8

I'm trying to graph network usage on my router for a specific interface using data from SNMP. I know that ifInOctets/ifOutOctets is only 32 bit and will overflow for high speeds and make my graphs look dumb, but it looks like the differences in values returned by ifInOctets/ifOutOctets and ifHCInOctets/ifHCOutOctets aren't always identical. I've tested a few times by using snmpwalk | grep InOctets and subtracting the values. Sometimes I see that the change in the 32-bit counter is significantly less (more than 50%) than the change in the 64-bit version, and sometimes I see it go the other way with the 64-bit counter showing a smaller delta.

Am I missing something in the way that the 64-bit counters should be read, or is there just a difference in how their data gets updated? The 32-bit numbers match up with what's in /proc/net/dev, so I'm inclined to believe them more, but the wrapping issue makes them unusable when the speed gets too high:

dumb graphs with rollover

Here are a few examples, each snmpwalk was run about 10 seconds apart:

$ snmpwalk  -c public -v2c 192.168.1.1 | grep -i InOctets.2
IF-MIB::ifInOctets.2 = Counter32: 2291487255
IF-MIB::ifHCInOctets.2 = Counter64: 2901400127083

$ snmpwalk  -c public -v2c 192.168.1.1 | grep -i InOctets.2
IF-MIB::ifInOctets.2 = Counter32: 2297202283
IF-MIB::ifHCInOctets.2 = Counter64: 2901400298056

32-bit change: 5715028

64-bit change: 170973

$ snmpwalk  -c public -v2c 192.168.1.1 | grep -i InOctets.2
IF-MIB::ifInOctets.2 = Counter32: 2297528566
IF-MIB::ifHCInOctets.2 = Counter64: 2901400453366

32-bit change: 326283

64-bit change: 155310

pettazz
  • 181
  • 1
  • 1
  • 3
  • Which version of SNMP protocol are you using? SNMP V2C and V3 has 64 bit support. – Mircea Vutcovici Oct 20 '16 at 22:05
  • Currently using v2c – pettazz Oct 20 '16 at 22:08
  • What kind of router are you using? Is it Linux based? Which distribution is it running? – Mircea Vutcovici Oct 20 '16 at 22:10
  • Asus RT-AC66U, running asuswrt-merlin – pettazz Oct 20 '16 at 22:12
  • 1
    May be you just hit a bug, like this one: https://sourceforge.net/p/net-snmp/bugs/2741/ – drookie Oct 21 '16 at 03:58
  • 1
    With a gigabit interface running at full speed, the 32-bit counters can roll over in about 40 seconds, so I'm still suspicious that rollover might be biting you. Could you **show** us the problem? Show us the output from that `snmpwalk|grep InOctets` at two fairly-close times, so that we can **see** the difference between the changes in 32-bit and 64-bit stats? – MadHatter Oct 21 '16 at 06:05
  • Updated with a few examples. Also I don't think the 32 bit counter is always rolling over that often. I added an example of when I do see the rollover in my graph, so it's pretty obvious when it happens. – pettazz Oct 21 '16 at 15:26
  • I agree with you, plus the 64-bit values don't give any reason to suspect rollover, either. That is downright weird, and might have to be addressed to Asus. – MadHatter Oct 22 '16 at 05:52

2 Answers2

0

I'd say you shouldn't run over whole tree of SNMP OIDs, it takes a significant amount of time. Could you try snmpbulkwalk -c public -v2c 192.168.1.1 InOctets.2 and snmpbulkwalk -c public -v2c 192.168.1.1 ifHCInOctets.2 instead? But anyway, that difference looks weird. Do you have other SNMP devices to compare with?

0

RFC 2233 adopted expanded 64-bit counters for high capacity interfaces in which 32-bit counters do not provide enough capacity and wrap too fast.

https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/26007-faq-snmpcounter.html