[mrtg] Re: MRTG or SNMP Oddity

Holt Grendal holtor at yahoo.com
Mon Jan 27 17:18:40 MET 2003



Hello all,

I still have this problem and apparently my reply message 
several days ago got rejected due to too much quoting. Since
then I've gathered some more information and it looks like this
is an MRTG problem if you read my original post below.

FYI: In my .cfg I have Options: bits
I turned on debugging when one of these DoS attacks was going
on and here is the data I collected:

From mrtg debug:
--base: Get Current values: 441520471, 58990350, 8 days, 5:50:19, switch-name, 1043682903)

What actually printed in the .log file for the interface:
1043682903 12194264 14227 12194264 14227

From mrtg debug (5 mins after the above one):
--base: Get Current values: 1722929411, 64825171, 8 days, 5:55:19, switch-name, 1043683203)

What actually printed in the .log file for the interface:
1043683203 12194264 19449 12194264 19449


Those numbers captured from snmp and the numbers printed
in the *.log by mrtg do not match. I'm not sure what the units
are but whatever they are you can clearly see the snmp values
changing while the ones printed in the mrtg log do not change.

Does anyone know why this occurs? Does anyone know what units
the values from snmp are? I know in the log it's saved in bits
since I specified that.

Would switching to rrdtool help?

I wasn't able to find anything out of the ordinary in the debug
log. I had almost every option turned on.

Thanks,

Holt

> 
> -----Original Message-----
> From: mrtg-bounce at list.ee.ethz.ch [mailto:mrtg-bounce at list.ee.ethz.ch] On
> behalf of Holt Grendal
> Sent: Monday, January 20, 2003 21:21
> To: mrtg at list.ee.ethz.ch
> Subject: [mrtg] MRTG or SNMP Oddity
> 
> Hello all,
> 
> I'm having a strange problem with our mrtg bandwidth graphs when sudden
> spikes (DoS attacks) occur.
> 
> Let's say we have our usual 24 port switch. Port 1 is getting the main
> feed and there's other servers and what have you connected to the other
> ports.
> 
> Server A on port 10 gets DoS attacked (>20 mbit spike). The problem is
> such:
> 
> I see this 20 mbit spike on the graph of port 1 as incoming. However I
> never see this 20 mbit spike on the graph of Port 10.
> 
> The graph of Port 1 continues to update properly during the DoS attack
> however the graph of port 10 (which is receiving the attack) freezes. By
> "freezes" I mean the graph updates but uses the same data as the
> previous 5 minute run. So for example the mrtg.log would look like:
> 
> 1042963500 5128 1739 5128 1739
> 1042963200 5128 1739 5128 1739
> 1042962900 5128 1739 5128 1739
> 1042962600 5128 1739 5128 1739
> 1042962300 5134 1747 6139 2953
> 1042962000 6140 2965 6322 4774
> 1042961700 6319 4762 6322 4774
> 
> Notice how there was normal traffic patterns up to 1042962300 then
> 1042962600 a DoS attack occurred and the data just froze until the attack
> ended. It doesn't "unfreeze" until the attack ceases.
> 
> Now occasionally the graphs display a spike on the output port. For
> example during a 20 mbps attack the output graph port might display a 1
> mbps spike or so and then "freeze" up using this data until the attack
> ceases.
> 
> I thought this was because we have each port graph running as a separate
> config file (because they output the files to separate
> directories) and they run all at the same time, every 0,5,10,15,etc..
> 
> So I tried to spread this out by leaving some at 0,5,10, etc.. Some at
> 1,6,11,16,etc.., some at 2,8,12,18,etc.. but it did not help either much
> to my dismay.
> 
> Logging into the Cisco switch during the DoS attack and doing
> a "show int" on the involved ports clearly shows the attack going into
> port 1 and out of port 10, in bits/sec and packets/sec.
> 
> I'm beginning to think there is some kind of problem with
> SNMP. Does anyone have any ideas or have seen this type of behavior
> before?
> 
> Thank you,
> 
> Holt G.
> 
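
Added example (not part of the original message or of MRTG): the two debug lines and the two .log lines from the post, checked against each other by dividing the counter delta by the poll interval. The function names are hypothetical and the 32-bit counter width is an assumption, since the post does not say which counters are polled.

```python
# Values copied from the post; WRAP is an assumption (see lead-in).
DEBUG = [
    "--base: Get Current values: 441520471, 58990350, 8 days, 5:50:19, switch-name, 1043682903)",
    "--base: Get Current values: 1722929411, 64825171, 8 days, 5:55:19, switch-name, 1043683203)",
]
LOG = [  # oldest first: time, in, out, max in, max out
    "1043682903 12194264 14227 12194264 14227",
    "1043683203 12194264 19449 12194264 19449",
]
WRAP = 2**32  # assumption: 32-bit SNMP counters

def parse_debug(line):
    """Return (in_counter, out_counter, poll_time) from a 'Get Current values' line."""
    fields = [f.strip(" )") for f in line.split(":", 2)[2].split(",")]
    return int(fields[0]), int(fields[1]), int(fields[-1])

def parse_log(line):
    """Return (time, in_value, out_value) from a .log line."""
    ts, val_in, val_out = line.split()[:3]
    return int(ts), int(val_in), int(val_out)

def per_second(prev, cur, seconds):
    """Counter delta per second (integer division), tolerating one counter wrap."""
    return ((cur - prev) % WRAP) // seconds

def check(debug_lines, log_lines):
    """Classify each direction of the newest log entry as ok, stale or mismatch."""
    (in0, out0, t0), (in1, out1, t1) = (parse_debug(l) for l in debug_lines)
    (_, prev_in, prev_out), (ts, log_in, log_out) = (parse_log(l) for l in log_lines)
    assert ts == t1, "log entry and second poll must share a timestamp"
    result = {}
    for name, c0, c1, prev, logged in (("in", in0, in1, prev_in, log_in),
                                       ("out", out0, out1, prev_out, log_out)):
        expected = per_second(c0, c1, t1 - t0)
        if logged == expected:
            verdict = "ok"
        elif logged == prev:
            verdict = "stale"  # the log repeats the previous entry
        else:
            verdict = "mismatch"
        result[name] = (expected, logged, verdict)
    return result

if __name__ == "__main__":
    for name, (expected, logged, verdict) in check(DEBUG, LOG).items():
        print(f"{name}: counters give {expected}/s, log has {logged} -> {verdict}")
```

On the post's data the second column of the log equals the counter delta per second over the 300-second interval, while the first column repeats the previous entry even though its counter advanced.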
