NAME¶
nfswatch - monitor an NFS server
SYNOPSIS¶
nfswatch [
-dst dsthost ] [
-src srchost ] [
-server serverhost ] [
-all ] [
-dev device
] [
-allif ] [
-f filelist ] [
-lf logfile
] [
-sf snapfile ] [
-map mapfile ] [
-T
maxtime ] [
-t timeout ] [
-fs ] [
-if ] [
-auth ] [
-procs ] [
-procs3 ] [
-clients ] [
-usage ] [
-l ] [
-bg ]
DESCRIPTION¶
nfswatch monitors all incoming network traffic to an NFS file server and
divides it into several categories. The number and percentage of packets
received in each category is displayed on the screen in a continuously updated
display. The screen is updated every ten seconds by default; this time period
is called an
interval.
On Irix: You must be the super-user to invoke
nfswatch or it must
be installed setuid to ``root.''
On SunOS 4.x and SunOS 5.x (Solaris
2.x): You must be the super-user to invoke
nfswatch or it must be
installed setuid to ``root.''
On System V Release 4: You must be the
super-user to invoke
nfswatch or it must be installed setuid to
``root.''
On Ultrix or DEC OSF/1: Any user can invoke
nfswatch
once the super-user has enabled promiscuous-mode operation using
pfconfig(8). (For example, "pfconfig +p +c -a".)
On
Linux: You must be the super-user to invoke
nfswatch or it must be
installed setuid to ``root.''
By default,
nfswatch monitors all packets destined for the current host.
An alternate destination host to watch for may be specified using the
-dst argument. If a source host is specified with the
-src
argument, then only packets arriving at the destination host which were sent
by the source host are monitored. Traffic between a specific server and its
clients may be watched by specifying the name of the server with the
-server argument. If the
-all argument is given, then all NFS
traffic on the network is monitored. It is usually desirable to specify the
-all option whenever using the
-server option.
The
nfswatch screen is divided into three parts. The first part, at the
top of the screen, is made up of three lines. The first line displays the name
of the host being monitored, the current date and time, and the time elapsed
since the start of monitoring. The second line displays the total number of
packets received during the most recent interval, and the third line displays
the total number of packets received since monitoring started. These two lines
display three numbers each: the total number of packets on the network, the
total number of packets received by the destination host (possibly subject to
being only from the specified source host), and the number of packets dropped
by the monitoring interface due to buffer space limitations. Dropped packets
are not included in the packet monitoring totals.
The second part of the screen divides the received packets into 16 categories.
Each category is displayed with three numbers: the number of packets received
this interval, the percentage this represents of all packets received by the
host during this interval, and the total number of packets received since
monitoring started. The packet categories are not mutually exclusive; some
packets may be counted in more than one category (for example, NFS packets are
also UDP packets). The categories in this section and their meanings are:
- NFS3 Read
- NFS v3 requests which primarily result in a file system read being
performed (read file, read directory, etc.).
- NFS3 Write
- NFS v3 requests which primarily result in a file system write being
performed (write file, rename file, create file, delete file, etc.).
- NFS Read
- NFS requests which primarily result in a file system read being performed
(read file, read directory, etc.).
- NFS Write
- NFS requests which primarily result in a file system write being performed
(write file, rename file, create file, delete file, etc.).
- NFS Mount
- NFS mount requests.
- YP/NIS/NIS+
- Sun NIS (Yellow Pages) and NIS+ requests.
- RPC Authorization
- All RPC reply packets fall into this category, because RPC replies do not
contain the protocol number, and thus cannot be classified as anything
else. (If the -all argument is given, then you will see all the RPC
replies on the network in this category.)
- Other RPC Packets
- All RPC requests which do not fall into one of the above categories.
- TCP Packets
- Packets sent using the Transmission Control Protocol.
- UDP Packets
- Packets sent using the User Datagram Protocol.
- ICMP Packets
- Packets sent using the Internet Control Message Protocol.
- Routing Control
- Routing Information Protocol (RIP) packets.
- Address Resolution
- Address Resolution Protocol (ARP) packets. These packets are not counted
on System V Release 4 systems (except for SunOS 5.x), due to limitations
of the dlpi(7) interface.
- Reverse Addr Resol
- Reverse Address Resolution Protocol (RARP) packets. These packets are not
counted on System V Release 4 systems (except for SunOS 5.x), due to
limitations of the dlpi(7) interface.
- Ethernet/FDDI Bdcst
- Ethernet (or FDDI) broadcast packets. These packets are destined for and
received by all hosts on the local network. These packets are not counted
on System V Release 4 systems (except for SunOS 5.x), due to limitations
of the dlpi(7) interface.
- Other Packets
- A catch-all for any packets not counted in any of the above
categories.
The third part of the display shows the mounted file systems exported by the
file server for mounting through NFS. If
nfswatch is monitoring the
same host it is being run on, these file systems are listed by path name.
