








	*SMF Tools*

SMF type 119 Record - Subtype 11

This table shows the record layout for type 119 SMF records
(zERT Security Session Attributes Event).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: Transmission Control Protocol/Internet Protocol (TCP/IP) writes type 119 records to collect statistics about Telnet servers and clients, FTP servers and clients, and API activity and stack usage information.

SMF type 119 records contain unique stack identification sections designed to eliminate the confusion of the type 118 records. They provide uniformity of date and time (UTC), common record format (self-defining section and TCP/IP identification section), and support for IPv6 addresses and expanded field sizes (64 bit versus 32 bit) for some counters.zERT connection detail records are written to record important information about the cryptographic protection of TCP connections and Enterprise Extender (EE) connections.

Subtype 11 records are written for six different events:

Cryptographic protection attributes at connection initiation (zERT Connection Init)
Change to the connection's cryptographic protection attributes (zERT Change)
Cryptographic protection attributes at connection termination (zERT Connection Term)
Cryptographic protection attributes at short connection termination (zERT Short Connection Term). In this case, there is no associated zERT Connection Init record for the subject connection.
zERT function enabled (zERT Enabled)
zERT function disabled (zERT Disabled)
The format of the zERT connection detail record is the same for all event types.

It's easy to report on SMF 119 data! (Jump to sample reports)

We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.

