Real-time TCP/IP network monitoring NMI

Network management applications can use the z/OS® Communications Server real-time TCP/IP network monitoring NMI to programmatically obtain data in real time. The network management applications obtain the data by performing the following steps:
  • Connect to one of the real-time NMI interfaces. Use the NETMONITOR profile statement to enable these interfaces in the TCP/IP stack.
  • Invoke the TMI copy buffer interface to copy the real-time data to application storage.
Table 1 shows the real-time NMI interfaces that are described in this topic.
Table 1. Real-time NMI interfaces
Interface name    Description
SYSTCPDA          Real-time TCP/IP packet and data trace NMI
SYSTCPCN          Real-time TCP connection SMF NMI
SYSTCPOT          Real-time OSAENTA packet trace NMI
SYSTCPSM          Real-time SMF NMI
SYSTCPER          Real-time zERT Detail SMF NMI
SYSTCPES          Real-time zERT Summary SMF NMI

Each of the interfaces described in this section provides a unique type of data to be processed by the end user, but the general interface by which the data is obtained is essentially the same. The records are retrieved using a common data layout, although the records themselves might differ in format depending on the interface.

Tip: New SMF 119 records might be added with new releases. If you write an application that processes the SMF 119 records from these NMIs, design the application to receive SMF 119 records that it might not recognize.

The information provided by each interface is as follows.

Table 2. Interface descriptions
Interface Description
Real-time TCP/IP packet and data trace NMI (SYSTCPDA) Using this interface, applications can obtain a copy of network packets (for example, packet trace records) or data trace records that are buffered by the TCP/IP stack's packet or data trace functions. The packet trace function, data trace function, or both must be enabled with the VARY TCPIP,,PKTTRACE command or VARY TCPIP,,DATTRACE command. See z/OS Communications Server: IP System Administrator's Commands for more information about using the Vary command.
Real-time TCP connection SMF NMI (SYSTCPCN) Using this interface, applications can be notified when TCP connections are established or terminated in a near real-time fashion. SYSTCPCN provides applications with a copy of records indicating a TCP connection initiation or termination. These records are presented in the same format as SMF type 119 TCP connection initiation and termination records (for example, subtype 1 and 2 records). The interface can also be used to provide records describing existing TCP connections. This interface does not require TCP/IP SMF recording to be active.
Real-time TCP/IP OSAENTA trace NMI (SYSTCPOT) Using this interface, applications can obtain copies of network packets and records that are buffered by the TCP/IP OSAENTA trace functions. The OSAENTA Trace function must be enabled using the VARY TCPIP,,OSAENTA command. See z/OS Communications Server: IP System Administrator's Commands for more information about using the Vary command.
Real-time SMF NMI (SYSTCPSM) The records provided through the interface are type 119 SMF records. The specific subtypes that are provided are:
  • FTP client transfer completion records (subtype 3)
  • TCP/IP profile event record (subtype 4)
  • TN3270E Telnet server session initiation and termination records (subtypes 20 and 21)
  • TSO Telnet client connection initiation and termination records (subtypes 22 and 23)
  • DVIPA status change and DVIPA removed records (subtypes 32 and 33)
  • DVIPA target added and removed records (subtypes 34 and 35)
  • DVIPA target server started and ended records (subtypes 36 and 37)
  • CSSMTP event records (subtypes 48 - 52)
  • FTP server transfer completion records (subtype 70)
  • FTP daemon configuration records (subtype 71)
  • FTP server logon failure records (subtype 72)
  • IKE tunnel and dynamic tunnel event records (subtypes 73 - 78)
  • Manual tunnel activation and deactivation records (subtypes 79 and 80)

Except for the MVS™ SMF header, these records are identical in format to SMF records created by TCP/IP. Some fields in the MVS SMF header are not set.

These records offer several key advantages over SMF records:
  • They do not require that TCP/IP SMF record capturing is activated.
  • They are presented to the application in a buffered format (for example, when several SMF records are created within a short time interval, they are collected and passed to the application as a group of records instead of individual records).
In addition to these records, more records are available across this interface that are not currently available from TCP/IP SMF records processing:
  • FTP server transfer initiation records (subtype 100)
  • FTP client transfer initiation records (subtype 101)
  • FTP client login failure records (subtype 102)
  • FTP client session records (subtype 103)
  • FTP server session records (subtype 104)

See Real-time SMF NMI: FTP SMF type 119 subtypes 100-104 record formats for more information about these records.

Real-time zERT Detail SMF NMI (SYSTCPER) Using this interface, applications can be notified when z/OS Encryption Readiness Technology (zERT) connection detail records are generated in a near real-time fashion. SYSTCPER provides applications with a copy of records that describe the cryptographic protection attributes at TCP and Enterprise Extender (EE) connection initiation or termination, or whenever the cryptographic protection attributes change during the lifetime of the connection. Records are only reported for those TCP and EE connections that terminate at the local TCP/IP stack. These records are presented in the same format as SMF type 119 zERT connection detail records (subtype 11). The interface can also be used to provide records describing the cryptographic protection attributes for existing TCP and EE connections. This interface does not require TCP/IP SMF recording to be active.
Real-time zERT Summary SMF NMI (SYSTCPES) Using this interface, applications can be notified when z/OS Encryption Readiness Technology (zERT) summary records are generated in a near real-time fashion. SYSTCPES provides applications with a copy of records that describe the cryptographic protection attributes and usage statistics of security sessions used by TCP and EE connections that terminate at the local TCP/IP stack. These records are presented in the same format as SMF type 119 zERT summary records (subtype 12). These records are provided at regular SMF intervals. This interface does not require TCP/IP SMF recording to be active.
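
The tip earlier in this topic asks applications to accept SMF 119 records they do not recognize. The following C code is an added example, not IBM's code and not part of the original topic: it walks a group of records, counts the SYSTCPSM subtypes listed above, and skips any other record by its length field while rejecting lengths that would run past the buffer. It assumes the records have already been taken out of the copy buffer and laid back to back, and that the length, type and subtype fields of the standard 24-byte SMF header are populated; `smf119_walk`, `make_rec` and `smf_stats` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout: standard 24-byte SMF header with subtype, big-endian, with
   length (offset 0), type (offset 5) and subtype (offset 22) populated. */
enum { HDR = 24, OFF_TYPE = 5, OFF_SUBTYPE = 22 };
typedef struct { unsigned ftp_logon_fail, tunnel, other_known, unknown, malformed; } smf_stats;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Subtypes listed for SYSTCPSM on this page. */
static int known_subtype(uint16_t st) {
    return st == 3 || st == 4 || (st >= 20 && st <= 23) || (st >= 32 && st <= 37) ||
           (st >= 48 && st <= 52) || (st >= 70 && st <= 80) || (st >= 100 && st <= 104);
}

/* Walk records laid back to back (hypothetical framing); returns records consumed. */
size_t smf119_walk(const uint8_t *buf, size_t n, smf_stats *s) {
    size_t off = 0, count = 0;
    while (n - off >= HDR) {
        const uint8_t *r = buf + off;
        uint16_t len = be16(r), st = be16(r + OFF_SUBTYPE);
        if (len < HDR || len > n - off) { s->malformed++; return count; }
        if (r[OFF_TYPE] != 119 || !known_subtype(st)) s->unknown++; /* skip by length */
        else if (st == 72) s->ftp_logon_fail++;          /* FTP server logon failure */
        else if (st >= 73 && st <= 78) s->tunnel++;      /* IKE/dynamic tunnel events */
        else s->other_known++;
        off += len; count++;
    }
    if (off < n) s->malformed++;   /* trailing bytes too short to hold a header */
    return count;
}

/* Build one constructed record (zero-filled body, len >= HDR) for the demonstration. */
size_t make_rec(uint8_t *dst, uint16_t len, uint8_t type, uint16_t st) {
    memset(dst, 0, len);
    dst[0] = (uint8_t)(len >> 8); dst[1] = (uint8_t)len; dst[OFF_TYPE] = type;
    dst[OFF_SUBTYPE] = (uint8_t)(st >> 8); dst[OFF_SUBTYPE + 1] = (uint8_t)st;
    return len;
}

int main(void) {
    uint8_t buf[256]; size_t n = 0; smf_stats s = {0};
    n += make_rec(buf + n, 40, 119, 72);   /* FTP server logon failure */
    n += make_rec(buf + n, 32, 119, 999);  /* constructed subtype the code does not know */
    n += make_rec(buf + n, 28, 119, 3);    /* FTP client transfer completion */
    size_t c = smf119_walk(buf, n, &s);
    printf("%zu records, %u unknown, %u logon failures\n", c, s.unknown, s.ftp_logon_fail);
    return 0;
}
```
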