Otherwise, the program attempts to decode the server's major and minor device
numbers for the file system, and displays them in parentheses. (If the
-all argument is given, the name of the server is also shown.) With
each file system, three numbers are displayed: the number of NFS requests for
this file system received during the interval, the percentage this represents
of all NFS requests received by the host, and the total number of NFS requests
for this file system received since monitoring started. Up to 1024 file
systems will be monitored by
nfswatch and recorded in the log file, but
only as many as will fit (2 * (LINES - 16)) will be displayed on the screen.
If the
-map mapfile option is specified,
nfswatch will read
pairs of file system device specifications (as described above) and the proper
names of the file systems from
mapfile. Each line should contain a
string representing what
nfswatch would normally print, and then
separated from that by whitespace, the name that is preferred. For example,
myhost(7,24) /homedirs
If the
-f filelist option is specified, a list of file names (one
per line) is read from
filelist, and the traffic to these individual
files is also monitored. The files must reside in file systems exported by the
file server. When this option is specified, the third section of the screen
will display counters for these files, instead of for the mounted file
systems. Up to 1024 individual files will be monitored by
nfswatch and
recorded in the log file, but only as many as will fit (2 * (LINES - 16)) will
be displayed on the screen.
If the
-procs or
-procs3 option is specified, then instead of
showing per-file or per-file system statistics,
nfswatch shows the
frequency of each NFS procedure (RPC call) (or as many as will fit on the
screen). For each procedure, some timing statistics are also displayed; these
include the number of completed operations (request and response seen) during
the interval, the average response time during the interval (in milliseconds),
the standard deviation from the average during the interval, and the maximum
response time over all time.
If the
-clients option is specified, then instead of showing per-file or
per-file system statistics,
nfswatch shows the operation rate of each
NFS client of the specified server(s) (or as many as will fit on the screen).
It should be noted here that only NFS
requests, made by client machines,
are counted in the NFS packet monitoring area. The NFS traffic generated
by
the server in response to these requests is not counted.
If the
-auth option is specified, then the display will show packet
counts divided up by user name (or user id, if the login name is not in the
local password file). This information is decoded from the AUTH_UNIX
authentication part of each RPC packet.
nfswatch only decodes AUTH_UNIX
authenticators, the other types of authentication (e.g., AUTH_DES) are lumped
into a single bucket for each authentication type.
LOGFILE¶
When logging is on,
nfswatch writes one entry to the log file each
interval. The information printed to the log file is easily readable, and
basically contains a copy of all information on the screen. Additionally, any
NFS traffic to file systems or individual files which was not printed on the
screen (due to space limitations) is printed in the log file. Finally, in the
log file, the NFS traffic to file systems and individual files is further
broken down into counts of how many times each specific NFS procedure was
called.
The information in the
nfswatch log file can be summarized easily using
the
nfslogsum(8) program.
COMMANDS¶
nfswatch also allows several commands to be entered at its prompt during
execution. The prompt is displayed on the last line of the screen. For most
commands, feedback describing the effect of the command is printed on the same
line as the prompt. The commands are:
- ^L
- Clear and redraw the screen.
- a
- Switches the display to show statistics on individual users.
- c
- Switches the display to show statistics on NFS client hosts instead of
per-file or per-filesystem information.
- f
- Toggle the display of mounted file systems and the display of individual
files in the NFS packet monitoring area. This command is only meaningful
if the -f filelist option was specified on the command line.
(If the display is showing NFS procedures or clients, then this command
switches the display to show file systems.)
- p
- Switches the display to show statistics on NFS procedures instead of
per-file or per-filesystem information.
- P
- Switches the display to show statistics on NFS v3 procedures instead of
per-file or per-filesystem information.
- l
- Toggle the logging feature. If logging is off it is (re)started; if
logging is on, it is turned off.
- n
- Toggle display of host names or host numbers in client mode. By default,
client mode displays host names. However, this may not be sufficient for
determining the names of unknown remote hosts, since domain names are not
displayed. This command tells nfswatch to display host numbers
instead, enabling each host to be uniquely identified.
- s
- Take a ``snapshot'' of the current screen and save it to a file. This is
useful to record occasional copies of the data when the logfile is not
needed.
- u
- Toggle the sort key for the display of mounted file systems in the NFS
packet monitoring area. By default, these are sorted by file system name,
but they can also be sorted in declining order of percent usage.
- -
- Decrease the cycle time (interval length) by ten seconds. This will take
effect after the next screen update.
- +
- Increase the cycle time (interval length) by ten seconds. This will take
effect after the next screen update.
- <
- Decrease the cycle time (interval length) by one second. This will take
effect after the next screen update.
- >
- Increase the cycle time (interval length) by one second. This will take
effect after the next screen update.
- ]
- Scroll forward through the bottom part of the display, if there are
files/file systems/clients/procedures not being displayed due to lack of
space.
- [
- Scroll back.
- q
- Exit nfswatch. Using the interrupt key will also cause
nfswatch to exit.
Typing any other character will cause a help screen to be displayed.
OPTIONS¶
nfswatch can usually be run without arguments and will obtain useful
results. However, for those occasions when the defaults are not good enough,
the following options are provided:
- -dst dsthost
- Monitor packets destined for dsthost instead of the local
host.
