Remote Network Monitoring (RMON)
Remote Network Monitoring (RMON) is a standard monitoring specification that allows network monitors (probes) and management consoles to exchange network monitoring data.
- developed by the IETF to support network monitoring and protocol analysis
- provides a standardized method of classifying network traffic
- for incident response
- allows you to perform a postmortem analysis on network logs to determine when an attack began and perhaps its source
- original RMON defined by RFC 2819
- RMON2 defined in RFC 4502
- there are extensions of RMON for specialized networks
- e.g.,
- RMON Management Information Base for High Capacity Networks (HCRMON)
- defined in RFC 3273
- RMON MIB Extensions for Switched Networks (SMON)
- defined in RFC 2613
- original version had 10 groups (the tenth, Token Ring, is defined separately in RFC 1513):
- Statistics
- real-time LAN statistics
- e.g., utilization, collisions, CRC errors
- History
- history of selected statistics
- Alarm
- definitions of rising/falling thresholds on sampled statistics; crossing a threshold generates an event, which the Event group turns into an SNMP trap or log entry
- Hosts
- host-specific LAN statistics
- e.g., bytes sent/received, frames sent/received
- Hosts top N
- record of the N most active hosts over a given time period, ranked by a selected host statistic
- Matrix
- sent-received traffic matrix between systems
- Filter
- defines packet data patterns of interest
- e.g., MAC address or TCP port
- Capture
- collect and forward packets matching the Filter group
- Event
- log events and send alerts (SNMP traps) when Alarm group thresholds are crossed
- Token Ring
- extensions specific to Token Ring
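As an added example (not from the page, nor from any RMON implementation), the following Python models the Hosts, Hosts top N, Matrix and Filter groups over a constructed packet trace, and implements the Alarm group's rising/falling threshold rule from RFC 2819, including the hysteresis that stops an alarm from re-firing on every polling interval that stays above the threshold. Class, function and variable names are my own, not MIB object names; the packet trace and counter readings are constructed.

```python
# Added example: RMON-style Hosts/HostTopN/Matrix/Filter tables over a
# constructed packet trace, plus an Alarm evaluator following the RFC 2819
# rising/falling threshold rules. Names are mine, not MIB object names.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ABSOLUTE, DELTA = "absoluteValue", "deltaValue"          # alarmSampleType
RISING, FALLING, RISING_OR_FALLING = "rising", "falling", "risingOrFalling"


class RmonAlarm:
    """One alarm row: thresholds on a sampled variable, with hysteresis.

    Per RFC 2819 a rising event fires when a sample reaches the rising
    threshold and the previous sample was below it; no further rising event
    is generated until the value has dropped to the falling threshold (and
    symmetrically for falling events). The first sample is governed by
    alarmStartupAlarm. sample() returns the event fired, or None.
    """

    def __init__(self, rising: int, falling: int,
                 sample_type: str = DELTA, startup: str = RISING_OR_FALLING):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw: Optional[int] = None    # previous counter, for delta sampling
        self.last_value: Optional[int] = None  # previous sampled value
        self.rising_armed = self.falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        if self.sample_type == DELTA:
            if self.last_raw is None:          # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        event = None
        if self.last_value is None:            # startup rule
            if value >= self.rising and self.startup in (RISING, RISING_OR_FALLING):
                event = RISING
            elif value <= self.falling and self.startup in (FALLING, RISING_OR_FALLING):
                event = FALLING
        elif value >= self.rising and self.last_value < self.rising and self.rising_armed:
            event = RISING
        elif value <= self.falling and self.last_value > self.falling and self.falling_armed:
            event = FALLING
        if event == RISING:                    # disarm until the other threshold is reached
            self.rising_armed, self.falling_armed = False, True
        elif event == FALLING:
            self.rising_armed, self.falling_armed = True, False
        self.last_value = value
        return event


def run_alarm(readings: List[int], **kwargs) -> List[Optional[str]]:
    """Feed successive counter readings to one alarm; return the event per reading."""
    alarm = RmonAlarm(**kwargs)
    return [alarm.sample(r) for r in readings]


@dataclass(frozen=True)
class Packet:
    src: str       # source MAC
    dst: str       # destination MAC
    octets: int
    dst_port: int  # TCP destination port


A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
PACKETS = [                                    # constructed sample trace
    Packet(A, B, 1500, 443), Packet(A, B, 1500, 443), Packet(B, A, 60, 49152),
    Packet(C, B, 900, 443), Packet(C, A, 400, 22), Packet(B, C, 1200, 22),
]


def host_table(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Hosts group: per-MAC octet and packet counters in each direction."""
    hosts: Dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        hosts[p.src]["out_octets"] += p.octets
        hosts[p.src]["out_pkts"] += 1
        hosts[p.dst]["in_octets"] += p.octets
        hosts[p.dst]["in_pkts"] += 1
    return {h: dict(c) for h, c in hosts.items()}


def host_top_n(packets: List[Packet], n: int, rate: str = "out_octets") -> List[Tuple[str, int]]:
    """Hosts top N: the N hosts with the largest value of one host statistic."""
    table = host_table(packets)
    ranked = sorted(((h, c.get(rate, 0)) for h, c in table.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:n]


def matrix(packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """Matrix group: octets per (source, destination) pair."""
    m: Counter = Counter()
    for p in packets:
        m[(p.src, p.dst)] += p.octets
    return dict(m)


def filter_packets(packets: List[Packet], mac: Optional[str] = None,
                   dst_port: Optional[int] = None) -> List[Packet]:
    """Filter group: keep packets matching a MAC (either side) and/or a TCP port."""
    return [p for p in packets
            if (mac is None or mac in (p.src, p.dst))
            and (dst_port is None or p.dst_port == dst_port)]


if __name__ == "__main__":
    # Delta of an octet counter per interval: rising 1000, falling 200.
    print(run_alarm([0, 100, 1300, 2200, 3300, 3400, 4900], rising=1000, falling=200, startup=RISING))
    print(host_top_n(PACKETS, 2))
    print(filter_packets(PACKETS, dst_port=443))
```

The counter readings in the demo produce one rising event, then a dip to 900 and a return to 1100 without any new event, then a falling event once the value reaches 200: that re-arm rule is why a single burst yields one trap rather than one per polling interval, which keeps the incident-response alert volume proportional to the number of distinct excursions.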