IBM Support

Logging All Connections to the System for a Specific Port (or IP Address)

Troubleshooting


Problem

This document discusses using Filter rules with journaling enabled to create a log of all connections for specific criteria.

Resolving The Problem


In some cases, you need to collect all IP addresses that connect to a specific port on the system.
This can easily be accomplished with filter rules that have the journaling option enabled.

In this example, we will enable logging for port 443 (HTTPS).

To do this, sign on to the system, start iSeries Navigator, and navigate to the following path:

Network ->IP Policies -> Packet Rules

Then right-click Packet Rules and choose Rules Editor.
This brings up a blank editing window.
Next, at the top, select Insert -> Filter. This brings up a new window.

Step 1 - Creating the Journaled Rule for HTTPS

In the General tab, give it a name in the Set name field (journalHTTPS, in this case).

1) Action will be PERMIT
2) Direction will be INBOUND
3) Source and Destination address will both be * (unless you want to limit this to a certain IP address)
4) Journaling will be FULL
Image showing the Filter properties.


Next, click the Services tab.

1) Click the radio button for Service
2) Protocol will be TCP (unless the traffic you are trying to capture data for is some other protocol)
3) Source port will be *
4) Destination port will be 443 (HTTPS - enter whatever port you are interested in logging here)
Image of the Services tab of the filter properties.

Then click OK.


Step 2 - Adding an Allow All Rule
There will now be a Filter Set in the editing window. Go to the next line and paste in the following text
(this will allow all other traffic).

Important Note: If this step is not done, all other traffic will be blocked.

FILTER SET permitall ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = *
PROTOCOL = * DSTPORT = * SRCPORT = * JRN = OFF


Step 3 - Applying the Filter Sets to the Physical Line that the Traffic Will Come Into the System On
In this step, we will apply the previously created rules to a physical line description. If you are not sure what this
should be, review the TCP/IP configuration on the system through CFGTCP Option 1.

Make note of the line description. In this example, it is SITEETH.

1) At the top, go to Insert -> Filter Interface
2) Click the radio button for Line name and choose the name of the line:
Image showing the Filter interface properties.

On the Filter Sets tab:
1) Select the journaling filter from the drop-down list and click Add (it must be first in the list below or connections will not be logged)
2) Next, select the permitall filter and click Add. It should look as follows:


Click OK.


Step 4 - Activating the Rules
Note: If the rules created in the previous step are not correct (especially in regard to the permitall rule),
it is possible to block all traffic to the system. Therefore, if you are unfamiliar with filter rules, it is recommended
that these changes only be made during a period of maintenance when direct access to the console is possible.
The rules can be removed with the RMVTCPTBL CL command.

The editing window should look as follows:
Rules editor showing all the added rules.
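As an added illustration that is not part of the original IBM document, the following is the rules file text that corresponds to the three items now in the editor: the journaled set from Step 1, the permitall set from Step 2, and the interface statement from Step 3. It assumes the names used in this example (journalHTTPS, permitall, and the line SITEETH); substitute your own. The order of the sets in the FILTER_INTERFACE statement matters: the journaled set must come first so that matching packets are logged, and permitall must be present or all other traffic is blocked once the rules are activated.

```text
# Step 1: journal every inbound TCP connection to port 443 (HTTPS)
FILTER SET journalHTTPS ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = * PROTOCOL = TCP DSTPORT = 443 SRCPORT = * JRN = FULL

# Step 2: permit everything else without journaling (omitting this blocks all other traffic)
FILTER SET permitall ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * JRN = OFF

# Step 3: bind both sets to the line, journaled set first (example line name SITEETH)
FILTER_INTERFACE LINE = SITEETH SET = journalHTTPS, permitall
```

To limit logging to a single client, replace SRCADDR = * in the journalHTTPS set with that client's address; the permitall set stays unchanged.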

1) Go to File -> Save and save the file with a .i3p extension.
2) Go to File -> Activate Rules. This will bring up the Activate Rules window.
3) Select the radio button for Activate only the selected file and click OK.

Image showing the Activate Rules window.


All connections that fit the specified rule should now be journaled. You should allow this to run for as long as is needed and then
perform the following steps to view this information.

Step 5 - Copying the Model File
In this step, a copy of the model file is created. The model file is QUSRSYS/QATOFIPF.
In this example, the copy will be called HTTPSJRN and will be created in library QGPL.
You should change this as appropriate for your environment.

CRTDUPOBJ OBJ(QATOFIPF) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(HTTPSJRN)

Step 6 - Copying the Journal to the Model File
Next, the journal should be copied to the model file.
You should use the following command (substituting your file name if it is not QGPL/HTTPSJRN).
This will create a field defined file containing the IP address information.

DSPJRN JRN(QIPFILTER) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QGPL/HTTPSJRN)

Step 7 - Viewing the output
The output file can be viewed by simply running a null query against it.
This output could be further refined with Query or SQL, if so desired. Doing so is outside the scope of this technical document.

RUNQRY QRY(*NONE) QRYFILE((QGPL/HTTPSJRN))

Shift to the right (column 300) to see the IP address information.
Image showing the RUNQRY output starting at column 300.

The following SQL command could be used to select just the IP address/port info:

SELECT TFSRCA, TFSRCP, TFDSTA, TFDSTP FROM HTTPSJRN


Historical Number

572759159

Document Information

Modified date:
18 December 2019

UID

nas8N1012021