SMF Type 119 Record -- zERT Security Session Attributes Event
Offset (Dec.)	Offset (Hex)	Name	Length	Format	Description
0	0	SMF119LEN	2	binary	Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word).
2	2	SMF119SEG	2	binary	Segment descriptor (see record length field).
4	4	SMF119FLG	1	binary	System indicator Bit Meaning When Set 0 New record format 1 Subtypes used 2 Reserved. 3-6 Version indicators 7 System is running in PR/SM mode.
5	5	SMF119RTY	1	binary	Record type 119 77').
6	6	SMF119TME	4	binary	Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
10	A	SMF119DTE	4	packed	Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
14	E	SMF119SID	4	EBCDIC	System identification (from the SMFPRMxx SID parameter).
18	12	SMF119SSI	4	EBCDIC	Subsystem identification.
22	16	SMF119STY	2	binary	Record subtype.
Self Defining Section
24	18	SMF119TRN	2	binary	Number of triplets in this record (7)
26	1A	--	2	binary	Reserved.
28	1C	SMF119IDOff	4	Binary	Offset to TCP/IP identification section
32	20	SMF119IDLen	2	Binary	Length of TCP/IP identification section
34	22	SMF119IDNum	2	Binary	Number of TCP/IP identification sections
36	24	SMF119S1Off	4	Binary	Offset to zERT connection detail common section
40	28	SMF119S1Len	2	Binary	Length of zERT connection detail common section
42	2A	SMF119S1Num	2	Binary	Number of zERT connection detail common section
44	2C	SMF119S2Off	4	Binary	Offset to IP filter-specific section
48	30	SMF119S2Len	2	Binary	Length of IP filter-specific section
50	32	SMF119S2Num	2	Binary	Number of IP filter-specific sections
52	34	SMF119S3Off	4	Binary	Offset to TLS protocol attributes section
56	38	SMF119S3Len	2	Binary	Length of TLS protocol attributes section
58	3A	SMF119S3Num	2	Binary	Number of TLS protocol attributes sections
60	3C	SMF119S4Off	4	Binary	Offset to SSH protocol attributes section
64	40	SMF119S4Len	2	Binary	Length of SSH protocol attributes section
66	42	SMF119S4Num	2	Binary	Number of SSH protocol attributes sections
68	44	SMF119S5Off	4	Binary	Offset to IPSec protocol attributes section
72	48	SMF119S5Len	2	Binary	Length of IPSec protocol attributes section
74	4A	SMF119S5Num	2	Binary	Number of IPSec protocol attributes sections
76	4C	SMF119S6Off	4	Binary	Offset to certificate DNs section
80	50	SMF119S6Len	2	Binary	Length of certificate DNs section
82	52	SMF119S6Num	2	Binary	Number of certificate DNs sections
TCP/IP stack identification section For the zERT connection detail record, the TCP/IP stack identification section indicates STACK as the subcomponent and X'08' (event record) as the record reason. (Offset from beginning of record: SMF119IDOff)
0	0	SMF119TI_ SYSName	8	EBCDIC	System name from SYSNAME in IEASYSxx
8	8	SMF119TI_ SysplexName	8	EBCDIC	Sysplex name from SYSPLEX in COUPLExx
16	10	SMF119TI_ Stack	8	EBCDIC	TCP/IP stack name
24	18	SMF119TI_ ReleaseID	8	EBCDIC	z/OS Communications Server TCP/IP release identifier
32	20	SMF119TI_ Comp	8	EBCDIC	TCP/IP subcomponent (right padded with blanks): FTPC FTP Client FTPS FTP server IP IP layer STACK Entire TCP/IP stack TCP TCP layer TN3270C TN3270 Client TN3270S TN3270 server UDP UDP layer
40	28	SMF119TI_ ASName	8	EBCDIC	Started task qualifier or address space name of address space that writes this SMF record
48	30	SMF119TI_ UserID	8	EBCDIC	User ID of security context under which this SMF record is written
56	38	--	2	EBCDIC	Reserved
58	3A	SMF119TI_ ASID	2	Binary	ASID of address space that writes this SMF record
60	3C	SMF119TI_ Reason	1	Binary	Reason for writing this SMF record: X'08' Event record X'C0' Interval statistics record, more records follow X'80' Interval statistics record, last record in set X'60' End-of-statistics record, more records follow X'20' End-of-statistics record, last record in set X'50' Shutdown starts record, more records follow X'10' Shutdown starts record, last record in set
61	3D	--	3	EBCDIC	Reserved
zERT connection detail common section. (Subtype 11) Every zERT connection detail record has one of these sections(Offset from beginning of record: SMF119S1Off)
0	0	SMF119SC_ SAEvent_ Type	1	Binary	Event type: X'01': Connection initiation X'02': Change in cryptographic attributes X'03': Connection termination X'04': Short connection termination (Connection terminates within 10 seconds of being established. No associated Connection initiation record is written.) X'05': zERT Enabled (all remaining fields in this section are unused and set to 0) X'06': zERT Disabled (all remaining fields in this section are unused and set to 0)
1	1	SMF119SC_ SASecProtos	1	Binary	Cryptographic security protocols for the connection. Zero or more of these flags may be specified: X'00': No recognized cryptographic protection X'80': TLS/SSL X'40': SSH X'20': IPSec
2	2	SMF119SC_ SAFlags	1	Binary	Flags: X'80': IPv6 connection X'40': AT-TLS cryptographic data protection operations are bypassed for this connection as part of a stack optimization for intra-host connections. Only AT-TLS peer authentication operations are executed in this case.
3	3	SMF119SC_ SASecFlags	1	Binary	IP security Flags: x'80': IP security is enabled x'40': IPv6 security is enabled x'20': IP filtering done for connection
4	4	SMF119SC_ SAIPProto	1	Binary	IP Protocol value: X'06': TCP X'11': UDP
5	5	SMF119SC_ SA_ Rsvd1	3	Binary	Reserved
8	8	SMF119SC_ SAJobname	8	EBCDIC	Jobname associated with the socket
16	10	SMF119SC_ SAJobID	8	EBCDIC	Job ID associated with the socket
24	18	SMF119SC_ SAUserID	8	EBCDIC	z/OS® user ID associated with the socket
32	20	SMF119SC_ SASTime	4	Binary	Time of day of connection establishment in 1/100 seconds since midnight (using Coordinated Universal Time (UTC))
36	24	SMF119SC_ SASDate	4	Packed	Date of connection establishment (UTC)
