[Milberg09] Chapter 14. Network I/O: Monitoring

Chapter 14. Network I/O: Monitoring

Let's begin our discussion of network I/O monitoring by revisiting our old standby, netstat, which displays overall network statistics. Probably one of the most common commands you will type is netstat -in:

Code View: Scroll / Show All

# netstat -in

Name  Mtu   Network     Address              Ipkts  Ierrs    Opkts Oerrs Coll
en1   1500  link#2      2a.21.70.0.90.6   21005666      0   175389     0    0
en1   1500  10.153      10.153.3.7        21005666      0   175389     0    0
en0   1500  link#3      2a.21.70.0.90.5  328241182      0    1189      0    0
en0   1500  172.29.128  172.29.137.205   328241182      0    1189      0    0
lo0   16896 link#1                           62223      0   62234      0    0
lo0   16896 127         127.0.0.1            62223      0   62234      0    0

					    

Here is a key to the output fields:

• Name — Interface name

• Mtu — Interface Maximum Transfer Unit (MTU) size

• Network — The actual network address to which the interface connects

• Address — Media Access Control (MAC) or IP address

• Ipkts — Total number of packets received by the interface

• Ierrs — Number of errors reported back from the interface

• Opkts — Number of packets transmitted from the interface

• Oerrs — Number of error packets transmitted from the interface

• Coll — Number of collisions on the adapter (if you're using Ethernet, you won't see anything here)

Another handy netstat flag is -m. This option lets you view the kernel memory allocation statistics, including mbuf memory requests (and buffer size), amount of memory in use, and failures by CPU:

Code View: Scroll / Show All

# netstat -m

Kernel malloc statistics:
******* CPU 0 *******
By size           inuse     calls failed   delayed    free   hiwat    freed
32                  194      5203      0         2      62   2620         0
64                  484      3926      0         7      28   2620         0
128                 309     14913      0         8     875   1310         0
256                 392    214494      0        22     136   2620         0
512                2060  26183179      0       261      60   3275         0
1024                 31      2714      0         8      25   1310         0
2048                587      1237      0       292       5   1965         0
4096                  9      8367      0         2       2    655         0
8192                  2        12      0         2       1    327         0
16384               224       354      0        29       2    163         0
32768                48       183      0        13       3     81         0
65536                84       142      0        42       0     81         0
131072                3         4      0         0      51    102         0
******* CPU 1 *******
By size           inuse     calls failed   delayed    free   hiwat    freed
32                   17        96      0         0     111    2620        0
64                  295      1214      0         5      25    2620        0
128                 151     93806      0         5     713    1310        0
256                  83       273      0         5      29    2620        0
512                1577  86936634      0       199      23    3275        0
1024                  4        18      0         2       4    1310        0
2048                515       516      0       257       1    1965        0
4096                  1       707      0         0       1     655        0
8192                  1         1      0         1       4     327        0
16384                32        32      0         4       0     163        0
32768                52       193      0        15       5      90        0
65536                34        34      0        17       0      81        0
131072                0         0      0         0      44      88        0

					    

If you're using Ethernet, you can also use the entstat command to display device driver statistics:

# entstat -d en1

-------------------------------------------------------------
ETHERNET STATISTICS (en1) :
Device Type: 10/100 Mbps Ethernet PCI Adapter II (1410ff01)
Hardware Address: 00:02:55:6f:c9:9b
Elapsed Time: 5 days 12 hours 14 minutes 46 seconds

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 803536                               Packets: 2095253
Bytes: 511099654                              Bytes: 1099945394
Interrupts: 520                               Interrupts: 2074913
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 38
S/W Transmit Queue overflow: 0
Current S/W+H/W Transmit Queue Length: 1

Broadcast Packets: 535                        Broadcast Packets: 997476

The entstat output provides a potpourri of information. You won't see many collisions because you'll probably be working in a switched environment. Look for transmit errors, and make sure they're not increasing too fast.

