NAME
nfswatch - monitor an NFS server
SYNOPSIS
nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [
-all ] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf
snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if
] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg
]
DESCRIPTION
nfswatch monitors all incoming network traffic to an NFS file server
and divides it into several categories. The number and percentage of
packets received in each category is displayed on the screen in a
continuously updated display. The screen is updated every ten seconds
by default; this time period is called an interval.
On Irix: You must be the super-user to invoke nfswatch or it must be
installed setuid to ‘‘root.’’ On SunOS 4.x and SunOS 5.x (Solaris
2.x): You must be the super-user to invoke nfswatch or it must be
installed setuid to ‘‘root.’’ On System V Release 4: You must be the
super-user to invoke nfswatch or it must be installed setuid to
‘‘root.’’ On Ultrix or DEC OSF/1: Any user can invoke nfswatch once
the super-user has enabled promiscuous-mode operation using
pfconfig(8). (For example, "pfconfig +p +c -a".) On Linux: You must
be the super-user to invoke nfswatch or it must be installed setuid to
‘‘root.’’
By default, nfswatch monitors all packets destined for the current
host. An alternate destination host to watch for may be specified
using the -dst argument. If a source host is specified with the -src
argument, then only packets arriving at the destination host which were
sent by the source host are monitored. Traffic between a specific
server and its clients may be watched by specifying the name of the
server with the -server argument. If the -all argument is given, then
all NFS traffic on the network is monitored. It is usually desirable
to specify the -all option whenever using the -server option.
The nfswatch screen is divided into three parts. The first part, at
the top of the screen, is made up of three lines. The first line
displays the name of the host being monitored, the current date and
time, and the time elapsed since the start of monitoring. The second
line displays the total number of packets received during the most
recent interval, and the third line displays the total number of
packets received since monitoring started. These two lines display
three numbers each: the total number of packets on the network, the
total number of packets received by the destination host (possibly
subject to being only from the specified source host), and the number
of packets dropped by the monitoring interface due to buffer space
limitations. Dropped packets are not included in the packet monitoring
totals.
The second part of the screen divides the received packets into 16
categories. Each category is displayed with three numbers: the number
of packets received this interval, the percentage this represents of
all packets received by the host during this interval, and the total
number of packets received since monitoring started. The packet
categories are not mutually exclusive; some packets may be counted in
more than one category (for example, NFS packets are also UDP packets).
The categories in this section and their meanings are:
NFS3 Read
NFS v3 requests which primarily result in a file system read
being performed (read file, read directory, etc.).
NFS3 Write
NFS v3 requests which primarily result in a file system write
being performed (write file, rename file, create file, delete
file, etc.).
NFS Read
NFS requests which primarily result in a file system read being
performed (read file, read directory, etc.).
NFS Write
NFS requests which primarily result in a file system write being
performed (write file, rename file, create file, delete file,
etc.).
NFS Mount
NFS mount requests.
YP/NIS/NIS+
Sun NIS (Yellow Pages) and NIS+ requests.
RPC Authorization
All RPC reply packets fall into this category, because RPC
replies do not contain the protocol number, and thus cannot be
classified as anything else. (If the -all argument is given,
then you will see all the RPC replies on the network in this
category.)
Other RPC Packets
All RPC requests which do not fall into one of the above
categories.
TCP Packets
Packets sent using the Transmission Control Protocol.
UDP Packets
Packets sent using the User Datagram Protocol.
ICMP Packets
Packets sent using the Internet Control Message Protocol.
Routing Control
Routing Information Protocol (RIP) packets.
Address Resolution
Address Resolution Protocol (ARP) packets. These packets are
not counted on System V Release 4 systems (except for SunOS
5.x), due to limitations of the dlpi(7) interface.
Reverse Addr Resol
Reverse Address Resolution Protocol (RARP) packets. These
packets are not counted on System V Release 4 systems (except
for SunOS 5.x), due to limitations of the dlpi(7) interface.
Ethernet/FDDI Bdcst
Ethernet (or FDDI) broadcast packets. These packets are
destined for and received by all hosts on the local network.
These packets are not counted on System V Release 4 systems
(except for SunOS 5.x), due to limitations of the dlpi(7)
interface.
Other Packets
A catch-all for any packets not counted in any of the above
categories.
The third part of the display shows the mounted file systems exported
by the file server for mounting through NFS. If nfswatch is monitoring
the same host it is being run on, these file systems are listed by path
name. Otherwise, the program attempts to decode the server’s major and
minor device numbers for the file system, and displays them in
parentheses. (If the -all argument is given, the name of the server is
also shown.) With each file system, three numbers are displayed: the
number of NFS requests for this file system received during the
interval, the percentage this represents of all NFS requests received
by the host, and the total number of NFS requests for this file system
received since monitoring started. Up to 1024 file systems will be
monitored by nfswatch and recorded in the log file, but only as many as
will fit (2 * (LINES - 16)) will be displayed on the screen.
