-- vim:syntax=mib formatoptions=

SACT-JUNKIE-MIB DEFINITIONS ::= BEGIN

IMPORTS
	securactive FROM SACT-ROOT-MIB
	OBJECT-TYPE, MODULE-IDENTITY, Counter64, Gauge32 FROM SNMPv2-SMI
	TruthValue FROM SNMPv2-TC;

sactJunkieModule MODULE-IDENTITY
	LAST-UPDATED "201101310000Z"
	ORGANIZATION "SecurActive SA"
	CONTACT-INFO "info@securactive.net"
	DESCRIPTION  "Junkie MIB"
	REVISION     "201404300000Z"
	DESCRIPTION  "Change malloc unit"
	REVISION     "201210300000Z"
	DESCRIPTION  "Fix typo"
	REVISION     "201209070000Z"
	DESCRIPTION  "Addition of denied parsers count"
	REVISION     "201205040000Z"
	DESCRIPTION  "Dup detection delay is now in milliseconds"
	REVISION     "201107080000Z"
	DESCRIPTION  "Add statistics about RAM consumption"
	REVISION     "201101310000Z"
	DESCRIPTION  "Rename a few files and objects in order to respect established conventions"
	REVISION     "201011040000Z"
	DESCRIPTION  "Initial version"
	::= { securactive 1 }

junkieSystem  OBJECT IDENTIFIER ::= { sactJunkieModule 1 }
junkieSniffer OBJECT IDENTIFIER ::= { sactJunkieModule 2 }
junkieParser  OBJECT IDENTIFIER ::= { sactJunkieModule 3 }
junkieMemory  OBJECT IDENTIFIER ::= { sactJunkieModule 4 }

junkieVersion OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The version of the sniffer currently installed"
	::= { junkieSystem 1 }

sourceTable OBJECT-TYPE
	SYNTAX SEQUENCE OF sourceEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"This table displays all available statistics per packet source."
	::= { junkieSniffer 1 }

sourceEntry OBJECT-TYPE
	SYNTAX SourceEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION "A source of network packets."
	INDEX { sourceName }
	::= { sourceTable 1 }

SourceEntry ::= SEQUENCE {
	sourceName OCTET STRING,
	receivedCount Counter64,
	droppedCount Counter64,
	processedCount Counter64,
	duplicateCount Counter64,
	capBytes Counter64,
	wireBytes Counter64
}

sourceName OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "the name of the packet source."
	::= { sourceEntry 1 }

receivedCount OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many packets were received by the kernel for this source
		 (as reported by libpcap)."
	::= { sourceEntry 2 }

droppedCount OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many packets were dropped by the kernel for this source
		 (as reported by libpcap). If you experience a lot of dropped
		 packets you may want to try to increased receive buffer sizes
		 (sysctl net.core.rmem_max)."
	::= { sourceEntry 3 }

processedCount OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many packets were handled to the parsing process
		 (this may be less than receivedCount because some received
		 packets may still be waiting in receive buffer)."
	::= { sourceEntry 4 }

duplicateCount OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Amongst all processed packets, how many were rejected because
		 considered duplicates.
		 If you have a high ratio of duplicates you may want to check your mirroring."
	::= { sourceEntry 5 }

capBytes OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "Number of bytes captured on this source."
	::= { sourceEntry 6 }

wireBytes OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Number of bytes on wire for this source. If you do not truncate
		 packets when reading the packet source then this is equal to capBytes."
	::= { sourceEntry 7 }


dupDetectionDelay OBJECT-TYPE
	SYNTAX Integer32
	UNITS "milliseconds"
	MAX-ACCESS read-write
	STATUS current
	DESCRIPTION
		"Number of milliseconds between two packets that can't be duplicates.
		 Set to zero to disable deduplication altogether."
	::= { junkieSniffer 2 }

-- Stats table for parsers

parserTable OBJECT-TYPE
	SYNTAX SEQUENCE OF parserEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"This table displays all available statistics per protocolar parser."
	::= { junkieParser 1 }

parserEntry OBJECT-TYPE
	SYNTAX ParserEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION "A row describing a parser."
	INDEX { protoName }
	::= { parserTable 1 }

ParserEntry ::= SEQUENCE {
	protoName OCTET STRING,
	frameCount Counter64,
	byteCount Counter64,
	nbInstances Gauge32
}

protoName OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The name of the parsed protocol."
	::= { parserEntry 1 }

frameCount OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many frames (or, in some rare occasions, frame fragments) 
		 were handled by this parser."
	::= { parserEntry 2 }

byteCount OBJECT-TYPE
	SYNTAX Counter64
	UNITS "bytes"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many bytes were handled by this parser."
	::= { parserEntry 3 }

nbInstances OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many instances of this parser are currently running simultaneously."
	::= { parserEntry 4 }

-- More specific stats for parsers that are also multiplexers

muxerTable OBJECT-TYPE
	SYNTAX SEQUENCE OF muxerEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"This table completes the parsers table with additional statistics for
		 parsers that multiplex their payload amongst several possible subparsers
		 (for instance an IP parser multiplex its payload according to source address,
		 dest address and protocol, while a TCP parser multiplex its payload according
		 to the source and dest ports)."
	::= { junkieParser 2 }

muxerEntry OBJECT-TYPE
	SYNTAX MuxerEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION "A row giving statistics on a given multiplexer."
	INDEX { muxerName }
	::= { muxerTable 1 }

