1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
23 Apr 2010
This is NFSWATCH Version 4.99.11. Changes from Version 4.99.10 are:
- README file converted to utf8
- Fix compile issues on Solaris and Linux alpha machines
- Add a ChangeLog file
- Add TODO note about broken strict aliasing rule
-------------------------------------------------------------------------------
15 Apr 2009
This is NFSWATCH Version 4.99.10. Changes from Version 4.99.9 are:
- use libpcap for packet capturing, thus allowing to monitor NFS
traffic also on InfiniBand and other interconnects.
- Add some TODO items...
-------------------------------------------------------------------------------
25 May 2007
This is NFSWATCH Version 4.99.9. Changes from Version 4.99.8 are:
- Improve filehandle decoding on Linux.
- Exclude known non-exports instead of guessing exports.
- Do not handle the second argument of RENAME3 and LINK3,
as it doesn't seem to work anyway.
-------------------------------------------------------------------------------
13 March 2007
This is NFSWATCH Version 4.99.8. Changes from Version 4.99.7 are:
- Handle more Linux filehandle's fsid_type
- Improve parsing of device name and instance number in dlpi
-------------------------------------------------------------------------------
30 January 2007
This is NFSWATCH Version 4.99.7. Changes from Version 4.99.6 are:
- Make per-procedure statistics work for NFSv3
- Makefile cleanups
-------------------------------------------------------------------------------
14 June 2006
This is NFSWATCH Version 4.99.6. Changes from Version 4.99.5 are:
- Fix buffer overflow problems
- Compiler warnings cleanup
- Allow compiling on IRIX (using GCC)
-------------------------------------------------------------------------------
22 November 2005
This is NFSWATCH Version 4.99.5. Changes from Version 4.99.4 are:
- Analyze NFS on TCP
- Improve total packet count display
- Allow compiling for 64-bit Solaris
- Allow compiling for older Solaris releases (5.6 and 5.7)
- Compiler warnings cleanup
-------------------------------------------------------------------------------
13 July 2005
This is NFSWATCH Version 4.99.4. Changes from Version 4.99.3 are:
- Fix NFS packet counting bug
- Improve Linux filehandle parsing
-------------------------------------------------------------------------------
2 June 2005
This is NFSWATCH Version 4.99.3. Changes from Version 4.99.2 are:
- Add xfs to the list of recognized filesystems
-------------------------------------------------------------------------------
22 April 2005
This is NFSWATCH Version 4.99.2. Changes from Version 4.99.1 are:
- Cleanup spec file for Fedora Extras
-------------------------------------------------------------------------------
25 February 2005
This is NFSWATCH Version 4.99.1. Changes from Version 4.3 are:
- Deal with NFSv3 and Linux filehandles
-------------------------------------------------------------------------------
12 February 1996
This is NFSWATCH Version 4.3. The only changes from Version 4.2 are:
- Should now compile properly on Solaris 2.5 (SunOS 5.5). Thanks
to Alexandre Oliva for the patch. As with Solaris 2.4, expect
several warnings on xdr.c.
- Added a patch to let is_exported() on SVR4 deal with symbolic links
in /etc/dfs/dfstab. Thanks to Ronald Hello for the patch.
- Added a patch to allow NFSWATCH to find out about more local file
system types (XFS on IRIX, PCFS and HSFS on SunOS). Thanks to
Andreas Stolcke for the patch.
- Added a patch to allow NFSwatch to understand Network Appliance
FAServer file handles. Thanks to Guy Harris for the patch.
-------------------------------------------------------------------------------
31 March 1995
This is NFSWATCH Version 4.2. The only changes from Version 4.1 are:
- Should now compile properly on Solaris 2.4 (SunOS 5.4), although
you should expect several warnings on xdr.c due to some annoying
discrepancies between type definitions.
- Added a workaround to a bug in Solaris 2.3 that causes
screwed up packets when the snapshot length is small.
- Added a patch to fix identification of file system devices
in Solaris 2.x.
