IBM Support

Why are incomplete packets saved when exporting a packet trace

Question & Answer


Question

A packet trace (SYSTCPDA or SYSTCPOT CTRACE) was collected on the z/OS system. It was then exported as a sniffer file using the IPCS CTRACE COMP(SYSTCPxx) FULL OPTIONS((SNIFFER)) command for use by other network analysts. However, the resulting file did not contain the complete packets.

The tool used to format the sniffer file reported output similar to the following:

    No. Time     Source          Destination     Protocol Info
      5 0.261940 10.11.12.13     192.168.170.180    TCP   3139 > 17238 [ACK] Seq=1 Ack=282 Win=65535 Len=1460

    Frame 5 (1514 bytes on wire, 214 bytes captured)
        Arrival Time: Dec  1, 2005 14:53:45.776505000
        Time delta from previous packet: 0.259198000 seconds
        Time since reference or first frame: 0.261940000 seconds
        Frame Number: 5
        Packet Length: 1514 bytes
        Capture Length: 214 bytes
        Protocols in frame: eth:ip:tcp:data
    ...

Answer

There are three places in the process of collecting and exporting the trace that can cause incomplete packets in the sniffer file.

  • If the ABBREV keyword was specified when collecting the trace (on the VARY PKTTRACE or VARY OSAENTA command), no more than the specified number of bytes (default is 200) is collected per packet. If the full packet content is required for analysis, then do not specify ABBREV.

  • The LRECL specified for the target data set (the one allocated to the SNIFFER DD when running the IPCS command to export the file) must be large enough to contain the largest packet in the trace plus a fixed overhead (38 bytes).

  • The SNIFFER option on the IPCS CTRACE command also has a limit on the size of the exported packets. If not specified, the default length is 200 (and is limited to LRECL-38).

Additional notes:

  • For Gigabit Ethernet, jumbo frames may be enabled. If that is the case on your system, then specify the LRECL and SNIFFER limit to account for 9000 byte packets.

  • The maximum LRECL that can be specified for a RECFM=VB data set is 32756. This means that packet truncation cannot be avoided in the following situations:

      • If a SYSTCPDA CTRACE is collected on a system with traffic over LOOPBACK, SameHost, XCF, or iQDIO (HiperSocket) devices, these packets can be up to 64K.

      • If SEGMENTATIONOFFLOAD is specified on the IPCONFIG or IPCONFIG6 statement, the outbound packets in a SYSTCPDA CTRACE will be the offload buffers (not the individual packets), which can be up to 56K.

Account for the maximum packet size (MTU) that will occur in the packet trace when performing the export to the sniffer format. For a typical Ethernet (MTU=1500 bytes) the following commands (or equivalent JCL) can be used within the IPCS session:

    ALLOC FILE(SNIFFER) DA(sniffer.data.set) NEW RECFM(V B) LRECL(1538) ...
    CTRACE COMP(SYSTCPxx) FULL OPTIONS((SNIFFER(1500)))
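
To confirm on the analysis side whether an exported trace still contains cut-off packets, and to work out the SNIFFER and LRECL values a re-export needs, the per-frame lengths can be checked directly. The following Python script is an added example, not part of the original IBM document. It assumes the capture is available in classic libpcap format and that each frame carries a 14-byte Ethernet header, as in the sample output above; the function names and the embedded sample capture are constructed for illustration.

```python
import struct

OVERHEAD = 38         # fixed per-record overhead stated on this page
MAX_VB_LRECL = 32756  # maximum LRECL for a RECFM=VB data set (from this page)
ETH_HDR = 14          # assumption: Ethernet link header included in the frame length

def scan_pcap(data):
    """Return (truncated_frames, largest_on_wire_length) for classic pcap bytes."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    offset, frame_no, truncated, largest = 24, 0, [], 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, captured length, on-wire length
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame_no += 1
        largest = max(largest, orig_len)
        if incl_len < orig_len:
            truncated.append((frame_no, orig_len, incl_len))
        offset += 16 + incl_len
    return truncated, largest

def export_settings(largest_frame):
    """Derive the SNIFFER limit and LRECL needed to hold the largest packet."""
    packet = largest_frame - ETH_HDR
    lrecl = packet + OVERHEAD
    return {"sniffer": packet, "lrecl": lrecl, "fits_vb": lrecl <= MAX_VB_LRECL}

def build_sample():
    """Constructed sample: one complete 60-byte frame, one 1514-byte frame cut to 214."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for incl_len, orig_len in ((60, 60), (214, 1514)):
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    cut, largest = scan_pcap(build_sample())
    for no, wire, kept in cut:
        print(f"frame {no}: {wire} bytes on wire, {kept} captured")
    print(export_settings(largest))
```

When `fits_vb` is false, the largest packet exceeds what a RECFM=VB data set can hold, which is the unavoidable-truncation case described in the additional notes.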







Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
13 June 2018

UID

dwa1453308