40	28	SMF119SC_ SAETime	4	Binary	Time connection ended in 1/100 seconds since midnight (using Coordinated Universal Time (UTC))
44	2C	SMF119SC_ SAEDate	4	Packed	Date connection end, set when event type (SMF119SC_SAEvent_Type) is connection termination or short connection termination otherwise, 0
48	30	SMF119SC_ SARIP	16	Binary	Remote connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
64	40	SMF119SC_ SALIP	16	Binary	Local connection endpoint IP address. If SMF119SC_SAFlags indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
80	50	SMF119SC_ SARPort	2	Binary	Remote port
82	52	SMF119SC_ SALPort	2	Binary	Local port
84	54	SMF119SC_ SAConnID	4	Binary	Transport layer connection ID
88	58	SMF119SC_ SAInBytes	8	Binary	Inbound byte count since connection started
96	60	SMF119SC_ SAOutBytes	8	Binary	Outbound byte count since connection started
104	68	SMF119SC_ SAInSegDG	8	Binary	Inbound TCP segment or UDP datagram count since connection started
112	70	SMF119SC_ SAOutSegDG	8	Binary	Outbound TCP segment or UDP datagram count since connection started
120	78	SMF119SC_ SA_ Rsvd2	8	Binary	Reserved
zERT IP filter-specific section. (Subtype 11) This section is present if IP filtering is active and an IP filter rule applies to the connection (SMF119SC_SAIPFiltering flag is set in SMF119SC_SASecFlags). The IP filter section is not included for intra-host connections because IP filtering is not done for those connections.(Offset from beginning of record: SMF119S2Off)
0	0	SMF119SC_ IPFlt_ OutAct	1	Binary	Outbound IP filtering behavior: X'01': Outbound traffic permitted in the clear X'02': Outbound traffic permitted with IPSec protection X'03': Outbound traffic denied X'00' if no associated outbound filter rule). A change in this attribute causes a protection state change record to be written.
1	1	SMF119SC_ IPFlt_ InbAct	1	Binary	Inbound IP filtering behavior: X'01': Inbound traffic permitted in the clear X'02': Inbound traffic permitted with IPSec protection X'03': Inbound traffic denied X'00' if no associated inbound filter rule). A change in this attribute causes a protection state change record to be written.
2	2	SMF119SC_ IPFlt_ Rsvd1	2	Binary	Reserved
4	4	SMF119SC_ IPFlt_ OutRuleName	40	EBCDIC	Outbound traffic IP filter rule name (blank if no associated outbound filter rule)
44	2C	SMF119SC_ IPFlt_ OutRuleExt	8	EBCDIC	Outbound traffic IP filter rule name extension (blank if no associated outbound filter rule or the filter rule has no rule name extension value)
52	34	SMF119SC_ IPFlt_ InRuleName	40	EBCDIC	Inbound traffic IP filter rule name (blank if no associated inbound filter rule)
92	5C	SMF119SC_ IPFlt_ InRuleExt	8	EBCDIC	Inbound traffic IP filter rule name extension (blank if no associated inbound filter rule or the filter rule has no rule name extension value)
zERT TLS protocol attributes section. (Subtype 11) This section will be present if the connection is protected by TLS or SSL. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".(Offset from beginning of record: SMF119S3Off)
0	0	SMF119SC_ TLS_ Prot_ Ver	2	Binary	Protocol version: X'0000': Unknown version X'0200': SSLv2 X'0300': SSLv3 X'0301': TLSv1.0 X'0302': TLSv1.1 X'0303': TLSv1.2
2	2	SMF119SC_ TLS_ Source	1	Binary	Source of the TLS/SSL information in this record: X'01': Stream observation X'02': Cryptographic protocol provider Information only
3	3	SMF119SC_ TLS_ Handshake_ Type	1	Binary	Handshake type: X'01': Full handshake X'02': Abbreviated handshake Information only
4	4	SMF119SC_ TLS_ Handshake_ Role	1	Binary	Local handshake role: X'00': Unknown X'01': Client X'02': Server X'03': Server with client authentication Information only
5	5	SMF119SC_ TLS_ Rsvd1	2	Binary	Reserved
7	7	SMF119SC_ TLS_ Session_ ID_ Len	1	Binary	Length of TLS session ID value in bytes. Information only
8	8	SMF119SC_ TLS_ Session_ ID	32	Binary	TLS session ID (left justified). Information only
40	28	SMF119SC_ TLS_ Protocol_ Provider	16	EBCDIC	Source of the information in this record (padded with trailing blanks): "Observation": Information was observed by the TCP/IP stack, not supplied by a CPP. This value is used when SMF119SC_TLS_Source is set to 1. "IBM System SSL" : System SSL other values may be added in the future. Information only
56	38	SMF119SC_ TLS_ Neg_ Cipher	6	EBCDIC	Negotiated cipher suite identifier. If the TLS version is SSLv3 or higher, this is a four character value in the first 4 bytes of this field, padded with trailing blanks. Refer to the TLS Cipher Suite registry for a complete list of the 4-hexadecimal-character values. If the TLS version is SSLv2, then all 6 bytes are used: '010080': 128-bit RC4 with MD5 '020080': 40-bit RC4 with MD5 '030080': 128-bit RC2 with MD5 '040080': 40-bit RC2 with MD5 '050080': 128-bit IDEA with MD5 '060040': DES with MD5 '0700C0': 3DES with MD5
62	3E	SMF119SC_ TLS_ CS_ Enc_ Alg	2	Binary	The symmetric encryption algorithm used by the cipher suite: X'0000': Unknown X'0001': None X'0002': DES X'0003': DES 40 X'0004': 3DES X'0005': RC2 40 X'0006': RC2 128 X'0007': RC2 X'0008': RC4 40 X'0009': RC4 128 X'000A': RC4 256 X'000B': RC4 X'000C': AES CBC 128 X'000D': AES CBC 192 X'000E': AES CBC 256 X'000F': AES CTR 128 X'0010': AES CTR 192 X'0011': AES CTR 256 X'0012': AES GCM 128 X'0013': AES GCM 256 X'0014': AES CCM 128 X'0015': AES CCM 256 X'0016': AES CCM8 128 X'0017': AES CCM8 256 X'0018': AES 256 X'0019': Blowfish X'001A': Blowfish CBC X'001B': CAST 128 CBC X'001C': ARCFOUR 128 X'001D': ARCFOUR 256 X'001E': ARCFOUR X'001F': Rijndael CBC X'0020': ACSS X'0021': ARIA 128 CBC X'0022': ARIA 256 CBC X'0023': ARIA 128 GCM X'0024': ARIA 256 GCM X'0025': Camellia 128 CBC X'0026': Camellia 256 CBC X'0027': Camellia 128 GCM X'0028': Camellia 256 GCM X'0029': ChaCha20 Poly1305 X'002A': IDEA CBC X'002B': SEED CBC X'002C': Fortezza X'002D': GOST28147 X'002E': TwoFish CBC 256 X'002F': TwoFish CBC X'0030': TwoFish CBC 192 X'0031': TwoFish CBC 128 X'0032': Serpent CBC 256 X'0033': Serpent CBC 192 X'0034': Serpent CBC 128