- Added the "qeN" devices for Sun's SQE board (Quad Ethernet).
-------------------------------------------------------------------------------
1 December 1993
This is NFSWATCH Version 4.1. It lets you monitor NFS requests to any given
machine, or the entire local network. It mostly monitors NFS client traffic
(NFS requests); it also monitors the NFS reply traffic from a server in
order to measure the response time for each RPC.
This is primarily a release to fix bugs that were present in the previous
release. The following changes and bug fixes have been made since NFSWATCH
4.0:
- Compiles and runs under Solaris 2.2 and Solaris 2.3.
- Compiles and runs under DEC OSF/1 V1.3 and later.
- The NFS procedure display code has been fixed.
- Now understands Auspex file handles (thanks to Guy Harris).
- Now understands IRIX file handles (thanks to Jim Patterson).
- Now saves "-procs" output in the log file (thanks to Gary Schaps).
- The screendump feature now works properly on Solaris 2.x systems
(thanks to Gerry Singleton).
- The mechanism by which NFS file handles are parsed has been split
out into a separate module and completely redesigned. It is now
independent of the platform on which nfswatch is running, and uses
a variety of heuristics to figure out what the file handle
represents. Doubtless these heuristics will fail in some cases;
we have not been able to test the code against all possible NFS
servers.
If you find that nfswatch is not properly decoding a file handle
from one of your servers (say, foo.bar.com), you can help us out
by doing
% nfswatch -dst foo.bar.com -fhdebug
and capturing a page or two of the output. Then mail it to us,
and also tell us exactly what software is running on the server
(e.g., "DEC OSF/1 V1.3"). We cannot promise to fix the problem,
of course.
The following features and bug fixes appeared in NFSWATCH 4.0:
- NFSWATCH now runs on Sun SPARC machines under SunOS 5.x (Solaris
2.x) using the Data Link Provider Interface (DLPI), dlpi(7).
- NFSWATCH now runs on Silicon Graphics machines under IRIX 4.0
using the snoop(7) interface. It should also work on versions 3.2
and 3.3 (you'll need "-lbsd" on 3.2). Thanks to Tim Hudson of
Mincom Pty for the patches.
- NFSWATCH "almost" works on System V Release 4 systems. There are
some problems with the fact that Solaris 2.x uses DLPI 2.0 (good),
but most SVR4s out there still use DLPI 1.3 (bad). I've had a few
beta testers working on it, but they have not yet gotten it to
work. If you manage to get it working, *please* send patches.
- NFSWATCH now keeps track of timing information in the procedure
display, showing how quickly NFS calls receive replies. Thanks to
Peter Phillips of the University of British Columbia for the code.
- NFSWATCH now has an authenticator display, which shows the username
or user id of the originator of each packet. Thanks again to Peter
Phillips for the code.
- A first pass at support for FDDI interfaces has been added. The
support is better on some systems than others, as described below:
IRIX40: Has not been tested, and almost definitely will not work
"as is". The packet header that's read into from snoop
probably needs to be different. Send us patches if you
get it to work.
SUNOS4: Has been tested on a Sun-4/380 under SunOS 4.1.2. Works
with the SunNet FDDI/DX boards.
SUNOS5: Has not been tested, but "should" work. Send us patches
if it doesn't.
SVR4: Has not been tested, but "should" work. Send us patches if
it doesn't. (And if you get the rest of it working; see
above.)
ULTRIX: Works with Ultrix V4.2 or later *only*. All flavors of
Ultrix 4.2 (including 4.2A, 4.2B, 4.2C) require kernel
patches before you can use the FDDI code. Obtain the
patched versions of net_common.o and pfilt.o from your
Customer Support Center.
- A new option, "-server hostname" has been added to watch all the
traffic between a server and its clients; this is equivalent to
"src == hostname || dst == hostname", which is not specifiable
using the other options. Thanks again to Peter Phillips for the
patches.
- A new option, "-map", is available to help translate file system
device names to "english" names, e.g. "/usr" instead of
"fs1(7,23)". Thanks yet again to Peter Phillips.
