How to use MRTG to log specific protocol traffic using SNMP and Cisco’s NBAR
[LEFT][SIZE=3][B][URL="http://www.servercare.nl/Lists/Posts/Post.aspx?ID=5"]How to use MRTG to log specific protocol traffic using SNMP and Cisco’s NBAR[/URL][/B][/SIZE]
[B]Introduction [/B]
We've all seen these nifty graphs that some sites seem to be able to provide.
[URL="http://www.syncpuls.com/traffic/10.10.1.250_101.html"][IMG]http://www.servercare.nl/Lists/Photos/121207_1611_HowtouseMRT1.png[/IMG][/URL]
This particular overview shows the in- and outbound traffic over my ADSL link during the last 24 hours. The nice thing is that the tool used here can also show longer periods: a day, a week, a month or even a year. That shows you the trend in your traffic volume, which helps you decide when to upgrade that link, or when to ban p2p tools from your network.
This article is [I]not[/I] about simply implementing that. The tool used here is MRTG; it runs under Linux and Windows (Windows, in my case) and uses Perl. The MRTG website gives you more than enough information on how to get things going. Instead, we want to dive in deeper and view information about the specific protocols going over the interfaces.
This article assumes you know, to a certain extent, how to get information from your routers using SNMP (Simple Network Management Protocol). It goes more in depth on that: what if you are only interested in certain sub-protocols? For example, suppose you have a customer using terminal server over an SDSL link, and this customer reports that things are slow, usually between 12:00 and 14:00. Would it not be great to see an overview of all kinds of traffic around that time?
Cisco has something called [URL="http://en.wikipedia.org/wiki/NBAR"]NBAR[/URL] (Network Based Application Recognition) in its IOS. It makes exactly this kind of information available, and the good news is that we can read it using SNMP!
This opens it up for the use of MRTG…
[IMG]http://www.servercare.nl/Lists/Photos/121207_1611_HowtouseMRT2.png[/IMG]
Here you can see an example of one interface showing HP printing traffic, as well as HTTP traffic, over the last 24 hours. This data came from a typical office environment, as you can see from the HTTP traffic ;-)
[B]Where to start [/B]
To begin, you'll need a number of things:
[LIST][*]MRTG [url=http://oss.oetiker.ch/mrtg/]MRTG - Tobi Oetiker's MRTG - The Multi Router Traffic Grapher[/url][/LIST]
In our case we have installed the Windows version, and we are running it as a service. How to do this is not part of this article, but the MRTG site has a guide on how to approach it: [url=http://oss.oetiker.ch/mrtg/doc/mrtg-nt-guide.en.html]MRTG - The MRTG 2.16.2 Windows Installation Guide[/url]. MRTG uses Perl, so you'll need Perl as well.
[LIST][*]Net-SNMP [url=http://net-snmp.sourceforge.net/docs/man/snmpwalk.html]Manpage of SNMPWALK[/url][/LIST]
We'll be using both the snmpwalk and the snmpget utilities.
[LIST][*]Cisco MIBs for NBAR, and dependencies:[/LIST]
[url=http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-NBAR-PROTOCOL-DISCOVERY-MIB]Cisco SNMP Object Navigator[/url]
It is important to copy the following Cisco MIB into the /share/snmp/mibs directory of the Net-SNMP tools:
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.txt
Better yet, put all of its dependencies there too (if they are not there already). This lets snmpwalk.exe and snmpget.exe translate the numeric OIDs they gather into names.
Once all is installed, we can start…
[B]The basics [/B]
Suppose a router is located at IP 172.24.1.1
We want to make sure the router supports NBAR on the correct interface(s). If the router is recent (newer than 2003) and runs a fairly recent IOS, you have a pretty good chance that it supports NBAR. Typically we are only interested in one or two interfaces, to see what exactly is going on protocol-wise.
Telnet or SSH into the router and check the configuration ('sho run'), then go into the interface you want monitored: 'enable' (if needed), 'conf t', and select the interface.
To enable NBAR on this interface, give the command: 'ip nbar protocol-discovery'.
Get out of config mode and check with:
'show ip nbar protocol-discovery interface yourinterface X stats bit-rate top-n 5'
(where "yourinterface X" is something like FastEthernet X or Tunnel Y)
The next step is to make sure NBAR knows all the port mappings you care about. For example, you may want to add the RDP protocol manually:
'ip nbar custom rdp tcp 3389'
More info on the port mappings:
'show ip nbar port-map'
Also note that printer is typically port 515; you may want to add a custom protocol such as hp-print for TCP port 9100, which is typically used by HP JetDirect boxes.
We've now got the software installed and the router ready and waiting, so let's start experimenting with SNMP!
First you need to understand the concept of MIBs and how to access the OIDs of the router's SNMP agent. Good luck with that. For this manual it suffices to say that for every interface, protocol, channel etc. there is an ID that looks something like:
[FONT=Courier New]1.3.6.1.4.1.9.9.244 [/FONT]
Looks like an IP address on steroids, doesn't it? This particular one identifies (represents) the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB, by the way; this is the one we'll be using to dig into SNMP and gather statistics.
Some more information on these numbers and how to use them in MRTG can be found here:
[url=http://vermeer.org/display_doc.php?doc_id=6]www.vermeer.org: Graphing Cisco Systems (NBAR) Network-based application recognition with MRTG;[/url]
And here is a nice overview of what all these numbers (Object IDs, or OIDs) mean:
[url=http://support.ipmonitor.com/mibs/CISCO-NBAR-PROTOCOL-DISCOVERY-MIB/oids.aspx]ipMonitor :: CISCO-NBAR-PROTOCOL-DISCOVERY-MIB: Cisco Network Based Application Recognition (NBAR) Protocol Discovery[/url]
Now that you have a better understanding of what all these numbers are, we'll start walking around in SNMP to get some information out of them. If you have installed the Net-SNMP package correctly, and have copied the Cisco MIBs to the correct place, you will get names instead of numbers thanks to the MIB information; this will help you determine which interface to access.
[FONT=Courier New]snmpwalk -c public -v2c 172.24.1.1 | more [/FONT]
This gives you a good idea of the kind of information that can be found in the router, and it helps you find the correct interface number.
For example:
[FONT=Courier New]C:\mrtg-2.14.3\snmp\usr\bin>snmpwalk -c public -v2c 172.24.1.1 | more [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 2800 Software (C2800 [/FONT]
[FONT=Courier New]Technical Support: http://www.cisco.com/techsupport [/FONT]
[FONT=Courier New]Copyright (c) 1986-2006 by Cisco Systems, Inc. [/FONT]
[FONT=Courier New]Compiled Wed 19-Apr-06 09:18 by alnguyen [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.576 [/FONT]
[FONT=Courier New]DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (67387120) 7 days, 19:11 [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysContact.0 = STRING: [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysName.0 = STRING: rt-nevo-nieu-01.nevobo.nl [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysLocation.0 = STRING: [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysServices.0 = INTEGER: 78 [/FONT]
[FONT=Courier New]SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]IF-MIB::ifNumber.0 = INTEGER: 14 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.1 = INTEGER: 1 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.2 = INTEGER: 2 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.3 = INTEGER: 3 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.4 = INTEGER: 4 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.5 = INTEGER: 5 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.6 = INTEGER: 6 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.7 = INTEGER: 7 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.8 = INTEGER: 8 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.9 = INTEGER: 9 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.10 = INTEGER: 10 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.11 = INTEGER: 11 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.12 = INTEGER: 12 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.13 = INTEGER: 13 [/FONT]
[FONT=Courier New]IF-MIB::ifIndex.14 = INTEGER: 14 [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.1 = STRING: FastEthernet0/0 [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.2 = STRING: FastEthernet0/1 [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.3 = STRING: ATM0/0/0 [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.4 = STRING: Null0 [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.5 = STRING: ATM0/0/0-atm layer [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.6 = STRING: ATM0/0/0.0-atm subif [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.7 = STRING: ATM0/0/0-aal5 layer [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.8 = STRING: ATM0/0/0.0-aal5 layer [/FONT]
[FONT=Courier New]IF-MIB::ifDescr.9 = STRING: Tunnel0 [/FONT]
[FONT=Courier New]Etc. [/FONT]
I would like to see the traffic that is going over a VPN tunnel. The above shows me that the interface I'm interested in (the Tunnel0 interface) is number 9. We'll need this information later.
Let's look a little closer…
[FONT=Courier New]snmpwalk -m ALL -c public -v2c 172.24.1.1 1.3.6.1.4.1.9.9.244 | more [/FONT]
This gives us more detailed information about NBAR, as 1.3.6.1.4.1.9.9.244 is the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB. Now we get to see (amongst other information) a list of the different protocols we might want to check:
[FONT=Courier New]C:\mrtg-2.14.3\snmp\usr\bin>snmpwalk -m ALL -c public -v2c 172.24.1.1 1.3.6.1.4.1.9.9.244 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.1 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.2 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.3 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.4 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.5 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.6 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.7 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.8 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.9 = INTEGER: true(1) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.10 = INTEGER: true(1) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.11 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.12 = INTEGER: true(1) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.13 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.14 = INTEGER: false(2) [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.1 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.2 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.3 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.4 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.5 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.6 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.7 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.8 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.9 = Timeticks: (6888779) 19:08:07.79 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.10 = Timeticks: (6888779) 19:08:07.79 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.11 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.12 = Timeticks: (66110432) 7 days, 15:38:24.32 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.13 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusLastUpdateTime.14 = Timeticks: (0) 0:00:00.00 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.1 = STRING: "ftp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.2 = STRING: "http" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.3 = STRING: "egp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.4 = STRING: "gre" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.5 = STRING: "icmp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.6 = STRING: "eigrp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.7 = STRING: "ipinip" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.8 = STRING: "ipsec" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.9 = STRING: "ospf" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.10 = STRING: "bgp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.11 = STRING: "cuseeme" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.12 = STRING: "dhcp" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.13 = STRING: "dns" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.14 = STRING: "finger" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.15 = STRING: "gopher" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.16 = STRING: "secure-http" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.17 = STRING: "imap" [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.18 = STRING: "secure-imap" [/FONT]
[FONT=Courier New]Etc. [/FONT]
The rdp protocol we added manually (custom) is number 81 in this particular case (not shown). In this list we [I]only[/I] see the interfaces on which we have enabled NBAR; in the above example that is interface number 9, which happens to be the tunnel we are interested in. The conclusion is that I want to look at interface number 9, protocol number 81. The complete list will also show us that we can select cnpdAllStatsInPkts on interface 9, protocol 81. Since we have the MIBs, we can do this like this:
[FONT=Courier New]snmpget -m ALL -c public -v2c 172.24.1.1 CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsInPkts.9.81 [/FONT]
(notice that we are now using snmp[I]get[/I] instead of snmpwalk)
This produces the following output:
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsInPkts.9.81 = Counter32: 30678687 packets [/FONT]
This is close to the information we are after, but I'd rather have bytes than packets:
[FONT=Courier New]C:\mrtg-2.14.3\snmp\usr\bin>snmpget -m ALL -c public -v2c 172.24.1.1 CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsInBytes.9.81 [/FONT]
[FONT=Courier New]CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsInBytes.9.81 = Counter32: 1180202481 bytes [/FONT]
If we did not use the MIB names, we would have to use the numbers:
[FONT=Courier New]snmpget -m ALL -c public -v2c 172.24.1.1 1.3.6.1.4.1.9.9.244.1.2.1.1.5.9.81 [/FONT]
This results in the same output, and since we are using the MIB information (-m ALL) we can also check the output to confirm that we are indeed reading the cnpdAllStatsInBytes.9.81 counter.
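The lookups above (ifDescr to ifIndex, then protocol name to protocol index on that interface, then numeric column OID) are easy to get wrong by hand, so here is an added Python example, not code from the article, that does them over snmpwalk output. The sample walk lines are constructed after the listings above; the "rdp" line is constructed because the article says the custom protocol received index 81 on interface 9 but does not show it. The MIB root 1.3.6.1.4.1.9.9.244 and the InBytes/OutBytes column numbers 5 and 6 are taken from the article; the check that cnpdStatusPdEnable is true(1) on the chosen interface is the first thing to verify when a counter comes back empty.

```python
"""Resolve NBAR per-protocol counter OIDs from snmpwalk output.

Added example; not part of the original article. Run stand-alone: it parses a
constructed sample walk and prints the OIDs for rdp on Tunnel0.
"""
import re

# From the article: NBAR MIB root, the cnpdAllStats entry, and the column
# numbers that the article's own Target line uses (5 = InBytes, 6 = OutBytes).
NBAR_MIB = "1.3.6.1.4.1.9.9.244"
ALL_STATS_ENTRY = NBAR_MIB + ".1.2.1.1"
COLUMNS = {"cnpdAllStatsInBytes": 5, "cnpdAllStatsOutBytes": 6}

# Constructed sample of snmpwalk output, modelled on the article's listings.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
IF-MIB::ifDescr.2 = STRING: FastEthernet0/1
IF-MIB::ifDescr.9 = STRING: Tunnel0
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.1 = INTEGER: false(2)
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdStatusPdEnable.9 = INTEGER: true(1)
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.1 = STRING: "ftp"
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.2 = STRING: "http"
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB::cnpdAllStatsProtocolName.9.81 = STRING: "rdp"
"""

# One snmpwalk line: MIB::object.index[.index...] = TYPE: value
LINE_RE = re.compile(
    r'^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>[\d.]+) = (?P<type>\w+): (?P<val>.*)$'
)


def parse_walk(text):
    """Map (object name, index tuple) -> value; lines that do not parse are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation lines of multi-line strings, banners, etc.
        idx = tuple(int(p) for p in m.group("idx").split("."))
        table[(m.group("obj"), idx)] = m.group("val").strip().strip('"')
    return table


def if_index(table, descr):
    """ifIndex of the interface whose ifDescr equals descr (e.g. "Tunnel0")."""
    for (obj, idx), val in table.items():
        if obj == "ifDescr" and val == descr:
            return idx[0]
    raise KeyError("no interface with ifDescr %r" % descr)


def nbar_enabled(table, ifidx):
    """True when protocol discovery is switched on for this ifIndex."""
    return table.get(("cnpdStatusPdEnable", (ifidx,)), "").startswith("true")


def protocol_index(table, ifidx, name):
    """Protocol index of name on interface ifidx; indices differ per router."""
    for (obj, idx), val in table.items():
        if obj == "cnpdAllStatsProtocolName" and idx[0] == ifidx and val == name:
            return idx[1]
    raise KeyError("protocol %r not seen on ifIndex %d" % (name, ifidx))


def nbar_oids(table, descr, proto):
    """Numeric OIDs for the InBytes/OutBytes counters of proto on interface descr."""
    ifidx = if_index(table, descr)
    if not nbar_enabled(table, ifidx):
        raise RuntimeError(
            "NBAR protocol discovery is not enabled on %s (ifIndex %d)" % (descr, ifidx))
    pidx = protocol_index(table, ifidx, proto)
    return {col: "%s.%d.%d.%d" % (ALL_STATS_ENTRY, num, ifidx, pidx)
            for col, num in COLUMNS.items()}


if __name__ == "__main__":
    for name, oid in nbar_oids(parse_walk(SAMPLE_WALK), "Tunnel0", "rdp").items():
        print("%s.9.81 = %s" % (name, oid))
```

Feed it the output of the two snmpwalk commands shown above (the IF-MIB part and the 1.3.6.1.4.1.9.9.244 part) instead of SAMPLE_WALK, and it hands you the numeric OIDs that the next section pastes into MRTG. Protocol indices are assigned per router and can shift after an IOS upgrade or a change to the custom protocols, so re-running the lookup after such a change is a cheap way to catch a Target line that silently started graphing the wrong protocol.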
[B]Getting it into MRTG [/B]
We are getting there! We now know exactly which SNMP OID to poll, so let's translate this into MRTG. I would advise making an include file that separates the NBAR info from the rest of the config. We do this by creating a .inc file and referring to it in the main .cfg file, as was done here:
[URL]http://www.geocities.com/aisvc/howto/mrtgcfg.html[/URL]
As shown on the [URL="http://www.vermeer.org/"]www.vermeer.org[/URL] pages, we put the following in the .inc file (in this example we monitor both the RDP and the printer protocols):
[FONT=Courier New]## [/FONT]
[FONT=Courier New]## rdp Traffic Analysis [/FONT]
[FONT=Courier New]## [/FONT]
[FONT=Courier New]Target[nbar-rdp]:1.3.6.1.4.1.9.9.244.1.2.1.1.5.9.81&1.3.6.1.4.1.9.9.244.1.2.1.1.6.9.81:public@172.24.1.1 [/FONT]
[FONT=Courier New]SetEnv[nbar-rdp]: MRTG_INT_IP="" MRTG_INT_DESCR="" [/FONT]
[FONT=Courier New]Directory[nbar-rdp]: nbar [/FONT]
[FONT=Courier New]MaxBytes[nbar-rdp]: 10000000 [/FONT]
[FONT=Courier New]Title[nbar-rdp]: Cisco Nbar Protocol Analysis [/FONT]
[FONT=Courier New]PageTop[nbar-rdp]: [/FONT]
[FONT=Courier New]## [/FONT]
[FONT=Courier New]## printer Traffic Analysis [/FONT]
[FONT=Courier New]## [/FONT]
[FONT=Courier New]Target[nbar-printer]:1.3.6.1.4.1.9.9.244.1.2.1.1.5.9.47&1.3.6.1.4.1.9.9.244.1.2.1.1.6.9.47:public@172.24.1.1 [/FONT]
[FONT=Courier New]SetEnv[nbar-printer]: MRTG_INT_IP="" MRTG_INT_DESCR="" [/FONT]
[FONT=Courier New]Directory[nbar-printer]: nbar [/FONT]
[FONT=Courier New]MaxBytes[nbar-printer]: 10000000 [/FONT]
[FONT=Courier New]Title[nbar-printer]: Cisco Nbar Protocol Analysis [/FONT]
[FONT=Courier New]PageTop[nbar-printer]: [/FONT]
Simply restart the MRTG service and the data will show up in a separate nbar directory created under the root directory used by MRTG.
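Two things about the .inc file above are worth seeing in code: how the Target line is assembled from the interface and protocol indices, and what MaxBytes actually does. The following Python is an added example, not MRTG's code and not from the article; it renders a stanza in exactly the form used above and then applies the arithmetic MRTG documents for counters: the difference between two Counter32 samples divided by the poll interval, a 2^32 correction when the counter has wrapped, and rejection of any rate above MaxBytes. The 10000000 MaxBytes value and the indices 9, 81 (rdp) and 9, 47 (printer) are the article's; the sample counter values are constructed. The community string is a parameter here; with SNMPv2c it crosses the network in clear text and "public" is the well-known default, so a non-default read-only community (or SNMPv3) restricted by an access list on the router is the usual choice in practice.

```python
"""Render an MRTG NBAR stanza and apply MRTG-style counter arithmetic.

Added example; not MRTG code and not part of the original article.
"""

# From the article: cnpdAllStats entry and the InBytes/OutBytes column numbers.
NBAR_ALL_STATS_ENTRY = "1.3.6.1.4.1.9.9.244.1.2.1.1"
IN_BYTES, OUT_BYTES = 5, 6
COUNTER32_MAX = 2 ** 32  # Counter32 wraps to 0 after 4294967295


def mrtg_stanza(name, ifidx, pidx, community, host, max_bytes=10000000):
    """Return the .inc stanza for one protocol, in the layout the article uses."""
    in_oid = "%s.%d.%d.%d" % (NBAR_ALL_STATS_ENTRY, IN_BYTES, ifidx, pidx)
    out_oid = "%s.%d.%d.%d" % (NBAR_ALL_STATS_ENTRY, OUT_BYTES, ifidx, pidx)
    return "\n".join([
        "##",
        "## %s Traffic Analysis" % name,
        "##",
        "Target[nbar-%s]:%s&%s:%s@%s" % (name, in_oid, out_oid, community, host),
        'SetEnv[nbar-%s]: MRTG_INT_IP="" MRTG_INT_DESCR=""' % name,
        "Directory[nbar-%s]: nbar" % name,
        "MaxBytes[nbar-%s]: %d" % (name, max_bytes),
        "Title[nbar-%s]: Cisco Nbar Protocol Analysis" % name,
        "PageTop[nbar-%s]: " % name,
    ])


def rate_from_counters(prev, cur, seconds, max_bytes=10000000):
    """Bytes per second between two Counter32 samples taken `seconds` apart.

    A negative difference is treated as a 32-bit wrap. A rate above max_bytes
    (for example after a router reload, which resets counters to zero) is the
    kind of sample MRTG discards, so None is returned for it.
    """
    if seconds <= 0:
        raise ValueError("poll interval must be positive")
    delta = cur - prev
    if delta < 0:
        delta += COUNTER32_MAX
    rate = delta / seconds
    return None if rate > max_bytes else rate


if __name__ == "__main__":
    # The two stanzas from the article, generated instead of typed.
    print(mrtg_stanza("rdp", 9, 81, "public", "172.24.1.1"))
    print(mrtg_stanza("printer", 9, 47, "public", "172.24.1.1"))
    # Constructed samples, five minutes apart (MRTG's default interval).
    print(rate_from_counters(1180202481, 1180502481, 300))   # 1000.0 bytes/s
    print(rate_from_counters(4294966296, 2000, 300))         # 10.0 after a wrap
    print(rate_from_counters(1000000000, 500, 300))          # None: rejected
```

The third sample shows why MaxBytes matters for a busy protocol counter: a reload that zeroes the counter looks exactly like a wrap, and without the MaxBytes ceiling the graph would show a spike of several gigabytes in one interval. Pick MaxBytes to match the link (10000000 bytes/s is the article's value); it is also the value MRTG uses to scale the graph.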
I hope this article helped you on your way; let me know if it did.[/LEFT]