Setting up a HiperSockets network traffic analyzer

7.1 LPAR mode

A HiperSockets™ network traffic analyzer (NTA) runs in an LPAR and monitors LAN traffic between LPARs.

Before you begin

  • Your Linux® instance must run in LPAR mode.
  • On the SE, the LPARs must be authorized for analyzing and being analyzed.
    Tip: Do any authorization changes before you configure the NTA device. If you must activate the NTA after SE authorization changes, set the qeth device offline, set the sniffer attribute to 1, and set the device online again.
  • You need a traffic-dumping tool such as tcpdump.
  • You need a mainframe system that supports HiperSockets network traffic analyzer. HiperSockets network traffic analyzer became available for System z10® in March 2010.

About this task

The HiperSockets NTA is available to trace both layer 3 and layer 2 network traffic, but the analyzing device itself must be configured as a layer 3 device. The analyzing device is a dedicated NTA device and cannot be used as a regular network interface.

Procedure

Perform the following steps:
Linux setup:
  1. Ensure that the qeth device driver was compiled into the Linux kernel or that the qeth device driver was loaded as a module.
  2. Configure a HiperSockets interface dedicated to analyzing with the layer2 sysfs attribute set to 0 and the sniffer sysfs attribute set to 1.
    For example, assuming the HiperSockets interface is hsi0 with device bus-ID 0.0.a1c0:
    # chzdev qeth -e -a a1c0 layer2=0 sniffer=1 
    The chzdev command also sets the device online. To make the change persistent across reboots, omit the -a option. For more information about chzdev, see chzdev - Configure IBM Z devices.
    Alternatively, for the running configuration only:
    # znetconf -a a1c0 -o layer2=0 -o sniffer=1 
    The znetconf command also sets the device online. For more information about znetconf, see znetconf - List and configure network devices. The qeth device driver automatically sets the buffer_count attribute to 128 for the analyzing device.
  3. Activate the device (no IP address is needed):
    # ip link set hsi0 up
  4. Switch the interface into promiscuous mode:
    # tcpdump -i hsi0

Results

The device is now set up as a HiperSockets network traffic analyzer.

Hint: A HiperSockets network traffic analyzer with no free empty inbound buffers might have to drop packets. Dropped packets are reflected in the "dropped counter" of the HiperSockets network traffic analyzer interface and reported by tcpdump.
Example:
# ip -s link show dev hsi0
...
    RX: bytes  packets  errors  dropped overrun mcast
    223242     6789     0       5       0       176
...
# tcpdump -i hsi0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hsi1, link-type EN10MB (Ethernet), capture size 96 bytes
...
5 packets dropped by kernel