Go to Home Page
Questions?
Call 1-800-572-5517
 
  Go to Home Page  
  See all products
  See price schedules
  See manuals, tutorials, articles
  Download a free 30-day trial
  See user testimonials
  About Pacific Systems Group
 
 
SMF Tools
  See SMF Record Layouts
  See Sample SMF Reports
  Learn How to Export SMF Data
  Download Free SMF Reporting Software (30 days)
 
One of the greatest SMF record parsing programming languages I've ever seen. Chief, Large Systems Services Branch, NIH
  Choose Spectrum Writer to add 4GL to your product
  Free 60-Page Book (PDF) - How to Make an SMF Report
Spectrum DCOLLECT Reporter - the 4GL DCOLLECT Report Writer.

Spectrum SMF Writer - the 4GL SMF Report Writer.

SMF type 119 Record - Subtype 96

This table shows the record layout for type 119 SMF records
(TCP/IP Statistics - OpenSSH Server Transfer Completion Record).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: OpenSSH writes SMF Type 119 records for file transfer activity and login failure information.

The kinds of SMF type 119 records for OpenSSH are:

  • Subtype 96 - Server transfer completion record
  • Subtype 97 - Client transfer completion record
  • Subtype 98 - Login failure record

Subtype 96 -- Server Transfer Completion Record.

The server transfer completion records are collected when the sftp-server (regular or "internal-sftp") or the server side of scp completes processing of one of the following file transfer subcommands:

  • Creating, uploading, downloading, renaming or removing files
  • Creating and removing directories
  • Changing the file permissions, UIDs, or GIDs
  • Creating symbolic links

For scp, only file downloading or uploading apply. A common format for the record is used for each sftp file transfer operation, so the record contains an indication of which subcommand was performed

The SMF type 119 records utilize a common structure. Each record is organized as follows:

  • SMF header
  • Self-defining section containing pointers to:
  • TCP/IP identification section (identifies system, stack etc)
  • Sections containing the data for the record

It's easy to report on SMF 119 data! (Jump to sample reports)

SMF Spectrum Writer
We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.
 
Try It FREE Now!

SMF Type 119 Record -- TCP/IP Statistics - OpenSSH Server Transfer Completion Record
Offset
(Dec.)
Offset
(Hex)
NameLengthFormatDescription
00SMF119S96_
LEN
2binary
Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word). See “Standard SMF Record Header” on page 13-1 for a detailed description.
22SMF119S96_
SEG
2binary
Segment descriptor (see record length field).
44SMF119S96_
FLG
1binary
System indicator Bit Meaning When Set 0 New record format 1 Subtypes used 2 Reserved. 3-6 Version indicators* 7 System is running in PR/SM mode.*See “Standard SMF Record Header” on page 13-1 for a detailed description.
55SMF119S96_
RTY
1binary
Record type 119 (X'77').
66SMF119S96_
TME
4binary
Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
10ASMF119S96_
DTE
4packed
Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
14ESMF119S96_
SID
4EBCDIC
System identification (from the SMFPRMxx SID parameter).
1812SMF119S96_
SSI
4EBCDIC
Subsystem identification.
2216SMF119S96_
STY
2binary
Record subtype.
Self Defining Section
2418SMF119S96_
TRN
2binary
Number of triplets in this record. A triplet is a set of three SMF fields (offset/length/number values) that defines a section of the record. The offset is the offset from the RDW.
261A--2binary
Reserved.
281CSMF119S96_
IDOff
4binary
Offset to TCP/IP identification section from RDW.
3220SMF119S96_
IDLen
2binary
Length of TCP/IP identification section.
3422SMF119S96_
IDNum
2binary
Number of TCP/IP identification sections.
3624SMF119S96_
S1Off
4Binary
Offset to first data section
4028SMF119S96_
S1Len
2Binary
Length of first data section
422ASMF119S96_
S1Num
2Binary
Number of first data sections
442CSMF119S96_
S2Off
4Binary
Offset to 2nd data section
4830SMF119S96_
S2Len
2Binary
Length of 2nd data section
5032SMF119S96_
S2Num
2Binary
Number of 2nd data sections
5234SMF119S96_
S3Off
4Binary
Offset to 3rd data section
5638SMF119S96_
S3Len
2Binary
Length of 3rd data section
583ASMF119S96_
S3Num
2Binary
Number of 3rd data sections
603CSMF119S96_
S4Off
4Binary
Offset to 4th data section
6440SMF119S96_
S4Len
2Binary
Length of 4th data section
6642SMF119S96_
S4Num
2Binary
Number of 4th data sections
6844SMF119S96_
S5Off
4Binary
Offset to 5th data section
7248SMF119S96_
S5Len
2Binary
Length of 5th data section
744ASMF119S96_
S5Num
2Binary
Number of 5th data sections
764CSMF119S96_
S6Off
4Binary
Offset to 6th data section
8050SMF119S96_
S6Len
2Binary
Length of 6th data section
8252SMF119S96_
S6Num
2Binary
Number of 6th data sections
Common TCP/IP identification section for OpenSSH

