Network Performance Monitoring

The first step in performance analysis is figuring out what to monitor. It starts with identifying the hardware devices themselves. If the specific devices are already known, skip to the next section.

Let's start with an example on how to determine the physical devices to monitor.

Once we have narrowed down the devices we are interested in monitoring, we need to determine the pieces of information that are available and useful to us. On a network router, the most useful piece of information is usually the amount of traffic moving through it. Each device has variations of the same basic questions: "What is the demand for resources?" and "What is the availability of resources?" For example, How many jobs are being printed per minute (demand)? How many jobs can be printed per minute (availability)?

Let's start making some lists of the basic, most useful information to gather for common devices. For network routers this means network traffic. How much data is coming in and how much is going out and on which interfaces?

For servers there are four key areas which are the most common performance bottlenecks:

When a server is performing slowly, it usually is not because the whole system is slow. It is much more probable that there is a performance bottleneck somewhere that is causing the whole operation to be slow. Just like a chain is only as strong as the weakest link, a system is only as fast as its slowest component.

A system with an insufficient amount of memory will spend lots of time writing to the disk in order to service all of its requests. While memory on disk is plentiful, it is also at least 100,000 times slower (nano vs milli), which can drastically reduce a systems apparent performance. In such a case, simply adding more memory can bring the system up to it's expected operating speed. This is one potential reason for the slow performance of our small office example. Monitoring memory usage would tell us for sure.

These four are the corner stone. Beyond them, server performance is based upon the application coding and configuration. For instance with all databases, proper indexing is crucial for even adequate, and especially, good performance.

Now that we've covered the basic ideas and devices, we will move on to other general topics before narrowing our focus. Refer to the appendix for comprensive lists of the most useful information to monitor for common devices. Please email me with any suggestions for these lists.

Even with our small office example one can see how monitoring can produce a lot of data. Imagine tracking the input and output rates from one switch for 20 computers, input and output from the dsl router, cpu/disk/memory/network stats from the server every few minutes and entering the values into a spreadsheet for graphing. Obviously this is ridiculous for a human to do. What if we worked in a large office environment with 1000 workstations, 50 servers, 5 locations and 15 routers? Fortunately there are two technologies that exist in order to help us with monitoring.

Net-SNMP, previously known as UCD-SNMP, is the primary open source tool set for working with SNMP on Unix systems. The tools within this distrubtion that we are mainly interested in are snmpwalk, snmpget and snmpd.

Snmpwalk will connect to an SNMP enabled device and retrieve a listing of available variables. Once we have this we can determine the individual datum that we want to monitor. Note that vishnu is the name of my computer.

    # snmpwalk -c monitor vishnu
    
    SNMPv2-MIB::sysDescr.0 = STRING: FreeBSD vishnu.adaptableit.com 5.2.1-RELEASE-p4...
    SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.255
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33494608) 3 days, 21:02:26.08
    SNMPv2-MIB::sysContact.0 = STRING: root@adaptableit.com
    SNMPv2-MIB::sysName.0 = STRING: vishnu.adaptableit.com
    SNMPv2-MIB::sysLocation.0 = STRING: home
    SNMPv2-MIB::sysServices.0 = INTEGER: 12
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
    ...
    

The next utility, snmpget, is used to retreive the value of a particular variable. Let's say we saw IF-MIB::ifInOctets.1 = Counter32: 225802189 in the snmpwalk listing and wanted to monitor it. We can use snmpget to request the value for this one variable.

    # snmpget -c monitor -Oqv vishnu IF-MIB::ifInOctets.1
    
    225873290
     

This variable is from the interface message information block (IF-MIB) and is a 32-bit counter (Counter32, meaning maximum of 4.3 billion) of the number of bytes input (InOctets) to interface (if) 1 (.1). The basic usage is snmpget device password OID where OID can be a textual or numeric description of a variable. Password, also called a community name, is defined by the snmp enabled device. With the first version of snmp, the community name provided a rudimentary password authentication scheme. It is not secure and is useful only for read only monitoring of non-sensitive data.

