Skip to main content

Trace Output Formatted for PCAP

IBM i has two ways to trace network traffic: Communications Trace, and Trace Connection.

Dawn May August 2, 2017

Dump a Communications Trace was a blog I wrote back in 2009. That article reviewed the support for dumping the trace data in “packet capture” (PCAP) format and hinted that the DMPCMNTRC command would likely be updated to support this feature (without the need for a data area).

IBM i has two ways to trace network traffic:

  • Communications Trace
    Communications trace is a service function that allows data that flows over a communications line (such as Ethernet) to be collected for analysis.
     
  • Trace Connection (TRCCNN)
    Trace Connection is a service function that provides output similar to the general communications trace, but it collects the trace data at the Licensed Internal Code (LIC) TCP/IP layer. TRCCNN is useful when your data is encrypted with SSL or IP security as TRCCNN collects the data before encryption and after decryption. (You may want to read about Functional Usage Capabilities to restrict who can use this command.)

Once you have collected the trace data, it can be dumped to a spooled file or a stream file. If you chose to dump the data to a stream file, it can be saved in “packet capture” (PCAP) format and you can use other tools to analyze that data. A commonly used application for analyzing communications protocol data is Wireshark. This approach can make it easier for networking experts to analyze the communications data collected by your IBM i.

In 7.1 the DMPCMNTRC command was enhanced. The “format” parameter now supports the *PCAP special value to dump the trace in PCAP format. You no longer need to create a data area as you did in the 6.1 release.

You can also dump Trace Connection (TRCCNN) traces in PCAP format. The STMF parameter was added to the TRCCNN command in the 7.1 release.  Saving TRCCNN data in PCAP format is also simple – note the stream file name has .cap as the file extension.

TRCCNN SET(*OFF) TRCTBL(TCPIP) OUTPUT(*STMF) TOSTMF('/path/file.cap' *YES)

There are a couple of helpful IBM Support Articles on this topic:

Related Articles See more

Articles

Multitasking with Navigator for i

Dawn May

May 2, 2024

Articles

Getting Started with the Performance Data Investigator

Dawn May

April 1, 2024

Articles

Collection Services Configuration on IBM i

Dawn May

February 14, 2024

© 2024 TechChannel. All rights reserved

Key Enterprises LLC is committed to ensuring digital accessibility for techchannel.com for people with disabilities. We are continually improving the user experience for everyone, and applying the relevant accessibility standards.