FTP Server Exit - Aesclever.com

FTP Analysis via SMF Records, FTPServer Exits and Logging, and CTRACESHARE Session 3961February 28, 2005David ChengApplied Expert Systems, Inc.davec@aesclever.com

Agenda FTP Background Active FTP Passive FTP FTP commands and replies FTP Diagnostic Data FTP Server Exits FTP SMF Records SMF Type 118 vs. Type 119 FTP Server Logging Component Trace – IP packet trace FTP Analysis Sample FTP Server Exit CodeCopyright (C) 2005 Applied Expert Systems, Inc. 2

Control / Data ConnectionsControl connection A communication path between the Client and Server forthe exchange of commands & replies FTP Server Port 21 Connection stays up during the whole session, in whichmany files may be transferredData connection A full duplex connection over which data is transferred, ina specified mode and type FTP Server Port 20 (for active FTP) Usually one for each file transferCopyright (C) 2005 Applied Expert Systems, Inc. 3

Active FTP Server initiates data connection to the client Client connects from a random unprivileged port (N >1024) to the FTP server’s s port 21 Client starts listening to port N+1 and sends the FTPcommand PORT N+1 to the FTP server PORT h1,h2,h3,h4,p1,p2h1,h2,h3,h4 is the client’s s IP address, p1,p2 is the clientport number in an 8 bit high, low bit order The Server will then connect back to the client’s s specifieddata port from its local data port (port 20)Copyright (C) 2005 Applied Expert Systems, Inc. 4

FTP Active ModeFTP ClientPort XPort XPort XPort XPort XPort XPort YPort YPort YPort YFTP ServerSYN Port 21SYN ACK Port 21ACK Port 21PORT, IP address, port Y Port 21PORT command successful Port 21LIST, RETR, or STOR, etc. Port 21SYN Port 20SYN ACK Port 20ACK Port 20Data segments and ACKs Port 20Copyright (C) 2005 Applied Expert Systems, Inc. 5

FTP Data Session – Active ModeFTP Client Port X PORT, IP address, port Y Port X Port XFTP ServerPort 21PORT, IP address, port Y Port 21PORT command successful Port 21ACK Port 21Copyright (C) 2005 Applied Expert Systems, Inc. 6

Active FTPFTP ClientFTP Server1674 PORT 1675 21ACK1675 connect 20ACKCopyright (C) 2005 Applied Expert Systems, Inc. 7

Passive FTP Client initiates data connection to the server Firewall friendly When opening an FTP connection, the client opens 2random unprivileged ports locally (N > 1024 and N+1) The first port contacts the server on port 21 Client issues the PASV command (the PASV commandtakes no parameters) The server then opens a random port and sends ReplyCode 227 back to the client (similar to the PORTcommand) The client then initiates the connection from port N+1 toport P on the server to transfer dataCopyright (C) 2005 Applied Expert Systems, Inc. 8

FTP Passive ModeFTP ClientFTP ServerPort XSYN Port 21Port X SYN ACK Port 21Port XACK Port 21Port XPort XPort ZPort ZPort ZPort XPort ZPASV Port 21PASV OK, IP address, Port Y Port 21SYNPort YSYN ACKPort YACKPort YLIST, RETR, or STOR, etc. Port 21Data segments and ACKs Port 20Copyright (C) 2005 Applied Expert Systems, Inc. 9

Passive FTPFTP ClientFTP Server1673 PASV 21“227 Enter Passive Mode” 20201674 connect 2020ACKCopyright (C) 2005 Applied Expert Systems, Inc. 10

FTP CommandsCommands and Replies are sent across the controlconnection and are in plain text.Commands are 3 or 4 bytes characters, each withoptional parameters.The FTP commands specify the parameters for: the data connection (port) transfer mode data representation type and structure the nature of file system operation (store, retrieve,append, delete, etc.)Copyright (C) 2005 Applied Expert Systems, Inc. 11

Sample FTP CommandsAccess Control: USER PORT TYPE QUITTransfer: MODE RETR STORUser identificationData port specificationData representation (ASCII, EBCDIC, Image)Terminates a USER and the control connectionTransfer mode (Stream, Block, Compress)Server -> > Client file transferClient -> > Server file transferService: DELEDeletes a Server file LISTDirectory listing RNFRRenames from RNTORenames to (RNFR must be immediately followed by a RNTO command)Copyright (C) 2005 Applied Expert Systems, Inc. 12

FTP Replies Synchronization of requests and actions in the filetransfer process Guarantee that the user process always knows the stateof Server Every command must generate at least one reply An FTP reply consists of a 3-digit 3number (i.e., 3alphanumeric characters) followed by some text The number is intended for use by the software todetermine what to do next; the text is intended for thehuman user There may be more than one reply, in which case thesemultiple replies must be easily distinguishedCopyright (C) 2005 Applied Expert Systems, Inc. 13

