Tips / Tricks – 7/2/15 (update)

Updated.  Added update to the packet capture section below, included pcap export!

ISPF editor

  • Want more real estate in your ISPF editor?   In an editing session enter EDSET in the command line, then check the line marked:
      X Remove action bars in ISPF edit and view panels
    This will remove the menu bars and give you more room.   If you haven’t already, I’d clear these two settings in the main menu ISPF settings also.

ispf_set

Unix System Services

  • These commands will help you find / list APF authorized binaries in USS.  First one finds apf auth with sticky bit (suid) set.  These could be great targets for exploits.  Second finds all apf authorized binaries (no dll’s or shared object files).  The ls -E is just a switch to ls, you can use separately to show the extended flags.  an “a” in the display (e.g.  a-s-) means the apf auth bit is set.
    • find / -type f -ext a \( -perm -2000 -o -perm -4000 \) -exec ls -l {} \;
    • find / -type f -ext a -exec ls -E {} \;|grep -v .so|grep -v .dll

Packet Captures – TCP/IP Networking

  • Getting a packet capture on a mainframe is a non-trivial event.  I’ll save you the trouble of digging up all the requisite tutorials and lay down my version here:

There are 4 major components to this effort:
1) A trace writer proc, put in your favorite PROCLIB, created with JCL such as:

2) The TCPIP packet trace functionality. Started with a command like this from the master console or SDSF – (check the link at the bottom for more filter options):

3) Then, start the writer and execute the capture by issuing the following commands:

4) Using the IPCS functionality to format the trace into a spool file.  I use JCL like this (Make sure to modify datasets to match your system):

Bonus Step 5)  If you want to export the dump to a pcap file, readable by tcpdump, wireshark and the like, substitute step 4 JCL (the inline portion after DD* only) for something like the following:

Then I like to use USS copy and sftp (make sure you use something that does strict binary transfer) to dump the file to your PC and open with Wireshark.  Enjoy!

That’s it .. simple right?

Here’s some useful links:

TCPIP Packet Tracing

How to collect packet trace on z/OS

V TCPIP,,PKT command syntax

ZOS IP Diagnosis Guide (SNIFFER CTRACE and others syntax)