Identifies the system and stack information associated with the SMF record.

For the server transfer completion record (subtype 96), the TCP/IP identification section indicates either SFTPS (sftp-server) or SCPS (server side of scp) as the OpenSSH subcomponent and x'08' (event record) as the record reason.

(Offset from beginning of record: SMF119S96_IDOff)
00SMF119S96_
SSH_
TI_
SYSName
8EBCDIC
System name from SYSNAME in IEASYSxx
88SMF119S96_
SSH_
TI_
SysplexName
8EBCDIC
Sysplex name from SYSPLEX in COUPLExx
1610SMF119S96_
SSH_
TI_
Stack
8EBCDIC
TCP/IP stack name
2418SMF119S96_
SSH_
TI_
ReleaseID
8EBCDIC
z/OS release identifier
3220SMF119S96_
SSH_
TI_
Comp
8EBCDIC
OpenSSH subcomponent (right-padded with blanks):
  • SFTPS sftp server
  • SFTPC sftp client SCPS scp server
  • SCPC scp client
  • SSHD sshd daemon
4028SMF119S96_
SSH_
TI_
ASName
8EBCDIC
Started task qualifier or address space name of address space that writes this SMF record
4830SMF119S96_
SSH_
TI_
UserID
8EBCDIC
User ID of security context under which this SMF record is written 56 38 Reserved 2 Binary Reserved
583ASMF119S96_
SSH_
TI_
ASID
2Binary
ASID of address space that writes this SMF record
603CSMF119S96_
SSH_
TI_
Reason
1Binary
Reason for writing this SMF record
  • x'08' Event record
613DSMF119S96_
SSH_
TI_
RecordID
1Binary
Record ID
623E--2EBCDIC
Reserved
Common security section for OpenSSH

Identifies the security information associated with the SMF record.

When the authentication method being used is Control Socket and the ssh connection information cannot be collected from the control socket, the EBCDIC fields in this section are set to blanks and the binary fields are set to x'0000' Unknown.

(Offset from beginning of record: SMF119S96_S1Off)
00SMF119S96_
SSH_
SSHV
16EBCDIC
OpenSSH version
1610SMF119S96_
SSH_
SSLV
32EBCDIC
OpenSSL version
4830SMF119S96_
SSH_
ZlibV
16EBCDIC
zlib version
6440SMF119S96_
SSH_
ProtoV
8EBCDIC
Protocol version (right-padded with blanks):
'SSHV1' Protocol version 1
'SSHV2' Protocol version 2
7248SMF119S96_
SSH_
AuthMethod
2Binary
Authentication method being used:
x'0000' Unknown
x'0001' None
x'0002' Password
x'0003' Public key
x'0004' Host-based
x'0005' Rhosts
x'0006' RhostsRSA
x'0007' RSA
x'0008' Keyboard-interactive
x'0009' Challenge-response
x'000A' Control socket 1
744ASMF119S96_
SSH_
Cipher
2Binary
Cipher type being used:
x'0000' Unknown
x'0001' None