MuxerEntry ::= SEQUENCE {
	muxerName OCTET STRING,
	muxerHashSize Gauge32,
	muxerMaxChildren Gauge32,
	muxerInfanticide Counter32,
	muxerCollisions Counter64,
	muxerLookups Counter64
}

muxerName OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The name of the multiplexed protocol."
	::= { muxerEntry 1 }

muxerHashSize OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The current hash size (in entries) for each instance of this multiplexer."
	::= { muxerEntry 2 }

muxerMaxChildren OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The max number of children allowed for each instance of this multiplexer
		 (0 for no limit)."
	::= { muxerEntry 3 }

muxerInfanticide OBJECT-TYPE
	SYNTAX Counter32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many children of this multiplexer were killed due to the max number of
		 child limitation."
	::= { muxerEntry 4 }

muxerCollisions OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "Number of collisions while performing children lookups."
	::= { muxerEntry 5 }

muxerLookups OBJECT-TYPE
	SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
		"Number of lookups for children of this multiplexer.
		 The ratio between number of collisions and number of lookups
		 gives a good idea of the performance of this hash and weither it is
		 sized correctly."
	::= { muxerEntry 6 }

-- Memory consumption, by source

mallocerTable OBJECT-TYPE
	SYNTAX SEQUENCE OF mallocEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"This table gives informations about RAM utilisation by the sniffer, for all 
		 known source. Notice that this count the number of bytes allocated to the
		 application and not the total memory footprint, which is routinely more than
		 50% higher."
	::= { junkieMemory 1 }

mallocerEntry OBJECT-TYPE
	SYNTAX MallocEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION "A row giving statistics on RAM consumption."
	INDEX { mallocerName }
	::= { mallocerTable 1 }

MallocerEntry ::= SEQUENCE {
	mallocerName OCTET STRING,
	mallocerTotSize Gauge32,
	mallocerNbBlocks Gauge32,
	mallocerNbAllocs Counter64
}

mallocerName OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The name of the malloc source."
	::= { mallocerEntry 1 }

mallocerTotSize OBJECT-TYPE
	SYNTAX Gauge32
	UNITS "bytes"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The current number of allocated bytes."
	::= { mallocerEntry 2 }

mallocerNbBlocks OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"The number of individual objects that are currently allocated."
	::= { mallocerEntry 3 }

mallocerNbAllocs OBJECT-TYPE
	SYNTAX Counter64
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many objects were allocated (and maybe later freed).
		 This can be used to obtain an allocation rate."
	::= { mallocerEntry 4 }

guileMemory OBJECT-TYPE
	SYNTAX Gauge32
	UNITS "bytes"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Number of bytes in the various segments allocated by guile.
		 Notice that alive objets (ie. non garbage collected) might be
		 only sparsely scattered into these segments."
	::= { junkieMemory 2 }

arrayTable OBJECT-TYPE
	SYNTAX SEQUENCE OF arrayEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION
		"This table gives informations about all the arrays used by the
		 sniffer. As (almost) all objects are allocated via arrays then
		 this table gives insightful informations on such things as memory
		 consumption per object type and RAM fragmentation."
	::= { junkieMemory 3 }

arrayEntry OBJECT-TYPE
	SYNTAX ArrayEntry
	MAX-ACCESS not-accessible
	STATUS current
	DESCRIPTION "A row giving statistics on a given array."
	INDEX { arrayName }
	::= { arrayTable 1 }

ArrayEntry ::= SEQUENCE {
	arrayName OCTET STRING,
	usedEntries Gauge32,
	mallocedEntries Gauge32,
	nbHoles Gauge32,
	nbChunks Gauge32,
	allocSize Integer32,
	entrySize Integer32
}

arrayName OBJECT-TYPE
	SYNTAX OCTET STRING
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "The name of the array."
	::= { arrayEntry 1 }

usedEntries OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many of the malloced entries are used to store a value
		 or a free list item."
	::= { arrayEntry 2 }

mallocedEntries OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "How many entries are malloced."
	::= { arrayEntry 3 }

nbHoles OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many objects were allocated and later freed, that
		 we keep on the freelist."
	::= { arrayEntry 4 }

nbChunks OBJECT-TYPE
	SYNTAX Gauge32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many chunks of memory are used to map this array.
		 The more there are, the slower the allocation/free of
		 individual entries."
	::= { arrayEntry 5 }

allocSize OBJECT-TYPE
	SYNTAX Integer32
	UNITS "bytes"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Size of the initial chunk of memory. Further chunks
		 are allocated bigger such that the nth chunk will be
		 n times bigger than this."
	::= { arrayEntry 6 }

entrySize OBJECT-TYPE
	SYNTAX Integer32
	UNITS "bytes"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION "Size of a single entry."
	::= { arrayEntry 7 }

MallocLimit OBJECT-TYPE
	SYNTAX Gauge32
	UNITS "KiB"
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"Maximum amount of memory requested from the OS, after which we
		 avoid spawning new parsers.
		 No such limitation exist if set to 0."
	::= { junkieMemory 4 }

DeniedParsers OBJECT-TYPE
	SYNTAX Counter32
	MAX-ACCESS read-only
	STATUS current
	DESCRIPTION
		"How many new parser creation were denied because of memory
		 limitation (Note: this can happen even if MallocLimit is 0
		 if the OS is unable to fulfill our memory requirements,
		 although Junkie - and the whole OS - is likely to misbehave
		 whenever this is the case)."
	::= { junkieMemory 5 }

END
