AVC-Export:Monitoring

From DocWiki

Revision as of 10:18, 11 December 2012 by Jbarozet (Talk | contribs)
Jump to: navigation, search



Contents




Application Name

NBAR Application name provides the information regarding the L7 level information for a particular flow, e.g HTTP, FTP, SIP etc.. There is an ID exported by ART, which explains which application this flow belongs to. The Application-ID is divided into two parts: Engine-ID:Classification-id.

First 8 bits provides the information about engine, which classified this flow. For example: IANA-L4, CANA-L3 etc. The rest of the 24 bits provides information about the application, for example 80 (HTTP) etc. The CLI for this field is:

collect application name


It is exported against FNF field ID 95. It is supported in both the export formats i.e. netflow-v9 and IPFIX. With this CLI, only the application ID would be exported. The application-id would be a number which may not be understood by collector. To resolve this issue, there is an option to export the mapping table between the application ID and the application name. This option is configurable under flow exporter command. Here is the cli:

flow exporter <my-exporter>
 option application-table


If you want to get more information regarding the various attributes of a particular application, you can configure the following option under the flow exporter:

flow exporter <my-exporter>
 option application-attribute


The option command results in periodic export of Network Based Application Recognition (NBAR) application attributes to the collector. The following application attributes are sent to the collector per protocol:

Attribute Description
Category Provides first-level categorization for each application.
Sub-Category Provides second-level categorization for each application.
Application-Group Groups applications that belong to the same networking application.
P2P-Technology Specifies whether the application is based on peer-to-peer technology or not.
Tunnel-Technology Specifies whether the application tunnels the traffic of other protocols or not.
Encrypted Specifies whether the application is an encrypted networking protocol or not. 
 The optional timeout can alter the frequency at which reports are sent.


The following command can be used to display the option tables exported to the collector for application name mapping and attributes:


R9#show flow exporter templates 
Flow Exporter MYEXPORTER:

[SNIP]

Client: Option options application-name
  Exporter Format: IPFIX (Version 10)
  Template ID    : 261
  Source ID      : 0
  Record Size    : 83
  Template layout
  _____________________________________________________________________________
  |                 Field                   |    ID | Ent.ID | Offset |  Size |
  -----------------------------------------------------------------------------
  | APPLICATION ID                          |    95 |        |      0 |     4 |
  | application name                        |    96 |        |      4 |    24 |
  | application description                 |    94 |        |     28 |    55 |
  -----------------------------------------------------------------------------
  Client: Option options application-attributes
  Exporter Format: IPFIX (Version 10)
  Template ID    : 262
  Source ID      : 0
  Record Size    : 130
  Template layout
  _____________________________________________________________________________
  |                 Field                   |    ID | Ent.ID | Offset |  Size |
  -----------------------------------------------------------------------------
  | APPLICATION ID                          |    95 |        |      0 |     4 |
  | application category name               | 12232 |      9 |      4 |    32 |
  | application sub category name           | 12233 |      9 |     36 |    32 |
  | application group name                  | 12234 |      9 |     68 |    32 |
  | p2p technology                          |   288 |        |    100 |    10 |
  | tunnel technology                       |   289 |        |    110 |    10 |
  | encrypted technology                    |   290 |        |    120 |    10 |
  -----------------------------------------------------------------------------

[SNIP]


The following show commands can be used to display NBAR option tables:

  • display all the application ID and the name mapping

R9#show flow exporter option application table

Engine: prot (IANA_L3_STANDARD, ID: 1)

appID  Name                      Description
-----  ----                      -----------
1:8    egp                       Exterior Gateway Protocol
1:47   gre                       General Routing Encapsulation
1:1    icmp                      Internet Control Message Protocol
1:88   eigrp                     Enhanced Interior Gateway Routing Protocol

[SNIP]


  • display the NBAR field extraction format which concatenates App ID|Sub-classification ID|Value

R9#show ip nbar parameter extraction

 Protocol        Parameter            ID
 --------        ---------            --
 smtp            sender               4666370
 smtp            server               4666369
 pop3            server               2176001
 sip             source               4273154
 sip             destination          4273153
 nntp            group-name           1848321
 http            referer              209924
 http            user-agent           209923
 http            host                 209922
 http            url                  209921
R9#


PA Metrics

PA provides the basic metrics for both TCP and UDP protocols and for both IPv4 and IPv6. Some of the metrics are dynamically exported in the form of the delta value for the interval. These include the client/server bytes and packets metrics. In addition, PA server/client bytes/packets metrics are for layer-3 measurements and in a TCP flow are counted up to the second FIN. The rest of the metrics are relatively static and remain the same across different export intervals.

