How can a trace containing only outbound SYN packets be captured using Netmaster?
This would be helpful to get a sense of how much traffic originating on the mainframe goes to outside destinations. No data packets are needed.
Yes.
From /SMART create a trace definition starting with the definition type of New TCP Trace.
The first screen contains the name, description and the stack to be accessed.
Name ............... SYNTRACE
Description ........ Trace only SYN packets
Trace Packets with:
TCP/IP Stack .......+ TCPIP
Interface Name .....+
Local Host ..........
Local Ports .........
Foreign Host ........
Foreign Ports .......
The second screen filters on the TCP flags, to collect SYN packets only, and on the packet DIRECTION. SYN/ACK packets must be filtered out here as well, so an expression is needed to do so.
Trace Packets with:
TCP Flags .......+ SYN and not ACK
(SYN,ACK,PSH,RST,URG,FIN or an expression e.g. SYN and not ACK)
Packet Direction ........... (In or Out)
Screen 3 remains blank.
Screen 4 contains the max number of records to be kept in the trace. Maximum is 9999.
Trace Options:
Trace Limit ............... 9999 (Number of packets)
Stop At Limit? ............ YES (Yes or No)
Trace Expiry .............. 1:00 (hhh:mm)
Stop Options:
Packets After Stop......... 0 (Number of packets after stop condition met)
The remaining parameters on that page can be set as desired.
It would make sense to stop the trace after 9999 connections and start it again if needed.
That retains all the SYN packets for 9999 connections, both inbound and outbound.
Once the trace ends, select it with EX to export it to libpcap format, where it is then possible to filter on outbound-only packets.
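The post-export filtering step above, as an added example that is not part of the original answer or of NetMaster itself: a standard-library Python script that reads a libpcap file, keeps only connection-opening SYNs (SYN set, ACK clear) and reports those whose source is one of the stack's own addresses. It assumes an Ethernet link type in the exported pcap, a little-endian microsecond pcap header, and that the local (mainframe) address is known; the sample trace and the address 10.0.0.5 are constructed for the demonstration.

```python
"""Filter an exported SYNTRACE pcap down to outbound SYN packets.

Added example, not NetMaster code. Assumes Ethernet frames, IPv4/TCP and a
known set of local stack addresses; checksums in the constructed frames are zero.
"""
import struct
import ipaddress

# pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in pcap record headers: ts_sec, ts_usec, incl_len, orig_len."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_pcap_records(data):
    """Yield raw frames from a little-endian microsecond pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    offset = 24
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:  # IP protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16]))
    dst = str(ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20]))
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    flags = frame[tcp_off + 13]
    return src, dst, sport, dport, flags


def outbound_syns(pcap_bytes, local_hosts):
    """Keep connection-opening SYNs (SYN set, ACK clear) whose source is a local host.

    This is the same 'SYN and not ACK' test the trace definition applies, plus
    the direction check done by source address after export.
    """
    local = {ipaddress.IPv4Address(h) for h in local_hosts}
    result = []
    for frame in iter_pcap_records(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        is_syn_only = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
        if is_syn_only and ipaddress.IPv4Address(src) in local:
            result.append((src, dst, sport, dport))
    return result


# Constructed sample trace; the stack address 10.0.0.5 is an assumption for the demo.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "192.0.2.10", 40000, 443, TCP_SYN),                   # outbound SYN
    build_packet("192.0.2.10", "10.0.0.5", 443, 40000, TCP_SYN | TCP_ACK),         # SYN/ACK reply
    build_packet("198.51.100.7", "10.0.0.5", 51000, 23, TCP_SYN),                  # inbound SYN
    build_packet("10.0.0.5", "192.0.2.10", 40000, 443, TCP_ACK | TCP_PSH, b"x"),   # data segment
    build_packet("10.0.0.5", "203.0.113.9", 40001, 22, TCP_SYN),                   # outbound SYN
])

if __name__ == "__main__":
    for row in outbound_syns(SAMPLE_PCAP, ["10.0.0.5"]):
        print("%s:%d -> %s:%d" % row)
```

On a real export, replace SAMPLE_PCAP with the file contents (open(path, "rb").read()) and pass the stack's home addresses as local_hosts; the count of returned rows is the number of outbound connection attempts captured before the 9999-packet limit stopped the trace.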