Trace Output Formatted for PCAP
IBM i has two ways to trace network traffic: Communications Trace, and Trace Connection.
By Dawn May, 08/02/2017
IBM i has two ways to trace network traffic:
- Communications Trace
Communications trace is a service function that allows data that flows over a communications line (such as Ethernet) to be collected for analysis.
- Trace Connection (TRCCNN)
Trace Connection is a service function that provides output similar to the general communications trace, but it collects the trace data at the Licensed Internal Code (LIC) TCP/IP layer. TRCCNN is useful when your data is encrypted with SSL or IP security, because TRCCNN collects the data before encryption and after decryption. (You may want to read about Functional Usage Capabilities to restrict who can use this command.)
In 7.1 the DMPCMNTRC command was enhanced. The “format” parameter now supports the *PCAP special value to dump the trace in PCAP format. You no longer need to create a data area as you did in the 6.1 release.
You can also dump Trace Connection (TRCCNN) traces in PCAP format. The STMF parameter was added to the TRCCNN command in the 7.1 release. Saving TRCCNN data in PCAP format is also simple – note the stream file name has .cap as the file extension.
TRCCNN SET(*OFF) TRCTBL(TCPIP) OUTPUT(*STMF) TOSTMF('/path/file.cap' *YES)
There are a couple of helpful IBM Support Articles on this topic:
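Once a stream file such as '/path/file.cap' has been copied to an analysis workstation, a quick structural check confirms it is a complete capture before it is opened in a packet analyzer. The following is an added example, not code from the article or from IBM; it assumes the file uses the classic libpcap layout (the article does not say which PCAP variant is written), and the names `inspect_pcap` and `constructed_sample` are hypothetical.

```python
import struct

# Classic libpcap magic values as seen when the first 4 bytes are read little-endian.
MAGICS = {
    0xA1B2C3D4: ("<", "microsecond"),
    0xD4C3B2A1: (">", "microsecond"),
    0xA1B23C4D: ("<", "nanosecond"),
    0x4D3CB2A1: (">", "nanosecond"),
}
PCAPNG_BLOCK = 0x0A0D0D0A  # pcapng section header block: a different format


def inspect_pcap(data: bytes) -> dict:
    """Validate the global header and walk every packet record (hypothetical helper)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAPNG_BLOCK:
        raise ValueError("pcapng file, not classic pcap")
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    endian, resolution = MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        # Each record: 16-byte header (ts_sec, ts_frac, incl_len, orig_len) + data.
        if offset + 16 > len(data):
            truncated = True
            break
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            truncated = True
            break
        offset += 16 + incl_len
        packets += 1
    return {"version": f"{major}.{minor}", "resolution": resolution,
            "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def constructed_sample(cut: int = 0) -> bytes:
    """Constructed two-packet capture for the demo; not real IBM i trace output."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payload = bytes(60)
    record = struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload
    blob = header + record + record
    return blob[:len(blob) - cut]
```

For a transferred trace, pass the file contents, for example `inspect_pcap(open(path, "rb").read())`; a `truncated` result of `True` usually means the transfer or the dump was cut short.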
Dawn May is an IBM i consultant. She owns Dawn May Consulting, LLC in the Greater Boston area. Dawn is a former IBM senior technical staff member.