Managing NFS and NIS, 2nd Edition - Mike Eisler [215]
nfs
Displays NFS traffic regardless of the version. Note that MOUNT, NLM, and Portmapper traffic is not captured. Useful once the mount has already occurred. The following example displays all NFS protocol traffic involving the host rome:
# tethereal -R "nfs and ip.addr == rome"
nfs.status
Displays all replies to successful NFS calls when nfs.status == 0 or the replies to unsuccessful NFS calls otherwise. The originating call can be obtained using the rpc.xid filter. The following example displays all NFS failures:
# tethereal -R "nfs.status != 0"
rpc
Displays all RPC traffic regardless of the program number. The following example displays all RPC traffic on the wire:
# tethereal -R "rpc"
rpc.xid
Displays the RPC call or reply matching a given Transaction ID. This is useful when the call packet is available and the matching reply is needed, or vice versa. The following example finds the RPC call and reply with transaction ID equal to 0x398f0441:
# tethereal -R "rpc.xid == 0x398f0441"
tcp.port == 111 or udp.port == 111
Displays rpcbind and portmapper traffic. Useful during filesystem mount negotiation. The following example displays all rpcbind traffic on the network:
# tethereal -R "tcp.port == 111 or udp.port == 111"
rpc.program, rpc.programversion, rpc.procedure
Use rpc.program == 100005 to capture MOUNT protocol related traffic. Useful during the mount process. The following example displays all MOUNT protocol traffic between the hosts zeus and rome:
# tethereal -R "rpc.program == 100005 and ip.addr == zeus \
and ip.addr == rome"
Use rpc.program == 100021 to capture NLM traffic. Useful for tracking lock manager-related traffic. The following example displays all NFS Version 3 Network Lock Manager traffic between hosts zeus and rome. Note that NLM v4 is used for NFS Version 3:
# tethereal -R "rpc.program == 100021 and rpc.programversion == 4 \
and ip.addr == rome and ip.addr == zeus"
NFSWATCH
NFSWATCH was developed by David Curry of Purdue University in the late 1980s, with some improvements to the basic framework provided by Jeff Mogul of Digital Equipment Corporation (now Compaq). It is mainly used to monitor NFS activity on a given server, or NFS activity on the local network. NFSWATCH gathers its data by monitoring the network interface of the system where it is invoked.
NFSWATCH 4.3 is the most recent version at the time of this writing, and only supports NFS Version 2 over UDP. You should be aware that at the time of this writing, a bug in the tool causes NFS Version 3 traffic to the server to incorrectly increment the NFS Version 2 counters. This happens because the tool does not check the NFS version number of the packet received.
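The version check that the paragraph above says is missing, as an added example (not code from NFSWATCH or from the book): a minimal ONC RPC header decoder that keys its counters on program and version, and pairs replies to calls by XID the way the rpc.xid filter does. The NFS program number 100003, the helper names and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Program numbers from this page, plus NFS itself (100003, not given on the page).
PROGRAMS = {100000: "portmap", 100003: "NFS", 100005: "MOUNT", 100021: "NLM"}
CALL, REPLY = 0, 1

def parse_rpc(payload):
    """Decode the fixed part of an ONC RPC message carried in a UDP payload."""
    if len(payload) < 8:
        return None
    xid, msg_type = struct.unpack(">II", payload[:8])
    if msg_type == CALL and len(payload) >= 24:
        rpcvers, prog, vers, proc = struct.unpack(">IIII", payload[8:24])
        if rpcvers != 2:          # ONC RPC protocol version is always 2
            return None
        return {"xid": xid, "type": "call", "prog": prog, "vers": vers, "proc": proc}
    if msg_type == REPLY:
        return {"xid": xid, "type": "reply"}
    return None

def tally(payloads):
    """Count calls per (program, version) and pair replies to calls by XID."""
    counts, pending, paired = Counter(), {}, []
    for p in payloads:
        msg = parse_rpc(p)
        if msg is None:
            continue
        if msg["type"] == "call":
            name = PROGRAMS.get(msg["prog"], str(msg["prog"]))
            counts[(name, msg["vers"])] += 1   # version is part of the key
            pending[msg["xid"]] = msg
        elif msg["xid"] in pending:            # reply: look up its call
            paired.append((msg["xid"], pending.pop(msg["xid"])))
    return counts, paired

def make_call(xid, prog, vers, proc):
    # Constructed sample packet: call header only, no credential or verifier.
    return struct.pack(">IIIIII", xid, CALL, 2, prog, vers, proc)

SAMPLE = [
    make_call(0x398f0441, 100003, 3, 1),    # NFS Version 3 call
    make_call(0x398f0442, 100003, 2, 1),    # NFS Version 2 call
    make_call(0x398f0443, 100021, 4, 2),    # NLM v4 call
    struct.pack(">II", 0x398f0441, REPLY),  # reply to the first call
]
COUNTS, PAIRED = tally(SAMPLE)
```

Because the counter key includes the version field, the Version 3 call never lands in the Version 2 bucket.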
Regardless of its current limitations, NFSWATCH is still a very useful tool whose main features are worth mentioning:
The tool categorizes the incoming network traffic and continuously updates the statistics on the display. You can also instruct the tool to create a more detailed log file of the network traffic.
It allows you to log statistics for every NFS operation, for every exported filesystem, for files for which you specify particular interest, or for NFS clients that access your server.
It reports usage of NFS clients and users of the filesystems.
It can be run interactively or remotely (via rsh), or it can be scheduled to run from cron.
Total runtime can be specified for unsupervised traffic monitoring.
NFSWATCH is available at ftp://gatekeeper.dec.com/pub/net/ip/nfs/nfswatch4.3.tar.gz. The following