PA keeps exporting the measurements as long as the flow stays active. As a consequence, the collector might occasionally observe zero values for dynamic metrics such as the client/server bytes/packets. For all the UDP flows, the TCP related metrics such as ART metrics would be zero. Another note for the Input/Output interface metrics is that these are corresponding to the interface from which the flow enters/leaves the box.

All the PA metrics can be exported either through Netflow v9 or IPFIX protocol. PA metrics are summarized below.


Field Name Export ID CLI Description
Application ID 95 collect application name exports application ID field (coming from NBAR2) to reporting tool.
Client Bytes 1 collect counter client bytes Total bytes sent by initiator of the connection. Counted up to the second FIN if for a TCP flow.
Client Packets 2 collect counter client packets Total packets sent by initiator of the connection. Counted up to the second FIN if for a TCP flow.
Interface Input 10 collect interface input Interface name from which flow is entering the box.
Interface Output 14 collect interface output Interface name from which flow is exiting out the box.
Server Bytes 23 collect counter server bytes Total bytes sent by responder of the connection. Counted up to the second FIN if for a TCP flow.
Server Packets 24 collect counter server packets Total packets sent by responder of the connection. Counted up to the second FIN if for a TCP flow.
Datalink Mac Source Address Input 56 collect datalink mac source address input MAC address of source device from Input side
IPv4 DSCP 195 collect ipv4 dscp IPv4 DSCP value
IPv6 DSCP 195 collect ipv6 dscp IPv6 DSCP value


ART Metrics


Field Name Export ID CLI Description
Client Network Time [sum/min/max]
  • 42084 (sum)
  • 42085 (max)
  • 42086 (min)
  • collect art client network time sum
  • collect art client network time minimum
  • collect art client network time maximum
The round trip time between SYN-ACK & ACK and also called Client Network Delay (CND). CND = T8 – T5
Server Network Time [sum/min/max]
  • 42087(sum)
  • 42088(max)
  • 42089(min)
  • collect art server network time sum
  • collect art server network time minimum
  • collect art server network time maximum
The round trip time between SYN & SYN-ACK and also called Server Network Delay (SND).

