Updated. Added update to the packet capture section below, included pcap export!
ISPF editor
- Want more real estate in your ISPF editor? In an editing session enter EDSET in the command line, then check the line marked:
X Remove action bars in ISPF edit and view panels
This will remove the menu bars and give you more room. If you haven’t already, I’d clear these two settings in the main menu ISPF settings also.
Unix System Services
- These commands will help you find / list APF authorized binaries in USS. First one finds apf auth with sticky bit (suid) set. These could be great targets for exploits. Second finds all apf authorized binaries (no dll’s or shared object files). The ls -E is just a switch to ls, you can use separately to show the extended flags. an “a” in the display (e.g. a-s-) means the apf auth bit is set.
- find / -type f -ext a \( -perm -2000 -o -perm -4000 \) -exec ls -l {} \;
- find / -type f -ext a -exec ls -E {} \;|grep -v .so|grep -v .dll
Packet Captures – TCP/IP Networking
- Getting a packet capture on a mainframe is a non-trivial event. I’ll save you the trouble of digging up all the requisite tutorials and lay down my version here:
There are 4 major components to this effort:
1) A trace writer proc, put in your favorite PROCLIB, created with JCL such as:
|
|
//TCPWTR PROC //IEFPROC EXEC PGM=ITTTRCWR,REGION=0K,TIME=1440 //TRCOUT01 DD DSNAME=<lib>.CTRACE1,UNIT=SYSDA, // VOL=SER=<volume>, // SPACE=(4096,(100,10),,CONTIG),DISP=(OLD), // DCB=(DSORG=PS) |
2) The TCPIP packet trace functionality. Started with a command like this from the master console or SDSF – (check the link at the bottom for more filter options):
|
|
V TCPIP,,PKT,ON,FULL,[IP=...],[PORTNUM=...] |
3) Then, start the writer and execute the capture by issuing the following commands:
|
|
TRACE CT,WTRSTART=TCPWTR,WRAP TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP) <respond to the WTOR xx> R XX,WTR=TCPWTR,END <do the activity you want traced here> TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP) R XX,WTR=DISCONNECT,END TRACE CT,OFF,COMP=SYSTCPDA,SUB=(TCPIP) TRACE CT,WTRSTOP=TCPWTR V TCPIP,,PKT,OFF |
4) Using the IPCS functionality to format the trace into a spool file. I use JCL like this (Make sure to modify datasets to match your system):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
//TCPTRFMT JOB 'format tcptrace', // 'user', // NOTIFY=&SYSUID, // MSGCLASS=H, // MSGLEVEL=(1,1) //DUMP EXEC PGM=IKJEFT01 //SYSPRINT DD SYSOUT=* //SYSUDUMP DD SYSOUT=* //SYSTSPRT DD SYSOUT=* //PRINTER DD SYSOUT=* //SYSPROC DD DISP=SHR,DSN=SYS1.CLIST //IPCSPARM DD DISP=SHR,DSN=SYS1.PARMLIB //IPCSPRNT DD SYSOUT=* //IPCSTOC DD SYSOUT=* //IPCSDDIR DD DSN=<user>.DDIR,DISP=SHR //SYSTSIN DD * IPCS NOPARM DROPD SETD DSN('<user>.IPCS.CTRACE1') CTRACE COMP(SYSTCPDA) LOCAL FULL - OPTIONS((PACKETTRACE)) END /* |
Bonus Step 5) If you want to export the dump to a pcap file, readable by tcpdump, wireshark and the like, substitute step 4 JCL (the inline portion after DD* only) for something like the following:
|
|
IPCS NOPARM DROPD SETD DSN('<user>.IPCS.CTRACE1') ALLOC F(SNIFFER) + DATASET(PACKET.TRC) SPACE(15 15) TRACK + REUSE LRECL(8000) BLKSIZE(32000) CTRACE COMP(SYSTCPDA) FULL OPTIONS((SNIFFER(8000,TCPDUMP)) END |
Then I like to use USS copy and sftp (make sure you use something that does strict binary transfer) to dump the file to your PC and open with Wireshark. Enjoy!
|
|
$ cp "//'<user>.PACKET.TRC'" ./packet.pcap ..... (then from your pc) sftp <uss system> sftp> get packet.pcap |
That’s it .. simple right?
Here’s some useful links:
TCPIP Packet Tracing
How to collect packet trace on z/OS
V TCPIP,,PKT command syntax
ZOS IP Diagnosis Guide (SNIFFER CTRACE and others syntax)