64	40	SMF119SC_ TLS_ CS_ Msg_ Auth	2	Binary	The message authentication algorithm used by the cipher suite: X'0000': Unknown X'0001': No message authentication, or uses authenticated encryption algorithm like AES-GCM X'0002': MD2 X'0003': HMAC-MD5 X'0004': HMAC-SHA1 X'0005': HMAC-SHA2-224 X'0006': HMAC-SHA2-256 X'0007': HMAC-SHA2-384 X'0008': HMAC-SHA2-512 X'0009': AES-GMAC-128 X'000A': AES-GMAC-256 X'000B': AES-128-XCBC-96 X'000C': HMAC-SHA2-256-128 X'000D': HMAC-SHA2-384-192 X'000E': HMAC-SHA2-512-256 X'000F': HMAC-MD5-96 X'0010': HMAC-SHA1-96 X'0011': UMAC-64 X'0012': UMAC-128 X'0013': RIPEMD-160
66	42	SMF119SC_ TLS_ CS_ Kex_ Alg	2	Binary	The key exchange algorithm used by the cipher suite: X'0000': Unknown X'0001': None X'0002': RSA X'0003': RSA_EXPORT X'0004': RSA_PSK X'0005': DH_RSA X'0006': DH_RSA_EXPORT X'0007': DH_DSS X'0008': DH_ANON X'0009': DH_ANON_EXPORT X'000A': DH_DSS_EXPORT X'000B': DHE_RSA X'000C': DHE_RSA_EXPORT X'000D': DHE_DSS X'000E': DHE_DSS_EXPORT X'000F': DHE_PSK X'0010': ECDH_ECDSA X'0011': ECDH_RSA X'0012': ECDH_ANON X'0013': ECDHE_ECDSA X'0014': ECDHE_RSA X'0015': ECDHE_PSK X'0016': KRB5 X'0017': KRB5_EXPORT X'0018': PSK X'0019': SRP_SHA_RSA X'001A': SRP_SHA_DSS X'001B': SRP_SHA
68	44	SMF119SC_ TLS_ FIPS_ Mode	1	Binary	FIPS 140 mode of the TLS/SSL provider: X'00': Not in FIPS 140 mode X'01': FIPS 140 mode is enabled (80-bit strength enforced) X'02': FIPS 140 mode is enabled at level 1 (synonymous with X'01') X'03': FIPS 140 mode is enabled at level 2 (112-bit strength enforced when creating new keys or performing digital signature generation and encryption type operations. Digital signature verification, decryption using 3DES and RSA decryption with 80-bit key lengths allowed when processing already protected information). X'04': FIPS 140 mode is enabled at level 3 (112 bit or higher strength enforced as defined in NIST SP800-131A.) Information only
69	45	SMF119SC_ TLS_ CryptoFlags	1	Binary	Cryptographic operations flags: X'80': Encrypt-then-MAC processing is used All other flags reserved
70	46	SMF119SC_ TLS_ Rsvd2	2	Binary	Reserved Server certificate information
72	48	SMF119SC_ TLS_ SCert_ Signature_ Method	2	Binary	Server certificate signature method: X'0000': Unknown X'0001': None X'0002': RSA with MD2 X'0003': RSA with MD5 X'0004': RSA with SHA1 X'0005': DSA with SHA1 X'0006': RSA with SHA-224 X'0007': RSA with SHA-256 X'0008': RSA with SHA-384 X'0009': RSA with SHA-512 X'000A': ECDSA with SHA1 X'000B': ECDSA with SHA-224 X'000C': ECDSA with SHA-256 X'000D': ECDSA with SHA-384 X'000E': ECDSA with SHA-512 X'000F': DSA with SHA-224 X'0010': DSA with SHA-256
74	4A	SMF119SC_ TLS_ SCert_ Enc_ Method	2	Binary	Server certificate encryption method: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': ECDSA
76	4C	SMF119SC_ TLS_ SCert_ Digest_ Alg	2	Binary	Server certificate digest algorithm: X'0000': Unknown X'0001': None X'0002': MD2 X'0003': MD5 X'0004': SHA1 X'0005': SHA-224 X'0006': SHA-256 X'0007': SHA-384 X'0008': SHA-512
78	4E	SMF119SC_ TLS_ Rsvd3	1	Binary	Reserved
79	4F	SMF119SC_ TLS_ SCert_ Serial_ Len	1	Binary	Server certificate serial number length in bytes. Information only
80	50	SMF119SC_ TLS_ SCert_ Serial	20	Binary	Server certificate serial number, left justified. Information only
100	64	SMF119SC_ TLS_ SCert_ Time_ Type	1	Binary	Format of server certificate "not after" time: X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
101	65	SMF119SC_ TLS_ SCert_ Time	15	Binary	Server certificate "not after" time: If the time type is UTC (SMF119SC_TLS_SCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GT (SMF119SC_TLS_SCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ). Information only
116	74	SMF119SC_ TLS_ SCert_ Key_ Type	2	Binary	Server certificate key type: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': Diffie-Hellman (DH) X'0005': Elliptic Curve Cryptography (ECC)
118	76	SMF119SC_ TLS_ SCert_ Key_ Len	2	Binary	Server certificate key length in bits Client certificate information
120	78	SMF119SC_ TLS_ CCert_ Signature_ Method	2	Binary	Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method.
122	7A	SMF119SC_ TLS_ CCert_ Enc_ Method	2	Binary	Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method
124	7C	SMF119SC_ TLS_ CCert_ Digest_ Alg	2	Binary	Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg
126	7E	SMF119SC_ TLS_ Rsvd4	1	Binary	Reserved
127	7F	SMF119SC_ TLS_ CCert_ Serial_ Len	1	Binary	Client certificate serial number length in bytes. Information only
128	80	SMF119SC_ TLS_ CCert_ Serial	20	Binary	Client certificate serial number, left justified. Information only
148	94	SMF119SC_ TLS_ CCert_ Time_ Type	1	Binary	Format of client certificate "not after" time: X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
149	95	SMF119SC_ TLS_ CCert_ Time	15	Binary	Client certificate "not after" time: If the time type is UTC (SMF119SC_TLS_CCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GMT (SMF119SC_TLS_CCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GMT format (YYYYMMDDhhmmssZ). Information only
164	A4	SMF119SC_ TLS_ CCert_ Key_ Type	2	Binary	Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type.
166	A6	SMF119SC_ TLS_ CCert_ Key_ Len	2	Binary	Client certificate key length in bits
the zERT SSH protocol attributes section. (Subtype 11) This section will be present if the connection is protected by SSH. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".(Offset from beginning of record: SMF119S4Off)