Possible values when protocol version 1:
x'0002' 3DES
x'0003' Blowfish
x'0004' DES

Possible values when protocol version 2:
x'0005' 3des-cbc
x'0006' blowfish-cbc
x'0007' cast128-cbc
x'0008' arcfour128
x'0009' arcfour256
x'000A' arcfour
x'000B' aes128-cbc
x'000C' aes192-cbc
x'000D' aes256-cbc
x'000E' aes128-ctr
x'000F' aes192-ctr
x'0010' aes256-ctr
x'0011' rijndael-cbc@lysator.liu.se
x'0012' acss@openssh.org

764CSMF119S96_
SSH_
MAC
2Binary
MAC algorithm being used:
x'0000' Unknown
x'0001' None (protocol version 1)
x'0002' hmac-md5
x'0003' hmac-sha1
x'0004' umac-64@openssh.com
x'0005' hmac-ripemd160
x'0006' hmac-sha1-96
x'0007' hmac-md5-96
x'0008' hmac-ripemd160openssh.com
784ESMF119S96_
SSH_
COMP
2Binary
Compression method being used:
x'0000' Unknown
x'0001' None (no)
x'0002' zlib (yes)
x'0003' zlib@openssh.com (delayed)
Subtype 96 - Server transfer completion record specific section

The TCP connection Initiation record is collected whenever a TCP connection is opened. This record contains pertinent information about the connection available at the time of its opening.

(Offset from beginning of record: SMF119S96_S2Off)
00SMF119S96_
SSH_
FSOper
1Binary
sftp subcommand code (for scp, only get and put apply):
x'01' rmdir
x'02' rm
x'03' rename
x'04' get
x'05' put
x'06' chmod
x'07' chown or chgrp
x'08' mkdir
x'09' symlink 1 1 Reserved 3 EBCDIC Reserved
44SMF119S96_
SSH_
FSCmd
4EBCDIC
sftp subcommand (the values are right-padded with blanks, and for scp, only GET and PUT apply):
RMD Remove directory
RM Remove file
RENM Rename file
GET Download file from the server
PUT Upload file to the server
CHMD Change file permission bits
CHOW Change file owner or group
MKD Create directory
SLNK Create symbolic link
88SMF119S96_
SSH_
FSRIP
16Binary
Remote IP address (client)
2418SMF119S96_
SSH_
FSLIP
16Binary
Local IP address (server)
4028SMF119S96_
SSH_
FSRPort
2Binary
Remote port number (client)
422ASMF119S96_
SSH_
FSLPort
2Binary
Local port number (server)
442CSMF119S96_
SSH_
FSSUser
8EBCDIC
Client User ID on server
5234SMF119S96_
SSH_
FSTType
1EBCDIC
Data transfer type:
A ASCII
B Binary
5335SMF119S96_
SSH_
FSMode
1EBCDIC
Transfer mode:
C Compressed
S Stream 54 36 Reserved 2 Binary Reserved
5638SMF119S96_
SSH_
FSSTime
4Binary
Transmission start time of day
603CSMF119S96_
SSH_
FSSDate
4Packed
Transmission start date
6440SMF119S96_
SSH_
FSETime
4Binary
Transmission end time of day
6844SMF119S96_
SSH_
FSEDate
4Packed
Transmission end date
7248SMF119S96_
SSH_
FSDur
4Binary
File transmission duration in units of 1/100 seconds
764CSMF119S96_
SSH_
FSBytes
8Binary
Transmission byte count; 64-bit integer
8454SMF119S96_
SSH_
FSStat
4EBCDIC
Server execution status (right-padded with blanks):
OK Success
FAIL Failure
8858SMF119S96_
SSH_
FSCH1
8Binary
Previous read/write/execute permissions of owner/group/other (in octal format) when chmod is used or the previous UID when chown or chgrp is used.
9660SMF119S96_
SSH_
FSGP1
8Binary
Previous GID when chown or chgrp is used.
10468SMF119S96_
SSH_
FSCH2
8Binary
New read/write/execute permissions of owner/group/other (in octal) when chmod is used or the new UID when chown or chgrp is used.
11270SMF119S96_
SSH_
FSGP2
8Binary
New GID when chown or chgrp is used.
Subtype 96 - host name section for the server transfer completion record.
(Offset from beginning of record: SMF119S96_S3Off)
00SMF119S96_
SSH_
FSHostname_
raw
variableEBCDIC
Host name
Subtype 96 - First associated path name section for the server transfer completion record. This section represents the server z/OS UNIX path name associated with the sftp or scp operation.
(Offset from beginning of record: SMF119S96_S4Off)
00SMF119S96_
SSH_
FSPath1_
raw
variableEBCDIC
z/OS UNIX path name associated with the sftp or scp command. When the subcommand is rename or symlink, this refers to the previous path name.
Subtype 96 - Second associated path name section for the server transfer completion record. This section represents the server z/OS UNIX file name associated with the rename or symlink subcommand.
(Offset from beginning of record: SMF119S96_S5Off)
00SMF119S96_
SSH_
FSPath2_
raw
variableEBCDIC
Second z/OS UNIX path name associated with rename or symlink subcommand. This is the new path name.