FTP Reply Code1yz2yz3yz4yz5yzPositive preliminary replyPositive completion reply (a new command may be sent)Positive intermediate reply (another command must be sent)Transient negative reply (command can be re- issued later)Permanent negative reply (command should not be retried)x0zx1zx2zx3zx4zx5zSyntax errorInformationConnectionsAuthentication and accountingUnspecifiedFile system statusCopyright (C) 2005 Applied Expert Systems, Inc. 14

Sample FTP Reply Codes 150 File status okay; about to open data connection. 226 Transfer complete 227 Entering passive mode {h1,h2,h3,h4,p1,p2} 250 Requested file action okay, completed. 257 "PATHNAME" created. 350 Requested file action pending further information. 450 Requested file action not taken. File unavailable (e.g., file busy). b 550 Requested action not taken. File unavailable (e.g., file notfound, no access). 451 Requested action aborted. Local error in processing. 551 Requested action aborted. Page type unknown. 452 Requested action not taken. Insufficient storage space insystem. 552 Requested file action aborted. Exceeded storage allocation (forcurrent directory or data set). 553 Requested action not taken.Copyright (C) 2005 Applied Expert Systems, Inc. 15

C:\Windows>ftp 137.72.43.247Connected to 137.72.43.247.220-FTPD1 IBM FTP CS V1R4 at S390, 21:05:48 on 2004-0707-20.220 Connection will close if idle for more than 5 minutes.User (137.72.43.247:(none)): p390331 Send password please.Password:Note return code 220 (Serviceready for new user) and returncode 331(User name OK, needpassword.)Copyright (C) 2005 Applied Expert Systems, Inc. 16

FTP Diagnostics Data Connection attempts Client identification Active vs. Passive FTP FTP commands FTP replies Throughput PORT command hacking (FTP bounce attack)Copyright (C) 2005 Applied Expert Systems, Inc. 17

FTP Diagnostics DataEvent-driven, non-intrusive, lower overhead FTP Server Exits FTCHKIP – open connection FTCHKPWD – password verification FTCHKCMD – FTP command FTPOSTPR – FTP command completion FTCHKJES – Job submission FTPSMFEX – FTP server SMF record SMF records (Type 118 or 119) FTP Server SMF record FTP Client SMF record FTPLOGGING, ANONYMOUSFTPLOGGING (FTP Server) TRACE, DEBUG (FTP Server)Packet trace – detailed analysis at protocol levelCopyright (C) 2005 Applied Expert Systems, Inc. 18

FTP Server User ExitsR1 -> > parameter list, which is a series of pointers tovaluesThe first word of the parameter list always points to thereturn code (RC). RC=0 upon entry to an exit. If RC isnot 0, user will receive a negative replyThe second word of the parameter list always points to aword containing the number of parameters that followAPF-authorizedSTEPLIB DD in the FTPD procRACF considerationCopyright (C) 2005 Applied Expert Systems, Inc. 19

FTP Server Exit - FTCHKIPFTCHKIP is called at the initial stage of login orwhenever the user issues an OPEN command Client’s s IP address (IPV4) and port Server’s s IP address (IPV4) and port Socket address structure (IPV4 or IPV6) forthe client’s s control connection Socket address structure (IPV4 or IPV6) forthe server’s s control connection Session IDCopyright (C) 2005 Applied Expert Systems, Inc. 20

FTP Server Exit - FTCHKPWDFTCHKPWD is called after the user enters the password Client’s s user ID Client’s s password User data Number of bad passwords input in this logon attempt Socket address structure for the client’s s controlconnection Socket address structure for the server’s s controlconnection Session IDCopyright (C) 2005 Applied Expert Systems, Inc. 21

FTP Server Exit - FTCHKCMDFTCHKCMD is called whenever the client enters acommand Client’s s user ID Command Command parameters Current directory type: MVS, HFS File type: SEQ, JES, SQL Current working directory Address of a buffer for command modificationCopyright (C) 2005 Applied Expert Systems, Inc. 22

FTP Server Exit - FTPOSTPRFTPOSTPR is called upon completion of the FTP commands RETR,STOR, STOU, APPE, DELE, and RNTOClient’s s user IDClient’s s IP addressClient’s s portCurrent directory type: MVS, HFSCurrent working directoryCurrent file type: SEQ, JES, SQLFTP reply codeFTP reply stringFTP command codeCurrent CONDDISP setting: C for catalog, D for deleteCopyright (C) 2005 Applied Expert Systems, Inc. 23

FTP Server Exit - FTPOSTPRClose reason code: 0 – transfer completed normally 4 – transfer completed w/errorsee FTP reply code and text string 8 – transfer completed w/socket errors 12 – transfer aborted 16 – transfer aborted w/SQL file errorsDataset name or HFS file nameBytes transferredSocket address structure for the client’s s control sessionSocket address structure for the server’s s control sessionSession IDAddress of scratch pad area (256 bytes)Copyright (C) 2005 Applied Expert Systems, Inc. 24

