Here’s something to think about if you want to do your own analysis of an IBM i communications trace (comm trace) using the open-source Wireshark packet analyzer.
By default, an IBM i comm trace outputs to a printer file, which is not readable by Wireshark. But if you’ve opened a ticket with IBM to do comm trace analysis, you can request IBM to convert the comm trace printout into Wireshark format. Once converted, you just download it from a link IBM will provide.
We just finished a ticket with IBM to set up a comm trace. We put a Wireshark trace on a PC client and started a corresponding comm trace on our IBM i. When finished, we sent both traces to IBM for analysis. After analysis, IBM converted the IBM i trace to Wireshark format, and we downloaded it and gave it to our network for further analysis.
So keep this in mind the next time you need to look at network traffic coming from an IBM i partition. With IBM’s help, you can get the trace data in an open-source format your Intel- and Cisco-centric team can deal with.
Yes, I just learned about Wireshark this week. Installed QSPTLIB yesterday. I think we should talk about this in Four Hundred Guru. If you don’t want to, I will.
I’m the same as you. I didn’t know that IBM had a Wireshark conversion tool for comm trace, either. That is something I think we should talk and post in Four Hundred Guru or elsewhere.
Anybody out there have any more information or links to an IBM i Wireshark conversion tool?
In V6.1 there was a PTF that allowed DMPCMNTRC to output in *PCAP format.
In V7.1 it is built in.
Dump Communications Trace (DMPCMNTRC)
Stream file format . . . . . . . *CMNTRC *CMNTRC, *PCAP
Thanks for the info Brian. This helps a lot.
We use comm traces to assist in diagnosing comm issues and performance problems. Dumping the trace to PCAP format and using Wireshark is so much better than scanning a spooled file.
Just used the native V7R1 PCAP support last week diagnosing a problem in a Java application that communicated with a web service to determine precise timings of transmissions and responses.
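Added example, not code from this thread: a small Python check that a stream file dumped by DMPCMNTRC in *PCAP format is a classic PCAP Wireshark will open (magic number, byte order, Ethernet link type), plus the request/response timing measurement described in the post above. The capture, addresses and ports are constructed inline; the script assumes classic PCAP, not pcapng, and only looks at IPv4/TCP frames.

```python
import struct
from ipaddress import ip_address

# PCAP magic, read big-endian from the first 4 bytes -> (record byte order, timestamp ticks per second)
MAGICS = {0xA1B2C3D4: (">", 10**6), 0xD4C3B2A1: ("<", 10**6), 0xA1B23C4D: (">", 10**9), 0x4D3CB2A1: ("<", 10**9)}
LINKTYPE_ETHERNET = 1

def parse_pcap(data):  # yields (seconds, src_ip, dst_ip, src_port, dst_port) for each IPv4/TCP frame
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in MAGICS: raise ValueError("not a classic PCAP file (magic %#x)" % magic)
    order, ticks = MAGICS[magic]
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]   # 24-byte global header
    if linktype != LINKTYPE_ETHERNET: raise ValueError("unexpected link type %d" % linktype)
    pos = 24
    while pos + 16 <= len(data):                                 # 16-byte record header
        sec, frac, incl, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        pkt, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # keep only IPv4 (EtherType 0x0800) carrying TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # skip Ethernet header and IHL*4 bytes of IP header
        if len(tcp) >= 4:
            yield (sec + frac / ticks, str(ip_address(pkt[26:30])),
                   str(ip_address(pkt[30:34])), *struct.unpack(">HH", tcp[:4]))

def response_times(data, client_ip, server_ip):
    """Seconds from each client->server packet to the next server->client packet."""
    pending, delays = None, []
    for ts, src, dst, _sport, _dport in parse_pcap(data):
        if (src, dst) == (client_ip, server_ip) and pending is None:
            pending = ts
        elif (src, dst) == (server_ip, client_ip) and pending is not None:
            delays.append(round(ts - pending, 6))
            pending = None
    return delays
def _frame(src, dst, sport, dport):  # constructed minimal Ethernet/IPv4/TCP frame, checksums left zero
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
def _pcap(records):  # constructed little-endian PCAP container with microsecond timestamps
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return head + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records)
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"   # constructed addresses
SAMPLE_PCAP = _pcap([
    (1000, 100000, _frame(CLIENT, SERVER, 51000, 443)),  # request 1
    (1000, 350000, _frame(SERVER, CLIENT, 443, 51000)),  # response 1, 250 ms later
    (1001, 0, _frame(CLIENT, SERVER, 51000, 443)),       # request 2, sent as two segments
    (1001, 20000, _frame(CLIENT, SERVER, 51000, 443)),
    (1002, 500000, _frame(SERVER, CLIENT, 443, 51000)),  # response 2, 1.5 s later
])
```

Call `response_times(open("trace.pcap", "rb").read(), client, server)` on a real dump to get the same per-request delays Wireshark's conversation view shows.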
PCAP support has been available for years – since V5R3.
V5R3 & V5R4 – convert trace to PCAP format supported via QSPTLIB
V6R1 – PTF for DMPCMNTRC
V7R1 – Native support for PCAP format
Thanks, Gary. I’m getting a good education on this. Looks like the next opportunity I’ll have to use Wireshark on IBM i will be next month. Ted Holt is thinking about writing an article on this for Four Hundred Guru.