Managing NFS and NIS, 2nd Edition - Mike Eisler [218]
Consider the case where the server zeus exports a filesystem with NFS logging enabled. The client rome then copies the file /net/zeus/export/foo.tar.Z to its local disk. The NFS Server Logging utility records the access with a single record of the form:
Fri Jul 28 09:27:12 2000 0 rome 136663 /export/foo.tar.Z b _ o r 32721 nfs 0 *
This entry indicates that on Fri Jul 28 2000 at 09:27:12 in the morning, a file was downloaded by the host rome. The file was 136663 bytes in length and was located on the server at /export/foo.tar.Z. The file was downloaded by userID 32721 using nfs. The meaning of each field is explained in detail later in this section.
In contrast, the snoop utility generates multiple transactions:
1 0.00000 rome -> zeus NFS C LOOKUP3 FH=0222 foo.tar.Z
2 0.00176 zeus -> rome NFS R LOOKUP3 OK FH=EEAB
3 0.00026 rome -> zeus NFS C ACCESS3 FH=0222 (lookup)
4 0.00125 zeus -> rome NFS R ACCESS3 OK (lookup)
5 0.00018 rome -> zeus NFS_ACL C GETACL3 FH=EEAB mask=10
6 0.00139 zeus -> rome NFS_ACL R GETACL3 OK
7 0.00026 rome -> zeus NFS C ACCESS3 FH=EEAB (read)
8 0.00119 zeus -> rome NFS R ACCESS3 OK (read)
9 0.00091 rome -> zeus NFS C READ3 FH=EEAB at 0 for 32768
10 0.00020 rome -> zeus NFS C READ3 FH=EEAB at 32768 for 32768
11 0.00399 zeus -> rome UDP IP fragment ID=56047 Offset=0 MF=1
12 0.02736 zeus -> rome UDP IP fragment ID=56048 Offset=0 MF=1
13 0.00009 rome -> zeus NFS C READ3 FH=EEAB at 65536 for 32768
14 0.00020 rome -> zeus NFS C READ3 FH=EEAB at 98304 for 32768
15 0.00017 rome -> zeus NFS C READ3 FH=EEAB at 131072 for 8192
16 0.03482 zeus -> rome UDP IP fragment ID=56049 Offset=0 MF=1
17 0.02740 zeus -> rome UDP IP fragment ID=56050 Offset=0 MF=1
18 0.02739 zeus -> rome UDP IP fragment ID=56051 Offset=0 MF=1
A single user-level copy command translates into multiple NFS operations. The NFS client must first find the object via the LOOKUP3 operation, determine access rights to the object via the ACCESS3 and GETACL3 operations and then finally read the information from the server via multiple READ3 operations.
The NFS Server Logging mechanism was designed to emulate the FTP logging mechanism found in many FTP public domain implementations. The log generated is specifically compatible with the log format generated by the popular Washington University's FTP daemon (WU-ftpd). WU-ftpd log format was chosen because of the popularity of this particular FTP service, as well as the availability of a number of public domain and home-grown utilities that already consume WU-ftpd logs.
Each NFS log record contains the following space-separated fields:
Date
The timestamp from the start of the operation. It is represented in local time in the form of a 26-character string. The fields are constant width. The timestamp is formatted with ctime(3C). In the previous example, this was Fri Jul 28 09:27:12 2000.
ElapsedTime
For reads and writes, this is the approximate elapsed time from the first to last operation. It is truncated to whole seconds. In the previous example it is 0, meaning it took less than one second.
ClientName
Name of the system accessing the object. The name service switch is used on the server to generate the client name. This means that hostnames will be printed for those machines known within the name service. IP addresses will be printed for hostnames that are outside the name service control. In the previous example, this is rome.
TransferSize
Total number of bytes read or written. It is always 0 for operations other than read