FORMAT
Purpose
Format the CTRACE record header, the IP packet header, the protocol header, and the packet data. If one of the ports is a well-known port number for which SYSTCPIS supports data formatting, the packet data is also shown.
Format
The following command was used to obtain the example of this report.
CTRACE COMP(SYSTCPIS) SUB((TCPCS)) SHORT DSN('IBMUSER.CTRACE1')
OPTIONS((OPT FORMAT))
COMPONENT TRACE SHORT FORMAT
SYSNAME(MVS118)
COMP(SYSTCPIS)SUBNAME((TCPCS))
OPTIONS((OPT FORMAT))
DSNAME('IBMUSER.CTRACE1')
OPTIONS((Both Bootp(67,68) Cleanup(500) DelayAck(200,200) Domain(53)
Finger(79) Flags() Format(Detail) Ftp(20,21) Gain(125,250) Gopher(70)
Limit(999999999) Gmt Ntp(123) Option Noreassembly Router(520) Rpc(111)
Segment Smtp(25) Snmp(161,162) Speed(10,10) Telnet(23) Tftp(69) Time(37)
Userexit() Www(80)
))
1 **** 2002/11/20
RcdNr Sysname Mnemonic Entry Id Time Stamp Description
----- -------- -------- -------- --------------- --------------------------------
-------------------------------------------------------------------------------
2 4521 MVS118 SCAN 03030000 17:38:32.175560 Scan-Normal packet
3 From Link : ETH1 Device: LCS Ethernet Full=40
Tod Clock : 2002/11/20 17:38:32.175559 Module: EZBIPICM
Job Name : TCPCS Asid: 01F7 Tcb: 00000000
Cid : 00000000 Correlator: 10
Policy : ScanEventIcmp-rule
4 IpHeader: Version : 4 Header Length: 20
Tos : 00 QOS: Routine Normal Service
Packet Length : 40 ID Number: 0000
Fragment : DontFragment Offset: 0
TTL : 62 Protocol: ICMP CheckSum: 5914 FFFF
Source : 9.42.105.71
Destination : 9.42.104.38
5 ICMP
Type/Code : ECHO CheckSum: 5592 FFFF
Id : 0B3F Seq: 0
6 Echo Data : 12
000000 AEBCDB3D 03340A00 00000000 |...=.4......|
-------------------------------------------------------------------------------
4522 MVS118 SCAN 03030026 17:38:45.130339 Scan Normal-TCP SYN dropped
From Link : UNKNOWN Device: Unknown:0 Full=40
Tod Clock : 2002/11/20 17:38:45.130338 Module: EZBTCPCN
Job Name : FTPD1 Asid: 01F7 Tcb: 00000000
Cid : 00000020 Correlator: 11
Policy : ScanEventHigh-rule
IpHeader: Version : 4 Header Length: 20
Tos : 00 QOS: Routine Normal Service
Packet Length : 40 ID Number: 163F
Fragment : Offset: 0
TTL : 253 Protocol: TCP CheckSum: 681C FFFF
Source : 9.2.197.34
Destination : 9.42.104.38
TCP
Source Port : 46911 () Destination Port: 21 (ftp)
Sequence Number : 2397868413 Ack Number: 0
Header Length : 20 Flags: Syn
Window Size : 242 CheckSum: 4E53 B695 Urgent Data Pointer: 0000
.
.
.
===============================================================================
SYSTCPIS Trace Statistics
2,623 ctrace records processed
0 segmented trace records read
0 segmented trace records were lost
2,623 trace records read
0 records could not be validated
2,623 records passed filtering
2,623 packet trace records processed
0 data trace records processed
The following describes the numbered areas of the example.
- 1: The date of the trace records.
- 2: A summary line indicating the source of the trace record, showing:
  - The record number.
  - The system name.
  - The group name.
  - The probe ID value (in hexadecimal).
  - The time the record was moved to the trace buffer or, with the TOD option, the time the trace data was captured.
  - The description of the IDS event associated with the probe.
- 3: The trace header, with these fields:
  - The direction of the trace record: From or To.
  - The link name.
  - The device type.
  - Full or Abbrev, with the amount of trace data available.
  - The time the trace record was captured.
  - The module that triggered the probe.
  - The job name in effect when the probe was triggered.
  - The ASID of the address space when the probe was triggered.
  - The system TCB pointer when the probe was triggered (or zero if in SRB mode).
  - The CID (communications ID) of the session.
  - The event identifier, which is the upper 2 bytes of the probe ID.
  - The correlator identifier.
  - The name of the current policy. This might be the policy that triggered the probe or the policy the session was using at the time the probe was triggered.
- 4: The IP header, showing fields from the IPv4 header. The header length is the number of bytes in the header. The offset field is the number of bytes from the end of the IP header where the fragment appears. With the REASSEMBLY option active, this field always displays zeros.
- 5: The protocol header. In this example, it is an ICMP header.
- 6: Depending on the port number, the trace data might be formatted.
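When FORMAT output is reviewed for IDS events, the summary line and trace header fields described in areas 2 and 3 are the ones worth extracting. The following Python is an added example and not IBM code: it pulls those fields out of formatter output into one dictionary per record. SAMPLE is constructed from the two records in the sample output above (callout numbers removed, some header lines omitted); the dictionary keys, the regular expressions and the helper names are this example's own choices, not an IBM-defined description of the format.

```python
"""Pull structured fields out of SYSTCPIS FORMAT output (added example, not IBM code)."""
import re

# Constructed from records 4521 and 4522 of the sample output above.
SAMPLE = """\
4521 MVS118 SCAN 03030000 17:38:32.175560 Scan-Normal packet
From Link : ETH1 Device: LCS Ethernet Full=40
Tod Clock : 2002/11/20 17:38:32.175559 Module: EZBIPICM
Job Name : TCPCS Asid: 01F7 Tcb: 00000000
Policy : ScanEventIcmp-rule
TTL : 62 Protocol: ICMP CheckSum: 5914 FFFF
Source : 9.42.105.71
Destination : 9.42.104.38
ICMP
Type/Code : ECHO CheckSum: 5592 FFFF
-------------------------------------------------------------------------------
4522 MVS118 SCAN 03030026 17:38:45.130339 Scan Normal-TCP SYN dropped
From Link : UNKNOWN Device: Unknown:0 Full=40
Tod Clock : 2002/11/20 17:38:45.130338 Module: EZBTCPCN
Job Name : FTPD1 Asid: 01F7 Tcb: 00000000
Policy : ScanEventHigh-rule
TTL : 253 Protocol: TCP CheckSum: 681C FFFF
Source : 9.2.197.34
Destination : 9.42.104.38
TCP
Source Port : 46911 () Destination Port: 21 (ftp)
Header Length : 20 Flags: Syn
Window Size : 242 CheckSum: 4E53 B695 Urgent Data Pointer: 0000
"""

# Summary line: record number, system name, mnemonic, probe id, time stamp, description.
SUMMARY = re.compile(
    r"^(?P<rcdnr>\d+)\s+(?P<sysname>\S+)\s+(?P<mnemonic>\S+)\s+"
    r"(?P<probe_id>[0-9A-F]{8})\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<description>.+)$")

# One pattern per field of interest; group 1 is the value. Names are this example's own.
FIELDS = {
    "direction": re.compile(r"^(From|To) Link\s*:"),
    "link": re.compile(r"Link\s*:\s*(\S+)"),
    "trace_bytes": re.compile(r"(?:Full|Abbrev)=(\d+)"),
    "module": re.compile(r"Module:\s*(\S+)"),
    "job": re.compile(r"Job Name\s*:\s*(\S+)"),
    "policy": re.compile(r"Policy\s*:\s*(\S+)"),
    "protocol": re.compile(r"Protocol:\s*(\S+)"),
    "ip_checksum_status": re.compile(r"Protocol:\s*\S+\s+CheckSum:\s*\S+\s+(\S+)"),
    "source": re.compile(r"^Source\s*:\s*(\S+)"),
    "destination": re.compile(r"^Destination\s*:\s*(\S+)"),
    "src_port": re.compile(r"Source Port\s*:\s*(\d+)"),
    "dst_port": re.compile(r"Destination Port:\s*(\d+)"),
    "tcp_flags": re.compile(r"Flags:\s*(\S+)"),
    "tcp_checksum_status": re.compile(r"CheckSum:\s*\S+\s+(\S+)\s+Urgent"),
}


def parse_records(text: str) -> list:
    """Split formatter output into one dict per trace record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY.match(line)
        if m:
            rec = m.groupdict()
            rec["event_id"] = rec["probe_id"][:4]  # event id = upper 2 bytes of probe id
            records.append(rec)
            continue
        if not records:
            continue  # text before the first summary line
        for name, pattern in FIELDS.items():
            hit = pattern.search(line)
            if hit and name not in records[-1]:  # first occurrence in a record wins
                records[-1][name] = hit.group(1)
    return records


def ids_events(records: list) -> list:
    """(record number, policy, source, destination, description) per record."""
    return [(r["rcdnr"], r.get("policy"), r.get("source"), r.get("destination"),
             r["description"]) for r in records]


def unverified_checksums(records: list) -> list:
    """Records in which a formatter checksum check did not come out as FFFF."""
    out = []
    for r in records:
        for key in ("ip_checksum_status", "tcp_checksum_status"):
            if key in r and r[key] != "FFFF":
                out.append((r["rcdnr"], key, r[key]))
    return out


if __name__ == "__main__":
    parsed = parse_records(SAMPLE)
    for event in ids_events(parsed):
        print(event)
    print("not verified:", unverified_checksums(parsed))
```

Because the label/value pairs share lines and values may contain spaces, the parser matches known labels individually rather than splitting on colons; a production version would add patterns for the remaining header fields and the direction "To".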
Guideline: If possible, the checksum of the packet is calculated. If the calculated value is X'FFFF', the checksum is correct. If the calculated value is X'0000', the checksum could not be calculated because the packet was incomplete or fragmented. Any other value indicates a checksum error.
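The guideline above can be checked by hand against record 4521, where the formatter prints CheckSum: 5914 FFFF for the IP header and CheckSum: 5592 FFFF for the ICMP header. The following Python is an added example and not IBM code: it rebuilds the IPv4 and ICMP headers of that record from the fields the formatter printed (constructed input, not captured bytes), computes the RFC 1071 Internet checksum, and reports the second CheckSum value the way the guideline describes it, including a corrupted copy and a truncated copy of the header. The function names, the bytes_needed parameter and the corrupted/truncated variants are this example's own.

```python
"""Checksum verification in the style of the SYSTCPIS FORMAT output (added example, not IBM code)."""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return total


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_status(covered: bytes, bytes_needed: int) -> str:
    """Second value the formatter prints after 'CheckSum:'.

    covered      - the bytes the checksum protects, stored checksum included
    bytes_needed - length those bytes must have for the packet to be complete
    'FFFF' means the stored checksum is correct, '0000' means it could not be
    calculated (incomplete or fragmented data), anything else is an error.
    """
    if len(covered) < bytes_needed:
        return "0000"
    return f"{ones_complement_sum(covered):04X}"


def ipv4_header(src: str, dst: str, total_len: int, ident: int, dont_fragment: bool,
                ttl: int, proto: int, checksum: int = 0) -> bytes:
    """Build a 20-byte IPv4 header without options."""
    flags_frag = 0x4000 if dont_fragment else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icmp_echo(ident: int, seq: int, payload: bytes, checksum: int = 0) -> bytes:
    """Build an ICMP Echo request (type 8, code 0) followed by its payload."""
    return struct.pack("!BBHHH", 8, 0, checksum, ident, seq) + payload


# Fields copied from record 4521 in the sample output (constructed test input).
IP_FIELDS = dict(src="9.42.105.71", dst="9.42.104.38", total_len=40, ident=0,
                 dont_fragment=True, ttl=62, proto=1)
ECHO_PAYLOAD = bytes.fromhex("AEBCDB3D03340A0000000000")
ICMP_FIELDS = dict(ident=0x0B3F, seq=0, payload=ECHO_PAYLOAD)


def sample_ip_checksum() -> int:
    """Checksum the IP header of record 4521 must carry (the record shows 5914)."""
    return internet_checksum(ipv4_header(**IP_FIELDS))


def sample_icmp_checksum() -> int:
    """Checksum the ICMP header of record 4521 must carry (the record shows 5592)."""
    return internet_checksum(icmp_echo(**ICMP_FIELDS))


def sample_statuses() -> dict:
    """Status strings for the intact record, a corrupted copy and a truncated copy."""
    hdr = ipv4_header(**IP_FIELDS, checksum=0x5914)
    corrupted = bytearray(hdr)
    corrupted[8] = 61  # TTL altered without updating the checksum
    return {
        "intact": checksum_status(hdr, 20),
        "corrupted": checksum_status(bytes(corrupted), 20),
        "truncated": checksum_status(hdr[:16], 20),  # abbreviated trace, header cut short
        "icmp": checksum_status(icmp_echo(**ICMP_FIELDS, checksum=0x5592), 20),
    }


if __name__ == "__main__":
    print(f"IP checksum:   {sample_ip_checksum():04X}")
    print(f"ICMP checksum: {sample_icmp_checksum():04X}")
    for name, status in sample_statuses().items():
        print(f"{name:>9}: {status}")
```

The intact header sums to X'FFFF' because the stored checksum is the complement of the sum over the other words; a TCP or UDP check would additionally need the pseudo-header, which is why only the IP and ICMP values of the record are reproduced here.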
Using the protocol numbers and the well-known port numbers, format routines are invoked to format standard packet data records. The port numbers given with the port keywords define the port numbers that invoke a format routine.
Port     Keyword
67, 68   BOOTP
67, 68   DHCP
53       Domain
79       Finger
70       Gopher
520      Rip
520      Router
111      RPC
25       SMTP
23       TELNET
69       TFTP
37       TIME