Managing NFS and NIS, 2nd Edition - Mike Eisler [213]
host
Captures all traffic directed to or originating from the host specified. The following example captures all traffic destined to or coming from the host rome:
# snoop host rome
Note that the host keyword is not required when the specified hostname does not conflict with the name of another snoop primitive. The previous snoop host rome command could have been invoked without the host keyword, and it would have generated the same output.
port nfs
Captures NFS traffic regardless of the version. Note that MOUNT, NLM and Portmapper traffic is not captured. Useful once the mount has already occurred. The following two examples capture all NFS protocol traffic involving the host rome. A logical AND operation is implied by the juxtaposition of two boolean expressions. The two filters are equivalent:
# snoop host rome port nfs
# snoop host rome and port nfs
port 111
Captures rpcbind and portmapper traffic. Useful during filesystem mount negotiation. This example captures all rpcbind traffic on the network:
# snoop port 111
rpc prog [,vers [,proc]]
Use rpc 100005 to capture MOUNT protocol-related traffic. Useful during the mount process. The following example displays all MOUNT protocol traffic between the hosts zeus and rome:
# snoop rpc 100005 host zeus rome
Use rpc 100021 to capture NLM traffic. Useful for tracking lock manager-related traffic. The following example captures all NFS Version 3 Network Lock Manager traffic between hosts zeus and rome. Note that NLM v4 is used for NFS Version 3:
# snoop host zeus host rome rpc 100021,4
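What an rpc prog[,vers[,proc]] filter has to compare against is the fixed header of each ONC RPC message. The following Python sketch is an added example, not code from the book or from snoop: it models that match on constructed messages and pairs replies to calls by XID, because an RPC reply carries no program number. The names RpcFilter, call, reply and demo are hypothetical, the messages are assumed to be UDP payloads from a single client, and the XIDs are made up.

```python
import struct

CALL, REPLY = 0, 1  # ONC RPC msg_type values

def parse_filter(expr):
    """'100021,4' -> (100021, 4, None); an omitted field matches anything."""
    parts = [int(p) for p in expr.split(",")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("expected prog[,vers[,proc]]")
    return tuple(parts + [None] * (3 - len(parts)))

class RpcFilter:
    def __init__(self, expr):
        self.want = parse_filter(expr)
        self.pending = set()  # XIDs of matched calls still awaiting a reply

    def match(self, msg):
        """msg: one RPC message as carried in a UDP datagram (no TCP record mark)."""
        if len(msg) < 8:
            return False
        xid, msg_type = struct.unpack(">II", msg[:8])
        if msg_type == REPLY:
            # A reply has no prog/vers/proc; only its XID ties it to a call.
            if xid in self.pending:
                self.pending.discard(xid)
                return True
            return False
        if msg_type != CALL or len(msg) < 24:
            return False
        rpcvers, prog, vers, proc = struct.unpack(">IIII", msg[8:24])
        if rpcvers != 2:
            return False
        hit = all(w is None or w == g
                  for w, g in zip(self.want, (prog, vers, proc)))
        if hit:
            self.pending.add(xid)
        return hit

def call(xid, prog, vers, proc):   # constructed call, empty AUTH_NONE cred/verf
    return struct.pack(">10I", xid, CALL, 2, prog, vers, proc, 0, 0, 0, 0)

def reply(xid):                    # constructed accepted reply, status SUCCESS
    return struct.pack(">6I", xid, REPLY, 0, 0, 0, 0)

def demo(expr="100021,4"):
    f = RpcFilter(expr)
    trace = [call(0x1001, 100021, 4, 2), reply(0x1001),   # NLM v4
             call(0x1002, 100003, 3, 0), reply(0x1002),   # NFS v3 NULL
             call(0x1003, 100021, 1, 2), reply(0x1003)]   # NLM v1
    return [f.match(m) for m in trace]
```

With the filter 100021,4 only the NLM v4 call and its reply match; dropping the version (100021) also selects the NLM v1 pair.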
Publicly available diagnostics
Only a handful of publicly available NFS diagnostic tools exist at the time of this writing. The ethereal/tethereal network analyzer introduced in Chapter 13 provides detailed information for diagnosis of NFS problems at the protocol level. The NFSWATCH utility is mainly used to monitor NFS traffic over the network. The nfsbug and SATAN utilities are used to report potential security problems on NFS servers.
ethereal / tethereal
As described in Chapter 13, ethereal/tethereal can be used to capture network traffic and decode it to a great level of detail. Since ethereal/tethereal can decode NFS Version 2 and NFS Version 3 packets, it can be used to debug NFS communication, permissions, performance, and data corruption problems. It is very similar in functionality to snoop. It provides powerful filtering and is available for a diverse set of platforms where snoop is not.
Consider the example presented in the previous snoop section, where the NFS client rome attempts to access the contents of the filesystems exported by the server zeus through the /net automounter path:
rome% ls -la /net/zeus/export
total 5
dr-xr-xr-x 3 root root 3 Jul 31 22:51 .
dr-xr-xr-x 2 root root 2 Jul 31 22:40 ..
drwxr-xr-x 3 root other 512 Jul 28 16:48 eng
dr-xr-xr-x 1 root root 1 Jul 31 22:51 home
rome% ls /net/zeus/export/home
/net/zeus/export/home: Permission denied
The network traffic is captured into the /tmp/ethereal.cap file concurrently with the operation. Note that only traffic between rome and zeus is captured:
rome# tethereal -w /tmp/ethereal.cap host rome and host zeus
46 ^C
rome# tethereal -r /tmp/ethereal.cap
1 0.000000 rome -> zeus PORTMAP V2 GETPORT Call XID 0x398fd3ea
2 0.003138 zeus -> rome PORTMAP V2 GETPORT Reply XID 0x398fd3ea
3 0.003328 rome -> zeus NFS V3 NULL Call XID 0x398fd3eb
4 0.004613 zeus -> rome NFS V3 NULL Reply XID 0x398fd3eb
5 0.005823 rome -> zeus PORTMAP V2 GETPORT Call XID 0x398fca35
6 0.008871 zeus -> rome PORTMAP V2 GETPORT Reply XID 0x398fca35
7 0.009823 rome -> zeus TCP 49699 > 33168 [SYN] Seq=1251769928 Ack=0 Win=24820 Len=0
8 0.011067 zeus -> rome TCP 33168 > 49699 [SYN, ACK] Seq=3939269366 Ack=1251769929 Win=24820 Len=0
9 0.011100 rome -> zeus TCP 49699 > 33168 [ACK] Seq=1251769929 Ack=3939269367 Win=24820 Len=0
10 0.011339 rome -> zeus