FTP Server Exit - FTCHKJESFTCHKJES is called if the server is in FILETYPE=JESmode and the client tries to submit a jobClient’s s user IDCurrent logical recordNumber of bytes in the bufferJES LRECL being usedLogical record numberTotal number of bytes transferred so farUnique client IDJES RECFMJES user exit anchorSocket address structure for the client’s s control sessionSocket address structure for the server’s s control sessionSession IDAddress of scratchpad buffer (256 bytes)Copyright (C) 2005 Applied Expert Systems, Inc. 25

FTP Server Exit - FTPSMFEX FTPSMFEX is called before a type 118 SMF (FTPserver) record is written to SMF Type 119 SMF records must use the system-wide SMFexits IEFU83, IEFU84 and IEFU85 R1 -> > the following parameter list: Pointer to the return code Pointer to the type 118 SMF record On entry, the return code is set to 0. A return code of 0specifies that the SMF record will be writtenCopyright (C) 2005 Applied Expert Systems, Inc. 26

FTP Server Exit Installation APF-authorize the load library Add the load library to STEPLIB in the FTPDproc If RACF Program Control is active: SETROPTSWHEN(PROGRAM), you must define FTP exitsto RACF class PROGRAM Restart the FTP Daemon (for FTCHKIP)Copyright (C) 2005 Applied Expert Systems, Inc. 27

FTP Server Exit InstallationSample RACF Definition for FTCHKIP:RDEFINE PROGRAM FTCHKIPADDMEM(‘loadlibloadlib’/volser/NOPADCHK) UACC(READ)…SETR WHEN(PROGRAM) REFRESHWithout proper RACF definition, FTP client will get thefollowing error when logging in:550 PASS COMMAND FAILED - _PASSWD() ERROR: EDC5157I ANINTERNAL ERROR OCURREDCopyright (C) 2005 Applied Expert Systems, Inc. 28

Verify FTP Server Exits Start the FTP Server with the “TRACE”parameter; e.g., S FTPD,PARM=TRACE Check for the following messages in SYSLOG:BPXF024I (FTPD) Jan 5 18:01:34 ftpd 33619980 : DM1009 main:FTCHKIP successfully loadedBPXF024I (AESDJC1) Jan 6 02:01:57 ftps 16843115 : RX0625 main:chkpwdexit successfully loadedBPXF024I (AESDJC1) Jan 6 02:01:58 ftps 16843115 : RX0641 main:chkcmdexit successfully loadedBPXF024I (AESDJC1) Jan 6 02:01:58 ftps 16843115 : RX0696 main:FTPOSTPR successfully loadedCopyright (C) 2005 Applied Expert Systems, Inc. 29

FTP Server SMF Record FTP command FTP type: SEQ, JES, SQL Client IP address and port Server IP address and port Local user ID Data format: A: ASCII, E: EBCDIC, I: image(binary), D: double byte, U: UCS-2Copyright (C) 2005 Applied Expert Systems, Inc. 30

FTP Server SMF Record - Continued Mode – S: stream, B: block. C : compressed Start/End time of transmission Bytes transferred FTP reply code Dataset/member/file namesCopyright (C) 2005 Applied Expert Systems, Inc. 31

FTP Client SMF Record FTP command Client IP address and port Server IP address and port Data format Transfer mode Start/End time of transmission Byte count Dataset/file nameCopyright (C) 2005 Applied Expert Systems, Inc. 32

Enable TCP/IP SMF Recording SMFPRMxx – make sure that 118/119 is notbeing excluded from recording SMF Type 119 is available only in z/OS V1R2and later releases SMF Type 118 and Type 119 can co-exist To get FTP Server SMF record, configure FTPDATA as follows: 118: SMF STD 119: SMF TYPE119Copyright (C) 2005 Applied Expert Systems, Inc. 33

Enable TCP/IP SMF Recording To get FTP Client SMF record, configure TCP/IPPROFILE as follows: 118SMFCONFIG FTPCLIENT … 119SMFCONFIG … TYPE119 FTPCLIENT …Copyright (C) 2005 Applied Expert Systems, Inc. 34

Verify SMF RecordingSystem Level – issue the “D SMF,O” operator command, verify: SMFPRMxx member SMF parametersTCP/IP Level – issue the “NETSTAT,CONFIG” command Check the SMF Parameters listing; e.g.,SMF Parameters:Type 118:TcpInit: 00 TcpTerm: 00 FTPClient: 00TN3270Client: 00 TcpIpStats: 00Type 119:TcpInit: Yes TcpTerm: Yes FTPClient: YesTcpIpStats: Yes IfStats: Yes PortStats: YesStack: Yes UdpTerm: Yes TN3270Client: YesCopyright (C) 2005 Applied Expert Systems, Inc. 35