- -src srchost
- Restrict packets being counted to those sent by srchost.
- -server serverhost
- Restrict packets being counted to those sent to or from
serverhost.
- -all
- Monitor packets to and from all NFS servers on the local network.
- -dev device
- On non-DEC systems: Use network interface device device to
read packets from. By default, nfswatch will use the system's
default network device for an Internet datagram. On Ultrix or DEC
OSF/1: device specifies the packet filter interface from which
to read packets. You can specify interfaces either by their actual names
(such as ln0) or by their generic packet filter interface names
(pfN, for N a small integer). By default, pf0 (the
first configured interface that supports the packet filter) is used.
- -allif
- Read packets from all configured network interfaces, instead of a single
device. On Irix: The first five (0-4) of each of the following
devices are checked: ec, et, fxp, enp, and
epg. If configured, they will be monitored. On SunOS: The
first five le (0-4) devices, the first five ie (0-4)
devices, and the first five fddi (0-4) devices are checked, and if
configured, will be monitored. On System V Release 4: The first
five emd (0-4) devices are checked, and if configured, will be
monitored. On Ultrix and DEC OSF/1: The first ten pf devices
(0-9) are checked, and if configured, will be monitored.
- -f filelist
- Read a list of file names (one per line) from filelist and monitor
the NFS traffic to these files in addition to the normal monitoring of
exported file systems.
- -lf logfile
- When logging, write information to the file logfile. The default is
nfswatch.log.
- -sf snapfile
- Write snapshots to the file snapfile. The default is
nfswatch.snap.
- -map mapfile
- Read a list of device names and file system names (one pair per line) from
mapfile and translate from one to the other when displaying file
system names.
- -T maxtime
- Terminate execution after running for maxtime seconds. This is
primarily for use with the -bg option.
- -t timeout
- Set the cycle time (interval length) to timeout seconds. The
default is 10. The cycle time may also be adjusted from the command
prompt.
- -fs
- Display the file system NFS monitoring data instead of the individual file
data. This option is only meaningful if the -f filelist
option was specified. The display may also be controlled from the command
prompt.
- -if
- Display the individual file NFS monitoring data instead of the file system
data. This option is only meaningful if the -f filelist
option was specified. The display may also be controlled from the command
prompt.
- -auth
- Display statistics on authentication packets (individual users).
- -procs
- Display statistics on NFS procedures (RPC calls) instead of per-file or
per-filesystem data.
- -procs3
- Display statistics on NFS v3 procedures (RPC calls) instead of per-file or
per-filesystem data.
- -client
- Display statistics on NFS client operation rates instead of per-file or
per-filesystem data.
- -usage
- Set file system, procedure, or client display to be sorted in declining
order of percent usage. By default, the display is sorted alphabetically.
This may also be toggled from the command prompt.
- -l
- Turn logging on at startup time. Logging is turned off by default, but may
be enabled from the command prompt.
- -bg
- Start as a daemon, running in the background. No screen updates will be
performed; all data will be written to the log file only. When started
with this option, nfswatch will print the process id of the daemon
process. To terminate nfswatch, send the process a SIGTERM signal,
or use the -T option to set the maximum execution time.
BUGS¶
To monitor NFS traffic to files and file systems,
nfswatch must extract
information from the NFS file handle. The file handle is a server-specific
item, and its contents vary from vendor to vendor and operating system to
operating system. Unfortunately, there is no server-independent way to extract
information from a file handle.
nfswatch uses a set of heuristics to
parse the file handle format used by many popular NFS servers, but in some
cases there is no way to disambiguate the file handle format, and the program
may get the wrong answer. It should, however, get the right answer for file
handles generated by the host it is running on.
nfswatch uses the Snoop (
snoop(7)) network monitoring protocol
under Irix 4.
x, the Network Interface Tap (
nit(4)) under SunOS
4.
x, the Data Link Provider Interface (
dlpi(7)) under SunOS
5.
x (Solaris 2.
x) and System V Release 4, the Packet Filter {(
packetfilter(4)) under Ultrix (4.0 or later); (
packetfilter(7))
under DEC OSF/1 (V1.3 or later)}, and the packet interface (
packet(7))
under Linux. To run on other systems, code will have to be written to read
packets from the network in promiscuous mode.
On Ultrix systems, FDDI is only supported under appropriately patched versions
of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o must be replaced;
contact your Customer Support Center). Native FDDI support is standard in
Ultrix 4.3 and later systems.
SEE ALSO¶
etherfind(8c),
dlpi(7),
nit(4),
nfslogsum(8),
packetfilter(4/7),
snoop(1m),
snoop(7),
packet(7)
AUTHORS¶
David A. Curry
Purdue University
Engineering Computer Network
1285 Electrical Engineering Building
West Lafayette, IN 47907-1285
davy@ecn.purdue.edu
Jeffrey C. Mogul
Digital Equipment Corporation
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301
mogul@wrl.dec.com
Christian Iseli
Ludwig Institute for Cancer Research
UNIL - BEP
Lausanne, CH-1015
Christian.Iseli@licr.org