Ask Your Question
0

How to capture filename (path) for NFSv4 traffic using tshark

asked 2018-06-15 04:57:35 +0000

Roman gravatar image

Im using tshark to detect the most called files by specifics nfs.procedure_v3 (my capture filter for read,write getattr ...) by analyzing the amount of Fields like nfs.fattr3.fileid (inode) and nfs.fattr3.fsid. How to make it for NFSv4 which should be able to display filename and even path directly in packets. Thank you.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-06-15 19:59:42 +0000

Guy Harris gravatar image

How to make it for NFSv4 which should be able to display filename and even path directly in packets.

Not in, for example, a packet where the COMPOUND call includes a READ operation but not an OPEN operation; a READ request has just a stateid4, an offset, and a count, and the reply just contains a status and, on success, the data being read - there are no pathnames in a READ request or reply.

The best Wireshark can do is "file name snooping", which is enabled by the "Snoop FH to filename mappings" preference. and "full file name snooping", which tries to get full pathnames, not just component names, and is enabled by the "Snoop full path to filenames" preference. Those forms of snooping work for NFSv2, NFSv3, and NFSv4. They are not enabled by default, so you will have to enable them yourself, by either:

  • running Wireshark, changing them through the GUI, and saving the preferences, so that TShark will pick up those preferences;
  • manually editing the Wireshark preferences file to set nfs.file_name_snooping and nfs.file_full_name_snooping to TRUE;
  • running TShark with the command line options -o nfs.file_name_snooping:true and -o nfs.file_full_name_snooping:true to turn those preferences on for that particular instance of TShark.
edit flag offensive delete link more

Comments

Thank you Guy, I already testing it and getting some result on, for example OPEN,WRITE NFScalls with your snooping tshark hint is getting me sometimes fs.name ;-) example:

tshark -i storage -f "host my:ipv6:IP:add::ress" -Y "rpc.program == 100003 && nfs.main_opcode == 18" -o nfs.file_name_snooping:true -o nfs.file_full_name_snooping:true -T fields -e nfs.fhandle -e nfs.name

Once again thanks and now i have night ahead to play with it . :-D

Roman gravatar imageRoman ( 2018-06-15 20:37:09 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-06-15 04:57:35 +0000

Seen: 5,189 times

Last updated: Jun 15 '18