0	0	SMF119SC_ SSH_ Prot_ Ver	1	Binary	Protocol version: X'01': Protocol version 1 X'02': Protocol version 2
1	1	SMF119SC_ SSH_ Source	1	Binary	Source of the SSH information in this record: X'01': Stream observation X'02': Cryptographic protocol provider Information only
2	2	SMF119SC_ SSH_ FIPS_ Mode	1	Binary	FIPS 140 mode of the SSH provider. Same values as SMF119SC_TLS_FIPS_Mode . Information only
3	3	SMF119SC_ SSH_ CryptoFlags	1	Binary	Cryptographic operations flags: X'80': Encrypt-then-MAC processing is used for inbound traffic X'40' Encrypt-then-MAC processing is used for outbound traffic All other flags reserved
4	4	SMF119SC_ SSH_ Rsvd1	4	Binary	Reserved
8	8	SMF119SC_ SSH_ Comp	8	EBCDIC	SSH subcomponent (-padded with trailing blanks): 'SFTPS': sftp server 'SFTPC': sftp client 'SCPS ' : scp server 'SCPC' : scp client 'SSH' : ssh client 'SSHD' : sshd daemon Information only
16	10	SMF119SC_ SSH_ Protocol_ Provider	16	EBCDIC	Protocol provider (padded with trailing blanks): "Observation": Information was observed by the TCP/IP stack, not supplied by a CPP. This value is used when SMF119SC_SSH_Source is set to 1. "IBM OpenSSH": z/OS-provided OpenSSH Other values may be added in the future Information only
32	20	SMF119SC_ SSH_ Auth_ Method	2	Binary	First or only peer authentication method used for this connection: X'0000': Unknown X'0001': None X'0002': Password X'0003': Public key X'0004': Host-based X'0005': Rhosts X'0006': RhostsRSA X'0007': RSA X'0008': Keyboard-interactive X'0009': Challenge-response X'000A': Control socket 1 X'000B': GSSAPI with MIC X'000C': GSSAPI Key exchange
34	22	SMF119SC_ SSH_ Auth_ Method2	2	Binary	If not 0, the last of multiple authentication methods used for this connection. Values are the same as those for SMF119SC_SSH_Auth_Method
36	24	SMF119SC_ SSH_ In_ Enc_ Alg	2	Binary	Encryption algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Enc_Alg .
38	26	SMF119SC_ SSH_ In_ Msg_ Auth	2	Binary	Message authentication algorithm for inbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth .
40	28	SMF119SC_ SSH_ Kex_ Method	2	Binary	Key exchange method. X'0000' Unknown X'0001' None X'0002' Diffie-Hellman-group-exchangeSHA256 X'0003' Diffie-Hellman-group-exchangeSHA1 X'0004' Diffie-Hellman-group14-SHA1 X'0005' Diffie-Hellman-group1-SHA1 X'0006' ECDH-SHA2-NISTP256 X'0007' ECDH-SHA2-NISTP384 X'0008' ECDH-SHA2-NISTP521 X'0009' GSS-GROUP1-SHA1 X'000A' GSS-GROUP14-SHA1 X'000B' GSS-GEX-SHA1 X'000C' ECMQV-SHA2 X'000D' GSS-* X'000E' RSA1024-SHA1 X'000F' RSA2048-SHA256
42	2A	SMF119SC_ SSH_ Out_ Enc_ Alg	2	Binary	Encryption algorithm for outbound traffic. . Same values as SMF119SC_TLS_CS_Enc_Alg .
44	2C	SMF119SC_ SSH_ Out_ Msg_ Auth	2	Binary	Message authentication algorithm for outbound traffic. Same values as SMF119SC_TLS_CS_Msg_Auth .
46	2E	SMF119SC_ SSH_ Rsvd2	2	Binary	Reserved
48	30	SMF119SC_ SSH_ SKey_ Type	2	Binary	Type of raw server key: X'0000': Unknown X'0001': None X'0002': RSA X'0003': DSA X'0004': Diffie-Hellman (DH) X'0005': Elliptic Curve Cryptography (ECC) X'0006': RSA1 (SSHV1 only) X'0007': RSA_CERT (from OpenSSH certificate) X'0008': DSA_CERT (from OpenSSH certificate) X'0009': ECDSA_CERT (from OpenSSH certificate)
50	32	SMF119SC_ SSH_ SKey_ Len	2	Binary	Length of raw server key in bits.
52	34	SMF119SC_ SSH_ CKey_ Type	2	Binary	Type of raw client key. Same values as SMF119SC_SSH_SKey_Type.
54	36	SMF119SC_ SSH_ CKey_ Len	2	Binary	Length of raw client key in bits.
56	38	SMF119SC_ SSH_ SKey_ FPLen	2	Binary	Length (in bytes) of the server public key fingerprint. If no server public key is used, then this length is set to zero. Information only
58	3A	SMF119SC_ SSH_ CKey_ FPLen	2	Binary	Length (in bytes) of the client public key fingerprint. If no client public key is used, then this length is set to zero. Information only
60	3C	SMF119SC_ SSH_ SKey_ FP	64	Binary	The server public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X’00’. Information only
124	7C	SMF119SC_ SSH_ CKey_ FP	64	Binary	The client public key fingerprint (a hash of the public key used to identify that key), left justified and padded on the right with X’00’. Information only Server X.509 certificate information
188	BC	SMF119SC_ SSH_ SCert_ Signature_ Method	2	Binary	Server certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method .
190	BE	SMF119SC_ SSH_ SCert_ Enc_ Method	2	Binary	Server certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method .
192	C0	SMF119SC_ SSH_ SCert_ Digest_ Alg	2	Binary	Server certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg .
194	C2	SMF119SC_ SSH_ Rsvd3	1	Binary	Reserved
195	C3	SMF119SC_ SSH_ SCert_ Serial_ Len	1	Binary	Server certificate serial number length in bytes. Information only
196	C4	SMF119SC_ SSH_ SCert_ Serial	20	Binary	Server certificate serial number, left justified. Information only
216	D8	SMF119SC_ SSH_ SCert_ Time_ Type	1	Binary	Format of server certificate "not after" time: X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
217	D9	SMF119SC_ SSH_ SCert_ Time	15	Binary	Server certificate "not after" time: If the time type is UTC (SMF119SC_SSH_SCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GT (SMF119SC_SSH_SCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ). Information only
232	E8	SMF119SC_ SSH_ SCert_ Key_ Type	2	Binary	Server certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type .
234	EA	SMF119SC_ SSH_ SCert_ Key_ Len	2	Binary	Server certificate key length in bits Client X.509 certificate information
236	EC	SMF119SC_ SSH_ CCert_ Signature_ Method	2	Binary	Client certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method .
238	EE	SMF119SC_ SSH_ CCert_ Enc_ Method	2	Binary	Client certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method .
