users. Probably the most important problem that arises is accounting for the
transferred data. Traditionally, the Internet was a network between research and
educational institutions. The connected institutions usually paid a fixed fee for their
connection. Nowadays, Internet providers would like to charge their clients depending on
the volume of data they transfer. To do this, they need powerful tools that are able to
count the amount of data transferred. The higher the line speeds are, the more difficult
this is.
It is still a very common practice for providers to charge fixed monthly fees for
Internet access. Very often the only reason for this is that they have no means to do an
exact accounting for all clients.
Graphics to illustrate the internet traffic around the globe
Monitoring Internet
The internet is a network of many networks. Each individual network is owned and
operated by a different organization. Monitoring the internet is different from monitoring
a single network: in a single network, all components are usually under the control of a
single network management, but in the internet each individual network has a different
base layer platform and is managed by a different network management.
Monitoring difficulties
The internet is getting more and more difficult to monitor because more and more
users are added to it every day, and there is a lack of measurements of the quality of the
internet as a whole. No standardized metric is used for measuring the internet, but
host response time, time delay, and loss rate are usually measured by individual
networks. The users of the internet have to measure the aspects of the internet that
tell them the performance of their network applications.
There is no standardized tool for monitoring the internet. Different people use
different tools. The most common internet monitoring tools are public domain software,
because they are available for the internet at extremely low cost and can be easily
customized.
Several common public domain software tools used in network monitoring are ping, ftp, and
traceroute. Ping sends a packet of user data to a specific node and the packet is echoed
back. This allows the measurement of response time and the percentage of packet loss.
Ftp transfers a file from one host to another. This allows the measurement of the data
transfer rate. Traceroute sends packets of ICMP (Internet Control Message Protocol)
messages to the host. This allows the measurement of the number of hops to another host
and the performance of the route. There are many other public domain software tools for
internet monitoring, for example arpwatch, nslookup and so on.
Right now, there is no standardized effort to monitor the internet as a whole and
none is being researched and developed. The only way to monitor the internet now is
to use existing public software and extend its functionality. There are a couple of
problems with this approach. First, this public software is not intended for
monitoring. Its usage eats up network capacity, thus allowing only a small amount of
monitoring activity. Second, monitoring the internet is difficult and not many people are
doing it. As a result, problems are not often reported and are consequently solved
infrequently, and internet performance is degrading. This phenomenon, created
by the lack of monitoring, is referred to as "gridlock".
Internet traffic using RMON
Traditional solutions for volume-based traffic charging include:
1. Reading the SNMP Octet Counters from the Routers
Most if not all modern networking equipment offers the possibility to gather
statistics about the amount of data that was transferred via its interfaces. For this
purpose, counters for bytes and/or packets that are transferred over each
interface are usually provided. These counters can be queried using the SNMP protocol.
The disadvantage of this is that only the total amount of traffic transferred can be
accounted. It is not possible to apply different prices depending on the kind of traffic.
Additionally, since the SNMP counters are only maintained once for each hardware
port, a separate port is necessary for each client that is to be accounted. These
additional expenses for hardware make this solution very unattractive.
2. Using RMON / RMON2 probes
The RMON standard, which is described in RFC 1757 [40], was designed to
provide proactive monitoring and diagnostics for distributed LAN-based networks.
Special monitoring devices, called agents or probes, make it possible to monitor critical
network segments and to set off user-defined alarms. RMON has been implemented in
special stand-alone hardware, embedded in switches and as a program running on a PC or
workstation. Communication with the probes is implemented using the SNMP protocol.
In theory, the RMON standard would be suitable for higher line speeds. It has, however,
been shown that it is difficult to adapt RMON to protocols like 100VG-AnyLan or ATM. No
RMON implementations for those protocols are available at this time. For ATM, a first
attempt was AMON (ATM Circuit Steering MIB), which defines a way to copy traffic
from a virtual circuit (VC) to a location where an external probe can decode it. AMON,
which was proposed by Fore, has been discussed in the ATM Forum since summer
1995. However, progress has been so slow that the forum threatened to suspend the
AMON MIB group's work. In March 1996 Cisco, although one of the founder members
of the ATM Forum, surprised the networking community by submitting a draft for
an "ATM RMON MIB" to the IETF rather than to the ATM Forum. Cisco developed
the ATM RMON MIB without discussing it with other manufacturers of ATM hardware.
This unusual way of presenting their proposal has been the reason for controversial
discussions. It is therefore not very likely that their proposal will become a standard in
the near future.
3. Using a PC or Workstation running tcpdump
The tcpdump tool can be used to monitor all traffic that passes through a network
adapter in a PC or workstation. It can also be used to count the data that is received
by this network adapter. However, the interrupt load when using tcpdump is a problem
when data is being received at higher line speeds. When the load gets too high, the
probability of packet loss grows. This technique is used at a local Internet provider in
Stuttgart, and it was found that even at transfer rates of about 10 Mbit/s (standard
Ethernet) there is already a probability of packet loss in the range of 1%. Obviously this
solution is only practicable for lower line speeds. It nevertheless offers maximum
flexibility, since a user-written program can be used to analyze a trace of all the headers
from the packets the machine receives.
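Solution 1 cannot price by kind of traffic or separate clients that share a port; a
header trace as in solution 3 can. The following is an added example, not code from the
original report or from tcpdump, of such a user-written program: it reads a capture in
libpcap file format and sums on-the-wire bytes per client and service. The client network
10.0.0.x, the port-to-service table and the names frame, pcap, account and SAMPLE are
assumptions, and the capture is constructed inline.

```python
import struct
from collections import defaultdict

SERVICES = {80: "web", 25: "mail", 21: "ftp"}  # assumed tariff classes, keyed by server port

def frame(src, dst, sport, dport, payload):
    """Constructed test packet: Ethernet + IPv4 + TCP headers only (payload not captured)."""
    ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 40 + payload, 0, 0, 64, 6, 0, *src, *dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp, 54 + payload  # (captured bytes, wire length)

def pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
    for i, (data, wire_len) in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(data), wire_len) + data
    return out

def account(capture, client_net=(10, 0, 0)):
    """Sum on-the-wire bytes per (client address, service) from a header trace."""
    endian = "<" if capture[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    usage, off = defaultdict(int), 24                  # skip the 24-byte file header
    while off + 16 <= len(capture):
        _, _, incl, wire_len = struct.unpack_from(endian + "IIII", capture, off)
        pkt = capture[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                   # truncated record or not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        fragment = struct.unpack_from("!H", pkt, 20)[0] & 0x1FFF
        ports = pkt[14 + ihl: 18 + ihl]
        service = "other"
        if pkt[23] in (6, 17) and not fragment and len(ports) == 4:  # TCP/UDP, ports present
            sport, dport = struct.unpack("!HH", ports)
            service = SERVICES.get(dport) or SERVICES.get(sport, "other")
        for addr in (pkt[26:30], pkt[30:34]):          # source, then destination
            if tuple(addr[:3]) == client_net:          # bill whichever end is a client
                usage[(".".join(map(str, addr)), service)] += wire_len
    return dict(usage)

SAMPLE = pcap([                                        # constructed traffic, not from the page
    frame((10, 0, 0, 5), (192, 0, 2, 1), 40000, 80, 1000),
    frame((192, 0, 2, 1), (10, 0, 0, 5), 80, 40000, 1400),
    frame((10, 0, 0, 9), (192, 0, 2, 7), 40001, 25, 500),
    frame((10, 0, 0, 9), (192, 0, 2, 8), 40002, 6667, 100),
])

if __name__ == "__main__":
    print(account(SAMPLE))
```

Packets the capturing machine drops under load never reach the trace, so the totals are a lower bound on the real volume.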
Synopsis :
RMON – Remote Monitoring for Networks.
INTERNET - Network of networks.
RMON is the standard of how to monitor internet traffic.
Internet traffic is the amount of data sent and received by visitors to a web
site. This is determined by the number of visitors and the number of pages
they visit.
RMON has been implemented in special stand-alone hardware, embedded in
switches and as a program running on a PC or workstation.