Fairly simple question… I'm running tcpdump and trying to analyze the contents of the TCP packets between server/client. I see the "GETATTR" RPC being received, which is great! However, I want to know the file for which the RPC is being made. I'm assuming this is in the packet content. When I print the tcpdump as ASCII.
From server:
tcpdump -vvv -s 200 port 2049
14:45:38.408949 IP (tos 0x0, ttl 64, id 58408, offset 0, flags [DF], proto TCP (6), length 296)
myserver.nfs > myclient.2469839164: reply ok 240 getattr NON 3 ids 0/3 sz 0
Here and other sites show that it is possible to map to filenames. Maybe it's platform dependent? I just want to make sure there isn't an obvious option to tcpdump that I am missing.
I'm running RH5 – Kernel 2.6.32-279.el6.x86_64
Best Answer
OK, so I think I managed to find a "workaround". You won't be able to get the filename using NFSv3, but you will be able to get the inode.
Using Wireshark,
Save it. Now capture and filter by NFS protocol.
Search the packet
GETATTR Reply (Call in #) Regular file mode: ???.
Open this packet and expand the following:
Check the value fileid; this will be the inode number of the file.
On the server, go to the NFS share and
With NFSv4 you see a call with the filename directly.
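The mapping the answer describes (GETATTR reply, then the fileid in the fattr3 attributes, which is the server-side inode) can be pulled out of the raw bytes without Wireshark. The following is an added example, not code from the question or answer: it builds a constructed NFSv3 GETATTR reply as it would appear on a TCP stream (record mark, RPC reply header, GETATTR3res) and decodes the fileid from it; the XID, fileid and other attribute values are made up, and the parsing offsets follow the XDR layout in RFC 1813.

```python
import struct

def build_getattr_reply(xid, fileid, mode=0o100644, size=4096):
    """Constructed NFSv3 GETATTR reply over TCP (sample data, not a real capture)."""
    fattr3 = struct.pack(">IIIIIQQIIQQIIIIII",
        1,                      # type: NF3REG (regular file)
        mode, 1, 0, 0,          # mode, nlink, uid, gid
        size, size,             # size, used
        0, 0,                   # rdev (specdata3 major/minor)
        0x1234,                 # fsid
        fileid,                 # fileid: the inode number on the server
        0, 0, 0, 0, 0, 0)       # atime, mtime, ctime (seconds, nseconds each)
    # RPC header: xid, REPLY(1), MSG_ACCEPTED(0), AUTH_NULL verifier (flavor 0, len 0), SUCCESS(0)
    rpc = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)
    body = rpc + struct.pack(">I", 0) + fattr3      # GETATTR3res status NFS3_OK, then fattr3
    return struct.pack(">I", 0x80000000 | len(body)) + body   # record mark: last fragment + length

def parse_getattr_reply(data):
    """Return (xid, fileid) for an NFSv3 GETATTR reply, or (xid, None) if the call failed.

    The xid is what ties the reply back to its call (Wireshark's "Call in #");
    the call only carries the opaque file handle, so the reply's fileid is the
    closest thing to a file identity NFSv3 puts on the wire.
    """
    (mark,) = struct.unpack_from(">I", data, 0)
    body = data[4:4 + (mark & 0x7FFFFFFF)]         # strip the TCP record mark
    xid, msg_type, reply_stat, _flavor, vlen, accept_stat = struct.unpack_from(">IIIIII", body, 0)
    if msg_type != 1 or reply_stat != 0 or accept_stat != 0:
        raise ValueError("not an accepted RPC reply")
    off = 24 + ((vlen + 3) & ~3)                   # skip the verifier body, padded to 4 bytes
    (status,) = struct.unpack_from(">I", body, off)
    if status != 0:
        return xid, None                           # GETATTR3resfail carries no attributes
    # fattr3 layout: type, mode, nlink, uid, gid (5x4) + size, used (2x8) + rdev (2x4)
    # + fsid (8) puts fileid at byte 52 of the attribute block
    (fileid,) = struct.unpack_from(">Q", body, off + 4 + 52)
    return xid, fileid

if __name__ == "__main__":
    xid, fileid = parse_getattr_reply(build_getattr_reply(0xDEADBEEF, 1234567))
    print(f"xid=0x{xid:08x} fileid(inode)={fileid}")
```

On the server, the inode resolves to a path with `find /export -inum 1234567` (assumed share path and constructed inode number); the lookup must run on the exporting filesystem, since inode numbers are only unique per filesystem.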