Using SmartTrace in menu mode is slightly less simple than Line Command mode; but offers more comprehensive and powerful trace management. Although the PT line command provide the quickest way to start a packet trace, it is limited in its ability to select packets to be included in the trace. You can end up with too many packets. This is important because the SMARTTRACE parameter group limits the number of packets in a PT trace (1000 packets maximum). When the limit is exceeded, the oldest packet is removed and replaced by a new packet.
In menu mode, you create your own custom trace definitions. The definitions provides the following features:
For example, you want to know if an unauthorized FTP server is being used in the network. You can define a TCP trace to include all packets containing FTP commands directed to a port number other than port 21.
For example, a telnet session is always being disconnected by the remote server. To disconnect a session, the remote server needs to issue a TCP RST flag. You can define a TCP trace with a stop condition that scans for the TCP RST flag. Using this definition, packets are traced up to the moment a TCP RST flag is issued by the remote server.
All menu mode functions are accessed from the Packet Tracing Menu.
The Packet Tracing Menu enables you to manage and perform advanced packet tracing functions.
To access the Packet Tracing Menu
The Packet Tracing Menu appears.
Note: For information about the menu, press F1 (Help).
The following definition types are available for you to create SmartTrace definitions:
Provides field criteria specific to the TCP protocol. This is commonly used for tracing TCP applications such as Telnet or FTP.
Provides field criteria specific to the UDP protocol. This is commonly used for tracing UDP applications such as SNMP.
Provides field criteria specific to the ICMP protocol. ICMP generates error messages and conditions that are normally acted upon by the IP stack. ICMP is used by the PING and TRACERT commands.
Provides field criteria for general tracing.
Provides field criteria for a special type of TCP trace. These definitions let you trace packets in specified TCP connections that are initiated after the trace is activated. This type of trace provides initial TCP handshake tracing for each connection and creates a separate trace entry per connection.
Trace definition samples are provided as templates for you to define traces. These definitions describe common network conditions and events that are worth tracing.
Packet tracing often results in many packet entries, most of which are not relevant. SmartTrace provides the following types of selection criteria to help limit the trace output:
Limits the captured packets based on the specified criteria.
Stops a trace automatically based on the specified criteria and optionally performs a specified action. The stop criteria apply only to packets that pass the capture criteria.
(Multiple TCP Connection trace only) Limits tracing to TCP packets that pass the specified connection selection criteria. The criteria applies only to new TCP connections initiated at the time the trace starts. The normal Capture and Stop criteria is then applied to each TCP packet.
Example: Trace New Connections Between Specific Hosts
The following example selects only newly-initiated TCP connections with a local host of 172.31.255.255, local port of 1123, and a foreign host of 172.16.0.0.
PROD-------- SmartTrace : Multiple TCP Connection Trace Details --------------
Command ===> Page 1 of 4
Name ...............
Description ........
Trace Each Connection With:
TCP/IP Stack .......+
Local Host .......... 172.31.255.255
Local Ports ......... 1123
Foreign Host ........ 172.16.0.0
Foreign Ports........
Example: Capture Packets with Specific Flags and Data
The following example selects only the TCP packets in the previous example that have a TCP flag of SYN, ACK, or PSH, and contains the string USER between positions 1 and 20 of the TCP data.
PROD--------- SmartTrace : Multiple TCP Connection Trace Details --------------
Command ===> Page 2 of 4
After the Initial Packets, Trace Packets with:
TCP Flags .......+ SYN or ACK or PSH
(SYN,ACK,PSH,RST,URG,FIN or an expression e.g. SYN and not ACK)
. Packet Data (Following TCP Header) ----------------------------------------.
| Start |
| Oper Data Format Pos. Length |
| 1 LIKE USER ASCII 1 20 |
Example: Stop Tracing on the TCP RST Flag
The following example stops the trace when a captured packet has a TCP flag of RST.
PROD--------- SmartTrace : Multiple TCP Connection Trace Details --------------
Command ===> Page 3 of 4
Stop After Tracing a Packet with:
TCP Flags .......+ RST
(SYN,ACK,PSH,RST,URG,FIN or an expression e.g. SYN and not ACK)
TCP Window Size ...........+
Example: Stop Tracing After a Specified Number of Packets
The following example stops the trace when 2000 packets are captured.
PROD--------- SmartTrace : Multiple TCP Connection Trace Details --------------
Command ===> Page 4 of 4
Trace Options:
Trace Limit ............... 2000 (Number of packets)
Stop At Limit? ............ YES (Yes or No)