Setting up a HiperSockets network traffic analyzer

A HiperSockets network traffic analyzer (NTA) runs in an LPAR and monitors LAN traffic between LPARs.

Before you begin

  • Your Linux instance must not be a z/VM® guest.
  • On the SE, the LPARs must be authorized for analyzing and being analyzed.
    Tip: Do any authorization changes before configuring the NTA device. Should you need to activate the NTA after SE authorization changes, set the qeth device offline, set the sniffer attribute to 1, and set the device online again.
  • You need a traffic dumping tool such as tcpdump.

About this task

HiperSockets NTA is available to trace both layer 3 and layer 2 network traffic, but the analyzing device itself must be configured as a layer 3 device. The analyzing device is a dedicated NTA device and cannot be used as a regular network interface.

Procedure

Perform the following steps:

Linux setup:
  1. Ensure that the qeth device driver module has been loaded.
  2. Configure a HiperSockets interface dedicated to analyzing with the layer2 sysfs attribute set to 0 and the sniffer sysfs attribute set to 1.
    For example, assuming the HiperSockets interface is hsi0 with device bus-ID 0.0.a1c0: 
    # znetconf -a a1c0 -o layer2=0 -o sniffer=1
    The znetconf command also sets the device online. The qeth device driver automatically sets the buffer_count attribute to 128 for the analyzing device.
  3. Activate the device (no IP address is needed): 
    # ip link set hsi0 up
  4. Switch the interface into promiscuous mode: 
    # tcpdump -i hsi0

Results

The device is now set up as a HiperSockets network traffic analyzer.
Hint: A HiperSockets network traffic analyzer with no free empty inbound buffers might have to drop packets. Dropped packets are reflected in the "dropped counter" of the HiperSockets network traffic analyzer interface and reported by tcpdump.

Example

# ip -s link show dev hsi0
...
    RX: bytes  packets  errors  dropped overrun mcast
    223242     6789     0       5       0       176
...
# tcpdump -i hsi0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hsi1, link-type EN10MB (Ethernet), capture size 96 bytes
...
5 packets dropped by kernel