Each trap sent from the Distributed Sniffer System to the management console contains nine objects that are all contained within the ngcTrapTable. These objects are identified as belonging to the Network General private enterprises subtree {1.3.6.1.4.1.110}, then are further defined according to Network General's private MIB. For example, the sequence {1.3.6.1.4.1.110.1.1.1.1.1.1.3} identifies the object ngcTrText, which is the third object within the ngcTrapTable. The objects in the ngcTrapTable are:
Object | Description |
---|---|
ngcTrSequence | A counter of the number of NGC alarm traps generated since the agent was last initialized. |
ngcTrId | The application that generated this NGC alarm. |
ngcTrText | An ASCII string describing the NGC alarm condition/cause. |
ngcTrPriority | The priority level as set on the agent for this Class and Type of trap. |
ngcTrClass | The Class number of the described NGC alarm. |
ngcTrType | The Type number of the described NGC alarm. For each application, the alarm numbers will range from 1 to n, where n may increase as future versions of the alarm-generating applications (monitor or analyzer) detect additional network problems. |
ngcTrTime | The time that the condition or event that caused the alarm occurred. This value is given in seconds since 00:00:00 Greenwich mean time (GMT) January 1, 1970. |
ngcTrSuspect | An ASCII string describing the host that caused the NGC alarm. (Note: The current version of Expert Analyzer generates a null string for this field.) |
ngcTrDiagId | An integer identifying the diagnosis that triggered this NGC alarm. |
Trace 7.6 shows seven traps from Frames 106, 144, 237, 252, 267, 318, and 377. (Note that this trace has been filtered to show only the traps; thus, the frame numbers are not sequential.) The cause of each trap is defined by the third object, ngcTrText, which provides an ASCII text string describing the event that the Distributed Sniffer System (DSS) generated. This description starts with <SegEN01>, which is the name of the segment, ring, or link on which the trace was taken. This trace was taken on Ethernet segment number 01. Following the segment name is a textual description of the diagnosis made by the DSS real-time expert system. This description may be followed by one or more addresses and possibly by a current threshold setting that has been exceeded; the description contains as much information for the network manager as can be provided in a single line of text.
The agent sends each trap as an SNMP trap PDU. The PDU header contains the fields shown at the beginning of the trace (Version, Community, Command, Enterprise, and so on). The field labeled Enterprise contains the OID of the product transmitting the trap. The number {1.3.6.1.4.1} represents {iso.org.dod.internet.private.enterprises}. The next number, 110, which was assigned by a central registration authority, represents Network General Corporation. Companies pay for a subtree under enterprises and are granted the right to administer the numbers under this subtree. Network General assigns the rest of the object identifier beyond the 110 in its MIB. The network address of the device sending the trap (the DSS Server) follows the Enterprise number.
The SNMP header also indicates the Generic Trap type. All enterprise-specific traps, such as the seven in this trace, include a Specific Trap field. These are also defined in the MIB extensions. For example, the Specific Trap type in Frame 106 has a value of 1029, which is defined in the MIB as the ngcRouterStorm object, with a textual description.
Each trap then includes the nine values of the objects from the ngcTrapTable. Note that each OID begins with the Network General private enterprises code, plus a suffix that identifies the specific object within the ngcTrapTable. For example, the OID {1.3.6.1.4.1.110.1.1.1.1.1.1.4.1} identifies the first instance of the ngcTrPriority object. Also note that, according to the definition of the ngcTrapEntry object within the NGC MIB, "there is always one entry in the (ngcTrapTable), indexed by the integer value 1," meaning that this is a conceptual table that always has a single column (or just one instance).
Frame 106 (with Specific Trap = 1029) indicates a router storm, where the router identified by IP address [XXX.YYY.3.94] is broadcasting its routing tables too frequently, which wastes bandwidth unnecessarily. The Specific Trap ngcRouterStorm describes the problem: the specified router has reconfirmed one or more of its routes more frequently than seems reasonable.
Frame 144 (with Specific Trap = 1004) shows excessive repeated requests from a station called moon that exceed a threshold set at 30%. Note that the Sniffer correlates that station's IP address with the station name moon, and provides the network manager with the station name instead of the IP address for convenience. The Specific Trap ngcRequestLoops describes the problem: a station is repeating the same application request after receiving an appropriate reply.
Frame 237 (with Specific Trap = 1027) shows route flapping, where one or more routes from the indicated router [XXX.YYY.3.94] are toggling rapidly between valid and invalid. The Specific Trap ngcRouteFlapping describes the problem: the specified router has changed one or more routes from valid to invalid and back too frequently. A similar problem, but coming from other routers, is identified in Frames 267 and 318.
Frame 252 (with Specific Trap = 1028) shows that a router with IP address [XXX.YYY.3.94] has a routing table that is not stabilizing properly. In other words, several routes are rapidly exchanging position as they vie for the best route to a particular destination. The Specific Trap ngcRouteSuperceded describes the problem: the specified router has changed the metrics on one or more routes too frequently. The analyzer makes this diagnosis if any route changes between being the best route to its destination and not being the best route more than three times in one minute.
Lastly, Frame 377 (with Specific Trap = 1010) indicates multiple routers (exceeding the threshold of three in this case) to the station [XXX.YYY.3.94]. The Specific Trap ngcMultipleRouters describes the problem: the number of routers being used to gain access to a local or remote station has exceeded a threshold.
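The trap layout described above can be checked mechanically on the receiving side. The following Python sketch is an added example, not code from the book or from Network General: it validates that a trap's enterprise OID and varbind OIDs fall inside the ngcTrapTable structure, maps the Specific Trap number to the names given above, and decodes ngcTrTime and the segment name in ngcTrText. The function and variable names are hypothetical, the column numbers other than 3 (ngcTrText) and 4 (ngcTrPriority) are assumed to follow the order of the table above, and the sample values are constructed rather than taken from Trace 7.6.

```python
import re
from datetime import datetime, timezone

NGC_ENTERPRISE = "1.3.6.1.4.1.110"                 # from the page
TRAP_ENTRY = NGC_ENTERPRISE + ".1.1.1.1.1.1"       # prefix of ngcTrText's OID on the page
# Columns 3 and 4 are stated on the page; the rest assume the table's listing order.
COLUMNS = {1: "ngcTrSequence", 2: "ngcTrId", 3: "ngcTrText", 4: "ngcTrPriority",
           5: "ngcTrClass", 6: "ngcTrType", 7: "ngcTrTime", 8: "ngcTrSuspect",
           9: "ngcTrDiagId"}
# Specific Trap values named on the page.
SPECIFIC = {1004: "ngcRequestLoops", 1010: "ngcMultipleRouters",
            1027: "ngcRouteFlapping", 1028: "ngcRouteSuperceded",
            1029: "ngcRouterStorm"}

def decode_trap(enterprise, specific, varbinds):
    """Validate and decode one trap; raise ValueError on anything unexpected."""
    if enterprise != NGC_ENTERPRISE and not enterprise.startswith(NGC_ENTERPRISE + "."):
        raise ValueError("enterprise OID outside the Network General subtree")
    out = {"specific": SPECIFIC.get(specific, "unknown(%d)" % specific)}
    for oid, value in varbinds:
        if not oid.startswith(TRAP_ENTRY + "."):
            raise ValueError("varbind outside ngcTrapTable: " + oid)
        suffix = oid[len(TRAP_ENTRY) + 1:].split(".")
        # Exactly <column>.<instance>, and the only instance is 1.
        if len(suffix) != 2 or suffix[1] != "1" or not suffix[0].isdigit():
            raise ValueError("bad column/instance in " + oid)
        col = int(suffix[0])
        if col not in COLUMNS or COLUMNS[col] in out:
            raise ValueError("unknown or repeated column in " + oid)
        out[COLUMNS[col]] = value
    missing = set(COLUMNS.values()) - set(out)
    if missing:
        raise ValueError("missing objects: " + ", ".join(sorted(missing)))
    # ngcTrTime is seconds since 1970-01-01 00:00:00 GMT.
    out["time_utc"] = datetime.fromtimestamp(out["ngcTrTime"], tz=timezone.utc).isoformat()
    # ngcTrText starts with the segment name in angle brackets.
    m = re.match(r"<([^<>]+)>\s*(.*)", out["ngcTrText"])
    out["segment"], out["diagnosis"] = (m.group(1), m.group(2)) if m else (None, out["ngcTrText"])
    return out

# Constructed sample values (not taken from Trace 7.6).
SAMPLE = [(TRAP_ENTRY + ".%d.1" % c, v) for c, v in enumerate(
    [7, 2, "<SegEN01> Router storm (constructed text)", 1, 3, 29, 86400, "", 1029], start=1)]
```

Rejecting varbinds with an unexpected column or an instance other than 1 keeps malformed or unrelated traps out of the alarm log instead of silently mis-labelling them.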