SND = T5 - T2

Network Time [sum/min/max]
  • 42081(sum)
  • 42082(max)
  • 42083(min)
  • collect art network time sum
  • collect art network time minimum
  • collect art network time maximum
The round trip time that is the summation of CND and SND. It is also called Network Delay (ND).
Server Response Time [sum/min/max]
  • 42074(sum)
  • 42075(max)
  • 42076(min)
  • collect art server response time sum
  • collect art server response time minimum
  • collect art server response time maximum
The time taken by an application to respond to a request. It is also called Application Delay (AD) or Application Response Time.
  • AD = RT – SND
  • min_AD = min_RT – sum_SND/no. of sessions
  • max_AD = max_RT – sum_SND/no. of sessions
  • sum_AD = sum_RT – (sum_SND*no. of responses)/no. of sessions
Response Time [sum/min/max]
  • 42071(sum)
  • 42072(max)
  • 42073(min)
  • collect art response time sum
  • collect art response time minimum
  • collect art response time maximum
The amount of time between the Client REQ and the 1st Server RESP. The Client request could contain multiple packets and we consider the time of last received client packet.
Total Response Time [sum/min/max]
  • 42077(sum)
  • 42078(max)
  • 42079(min)
  • collect art total response time sum
  • collect art total response time minimum
  • collect art total response time maximum
The total time taken from the moment the client sends the request until the 1st response packet from the server is delivered to the client. It is also known as Total Delay (TD).
  • TD = RT + CND
  • min_totalDelay = min(min_RT + sum_CND/no. of sessions, responses + min_CND)
  • max_totalDelay = max(max_RT + sum_CND/no. of sessions, sum_RT/no. of responses + max_CND)
  • sum_totalDelay = sum_RT + (sum_CND* No of responses) /no. of sessions.
Total Transaction Time [sum/min/max]
  • 42041(sum)
  • 42042(max)
  • 42043(min)
  • collect art total transaction time sum
  • collect art total transaction time minimum
  • collect art total transaction time maximum
The amount of time between the client request and the final response packet from the server. It is measured and exported on receiving either a new request from client (which indicates end of current transaction) or the first FIN packet.
ART Client Bytes / Packets
  • 231(bytes)
  • 42033(packets)
  • collect art client bytes
  • collect art client packets
Byte & Packet count for all the client packets.
  • ART client/server bytes/packets will be reported when the flow is completed or the first server response packet is received.
  • For long-lived flows, e.g. if flow duration is longer than 2 export cycles, the following behavior is expected
  • client/server bytes/packets will be reported when first server response packet is received;
  • those metrics may not be updated during the intermediate export cycle before flow is completed or transaction ends.
  • During the export cycle when flow is completed, client/server bytes/packets will be updated and reported.
ART Server Bytes / Packets
  • 232(bytes)
  • 42034(packets)
  • collect art server bytes
  • collect art server packets
Byte & Packet count for all the server packets.
  • ART client/server bytes/packets will be reported when the flow is completed or the first server response packet is received
  • For long-lived flows, e.g. if flow duration is longer than 2 export cycles, the following behavior is expected
  • client/server bytes/packets will be reported when first server response packet is received;
  • those metrics may not be updated during the intermediate export cycle before flow is completed.
  • During the export cycle when flow is completed, client/server bytes/packets will be updated and reported.
ART Count New Connections
  • 42050
  • collect art count new connections
Number of TCP sessions established (3-way handshake). It is also called Number of connections (sessions).
ART Count Responses
  • 42060
  • collect art count responses
Number of Req-Rsp pair received within the monitoring interval
Responses histogram buckets (7- bucket histogram))
  • 42061-42067
  • collect art count responses histogram
Number of responses by response time in 7-bucket histogram.
  • Threshold values for 7 buckets are 2, 5, 10, 50, 100, 500, 1000 milliseconds;
  • Bucket 1, response time < 2 milliseconds;
  • Bucket 2, response time is between 2-5 milliseconds;
  • Bucket 3, response time is between 5-10 milliseconds;
  • Bucket 4, response time is between 10-50 milliseconds;
  • Bucket 5, response time is between 50-100 milliseconds;
  • Bucket 6, response time is between 100-500 milliseconds;
  • Bucket 7, response time is between 500 - 1000 milliseconds;
  • If response time is great than 1000 milliseconds, it will be considered as timeout. This response is not considered towards the min/max/sum response time calculation. Nor is it considered for ART packets/bytes metrics calculation.
  • For example, if response time is equal to 9 milliseconds, it will goes to bucket 3;
Art Count Late Responses
  • 42068
  • collect art count late responses
Number of responses received after the max Response Time. Current threshold of timeout is 1 second. Also called Number of late responses (timeouts)
Art Count Transactions
  • 42040
  • collect art count transactions
Total number of Transactions for all TCP connections.
  • A new transaction is counted under any one of the following 3 conditions:
  1. Receiving a data packet from client request while the previous packet state is server response;
  2. Receiving a client FIN packet while the previous packet state is server response;
  3. Receiving a server FIN packet while the previous packet state is server response;
Art Count Retransmissions
  • 42036
  • collect art count retransmissions
Packet count for possible retransmitted packets with the same sequence number as the last received packet. The metric is for client retransmission only.
Art All Metrics
  • N/A
  • collect art all
Single CLI to collect all the ART related metrics in mace. This CLI works as a replacement of all the ART related collect statements in a flow record.


Top Domain, URL Hit Count Report

The list of new NBAR related fields that PA supports 15.2(4)M2 onwards are: 1) HTTPHost 2) URI and URI Statistics



QoS Class-ID, Queue Drops and Queue Hierarchy

The list of new QoS related fields that PA supports 15.2(4)M2 onwards are:

  • The QoS classification hierarchy
  • The QoS queue index
  • The QoS queue drops


Field Name Export ID CLI Description
policy qos classification hierarchy
  • 41000
  • collect policy qos classification hierarchy
Report application class of service hierarchy
policy qos queue index
  • 42128
  • collect policy qos queue drops
Queue Index
policy qos queue drops
  • 42129
  • collect policy qos queue drops
Number of drops in the queue




Rating: 5.0/5 (3 votes cast)

Personal tools