You need to learn to troubleshoot collision and error problems before you even begin to think about tuning. As an alternative, you can use netstat -v which provides similar information.

14.1. netpmon

netpmon [-o File] [-d] [-T n] [-P] [-t] [-v] [-O ReportType ...]
   [-i Trace_File -n Gennames_File]

The netpmon command reports information about CPU usage as it relates to the network. It also provides data about network device driver I/O, Internet socket calls, and various other statistics.

Similar to its other trace brethren, tprof and filemon, netpmon starts a trace and runs in the background until you stop it with the trcstop command. I like netpmon because it really gives you a detailed overview of network activity and also captures data for trending and analysis (although it's not as useful as nmon for the latter purpose). In the following example, we'll use a trace buffer size of 2 million bytes:

# netpmon -T 2000000 -o /tmp/net.out

Wed Sep  5 05:30:27 2007
System: AIX 5.3 Node: lpar7ml162f_pub Machine: 00C22F2F4C00

Run trcstop to signal the end of the trace:

# trcstop

# [netpmon: Reporting started]

[netpmon: Reporting completed]
[               4 traced cpus                ]
[         245.464 secs total preempt time    ]

[netpmon: 164.813 secs in measured interval]

Let's look at the data. Here is just a small sampling of the output:

# more net.out

Process CPU Usage Statistics:
-----------------------------
                                                    Network
Process (top 20)             PID  CPU Time   CPU %    CPU %
----------------------------------------------------------
UNKNOWN                    15920  151.2735  36.558    0.000
UNKNOWN                     7794  104.8801  25.346    0.000
UNKNOWN                     6876   73.8785  17.854    0.000
UNKNOWN                     5402   50.6225  12.234    0.000
xmwlm                      13934   15.0469   3.636    0.000
-ksh                        5040    0.0371   0.009    0.000
getty                      18688    0.0280   0.007    0.000
sshd:                      28514    0.0224   0.005    0.000
syncd                      10068    0.0212   0.005    0.000

gil                         3870    0.0163   0.004    0.004
swapper                        0    0.0135   0.003    0.000
spray                       5400    0.0085   0.002    0.000
send-mail                  18654    0.0084   0.002    0.000
rmcd                       15026    0.0081   0.002    0.000
ping                        5036    0.0068   0.002    0.000
ksh                        26642    0.0062   0.002    0.000
trcstop                     5404    0.0057   0.001    0.000

As you can see, little overall network I/O activity was going on during this time. The top section of the output is most important. It helps you gain an understanding of which processes are eating up network I/O time.

The lsattr command, which we used in Chapter 13 to view hardware parameters, is another tool you'll use frequently to display statistics about your interfaces. The attributes reported by this command are configured using either the chdev or the no command. Let's display the driver parameters using lsattr:

# lsattr -El en0

alias4               IPv4 Alias including Subnet Mask            True
alias6               IPv6 Alias including Prefix Length         True
arp           on     Address Resolution Protocol (ARP)           True
authority            Authorized Users                            True
broadcast            Broadcast Address                           True
mtu           1500   Maximum IP Packet Size for This Device      True
netaddr              Internet Address                            True
netaddr6             IPv6 Internet Address                       True
netmask              Subnet Mask                                 True
prefixlen            Prefix Length for IPv6 Internet Address     True
remmtu        576    Maximum IP Packet Size for REMOTE Networks  True
rfc1323              Enable/Disable TCP RFC 1323 Window Scaling  True
security      none   Security Level                              True
state         detach Current Interface Status                    True
tcp_mssdflt          Set TCP Maximum Segment Size                True
tcp_nodelay          Enable/Disable TCP_NODELAY Option           True
tcp_recvspace        Set Socket Buffer Space for Receiving       True
tcp_sendspace        Set Socket Buffer Space for Sending         True

Sometimes, I also like to use the spray command to troubleshoot possible problems (although oftentimes this command is blocked because it's not very secure). The spray command sends a one-way stream of packets from your host to the remote host machines and reports the number of packets dropped as well as the number of packets transferred:

# /usr/etc/spray lpar8test  -c 2000 -l 1400 -d 1

sending 2000 packets of length 1402 to
        lpar8test ...
        34 packets (1.700%) dropped by lpar8test
        23667 packets/second, 33181234 bytes/second

In the preceding example, 2,000 packets were sent to the lpar8test host, with a delay of one microsecond. Each packet consisted of 1,400 bytes.