Verify SMF RecordingFTP Server – start the FTP server with the “TRACE” parameter;e.g., S FTPD,PARM=TRACELook for the write_smf_record messages; e.g.,250 Transfer completed successfully.BPXF024I (AESDJC1) Jan 6 02:02:08 ftps 16843115 : RU1463write_smf_record: entered with type 4BPXF024I (AESDJC1) Jan 6 02:02:08 ftps 16843115 : RU0754write_smf_record_119: entered with type 4.FTP Client – start the FTP client with the “trace” parameter, or issue the“debug” command from an FTP client session;e.g., ftp 137.72.43.247 (traceLook for the following messages: CU1963, CU1463, CU2241; e.g.,250 Transfer completed successfully.EZA1617I 2320 bytes transferred in 0.160 seconds. Transferrate 14.50 Kbytes/sec.CU1963 write_smf_record: entered with type 16.CU1463 write_smf_record_119: entered with type 16.CU2241 write_smf_record: length of smfrecord: 224Copyright (C) 2005 Applied Expert Systems, Inc. 36

Sample FTP Session 1ftp 137.72.43.243EZA1450I IBM FTP CS V2R8 1999 336 15:35 UTCEZA1554I Connecting to: 137.72.43.243 port: 21.220-FTPD1 IBM FTP CS V1R2 at p390.svo.test.com, 15:51:13 on 2002-08-16.220 Connection will close if idle for more than 5 minutes.EZA1459I NAME (137.72.43.243:P390):p390EZA1701I >>> USER p390331 Send password please.EZA1789I PASSWORD:EZA1701I >>> PASS230 P390 is logged on. Working directory is "AESDJC1.".EZA1460I Command:binEZA1701I >>> TYPE I200 Representation type is ImageEZA1460I Command:get 'aesdjc1.xmi' 'aesdjc1.xmi' (replaceEZA1701I >>> PORT 137,72,43,240,6,139200 Port request OK.EZA1701I >>> RETR 'aesdjc1.xmi'125 Sending data set AESDJC1.XMI FIXrecfm 80250 Transfer completed successfully.EZA1617I 166400 bytes transferred in 2.180 seconds. Transfer rate 76.33 Kbytes/sec.Copyright (C) 2005 Applied Expert Systems, Inc. 37

Sample FTP Session 1 – logging byFTP ExitsFTP OPEN CONNECTION,IP=137.72.43.240,PORT= 1674,TIME=14:51:13.67FTP CMD=USER ,USER= ,TIME=14:51:16.01,ARG=p390FTP CMD=PASS ,USER=P390 ,TIME=14:51:17.81,ARG=FTP LOGIN,USER=P390 ,TIME=14:51:17.81FTP CMD=TYPE ,USER=P390 ,TIME=14:51:23.03,ARG=IFTP CMD=PORT ,USER=P390 ,TIME=14:51:34.37,ARG=137,72,43,240,6,139FTP CMD=RETR ,USER=P390 ,TIME=14:51:34.40,ARG='aesdjc1.xmi'FTCHKIPFTCHKCMDFTCHKCMDFTCHKPWDFTCHKCMDFTCHKCMDFTCHKCMDFTP POST,CMD=RETR,USER=P390,IP=137.72.43.240,TYPE=MVS/SEQ,RC=250,REASON=0,TIME=14:51:36.93FTPOSTPRCopyright (C) 2005 Applied Expert Systems, Inc. 38

Sample FTP Session 1How to interpret the PORT commandPORT 137,72,43,240,6,139,6,139IP Address of the client: 137.72.43.240Port of the client: 256*6 + 139 = 1675Copyright (C) 2005 Applied Expert Systems, Inc. 39

Sample FTP Session 1: Active FTPFTP ClientFTP Server(137.72.43.240) (137.72.43.243)1674 PORT 1675 21ACK1675 connect 20ACKCopyright (C) 2005 Applied Expert Systems, Inc. 40

Sample FTP Session 1 – FTP ServerSMF dataFTPS:RETR,IP=137.72.43.240,PORT=21/1674,RC=250,User=P390,Format=S/S/IFormat=S/S/I,ABND=Start=15:51:34,End=15:51:34,Bytes=166400,Elapsed=0.010sec,Throughput=16640.00KB/secDSN1=AESDJC1.XMI/,DSN2=/Format:Data set type: P – partitioned, S – sequential, H – HFSMode:S – stream, B – block, C – compressedData format:A – ASCII, E – EBCDIC, I – image (binary),D – double-byte, byte, U – UCS-2Copyright (C) 2005 Applied Expert Systems, Inc. 41

Sample FTP Session 2EZA1460I Command:put 'aesdjc1.xmi' 'aesdjc1.small'EZA1701I >>> SITE FIXrecfm 80 LRECL=80 RECFM=FB BLKSIZE=3120200 SITE command was acceptedEZA1701I >>> PORT 137,72,43,240,6,142200 Port request OK.EZA1701I >>> STOR 'aesdjc1.small'125 Storing data set AESDJC1.SMALL451-System completion code and reason: D37-04451-Data set is out of space.451 Transfer aborted due to file error.EZA1460I Command:quitEZA1701I >>> QUIT221 Quit command received. Goodbye.READYCopyright (C) 2005 Applied Expert Systems, Inc. 42