The final utility is snmpd. This is the daemon component of the Net-SNMP package that allows us to start making system information available to the network. We can configure the daemon by editing the snmpd.conf configuration file or using the snmpconf utility. The snmpconf utility will generate an snmpd.conf file in the current directory. This file then needs to be moved. Depending on the platform, snmpd will expect to find snmpd.conf in various locations. Refer to the man page to figure out where it goes.

Here is a a sample snmpd.conf file. This configuration tells the server to provide read only SNMPv1 statistics to the community name monitor and only to the localhost. Change 'localhost' to the name of the computer running cacti, if the monitor and monitored are different systems.

    # rocommunity: a SNMPv1/SNMPv2c read-only access community name
    #   arguments:  community [default|hostname|network/bits] [oid]
    rocommunity	    monitor localhost
    # syslocation: String with the location of the system
    syslocation	    home
    syscontact	    root@adaptableit.com
    # Describes a system that does IP, TCP and SMTP (12 if no SMTP)
    sysservices	    76
    # Monitor capacity utilization of all disks
    includeAllDisks 5%
    # Run remote scripts

Once this file is in place, start the daemon and use snmpwalk to make sure values can be retreived from it.

snmpd.conf extract
    exec echotest /bin/echo hello world

    # snmpwalk -c monitor vishnu 1.3.6.1.4.1.2021.8
    
    UCD-SNMP-MIB::extIndex.1 = INTEGER: 1
    UCD-SNMP-MIB::extNames.1 = STRING: echotest
    UCD-SNMP-MIB::extCommand.1 = STRING: /bin/echo hello world
    UCD-SNMP-MIB::extResult.1 = INTEGER: 0
    UCD-SNMP-MIB::extOutput.1 = STRING: hello world
    UCD-SNMP-MIB::extErrFix.1 = INTEGER: 0
    UCD-SNMP-MIB::extErrFixCmd.1 = STRING: 
    

/opt/snmp/bin/pageouts.sh
    #!/bin/sh

    /usr/bin/vmstat -s |\
     /usr/bin/grep "swap pager pages paged out" |\
     /usr/bin/awk '{print $1}'

/opt/snmp/bin/pageins.sh
    #!/bin/sh

    /usr/bin/vmstat -s |\
     /usr/bin/grep "swap pager pages paged in" |\
     /usr/bin/awk '{print $1}'

snmpd.conf extract
    exec pageouts /opt/snmp/bin/pageouts.sh
    exec pageins /opt/snmp/bin/pageins.sh

    # ./pageouts.sh 
    
    4533
    
    # ./pageins.sh 
    
    667
    
    # snmpwalk -c monitor vishnu 1.3.6.1.4.1.2021.8
    
    UCD-SNMP-MIB::extIndex.1 = INTEGER: 1
    UCD-SNMP-MIB::extIndex.2 = INTEGER: 2
    UCD-SNMP-MIB::extNames.1 = STRING: pageouts
    UCD-SNMP-MIB::extNames.2 = STRING: pageins
    UCD-SNMP-MIB::extCommand.1 = STRING: /opt/snmp/bin/pageouts.sh
    UCD-SNMP-MIB::extCommand.2 = STRING: /opt/snmp/bin/pageins.sh
    UCD-SNMP-MIB::extResult.1 = INTEGER: 0
    UCD-SNMP-MIB::extResult.2 = INTEGER: 0
    UCD-SNMP-MIB::extOutput.1 = STRING: 4533
    UCD-SNMP-MIB::extOutput.2 = STRING: 667
    UCD-SNMP-MIB::extErrFix.1 = INTEGER: 0
    UCD-SNMP-MIB::extErrFix.2 = INTEGER: 0
    UCD-SNMP-MIB::extErrFixCmd.1 = STRING: 
    UCD-SNMP-MIB::extErrFixCmd.2 = STRING: 
    

MRTG was originally written by Tobias Oetiker and has had many contributions from others. This program is still widely used today for the purpose it was designed for: to graph network traffic. MRTG is a complete package, requiring no additional software. It handles data retreival from SNMP sources, round robin database creation and storage, graphing and comes with scripts for web page creation. MRTG runs on both Unix and Windows platforms.

This program works great and is very easy to install. On the MRTG site there are tutorials that walk one through setting it up for ones platform. The basic procedure is: compile, install, run a configuration script for the device, then put mrtg in cron to run every 5 minutes. That's it!