Before using spray, make sure the sprayd daemon isn't commented out of the inetd daemon (the default configuration in AIX), and don't forget to refresh inetd. If you're seeing a substantial number of dropped packets, that obviously is not good.

14.2. Monitoring NFS

This section covers the use of the nmon, topas, nfsstat, nfs, nfs4cl, and netpmon commands to monitor the Network File System (NFS). For NFS tuning, you could use a tool such as topas or nmon initially because these commands provide a nice dashboard view of what is happening in your system. Remember that NFS performance problems might not be related to your NFS subsystem at all; your bottleneck could be on the network or, from a server perspective, related to CPU or disk I/O. Running a tool such as topas or nmon can quickly help you get a sense of what the real issues are.

Consider a system that has two CPUs and is running AIX 5.3 TL_6. The report in Figure 14.1 shows nmon output from an NFS perspective.

Figure 14.1. NFS nmon output

Look at all the information that is available to you from an NFS (client and server) perspective using nmon! There are no current bottlenecks at all on this system.

Although topas has improved recently with its ability to capture data, nmon might still be a better first choice. While topas provides a front end similar to nmon, nmon is more useful in terms of long-term trending and analysis.

14.3. nfsstat

The nfsstat tool is arguably the most important tool you'll work with as you monitor your network. This command displays all types of information about NFS and remote procedure calls (RPCs). You can use nfsstat as a monitoring tool to troubleshoot problems and also employ it for performance tuning.

Depending on the flags you use, you can have nfsstat display NFS client or server information. The command can also show the actual usage count of file system operations. This detail helps you understand exactly how each file system is utilized, so that you can know how to best tune your system. Look at the client flag (c) first.

The r flag generates the RPC information:

# nfsstat -cr

Client rpc:
Connection oriented
calls      badcalls   badxids    timeouts   newcreds   badverfs   timers
14348      1          0          0          0          0           0
nomem      cantconn   interrupt
0          0          0
Connectionless
calls      badcalls   retrans    badxids    timeouts   newcreds   badverfs
23         0          0          0          0          0           0

timers     nomem      cantsend
0          0          0

Here's a rundown of the connection-oriented parameters:

• calls — Number of RPC calls received

• badcalls — Number of calls rejected by the RPC layers

• badxids — Number of times a server reply was received that did not correspond to any outstanding call

• timeouts — Number of times calls timed out while waiting for replies from the server

• newcreds — Number of times authentication information was refreshed

• badverfs — Number of times a call failed due to a bad verifier in the response

If you notice a large number of timeouts or badxids, you could benefit by increasing the timeo parameter with the mount command (details to come).

Next, look at the NFS information by using the n flag:

# nfsstat -cn

Client nfs:
calls      badcalls   clgets     cltoomany
14348      1          0          0
Version 2: (0 calls)
null       getattr    setattr    root       lookup     readlink    read
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%        0 0
wrcache    write      create     remove     rename     link        symlink
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%        0 0%
mkdir      rmdir      readdir    statfs
0 0%       0 0%       0 0%       0 0
Version 3: (14348 calls)
null       getattr    setattr    lookup     access     readlink    read
0 0%       3480 24%   5 0%       1790 12%   5742 40%   0 0%        30 0%
write      create     mkdir      symlink    mknod      remove      rmdir
44 0%      3 0%       0 0%       0 0%       0 0%       3 0%        0 0%
rename     link       readdir    readdir+   fsstat     fsinfo      pathconf
0 0%       2 0%       3 0%       3195 22%   5 0%       2 0%        0 0%

