Using tcpdump to extract NFS RPC contents

Tags: nfs, rhel, tcp, tcpdump

Fairly simple question… I'm running tcpdump and trying to analyze the contents of the TCP packets between server/client. I see the "GETATTR" RPC being received, which is great! However, I want to know the file for which the RPC is being made. I'm assuming this is in the packet content. When I print the tcpdump as ASCII.

From server:
tcpdump -vvv -s 200 port 2049 
14:45:38.408949 IP (tos 0x0, ttl 64, id 58408, offset 0, flags [DF], proto TCP (6), length 296)
myserver.nfs > myclient.2469839164: reply ok 240 getattr NON 3 ids 0/3 sz 0

Here and other sites show that it is possible to map to filenames. Maybe it's platform dependent? I just want to make sure there isn't an obvious option to tcpdump that I am missing.

I'm running RH5 – Kernel 2.6.32-279.el6.x86_64

Best Answer

Ok, so I think I managed to find a "workaround". You won't be able to get the filename using NFSv3, but you will be able to get the inode.

Using Wireshark,

Go to Edit -> Preferences -> Protocols -> NFS -> check all boxes and set "Decode nfs handles as" to KNFSD_LE.

Save it. Now capture and filter by NFS protocol.

Search for the packet GETATTR Reply (Call in #) Regular file mode: ???.

Open this packet and expand the following:

Network File System -> obj_attributes

Check the value of fileid; this will be the inode number of the file.

On the server, go to the NFS share and run:

find . -inum inode

With NFSv4 you see a call with the filename directly.
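The same workaround scripted end to end, as an added example that is not code from the original answer: tshark pulls the fileid out of each NFSv3 GETATTR reply on the capture host (the `-o nfs.default_fhandle_type:KNFSD_LE` preference is assumed to be the command-line form of the Wireshark setting above, and the field names rpc.xid, rpc.msgtyp, nfs.procedure_v3 and nfs.fattr3.fileid are assumed from Wireshark's NFS/RPC dissectors), and `find -inum` resolves each fileid to a path on the server. The demo at the bottom uses a constructed export directory and a constructed capture line so it runs without tshark or an NFS server.

```shell
#!/bin/sh
# Added example, not from the original answer. Scripts the two halves of the
# workaround: extract fileids from NFSv3 GETATTR replies with tshark on the
# capture host, then resolve each fileid to a path with find -inum on the server.
# Assumptions: tshark field names rpc.xid, rpc.msgtyp, nfs.procedure_v3,
# nfs.fattr3.fileid, and the preference nfs.default_fhandle_type as the CLI
# form of the Wireshark setting "Decode nfs handles as: KNFSD_LE".

# Capture host: one "xid<TAB>fileid" line per GETATTR reply
# (NFSv3 procedure 1, rpc.msgtyp 1 = reply) that carried obj_attributes.
extract_fileids() {
    tshark -r "$1" -o nfs.default_fhandle_type:KNFSD_LE \
        -Y 'nfs.procedure_v3 == 1 && rpc.msgtyp == 1' \
        -T fields -e rpc.xid -e nfs.fattr3.fileid
}

# Server: read "xid<TAB>fileid" lines on stdin, print "xid fileid path".
# Inode numbers are only unique within one filesystem, so the search is
# pinned to the export with -xdev; a fileid from another export would collide.
resolve_fileids() {
    export_dir=$1
    while read -r xid fileid; do
        [ -n "$fileid" ] || continue            # reply without attributes
        path=$(find "$export_dir" -xdev -inum "$fileid" 2>/dev/null | head -n 1)
        printf '%s %s %s\n' "$xid" "$fileid" "${path:-<not found>}"
    done
}

# Real use:  extract_fileids nfs.pcap | resolve_fileids /srv/export
# Offline demo: constructed export directory plus one constructed capture line.
demo() {
    tmp=$(mktemp -d)
    echo "payroll" > "$tmp/payroll.csv"
    ino=$(ls -di "$tmp/payroll.csv" | awk '{print $1}')   # the fileid NFS would report
    printf '0x1a2b3c4d\t%s\n' "$ino" | resolve_fileids "$tmp"
    rm -r "$tmp"
}
demo
```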