Sample FTP Session 2 – logging byFTP ExitsFTP CMD=SITE ,USER=P390 ,TIME=14:53:28.45,ARG=FIXrecfm 80 LRECL=80RECFM=FB BLKSIZE=3120FTP CMD=PORT ,USER=P390 ,TIME=14:53:28.50,ARG=137,72,43,240,6,1420,6,142FTP CMD=STOR ,USER=P390 ,TIME=14:53:28.52,ARG='aesdjc1.small'FTP POST,CMD=STOR,USER=P390,IP=137.72.43.240,TYPE=MVS/SEQ,RC=451,REASON=4REASON=4,TIME=14:53:29.61FTP REPLY=Transfer aborted due to file error.FTP CMD=QUIT ,USER=P390 ,TIME=14:53:31.48,ARG=Copyright (C) 2005 Applied Expert Systems, Inc. 43

Sample FTP Session 2 – FTP ServerSMF RecordFTPS:STOR,IP=137.72.43.240,PORT=21/1674,RC=451RC=451,User=P390,Format=S/S/I,ABND=Start=15:53:28,End=15:53:29,Bytes=166400,Elapsed=0.500sec,Throughput=332.80KB/secDSN1=AESDJC1.SMALL/,DSN2=/Reply Code 451: Requested action aborted. Localerror in processing.Copyright (C) 2005 Applied Expert Systems, Inc. 44

Some Unique data in Type 119Self-defining sections (triplets) Number of data sections Offset to data sections Length of data sectionsTCP/IP identification section This is the first section in every type 119 record System name from SYSNAME in IEASYSxx Sysplex name from SYSPLEX in COUPLExx TCP/IP stack name, etc.Copyright (C) 2005 Applied Expert Systems, Inc. 45

Some Unique data in Type 119 All IP addresses are in 128-bit IPv6 format IPv4-mapped format: Bytes 0-9: 0X’00’ Bytes 10-11:11: X’FF’ Bytes 12-15:15: IPv4 address Has Both Control and Data ConnectionSession Info: Remote IP address and port number Local IP address and port numberCopyright (C) 2005 Applied Expert Systems, Inc. 46

Some Unique data in Type 119 Transmission Start/End Date Transmission byte count format: 64-bit integer z/OS floating point format FTP Client record has SOCKS section whendata was transferred through a SOCKSserver IP address and port number of SOCKSserver for Control Connection SOCKS protocol version (v4 or v5)Copyright (C) 2005 Applied Expert Systems, Inc. 47

FTP Server Logging (z/OS 1.4 or later)FTP Server can log activities to SyslogD via the followingFTP.DATA options:FTPLOGGING TRUEANONYMOUSFTPLOGGING TRUENine events are logged:CONNSECUREACCESSALLOCDEALLTRANSSUBMITQUERYABENDconnectivitysecurity (TLS/SSL, Kerberos)loginfile and data set allocationfile and data set de-allocationfile transferJES job submissionSQL queryabnormal terminationEach activity logging message has a message number withinthe range from EZYFS50 to EZYFS95Copyright (C) 2005 Applied Expert Systems, Inc. 48

FTP Server TracingTRACE run-time option for FTPDTRACE and DEBUG statements in FTP.DATA TRACE is equivalent to DEBUG BAS, which includes: DEBUG CMD DEBUG INT DEBUG FSC DEBUG SOCUse the SITE command to turn on tracing dynamically only for theduration of an FTP session Requires: DEBUGONSITE TRUE be specified in FTP.DATA z/OS example : site debug=bas MS/DOS example: quote site debug=basOutput in SYSLOGCopyright (C) 2005 Applied Expert Systems, Inc. 49

CTRACE – Packet TracingSet up External Writer ProcE.g., SYS1.PROCLIB(AESWRT)://IEFPROC EXEC PGM=ITTTRCWR,REGION=0K,TIME=1440,DPRTY=15//TRCOUT01 DD DISP=SHR,DSN=trace.datasetSet up tracing parametersE.g., SYS1.PARMLIB(CTAESPRM):TRACEOPTS ON WTR(AESWRT)Copyright (C) 2005 Applied Expert Systems, Inc. 50

CTRACE – Packet TracingTo Start Tracing:TRACE CT,WTRSTART=AESWRTV TCPIP,,PKT,CLEARV TCPIP,,PKT,LINKN=ETH1,ON,FULL,PROT=TCP,IP=TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP),PARM=CTAESPRMTo View Tracing Status:D TRACE,WTR=AESWRTD TCPIP,,NETSTAT,DETo Stop Tracing:V TCPIP,,PKT,OFFTRACE CT,OFF,COMP=SYSTCPDA,SUB=(TCPIP)TRACE CT,WTRSTOP=AESWRT,FLUSHCopyright (C) 2005 Applied Expert Systems, Inc. 51

