
Exploration for Microsoft Windows

The first entry to fill in is the Host Name field. It is shown in Figure 7.3 with an IP address of 10.0.0.1 (the m0n0wall firewall is used as an example in this section). The Read Community field is set to “public”. This corresponds to the value shown in Figure 7.1 and is the default value for a device, unless you changed it. Once these two settings are correct, you can click the Start button. If Getif successfully communicates with the device, the line of text at the bottom will read “Sysinfo variables OK”, as shown.

Other devices may show more information—for example, the D-Link 900AP+ configured in Figure 7.2 will display information as shown in Figure 7.4 when you enter its IP address and click Start. Notice the SysName, ifNumber, and SysServices fields have been filled in along with some other data.

Once you have basic SNMP connectivity with the device, you’re ready to begin monitoring.

Retrieving Device Interface Information

The next Getif tab is labeled Interfaces. Click this and you’ll see two empty white boxes. Now click the Start button and it will query your device for what network interfaces it supports and replace the empty boxes with (potentially) several rows of data. Figure 7.5 shows the interfaces reported by m0n0wall.

Figure 7.4 Getif Query Results from D-Link 900AP+

A total of seven interfaces are shown. The last three, ppp0, sl0, and faith0, are all shown as down in the admin and oper columns. If your m0n0wall system is running SLIP or PPP, you may see different results here. Interface number 4 is the standard local loopback interface at 127.0.0.1 and can usually be ignored.

The first three interfaces are the most interesting. The Ethernet interface names are sis0 and sis1. Other systems might report eth0 and eth1. These interfaces correspond to the local and WAN Ethernet ports on the m0n0wall device. A clue for which port is which is provided by the IP address column. This column shows that one interface is 10.0.1.1 and the other interface is 69.17.112.245 (the static IP of the WAN Internet connection). Therefore, in this example, sis0 is likely the local Ethernet port and sis1 is likely the WAN Ethernet port. The very first interface is wi0. This corresponds to the wireless radio card in the m0n0wall running at IP 10.0.0.1. On Linux-based systems, this would likely appear as wlan0 or ath0.

What have we achieved so far? Quite a lot! We’re remotely querying our router, m0n0wall in this case, and seeing all the interfaces available along with some basic data about them. Be sure to use the horizontal scroll bar to see what other information is available. Some devices will report the Medium Access Control (MAC) address (sometimes referred to as the “Hardware” or “Ethernet” address) in the phys column, along with the corresponding hardware vendor.

Exploring the SNMP OIDs

So far so good, but what we really want to see is some interface statistics—for example, how much traffic is flowing through each port? To find that information, we need to explore the MIB tree for the device.

1. Click the MBrowser tab, then expand the following entries by clicking the plus (+) sign next to them:

Figure 7.5 m0n0wall Interfaces Reported by SNMP

iso org dod internet mgmt mib-2 interfaces

2. Click the word interfaces (not the sign next to it, which should now be a minus sign “–”) so that it’s highlighted.

3. Click the Start button. The white area immediately below should fill with entries. This is shown in Figure 7.6.

4. We’re almost done. In the bottom window, scroll down until you find the line that begins:

.interfaces.ifTable.ifEntry.ifInOctets.1

This shows the hierarchy of the MIB tree starting at interfaces (.interfaces), stepping through a table of all the interfaces (ifTable), then displaying each individual interface entry (ifEntry), followed finally by a specific value for that interface, reported as the number of incoming octets of data (ifInOctets). To the right of that is the actual number of octets received so far.

If you click other items in this lower window, the upper window will update and more

Figure 7.6 Browsing the m0n0wall MIB Tree to Find Interface Statistics
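As an added illustration (not Getif's code, nor anything from the m0n0wall project), the Python below shows what is behind the line you just located: it resolves the symbolic path .interfaces.ifTable.ifEntry.ifInOctets.1 to its numeric OID (1.3.6.1.2.1.2.2.1.10.1), BER-encodes the SNMPv1 GetRequest that Getif sends for it with the “public” community string, and decodes the agent's GetResponse. The MIB name table is a hand-written subset of MIB-2 (RFC 1213) and the reply is constructed with the same helpers rather than captured from a device; only the standard library is used.

```python
"""Anatomy of one "canned" SNMP query: symbolic MIB path -> numeric OID ->
BER-encoded SNMPv1 GetRequest, and decoding of the GetResponse.
Added illustration for this chapter, not Getif's code. The MIB subset and
the reply bytes are constructed by hand; standard library only."""

# Arc numbers below mib-2 (RFC 1213) for the names this chapter uses. A real MIB
# is a tree; a flat name->arc map suffices here because these names are unique.
MIB2_PREFIX = (1, 3, 6, 1, 2, 1)          # iso.org.dod.internet.mgmt.mib-2
MIB2_ARCS = {
    "system": 1, "sysName": 5, "sysServices": 7,
    "interfaces": 2, "ifNumber": 1, "ifTable": 2, "ifEntry": 1,
    "ifIndex": 1, "ifDescr": 2, "ifPhysAddress": 6, "ifAdminStatus": 7,
    "ifOperStatus": 8, "ifInOctets": 10, "ifOutOctets": 16,
}

def resolve(path):
    """'.interfaces.ifTable.ifEntry.ifInOctets.1' -> (1,3,6,1,2,1,2,2,1,10,1).
    Bare numbers (the instance index, i.e. the interface number) pass through."""
    arcs = list(MIB2_PREFIX)
    for part in path.strip(".").split("."):
        arcs.append(int(part) if part.isdigit() else MIB2_ARCS[part])
    return tuple(arcs)

# --- minimal BER, the encoding SNMP uses on the wire -----------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def int_body(v):
    """Minimal two's-complement bytes; a leading 0x00 keeps big positives positive."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)

def encode_oid(arcs):
    """First two arcs share one byte (40*x+y); later arcs are base-128, MSB first."""
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) with one varbind whose value is NULL."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")
    pdu = tlv(0xA0, tlv(0x02, int_body(request_id)) + tlv(0x02, int_body(0))
              + tlv(0x02, int_body(0)) + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, int_body(0)) + tlv(0x04, community.encode()) + pdu)

def make_response(community, oid, counter, request_id=1):
    """Constructed GetResponse (PDU tag 0xA2) carrying a Counter32 (tag 0x41),
    the shape an agent answers the request above with. Demo data, not captured."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x41, int_body(counter)))
    pdu = tlv(0xA2, tlv(0x02, int_body(request_id)) + tlv(0x02, int_body(0))
              + tlv(0x02, int_body(0)) + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, int_body(0)) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)

def decode_response(msg):
    """Return (oid, value) from the first varbind of a GetResponse. INTEGER (0x02),
    Counter32 (0x41), Gauge32 (0x42) and TimeTicks (0x43) become int; else bytes."""
    _, body, _ = read_tlv(msg)                 # outer SEQUENCE
    _, _, pos = read_tlv(body)                 # version (0 = SNMPv1)
    _, _, pos = read_tlv(body, pos)            # community string, plain text
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("expected GetResponse, got tag 0x%02x" % tag)
    _, _, pos = read_tlv(pdu)                  # request-id
    _, err, pos = read_tlv(pdu, pos)           # error-status: 0 means noError
    if int.from_bytes(err, "big", signed=True):
        raise ValueError("agent reported an error-status")
    _, _, pos = read_tlv(pdu, pos)             # error-index
    _, vbl, _ = read_tlv(pdu, pos)             # varbind list
    _, vb, _ = read_tlv(vbl)                   # first varbind
    _, oid, pos = read_tlv(vb)
    vtag, val, _ = read_tlv(vb, pos)
    if vtag in (0x02, 0x41, 0x42, 0x43):
        return decode_oid(oid), int.from_bytes(val, "big", signed=True)
    return decode_oid(oid), val

if __name__ == "__main__":
    oid = resolve(".interfaces.ifTable.ifEntry.ifInOctets.1")
    print("OID", ".".join(map(str, oid)), "request", get_request("public", oid).hex())
    print("decoded", decode_response(make_response("public", oid, 3000000000)))
```

Two things the bytes make visible: the request for one interface's counter is only 42 bytes, and the community string travels as a plain OCTET STRING, so anyone who can see the packet can read it; SNMPv1 has no other authentication, which is why the default “public” matters on a port that is reachable from the WAN side.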

Graphing the Data

Now that we’ve identified the interfaces and data we wish to view, we can tell Getif to build a graph to show what is happening over time.

Continuing from the previous section, find the interface variables you wish to graph. For example, you might wish to show all the traffic data for all interfaces on one graph. To do this, perform the following:

1. Find the data you want in the lower white window pane.

2. Click the Add To Graph button for each line. Getif will automatically move down to the next item when you do this. Therefore, if you click Add To Graph three times, and then find the line

.interfaces.ifTable.ifEntry.ifOutOctets.1

and again click three times, you will end up with six elements being graphed.

3. Select the Graph tab at the top.

4. Click Start and the graph will begin plotting. Figure 7.8 shows a similar graph that has been running for a while. In the middle of the run is a large and then small bump corresponding to first a download and then an upload speed test.

Figure 7.7 Amount of Data Received on Interface 1
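Added example (Python, not Getif's code) of the arithmetic the graph relies on. ifInOctets and ifOutOctets are Counter32 values: they only ever increase, so each plotted point is the difference between successive readings divided by the poll interval, and a reading that is lower than the previous one means the counter wrapped at 2^32. A jump larger than the link could physically carry in that interval is a different case, an agent that restarted, and is best left out of the graph. The readings below are constructed, and the 10 Mbit/s ifSpeed is an assumption.

```python
"""From ifInOctets readings to a throughput series, the arithmetic behind the
Getif graph. Added illustration, not Getif's code; the samples are constructed."""

COUNTER32_MOD = 2 ** 32

# Constructed readings of ifInOctets.1 taken every 5 s: the counter starts close
# to 2^32, wraps between t=5 and t=10, then jumps by more than a 10 Mbit/s link
# could carry in 5 s (an agent reset, not a wrap), and finally settles down.
SAMPLES = [(0, 4294960000), (5, 4294967000), (10, 2000), (15, 50000000), (20, 50001000)]

def counter_delta(prev, cur, modulus=COUNTER32_MOD):
    """Octets transferred between two readings, allowing for one wrap of the counter."""
    return (cur - prev) % modulus

def throughput_series(samples, if_speed_bps=None, modulus=COUNTER32_MOD):
    """samples: list of (seconds, counter). Returns [(seconds, bits_per_second)] for
    each interval between consecutive samples. If if_speed_bps (ifSpeed) is given,
    an interval whose rate exceeds it is reported as None: the counter was reset."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        bps = counter_delta(c0, c1, modulus) * 8 / dt
        out.append((t1, None if if_speed_bps is not None and bps > if_speed_bps else bps))
    return out

def max_safe_interval(link_bps, modulus=COUNTER32_MOD):
    """Longest poll interval (seconds) at which a link running flat out cannot wrap
    a Counter32 twice between polls: the counter must advance less than 2^32."""
    return modulus * 8 / link_bps

if __name__ == "__main__":
    for t, bps in throughput_series(SAMPLES, if_speed_bps=10_000_000):
        print("t=%2ds  %s" % (t, "counter reset" if bps is None else "%.1f bit/s" % bps))
    print("100 Mbit/s link: poll at least every %.0f s" % max_safe_interval(100_000_000))
```

The last function explains why a several-second poll interval is comfortable on the links in this chapter but becomes a problem on faster ones: a 32-bit octet counter on a saturated 100 Mbit/s link wraps roughly every 343 s, and on gigabit every 34 s, after which the modular subtraction silently under-reports.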

Under the Hood: How the Hack Works

The Getif program is doing quite a few things behind the scenes to make this as simple as possible, as will become clear in later sections of this chapter.

First, the opening Parameters tab and the adjacent Interfaces tab have some “canned” SNMP queries which use known OIDs from a standard MIB to fill the screen. This is a convenient shortcut to browsing the MIB tree to find individual values. One of the reasons the m0n0wall and D-Link devices returned different results for SysName and other values is that there is no strict standard for these values, so the “canned” queries worked better for the Linksys device than the (FreeBSD-based) m0n0wall firewall.

The MBrowser tab uses a precompiled MIB which contains all the OID numbers as well as corresponding descriptions of each value. It displays this in hierarchical tree form to make it easier to browse the data. When you click Start in the MBrowser tab, it “walks” the OID tree and queries for the OID values below that point. This also includes filling arrays of values, like data for each interface.
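How that walk proceeds, as an added example (Python, not Getif's code): each GetNext request asks the agent for the first OID that sorts lexicographically after the last one returned, and the walk stops as soon as the answer is no longer under the node you started from. The agent here is a constructed in-memory table with two interfaces standing in for the m0n0wall; the pivot at the end shows how the per-interface rows of the Interfaces tab can be assembled from the walked ifEntry objects.

```python
"""GetNext walk over an OID tree, the operation behind the MBrowser Start button.
Added illustration, not Getif's code; the agent is a constructed in-memory table."""

def parse_oid(s):
    """'1.3.6.1.2.1.2' -> (1, 3, 6, 1, 2, 1, 2). Tuples compare in OID order."""
    return tuple(int(x) for x in s.strip(".").split("."))

# Constructed agent: two rows of the ifTable (ifDescr is column 2, ifInOctets 10,
# ifOutOctets 16) plus neighbouring objects, so the walk has somewhere to stop.
AGENT = {
    parse_oid("1.3.6.1.2.1.1.5.0"): b"m0n0wall",   # sysName.0 (system group)
    parse_oid("1.3.6.1.2.1.2.1.0"): 2,             # ifNumber.0
    parse_oid("1.3.6.1.2.1.2.2.1.2.1"): b"wi0",     # ifDescr.1
    parse_oid("1.3.6.1.2.1.2.2.1.2.2"): b"sis0",    # ifDescr.2
    parse_oid("1.3.6.1.2.1.2.2.1.10.1"): 123456,    # ifInOctets.1
    parse_oid("1.3.6.1.2.1.2.2.1.10.2"): 654321,    # ifInOctets.2
    parse_oid("1.3.6.1.2.1.2.2.1.16.1"): 222,       # ifOutOctets.1
    parse_oid("1.3.6.1.2.1.2.2.1.16.2"): 333,       # ifOutOctets.2
    parse_oid("1.3.6.1.2.1.4.1.0"): 1,             # ipForwarding.0, outside interfaces
}

def get_next(agent, oid):
    """GetNext semantics: the smallest OID the agent holds that is strictly greater
    than `oid` (Python tuple comparison is exactly OID lexicographic order).
    Returns None at the end of the MIB view."""
    later = [o for o in agent if o > oid]
    return min(later) if later else None

def walk(agent, root):
    """Return [(oid, value), ...] for everything under `root`, in the order a MIB
    browser lists it: repeat GetNext until the reply leaves the subtree."""
    results, oid = [], root
    while True:
        nxt = get_next(agent, oid)
        if nxt is None or nxt[:len(root)] != root:
            return results
        results.append((nxt, agent[nxt]))
        oid = nxt

def table_rows(results, entry):
    """Pivot walked ifEntry objects (entry.column.index) into one row per
    interface index: {index: {column: value}}, i.e. the Interfaces tab layout."""
    rows = {}
    for oid, value in results:
        if oid[:len(entry)] == entry and len(oid) == len(entry) + 2:
            column, index = oid[len(entry)], oid[len(entry) + 1]
            rows.setdefault(index, {})[column] = value
    return rows

if __name__ == "__main__":
    interfaces = parse_oid("1.3.6.1.2.1.2")
    for oid, value in walk(AGENT, interfaces):
        print(".".join(map(str, oid)), value)
    print(table_rows(walk(AGENT, interfaces), parse_oid("1.3.6.1.2.1.2.2.1")))
```

Note the ordering that falls out of the OID comparison: all of ifDescr (column 2) for every interface comes before any ifInOctets (column 10), which is why the browser's lower window shows ifInOctets.1, .2, .3, … as a run of consecutive lines and why clicking Add To Graph three times picks up the same counter for three interfaces.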

Finally, the graphing function automatically queries the device with the OIDs specified at the requested interval and then charts the results.