If the -map mapfile option is specified, nfswatch will read pairs of
file system device specifications (as described above) and the proper
names of the file systems from mapfile. Each line should contain a
string representing what nfswatch would normally print, and then
separated from that by whitespace, the name that is preferred. For
example,
myhost(7,24) /homedirs
If the -f filelist option is specified, a list of file names (one per
line) is read from filelist, and the traffic to these individual files
is also monitored. The files must reside in file systems exported by
the file server. When this option is specified, the third section of
the screen will display counters for these files, instead of for the
mounted file systems. Up to 1024 individual files will be monitored by
nfswatch and recorded in the log file, but only as many as will fit (2
* (LINES - 16)) will be displayed on the screen.
If the -procs or -procs3 option is specified, then instead of showing
per-file or per-file system statistics, nfswatch shows the frequency of
each NFS procedure (RPC call) (or as many as will fit on the screen).
For each procedure, some timing statistics are also displayed; these
include the number of completed operations (request and response seen)
during the interval, the average response time during the interval (in
milliseconds), the standard deviation from the average during the
interval, and the maximum response time over all time.
If the -clients option is specified, then instead of showing per-file
or per-file system statistics, nfswatch shows the operation rate of
each NFS client of the specified server(s) (or as many as will fit on
the screen).
It should be noted here that only NFS requests, made by client
machines, are counted in the NFS packet monitoring area. The NFS
traffic generated by the server in response to these requests is not
counted.
If the -auth option is specified, then the display will show packet
counts divided up by user name (or user id, if the login name is not in
the local password file). This information is decoded from the
AUTH_UNIX authentication part of each RPC packet. nfswatch only
decodes AUTH_UNIX authenticators, the other types of authentication
(e.g., AUTH_DES) are lumped into a single bucket for each
authentication type.
LOGFILE
When logging is on, nfswatch writes one entry to the log file each
interval. The information printed to the log file is easily readable,
and basically contains a copy of all information on the screen.
Additionally, any NFS traffic to file systems or individual files which
was not printed on the screen (due to space limitations) is printed in
the log file. Finally, in the log file, the NFS traffic to file
systems and individual files is further broken down into counts of how
many times each specific NFS procedure was called.
The information in the nfswatch log file can be summarized easily using
the nfslogsum(8) program.
COMMANDS
nfswatch also allows several commands to be entered at its prompt
during execution. The prompt is displayed on the last line of the
screen. For most commands, feedback describing the effect of the
command is printed on the same line as the prompt. The commands are:
^L Clear and redraw the screen.
a Switches the display to show statistics on individual users.
c Switches the display to show statistics on NFS client hosts
instead of per-file or per-filesystem information.
f Toggle the display of mounted file systems and the display of
individual files in the NFS packet monitoring area. This
command is only meaningful if the -f filelist option was
specified on the command line. (If the display is showing NFS
procedures or clients, then this command switches the display to
show file systems.)
p Switches the display to show statistics on NFS procedures
instead of per-file or per-filesystem information.
P Switches the display to show statistics on NFS v3 procedures
instead of per-file or per-filesystem information.
l Toggle the logging feature. If logging is off it is
(re)started; if logging is on, it is turned off.
n Toggle display of host names or host numbers in client mode. By
default, client mode displays host names. However, this may not
be sufficient for determining the names of unknown remote hosts,
since domain names are not displayed. This command tells
nfswatch to display host numbers instead, enabling each host to
be uniquely identified.
s Take a ‘‘snapshot’’ of the current screen and save it to a file.
This is useful to record occasional copies of the data when the
logfile is not needed.
u Toggle the sort key for the display of mounted file systems in
the NFS packet monitoring area. By default, these are sorted by
file system name, but they can also be sorted in declining order
of percent usage.
- Decrease the cycle time (interval length) by ten seconds. This
will take effect after the next screen update.
+ Increase the cycle time (interval length) by ten seconds. This
will take effect after the next screen update.
< Decrease the cycle time (interval length) by one second. This
will take effect after the next screen update.
> Increase the cycle time (interval length) by one second. This
will take effect after the next screen update.
] Scroll forward through the bottom part of the display, if there
are files/file systems/clients/procedures not being displayed
due to lack of space.
[ Scroll back.
q Exit nfswatch. Using the interrupt key will also cause nfswatch
to exit.
Typing any other character will cause a help screen to be displayed.
OPTIONS
nfswatch can usually be run without arguments and will obtain useful
results. However, for those occasions when the defaults are not good
enough, the following options are provided:
-dst dsthost
Monitor packets destined for dsthost instead of the local host.
