Setting up a HiperSockets network traffic analyzer

Red Hat Enterprise Linux 9.2 LPAR mode

A HiperSockets network traffic analyzer (NTA) runs in an LPAR and monitors LAN traffic between LPARs.

Before you begin

  • Your Linux® instance must run in LPAR mode.
  • On the SE, the LPARs must be authorized for analyzing and being analyzed.
    Tip: SE authorization changes for the HiperSockets network traffic analyzer require re-creating the device by ungrouping and regrouping (see Removing a qeth group device and Creating a qeth group device). Do any authorization changes before you configure the NTA device.
  • You need a traffic-dumping tool such as tcpdump.

About this task

HiperSockets NTA is available to trace both layer 3 and layer 2 network traffic, but the analyzing device itself must be configured as a layer 3 device. The analyzing device is a dedicated NTA device and cannot be used as a regular network interface.

Linux setup:

Ensure that the qeth device driver module was loaded.

Procedure

Perform the following steps:

  1. Configure a HiperSockets interface dedicated to analyzing with the layer2 sysfs attribute set to 0 and the sniffer sysfs attribute set to 1.
    For example, assuming the HiperSockets interface is enca1c0 with device bus-ID 0.0.a1c0:
    # znetconf -a a1c0 -o layer2=0 -o sniffer=1 
    The znetconf command also sets the device online. For more information about znetconf, see znetconf - List and configure network devices. The qeth device driver automatically sets the buffer_count attribute to 128 for the analyzing device.
  2. Activate the device (no IP address is needed):
    # ip link set enca1c0 up
  3. Switch the interface into promiscuous mode:
    # tcpdump -i enca1c0

Results

The device is now set up as a HiperSockets network traffic analyzer.

Hint: A HiperSockets network traffic analyzer with no free empty inbound buffers might have to drop packets. Dropped packets are reflected in the "dropped counter" of the HiperSockets network traffic analyzer interface and reported by tcpdump.
Example:
# ip -s link show dev enca1c0
...
    RX: bytes  packets  errors  dropped overrun mcast
    223242     6789     0       5       0       176
...
# tcpdump -i enca1c0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enca1c0, link-type EN10MB (Ethernet), capture size 96 bytes
...
5 packets dropped by kernel