In NFS Version 3, the output fields include:

• calls — Number of received NFS calls

• badcalls — Number of calls rejected by the NFS layer

• clgets — Number of times a client handle was received

• cltoomany — Number of times the client handle had no unused entries

14.4. nfs4cl

If you're running NFS Version 4, you might be using the nfs4cl command more often. This command displays NFS 4 statistics and properties:

# nfs4cl showfs

Server      Remote Path          fsid                 Local Path
--------    ---------------      ---------------      ---------------

If after running this command, you see that there is no output, run the mount command to obtain more detail:

Code View: Scroll / Show All

# mount

node         mounted            mounted over      vfs  date          options
------------ ---------------    ---------------   ---- ------------ ---------------
             /dev/hd4           /                 jfs  Sep 25 13:18 rw,log=/dev/hd8
192.168.1.12 /stage/middleware  /stage/middleware nfs3 Sep 25 13:22 ro,bg,soft,intr,
                                                                    sec=sys
192.168.1.12 /userdata/20004773 /home/u0004773    nfs3 Sep 25 13:29 bg,hard,int

					    

As you can tell, in this example no file systems are mounted using NFS Version 4, only NFS Version 3.

Unlike the vast majority of performance tuning commands, nfs4cl can also be used to tune your system. You do this by using the setfsoptions subcommand to tune NFS Version 4. Another parameter you can tune is the previously mentioned timeo, which specifies the timeout value for the RPC calls to the server.

14.5. netpmon and NFS

The netpmon command can also help you troubleshoot NFS bottlenecks. In addition to monitoring many other types of network statistics, netpmon monitors for clients — both read and write subroutines and NFS RPC requests. For servers, netpmon monitors read and write requests. The command starts a trace and runs in the background until you stop it.

First, let's kick off the trace:

# netpmon -T 3000000 -o /tmp/nfrss.out

You run the trcstop command to signal the end of the trace, as the following message informs you:

# Sun Oct  7 07:06:14 2007

System: AIX 5.3 Node: lpar24ml162f_pub Machine: 00C22F2F4C00
Run trcstop command to signal end of trace.

Let's stop our trace:

# trcstop

# [netpmon: Reporting started]
[netpmon: Reporting completed

[               2 traced cpus                ]
[         245.464 secs total preempt time    ]
[netpmon: 164.813 secs in measured interval

Now, we can check out the NFS-specific information provided in the output file:

NFSv3 Client RPC Statistics (by Server):
----------------------------------------

Server                     Calls/s
----------------------------------
p650                        126.68
------------------------------------------------------------------------
Total (all servers)         126.68
Detailed NFSv3 Client RPC Statistics (by Server):
-------------------------------------------------
SERVER: p650
calls:                  5602

  call times (msec):    avg 1.408   min 0.274    max 979.611 sdev 21.310
COMBINED (All Servers)
calls:                  5602
  call times (msec):    avg 1.408   min 0.274    max 979.611 sdev 21.310

In this case, you can see the NFS Version 3 client statistics by server.

Although netpmon is a useful trace utility, its performance overhead can sometimes outweigh its benefits, particularly when you have other ways to obtain similar information. So be aware of this consideration when using this utility.

14.6. Monitoring Network Packets

Earlier, I addressed some of the very basic flags, such as -in, that you typically use with the netstat command. Using netstat, you can also monitor more detailed information about the packets themselves. For example, the -D option reports the overall number of packets received, transmitted, and dropped in your communications subsystem. The command output sorts the results by device, driver, and protocol:

Code View: Scroll / Show All

# netstat -D

Source                         Ipkts                Opkts     Idrops      Odrops
-------------------------------------------------------------------------------
ent_dev0                   238122150                 1805          0           0
ent_dev1                    17583646               301547          0           0
                ---------------------------------------------------------------
Devices Total              255705796               303352          0           0
     .
     .
     .

