Flood detail (-F -D) report

This report is displayed when both the -F and -D options are specified with the trmdstat command. It displays the contents of flood event records. The information that is presented in this report is derived from EZZ8650I, EZZ8651I, EZZ8654I, EZZ8655I, EZZ8677I, and EZZ8678I types of syslog messages.

Data that is related to SYN floods, interface floods, and EE XID floods is shown in separate sections of the report. Data for SYN floods and EE XID floods is sorted by IP address. Data for interface floods is sorted by interface name. For the interface flood exit and continuing record types, some information about the discarded packets is also provided. This information includes the protocol discarded most frequently during the flood and the category of discards seen most frequently during the interface flood. If the interface type provides the source MAC address of the prior hop, the most frequently seen prior hop source MAC address is also provided.

>trmdstat -FD /tmp/tstlog.log
trmdstat for z/OS CS V2R1  Fri Dec  2 14:09:41 2011

Command Entered     : trmdstat -FD /tmp/tstlog.log
Log Time Interval   : Nov 11 20:35:01  - Nov 23 14:50:52
Stack Time Interval : Nov 11 20:34:41  - Nov 23 14:50:32
TRM Records Scanned : 227

                                           SYN FLOOD  Events

               Date and Time/                 Local
               Local IP Address               Port  Type SYNsRecvd   FirstAck  SYNsDiscd  SYNsTimeO   Duration  Correlator
--------------------------------------------- ----- ---- ---------- ---------- ---------- ---------- ---------- ----------
11/20/2011 18:18:15.58                          360   E                                                               4536
  0.0.0.0
11/20/2011 18:21:18.96                          360   X          29          0         29          1        183       4536
  0.0.0.0
11/21/2011 14:59:57.18                          452   E                                                               4583
  192.168.105.25
11/21/2011 15:02:46.79                          452   X         197          0        194        257        169       4583
  192.168.105.25
11/21/2011 16:59:39.97                          444   E                                                               4586
  192.168.105.25
11/21/2011 17:02:28.24                          444   X         198          0        195        257        168       4586
  192.168.105.25
11/21/2011 19:26:42.40                          345   E                                                               4610
  ::
11/21/2011 19:28:21.93                          345   X         499          0        495        257         99       4610
  ::
11/21/2011 18:41:44.76                          345   E                                                               4589
  2001:db8:0:3:9:42:103:132
11/21/2011 18:44:33.71                          345   X         198          1        195        256        168       4589
  2001:db8:0:3:9:42:103:132

                                           Interface FLOOD  Events

   Date and Time/          Interface       Type  Duration    Discard   Correlator/ ----------------Most Frequent--------------------
  Last     Last Source IP/                                   Count/    ProbeID     -----Overall-----   -------Source MAC Data-------
  Count    Dest Address                                      Percent               Proto/  Category/      SrcMAC/  Proto/  Category/
                                                                                   Percent Percent        Percent  Percent Percent
11/22/2011 00:53:07.29     LOSAQDIO4         E                  1000       4751
           192.168.105.50                                         89   04070010
           192.168.105.25
11/22/2011 00:58:09.65     LOSAQDIO4         C        266      21022       4751         6     Queue  000D602432AE       6     Queue
     20023 192.168.105.50                                         95   04070011        95        94            95     100        99
           192.168.105.25
11/22/2011 00:59:10.70     LOSAQDIO4         X        324      21022       4751         6     Queue  000D602432AE       6     Queue
     20023 192.168.105.50                                         95   04070014        95        94            95     100        99
           192.168.105.25
11/22/2011 00:53:29.78     OSAQDIO46         E                  1000       4752
           2001:db8::20a:5eff:fe04:8f16                           94   04070010
           2001:db8::4039:900:540e:3d0
11/22/2011 00:58:33.62     OSAQDIO46         C        269      16814       4752         6     Queue  00062A714400       6     Queue
     15815 2001:db8::20a:5eff:fe04:8f16                           92   04070011        94        93            93     100        99
           2001:db8::4039:900:540e:3d0
11/22/2011 00:59:33.69     OSAQDIO46         X        325      16821       4752         6     Queue  00062A714400       6     Queue
     15822 2001:db8::20a:5eff:fe04:8f16                           79   04070014        94        93            93     100        99
           2001:db8::4039:900:540e:3d0
11/23/2011 14:46:31.78     OSAQDIO46         E                  1000       4832
           2001:db8::20a:5eff:fe04:8f16                          100   04070010
           2001:db8::4039:900:610e:3d0
11/23/2011 14:50:32.28     OSAQDIO46         X        225       6018       4832         6     Queue  00062A714400       6     Queue
      5019 2001:db8::20a:5eff:fe04:8f16                           51   04070014        83        73            83     100        88
           2001:db8::4039:900:610e:3d0

                                           XID FLOOD  Events

                                    Local IP Address/                  -----XID timeouts-----     Last
     Date and Time               Last Source IP Address          Type  Threshold      Flood       Count     Duration   Correlator
----------------------  ---------------------------------------  ----  ----------  ----------  ----------  ----------  ----------
11/11/2011 20:34:41.48  192.168.105.53                             E            2                       3                      36
                        192.168.105.50
11/11/2011 20:38:34.53  192.168.105.53                             X                       15          17         233          36
                        192.168.105.50
11/12/2011 03:53:55.49  2001:db8::9:42:105:53                      E            2                      14                      43
                        2001:db8::20a:5eff:fe04:8f16
11/12/2011 03:58:50.37  2001:db8::9:42:105:53                      X                       13          26         295          43
                        2001:db8::20a:5eff:fe04:8f16

The following information describes the areas of the SYN flood detail report.
Date and Time
Specifies the date and time.
Local IP Address
Specifies the bound IP address.
Local Port
Specifies the bound port number.
Type
Specifies the entry to or exit from constrained state.
E
enter
X
exit
SYNsRecvd
The number of handshakes started during the SYN flood. Present only on EXIT records.
FirstAck
The number of handshakes completed during the SYN flood. Present only on EXIT records.
SYNsDiscd
The number of SYNs randomly discarded during the SYN flood. Present only on EXIT records.
SYNsTimeO
The number of SYNs that timed out during the SYN flood. Present only on EXIT records.
Duration
Specifies the duration of the flood in seconds. Present only on EXIT records.
Correlator
Specifies the trace correlator.
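As an added example (not part of the trmdstat documentation or the product), the following Python parses the two-line records of the SYN FLOOD section above, pairs each E record with its X record by correlator, and computes the share of SYNs that were randomly discarded during each flood. The sample input is constructed from the record lines shown in the report; the class and function names are the example's own.

```python
from dataclasses import dataclass

# Constructed sample input: SYN FLOOD record lines laid out as in the report above.
SAMPLE = """\
11/20/2011 18:18:15.58                          360   E                                                               4536
  0.0.0.0
11/20/2011 18:21:18.96                          360   X          29          0         29          1        183       4536
  0.0.0.0
11/21/2011 14:59:57.18                          452   E                                                               4583
  192.168.105.25
11/21/2011 15:02:46.79                          452   X         197          0        194        257        169       4583
  192.168.105.25
"""

@dataclass
class SynFlood:
    correlator: str
    local_ip: str
    port: int
    entered: str            # timestamp of the E record
    exited: str = ""        # timestamp of the X record, empty while still in flood
    syns_recvd: int = 0     # the counters below are present only on X records
    first_ack: int = 0
    syns_discd: int = 0
    syns_timeo: int = 0
    duration: int = 0

    def discard_ratio(self) -> float:
        """Share of SYNs received during the flood that were randomly discarded."""
        return self.syns_discd / self.syns_recvd if self.syns_recvd else 0.0

def parse_syn_floods(text: str) -> dict:
    """Map correlator -> SynFlood; the E and X records of one flood share a correlator."""
    floods: dict = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for head, ip_line in zip(lines[0::2], lines[1::2]):   # every record spans 2 lines
        f = head.split()
        stamp, port, rtype, corr = f"{f[0]} {f[1]}", int(f[2]), f[3], f[-1]
        ip = ip_line.strip()
        if rtype == "E":
            floods[corr] = SynFlood(corr, ip, port, stamp)
        elif rtype == "X":   # an X with no prior E (log began mid-flood) still gets an entry
            fl = floods.setdefault(corr, SynFlood(corr, ip, port, entered="?"))
            fl.exited = stamp
            (fl.syns_recvd, fl.first_ack, fl.syns_discd,
             fl.syns_timeo, fl.duration) = map(int, f[4:9])
        else:
            raise ValueError(f"unknown record type {rtype!r}: {head!r}")
    return floods
```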

The following describes the areas of the interface flood events report.
Date and Time
Specifies the date and time.
Interface
The name of the interface experiencing the interface flood condition.
Type
Specifies flood entry, flood exit, or continuing flood condition.
E
enter
X
exit
C
continuing
Duration
The number of seconds since the interface flood was detected. Duration is displayed in both continuing and exit records.
Discard Count/Percent
Discard Count
On interface flood entry, this is the number of discarded inbound packets or not processed packets that triggered the interface flood detection. On interface flood exit or continuation, this is the number of inbound packets discarded or not processed since the interface flood was detected.
Discard Percent
On interface flood entry, this is the percentage of total packets received that were discarded and that triggered the interface flood detection. On interface flood exit or continuation, this is the percentage of total packets received that were discarded on the interface since the interface flood was detected.
Correlator/ProbeID
Correlator
Specifies the trace correlator.
ProbeID
Specifies the IDS probeID that generated this event.
Last Count
The consecutive number of discarded packets for the interface that have the same source IP address as the last discarded packet. If the previously discarded packet's source IP address is not the same as the last discarded packet's source IP address, the count is one. Reported for interface flood continuing and exit record types.
Last Source IP/Dest Address
Last Source IP address
Source IP address of the last packet discarded on this interface during the interface flood condition.
Destination Address
Local IP address associated with the interface when the interface flood was detected.
Most Frequent
This data is tracked from the time the interface flood is detected until the interface flood ends. The counts do not include the initial discards that contributed to the interface flood detection.

This data is reported for interface flood continuing and exit record types. The data is cumulative from the time the interface flood started until the time the record was generated.

Overall
Proto/Percent
Proto
IP protocol most frequently seen in the discarded packets. The protocol value is the protocol number or zero if the protocol value is invalid or unknown.
Percent
Percentage of times the protocol was seen in the discarded packets.
Category/Percent
Category
Discard category most frequently seen in the discarded packets. Possible values are:
Storage
Storage could not be obtained to process the packet. Storage shortages might indicate a problem in the system other than an inbound packet flood.
CheckSum
Packet had checksum error.
Malform
Malformed packet.
Dest
Destination not found. For example, the port is not active or is reserved, the matching socket is not available, or there are no listeners for the RAW protocol.
Firewall
Packet rejected by IP security.
MedHdr
Bad media header.
Forward
Packet was not addressed to this stack and could not be forwarded. Some cases that prevent forwarding are bad headers or IPCONFIG NODATAGRAMFWD being specified.
QOSPol
Packet dropped due to QoS policy.
IDSPol
Packet dropped due to IDS policy.
Access
Packet dropped due to NetAccess, multilevel security, or OSM access checks.
ATTLS
Packet dropped due to AT-TLS policy.
OtherPol
Packet dropped due to other configuration policy.
Queue
A queue limit (other than those specified by IDS) prevented queueing the packet for processing. For example, the SYN queue, the reassembly queue, or the UDP or RAW receive queues.
OtherSyn
SYN problems other than a full SYN queue.
State
State mismatch.
UnpackEr
Packet dropped due to unpacking problems.
Misc
Miscellaneous reasons not listed above. For example, a TCP packet outside the TCP window, or duplicate fragments found during packet reassembly.
Percent
The percentage of times the discard category was seen in the discarded packets.
Source MAC Data
Source MAC Data is reported for LCS devices and OSA QDIO devices at a microcode level that supports providing the source MAC address of the prior hop. It is not applicable for other devices. This data is reported for interface flood continuing and exit record types.
SrcMAC/Percent
SrcMAC
Source MAC of the prior hop seen most frequently in the discarded packets. The value N/A appears in the field if the device does not support providing the source MAC.
Percent
Percentage of times the most frequent source MAC was seen in the discarded packets.
Proto/Percent
Proto
The most frequent IP protocol seen in the discarded packets associated with the source MAC address. The protocol value is the protocol number or zero if the protocol value is invalid or unknown.
Percent
Percentage of times the protocol was seen in the discarded packets associated with the source MAC address.
Category/Percent
Category
The most frequent discard category seen in the discarded packets associated with the source MAC address. The possible values are the same as those listed for Most Frequent Overall Category.
Percent
Percentage of times the discard category was seen in the discarded packets associated with the source MAC address.

The following list describes the areas of the EE XID FLOOD detail report.
Date and Time
Specifies the date and time.
Local IP Address
Specifies the destination IP address of the XID flood.
Last Source IP Address
Source IP address of the last XID that timed out to this local IP address during the EE XID flood condition.
Type
Specifies the entry to or exit from constrained state.
E
enter
X
exit
XID timeouts
Threshold
The number of XID timeouts that occurred before an EE XID flood was detected. Present only on type E records.
Flood
The number of XIDs that timed out during this EE XID flood. Present only on type X records.
Last Count
The consecutive number of XID timeouts to the local IP address that have the same source IP address as the last XID that timed out. If the source IP address of the previously timed-out XID is not the same as the source IP address of the last timed-out XID, the count is 1.
Duration
Specifies the duration of the flood in seconds. Duration is displayed only on exit records.
Correlator
Specifies the trace correlator.
messages suppressed
The number of attack messages suppressed, with attack type, date, and time. This data comes from an EZZ9327I message. See The trmdstat report general concept for a detailed description.

The interface flood events report width is 132 characters. If you are displaying or printing this report, use an output device that can accommodate this width.