Network Working Group S. Waldbusser
Request for Comments: 1757 Carnegie Mellon University
Obsoletes: 1271 February 1995
Category: Standards Track
Remote Network Monitoring Management Information Base
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP-based internets.
In particular, it defines objects for managing remote network
Table of Contents
1. The Network Management Framework ...................... 22. Overview .............................................. 32.1 Remote Network Management Goals ...................... 32.2 Textual Conventions .................................. 52.3 Structure of MIB ..................................... 52.3.1 The Ethernet Statistics Group ...................... 62.3.2 The History Control Group .......................... 62.3.3 The Ethernet History Group ......................... 62.3.4 The Alarm Group .................................... 62.3.5 The Host Group ..................................... 62.3.6 The HostTopN Group ................................. 72.3.7 The Matrix Group ................................... 72.3.8 The Filter Group ................................... 72.3.9 The Packet Capture Group ........................... 72.3.10 The Event Group ................................... 73. Control of Remote Network Monitoring Devices .......... 73.1 Resource Sharing Among Multiple Management Stations .. 83.2 Row Addition Among Multiple Management Stations ...... 104. Conventions ........................................... 115. Definitions ........................................... 116. Acknowledgments ....................................... 897. References ............................................ 898. Security Considerations ............................... 90
9. Author's Address ...................................... 9010. Appendix: Changes from RFC 1271 ...................... 911. The Network Management Framework
The Internet-standard Network Management Framework consists of three
components. They are:
STD 16, RFC 1155  which defines the SMI, the mechanisms used
for describing and naming objects for the purpose of management.
STD 16, RFC 1212  defines a more concise description mechanism,
which is wholly consistent with the SMI.
STD 17, RFC 1213  which defines MIB-II, the core set of managed
objects for the Internet suite of protocols.
STD 15, RFC 1157  which defines the SNMP, the protocol used for
network access to managed objects.
The Framework permits new objects to be defined for the purpose of
experimentation and evaluation.
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Within a given MIB module,
objects are defined using RFC 1212's OBJECT-TYPE macro. At a
minimum, each object has a name, a syntax, an access-level, and an
The name is an object identifier, an administratively assigned name,
which specifies an object type. The object type together with an
object instance serves to uniquely identify a specific instantiation
of the object. For human convenience, we often use a textual string,
termed the object descriptor, to also refer to the object type.
The syntax of an object type defines the abstract data structure
corresponding to that object type. The ASN.1 language is used for
this purpose. However, RFC 1155 purposely restricts the ASN.1
constructs which may be used. These restrictions are explicitly made
The access-level of an object type defines whether it makes "protocol
sense" to read and/or write the value of an instance of the object
type. (This access-level is independent of any administrative
The implementation-status of an object type indicates whether the
object is mandatory, optional, obsolete, or deprecated.
Remote network monitoring devices, often called monitors or probes,
are instruments that exist for the purpose of managing a network.
Often these remote probes are stand-alone devices and devote
significant internal resources for the sole purpose of managing a
network. An organization may employ many of these devices, one per
network segment, to manage its internet. In addition, these devices
may be used for a network management service provider to access a
client network, often geographically remote.
The objects defined in this document are intended as an interface
between an RMON agent and an RMON management application and are not
intended for direct manipulation by humans. While some users may
tolerate the direct display of some of these objects, few will
tolerate the complexity of manually manipulating objects to
accomplish row creation. These functions should be handled by the
While most of the objects in this document are suitable for the
management of any type of network, there are some which are specific
to managing Ethernet networks. These are the objects in the
etherStatsTable, the etherHistoryTable, and some attributes of the
filterPktStatus and capturBufferPacketStatus objects. The design of
this MIB allows similar objects to be defined for other network
types. It is intended that future versions of this document and
additional documents will define extensions for other network types
such as Token Ring and FDDI.
2.1. Remote Network Management Goals
o Offline Operation
There are sometimes conditions when a management
station will not be in constant contact with its
remote monitoring devices. This is sometimes by
design in an attempt to lower communications costs
(especially when communicating over a WAN or
dialup link), or by accident as network failures
affect the communications between the management
station and the probe.
For this reason, this MIB allows a probe to be
configured to perform diagnostics and to collect
statistics continuously, even when communication with
the management station may not be possible or
efficient. The probe may then attempt to notify
the management station when an exceptional condition
occurs. Thus, even in circumstances where
communication between management station and probe is
not continuous, fault, performance, and configuration
information may be continuously accumulated and
communicated to the management station conveniently
o Proactive Monitoring
Given the resources available on the monitor, it
is potentially helpful for it continuously to run
diagnostics and to log network performance. The
monitor is always available at the onset of any
failure. It can notify the management station of the
failure and can store historical statistical
information about the failure. This historical
information can be played back by the management
station in an attempt to perform further diagnosis
into the cause of the problem.
o Problem Detection and Reporting
The monitor can be configured to recognize
conditions, most notably error conditions, and
continuously to check for them. When one of these
conditions occurs, the event may be logged, and
management stations may be notified in a number of
o Value Added Data
Because a remote monitoring device represents a
network resource dedicated exclusively to network
management functions, and because it is located
directly on the monitored portion of the network, the
remote network monitoring device has the opportunity
to add significant value to the data it collects.
