Cisco NBAR (Network based application recognition) Graphs!!

efly
Posts: 4
Joined: Thu Dec 11, 2003 4:17 pm
Location: Charlotte, NC

Cisco NBAR (Network based application recognition) Graphs!!

Post by efly »

Hello all,

I have been working with the Cisco NBAR MIB and can help someone along with breaking down the details of the MIB[s] involved with this feature. This would be the first open sourced development that I know of for this information. I am not a programmer but I am a network engineer and know about this MIB in depth.

For those of you that don't know what NBAR does: NBAR can be enabled on Cisco router interfaces and it collects data on 75 different applications and stores #packets, #bytes and 5min bit rate of each application. Starting with IOS version 12.2(15T) it can be polled via SNMP. I have been successfully SNMP polling this MIB and know pretty much all you would need to get a pretty solid script started. It could provide the same information that FlowScan does but with less router configuration and more application information.

If anyone would be willing to work with me on this project I would be glad to provide you with all I know to get the ball rolling.

Let me know

EFLY
Deano
Cacti User
Posts: 101
Joined: Wed Oct 29, 2003 7:08 am
Contact:

Post by Deano »

I could be very interested - I may in fact have an immediate requirement.

I can't get a supported router with the right IOS until next week though. I'm downloading the MIB to have a look.

If we started with the basics and I just wanted Bytes for say HTTP, HTTPS, FTP, ICMP, DNS (UDP & TCP) + Others for 1 interface, what would be the best part of the MIB to start with?

How have you found the NBAR load on the CPU - which platforms and what sort of bandwidths have you tried? I could have uses on both 256K lines on 1720s up to 160 Mb/s of Inet Traffic through 7206 G1s and 6509 MSFC

Deano
efly
Posts: 4
Joined: Thu Dec 11, 2003 4:17 pm
Location: Charlotte, NC

Post by efly »

Deano,

I sent you a PM..

EFLY
RyanT
Posts: 11
Joined: Tue Dec 02, 2003 11:07 am

Re: Cisco NBAR (Network based application recognition) Graph

Post by RyanT »

Hello,

I am in the middle of a project using Cacti to report NBar data. Which OID did you end up using? What is the best way to graph the data?

Thanks!!
cdukes
Cacti User
Posts: 61
Joined: Tue Mar 26, 2002 1:25 pm
Location: Morrisville, NC
Contact:

NBAR

Post by cdukes »

Hi,
I too would be very interested in this.
Can you do an export of your templates for this (if you are using 0.84) so that I can play around with it?

I work for an ISP that is all Cisco -- and lots of it. So I have a wide range of gear to play with.
Regards,
Clayton
Deano
Cacti User
Posts: 101
Joined: Wed Oct 29, 2003 7:08 am
Contact:

Post by Deano »

Ok. We're testing (myself and Efly) an NBAR query and related templates now. Hopefully we'll be in a position to publish soon.

Within my test bed I have a query pulling back Bits/Sec and Pkts/Sec for selected protocols from selected NBAR enabled interfaces. These stats are from the NBAR "All Stats" table in the MIB.

Unfortunately the "TopN" stats need SNMP write access to set up. Cacti has no method for this and currently I'm not sure my coding is sufficient to write a robust script that could configure them.

Deano
cdukes
Cacti User
Posts: 61
Joined: Tue Mar 26, 2002 1:25 pm
Location: Morrisville, NC
Contact:

Post by cdukes »

Deano wrote: I'm not sure my coding is sufficient to write a robust script that could configure them.
Configure what...the Cisco devices?
I may be able to help, just let me know what you need exactly.

-Clayton
Deano
Cacti User
Posts: 101
Joined: Wed Oct 29, 2003 7:08 am
Contact:

Post by Deano »

Ok graphs from the "All Stats" NBAR Mib now available - see here

Deano
RyanT
Posts: 11
Joined: Tue Dec 02, 2003 11:07 am

Post by RyanT »

I have successfully deployed Cacti to report NBAR statistics, works great. Here is the Cisco document about the NBAR MIB. Also, I have successfully used UCD to configure a router for the top-N feature. I will publish the commands with Cacti config soon.

Also, the cnpdAllStats(inPKTS,OutPKTS,INBytes,Outbytes) stats are not a per second number. It reports total Packets/bytes since the router was last rebooted. The only OID I found useful is the cnpdallstatsbitrate.

I found the following urls very useful...

http://www.cisco.com/univercd/cc/td/doc ... tpdmib.htm

http://www.cisco.com/warp/public/732/Tech/qos/nbar/

Have Fun!!!
Attachments
CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.oid.txt
(4.74 KiB) Downloaded 894 times
Deano
Cacti User
Posts: 101
Joined: Wed Oct 29, 2003 7:08 am
Contact:

Post by Deano »

The Packets and Bytes variables do indeed report running totals - in exactly the same way as many other SNMP counters do (like the interface traffic/packet counters) - so they're configured as "counters" and Cacti/RRD works out the rate between poll intervals.

The bitrate variables are configured as "gauge" as of course they don't need to have the rate calculated and it's the absolute value that's important.

Of course for the traffic (bits/sec) these should give the same results but for me it's actually Packets/Sec for ICMP that I'm most interested in on one of my routers.

Deano
RyanT
Posts: 11
Joined: Tue Dec 02, 2003 11:07 am

Post by RyanT »

I see, very cool. I was not using Cacti correctly. Thanks for the tip!!!
efly
Posts: 4
Joined: Thu Dec 11, 2003 4:17 pm
Location: Charlotte, NC

Post by efly »

I should have some pretty sweet graphs soon. Deano, I will shoot the results from a router that is running on average about 500kb/s (frame-relay) and on that interface there should be quite a few protocols to light up the graph.

Thanks for help Deano.

--EFLY
RyanT
Posts: 11
Joined: Tue Dec 02, 2003 11:07 am

Post by RyanT »

I got the SNMP commands worked out with UCD to create the Top-n tables with Nbar. My next problem is what is the best way to have cacti create a graph. I get the following data after creating a Top 3 table:

C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 63000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 39000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 7000

Any ideas?
Deano
Cacti User
Posts: 101
Joined: Wed Oct 29, 2003 7:08 am
Contact:

Post by Deano »

Because the OID has 2 indexes you can't create a simple XML query, so you have 2 choices.

1) Hand code the OIDs of interest to you in individual data sources and graph them.

2) Create a Script + XML query which handles the multiple indexes internally and presents Cacti with a single index it can reference. (Which is how my main NBAR stuff works). This could then be reapplied to any NBAR enabled host quickly.

Option 2 is possible but I probably don't have the time for a week or so to try it myself.

Deano
RyanT
Posts: 11
Joined: Tue Dec 02, 2003 11:07 am

Post by RyanT »

Any ideas how to handle the Top-n table changing? For example, the first time I run the table I get:

C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "telnet"
enterprises.9.9.244.1.4.1.1.2.6.3 = "citrix"
enterprises.9.9.244.1.4.1.1.2.6.4 = "ftp"
enterprises.9.9.244.1.4.1.1.2.6.5 = "egp"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 16000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 3000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 1000
enterprises.9.9.244.1.4.1.1.3.6.4 = Counter32: 0
enterprises.9.9.244.1.4.1.1.3.6.5 = Counter32: 0

The Second Time I get:

C:\ucd\usr\bin>snmpwalk -c public 10.34.0.17 .1.3.6.1.4.1.9.9.244.1.4
enterprises.9.9.244.1.4.1.1.2.6.1 = "secure-http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.2.6.4 = "citrix"
enterprises.9.9.244.1.4.1.1.2.6.5 = "ftp"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 10000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 3000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 2000
enterprises.9.9.244.1.4.1.1.3.6.4 = Counter32: 2000
enterprises.9.9.244.1.4.1.1.3.6.5 = Counter32: 0

Thanks!!
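Deano's option 2 (collapse the two indexes into one) and RyanT's question about the Top-N rows changing between polls both come down to re-keying the walk by protocol name instead of by row. The sketch below is an added example, not code from any poster or from Cacti. It assumes, from the walks above, that column 2 is the protocol name, column 3 the rate, and the last index the rank position; `parse_topn` and `series` are hypothetical names.

```python
import re

# One snmpwalk line from the Top-N table: column, first index, rank row, value.
LINE = re.compile(r'enterprises\.9\.9\.244\.1\.4\.1\.1\.(\d+)\.(\d+)\.(\d+)'
                  r' = (?:"([^"]*)"|Counter32: (\d+))$')

# Sample input: POLL_1 is the Top 3 walk quoted in the thread; POLL_2 is
# constructed from the first three rows of the later walk.
POLL_1 = """enterprises.9.9.244.1.4.1.1.2.6.1 = "http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 63000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 39000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 7000"""
POLL_2 = """enterprises.9.9.244.1.4.1.1.2.6.1 = "secure-http"
enterprises.9.9.244.1.4.1.1.2.6.2 = "netbios"
enterprises.9.9.244.1.4.1.1.2.6.3 = "telnet"
enterprises.9.9.244.1.4.1.1.3.6.1 = Counter32: 10000
enterprises.9.9.244.1.4.1.1.3.6.2 = Counter32: 3000
enterprises.9.9.244.1.4.1.1.3.6.3 = Counter32: 2000"""

def parse_topn(walk):
    """Re-key one walk from (first index, rank) to (first index, protocol)."""
    names, rates = {}, {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a Top-N row
        col, key = m.group(1), (int(m.group(2)), int(m.group(3)))
        if col == "2" and m.group(4) is not None:
            names[key] = m.group(4)
        elif col == "3" and m.group(5) is not None:
            rates[key] = int(m.group(5))
    # Join name and rate on the shared (first index, rank) pair.
    return {(k[0], names[k]): v for k, v in rates.items() if k in names}

def series(polls, tracked):
    """Per-poll values for each tracked key. A protocol that is not in the
    Top-N for a poll is unknown (None), not zero: it only fell below the cutoff."""
    parsed = [parse_topn(p) for p in polls]
    return {key: [p.get(key) for p in parsed] for key in tracked}

if __name__ == "__main__":
    wanted = [(6, "http"), (6, "telnet"), (6, "secure-http")]
    for key, values in series([POLL_1, POLL_2], wanted).items():
        print(key, values)
```

Keyed this way, a data source follows "telnet" wherever it ranks, and a poll in which a protocol is missing can be stored as unknown rather than as a false zero.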