- Two new options have been added to allow NFSWATCH to be run from
cron, via rsh, etc. The "-bg" option tells NFSWATCH to run in the
background, with no screen display. All information will be put
into the logfile only. The "-T maxtime" option tells NFSWATCH to
terminate execution after maxtime seconds.
- A new interactive command has been added. The "n" command toggles
the display of client names or client host numbers in client mode,
so that foreign hosts can be identified.
- The maximum number of client hosts for a single server has been
increased to 512. The maximum number of internet addresses for a
single host has been increased to 16. The maximum number of
interfaces that can be watched at one time has been increased to
16.
- The bug in which file matching did not work on Sun-3 systems has
been fixed.
- The bug in which the standard input got closed upon exit, making
the curses routines screw up, has been fixed.
- The bug causing miscompilation of nit.c on SunOS 4.0 has been
fixed.
- Note that due to limitations in the SVR4 DLPI, the ethernet broad-
cast, arp, and rarp packet counters will not be supported. Also
note that on SVR4s still using DLPI 1.3, which does not support
promiscuous mode, the "-all" and "-dst" options to NFSWATCH will
not work.
NFSWATCH has been successfully compiled and at least minimally tested on the
following architectures and operating systems:
Architecture Operating System
------------ ----------------
Sun-3 (68000) SunOS 4.1.1
Sun-4 (SPARC) SunOS 4.1.1, 4.1.2, 4.1.3
Sun-4 (SPARC) SunOS 5.1, 5.2, 5.3
DEC VAX Ultrix 4.0, 4.1, 4.2
DEC RISC Ultrix 4.0, 4.1, 4.2
DEC Alpha AXP DEC OSF/1 V1.3 and later
SGI Personal IRIS IRIX 4.0.1
SGI 4D/440 IRIX 4.0.5
To compile NFSWATCH, just say "make." The Makefile will use the "uname"
command to determine what operating system should be compiled for. If for
some reason this blows up in your face, say "make OS=foo" where "foo" is one
of the following:
Macro Value Operating System
----------- ----------------
IRIX40 Silicon Graphics IRIX 4.0
SUNOS4 Sun Microsystems SunOS 4.x
SUNOS5 Sun Microsystems SunOS 5.x (Solaris 2.x)
SVR4 AT&T System V Release 4
ULTRIX Digital Equipment Ultrix 4.x
DECOSF Digital Equipment Corp. OSF/1 V1.3 & later
On Sun systems, NFSWATCH needs to either be run as root, or made setuid root
(this is safe; it setuids itself back after opening the needed device). On
Ultrix systems, it does not need to be setuid root or run as root, but the
super-user has to enable promiscuous mode operation using pfconfig(8). On
SGI systems, it needs to be either run as root or made setuid to root. On
SVR4 systems, it needs to be either run as root or made setuid to root.
On pre-4.2 Ultrix systems, the enclosed "pfcopyall" program can be used to
change the value of the "pfcopyall" variable in the kernel so that you can
see packets sent by the host you are running on. Otherwise, these packets
will not be included in the output of NFSWATCH.
You can redistribute this program as much as you want. All we ask is that
you give credit where credit is due. If you make modifications or bug fixes,
please send them back to us, in "diff -c" format, so they can be incorporated
into the next release.
Original authors (email addresses out of date AFAIK):
Dave Curry Jeff Mogul
IBM Internet Security Services Digital Equipment Corp.
Integrated Systems Solutions Corporation Western Research Laboratory
Long Meadow Road, Mail Stop 223 250 University Avenue
Sterling Forest, NY 10979 Palo Alto, CA 94301
davy@vnet.ibm.com mogul@wrl.dec.com
Current Maintainer:
Christian Iseli
Ludwig Institute for Cancer Research and
Swiss Institute of Bioinformatics
Bâtiment Génopode, Université de Lausanne
CH-1015 Lausanne, Switzerland
c4chris@users.sourceforge.net
|