For instance, by highlighting those hosts on the
network that generate the most traffic or errors, the
probe can give the management station precisely the
information it needs to solve a class of problems.
o Multiple Managers
An organization may have multiple management stations
for different units of the organization, for different
functions (e.g. engineering and operations), and in an
attempt to provide disaster recovery. Because
environments with multiple management stations are
common, the remote network monitoring device has to
deal with more than own management station,
potentially using its resources concurrently.
2.2. Textual Conventions
Two new data types are introduced as a textual convention in this MIB
document. These textual conventions enhance the readability of the
specification and can ease comparison with other specifications if
appropriate. It should be noted that the introduction of the these
textual conventions has no effect on either the syntax nor the
semantics of any managed objects. The use of these is merely an
artifact of the explanatory method used. Objects defined in terms of
one of these methods are always encoded by means of the rules that
define the primitive type. Hence, no changes to the SMI or the SNMP
are necessary to accommodate these textual conventions which are
adopted merely for the convenience of readers and writers in pursuit
of the elusive goal of clear, concise, and unambiguous MIB documents.
The new data types are: OwnerString and EntryStatus.
2.3. Structure of MIB
The objects are arranged into the following groups:
- ethernet statistics
- history control
- ethernet history
- packet capture
These groups are the basic unit of conformance. If a remote
monitoring device implements a group, then it must implement all
objects in that group. For example, a managed agent that implements
the host group must implement the hostControlTable, the hostTable and
All groups in this MIB are optional. Implementations of this MIB
must also implement the system and interfaces group of MIB-II .
MIB-II may also mandate the implementation of additional groups.
These groups are defined to provide a means of assigning object
identifiers, and to provide a method for managed agents to know which
objects they must implement.
2.3.1. The Ethernet Statistics Group
The ethernet statistics group contains statistics measured by the
probe for each monitored Ethernet interface on this device. This
group consists of the etherStatsTable. In the future other groups
will be defined for other media types including Token Ring and FDDI.
These groups should follow the same model as the ethernet statistics
2.3.2. The History Control Group
The history control group controls the periodic statistical sampling
of data from various types of networks. This group consists of the
2.3.3. The Ethernet History Group
The ethernet history group records periodic statistical samples from
an ethernet network and stores them for later retrieval. This group
consists of the etherHistoryTable. In the future, other groups will
be defined for other media types including Token Ring and FDDI.
2.3.4. The Alarm Group
The alarm group periodically takes statistical samples from variables
in the probe and compares them to previously configured thresholds.
If the monitored variable crosses a threshold, an event is generated.
A hysteresis mechanism is implemented to limit the generation of
alarms. This group consists of the alarmTable and requires the
implementation of the event group.
2.3.5. The Host Group
The host group contains statistics associated with each host
discovered on the network. This group discovers hosts on the network
by keeping a list of source and destination MAC Addresses seen in
good packets promiscuously received from the network. This group
consists of the hostControlTable, the hostTable, and the
2.3.6. The HostTopN Group
The hostTopN group is used to prepare reports that describe the hosts
that top a list ordered by one of their statistics. The available
statistics are samples of one of their base statistics over an
interval specified by the management station. Thus, these statistics
are rate based. The management station also selects how many such
hosts are reported. This group consists of the hostTopNControlTable
and the hostTopNTable, and requires the implementation of the host
2.3.7. The Matrix Group
The matrix group stores statistics for conversations between sets of
two addresses. As the device detects a new conversation, it creates
a new entry in its tables. This group consists of the
matrixControlTable, the matrixSDTable and the matrixDSTable.
2.3.8. The Filter Group
The filter group allows packets to be matched by a filter equation.
These matched packets form a data stream that may be captured or may
generate events. This group consists of the filterTable and the
2.3.9. The Packet Capture Group
The Packet Capture group allows packets to be captured after they
flow through a channel. This group consists of the
bufferControlTable and the captureBufferTable, and requires the
implementation of the filter group.
2.3.10. The Event Group
The event group controls the generation and notification of events
from this device. This group consists of the eventTable and the
3. Control of Remote Network Monitoring Devices
Due to the complex nature of the available functions in these
devices, the functions often need user configuration. In many cases,
the function requires parameters to be set up for a data collection
operation. The operation can proceed only after these parameters are
fully set up.
Many functional groups in this MIB have one or more tables in which
to set up control parameters, and one or more data tables in which to
place the results of the operation. The control tables are typically
read-write in nature, while the data tables are typically read-only.
Because the parameters in the control table often describe resulting
data in the data table, many of the parameters can be modified only
when the control entry is invalid. Thus, the method for modifying
these parameters is to invalidate the control entry, causing its
deletion and the deletion of any associated data entries, and then
create a new control entry with the proper parameters. Deleting the
control entry also gives a convenient method for reclaiming the
resources used by the associated data.
Some objects in this MIB provide a mechanism to execute an action on
the remote monitoring device. These objects may execute an action as
a result of a change in the state of the object. For those objects
in this MIB, a request to set an object to the same value as it
currently holds would thus cause no action to occur.
