Monitoring a link with SNMP

and learn some wimpy shell scripting too


SNMP is an age-old network monitoring system. Many types of network equipment can be configured to provide SNMP information when asked. There are many sorts of information SNMP provides; here are but a few of the useful ones.

My objective was to use SNMP to monitor how much information was going through our router in a given period. Being in the internet service provider business, this is a nice thing to know. We want to watch its use and determine when we need to order a larger connection, and what sort of connection we will need without fear of it being overloaded. Other people might use SNMP as a primary warning system to alert them of network errors or failures. Perhaps you too would like to accumulate information about how many bytes per minute your link to the outside world is handling?

Most routers support SNMP, and workstations can too, if they run the SNMP daemon, snmpd.

SNMP tools are freely available on the internet. Other companies make expensive (hundreds or thousands of dollars) complete monitoring systems which have pretty icons and pager support and other things. We won't make a judgement about which path is better for you, but some powerful and interesting things can be done with these freely available SNMP utilities, and they are definitely worth exploring.

Sunsite has some snmp software you might pick up with this link. ftp://sunsite.unc.edu/pub/Linux/system/network/admin/

Here is a typical snmp "snapshot" of the router that connects our company to the internet. This particular piece of networking equipment gave us 46K of valuable information about it. A program called "snmpwalk" generated this listing. You should use snmpwalk to learn exactly what information your network equipment is able to provide.

Here is the syntax I used to generate the above link (entropy is the name of the router I am monitoring). To learn more about snmpwalk, read the manpage.

snmpwalk -v 1 entropy public

Once we've determined what information we want to obtain from the router, we can ask for that specific datum with the "snmpget" utility.

Here is the syntax I used to find out how much information was coming into our network from the internet. By looking over the results of snmpwalk, we determined that interface3 on our router was the link to our provider. To learn more about snmpget, read the manpage.

snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3

About a second later, the program returned "291713461" along with some other stuff. That is the number of bytes since the unit was powered up, or since the "scale was flipped" (the counter wrapped around to zero) if your equipment runs for long lengths of time like ours does. This number alone is useless, so we'll do the same again in 60 seconds and compare the two. A simple script to do this would look like so:

#!/bin/bash
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3
sleep 59s
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3

This would print out a reading, and then about 60 seconds later print out another reading. This does what we asked it to do, but the smarter the programmer is, the worse (s)he is at doing simple subtraction and other 3rd-grade-level computations.


A starting point

Let's let Linux's bash shell do that for us. While we're at it, let's get the information about interface 5 as well. Interface 5 is a circuit we have going to another POP, which "jjs" operates. Interface 3, once again, is a fractional T1 (384k) to our upstream provider. First I'll show my first revision of the script and then explain it.

#!/bin/bash
date

snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3 |cut -b43-70 >3.in
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.3 |cut -b44-70 >3.out
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.5|cut -b44-70 >5.in
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.5|cut -b44-70 >5.out

sleep 53s

echo in 60 seconds:
echo $[`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3 |cut -b43-70` - `cat 3.in`] octets were consumed by midcoast internet
echo $[`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.3 |cut -b44-70` - `cat 3.out`] octets were generated by midcoast internet
echo $[`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.5|cut -b44-70` - `cat 5.in`] octets were generated by jjs
echo $[`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.5|cut -b44-70` - `cat 5.out`] octets were consumed by jjs
date

What we did on the first snmpget line was pipe the output of the snmpget command into "cut". Cut is a unix program for chopping up a line of text. We used cut to chop off the description that snmpget gave us and keep the number, which we determined would start at character 43 and would end well before character 70 on that line of text. This reduced the output of snmpget to a simple number, which we directed into a new file named 3.in with the > sign.

We also retrieved information about the output on interface3, and information about the input and the output on interface 5.


Some basic UNIX

The "shell script" is a simple text file as shown, saved as normal text to the disk. Then we changed the permissions on the file to make it executable. You might "chmod a+rx file" to make "file" an executable program.

The sleep 53s command makes the program pause for 53 seconds.

echo echoes stuff to the screen.

date displays the date.

`command`: putting a single left quote (backtick) on both sides of a command lets you do a thing called process substitution (the bash manual calls this form command substitution). It evaluates the command, and you can use the output anywhere you want. Here's a good example you can try at the unix prompt:

whoami
echo `whoami` is cool

Here is what I got:

Script started on Tue May 14 19:43:05 1996
$ whoami
jp

$ echo `whoami` is cool
jp is cool

Script done on Tue May 14 19:43:21 1996

Now you know how the all-important process substitution can work.


Fun with math in bash:


echo $[A + B]
will add up A and B and display the result. You can also nest them to do all sorts of cool basic math:
echo $[ (A +B) / 60]
will add A and B and then divide the result by 60, and display the result.


Second Revision of the script

Here, we nested some of the math as in the second math example, so that the computer converts bytes per minute into the more useful bytes per second.

#!/bin/bash
date

snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3 |cut -b43-70 >3.in
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.3 |cut -b44-70 >3.out
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.5|cut -b44-70 >5.in
snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.5|cut -b44-70 >5.out

sleep 53s

echo in 1 second, based on a 60 second average: 
echo $[ (`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.3 |cut -b43-70` - `cat 3.in`)   / 60 ] bytes were consumed by midcoast internet
echo $[ (`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.3 |cut -b44-70` - `cat 3.out`) / 60 ] bytes were generated by midcoast internet
echo $[ (`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifInOctets.5|cut -b44-70` - `cat 5.in`)    / 60 ] bytes were generated by jjs
echo $[ (`snmpget -v 1 entropy public interfaces.ifTable.IfEntry.ifOutOctets.5|cut -b44-70` - `cat 5.out`)  / 60 ] bytes were consumed by jjs
date

Here are the results:

Tue May 14 19:51:41 EDT 1996
in 1 second, based on a 60 second average:
19757 bytes were consumed by midcoast internet
12660 bytes were generated by midcoast internet
5818 bytes were generated by jjs
4949 bytes were consumed by jjs
Tue May 14 19:52:52 EDT 1996
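
An added example, not part of the original article: the same subtract-and-divide calculation as shell functions that pick the counter out of snmpget's output by field instead of by fixed byte columns, and that correct for the 32-bit counter wrapping between the two readings. The function names and sample lines are constructed for illustration, and it assumes the counter value is the last field on the line.

```shell
#!/bin/bash
# Added example: function names and sample lines are constructed for illustration.

# Print the counter value from one line of snmpget output.
# Assumption: the value is the last whitespace-separated field on the line.
parse_counter() {
    value=$(printf '%s\n' "$1" | awk '{ print $NF }')
    case $value in
        ''|*[!0-9]*) echo "no counter in: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$value"
}

# octet_rate OLD NEW SECONDS -> average bytes per second over the interval.
# ifInOctets/ifOutOctets are 32-bit counters, so a NEW reading smaller than
# OLD means the counter wrapped past 2^32 once (or the device restarted).
octet_rate() {
    old=$1 new=$2 seconds=$3
    if [ "$seconds" -le 0 ]; then
        echo "interval must be positive" >&2; return 1
    fi
    delta=$(( new - old ))
    if [ "$delta" -lt 0 ]; then
        delta=$(( delta + 4294967296 ))
    fi
    echo $(( delta / seconds ))
}

# Constructed readings taken 60 seconds apart, in two output styles.
first='interfaces.ifTable.IfEntry.ifInOctets.3 = 291713461'
second='IF-MIB::ifInOctets.3 = Counter32: 292898881'

a=$(parse_counter "$first") && b=$(parse_counter "$second") &&
    echo "$(octet_rate "$a" "$b" 60) bytes per second in on interface 3"

# A wrapped counter: the second reading is numerically smaller than the first.
echo "$(octet_rate 4294960000 52704 60) bytes per second across a wrap"
```

A reading that is not a number (for example an error message from snmpget) makes parse_counter return non-zero, so the arithmetic is never run on garbage.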

The Results

This is just what we're looking for! A 384k link can transfer data at about 40,000 bytes per second, so we're at half capacity in normal operation. Figuring in that our provider has probably oversold his bandwidth a bit, we should be looking for more soon.

Luckily, we will be upgraded to full T1 in 3 weeks, which can carry 150,000 bytes per second maximum. If you have a 56k link, it can typically carry 6000 bytes per second maximum. T1s and 56ks have separate send and receive channels, so it is possible to send data both ways at the same time. If you have to upgrade your link, be ready to order it a few months in advance. Keeping track of how your requirements grow over time can help you predict when an upgrade is necessary.

To monitor a modem, you would run snmpd on the linux box containing the modem, and would gather information about whatever interface snmpd chooses for ppp0 or whatever your modem is.

You might also want to use SNMP software to measure the usage of the eth0 (ethernet) interface on your Linux boxes or other workstations running snmpd to see which carry the most traffic.


jp@midcoast.com
Jason Philbrook