240	F0	SMF119SC_ SSH_ CCert_ Digest_ Alg	2	Binary	Client certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg .
242	F2	SMF119SC_ SSH_ Rsvd4	1	Binary	Reserved
243	F3	SMF119SC_ SSH_ CCert_ Serial_ Len	1	Binary	Client certificate serial number length in bytes. Information only
244	F4	SMF119SC_ SSH_ CCert_ Serial	20	Binary	Client certificate serial number, left justified. Information only
264	108	SMF119SC_ SSH_ CCert_ Time_ Type	1	Binary	Format of client certificate "not after" time: X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
265	109	SMF119SC_ SSH_ CCert_ Time	15	Binary	Client certificate "not after" time: If the time type is UTC (SMF119SC_SSH_CCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GT (SMF119SC_SSH_CCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ). Information only
280	118	SMF119SC_ SSH_ CCert_ Key_ Type	2	Binary	Client certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type .
282	11A	SMF119SC_ SSH_ CCert_ Key_ Len	2	Binary	Client certificate key length in bits
zERT IPSec attributes section. (Subtype 11) This section will be present if the connection is protected by IPSec. A change in most of these attributes will cause a protection state change record to be written. The attributes that do not cause a change record are noted as "Information only".(Offset from beginning of record: SMF119S5Off)
0	0	SMF119SC_ IPSec_ IKETunID	4	Binary	IKE tunnel identifier. This value is displayed as Ktunid in ipsec command displays. Information only
4	4	SMF119SC_ IPSec_ IKEMajVer	1	Binary	Major version of the IKE protocol in use. Only the low-order 4 bits are used.
5	5	SMF119SC_ IPSec_ IKEMinVer	1	Binary	Minor version of the IKE protocol in use. Only the low-order 4 bits are used.
6	6	SMF119SC_ IPsec_ Rsvd1	2	Binary	Reserved
8	8	SMF119SC_ IPSec_ IKETunKeyExchRule	48	EBCDIC	Key exchange rule for this IKE tunnel (padded with trailing blanks). Information only
56	38	SMF119SC_ IPSec_ IKETunLclEndpt	16	Binary	Local IP address of tunnel endpoint. If SMF119SC_Flags in the zERT common identification section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
72	48	SMF119SC_ IPSec_ IKETunRmtEndpt	16	Binary	Remote IP address of tunnel endpoint. If SMF119SC_Flags in the zERT common identification section indicates IPv6, then this is a 16-byte IPv6 address. Otherwise, it is a 4-byte IPv4 address in the first 4 bytes of the field.
88	58	SMF119SC_ IPSec_ IKETunLclAuthMeth	2	Binary	The authentication method for the local endpoint. One of the following values: X'00': Unknown or manual tunnel X'01': None X'02': RSA signature X'03': Preshared key X'04': ECDSA-256 signature X'05': ECDSA-384 signature X'06': ECDSA-521 signature X'07': Digital signature
90	5A	SMF119SC_ IPSec_ IKETunRmtAuthMeth	2	Binary	The authentication method for the remote endpoint. Same values as SMF119SC_IPSec_IKETunLclAuthMeth.
92	5C	SMF119SC_ IPSec_ IKETunAuthAlg	2	Binary	Tunnel authentication algorithm. Same values as SMF119SC_TLS_CS_Msg_Auth .
94	5E	SMF119SC_ IPSec_ IKETunEncAlg	2	Binary	Tunnel encryption algorithm. Same values as SMF119SC_TLS_CS_Enc_Alg .
96	60	SMF119SC_ IPSec_ IKETunDHGroup	2	Binary	Diffie-Hellman group used to generate the keying material for this IKE tunnel. One of the following values: X'00': Unknown or manual tunnel X'01': Group1 X'02': Group 2 X'05': Group 5 X'0E': Group 14 X'13': Group 19 X'14': Group 20 X'15': Group 21 X'18': Group 24 X'FF': No DH group used (only possible for SMF119SC_IPSec_PFSGroup, where these values are also used)
98	62	SMF119SC_ IPSec_ IKETunPseudoRandFunc	2	Binary	Pseudo-random function used for seeding keying material. One of the following values: X'00': Unknown or manual tunnel X'01': None X'02': HMAC-SHA2-256 X'03': HMAC-SHA2-384 X'04': HMAC-SHA2-512 X'05': AES-128-XCBC X'06': HMAC-MD5 X'07': HMAC-SHA1
100	64	SMF119SC_ IPSec_ IKETunLifesize	4	Binary	IKE tunnel lifesize. If not 0, this value indicates the lifesize limit for the tunnel, in Kbytes. Otherwise (value is 0), no lifesize enforced. Information only
104	68	SMF119SC_ IPSec_ IKETunLifetime	4	Binary	IKE tunnel lifetime. This value indicates the total number of minutes the tunnel remains active. Information only
108	6C	SMF119SC_ IPSec_ IKETunReauthIntvl	4	Binary	Reauthentication interval. Indicates the number of minutes between reauthentication operations. Information only
IKE Local certificate information (will be populated if
SMF119SC_IPSec_IKETunLocalAuthMethindicates RSA, ECDSA, or Digital signature and local
certificate information is available Otherwise, all fields set to zero.)
112	70	SMF119SC_ IPSec_ LclCert_ Sign_ Meth	2	Binary	Local IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method .
114	72	SMF119SC_ IPSec_ LclCert_ Enc_ Meth	2	Binary	Local IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method .
116	74	SMF119SC_ IPSec_ LclCert_ Digest_ Alg	2	Binary	Local IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg .
118	76	SMF119SC_ IPsec_ Rsvd2	1	Binary	Reserved.
119	77	SMF119SC_ IPSec_ LclCert_ Serial_ Len	1	Binary	Local IKE certificate serial number length in bytes. Information only
120	78	SMF119SC_ IPSec_ LclCert_ Serial	20	Binary	Local IKE certificate serial number, left justified. Information only
140	8C	SMF119SC_ IPSec_ LclCert_ Time_ Type	1	Binary	Format of local IKE certificate "not after" time: X'00': Manual tunnel - unused X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
141	8D	SMF119SC_ IPSec_ LclCert_ Time	15	Binary	Local IKE certificate "not after" time: If the time type is UTC (SMF119SC_IPSec_LclCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GT (SMF119SC_IPSec_LclCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ). Information only
156	9C	SMF119SC_ IPSec_ LclCert_ Key_ Type	2	Binary	Local IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type .