Sample MRTG daily graph for an internet router interface.

RRDTool is the next generation of MRTG, written by the same author. Tobias says it is not a replacement, but another tool used for additional purposes or even in combination with MRTG. RRDTool is of course built off of the same Round Robin Database technology. One main difference between MRTG and RRDTool is that the former collects, stores and graphs, whereas RRDTool only stores and graphs. Another key difference between the two is that RRDTool has a lot more flexibility with what it stores and what it graphs, allowing it to be used for more applications.

RRDTool has a lot of options which makes it very poweful, but comes with the cost of a steep learning curve. We'll skim over some of the basic usage before moving on. My purpose is just to give an overview of how rrdtool works.

Recall that I wrote RRDTool does not have an SNMP collector. This is actually a feature. We need to provide rrdtool with the values, which means they don't necessarily need to come from SNMP. We could store the amount of disk space a users home directory takes up. We could ping a remote office's router and store the response time. Still a further use could be storing the values of CPU temperature. Because of this, many projects have been developed to create front-end collection systems for rrdtool. We will look at one in the next section.

To store information, first we must define and create our database. The following command creates a database (bandwidth.rrd) which starts now (N). It has two data sources (DS) named 'in' and 'out'. Both are of data type COUNTER and will expect values every 300 seconds (5 minutes) with no minimum or maximum values (U:U - unknown). Finally, a round robin archive (RRA - the actual data tables) will be created for each data source by averaging the values received. Each data point is made from 1 sample. The table will store the last 432 entries. The 0.5 is safe to ignore for now.

    # rrdtool create bandwidth.rrd \
	--start N \
	DS:in:COUNTER:300:U:U \
	DS:out:COUNTER:300:U:U \
	RRA:AVERAGE:0.5:1:432

When creating the database, we have four types of datasources (DS). They are applicable to different things we wish to monitor.

Inbound network bytes is a good example of a counter, which always increases. We don't want the graph to keep going up and up. We only want to see the change per second. This tells us the rate of traffic coming into our interface.

Measuring cpu temperature or the number of people in a room would be done with a gauge. Every time we read the variable, the value is exactly what we want to know.

Derive is also a measurement of change like counter, but it can decrease. If network traffic could somehow be pulled back out of the interface they went in to, thus decreasing our counter this would be the appropriate data type. We can use it to measure the rate at which people enter or leave a room for example.

Finally, absolute is used like a counter, but when the difference has already been calculated by the device. If we have a program that tells us the number of email received since the last time we asked, we could use absolute.

Next are the consolidation functions:

As data ages, it gets overwritten. In common setups just like with MRTG, we have four tables that average daily, weekly, monthly and yearly values. They each use AVERAGE for the consolidation function. Daily requires one sample (5 minutes) to make a mark on the graph. Weekly uses 6 samples (30 minutes) to make one averaged mark. Monthly uses 24 samples (120 minutes). Yearly uses 288 samples (1440 minutes or 1 day).

This means that all four tables grow simultaneously, but at different rates. This consolidation process maintains the highest resolution for the daily graph, meaning a spike in activity shows clearly on that graph. The yearly graph has the lowest resolution. A spike of increased activity for an hour won't be noticable on the yearly graph.

Consolidation is done in a way that retains the important pieces of information and discards the rest. This decreasing resolution occurs based upon what we specify by the consolidation function. Specifying AVERAGE means, take these six 5 minute values and average them down to one 30 minute value. MINIMUM or MAXIMUM means, of these six 5 minute values, store the least or greatest one. LAST means, take the most recent of these six values.

Note again that we are not restricted on making these daily/weekly/monthly/yearly tables. These in fact mean nothing to rrdtool, it is just a useful convention carried from MRTG. We can make as many tables as we want with any consolidation function, any number of steps (samples required to make a data point) and any number of entries in the table.

The next command inserts some values in the database. First they are retrieved with the snmpget commands which we looked at earlier. Then they are fed into the rrdupdate command. rrdupdate is the same command as rrdtool update. N means now. The syntax for this command is: rrdupdate database time:value1:value2:...:valueX were X is the number of data sources.