To facilitate control by multiple managers, resources have to be
shared among the managers. These resources are typically the memory
and computation resources that a function requires.
3.1. Resource Sharing Among Multiple Management Stations
When multiple management stations wish to use functions that compete
for a finite amount of resources on a device, a method to facilitate
this sharing of resources is required. Potential conflicts include:
o Two management stations wish to simultaneously use
resources that together would exceed the capability of
o A management station uses a significant amount of
resources for a long period of time.
o A management station uses resources and then crashes,
forgetting to free the resources so others may
A mechanism is provided for each management station initiated
function in this MIB to avoid these conflicts and to help resolve
them when they occur. Each function has a label identifying the
initiator (owner) of the function. This label is set by the
initiator to provide for the following possibilities:
o A management station may recognize resources it owns
and no longer needs.
o A network operator can find the management station that
owns the resource and negotiate for it to be freed.
o A network operator may decide to unilaterally free
resources another network operator has reserved.
o Upon initialization, a management station may recognize
resources it had reserved in the past. With this
information it may free the resources if it no longer
Management stations and probes should support any format of the owner
string dictated by the local policy of the organization. It is
suggested that this name contain one or more of the following: IP
address, management station name, network manager's name, location,
or phone number. This information will help users to share the
resources more effectively.
There is often default functionality that the device or the
administrator of the probe (often the network administrator) wishes
to set up. The resources associated with this functionality are then
owned by the device itself or by the network administrator, and are
intended to be long-lived. In this case, the device or the
administrator will set the relevant owner object to a string starting
with 'monitor'. Indiscriminate modification of the monitor-owned
configuration by network management stations is discouraged. In
fact, a network management station should only modify these objects
under the direction of the administrator of the probe.
Resources on a probe are scarce and are typically allocated when
control rows are created by an application. Since many applications
may be using a probe simultaneously, indiscriminate allocation of
resources to particular applications is very likely to cause resource
shortages in the probe.
When a network management station wishes to utilize a function in a
monitor, it is encouraged to first scan the control table of that
function to find an instance with similar parameters to share. This
is especially true for those instances owned by the monitor, which
can be assumed to change infrequently. If a management station
decides to share an instance owned by another management station, it
should understand that the management station that owns the instance
may indiscriminately modify or delete it.
It should be noted that a management application should have the most
trust in a monitor-owned row because it should be changed very
infrequently. A row owned by the management application is less
long-lived because a network administrator is more likely to re-
assign resources from a row that is in use by one user than from a
monitor-owned row that is potentially in use by many users. A row
owned by another application would be even less long-lived because
the other application may delete or modify that row completely at its
3.2. Row Addition Among Multiple Management Stations
The addition of new rows is achieved using the method described in
RFC 1212 . In this MIB, rows are often added to a table in order
to configure a function. This configuration usually involves
parameters that control the operation of the function. The agent
must check these parameters to make sure they are appropriate given
restrictions defined in this MIB as well as any implementation
specific restrictions such as lack of resources. The agent
implementor may be confused as to when to check these parameters and
when to signal to the management station that the parameters are
invalid. There are two opportunities:
o When the management station sets each parameter object.
o When the management station sets the entry status object
If the latter is chosen, it would be unclear to the management
station which of the several parameters was invalid and caused the
badValue error to be emitted. Thus, wherever possible, the
implementor should choose the former as it will provide more
information to the management station.
A problem can arise when multiple management stations attempt to set
configuration information simultaneously using SNMP. When this
involves the addition of a new conceptual row in the same control
table, the managers may collide, attempting to create the same entry.
To guard against these collisions, each such control entry contains a
status object with special semantics that help to arbitrate among the
managers. If an attempt is made with the row addition mechanism to
create such a status object and that object already exists, an error
is returned. When more than one manager simultaneously attempts to
create the same conceptual row, only the first will succeed. The
others will receive an error.
When a manager wishes to create a new control entry, it needs to
choose an index for that row. It may choose this index in a variety
of ways, hopefully minimizing the chances that the index is in use by
another manager. If the index is in use, the mechanism mentioned
previously will guard against collisions. Examples of schemes to
choose index values include random selection or scanning the control
table looking for the first unused index. Because index values may
be any valid value in the range and they are chosen by the manager,
the agent must allow a row to be created with any unused index value
if it has the resources to create a new row.
Some tables in this MIB reference other tables within this MIB. When
creating or deleting entries in these tables, it is generally
allowable for dangling references to exist. There is no defined
order for creating or deleting entries in these tables.
The following conventions are used throughout the RMON MIB and its
Good packets are error-free packets that have a valid frame length.
For example, on Ethernet, good packets are error-free packets that
are between 64 octets long and 1518 octets long. They follow the
form defined in IEEE 802.3 section 3.2.all.
Bad packets are packets that have proper framing and are therefore
recognized as packets, but contain errors within the packet or have
an invalid length. For example, on Ethernet, bad packets have a
valid preamble and SFD, but have a bad CRC, or are either shorter
than 64 octets or longer than 1518 octets.