FTP Analysis via SMF Records, FTP Server Exits and Logging, and CTRACE

SHARE Session 3961
March 6, 2006

David Cheng
Applied Expert Systems, Inc.

[email protected]@aesclever.com

Copyright (C) 2006 Applied Expert Systems, Inc. 2

Agenda

- FTP Background
- Data type, structure and mode
- Active FTP
- Passive FTP
- FTP Commands and Replies

- FTP Diagnostic/Performance Data
- FTP Server Exits
- FTP SMF Records
- SMF Type 118 vs. Type 119
- FTP Server Logging
- Component Trace – IP packet trace
- FTP Analysis/Tuning

FTP Data Type – how data is interpreted by the receiver

- FTP always transfers data in 8-bit bytes; this is called the transfer size
- ASCII
  - Default data type
  - Each line of data is terminated by CRLF (X'0D0A')
  - Translation is always required; even between 2 ASCII hosts:
    ASCII -> NVT-ASCII -> ASCII
    (NVT-ASCII: Network Virtual Terminal ASCII as defined in the TELNET protocol.)
  - If MVS is the receiving side, data will be translated to EBCDIC, CRLF replaced with MVS record boundaries – according to SITE/LOCSITE parms: RECFM and LRECL
- EBCDIC
  - 8-bit EBCDIC bytes are transferred as they are – no translation
- IMAGE
  - Contiguous bits packed into the 8-bit FTP transfer byte size
  - Normally used for binary data
  - More efficient method to transfer data between 2 similar ASCII hosts

Data Type Comparison
EBCDIC -> EBCDIC, 29*80 chars: 2320 bytes

Data Type   Bytes transferred                                        Response Time (seconds)
ASCII       2378 bytes (29*2 extra bytes: X'0D0A', CRLF in ASCII;    0.330
            ASCII data transferred, then converted to EBCDIC)
EBCDIC      2349 bytes (29 extra bytes: X'15', NL in EBCDIC)         0.260
IMAGE       2320 bytes                                               0.320

FTP Data Structure – how data is stored by the receiver

- File
  - Has no internal structure
  - Contiguous sequence of bytes
  - Most widely implemented
- Record
  - File is made up of sequential records; ASCII type with CRLF sequences
  - z/OS only supports Record structure with stream mode transfer
- Page – not supported in z/OS

FTP Data Mode – how data is transmitted

- Stream
  - Transmitted as stream of bytes; with very little or no extra processing
- Block
  - Transmitted as a series of data blocks, each block is preceded by a header - count and descriptor
  - z/OS only supports Block mode with data type EBCDIC
  - A file transferred between 2 z/OS systems in Block mode will preserve its record structure (e.g., variable length records)
- Compress
  - Transmitted in a compressed format
  - Simple compression algorithm – send duplicated bytes in a two-byte sequence, followed by a one-byte filler
  - In z/OS Compress requires data type EBCDIC
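An added example (not from the original slides) of how Block mode framing keeps record boundaries, using the 3-byte block header (descriptor byte plus 16-bit count) and the descriptor codes defined in RFC 959. The function names and the sample records are constructed for illustration.

```python
import struct

# Descriptor bits from RFC 959 (block mode): end of record, end of file,
# suspected errors in the block, block is a restart marker.
EOR, EOF, ERRORS, RESTART = 0x80, 0x40, 0x20, 0x10
MAX_BLOCK = 0xFFFF  # the count field is 16 bits wide


def encode_records(records):
    """Frame records as blocks; only the last block of a record carries EOR."""
    out = bytearray()
    for idx, rec in enumerate(records):
        # A record longer than 65535 bytes has to span several blocks.
        chunks = [rec[i:i + MAX_BLOCK] for i in range(0, len(rec), MAX_BLOCK)] or [b""]
        for j, chunk in enumerate(chunks):
            desc = 0
            if j == len(chunks) - 1:
                desc |= EOR
                if idx == len(records) - 1:
                    desc |= EOF
            out += struct.pack(">BH", desc, len(chunk)) + chunk
    if not records:
        out += struct.pack(">BH", EOF, 0)  # empty file: a lone EOF block
    return bytes(out)


def decode_blocks(stream):
    """Return (records, saw_eof); raise ValueError on a truncated header or block."""
    records, current, pos, saw_eof = [], bytearray(), 0, False
    while pos < len(stream) and not saw_eof:
        if len(stream) - pos < 3:
            raise ValueError("truncated block header at offset %d" % pos)
        desc, count = struct.unpack_from(">BH", stream, pos)
        pos += 3
        if len(stream) - pos < count:
            raise ValueError("block at offset %d claims %d bytes, %d left"
                             % (pos - 3, count, len(stream) - pos))
        data = stream[pos:pos + count]
        pos += count
        if desc & RESTART:
            continue  # restart markers are not file data
        current += data
        if desc & EOR:
            records.append(bytes(current))
            current = bytearray()
        if desc & EOF:
            saw_eof = True
    if current:
        records.append(bytes(current))  # data after the last EOR, if any
    return records, saw_eof


# Constructed sample: variable-length records (one of them empty) in EBCDIC,
# the data type z/OS requires for Block mode.
SAMPLE_RECORDS = [s.encode("cp037") for s in
                  ("HDR 2006-03-06", "A", "", "VARIABLE LENGTH RECORD 3")]

if __name__ == "__main__":
    wire = encode_records(SAMPLE_RECORDS)
    records, saw_eof = decode_blocks(wire)
    print(len(wire), "bytes on the wire, EOF seen:", saw_eof)
    for rec in records:
        print(len(rec), repr(rec.decode("cp037")))
    # Stream mode with structure File sends only the concatenated bytes,
    # so the four record lengths above cannot be recovered from it.
    print(len(b"".join(SAMPLE_RECORDS)), "bytes without framing")
```
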

Control / Data Connections

- Control connection
  - A communication path between the Client and Server for the exchange of commands & replies
  - FTP Server Port 21
  - Connection stays up during the whole session, in which many files may be transferred
- Data connection
  - A full duplex connection over which data is transferred, in a specified mode and type
  - FTP Server Port 20 (for active FTP)
  - Usually one for each file transfer

Active FTP

- Server initiates data connection to the client
- Client connects from a random unprivileged port (N > 1024) to the FTP server's port 21
- Client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server
  - PORT h1,h2,h3,h4,p1,p2
    h1,h2,h3,h4 is the client's IP address, p1,p2 is the client port number in an 8 bit high, low bit order
- The Server will then connect back to the client's specified data port from its local data port (port 20)

FTP Data Session – Active Mode

FTP Client                                  FTP Server
Port X      PORT, IP address, port Y        Port 21
Port X      PORT command successful         Port 21
Port X      ACK                             Port 21

FTP Active Mode in Details

FTP Client                                  FTP Server
Port X      SYN                             Port 21
Port X      SYN ACK                         Port 21
Port X      ACK                             Port 21

Port X      PORT, IP address, port Y        Port 21
Port X      PORT command successful         Port 21
Port X      LIST, RETR, or STOR, etc.       Port 21
Port Y      SYN                             Port 20
Port Y      SYN ACK                         Port 20
Port Y      ACK                             Port 20
Port Y      Data segments and ACKs          Port 20

Active FTP

FTP Client                  FTP Server
1674        PORT 1675       21
            ACK
1675        connect         20
            ACK

Passive FTP

- Client initiates data connection to the server
- Firewall friendly
- When opening an FTP connection, the client opens 2 random unprivileged ports locally (N > 1024 and N+1)
- The first port contacts the server on port 21
- Client issues the PASV command (the PASV command takes no parameters)
- The server then opens a random port and sends Reply Code 227 back to the client (similar to the PORT command)
- The client then initiates the connection from port N+1 to port P on the server to transfer data

Passive FTP

FTP Client                                                      FTP Server
1673        PASV                                                21
            "227 Entering Passive Mode (IP Addr, Port #)"
1674        connect                                             2020
            ACK

FTP Passive Mode in Details

FTP Client                                  FTP Server
Port X      SYN                             Port 21
Port X      SYN ACK                         Port 21
Port X      ACK                             Port 21

Port X      PASV                            Port 21
Port X      RC 227, IP address, Port Y      Port 21
Port Z      SYN                             Port Y
Port Z      SYN ACK                         Port Y
Port Z      ACK                             Port Y
Port X      LIST, RETR, or STOR, etc.       Port 21
Port Z      Data segments and ACKs          Port 20

FTP Commands

- Commands and Replies are sent across the control connection and are in plain text.
- Commands are 3 or 4 bytes characters, each with optional parameters.
- The FTP commands specify the parameters for:
  - the data connection (port)
  - transfer mode
  - data representation type and structure
  - the nature of file system operation (store, retrieve, append, delete, etc.)

Sample FTP Commands

Access Control:
- USER    User identification
- PORT    Data port specification
- TYPE    Data representation (ASCII, EBCDIC, Image)
- QUIT    Terminates a USER and the control connection

Transfer:
- MODE    Transfer mode (Stream, Block, Compress)
- RETR    Server -> Client file transfer
- STOR    Client -> Server file transfer

Service:
- DELE    Deletes a Server file
- LIST    Directory listing
- RNFR    Renames from <old file name>
- RNTO    Renames to <new file name>
  (RNFR must be immediately followed by a RNTO command)

FTP Replies

- Synchronization of requests and actions in the file transfer process
- Guarantee that the user process always knows the state of Server
- Every command must generate at least one reply
- An FTP reply consists of a 3-digit number (i.e., 3 alphanumeric characters) followed by some text
- The number is intended for use by the software to determine what to do next; the text is intended for the human user
- There may be more than one reply, in which case these multiple replies must be easily distinguished

FTP Reply Code

- 1yz    Positive preliminary reply
- 2yz    Positive completion reply (a new command may be sent)
- 3yz    Positive intermediate reply (another command must be sent)
- 4yz    Transient negative reply (command can be re-issued later)
- 5yz    Permanent negative reply (command should not be retried)

- x0z    Syntax error
- x1z    Information
- x2z    Connections
- x3z    Authentication and accounting
- x4z    Unspecified
- x5z    File system status

Sample FTP Reply Codes

- 150    File status okay; about to open data connection.
- 226    Transfer complete
- 227    Entering passive mode {h1,h2,h3,h4,p1,p2}
- 250    Requested file action okay, completed.
- 257    "PATHNAME" created.
- 350    Requested file action pending further information.
- 450    Requested file action not taken. File unavailable (e.g., file busy).
- 550    Requested action not taken. File unavailable (e.g., file not found, no access).
- 451    Requested action aborted. Local error in processing.
- 551    Requested action aborted. Page type unknown.
- 452    Requested action not taken. Insufficient storage space in system.
- 552    Requested file action aborted. Exceeded storage allocation (for current directory or data set).
- 553    Requested action not taken.

C:\Windows>ftp 137.72.43.247
Connected to 137.72.43.247.
220-FTPD1 IBM FTP CS V1R4 at S390, 21:05:48 on 2004-07-20.
220 Connection will close if idle for more than 5 minutes.
User (137.72.43.247:(none)): p390
331 Send password please.
Password:

RC 220 Service ready for new user

- : continuation

RC 331 User name OK, need password
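An added example (not from the original slides) that parses control-connection replies the way the session above reads: a `220-` line opens a multi-line reply that ends at the next `220 ` line, and each reply is classified by its first and second digit using the tables from the FTP Reply Code slide. The function and field names are assumptions made for illustration.

```python
import re

# "ddd text" is a complete or final line, "ddd-text" opens or continues a multi-line reply.
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

FIRST_DIGIT = {
    "1": "positive preliminary",
    "2": "positive completion",
    "3": "positive intermediate",
    "4": "transient negative",
    "5": "permanent negative",
}
SECOND_DIGIT = {
    "0": "syntax",
    "1": "information",
    "2": "connections",
    "3": "authentication and accounting",
    "4": "unspecified",
    "5": "file system status",
}


def _finish(code, texts):
    """Build one reply record from its code and collected text lines."""
    return {
        "code": int(code),
        "outcome": FIRST_DIGIT.get(code[0], "unknown"),
        "group": SECOND_DIGIT.get(code[1], "unknown"),
        "text": texts,
    }


def parse_replies(lines):
    """Group raw control-connection lines into replies, joining continuations."""
    replies, open_code, texts = [], None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = _REPLY.match(line)
        if open_code is None:
            if m is None:
                raise ValueError("not an FTP reply line: %r" % line)
            code, sep, text = m.groups()
            if sep == "-":
                open_code, texts = code, [text]      # multi-line reply starts
            else:
                replies.append(_finish(code, [text]))
        elif m and m.group(1) == open_code and m.group(2) == " ":
            texts.append(m.group(3))                 # same code + space ends it
            replies.append(_finish(open_code, texts))
            open_code, texts = None, []
        else:
            # Any other line inside a multi-line reply is text, even if it
            # happens to start with digits.
            same = m is not None and m.group(1) == open_code
            texts.append(m.group(3) if same else line)
    if open_code is not None:
        raise ValueError("multi-line reply %s was never terminated" % open_code)
    return replies


# Server lines taken from the session shown on the slide above.
SESSION = [
    "220-FTPD1 IBM FTP CS V1R4 at S390, 21:05:48 on 2004-07-20.\r\n",
    "220 Connection will close if idle for more than 5 minutes.\r\n",
    "331 Send password please.\r\n",
]

if __name__ == "__main__":
    for reply in parse_replies(SESSION):
        print(reply["code"], reply["outcome"], "/", reply["group"],
              "(%d line(s))" % len(reply["text"]))
```
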

FTP Diagnostics Data

- Connection attempts
- Client identification
- Active vs. Passive FTP
- FTP commands
- FTP replies
- Throughput
- PORT command hacking (FTP bounce attack)
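One way to check for the PORT misuse listed above, as an added example that is not part of the original slides: decode the h1,h2,h3,h4,p1,p2 field used by the PORT command and the 227 reply, then flag PORT commands whose address is not the control connection's peer or whose port is below 1024. The function names, the log tuples and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress
import re

# Exactly six comma-separated decimal fields, not part of a longer list.
_SIX = re.compile(
    r"(?<![\d,])(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?![\d,])"
)


def parse_host_port(text):
    """Decode h1,h2,h3,h4,p1,p2 from a PORT argument or a 227 reply."""
    m = _SIX.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field outside 0-255")
    # p1 is the high-order byte of the port, p2 the low-order byte.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def audit_port_command(argument, control_peer_ip):
    """Return findings for one PORT argument seen from control_peer_ip."""
    try:
        ip, port = parse_host_port(argument)
    except ValueError as exc:
        return ["malformed PORT argument: %s" % exc]
    findings = []
    if ip != ipaddress.IPv4Address(control_peer_ip):
        findings.append("data address %s differs from control peer %s"
                        % (ip, control_peer_ip))
    if port < 1024:
        findings.append("data port %d is below 1024" % port)
    return findings


def scan(commands):
    """commands: iterable of (session_id, peer_ip, command_line) tuples."""
    flagged = []
    for session_id, peer_ip, line in commands:
        verb, _, argument = line.strip().partition(" ")
        if verb.upper() != "PORT":
            continue
        findings = audit_port_command(argument, peer_ip)
        if findings:
            flagged.append((session_id, line, findings))
    return flagged


# Constructed command log: S1 is a normal active-mode client (port 1675, as on
# the Active FTP slide), S2 names a third-party host, S3 is malformed.
CONSTRUCTED_LOG = [
    ("S1", "192.0.2.10", "USER p390"),
    ("S1", "192.0.2.10", "PORT 192,0,2,10,6,139"),
    ("S2", "192.0.2.10", "PORT 198,51,100,7,0,80"),
    ("S3", "192.0.2.10", "PORT 192,0,2,10,6"),
]

if __name__ == "__main__":
    print(parse_host_port("227 Entering Passive Mode (137,72,43,247,7,228)"))
    for session_id, line, findings in scan(CONSTRUCTED_LOG):
        print(session_id, line, "->", "; ".join(findings))
```
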

FTP Diagnostics/Performance Data

- Published Record Types or API
- Non-intrusive, lower overhead
- Event-driven
  - True real-time data
  - FTP Server exits and SMF exits
- Polling
  - Comm Server Network Management API
  - Only SMF data is available

FTP Diagnostics/Performance Data

- FTP Server Exits
  - FTCHKIP – open connection
  - FTCHKPWD – password verification
  - FTCHKCMD – FTP command
  - FTPOSTPR – FTP command completion
  - FTCHKJES – Job submission
  - FTPSMFEX – FTP server SMF record
- SMF records (Type 118 or 119)
  - FTP Server Logon Failure
  - FTP Server Transfer Completion
  - FTP Client Transfer Completion
  - TCP Connection Initiation
  - TCP Connection Termination

FTP Diagnostics/Performance Data

- Logging/Tracing
  - FTPLOGGING, ANONYMOUSFTPLOGGING (FTP Server)
  - TRACE, DEBUG (FTP Server)
  - Packet trace – detailed analysis at protocol level
  - NOT for monitoring purpose
  - Performance penalty (e.g., APAR PQ84192)

FTP Server User Exits

- R1 -> parameter list, which is a series of pointers to values
- The first word of the parameter list always points to the return code (RC). RC=0 upon entry to an exit. If RC is not 0, user will receive a negative reply
- The second word of the parameter list always points to a word containing the number of parameters that follow
- APF-authorized
- STEPLIB DD in the FTPD proc
- RACF consideration

FTP Server Exit - FTCHKIP

FTCHKIP is called at the initial stage of login or whenever the user issues an OPEN command
- Client's IP address (IPV4) and port
- Server's IP address (IPV4) and port
- Socket address structure (IPV4 or IPV6) for the client's control connection
- Socket address structure (IPV4 or IPV6) for the server's control connection
- Session ID

FTP Server Exit - FTCHKPWD

FTCHKPWD is called after the user enters the password
- Client's user ID
- Client's password
- User data
- Number of bad passwords input in this logon attempt
- Socket address structure for the client's control connection
- Socket address structure for the server's control connection
- Session ID

FTP Server Exit - FTCHKCMD

FTCHKCMD is called whenever the client enters a command
- Client's user ID
- Command
- Command parameters
- Current directory type: MVS, HFS
- File type: SEQ, JES, SQL
- Current working directory
- Address of a buffer for command modification

FTP Server Exit - FTPOSTPR

FTPOSTPR is called upon completion of the FTP commands RETR, STOR, STOU, APPE, DELE, and RNTO
- Client's user ID
- Client's IP address
- Client's port
- Current directory type: MVS, HFS
- Current working directory
- Current file type: SEQ, JES, SQL
- FTP reply code
- FTP reply string
- FTP command code
- Current CONDDISP setting: C for catalog, D for delete

FTP Server Exit - FTPOSTPR

- Close reason code:
  - 0 – transfer completed normally
  - 4 – transfer completed w/error; see FTP reply code and text string
  - 8 – transfer completed w/socket errors
  - 12 – transfer aborted
  - 16 – transfer aborted w/SQL file errors
- Dataset name or HFS file name
- Bytes transferred
- Socket address structure for the client's control session
- Socket address structure for the server's control session
- Session ID
- Address of scratch pad area (256 bytes)

FTP Server Exit - FTPSMFEX

- FTPSMFEX is called before a type 118 SMF (FTP server) record is written to SMF
- Type 119 SMF records must use the system-wide SMF exits IEFU83, IEFU84 and IEFU85
- R1 -> the following parameter list:
  - Pointer to the return code
  - Pointer to the type 118 SMF record
- On entry, the return code is set to 0. A return code of 0 specifies that the SMF record will be written

FTP Server Exit Installation

- APF-authorize the load library
- Add the load library to STEPLIB in the FTPD proc
- If RACF Program Control is active: SETROPTS WHEN(PROGRAM), you must define FTP exits to RACF class PROGRAM
- Restart the FTP Daemon (for FTCHKIP)

FTP Server Exit Installation

Sample RACF Definition for FTCHKIP:

RDEFINE PROGRAM FTCHKIP ADDMEM('loadlib'/volser/NOPADCHK) UACC(READ)
…
SETR WHEN(PROGRAM) REFRESH

Without proper RACF definition, FTP client will get the following error when logging in:

550 PASS COMMAND FAILED - _PASSWD() ERROR: EDC5157I AN INTERNAL ERROR OCURRED

Verify FTP Server Exits

- Start the FTP Server with the "TRACE" parameter; e.g., S FTPD,PARM=TRACE
- Check for the following messages in SYSLOG:

BPXF024I (FTPD) Jan 5 18:01:34 ftpd 33619980 : DM1009 main: FTCHKIP successfully loaded

BPXF024I (AESDJC1) Jan 6 02:01:57 ftps 16843115 : RX0625 main: chkpwdexit successfully loaded

BPXF024I (AESDJC1) Jan 6 02:01:58 ftps 16843115 : RX0641 main: chkcmdexit successfully loaded

BPXF024I (AESDJC1) Jan 6 02:01:58 ftps 16843115 : RX0696 main: FTPOSTPR successfully loaded

FTP Server SMF Record

• FTP command
• FTP type: SEQ, JES, SQL
• Client IP address and port
• Server IP address and port
• Local user ID
• Data format: A: ASCII, E: EBCDIC, I: image (binary), D: double byte, U: UCS-2

FTP Server SMF Record - Continued

• Mode – S: stream, B: block, C: compressed
• Start/End time of transmission
• Bytes transferred
• FTP reply code
• Dataset/member/file names

FTP Client SMF Record

• FTP command
• Client IP address and port
• Server IP address and port
• Data format
• Transfer mode
• Start/End time of transmission
• Byte count
• Dataset/file name

Enable TCP/IP SMF Recording

• SMFPRMxx – make sure that 118/119 is not being excluded from recording
• SMF Type 119 is available only in z/OS V1R2 and later releases
• SMF Type 118 and Type 119 can co-exist
• To get FTP Server SMF record, configure FTP.DATA as follows:
  - 118: SMF STD
  - 119: SMF TYPE119

Enable TCP/IP SMF Recording

• To get FTP Client SMF record, configure TCP/IP PROFILE as follows:
  - 118
        SMFCONFIG FTPCLIENT …
  - 119
        SMFCONFIG … TYPE119 FTPCLIENT …

Verify SMF Recording

• System Level – issue the “D SMF,O” operator command, verify:
  - SMFPRMxx member
  - SMF parameters
• TCP/IP Level – issue the “NETSTAT,CONFIG” command
  - Check the SMF Parameters listing; e.g.,

SMF Parameters:
  Type 118:
    TcpInit: 00  TcpTerm: 00  FTPClient: 00
    TN3270Client: 00  TcpIpStats: 00
  Type 119:
    TcpInit: Yes  TcpTerm: Yes  FTPClient: Yes
    TcpIpStats: Yes  IfStats: Yes  PortStats: Yes
    Stack: Yes  UdpTerm: Yes  TN3270Client: Yes

Verify SMF Recording

• FTP Server – start the FTP server with the “TRACE” parameter; e.g., S FTPD,PARM=TRACE
  - Look for the write_smf_record messages; e.g.,

250 Transfer completed successfully.

BPXF024I (AESDJC1) Jan 6 02:02:08 ftps 16843115 : RU1463 write_smf_record: entered with type 4

BPXF024I (AESDJC1) Jan 6 02:02:08 ftps 16843115 : RU0754 write_smf_record_119: entered with type 4.

• FTP Client – start the FTP client with the “trace” parameter, or issue the “debug” command from an FTP client session; e.g., ftp 137.72.43.247 (trace
  - Look for the following messages: CU1963, CU1463, CU2241; e.g.,

250 Transfer completed successfully.
EZA1617I 2320 bytes transferred in 0.160 seconds. Transfer rate 14.50 Kbytes/sec.
CU1963 write_smf_record: entered with type 16.
CU1463 write_smf_record_119: entered with type 16.
CU2241 write_smf_record: length of smfrecord: 224

Obtaining SMF data in real-time

• SMF Exits
  - IEFU83, IEFU84, IEFU85
  - MVS Dynamic Exits Facility allows multiple exits to co-exist
• z/OS CS Network Management Interface
  - SYSTCPSM interface
  - Type 119 SMF records only
  - Requires “polling” – not as real-time as exits

Sample FTP Session 1

ftp 137.72.43.243
EZA1450I IBM FTP CS V2R8 1999 336 15:35 UTC
EZA1554I Connecting to: 137.72.43.243 port: 21.
220-FTPD1 IBM FTP CS V1R2 at p390.svo.test.com, 15:51:13 on 2002-08-16.
220 Connection will close if idle for more than 5 minutes.
EZA1459I NAME (137.72.43.243:P390):
p390
EZA1701I >>> USER p390
331 Send password please.
EZA1789I PASSWORD:
EZA1701I >>> PASS
230 P390 is logged on. Working directory is "AESDJC1.".
EZA1460I Command:
bin
EZA1701I >>> TYPE I
200 Representation type is Image
EZA1460I Command:
get 'aesdjc1.xmi' 'aesdjc1.xmi' (replace
EZA1701I >>> PORT 137,72,43,240,6,139
200 Port request OK.
EZA1701I >>> RETR 'aesdjc1.xmi'
125 Sending data set AESDJC1.XMI FIXrecfm 80
250 Transfer completed successfully.
EZA1617I 166400 bytes transferred in 2.180 seconds. Transfer rate 76.33 Kbytes/sec.

Sample FTP Session 1 – logging by FTP Exits

FTP OPEN CONNECTION,IP=137.72.43.240,PORT= 1674,TIME=14:51:13.67

FTP CMD=USER ,USER= ,TIME=14:51:16.01,ARG=p390

FTP CMD=PASS ,USER=P390 ,TIME=14:51:17.81,ARG=

FTP LOGIN,USER=P390 ,TIME=14:51:17.81

FTP CMD=TYPE ,USER=P390 ,TIME=14:51:23.03,ARG=I

FTP CMD=PORT ,USER=P390 ,TIME=14:51:34.37,ARG=137,72,43,240,6,139

FTP CMD=RETR ,USER=P390 ,TIME=14:51:34.40,ARG='aesdjc1.xmi'

FTP POST,CMD=RETR,USER=P390 ,IP=137.72.43.240,TYPE=MVS/SEQ,RC=250,REASON=0,TIME=14:51:36.93

[Slide callouts mark the exit that wrote each line: FTCHKIP for OPEN CONNECTION, FTCHKCMD for each CMD= line, FTCHKPWD for LOGIN, FTPOSTPR for POST.]

Sample FTP Session 1

How to interpret the PORT command

    PORT 137,72,43,240,6,139

IP Address of the client: 137.72.43.240
Port of the client: 256*6 + 139 = 1675

Sample FTP Session 1: Active FTP

FTP Client                         FTP Server
(137.72.43.240)                    (137.72.43.243)

   1674  ------ PORT 1675 ------>  21
         <--------- ACK ---------
   1675  <------- connect -------  20
         ---------- ACK -------->
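The PORT decoding above can be applied to every PORT line in the FTP exit log to check where the server is being asked to open its data connection. The Python below is an added example, not part of the original presentation; the function names and the two review rules (data address must equal the control-connection address, data port must not be below 1024) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Exit log lines copied from Sample FTP Session 1 on this page.
SESSION_1_LOG = """\
FTP OPEN CONNECTION,IP=137.72.43.240,PORT= 1674,TIME=14:51:13.67
FTP CMD=PORT ,USER=P390 ,TIME=14:51:34.37,ARG=137,72,43,240,6,139
FTP CMD=RETR ,USER=P390 ,TIME=14:51:34.40,ARG='aesdjc1.xmi'
"""

# Constructed input (documentation addresses): PORT names a different host
# and a low port.
CONSTRUCTED_MISMATCH_LOG = """\
FTP OPEN CONNECTION,IP=192.0.2.10,PORT= 2001,TIME=09:00:00.00
FTP CMD=PORT ,USER=USER1 ,TIME=09:00:05.00,ARG=192,0,2,77,0,22
"""

OPEN_RE = re.compile(r"FTP OPEN CONNECTION,IP=([\d.]+),PORT=\s*(\d+)")
PORT_RE = re.compile(r"FTP CMD=PORT\s*,USER=([^,\s]*)\s*,TIME=([\d:.]+),ARG=(\S+)")


def decode_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port), port = 256*p1 + p2."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError(f"PORT needs six decimal fields: {arg!r}")
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError(f"PORT field out of range 0-255: {arg!r}")
    ip = str(ipaddress.IPv4Address(bytes(octets[:4])))
    return ip, 256 * octets[4] + octets[5]


def review_port_commands(log_text, low_port_limit=1024):
    """Return one finding per PORT command in a single session's exit log.

    Assumes the log holds one FTP session at a time, so the most recent
    OPEN CONNECTION line identifies the control connection.
    """
    control_ip = None
    findings = []
    for line in log_text.splitlines():
        opened = OPEN_RE.search(line)
        if opened:
            control_ip = opened.group(1)
            continue
        hit = PORT_RE.search(line)
        if not hit:
            continue
        user, time, arg = hit.groups()
        try:
            ip, port = decode_port_arg(arg)
        except ValueError as exc:
            findings.append({"time": time, "user": user, "error": str(exc)})
            continue
        flags = []
        if control_ip is not None and ip != control_ip:
            flags.append("data address differs from control connection")
        if port < low_port_limit:
            flags.append(f"data port below {low_port_limit}")
        findings.append({"time": time, "user": user, "ip": ip,
                         "port": port, "flags": flags})
    return findings


if __name__ == "__main__":
    for log in (SESSION_1_LOG, CONSTRUCTED_MISMATCH_LOG):
        for finding in review_port_commands(log):
            print(finding)
```
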

Sample FTP Session 1 – FTP Server SMF data

FTPS:RETR,IP=137.72.43.240,PORT=21/1674,RC=250,User=P390,Format=S/S/I,ABND=
Start=15:51:34,End=15:51:34,Bytes=166400,
Elapsed=0.010sec,Throughput=16640.00KB/sec
DSN1=AESDJC1.XMI/,DSN2=/

Format:
  Data set type: P – partitioned, S – sequential, H – HFS
  Mode: S – stream, B – block, C – compressed
  Data format: A – ASCII, E – EBCDIC, I – image (binary), D – double-byte, U – UCS-2

Sample FTP Session 2

EZA1460I Command:
put 'aesdjc1.xmi' 'aesdjc1.small'
EZA1701I >>> SITE FIXrecfm 80 LRECL=80 RECFM=FB BLKSIZE=3120
200 SITE command was accepted
EZA1701I >>> PORT 137,72,43,240,6,142
200 Port request OK.
EZA1701I >>> STOR 'aesdjc1.small'
125 Storing data set AESDJC1.SMALL
451-System completion code and reason: D37-04
451-Data set is out of space.
451 Transfer aborted due to file error.
EZA1460I Command:
quit
EZA1701I >>> QUIT
221 Quit command received. Goodbye.
READY

Sample FTP Session 2 – logging by FTP Exits

FTP CMD=SITE ,USER=P390 ,TIME=14:53:28.45,ARG=FIXrecfm 80 LRECL=80 RECFM=FB BLKSIZE=3120
FTP CMD=PORT ,USER=P390 ,TIME=14:53:28.50,ARG=137,72,43,240,6,142
FTP CMD=STOR ,USER=P390 ,TIME=14:53:28.52,ARG='aesdjc1.small'
FTP POST,CMD=STOR,USER=P390 ,IP=137.72.43.240,TYPE=MVS/SEQ,RC=451,REASON=4,TIME=14:53:29.61
FTP REPLY=Transfer aborted due to file error.
FTP CMD=QUIT ,USER=P390 ,TIME=14:53:31.48,ARG=

Sample FTP Session 2 – FTP Server SMF Record

FTPS:STOR,IP=137.72.43.240,PORT=21/1674,RC=451,
User=P390,Format=S/S/I,ABND=
Start=15:53:28,End=15:53:29,Bytes=166400,
Elapsed=0.500sec,Throughput=332.80KB/sec
DSN1=AESDJC1.SMALL/,DSN2=/

Reply Code 451: Requested action aborted. Local error in processing.

Some Unique data in Type 119

• Self-defining sections (triplets)
  - Number of data sections
  - Offset to data sections
  - Length of data sections
• TCP/IP identification section
  - This is the first section in every type 119 record
  - System name from SYSNAME in IEASYSxx
  - Sysplex name from SYSPLEX in COUPLExx
  - TCP/IP stack name, etc.

Some Unique data in Type 119

• All IP addresses are in 128-bit IPv6 format
  - IPv4-mapped format:
    - Bytes 0-9: X'00'
    - Bytes 10-11: X'FFFF'
    - Bytes 12-15: IPv4 address
• Has Both Control and Data Connection Session Info:
  - Remote IP address and port number
  - Local IP address and port number

Some Unique data in Type 119

• Transmission Start/End Date
• Transmission byte count format:
  - 64-bit integer
  - z/OS floating point format
• FTP Client record has SOCKS section when data was transferred through a SOCKS server
  - IP address and port number of SOCKS server for Control Connection
  - SOCKS protocol version (v4 or v5)
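Because Type 119 stores every address as 16 bytes in the IPv4-mapped layout listed above, while the exit log prints dotted IPv4 and FTPLOGGING prints the ::ffff: text form, the three sources only join on client address after normalisation. The Python below is an added example, not part of the original presentation; the function names are assumptions and the 16-byte field is constructed, since the slides show no raw record bytes.

```python
import ipaddress
import re

FTPLOG_ADDR_RE = re.compile(r"Client IPaddr=(\S+)")
EXIT_ADDR_RE = re.compile(r"\bIP=([0-9A-Fa-f:.]+)")

# Log lines copied from Sample FTP Session 3 on this page.
FTPLOG_LINE = ("EZYFS50I ID=FTPD100005191 00000090 CONN starts "
               "Client IPaddr=::ffff:137.72.43.64 hostname=UNKNOWN")
EXIT_LINE = "AES824I FTP OPEN CONNECTION,IP=137.72.43.64,PORT= 3068,TIME=17:13:11.39"


def mapped_field(ipv4_text):
    """Build a constructed 16-byte field in the layout the slide gives:
    bytes 0-9 X'00', bytes 10-11 X'FFFF', bytes 12-15 the IPv4 address."""
    return bytes(10) + b"\xff\xff" + ipaddress.IPv4Address(ipv4_text).packed


def smf119_addr_to_text(field):
    """Turn a 16-byte Type 119 address field into a join key.

    IPv4-mapped values come back as dotted IPv4; native IPv6 values come
    back in compressed IPv6 text form.
    """
    if len(field) != 16:
        raise ValueError(f"expected 16 bytes, got {len(field)}")
    addr = ipaddress.IPv6Address(field)
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else str(addr)


def text_addr_to_key(text):
    """Normalise an address printed in a log line to the same join key."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def client_keys(smf_field, ftplog_line, exit_line):
    """Extract and normalise the client address from each data source."""
    ftplog = FTPLOG_ADDR_RE.search(ftplog_line)
    exit_hit = EXIT_ADDR_RE.search(exit_line)
    if ftplog is None or exit_hit is None:
        raise ValueError("no client address found in log line")
    return {
        "smf119": smf119_addr_to_text(smf_field),
        "ftplogging": text_addr_to_key(ftplog.group(1)),
        "exit": text_addr_to_key(exit_hit.group(1)),
    }


if __name__ == "__main__":
    keys = client_keys(mapped_field("137.72.43.64"), FTPLOG_LINE, EXIT_LINE)
    print(keys, "same client:", len(set(keys.values())) == 1)
```
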

FTP Server Logging

• z/OS 1.4 or later release
• FTP Server can log activities to SyslogD via the following FTP.DATA options:
  - FTPLOGGING TRUE
  - ANONYMOUSFTPLOGGING TRUE
• Nine events are logged:
  - CONN     connectivity
  - SECURE   security (TLS/SSL, Kerberos)
  - ACCESS   login
  - ALLOC    file and data set allocation
  - DEALL    file and data set de-allocation
  - TRANS    file transfer
  - SUBMIT   JES job submission
  - QUERY    SQL query
  - ABEND    abnormal termination
• Each activity logging message has a message number within the range of EZYFS50 to EZYFS95

FTP Server Tracing

• TRACE run-time option for FTPD
• TRACE and DEBUG statements in FTP.DATA
  - TRACE is equivalent to DEBUG BAS, which includes:
    - DEBUG CMD
    - DEBUG INT
    - DEBUG FSC
    - DEBUG SOC
• Use the SITE command to turn on tracing dynamically only for the duration of an FTP session
  - Requires: DEBUGONSITE TRUE be specified in FTP.DATA
  - z/OS example: site debug=bas
  - MS/DOS example: quote site debug=bas
• Output in SYSLOG

CTRACE – Packet Tracing

• Set up External Writer Proc
  E.g., SYS1.PROCLIB(AESWRT):

    //IEFPROC EXEC PGM=ITTTRCWR,REGION=0K,TIME=1440,DPRTY=15
    //TRCOUT01 DD DISP=SHR,DSN=trace.dataset

• Set up tracing parameters
  E.g., SYS1.PARMLIB(CTAESPRM):

    TRACEOPTS ON WTR(AESWRT)

CTRACE – Packet Tracing

• To Start Tracing:
  - TRACE CT,WTRSTART=AESWRT
  - V TCPIP,,PKT,CLEAR
  - V TCPIP,,PKT,LINKN=ETH1,ON,FULL,PROT=TCP,IP=<ip addr>
  - TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP),PARM=CTAESPRM
• To View Tracing Status:
  - D TRACE,WTR=AESWRT
    - Verify that the external writer is active
  - D TCPIP,,NETSTAT,DE
    - Verify that TrRecCnt is non-zero and incrementing
• To Stop Tracing:
  - V TCPIP,,PKT,OFF
  - TRACE CT,OFF,COMP=SYSTCPDA,SUB=(TCPIP)
  - TRACE CT,WTRSTOP=AESWRT,FLUSH

CTRACE – Packet Tracing

• Analyze one FTP session at a time
• Separate the Control Session from the Data Session
• Check FTP commands and replies
• Look for packet retransmissions and unusually long response times
• TCP window size

Sample FTP Session 3

• FTP Session 3:
  - ftp to 137.72.43.247
  - log on as p390
  - use ASCII transfer mode
  - get 'AESDJC1.MAIN.CNTL(ASM)'
  - Quit
• Diagnostic Data Sources:
  - FTP Server Exits
  - FTP SMF Records
  - FTPLOGGING
  - Packet tracing

Data Source: FTP Server Exits

AES824I FTP OPEN CONNECTION,IP=137.72.43.64,PORT= 3068,TIME=17:13:11.39
AES826I FTP CMD=USER ,USER= ,TIME=17:13:42.94,ARG=p390
AES826I FTP CMD=PASS ,USER=P390 ,TIME=17:13:45.39,ARG=
AES825I FTP LOGIN,USER=P390 ,TIME=17:13:45.39
AES826I FTP CMD=TYPE ,USER=P390 ,TIME=17:13:48.29,ARG=A
AES826I FTP CMD=PORT ,USER=P390 ,TIME=17:13:56.34,ARG=137,72,43,64,12,6
AES826I FTP CMD=RETR ,USER=P390 ,TIME=17:13:56.35,ARG='aesdjc1.main.cntl(asm)'
AES827I FTP POST,CMD=RETR,USER=P390 ,IP=137.72.43.64,TYPE=MVS/SEQ, RC=250,REASON=0,TIME=17:13:57.10
AES829I FTP POST,PORT=3068,DSN=AESDJC1.MAIN.CNTL(ASM),BYTES=0 gb + 2378 bytes
AES839I FTP POST,SESSIONID=FTPD100005 ,CPU TIME=0.567 SECONDS,EXCP=209
AES826I FTP CMD=QUIT ,USER=P390 ,TIME=17:13:57.72,ARG=``

Data Source: FTP SMF Server Record

AES801I FTPS:RETR,IP=137.72.43.64,PORT=21/3068,RC=250,User=P390 ,Format=P/S/A,ABND=
AES802I Start=17:13:56,End=17:13:56,Bytes=2378,Elapsed=0.020sec,Throughput=118.90KB/sec
AES803I DSN1=AESDJC1.MAIN.CNTL /ASM ,DSN2= /

Data Source: FTPLOGGING

17:13:42.18 STC00404 00000090 BPXF024I (FTPD) Jul 20 21:13:42 ftpd 50397342 : EZYFS50I ID=FTPD100005191 00000090 CONN starts Client IPaddr=::ffff:137.72.43.64 hostname=UNKNOWN

17:13:45.62 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:45 ftps 50397342 : EZYFS56I ID=FTPD100005192 00000090 ACCESS OK USERID=P390

17:13:56.69 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS60I ID=FTPD100005193 00000090 ALLOC OK Use MVS DSN=AESDJC1.MAIN.CNTL(ASM)

17:13:56.73 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS61I ID=FTPD100005194 00000090 ALLOC DDNAME=SYS00004 VOLSER=AES004 DSORG=PO DISP=(SHR,KEEP)

17:13:56.85 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS70I ID=FTPD100005195 00000090 DEALL OK Release MVS DSN=AESDJC1.MAIN.CNTL(ASM)

17:13:56.98 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS81I ID=FTPD100005196 00000090 TRANS MVS DSN=AESDJC1.MAIN.CNTL(ASM)

17:13:57.02 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS84I ID=FTPD100005197 00000090 TRANS Stru=F Mode=S Type=A Output=2378 bytes

17:13:57.06 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS80I ID=FTPD100005198 00000090 TRANS Reply=250 Transfer completed successfully.

17:13:57.75 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS52I ID=FTPD100005199 00000090 CONN ends Input=0 bytes Output=2378 bytes

Packet Trace Decoding – IPCS JCL

//TSO EXEC PGM=IKJEFT01,DYNAMNBR=60,
// PARM='%BLSCDDIR DSNAME(&SYSUID..BATCH.DDIR) VOLUME(AES003)'
//SYSPROC DD DISP=SHR,DSN=SYS1.SBLSCLI0
//TRACE DD DISP=SHR,DSN=trace.dataset <=== INPUT
//IPCSPRNT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
IPCS NOPARM
DROPD FILE(TRACE)
SETDEF NOCONFIRM PRINT NOTERM
CTRACE DDNAME(TRACE) COMP(SYSTCPDA) +
SUB((TCPIP)) OPTIONS(( FTP(20,21) )) FULL GMT
END /* IPCS */
//

Packet Trace Decoding – IPCS Output

IPCS PRINT LOG FOR USER AESDJC1 1 17:15:42 07/20/04
________________________________________________________________
COMPONENT TRACE FULL FORMAT
SYSNAME(P390)
COMP(SYSTCPDA)SUBNAME((TCPIP))
z/OS TCP/IP Packet Trace Formatter, (C) IBM 2000-2004, 2003.293
FILE(TRACE')
**** 2004/07/20
RcdNr Sysname  Mnemonic Entry Id Time Stamp      Description
----- -------- -------- -------- --------------- --------------------------------
    1 P390     PACKET   00000001 21:13:11.369759 Packet Trace
From Interface : ETH1 Device: LCS Ethernet Full=48
Tod Clock : 2004/07/20 21:13:11.369745
Sequence # : 0 Flags: Pkt Ver2
Source Port : 3068 Dest Port: 21 Asid: 0034 TCB: 00000000
IpHeader: Version : 4 Header Length: 20
Tos : 00 QOS: Routine Normal Service
Packet Length : 48 ID Number: BEFD
Fragment : DontFragment Offset: 0
TTL : 128 Protocol: TCP CheckSum: D202 FFFF
Source : 137.72.43.64
Destination : 137.72.43.247
TCP
Source Port : 3068 () Destination Port: 21 (ftp)
Sequence Number : 834806980 Ack Number: 0
Header Length : 28 Flags: Syn
Window Size : 64240 CheckSum: BBCF FFFF Urgent Data Pointer: 0000
Option : Max Seg Size Len: 4 MSS: 1460
Option : NOP
Option : NOP
Option : SACK Permitted
IP Header : 20

Packet Trace – Unfiltered by Application Ports

Packet Trace – Filtered by Application Ports

Packet Trace – Zoom in on FTP Control Session

FTP Data Session: “connection reset by peer”

FTP Data Session: “connection reset by peer”

Packet Details

FTP Control Session: “451 transfer aborted”

FTP Control Session: exceptions

FTP Tuning

• Use the right Data Type (EBCDIC vs. ASCII)
• TCP Window Size: the maximum amount of data that can be in the network at any time for a single connection.
• Optimal TCP Window Size = Bottleneck Bandwidth * Round-trip Time (RTT)
• E.g., the slowest link = 45 Mbit/sec, RTT = 20 ms
  45 Mbit/sec * 20 ms
  = 45,000,000 bits/sec * .020 sec
  = 900,000 bits = 109.86 KBytes
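The window formula above, carried one step further as an added example (not part of the original slides): it computes the optimal window, the TCP window scale shift needed to advertise it, and the throughput ceiling a given window imposes at that RTT. Function names and the 65535-byte "current window" are assumptions for illustration.

```python
# Added example: window sizing from the slide's formula (names are illustrative).
MAX_UNSCALED_WINDOW = 65535   # 16-bit TCP window field
MAX_WINDOW_SHIFT = 14         # largest window scale shift TCP allows

def optimal_window_bytes(bottleneck_bps, rtt_ms):
    """Bandwidth * RTT, converted from bits to bytes."""
    return bottleneck_bps * rtt_ms // 8000

def window_scale_shift(window_bytes):
    """Smallest window scale shift that lets TCP advertise window_bytes."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < window_bytes:
        shift += 1
        if shift > MAX_WINDOW_SHIFT:
            raise ValueError("window exceeds what TCP window scaling allows")
    return shift

def max_throughput_bps(window_bytes, rtt_ms):
    """Ceiling on one connection's throughput: one window per round trip."""
    return window_bytes * 8 * 1000 // rtt_ms

def report(bottleneck_bps, rtt_ms, current_window_bytes):
    optimal = optimal_window_bytes(bottleneck_bps, rtt_ms)
    ceiling = max_throughput_bps(current_window_bytes, rtt_ms)
    return {
        "optimal_window_bytes": optimal,
        "optimal_window_kbytes": round(optimal / 1024, 2),
        "scale_shift_needed": window_scale_shift(optimal),
        "current_ceiling_bps": ceiling,
        "link_filled": ceiling >= bottleneck_bps,
    }

if __name__ == "__main__":
    # Slide's example: slowest link 45 Mbit/sec, RTT 20 ms.
    # 65535 is an assumed current window, not a value from the slides.
    print(report(45_000_000, 20, 65535))
```

With the slide's numbers, an unscaled 65535-byte window caps a single transfer at about 26 Mbit/sec, so the 45 Mbit/sec link cannot be filled without window scaling.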


FTP Tuning

• RTT
  • Ping with default packet size; e.g., 256
  • Ping with “average” FTP packet size
  • SMF 119 TCP Connection Termination Record (RTT at time of connection close)
  • Packet trace
• Window Size
  • SMF 119 TCP Connection Termination Record
  • Packet trace


SMF 119 TCP Connection Termination Record


How to Analyze FTP

• Global usage patterns: How many FTPs does the installation run and when
• Heavy users: Typically may be responsible for 80% of the workload
• Heavy data set usage: Often moved around or duplicates made for security and other redundancy reasons
• Failures: Who and Why
• FTP performance analysis: throughput
• Unauthorized attempts


FTP Analysis - Global Usage Patterns

• Total FTP sessions
• Total FTP bytes
• FTP server vs. FTP client activities
• When are heavy FTPs done?
• Are gigabyte file transfers done?


FTP Analysis - Heavy Data Set Usage

• Which data sets are most heavily used?
• Certain type? SEQ/ JES/ SQL?
• Can reposition or copy data sets for better performance?


FTP Analysis - Failures

• Are there any failures?
• Logon failure vs. data transfer failure
• When do failures occur?
• Who are the top failing clients?
• What are the top failing datasets?
• At a specific time of day?
• Correlated with heavy usage?
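One way to answer the failure questions above, as an added example that is not part of the original slides: it separates logon failures from transfer failures by FTP reply code, ranks failing clients and data sets, buckets failures by hour, and lists clients whose repeated logon failures may be unauthorized attempts. The CSV layout, column names, sample rows and threshold are constructed for illustration and are not the SMF 118/119 record format.

```python
import csv
import io
from collections import Counter

# Constructed sample: FTP server activity already extracted to CSV.
# Column names are hypothetical, not the SMF 118/119 field layout.
SAMPLE = """\
time,client_ip,user,dataset,reply
2006-03-06T02:10:05,192.0.2.15,OPER1,,530
2006-03-06T02:10:09,192.0.2.15,OPER1,,530
2006-03-06T02:10:14,192.0.2.15,ADMIN,,530
2006-03-06T02:11:40,198.51.100.7,PAYROLL,PROD.PAY.DATA,451
2006-03-06T02:15:02,198.51.100.7,PAYROLL,PROD.PAY.DATA,250
2006-03-06T14:30:11,198.51.100.9,BATCH1,PROD.GL.EXTRACT,451
2006-03-06T14:31:45,198.51.100.9,BATCH1,PROD.GL.EXTRACT,451
2006-03-06T14:40:00,192.0.2.15,OPER1,,230
"""

def classify(reply):
    """Map an FTP reply code to logon failure, transfer failure or ok."""
    if reply == "530":        # RFC 959: not logged in
        return "logon_failure"
    if reply[0] in "45":      # any other 4xx/5xx negative reply
        return "transfer_failure"
    return "ok"

def analyze(text, logon_threshold=3):
    clients, datasets, hours, logons = Counter(), Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(text)):
        kind = classify(row["reply"])
        if kind == "ok":
            continue
        clients[row["client_ip"]] += 1
        hours[row["time"][11:13]] += 1      # hour of day, "HH"
        if kind == "logon_failure":
            logons[row["client_ip"]] += 1
        elif row["dataset"]:
            datasets[row["dataset"]] += 1
    suspects = sorted(ip for ip, n in logons.items() if n >= logon_threshold)
    return {
        "top_clients": clients.most_common(3),
        "top_datasets": datasets.most_common(3),
        "by_hour": sorted(hours.items()),
        "possible_unauthorized": suspects,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```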


FTP Historical Trending and Analysis

• Number of server/client sessions
• Types of transfers (SEQ/SQL/JES)
• Amount of transfers
• Failures
• Heavy usage hours
• Throughput
• Workload analysis = proactive problem diagnostics


Additional Information

• Open source network protocol analyzer - Ethereal (www.ethereal.com)
• IP Configuration Reference (SC31-8776)
• Sample FTP server exit code in SEZAINST:
  • FTCHKCMD
  • FTCHKIP
  • FTCHKPWD
  • FTPOSTPR

