SMARTRACE to capture only outbound SYN packets

Document ID : KB000118423
Last Modified Date : 24/10/2018
Question:
How can a trace containing only outbound SYN packets be captured using Netmaster?
This would be helpful to get a sense of how much traffic originating on the mainframe goes to outside destinations. No data packets are needed.
Answer:
From /SMART create a trace definition starting with the definition type of New TCP Trace.

The first screen contains the name, description and the stack to be accessed.
Command ===>                                                       Page 1 of 4
Name ............... SYNTRACE   
Description ........Trace only SYN packets                        
                                           
Trace Packets with:                                                         
  TCP/IP Stack .......+ TCPIP                                           
  Interface Name .....+                                                   
  Local Host ..........,                                                    
  Local Ports .........                                                     
  Foreign Host ........                                                   
  Foreign Ports .......       
                                           

The second screen filters to collect SYN packets only. SYN-ACK packets must be filtered out here as well, so an expression is needed to do so.
Command ===>                                                       Page 2 of 4

Trace Packets with:
  TCP Flags .......+ SYN and not ACK                                         ,
              (SYN,ACK,PSH,RST,URG,FIN or an expression e.g. SYN and not ACK)


Screen 3 remains blank.

Screen 4 contains the maximum number of records to be kept in the trace. The maximum is 9999.
Command ===>                                                       Page 4 of 4

Trace Options:
  Trace Limit ............... 9999   (Number of packets)
  Stop At Limit? ............ YES    (Yes or No)
  Trace Expiry .............. 1:00   (hhh:mm)

Stop Options:
  Packets After Stop......... 0    (Number of packets after stop condition met)

The remaining parameters on that page can be set as desired.
It would make sense to stop the trace after 9999 connections and start it again if needed.
That retains all the SYN packets for 9999 connections, both inbound and outbound. Netmaster has no way of limiting to inbound only.

Once the trace ends, select it with EX to export it to libpcap format, where it is then possible to filter on outbound-only packets.
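One way to do the outbound-only filtering on the exported file, as an added example that is not part of the original document or of Netmaster: it reads a classic libpcap file, keeps SYN-and-not-ACK packets whose source address is one of the mainframe's own addresses, and counts them per destination. The function names, the sample addresses and the assumption that the export uses an Ethernet or raw-IP link type are illustrative.

```python
import socket, struct
from collections import Counter

SYN, ACK = 0x02, 0x10
L2_LEN = {1: 14, 101: 0}  # Ethernet, raw IP; the export's link type is an assumption

def outbound_syns(pcap, local_hosts):
    """Count SYN-and-not-ACK packets per (dst ip, dst port) sent by a local host."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    skip = L2_LEN.get(struct.unpack(order + "I", pcap[20:24])[0])
    if skip is None:
        raise ValueError("unsupported link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        ip = pcap[off + 16 + skip:off + 16 + incl]
        off += 16 + incl
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # keep IPv4 TCP only
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 14 or tcp[13] & (SYN | ACK) != SYN:
            continue  # same test as the trace filter "SYN and not ACK"
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if src in local_hosts:  # source is the mainframe, so the connection is outbound
            counts[(dst, struct.unpack("!H", tcp[2:4])[0])] += 1
    return counts

def _record(src, dst, sport, dport, flags):
    """Build one constructed raw-IPv4 TCP packet preceded by its pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("<IIII", 0, 0, 40, 40) + ip + tcp

# Constructed sample capture; 192.0.2.10 stands in for the mainframe's address.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101) + b"".join([
    _record("192.0.2.10", "198.51.100.5", 40001, 443, SYN),      # outbound
    _record("192.0.2.10", "198.51.100.5", 40002, 443, SYN),      # outbound
    _record("203.0.113.7", "192.0.2.10", 51000, 23, SYN),        # inbound
    _record("192.0.2.10", "203.0.113.7", 23, 51000, SYN | ACK),  # SYN-ACK reply
])

if __name__ == "__main__":
    for (dst, port), n in outbound_syns(SAMPLE, {"192.0.2.10"}).most_common():
        print(f"{dst}:{port} {n}")
```

For a real export, pass the file's bytes and the set of home addresses of the traced stack in place of `SAMPLE` and the sample address.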