Question & Answer
Question
A packet trace (SYSTCPDA or SYSTCPOT CTRACE) was collected on the z/OS system. It was then exported as a sniffer file using the IPCS CTRACE COMP(SYSTCPxx) FULL OPTIONS((SNIFFER)) command for use by other network analysts. However, the resultant file did not contain the complete packets.
The tool used to format the sniffer file reported output similar to the following:
No. Time Source Destination Protocol Info
5 0.261940 10.11.12.13 192.168.170.180 TCP 3139 > 17238 [ACK] Seq=1 Ack=282 Win=65535 Len=1460
Frame 5 (1514 bytes on wire, 214 bytes captured)
Arrival Time: Dec 1, 2005 14:53:45.776505000
Time delta from previous packet: 0.259198000 seconds
Time since reference or first frame: 0.261940000 seconds
Frame Number: 5
Packet Length: 1514 bytes
Capture Length: 214 bytes
Protocols in frame: eth:ip:tcp:data
...
Answer
There are three places in the process of collecting and exporting the trace that can cause incomplete packets in the sniffer file.
If the ABBREV keyword was specified when collecting the trace (on the VARY PKTTRACE or VARY OSAENTA command), no more than the specified number of bytes (default is 200) is collected per packet. If the full packet content is required for analysis, then do not specify ABBREV.
The LRECL specified for the target data set (the one allocated to the SNIFFER DD when running the IPCS command to export the file) must be large enough to contain the largest packet in the trace plus a fixed overhead (38 bytes).
The SNIFFER option on the IPCS CTRACE command also has a limit on the size of exported packets. If not specified, the default length is 200 (and is limited to LRECL-38).
Additional notes:
For Gigabit Ethernet, jumbo frames may be enabled. If that is the case on your system, then specify the LRECL and SNIFFER limit to account for 9000-byte packets.
The maximum LRECL that can be specified for a RECFM=VB data set is 32756. This means that packet truncation cannot be avoided in the following situations:
If a SYSTCPDA CTRACE is collected on a system with traffic over LOOPBACK, SameHost, XCF, or iQDIO (HiperSocket) devices, these packets can be up to 64K.
If SEGMENTATIONOFFLOAD is specified on the IPCONFIG or IPCONFIG6 statement, the outbound packets in a SYSTCPDA CTRACE will be the offload buffers (not the individual packets), which can be up to 56K.
Account for the maximum packet size (MTU) that will occur in the packet trace when performing the export to the sniffer format. For a typical Ethernet (MTU=1500 bytes) the following commands (or equivalent JCL) can be used within the IPCS session:
ALLOC FILE(SNIFFER) DA(sniffer.data.set) NEW RECFM(V B) LRECL(1538) ...
CTRACE COMP(SYSTCPxx) FULL OPTIONS((SNIFFER(1500)))
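The three limits above combine as a minimum, so the smallest one decides how much of each packet survives. The following is an added example, not IBM code: the function names are hypothetical, and packet lengths are assumed to be counted the way this page counts them (1500 for a typical Ethernet).

```python
OVERHEAD = 38          # fixed per-record overhead stated on the page
MAX_LRECL_VB = 32756   # largest LRECL for a RECFM=VB data set, per the page
DEFAULT_LIMIT = 200    # default length for ABBREV and for SNIFFER, per the page


def effective_capture(packet_len, lrecl, sniffer=None, abbrev=None):
    """Return (bytes_kept, limiting_settings) for one packet.

    abbrev=None  -> ABBREV was not specified when collecting (full packet).
    sniffer=None -> SNIFFER given without a length (default applies).
    """
    limits = {
        "SNIFFER": DEFAULT_LIMIT if sniffer is None else sniffer,
        "LRECL": lrecl - OVERHEAD,
    }
    if abbrev is not None:
        limits["ABBREV"] = abbrev
    kept = min(packet_len, *limits.values())
    # Every setting whose cap is below the packet size would truncate it.
    limiting = sorted(name for name, cap in limits.items() if cap < packet_len)
    return kept, limiting


def plan_export(max_packet):
    """Return (lrecl, sniffer_len, truncation_unavoidable) for the export."""
    lrecl = min(max_packet + OVERHEAD, MAX_LRECL_VB)
    sniffer_len = lrecl - OVERHEAD
    return lrecl, sniffer_len, sniffer_len < max_packet


if __name__ == "__main__":
    # Constructed inputs: typical Ethernet, jumbo frames, a 64K-class packet.
    for size in (1500, 9000, 65535):
        lrecl, sniffer_len, cut = plan_export(size)
        print(f"max packet {size}: LRECL({lrecl}) "
              f"OPTIONS((SNIFFER({sniffer_len}))) truncation unavoidable: {cut}")
    # Constructed misconfiguration: LRECL sized correctly, SNIFFER length omitted.
    print(effective_capture(1500, lrecl=1538))
```
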
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
13 June 2018
UID
dwa1453308