CTRACE – Packet Tracing Analyze one FTP session at a time Separate the Control Session fromthe Data Session Check FTP commands and replies Look for packet retransmissions andunusual long response times TCP window sizeCopyright (C) 2005 Applied Expert Systems, Inc. 52

Sample FTP Session 3 FTP Session 3: ftp to 137.72.43.247 logon on as p390 use ASCII transfer mode get ‘AESDJC1.MAIN.CNTL(ASM)AESDJC1.MAIN.CNTL(ASM)’ QuitDiagnostic Data Sources: FTP Server Exits FTP SMF Records FTPLOGGING Packet tracingCopyright (C) 2005 Applied Expert Systems, Inc. 53

Data Source: FTP Server ExitsAES824I FTP OPEN CONNECTION,IP=137.72.43.64,PORT= 3068,TIME=17:13:11.39AES826I FTP CMD=USER ,USER= ,TIME=17:13:42.9417:13:42.94,ARG=p390AES826I FTP CMD=PASS ,USER=P390 ,TIME=17:13:45.39,ARG=AES825I FTP LOGIN,USER=P390 ,TIME=17:13:45.39AES826I FTP CMD=TYPE ,USER=P390 ,TIME=17:13:48.29,ARG=AAES826I FTP CMD=PORT ,USER=P390 ,TIME=17:13:56.34,ARG=137,72,43,64,12,6,72,43,64,12,6AES826I FTP CMD=RETR ,USER=P390 ,TIME=17:13:56.35,ARG='aesdjc1.main.cntl(asm)'AES827I FTP POST,CMD=RETR,USER=P390 ,IP=137.72.43.64,TYPE=MVS/SEQ,RC=250,REASON=0,TIME=17:13:57.10AES829I FTP POST,PORT=3068,DSN=AESDJC1.MAIN.CNTL(ASM),BYTES=0 gb + 2378 bytesAES839I FTP POST,SESSIONID=FTPD100005 ,CPU,TIME=0.567 SECONDS,EXCP=209AES826I FTP CMD=QUIT ,USER=P390 ,TIME=17:13:57.72,ARG=``Copyright (C) 2005 Applied Expert Systems, Inc. 54

Data Source: FTP SMF Server RecordAES801I FTPS:RETR,IP=137.72.43.64,PORT=21/3068,RC=250,User=P390,Format=P/S/A,ABND=AES802I Start=17:13:56,End=17:13:56,Bytes=2378,Elapsed=0.020sec,Throughput=118.90KB/secAES803I DSN1=AESDJC1.MAIN.CNTL /ASM ,DSN2=/Copyright (C) 2005 Applied Expert Systems, Inc. 55

Data Source: FTPLOGGING17:13:42.18 STC00404 00000090 BPXF024I (FTPD) Jul 20 21:13:42 ftpd 50397342 : EZYFS50I ID=FTPD100005191 00000090 CONN starts Client IPaddr=::ffff:137.72.43.64 hostname=UNKNOWN17:13:45.62 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:45 ftps 50397342 : EZYFS56I ID=FTPD100005192 00000090 ACCESS OK USERID=P39017:13:56.69 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS60I ID=FTPD100005193 00000090 ALLOC OK Use MVS DSN=AESDJC1.MAIN.CNTL(ASM)17:13:56.73 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS61I ID=FTPD100005194 00000090 ALLOC DDNAME=SYS00004 VOLSER=AES004 DSORG=PO DISP=(SHR,KEEP)17:13:56.85 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS70I ID=FTPD100005195 00000090 DEALL OK Release MVS DSN=AESDJC1.MAIN.CNTL(ASM)17:13:56.98 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:56 ftps 50397342 : EZYFS81I ID=FTPD100005196 00000090 TRANS MVS DSN=AESDJC1.MAIN.CNTL(ASM)17:13:57.02 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS84I ID=FTPD100005197 00000090 TRANS Stru=F Mode=S Type=A Output=2378 bytes17:13:57.06 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS80I ID=FTPD100005198 00000090 TRANS Reply=250 Transfer completed successfully.17:13:57.75 STC00404 00000090 BPXF024I (P390) Jul 20 21:13:57 ftps 50397342 : EZYFS52I ID=FTPD100005199 00000090 CONN ends Input=0 bytes Output=2378 bytesCopyright (C) 2005 Applied Expert Systems, Inc. 56

Packet Trace Decoding – IPCS JCL//TSO EXEC PGM=IKJEFT01,DYNAMNBR=60,// PARM='%BLSCDDIR DSNAME(&SYSUID..BATCH.DDIR) VOLUME(AES003)'//SYSPROC DD DISP=SHR,DSN=SYS1.SBLSCLI0//TRACE DD DISP=SHR,DSN=trace.dataset

