GTF trace data

When a 3270 IDS incident occurs, trace records are written to an active generalized trace facility (GTF).

Use the following command to start GTF. To prevent prompting, add the NOPROMPT option to the GTF procedure parameter, which enables starting an automated GTF procedure.

S GTF.GTF,DSN=USER.TRACE,DISP=OLD,MEMBER=GTFF90
AHL121I TRACE OPTION INPUT INDICATED FROM MEMBER GTFF90 OF PDS SYS1.PARMLIB
AHL103I TRACE OPTIONS SELECTED--USR
00 AHL125A RESPECIFY TRACE OPTIONS OR REPLY U
REPLY 00,U
AHL031I GTF INITIALIZATION COMPLETE

Use the following command to stop GTF.

P GTF
AHL006I GTF ACKNOWLEDGES STOP COMMAND
AHL904I THE FOLLOWING TRACE DATASETS CONTAIN TRACE DATA :
        USER.TRACE

For more information about using GTF, see The Generalized Trace Facility (GTF) in z/OS MVS Diagnosis: Tools and Service Aids.

Collecting GTF trace data

When a 3270 IDS incident occurs, event ID (EID) records are always written to an available GTF that allows the writing of the EID. Up to DSCOUNT outbound PIUs and the inbound PIU that caused the incident are written.

The following example shows a sample GTF procedure.

//GTFNEW PROC MEMBER=GTFPARM
//IEFPROC EXEC PGM=AHLGTF,PARM='MODE=EXT,DEBUG=NO,TIME=YES',
// TIME=1440,REGION=4M
//IEFRDER DD DSNAME=SYS1.TRACE,UNIT=SYSDA,SPACE=(TRK,20),
// DISP=(NEW,KEEP)
//SYSLIB DD DSN=SYS1.PARMLIB(&MEMBER),DISP=SHR

The following example shows a sample GTF SYS1.PARMLIB(GTFF90) member. F90 is the EID of the 3270 IDS trace records. FEF, FF0, and FF1 are VTAM® buffer trace EIDs.

TRACE=USRP
USR=(F90,FEF,FF0,FF1)

Formatting GTF trace data

Use the IPCS GTFTRACE command to format the collected generalized trace facility (GTF) data for a 3270 Intrusion Detection Services (IDS) incident.

GTFTRACE DSN('USER.TRACE') USR(F90)

For more information about the GTFTRACE command, see z/OS MVS IPCS Commands.

For each 3270 IDS incident, up to DSCOUNT outbound PIUs are traced. The inbound PIU, which contained the data stream that caused the incident to be found and recorded, is also traced. Each trace record contains information about the incident.

The following example shows the formatted 3270 IDS trace records.

USRFD F90 ASCB 00F8EE00            JOBN JHACKER                                                         
                                                 **** 3270 Data Stream Error ****                     
        (1)3270    NETA.TCPM0001    /NETA.TSO0002         LRC(000,000)    OUTBOUND    COMPLETE SEGMENT
        (2)Time    UTC 2016/01/25 20:47:56.476213  LOC 2016/01/25 15:47:56.476213 
        (3)Event   Token 0000000001  SID  EAABEEC3 31E8DB02  Buffer 01 of 01                           
        (4)IPAddr  192.168.98.254..61691
        (5)Overlap Row 009  Col 016 Offset 00665                                     
        (6)OUT     SEQ X'0001'  Offset 00598  Length 00039                                                     
        (7)                                40404040 40404040 D1C1C3D2 E2D6D540 40404040  *        JACKSON     *
                                           40404040 00000000 00000000                    *    ........        *
        (8)IN      SEQ X'0001'  Offset 00284  Length 00039                                                     
        (9)                                40404040 40404040 F1F2F3F4 F5F6F7F8 F9404040  *        123456789   *
                                           40404040 114AE9F6 F14040D7                    *    .¢Z61  P        *
       (10)Buffer  UTC 2016/01/25 20:47:26.450328  LOC 2016/01/25 15:47:26.450328                              
       (11)VTAM    TH=40000000 00000000 00010001 00000001 1800000B 00580001 051F  RH=0380C0
       (12)        SEQ 0001-0001           F5C21140 402901C0 40F4F040 40E44040 40404040  *5B.  ..{ 40  U      *
                                           404040C3 C8D9C9E2 E3C9C1D5 40404040 40404008  *   CHRISTIAN       .*
…
                                           114DC829 01C0E9C5 F94040D7 40C8E240 40D44040  *.(H..{ZE9  P HS  M  * 
                                           40D4C1E2 D6D54040 40404040 40404011 4DF02901  * MASON         .(0..* 
                                           C06CF6C3 4040D740 4040C940 40404040 D1C1C3D2  *{%6C  P   I     JACK* 
                                           E2D6D540 40404040 40404040 114ED829 01C06DF6  *SON         .+Q..{_6*
…
                                           40404040 40404040 40C8C5E7 E2E3D9C9 D5C74DF0  *         HEXSTRING(0*
                                           F05D4011 5D7E1D60                             *0) .)=.-            *
        (13)       GMT-01/25/2016 20:47:56.476251  LOC-01/25/2016 15:47:56.476251                              

USRFD F90 ASCB 00F8EE00            JOBN JHACKER
                                                 **** 3270 Data Stream Error ****
        (1)3270    NETA.TSO0002     /NETA.TCPM0001        LRC(000,000)    INBOUND     COMPLETE SEGMENT
        (2)Time    UTC 2016/01/25 20:47:56.476213  LOC 2016/01/25 15:47:56.476213
        (3)Event   Token 0000000001  SID  EAABEEC3 31E8DB02                  CODE U('E4')
        (4)IPAddr  192.168.98.254..61691
        (5)Overlap Row 009  Col 016 Offset 00665 
        (6)OUT     SEQ X'0001'  Offset 00598  Length 00039 
        (7)                                40404040 40404040 D1C1C3D2 E2D6D540 40404040  *        JACKSON     *
                                           40404040 00000000 00000000                    *    ........        *
        (8)IN      SEQ X'0007'  Offset 39044  Length 00001
        (9)                                40404040 40404040 F1F2F3F4 F5F6F7F8 F9404040  *        123456789   *
                                           40404040 114AE9F6 F14040D7                    *    .¢Z61  P        *
       (10)Buffer  UTC 2016/01/25 20:47:56.476216  LOC 2016/01/25 15:47:56.476216 
       (11)VTAM    TH=40000000 00000000 00000001 00010001 1C000058 000B0001 0298  RH=0393A0 
       (12)        SEQ 0001-0001           7D4AD811 40E9C3F1 4040E440 40404040 D4404040  *'¢Q. ZC1  U     M   * 
                                           C1D3C5E7 E8E24040 40404040 40404040 11C1F9C3  *ALEXYS          .A9C* 
                                           F54040E4 4040E240 40D44040 40D4C1E2 D6D54040  *5  U  S  M   MASON  * 
                                           40404040 40404040 4011C3C9 C3F94040 E440C8E2  *         .CIC9  U HS* 
…
                                           40E4D540 40C940D4 404040D4 C1E2D6D5 40404040  * UN  I M   MASON    * 
                                           40404040 40404011 4AC1F6F0 4040D740 40404040  *       .¢A60  P     * 
                                           40404040 F1F2F3F4 F5F6F7F8 F9404040 40404040  *    123456789       * 
                                           114AE9F6 F14040D7 40404040 40D44040 40D4C1C4  *.¢Z61  P     M   MAD* 
                                           C9E2D6D5 40404040 40404040 40114BF9 C5F54040  *ISON         ..9E5  * 
…
                                           C8C540E5 C1D3E4C5 40E3D67A 40404040 40404040  *HE VALUE TO:        *
                                           40404040 404040C8 C5E7E2E3 D9C9D5C7 4DF0F05D  *       HEXSTRING(00)*
                                           40                                            *                    *
       (13)   GMT-01/25/2016 20:47:56.476251  LOC-01/25/2016 15:47:56.476251

In the example:

(1) The network names of the primary logical unit (PLU) and secondary logical unit (SLU), the lost record counts, the direction of the packet (inbound or outbound), and the position of the RU in the traced records. Outbound packets trace the entire chain of RUs from the begin chain to the end chain. Inbound packets trace only the specific RU that caused the incident.
(2) The UTC and local time of the incident.
(3) A unique value for the incident, the session identifier, and code. IBM® service personnel use this code to identify how the incident was discovered.
(4) If Telnet is used, the IP address and port of the secondary connection.
(5) The row and column, in the 3270 display buffer, of the field where the overlay occurred. The offset is the offset in the 3270 display buffer.
(6) The location in the outbound packet where the overlay occurred.
(7) Up to 32 bytes of the outbound packet are displayed.
(8) The location in the inbound packet that caused the overlay.
(9) Up to 32 bytes of the inbound packet are displayed.
(10) The time stamp when the buffer was captured.
(11) The VTAM transmission and request headers.
(12) The RU data. The first and last sequence numbers of the RU chain that contributed to the RU are formatted.
(13) The time stamp when the trace data is recorded.
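
For triage outside IPCS, the formatted F90 records can be reduced to the fields described in (1) through (9). The following is an added example, not part of the original page or any IBM-supplied code. It assumes the record layout of the sample above, EBCDIC code page 037, and the hypothetical names parse_ids_records and ebcdic.

```python
import re
SAMPLE = """\
USRFD F90 ASCB 00F8EE00            JOBN JHACKER
        (1)3270    NETA.TSO0002     /NETA.TCPM0001        LRC(000,000)    INBOUND     COMPLETE SEGMENT
        (3)Event   Token 0000000001  SID  EAABEEC3 31E8DB02                  CODE U('E4')
        (4)IPAddr  192.168.98.254..61691
        (5)Overlap Row 009  Col 016 Offset 00665
        (6)OUT     SEQ X'0001'  Offset 00598  Length 00039
        (7)                                40404040 40404040 D1C1C3D2 E2D6D540 40404040  *        JACKSON     *
                                           40404040 00000000 00000000                    *    ........        *
        (8)IN      SEQ X'0007'  Offset 39044  Length 00001
        (9)                                40404040 40404040 F1F2F3F4 F5F6F7F8 F9404040  *        123456789   *
                                           40404040 114AE9F6 F14040D7                    *    .¢Z61  P        *
"""  # constructed input: the INBOUND record from the page's sample, callouts (1)-(9)

FIELDS = {  # keyword-anchored; the (n) callouts are documentation marks and optional
    "job": r"^USRFD F90 .*JOBN (\S+)",
    "direction": r"\b(INBOUND|OUTBOUND)\b",
    "token": r"Token (\d+)",
    "sid": r"SID\s+([0-9A-F]{8} [0-9A-F]{8})",
    "client": r"IPAddr\s+(\S+?)\.\.(\d+)",
    "overlap": r"Overlap Row (\d+)\s+Col (\d+)\s+Offset (\d+)",
}
SNIP = re.compile(r"\b(OUT|IN)\s+SEQ X'[0-9A-F]+'\s+Offset \d+\s+Length \d+")
HEXROW = re.compile(r"^\s*(?:\(\d+\))?\s*((?:[0-9A-F]{2,8} )*[0-9A-F]{2,8})\s+\*")

def ebcdic(hexwords):  # code page 037 is an assumption; unprintables become '.'
    text = bytes.fromhex(hexwords.replace(" ", "")).decode("cp037")
    return "".join(c if c.isprintable() else "." for c in text)

def parse_ids_records(text):
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("USRFD F90"):
            records.append({"OUT": "", "IN": ""})
        if not records:
            continue
        rec, snip, row = records[-1], SNIP.search(line), HEXROW.match(line)
        if snip:
            cur = snip.group(1)  # hex rows that follow belong to this snippet
        elif row:
            if cur:
                rec[cur] += ebcdic(row.group(1))
        else:
            cur = None  # any other line ends the OUT/IN snippet
            for name, pat in FIELDS.items():
                if m := re.search(pat, line):
                    rec[name] = m.groups() if m.re.groups > 1 else m.group(1)
    return records
```

Records that share the same token describe one incident, so the OUT text (what the application sent for the field) and the IN text (what came back over it) can be compared per token.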