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Sample Report from SMF 119 Subtype 2 Records
Showing Information about TCP Connections


The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

In this report, we read as input the SMF file and select just the type 119 subtype 2 TCP Connection Termination records. (See SMF 119 Subtype 2 record layout.) The report shows information about terminated TCP connections, including start time, end time and computed elapsed time. It also shows the total number of bytes sent and received during the connection and the termination code. Our record layout also expands the 1-byte termination code into a readable descriptive text. The report is grouped by TCP/IP Stack and Resource. The report includes subtotals for each Resource.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:


INPUT:  SMF119 LIST(YES)

INCLUDEIF: SMF119RTY=119 AND SMF119STY=2

COMPUTE: MY_DURATION(2) = #MAKETIME(
               ((#MAKENUM(SMF119AP_TTEDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTETIME))
             - ((#MAKENUM(SMF119AP_TTSDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTSTIME))
                                   )

TITLE: 'Z/OS TCP DAILY CONNECTIONS REPORT'
TITLE: 'SYSTEM:' SMF119TI_SYSNAME
       'SYSPLEX:' SMF119TI_SYSPLEXNAME
       'STACK:' SMF119TI_STACK
TITLE: 'SORTED BY STACK AND RESOURCE NAME'

COLUMNS: SMF119AP_TTRNAME('RESOURCE')
         SMF119AP_TTSDATE('DATE/STARTED')
         SMF119AP_TTSTIME('TIME/STARTED')
         SMF119AP_TTEDATE('DATE/ENDED')
         SMF119AP_TTETIME('TIME/ENDED')
         MY_DURATION('CONNECTION/DURATION/HH:MM:SS.SS' ACCUM
                     TP'ZZ:ZZ:Z9.99')
         SMF119AP_TTINBYTES('INBOUND/BYTES')
         SMF119AP_TTOUTBYTES('OUTBOUND/BYTES')
         SMF119AP_TTTERMCODE(HEX 'TERM/CODE')
         SMF119AP_TTTERMCODE_DESC('TERM CODE DESC')

SORT:    SMF119TI_STACK
         SMF119AP_TTRNAME
         SMF119AP_TTSDATE
         SMF119AP_TTSTIME

BREAK:   SMF119AP_TTRNAME

 

Produce This SMF Report:


                                              Z/OS TCP DAILY CONNECTIONS REPORT
                                    SYSTEM: ST1      SYSPLEX: SYPROD    STACK: S01QDAS
                                             SORTED BY STACK AND RESOURCE NAME

                                                    CONNECTION
            DATE      TIME       DATE      TIME      DURATION      INBOUND        OUTBOUND    TERM
 RESOURCE STARTED    STARTED    ENDED      ENDED    HH:MM:SS.SS     BYTES          BYTES      CODE     TERM CODE DESC
 ________ ________ ___________ ________ ___________ ___________ ______________ ______________ ____ _______________________

 FTPTA5   03/21/09 14:04:06.81 03/21/09 14:04:07.46        0.65        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:05:35.59 03/21/09 14:05:45.67       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 14:12:13.81 03/21/09 14:12:14.51        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:12:27.35 03/21/09 14:12:37.42       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 15:30:34.96 03/21/09 15:30:35.64        0.68        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 15:35:13.92 03/21/09 15:35:24.00       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA5   (    6 ITEMS)                     32.26        853,740         10,143
 
 FTPTA6   03/21/09 14:05:38.03 03/21/09 14:05:38.70        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:07:23.60 03/21/09 14:07:33.68       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 14:12:29.83 03/21/09 14:12:30.50        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:17:10.02 03/21/09 14:17:20.16       10.14         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 15:35:16.45 03/21/09 15:35:17.21        0.76        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 15:36:15.10 03/21/09 15:36:25.18       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA6   (    6 ITEMS)                     32.40        853,740         10,143
 
 FTPTA7   03/21/09 14:07:26.16 03/21/09 14:07:26.86        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:08:24.36 03/21/09 14:08:34.50       10.14             70            507  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 14:17:12.60 03/21/09 14:17:13.31        0.71        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:21:40.01 03/21/09 14:21:50.08       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 15:36:17.53 03/21/09 15:36:18.17        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 15:37:11.45 03/21/09 15:37:21.53       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA7   (    6 ITEMS)                     32.34        826,767         10,321
 
 FTPTA8   03/21/09 08:09:32.96 03/21/09 15:29:02.41  7:19:29.45        274,763         15,912  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 13:17:39.42 03/21/09 14:42:50.82  1:25:11.40         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:42:57.42 03/21/09 14:43:21.38       23.96         45,921          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:43:26.45 03/21/09 15:28:27.01    45:00.56         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:50:01.00 03/21/09 15:28:26.10    38:25.10         35,513          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:51:01.03 03/21/09 14:52:28.82     1:27.79         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:05.50 03/21/09 15:28:22.53    35:17.03         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:51.74 03/21/09 14:55:51.42     1:59.68         35,306          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:56:05.98 03/21/09 15:11:31.19    15:25.21         33,066            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:12:01.80 03/21/09 15:13:30.66     1:28.86         35,266          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:13:45.48 03/21/09 15:17:09.41     3:23.93         38,223          2,199  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:18:54.59 03/21/09 15:20:07.26     1:12.67         34,273          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:20:22.01 03/21/09 15:28:20.73     7:58.72         33,118            875  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA8   (   13 ITEMS)               11:16:44.36        726,991         34,632

 
 FTPTA9   03/21/09 14:09:28.52 03/21/09 14:09:29.22        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 14:10:24.02 03/21/09 14:10:34.10       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA9   03/21/09 15:01:06.82 03/21/09 15:01:07.46        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 15:13:52.13 03/21/09 15:14:02.53       10.40         27,043            329  52  APPL ISSUED CLOSE

 ...

See other sample SMF reports.

Copyright 2017.
Pacific Systems Group.
All rights reserved.


Spectrum Writer 4GL - the economical alternative to SAS, Easytrieve, DYL-280...

Home | Products | Prices | Documentation | 30-Day Trials | Customer Reviews | Company | FAQ | Sample Reports | SMF Records
Send Your Comments or Questions