Packet Trace Decoding – IPCS OutputIPCS PRINT LOG FOR USER AESDJC1 1 17:15:42 07/20/04_____________________________________________________________________________________________________COMPONENT TRACE FULL FORMATSYSNAME(P390)COMP(SYSTCPDA)SUBNAME((TCPIP))z/OS TCP/IP Packet Trace Formatter, (C) IBM 2000-2004, 2004, 2003.293FILE(TRACE')**** 2004/07/20RcdNr Sysname Mnemonic Entry Id Time Stamp Description----- -------- -------- -------- --------------- --------------------------------11 P390 PACKET 00000001 21:13:11.369759 Packet TraceFrom Interface : ETH1 Device: LCS Ethernet Full=48 FTod Clock : 2004/07/20 21:13:11.369745Sequence # : 0 Flags: Pkt Ver2Source Port : 3068 Dest Port: 21 Asid: 0034 4 TCB: 00000000IpHeader: Version : 4 Header Length: 20Tos : 00 QOS: Routine Normal ServicePacket Length : 48 ID Number: BEFDFragment : DontFragment Offset: 0TTL : 128 Protocol: TCP CheckSum: CD202 FFFFSource : 137.72.43.64Destination : 137.72.43.247TCPSource Port : 3068 () Destination Port: 21 (ftp)Sequence Number : 834806980 Ack Number: 0Header Length : 28 Flags: SynWindow Size : 64240 CheckSum: BBCF FFFF Urgent Data Pointer: 0000Option : Max Seg Size Len: 4 MSS: 1460Option : NOPOption : NOPOption : SACK PermittedIP Header : 20Copyright (C) 2005 Applied Expert Systems, Inc. 58

Packet Trace – SummaryCopyright (C) 2005 Applied Expert Systems, Inc. 59

Packet Trace – FTP Control SessionCopyright (C) 2005 Applied Expert Systems, Inc. 60

Packet Trace – FTP Data SessionCopyright (C) 2005 Applied Expert Systems, Inc. 61

How to Analyze FTP Global usage patterns: How many FTPs doesthe installation run and when Heavy users: Typically may be responsible for80% of the workload Heavy data set usage: Often moved around orduplicates made for security and otherredundancy reasons Failures: Who and Why FTP performance analysis: throughput Unauthorized attemptsCopyright (C) 2005 Applied Expert Systems, Inc. 62

FTP Analysis - Global UsagePatterns Total FTP sessions Total FTP bytes FTP server vs. FTP client activities When are heavy FTPs done? Are gigabyte file transfers done?Copyright (C) 2005 Applied Expert Systems, Inc. 63

FTP Analysis - Heavy Data Set Usage Which data sets are most heavily used? Certain type? SEQ/ JES/ SQL? Can reposition or copy data sets for betterperformance?Copyright (C) 2005 Applied Expert Systems, Inc. 64

FTP Analysis - Failures Are there any failures? Logon failure vs. data transfer failure When do failures occur? Who are the top failing clients? What are the top failing datasets? At a specific time of day? Correlated with heavy usage?Copyright (C) 2005 Applied Expert Systems, Inc. 65

FTP Historical Trending andAnalysis Number of server/client sessions Types of transfers (SEQ/SQL/JES) Amount of transfers Failures Heavy usage hours Throughput Workload analysis = proactive problemdiagnosticsCopyright (C) 2005 Applied Expert Systems, Inc. 66

Additional Information IP Configuration Reference (SC31-8776) Sample FTP server exit code in SEZAINST: FTCHKCMD FTCHKIP FTCHKJES FTCHKPWD FTPOSTPR RFC 959 (Postel and Reynolds 1985)Copyright (C) 2005 Applied Expert Systems, Inc. 67

FTCHKIP TITLE 'FTCHKIP - FTP OPEN CONNECTION EXIT'************************************************************************ ** FTCHKIP - FTP OPEN CONNECTION EXIT ** ** INPUT PARM LIST (Z/OS V1R4 MAPPING): ** +0 -> RC ** +4 -> NUMBER OF FOLLOWING PARMS ** +8 -> REMOTE IP ADDRESS (IPV4) ** +12 -> HALFWORD REMOTE PORT NUMBER (IPV4) ** +16 -> LOCAL IP ADDRESS (IPV4) *• +20 -> HALFWORD LOCAL PORT NUMBER (IPV4) *• +24 THROUGH +32: NOT USED BY THIS PROGRAM ** ** RETURN CODES: ** N/A ** ** WTO MSG FORMAT: ** FTCHKIP: IP=XXX.XXX.XXX.XXX,PORT=NNNNN,TIME=HH:MM:SS:TH ** ** SAMPLE OUTPUT: ** FTCHKIP: IP=137.72.43.141 ,PORT=01310,TIME=16:44:45.12 ** ** THIS IS UNSUPPORTED CODE WHICH IS PROVIDED ON AN "AS IS" BASIS. ** ANY EXPRESSED OR IMPLIED WARRANTIES ARE DISCLAIMED. ** YOU MAY NOT USE OR DISTRIBUTE THIS PROGRAM OR ANY DERIVATIVE WORKS ** IN ANY FORM FOR COMMERCIAL PURPOSES. ** ** COPYRIGHT (C) 2004 APPLIED EXPERT SYSTEMS, INC. ** UNPUBLISHED - ALL RIGHTS RESERVED. ** ************************************************************************Copyright (C) 2005 Applied Expert Systems, Inc. 68