158	9E	SMF119SC_ IPSec_ LclCert_ Key_ Len	2	Binary	Local IKE certificate key length in bits.
IKE Peer certificate information (will be populated if
SMF119SC_IPSec_IKETunRmtAuthMeth indicates RSA, ECDSA, or Digital signature
and remote certificate information is available . Otherwise, all fields set to zero.)
160	A0	SMF119SC_ IPSec_ RmtCert_ Sign_ Meth	2	Binary	Remote IKE certificate signature method. Same values as SMF119SC_TLS_SCert_Signature_Method .
162	A2	SMF119SC_ IPSec_ RmtCert_ Enc_ Meth	2	Binary	Remote IKE certificate encryption method. Same values as SMF119SC_TLS_SCert_Enc_Method .
164	A4	SMF119SC_ IPSec_ RmtCert_ Digest_ Alg	2	Binary	Remote IKE certificate digest algorithm. Same values as SMF119SC_TLS_SCert_Digest_Alg .
166	A6	SMF119SC_ IPSec_ Rsvd3	1	Binary	Reserved
167	A7	SMF119SC_ IPSec_ RmtCert_ Serial_ Len	1	Binary	Remote IKE certificate serial number length in bytes. Information only
168	A8	SMF119SC_ IPSec_ RmtCert_ Serial	20	Binary	Remote IKE certificate serial number, left justified. Information only
188	BC	SMF119SC_ IPSec_ RmtCert_ Time_ Type	1	Binary	Format of remote IKE certificate "not after" time: X'00': Manual tunnel - unused X'01': Coordinated Universal Time (UTC) X'02': Generalized Time (GT) Information only
189	BD	SMF119SC_ IPSec_ RmtCert_ Time	15	Binary	Remote IKE certificate "not after" time: If the time type is UTC (SMF119SC_IPSec_RmtCert_Time_Type = X'01'), the first 13 bytes of this field contain the time in UTC format (YYMMDDhhmmssZ). If the time type is GT (SMF119SC_IPSec_RmtCert_Time_Type = X'02'), all 15 bytes of this field contain the time in GT format (YYYYMMDDhhmmssZ). Information only
204	CC	SMF119SC_ IPSec_ RmtCert_ Key_ Type	2	Binary	Remote IKE certificate key type. Same values as SMF119SC_TLS_SCert_Key_Type .
206	CE	SMF119SC_ IPSec_ RmtCert_ Key_ Len	2	Binary	Remote IKE certificate key length in bits. IPsec (Phase 2) tunnel information
208	D0	SMF119SC_ IPSec_ TunID	4	Binary	IPSec tunnel identifier. This value is displayed as Ytunid or Mtunid in ipsec command displays. Information only
212	D4	SMF119SC_ IPSec_ TunFlags	1	Binary	IP tunnel flags: X'80': IPv6 indicator. If set, security endpoint addresses and data endpoint addresses are IPv6; otherwise, they are IPv4. X'40': FIPS 140 mode indicator. If this field is set, cryptographic operations for this tunnel are performed using cryptographic algorithms and modules that are designed to meet the FIPS 140 requirements; otherwise, cryptographic algorithms and modules that do not meet the FIPS 140 requirements might be used. All remaining bits: Reserved Information only
213	D5	SMF119SC_ IPSec_ TunType	1	Binary	Tunnel type. One of the following values: X'01': Manual IPSec tunnel X'02': Dynamic IPSec tunnel X'03': Shadow tunnel
214	D6	SMF119SC_ IPSec_ TunState	1	Binary	One of the following tunnel states: X'01': Manual or dynamic tunnel is active. X'02': Manual tunnel is inactive.
215	D7	SMF119SC_ IPSec_ Rsvd4	1	Binary	Reserved
216	D8	SMF119SC_ IPSec_ EncapMode	1	Binary	One of the following tunnel encapsulation modes: X'01': Tunnel Mode X'02': Transport Mode
217	D9	SMF119SC_ IPSec_ AuthProto	1	Binary	The protocol used for message authentication. One of the following: X'32' Encapsulating Security Payload (ESP) X'33': Authentication Header (AH)
218	DA	SMF119SC_ IPSec_ AuthAlg	2	Binary	One of the following tunnel authentication algorithms. Same values as SMF119SC_TLS_CS_Msg_Auth .
220	DC	SMF119SC_ IPSec_ EncAlg	2	Binary	One of the following tunnel encryption algorithms. Same values as SMF119SC_TLS_CS_Enc_Alg .
222	DE	SMF119SC_ IPSec_ PFSGroup	2	Binary	Diffie-Hellman group used for perfect forward secrecy. Same values as SMF119SC_IPSec_IKETunDHGroup.
224	E0	SMF119SC_ IPSec_ Lifesize	4	Binary	SA lifesize in KBytes. Zero if SMF119SC_IPSec_TunType is set to 1. Information only
228	E4	SMF119SC_ IPSec_ Lifetime	4	Binary	SA lifetime in minutes. Zero if SMF119SC_IPSec_TunType is set to 1. Information only
232	E8	SMF119SC_ IPSec_ VPNLifeExpire	4	Binary	Tunnel VPN lifetime in minutes (length of time after which the tunnel family ceases to be refreshed). Zero indicates no VPN lifetime limit is enforced. Information only
zERT Distinguished Names (DN) section. (Subtype 11) This section contains one or more variable length X.500 DNs from relevant X.509 certificates. For each security protocol used to protect the connection that is using X.509 certificates for peer authentication, subject and issuer DNs from those certificates are included in the zERT DNs section. Any change in distinguished names will cause a protection state change record to be written. If any DNs exist, there is one zERT DNs section that contains all of the DNs. For each DN included in the section, there is a 2-byte length field, a 2-byte DN type field, and a variable length DN. The following structure is used to describe the fields present for each DN. (Offset from beginning of record: SMF119S6Off)
0	0	SMF119SC_ DN_ Len	2	Binary	Length of the DN structure (includes the length of SMF119SC_DN_Len, SMF119SC_DN_Type, and SMF119SC_DN)
2	2	SMF119SC_ DN_ Type	2	Binary	Type of Distinguished Name: X'0001': IPSec Local Certificate Subject DN X'0002': IPSec Local Certificate Issuer DN X'0003': IPSec Remote Certificate Subject DN X'0004': IPSec Remote Certificate Issuer DN X'0005': TLS Server Certificate Subject DN X'0006': TLS Server Certificate Issuer DN X'0007': TLS Client Certificate Subject DN X'0008': TLS Client Certificate Issuer DN X'0009': SSH Server Certificate Subject DN X'000A': SSH Server Certificate Issuer DN X'000B': SSH Client Certificate Subject DN X'000C': SSH Client Certificate Issuer DN
4	4	SMF119SC_ DN	1024	EBCDIC	The variable length DN value (up to 1024)