-src srchost
Restrict packets being counted to those sent by srchost.
-server serverhost
Restrict packets being counted to those sent to or from
serverhost.
-all Monitor packets to and from all NFS servers on the local
network.
-dev device
On non-DEC systems: Use network interface device device to read
packets from. By default, nfswatch will use the system’s
default network device for an Internet datagram. On Ultrix or
DEC OSF/1: device specifies the packet filter interface from
which to read packets. You can specify interfaces either by
their actual names (such as ln0) or by their generic packet
filter interface names (pfN, for N a small integer). By
default, pf0 (the first configured interface that supports the
packet filter) is used.
-allif Read packets from all configured network interfaces, instead of
a single device. On Irix: The first five (0-4) of each of the
following devices are checked: ec, et, fxp, enp, and epg. If
configured, they will be monitored. On SunOS: The first five le
(0-4) devices, the first five ie (0-4) devices, and the first
five fddi (0-4) devices are checked, and if configured, will be
monitored. On System V Release 4: The first five emd (0-4)
devices are checked, and if configured, will be monitored. On
Ultrix and DEC OSF/1: The first ten pf devices (0-9) are
checked, and if configured, will be monitored.
-f filelist
Read a list of file names (one per line) from filelist and
monitor the NFS traffic to these files in addition to the normal
monitoring of exported file systems.
-lf logfile
When logging, write information to the file logfile. The
default is nfswatch.log.
-sf snapfile
Write snapshots to the file snapfile. The default is
nfswatch.snap.
-map mapfile
Read a list of device names and file system names (one pair per
line) from mapfile and translate from one to the other when
displaying file system names.
-T maxtime
Terminate execution after running for maxtime seconds. This is
primarily for use with the -bg option.
-t timeout
Set the cycle time (interval length) to timeout seconds. The
default is 10. The cycle time may also be adjusted from the
command prompt.
-fs Display the file system NFS monitoring data instead of the
individual file data. This option is only meaningful if the -f
filelist option was specified. The display may also be
controlled from the command prompt.
-if Display the individual file NFS monitoring data instead of the
file system data. This option is only meaningful if the -f
filelist option was specified. The display may also be
controlled from the command prompt.
-auth Display statistics on authentication packets (individual users).
-procs Display statistics on NFS procedures (RPC calls) instead of per-
file or per-filesystem data.
-procs3
Display statistics on NFS v3 procedures (RPC calls) instead of
per-file or per-filesystem data.
-client
Display statistics on NFS client operation rates instead of per-
file or per-filesystem data.
-usage Set file system, procedure, or client display to be sorted in
declining order of percent usage. By default, the display is
sorted alphabetically. This may also be toggled from the
command prompt.
-l Turn logging on at startup time. Logging is turned off by
default, but may be enabled from the command prompt.
-bg Start as a daemon, running in the background. No screen updates
will be performed; all data will be written to the log file
only. When started with this option, nfswatch will print the
process id of the daemon process. To terminate nfswatch, send
the process a SIGTERM signal, or use the -T option to set the
maximum execution time.
BUGS
To monitor NFS traffic to files and file systems, nfswatch must extract
information from the NFS file handle. The file handle is a server-
specific item, and its contents vary from vendor to vendor and
operating system to operating system. Unfortunately, there is no
server-independent way to extract information from a file handle.
nfswatch uses a set of heuristics to parse the file handle format used
by many popular NFS servers, but in some cases there is no way to
disambiguate the file handle format, and the program may get the wrong
answer. It should, however, get the right answer for file handles
generated by the host it is running on.
nfswatch uses the Snoop (snoop(7)) network monitoring protocol under
Irix 4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data
Link Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and
System V Release 4, the Packet Filter {(packetfilter(4)) under Ultrix
(4.0 or later); (packetfilter(7)) under DEC OSF/1 (V1.3 or later)}, and
the packet interface (packet(7)) under Linux. To run on other systems,
code will have to be written to read packets from the network in
promiscuous mode.
On Ultrix systems, FDDI is only supported under appropriately patched
versions of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o
must be replaced; contact your Customer Support Center). Native FDDI
support is standard in Ultrix 4.3 and later systems.
SEE ALSO
etherfind(8c), dlpi(7), nit(4), nfslogsum(8), packetfilter(4/7),
snoop(1m), snoop(7), packet(7)
AUTHORS
David A. Curry
Purdue University
Engineering Computer Network
1285 Electrical Engineering Building
West Lafayette, IN 47907-1285
davy@ecn.purdue.edu
Jeffrey C. Mogul
Digital Equipment Corporation
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301
mogul@wrl.dec.com
Christian Iseli
Ludwig Institute for Cancer Research
UNIL - BEP
Lausanne, CH-1015
Christian.Iseli@licr.org