    # rrdupdate bandwidth.rrd N:\
	`snmpget -v 1 -c monitor -Oqv localhost IF-MIB::ifInOctets.1`:\
	`snmpget -v 1 -c monitor -Oqv localhost IF-MIB::ifOutOctets.1`

We can view the data in a database with the following command. However we must specify the tame frame that we wish to see.

    # rrdtool fetch bandwidth.rrd AVERAGE -s 1083578400 -e 1083580200 
    
			     in                  out

    1083578400: 1.8408015333e+04 5.3690166667e+03
    1083580200: 4.2984583333e+02 3.7534833333e+02
    

The next large block of RRDTool's functionality comes when we wish to make graphs of our data. We can specify the datasources and databases that we want to graph from, select colors, lines, areas, thicknesses and even apply calculations to our data before graphing. The following creates a png graphic of incoming and outgoing bandwidth. Input is graphed as a green area. Output is a blue line. Below the chart we have current and average input/output values printed in bits. The bits were calculated on the fly, because our database stored bytes transfered (CDEF lines). Note that this command creates the following graph, however the above commands do not create the database used.

    /opt/csw/bin/rrdtool graph rrdtool.png \
	--imgformat=PNG \
	--start=-86400 \
	--end=-300 \
	--title="PA Cisco 2611 - Traffic - Et0/0" \
	--rigid \
	--base=1000 \
	--height=120 \
	--width=500 \
	--alt-autoscale-max \
	--lower-limit=0 \
	--vertical-label="bits per second" \
	DEF:a="/opt/cacti/rra/pa_cisco_2611_traffic_in_28.rrd":traffic_in:AVERAGE \
	DEF:b="/opt/cacti/rra/pa_cisco_2611_traffic_in_28.rrd":traffic_out:AVERAGE \
	CDEF:cdefa=a,8,* \
	CDEF:cdeff=b,8,* \
	AREA:cdefa#00CF00:"Inbound"  \
	GPRINT:cdefa:LAST:" Current\:%8.2lf %s"  \
	GPRINT:cdefa:AVERAGE:"Average\:%8.2lf %s"  \
	GPRINT:cdefa:MAX:"Maximum\:%8.2lf %s"  \
	COMMENT:"Total In:  5.75 GB\n"  \
	LINE1:cdeff#002A97:"Outbound"  \
	GPRINT:cdeff:LAST:"Current\:%8.2lf %s"  \
	GPRINT:cdeff:AVERAGE:"Average\:%8.2lf %s"  \
	GPRINT:cdeff:MAX:"Maximum\:%8.2lf %s"  \
	COMMENT:"Total Out: 1.17 GB"  \
	VRULE:1084777200#FF0000:"" 

Sample RRDTool daily graph for an internet router interface.

As one can see, the numerous options provides lots of flexibility but a high learning curve. One may ask what the difference is between the MRTG graph and the RRDTool graph. They are intentionally very close, however soon, if not already, it will be obvious how rrdtool greatly expands our functionality. RRDTool can graph more than two data sources. It can also perform math operations on the fly and graph more than just areas and lines.

Due to the functionality, it can also take a lot of time to setup rrdtool to monitor everything desired unless one is familiar with it and snmp. This is where front ends come in to play. A front end to rrdtool is a package that acts as an interface between the administrator and the rrdtool. Usually by clicking in a web browser, a set of scripts will setup monitoring agents, feed the data into rrdtool and display graphs on demand. The advantage of this is usually an easier setup. It provides a graphical method of using rrdtools features, including dynamic changes to graphs.

Another benefit is that a front end can abstract the graphs from many data points. Imagine that one is monitoring cpu, disk, network and memory statistics for 100 hosts. This means at least 400 different items being monitored and four graphs per data point for daily, weekly, monthly, and yearly RRAs. Such a setup is generating 1600 graphs! A front end can provide an abstraction layer that only displays daily graphs (only 400). A front end could potentially display only CPU graphs above 50% and only disks above 90% capacity.