					    

There are actually so many different ways to use netstat that the best place to start is to look at the man page for netstat and go from there. Don't be afraid to run these commands, because they won't eat up disk space or affect performance.

14.7. iptrace, ipreport, and ipfilter

The tracing tools provided within AIX are used to record detailed information about packets. Use these commands with more caution.

The tools are extremely helpful when you're trying to determine the root cause of network performance problems. Check out iptrace and ipreport first. The iptrace command records all packets received from the network interfaces. The ipreport command formats the data generated from iptrace into a readable trace report. You can also use the ipfilter command to sort the output file created from ipreport.

Let's try starting the trace and running it for one minute:

# /usr/sbin/iptrace -a -i en0 iptrace
[1]     7375

# [774252
[1] +  Done                    /usr/sbin/iptrace -a -i en0 iptrace.out

Here, you can see the trace running:

Code View: Scroll / Show All

# ps -ef | grep iptrace

root 205030 749602  0 10:57:32 pts/0 0:00 grep iptrace
root 774252      1  2 10:57:25     - 0:00 /usr/sbin/iptrace -a -i en0 iptrace.out

					    

When we're done with the trace, we need to kill the process:

# kill −1 77425
# iptrace: unload success!

Next, let's sort the file:

# ipreport -r -s iptrace.out >/ipreport.network

Now, we can examine the output, which shows the captured information about each packet, including packet size and IP address information:

# more ipreport.network

IPTRACE version: 2.0
ETH: ====( 114 bytes transmitted on interface en0 )==== 10:57:25.698790226
ETH:  [ da:bb:b8:b5:26:14 -> 6e:87:76:59:6e:cd ]  type 800 (IP)
IP:   < SRC =   172.29.135.44 >  (lpar37p682e)
IP:   < DST =   172.29.131.16 >
IP:   ip_v=4, ip_hl=20, ip_tos=16, ip_len=100, ip_id=18349, ip_off=0 DF
IP:   ip_ttl=60, ip_sum=945f, ip_p = 6 (TCP)
TCP:  <source port=22(ssh), destination port=53643 >
TCP:  th_seq=337783617, th_ack=1783353394
TCP:  th_off=8, flags<PUSH | ACK>
TCP:  th_win=65522, th_sum=0, th_urp=0
TCP:          nop
TCP:          nop
TCP:          timestamps TSVal: 0x47414604  TSEcho: 0x47826117
TCP: 00000000   520bea13 dfaefa7b e1c517d6 ce86f960   |R......{....... '|
TCP: 00000010   fdb24d69 947c8d48 fa7b6379 235d1a63   |..Mi.|.H.{cy#].c|
TCP: 00000020   840adfc2 e1b4b916 e1002983 f96fc1fb   |.......... )..o..|

As you can imagine, the trace file can become very large fairly quickly. The file for this example grew to 40 MB in less than a minute! Be very careful when running these traces because you'll run out of disk space really fast if you don't have the disk bandwidth for these files.

You can also start the trace using the System Resource Controller (SRC).

14.8. tcpdump

What about tcpdump? This command prints the headers of the packets that are captured for each network interface card (NIC). One important difference with tcpdump is that, unlike iptrace, it can look at only one network interface at a time. And because iptrace examines the entire packet from the kernel space, its results can include lots of dropped packets. With tcpdump, you can limit the amount of data to be traced. Also, you don't need to use an ipreport type of command to format the binary data because tcpdump performs both the trace and the output.

Let's run tcpdump:

# tcpdump -w tcp.out
tcpdump: listening on en0, link-type 1, capture size 96 bytes

The utility continues to capture packets until you press Ctrl+C. If any packets were dropped due to a lack of buffer space, tcpdump reports that, too:

14755 packets received by filter
0 packets dropped by kernel

13:40:28.001711 IP lpar37p682e.ssh > 172.29.131.16.53736: P
   374368029:374368077(48)

The preceding output shows that the kernel dropped no packets, which is a good thing.