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Spectrum SMF Writer - the 4GL SMF Report Writer.

Sample Report from SMF 119 Subtype 2 Records
Showing Information about TCP Connections

The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

In this report, we read as input the SMF file and select just the type 119 subtype 2 TCP Connection Termination records. (See SMF 119 Subtype 2 record layout.) The report shows information about terminated TCP connections, including start time, end time and computed elapsed time. It also shows the total number of bytes sent and received during the connection and the termination code. Our record layout also expands the 1-byte termination code into a readable descriptive text. The report is grouped by TCP/IP Stack and Resource. The report includes subtotals for each Resource.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:


INPUT:  SMF119 LIST(YES)

INCLUDEIF: SMF119RTY=119 AND SMF119STY=2

COMPUTE: MY_DURATION(2) = #MAKETIME(
               ((#MAKENUM(SMF119AP_TTEDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTETIME))
             - ((#MAKENUM(SMF119AP_TTSDATE) * 86400)
                  + #MAKENUM(SMF119AP_TTSTIME))
                                   )

TITLE: 'Z/OS TCP DAILY CONNECTIONS REPORT'
TITLE: 'SYSTEM:' SMF119TI_SYSNAME
       'SYSPLEX:' SMF119TI_SYSPLEXNAME
       'STACK:' SMF119TI_STACK
TITLE: 'SORTED BY STACK AND RESOURCE NAME'

COLUMNS: SMF119AP_TTRNAME('RESOURCE')
         SMF119AP_TTSDATE('DATE/STARTED')
         SMF119AP_TTSTIME('TIME/STARTED')
         SMF119AP_TTEDATE('DATE/ENDED')
         SMF119AP_TTETIME('TIME/ENDED')
         MY_DURATION('CONNECTION/DURATION/HH:MM:SS.SS' ACCUM
                     TP'ZZ:ZZ:Z9.99')
         SMF119AP_TTINBYTES('INBOUND/BYTES')
         SMF119AP_TTOUTBYTES('OUTBOUND/BYTES')
         SMF119AP_TTTERMCODE(HEX 'TERM/CODE')
         SMF119AP_TTTERMCODE_DESC('TERM CODE DESC')

SORT:    SMF119TI_STACK
         SMF119AP_TTRNAME
         SMF119AP_TTSDATE
         SMF119AP_TTSTIME

BREAK:   SMF119AP_TTRNAME

Produce This SMF Report:


                                              Z/OS TCP DAILY CONNECTIONS REPORT
                                    SYSTEM: ST1      SYSPLEX: SYPROD    STACK: S01QDAS
                                             SORTED BY STACK AND RESOURCE NAME

                                                    CONNECTION
            DATE      TIME       DATE      TIME      DURATION      INBOUND        OUTBOUND    TERM
 RESOURCE STARTED    STARTED    ENDED      ENDED    HH:MM:SS.SS     BYTES          BYTES      CODE     TERM CODE DESC
 ________ ________ ___________ ________ ___________ ___________ ______________ ______________ ____ _______________________

 FTPTA5   03/21/09 14:04:06.81 03/21/09 14:04:07.46        0.65        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:05:35.59 03/21/09 14:05:45.67       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 14:12:13.81 03/21/09 14:12:14.51        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 14:12:27.35 03/21/09 14:12:37.42       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA5   03/21/09 15:30:34.96 03/21/09 15:30:35.64        0.68        257,537          3,052  61  CLIENT SENT RESET
 FTPTA5   03/21/09 15:35:13.92 03/21/09 15:35:24.00       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA5   (    6 ITEMS)                     32.26        853,740         10,143
 
 FTPTA6   03/21/09 14:05:38.03 03/21/09 14:05:38.70        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:07:23.60 03/21/09 14:07:33.68       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 14:12:29.83 03/21/09 14:12:30.50        0.67        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 14:17:10.02 03/21/09 14:17:20.16       10.14         27,043            329  52  APPL ISSUED CLOSE
 FTPTA6   03/21/09 15:35:16.45 03/21/09 15:35:17.21        0.76        257,537          3,052  61  CLIENT SENT RESET
 FTPTA6   03/21/09 15:36:15.10 03/21/09 15:36:25.18       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA6   (    6 ITEMS)                     32.40        853,740         10,143
 
 FTPTA7   03/21/09 14:07:26.16 03/21/09 14:07:26.86        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:08:24.36 03/21/09 14:08:34.50       10.14             70            507  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 14:17:12.60 03/21/09 14:17:13.31        0.71        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 14:21:40.01 03/21/09 14:21:50.08       10.07         27,043            329  52  APPL ISSUED CLOSE
 FTPTA7   03/21/09 15:36:17.53 03/21/09 15:36:18.17        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA7   03/21/09 15:37:11.45 03/21/09 15:37:21.53       10.08         27,043            329  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA7   (    6 ITEMS)                     32.34        826,767         10,321
 
 FTPTA8   03/21/09 08:09:32.96 03/21/09 15:29:02.41  7:19:29.45        274,763         15,912  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 13:17:39.42 03/21/09 14:42:50.82  1:25:11.40         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:42:57.42 03/21/09 14:43:21.38       23.96         45,921          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:43:26.45 03/21/09 15:28:27.01    45:00.56         47,498          2,291  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:50:01.00 03/21/09 15:28:26.10    38:25.10         35,513          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:51:01.03 03/21/09 14:52:28.82     1:27.79         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:05.50 03/21/09 15:28:22.53    35:17.03         33,273            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:53:51.74 03/21/09 14:55:51.42     1:59.68         35,306          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 14:56:05.98 03/21/09 15:11:31.19    15:25.21         33,066            875  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:12:01.80 03/21/09 15:13:30.66     1:28.86         35,266          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:13:45.48 03/21/09 15:17:09.41     3:23.93         38,223          2,199  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:18:54.59 03/21/09 15:20:07.26     1:12.67         34,273          1,537  52  APPL ISSUED CLOSE
 FTPTA8   03/21/09 15:20:22.01 03/21/09 15:28:20.73     7:58.72         33,118            875  52  APPL ISSUED CLOSE
 *** TOTAL FOR FTPTA8   (   13 ITEMS)               11:16:44.36        726,991         34,632

 
 FTPTA9   03/21/09 14:09:28.52 03/21/09 14:09:29.22        0.70        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 14:10:24.02 03/21/09 14:10:34.10       10.08         27,043            329  52  APPL ISSUED CLOSE
 FTPTA9   03/21/09 15:01:06.82 03/21/09 15:01:07.46        0.64        257,537          3,052  61  CLIENT SENT RESET
 FTPTA9   03/21/09 15:13:52.13 03/21/09 15:14:02.53       10.40         27,043            329  52  APPL ISSUED CLOSE

 ...

See other sample SMF reports.