There are of course downfalls to using front ends. The main being less control and less functionality with rrdtool. Since the administrator is not typing in the commands directly to rrdtool, one is limited by whatever functionality was included in the front end. In most cases, and at least initially for everybody, this is not an issue. Once the administrator starts really understanding rrdtool and its extended functionality then one can think about how to acheive the graphing results desired.

Cacti is a very well done, very asthetic front end for rrdtool. It provides a lot of functionality for rrdtool. Beware of its good looks and graphical interface, it is deceptively complex!

It was very easy to install cacti and start monitoring. However it took some time to figure out how to monitor additional things for which cacti did not provide templates. Work through the installation instructions provided with Cacti. What I will provide here is an overview of functionality and some procedures I discovered for customizing data sources and graphs.

Cacti supports nearly all of the rrdtool functionality, including graph objects like AREA, STACK, LINE[1-3], COMMENT, VRULE, HRULE and GPRINT. It allows dynamic reording and coloring of graph objects, lines up text, provides vertical and title text.

As with rrdtool, cacti allows input to come from SNMP or from local scripts. Data are stored in rrd files automatically and default to daily, weekly, monthly and yearly data stores.

Templates make managing cacti possible. One creates a data gathering template (i.e. for CPU utilization) which can then be applied to any device. One creates a graph template that describes how a data template will look. Any changes to the graph template instantly and automatically propagate out to all graphs on all devices utilizing that graph template. Finally device templates allow one to customize all graphs and data templates for a particular device type such as a cisco router.

Though the number of data sources, graphs and devices can grow quite large, there are a few methods used in Cacti to organize them all. Each section has the ability to filter based on host and/or key word. This allows one to view all data sources for the host vishnu. One can also, say, view only CPU graphs for all hosts. Another method is a tree, which allows one to add hosts and graphs at various locations in a graph tree. This functionality provides both easy navigation and summary pages.

Finally, one feature that may be a requirement for many sites is user access control. Cacti provides a user management facility. Clients can log in and view or customize only the graphs they have permission to view or customize. Users are authenticated either with cacti managed users, or against an ldap server.

# snmpwalk  -c monitor vishnu hrProcessorLoad

HOST-RESOURCES-MIB::hrProcessorLoad.768 = INTEGER: 10

# snmpwalk  -c monitor saraswati hrProcessorLoad
# snmpwalk  -c monitor parvati hrProcessorLoad
# snmpwalk  -c monitor parvati ssCpuRawUser.0

UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 16416716

# snmpwalk  -c monitor parvati ssCpuRawSystem.0

UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 3353705

# snmpwalk  -c monitor parvati ssCpuRawNice.0

UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 94

    # find /opt/cacti/rra -name '*.rrd' -mmin +15 -exec rm {} \;

    # rm `ls -l /opt/cacti/rra/ |grep -v "\`date +"%b %e %H:"\`"|awk '{print $9}'`

TODO:
Walkthroughs: 
    Monitor script data points.
    SNMP/Cacti Indexing
	ability to query, then retreive data based on first query.  (ie query
	number of mount points, then retrieve capacity for all mount points).

Discuss customizations I've made to default graphs:
    vrules
    colors
    load averages - stack to area

Mention errors from cmd.php

Discuss where to find data points:
    CPU Utilization - challenging, ucd/net, Net-snmp custom, Host MIB

Recall those ssCpuRawSystem, ssCpuRawNice, ssCpuRawUser statistics?  Those are
collected by the ucd/net CPU Usage data source and graph templates.  Once these
templates are setup, graphing with them is very easy.

    Load Average  - unix or ucd/net modified from stack to area, removed total
    Process Count - Host MIB
    Real/Swap Memory - custom graph memTotalSwap, memAvailSwap..
    Network traffic in/out - built in cacti
    Disk capacity - Host mib if supports, or ucd (snmpd.conf: includeAllDisks 5%)

Other interesting things:
    snmpwalk -c monitor saraswati memory
    snmpwalk -c monitor saraswati host
    By number .1.3.6.1.4.1.2021.11.51.0 or name
	HOST-RESOURCES-MIB::hrProcessorFrwID.768
    snmptranslate -On HOST-RESOURCES-MIB::hrProcessorFrwID.768
    snmptranslate .1.3.6.1.2.1.25.3.3.1.1.768