FTCHKIP CSECTFTCHKIP AMODE 31FTCHKIP RMODE ANYBAKR R14,0LR R12,R15USING FTCHKIP,R12LR R10,R1STORAGE OBTAIN,LENGTH=WKLENLR R11,R1USING WKAREA,R11LM R7,R8,8(R10) R7 -> REMOTE IP ADDRESS* R8 -> HALFWORD REMOTE PORT NUMTIME DECST R0,TIMEWORKTIME BINMVC CHKMSGX,CHKMSGIMVC XPATIME,TPATED XPATIME,TIMEWORKMVC TIME,XPATIME+1** REMOTE IP ADDRESS*LA R5,IP1 -> 1ST OUTPUT POSITION* 1ST OCTETSR R2,R2ICM R2,B'0001',0(R7)Copyright (C) 2005 Applied Expert Systems, Inc. 69

CVD R2,DBMVC XPAT,EPATED XPAT,DB+6BAL R6,IPTOA* 2ND OCTETSR R2,R2ICM R2,B'0001',1(R7)CVD R2,DBMVC XPAT,EPATED XPAT,DB+6BAL R6,IPTOA* 3RD OCTETSR R2,R2ICM R2,B'0001',2(R7)CVD R2,DBMVC XPAT,EPATED XPAT,DB+6BAL R6,IPTOA* 4TH OCTETSR R2,R2ICM R2,B'0001',3(R7)CVD R2,DBMVC XPAT,EPATED XPAT,DB+6BAL R6,IPTOAS R5,=F'1' BACK UP 1 POSITIONMVI 0(R5),C' ' REPLACE WITH A BLANKCopyright (C) 2005 Applied Expert Systems, Inc. 70

** REMOTE PORT NUMBER*XC PORTNUM,PORTNUMMVC PORTNUM+2(2),0(R8)L R2,PORTNUMCVD R2,DBUNPK PORT(5),DB+5(3)OI PORT+4,X'F0'LA R1,CHKMSGXWTO MF=(E,(R1))RETURN DS 0HSTORAGE RELEASE,LENGTH=WKLEN,ADDR=(R11)SR R15,R15PR************************************************************************ ** SUBROUTINE: IPTOA - COPIES AN IP OCTET AND REMOVES LEADING BLANKS ** ** R5 -> OUTPUT AREA ** R6 = RETURN ADDRESS ** ************************************************************************IPTOA DS 0HCLI XPAT+2,C' ' 2 LEADING BLANKS?BNE CHKIP10 NO ...MVC 0(1,R5),XPAT+3 YES...MVI 1(R5),C'.' INSERT TRAILING '.'LA R5,2(,R5) -> NEXT OUTPUT POSITIONBR R6Copyright (C) 2005 Applied Expert Systems, Inc. 71

CHKIP10 DS 0HCLI XPAT+1,C' ' 1 LEADING BLANK?BNE CHKIP30 NO ...MVC 0(2,R5),XPAT+2 YES...MVI 2(R5),C'.'LA R5,3(,R5)BR R6CHKIP30 DS 0HMVC 0(3,R5),XPAT+1 NO LEADING BLANKSMVI 3(R5),C'.'LA R5,4(,R5)BR R6*===================================== END OF IPTOALTORGEPAT DC X'40202020'TPAT DC X'F020207A20207A20204B2020'*------------------------------------> MODEL WTO MSGCHKMSGI DS 0FDC AL2(CHKMSGE-*)DC AL2(0)DC C'FTCHKIP: IP='DC C' ' CLIENT IP ADDRESSDC C',PORT='DC C'PPPPP' CLIENT PORT NUMBERDC C',TIME='DC C'HH:MM:SS.TH'CHKMSGE EQU *CHKMSGL EQU *-CHKMSGI*

WKAREA DSECTDS 9DPORTNUM DS FTIMEWORK DS DXPAT DS CL4XPATIME DS CL12DB DS D*------------------------------------> START OF WTO MSGCHKMSGX DS CL(CHKMSGL)ORG CHKMSGXDS CL16IP1 DS CL3DS CIP2 DS CL3DS CIP3 DS CL3DS CIP4 DS CL3DS CL6PORT DS CL5DS CL6TIME DS CL11*

R3 EQU 3R4 EQU 4R5 EQU 5R6 EQU 6R7 EQU 7R8 EQU 8R9 EQU 9R10 EQU 10R11 EQU 11R12 EQU 12R13 EQU 13R14 EQU 14R15 EQU 15ENDCopyright (C) 2005 Applied Expert Systems, Inc. 74