Managing NFS and NIS, 2nd Edition - Mike Eisler

IP: Header checksum = 4503
IP: Source address = 131.40.52.223, caramba
IP: Destination address = 131.40.52.27, mickey
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 55559
UDP: Destination port = 2049 (Sun RPC)
UDP: Length = 48
UDP: Checksum = 3685
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 969440111
RPC: Type = 0 (Call)
RPC: RPC version = 2
RPC: Program = 100003 (NFS), version = 3, procedure = 0
RPC: Credentials: Flavor = 0 (None), len = 0 bytes
RPC: Verifier : Flavor = 0 (None), len = 0 bytes
RPC:
NFS: ----- Sun NFS -----
NFS:
NFS: Proc = 0 (Null procedure)
NFS:

The Ethernet header displays the source and destination addresses as well as the type of information embedded in the packet. The IP layer displays the IP version number, flags, options, and the addresses of the sender and recipient of the packet. The UDP header displays the source and destination ports, along with the length and checksum of the UDP portion of the packet. Embedded in the UDP frame is the RPC data. Every RPC packet carries a transaction ID (XID), used by the sender to match replies to its requests and by the server to identify duplicate calls. The previous example shows a request from the host caramba to the server mickey. RPC version = 2 refers to the version of the RPC protocol itself; the program number 100003 and version 3 identify the NFS service and the NFS protocol version. NFS procedure 0 is always the NULL procedure, and it is most commonly invoked with no authentication information, which is why both the credentials and the verifier show flavor 0 (None) with a length of 0 bytes. The UDP length of 48 bytes is consistent with this: an 8-byte UDP header plus a 40-byte RPC call header whose credential and verifier fields are both empty. The NFS NULL procedure takes no arguments, so none are listed in the NFS portion of the packet.
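As an added example (Python written for this page, not code from the book or from snoop), the following encodes and decodes the ONC RPC header fields that snoop printed above. The field layout and constants follow RFC 5531; the XIDs, the sample AUTH_SYS credential and the reply messages are constructed here. It goes slightly beyond the trace: besides the AUTH_NONE NULL call, it decodes a flavor 1 (AUTH_SYS) credential, to show what such a request exposes on the wire, and pairs calls with replies by XID the way a client does, flagging XIDs that were sent twice as a server's duplicate request cache would.

```python
import struct

# ONC RPC v2 constants (RFC 5531); program, version and procedure numbers match the trace.
MSG_CALL, MSG_REPLY = 0, 1
RPC_VERSION = 2
NFS_PROGRAM, NFS_V3, NFSPROC3_NULL = 100003, 3, 0
AUTH_NONE, AUTH_SYS, RPCSEC_GSS = 0, 1, 6
FLAVOR_NAMES = {AUTH_NONE: "None", AUTH_SYS: "Unix", RPCSEC_GSS: "RPCSEC_GSS"}


def _pad(n):
    """XDR pads variable-length data to a multiple of four bytes."""
    return (-n) % 4


def xdr_opaque_auth(flavor, body):
    """Encode an opaque_auth: flavor, body length, body, padding."""
    return struct.pack(">II", flavor, len(body)) + body + b"\0" * _pad(len(body))


def auth_sys_body(stamp, machine, uid, gid, gids=()):
    """AUTH_SYS (flavor 1) credential body: a uid/gid the client asserts, carried in the clear."""
    name = machine.encode()
    body = struct.pack(">II", stamp, len(name)) + name + b"\0" * _pad(len(name))
    body += struct.pack(">III", uid, gid, len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def build_call(xid, prog, vers, proc, cred=(AUTH_NONE, b""), verf=(AUTH_NONE, b""), args=b""):
    """CALL message: xid, msg_type, rpcvers, prog, vers, proc, credentials, verifier, arguments."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    return header + xdr_opaque_auth(*cred) + xdr_opaque_auth(*verf) + args


def build_reply(xid, results=b""):
    """Accepted, successful REPLY: xid, msg_type, reply_stat=0, verifier, accept_stat=0, results."""
    return (struct.pack(">III", xid, MSG_REPLY, 0) + xdr_opaque_auth(AUTH_NONE, b"")
            + struct.pack(">I", 0) + results)


def _take_opaque_auth(data, off):
    flavor, length = struct.unpack_from(">II", data, off)
    body = data[off + 8:off + 8 + length]
    if len(body) != length:
        raise ValueError("truncated opaque_auth")
    return flavor, body, off + 8 + length + _pad(length)


def parse_auth_sys(body):
    stamp, nlen = struct.unpack_from(">II", body, 0)
    machine = body[8:8 + nlen].decode()
    off = 8 + nlen + _pad(nlen)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    gids = list(struct.unpack_from(">%dI" % ngids, body, off + 12))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def parse_message(data):
    """Decode what snoop's RPC layer prints: XID, type, RPC version, program, version, procedure, flavors."""
    if len(data) < 12:
        raise ValueError("short RPC message")
    xid, mtype, third = struct.unpack_from(">III", data, 0)
    msg = {"xid": xid, "type": mtype}
    if mtype == MSG_CALL:
        if len(data) < 40:
            raise ValueError("short RPC call")
        if third != RPC_VERSION:
            raise ValueError("unsupported RPC version %d" % third)
        msg["prog"], msg["vers"], msg["proc"] = struct.unpack_from(">III", data, 12)
        cflavor, cbody, off = _take_opaque_auth(data, 24)
        vflavor, vbody, off = _take_opaque_auth(data, off)
        msg.update(cred_flavor=cflavor, cred_len=len(cbody), verf_flavor=vflavor,
                   verf_len=len(vbody), args=data[off:])
        if cflavor == AUTH_SYS:
            msg["cred"] = parse_auth_sys(cbody)
    elif mtype == MSG_REPLY:
        msg["reply_stat"] = third
        if third != 0:  # MSG_DENIED: a rejected_reply follows, not decoded here
            return msg
        vflavor, vbody, off = _take_opaque_auth(data, 12)
        (msg["accept_stat"],) = struct.unpack_from(">I", data, off)
        msg["results"] = data[off + 4:]
    else:
        raise ValueError("unknown msg_type %d" % mtype)
    return msg


def match_by_xid(messages):
    """Pair replies with calls by XID (client side); report XIDs seen in more than one call (server side)."""
    calls, pairs, duplicates = {}, [], []
    for m in messages:
        if m["type"] == MSG_CALL:
            if m["xid"] in calls:
                duplicates.append(m["xid"])
            calls[m["xid"]] = m
        elif m["xid"] in calls:
            pairs.append((calls[m["xid"]], m))
    return pairs, duplicates


if __name__ == "__main__":
    # The NULL call from the trace: 40 bytes of RPC header, plus 8 bytes of UDP header = 48.
    null_call = build_call(969440111, NFS_PROGRAM, NFS_V3, NFSPROC3_NULL)
    print(len(null_call) + 8, parse_message(null_call))
    # Constructed AUTH_SYS call: the uid/gid that anyone running snoop on the segment can read.
    sys_call = build_call(969440112, NFS_PROGRAM, NFS_V3, NFSPROC3_NULL,
                          cred=(AUTH_SYS, auth_sys_body(0x1234, "caramba", 0, 0, [0, 1])))
    print(parse_message(sys_call)["cred"])
```

The AUTH_SYS decoder is the practical point for anyone auditing an NFS segment: with flavor 1 the server trusts whatever uid and gid the client wrote into the credential, and snoop shows them as plainly as it shows the XID.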

The amount of traffic on a busy network can be overwhelming, and much of it is irrelevant to the problem at hand. Filters reduce the amount of noise captured and displayed, allowing you to focus on relevant data. A filter can be applied at the time the data is captured or at the time it is displayed. Applying the filter at capture time reduces the amount of data that must be stored and processed during display. Applying the filter at display time lets you further refine previously captured information. You will find yourself applying different display filters to the same data set as you narrow the problem down and isolate the network packets of interest.

Snoop uses the same syntax for capture and display filters. For example, the host filter instructs snoop to capture only packets whose source or destination address matches the specified host:

# snoop host caramba
Using device /dev/hme (promiscuous mode)
caramba -> schooner NFS C GETATTR3 FH=B083
schooner -> caramba NFS R GETATTR3 OK
caramba -> schooner TCP D=2049 S=1023 Ack=3647506101 Seq=2611574902 Len=0 Win=24820

In this example the host filter instructs snoop to capture packets originating at or addressed to the host caramba. You can specify either the IP address or the hostname; snoop uses the name service switch to do the conversion. Snoop assumes that the specified hostname resolves to an IPv4 address. To match an IPv6 address instead, put the inet6 qualifier in front of the host filter:

# snoop inet6 host caramba
Using device /dev/hme (promiscuous mode)
caramba -> 2100::56:a00:20ff:fea0:3390 ICMPv6 Neighbor advertisement
2100::56:a00:20ff:fea0:3390 -> caramba ICMPv6 Echo request (ID: 1294 Sequence number: 0)
caramba -> 2100::56:a00:20ff:fea0:3390 ICMPv6 Echo reply (ID: 1294 Sequence number: 0)

You can restrict the capture to traffic addressed to the specified host by using the to or dst qualifier in front of the host filter:

# snoop to host caramba
Using device /dev/hme (promiscuous mode)
schooner -> caramba RPC R XID=1493500696 Success
schooner -> caramba RPC R XID=1493500697 Success
schooner -> caramba RPC R XID=1493500698 Success

Similarly, you can restrict the capture to packets originating from the specified host by using the from or src qualifier:

# snoop from host caramba
Using device /dev/hme (promiscuous mode)
caramba -> schooner NFS C GETATTR3 FH=B083
caramba -> schooner TCP D=2049 S=1023 Ack=3647527137
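To make the filter semantics above concrete, here is an added Python example (written for this page; it is neither snoop's code nor the book's) that evaluates snoop-style host filters over a constructed packet list: an unqualified host term matches either address, to/dst and from/src match a single direction, and the inet6 qualifier switches the name lookup to the host's IPv6 address, with a small constructed table standing in for the name service switch. It also accepts not, and and or, which snoop's filter language supports, and runs the same predicate for capture and for display so that display filters can be stacked on a previous capture. The IPv4 addresses of caramba and mickey are the ones from the trace; every other address, the table and the packet summaries are assumed.

```python
import ipaddress

# Constructed stand-in for the name service switch. caramba's and mickey's IPv4 addresses
# come from the snoop trace above; the remaining addresses are assumed for this example.
HOSTS = {
    "caramba": {"inet": "131.40.52.223", "inet6": "2100::56:a00:20ff:fe9c:1d2"},
    "mickey": {"inet": "131.40.52.27"},
    "schooner": {"inet": "131.40.52.28"},
}


def resolve(name, family="inet"):
    """Turn a hostname or literal into an address of the requested family (snoop defaults to IPv4)."""
    if name in HOSTS:
        if family not in HOSTS[name]:
            raise LookupError("%s has no %s address" % (name, family))
        return ipaddress.ip_address(HOSTS[name][family])
    addr = ipaddress.ip_address(name)  # a literal address is used as-is
    if (addr.version == 6) != (family == "inet6"):
        raise LookupError("%s is not an %s address" % (name, family))
    return addr


def parse_filter(expr):
    """Compile '[inet|inet6] [to|dst|from|src] host NAME' terms joined by not/and/or into a predicate."""
    toks, pos = expr.split(), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def primary():
        if peek() == "not":
            take()
            inner = primary()
            return lambda pkt: not inner(pkt)
        family = take() if peek() in ("inet", "inet6") else "inet"
        direction = "any"
        if peek() in ("to", "dst"):
            take()
            direction = "dst"
        elif peek() in ("from", "src"):
            take()
            direction = "src"
        if peek() != "host" or pos[0] + 1 >= len(toks):
            raise ValueError("expected 'host NAME' in %r" % expr)
        take()
        addr = resolve(take(), family)
        if direction == "dst":
            return lambda pkt: pkt["dst"] == addr
        if direction == "src":
            return lambda pkt: pkt["src"] == addr
        return lambda pkt: addr in (pkt["src"], pkt["dst"])

    def conjunction():  # 'and' binds tighter than 'or'
        pred = primary()
        while peek() == "and":
            take()
            pred = (lambda a, b: lambda pkt: a(pkt) and b(pkt))(pred, primary())
        return pred

    def disjunction():
        pred = conjunction()
        while peek() == "or":
            take()
            pred = (lambda a, b: lambda pkt: a(pkt) or b(pkt))(pred, conjunction())
        return pred

    pred = disjunction()
    if peek() is not None:
        raise ValueError("unexpected token %r in %r" % (peek(), expr))
    return pred


def packet(src, dst, summary):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "summary": summary}


# Constructed capture, modelled on the one-line summaries snoop prints.
TRACE = [
    packet("131.40.52.223", "131.40.52.28", "NFS C GETATTR3"),
    packet("131.40.52.28", "131.40.52.223", "NFS R GETATTR3 OK"),
    packet("131.40.52.27", "131.40.52.28", "NFS C LOOKUP3"),
    packet("2100::56:a00:20ff:fe9c:1d2", "2100::56:a00:20ff:fea0:3390", "ICMPv6 Echo reply"),
    packet("2100::56:a00:20ff:fea0:3390", "2100::56:a00:20ff:fe9c:1d2", "ICMPv6 Echo request"),
]


def apply_filter(packets, expr):
    """Same function serves as capture filter (over live packets) and display filter (over what was kept)."""
    pred = parse_filter(expr)
    return [p for p in packets if pred(p)]


if __name__ == "__main__":
    captured = apply_filter(TRACE, "host schooner")          # capture-time filter
    for p in apply_filter(captured, "src host caramba"):    # display-time refinement
        print(p["src"], "->", p["dst"], p["summary"])
```

Note how "host caramba" and "inet6 host caramba" select disjoint packets: the name is resolved once, to one family, before any packet is examined, which is exactly why the inet6 qualifier is needed for dual-stack hosts.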
