NFSWATCH(8L)                                                  NFSWATCH(8L)
NAME
nfswatch - monitor an NFS server
SYNOPSIS
nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [ -all
] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf
snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if ]
[ -auth ] [ -procs ] [ -clients ] [ -usage ] [ -l ] [ -bg ]
DESCRIPTION
nfswatch monitors all incoming network traffic to an NFS file server and
divides it into several categories. The number and percentage of packets
received in each category is displayed on the screen in a continuously
updated display. The screen is updated every ten seconds by default;
this time period is called an interval.
On Irix: You must be the super-user to invoke nfswatch or it must be
installed setuid to ``root.''
On SunOS 4.x and SunOS 5.x (Solaris 2.x): You must be the super-user to
invoke nfswatch or it must be installed setuid to ``root.''
On System V Release 4: You must be the super-user to invoke nfswatch or
it must be installed setuid to ``root.''
On Ultrix or DEC OSF/1: Any user can invoke nfswatch once the super-user
has enabled promiscuous-mode operation using pfconfig(8). (For example,
"pfconfig +p +c -a".)
By default, nfswatch monitors all packets destined for the current host.
An alternate destination host to watch for may be specified using the
-dst argument. If a source host is specified with the -src argument,
then only packets arriving at the destination host which were sent by the
source host are monitored. Traffic between a specific server and its
clients may be watched by specifying the name of the server with the
-server argument. If the -all argument is given, then all NFS traffic on
the network is monitored. It is usually desirable to specify the -all
option whenever using the -server option.
The nfswatch screen is divided into three parts. The first part, at the
top of the screen, is made up of three lines. The first line displays
the name of the host being monitored, the current date and time, and the
time elapsed since the start of monitoring. The second line displays the
total number of packets received during the most recent interval, and the
third line displays the total number of packets received since monitoring
started. These two lines display three numbers each: the total number
of packets on the network, the total number of packets received by the
destination host (possibly subject to being only from the specified
source host), and the number of packets dropped by the monitoring
interface due to buffer space limitations. Dropped packets are not
included in the packet monitoring totals.
The second part of the screen divides the received packets into 16
categories. Each category is displayed with three numbers: the number
of packets received this interval, the percentage this represents of all
packets received by the host during this interval, and the total number
of packets received since monitoring started. The packet categories are
not mutually exclusive; some packets may be counted in more than one
category (for example, NFS packets are also UDP packets). The categories
in this section and their meanings are:
ND Read
Sun Network Disk read requests. Only servers which serve clients
running SunOS 3.5 or less should display non-zero counts in this
section. This field is only counted when nfswatch is run on a SunOS
4.x system; other versions of nfswatch count these packets as
``other.''
ND Write
Sun Network Disk write requests. Only servers which serve clients
running SunOS 3.5 or less should display non-zero counts in this
section. This field is only counted when nfswatch is run on a SunOS
4.x system; other versions of nfswatch count these packets as
``other.''
NFS Read
NFS requests which primarily result in a file system read being
performed (read file, read directory, etc.).
NFS Write
NFS requests which primarily result in a file system write being
performed (write file, rename file, create file, delete file, etc.).
NFS Mount
NFS mount requests.
YP/NIS/NIS+
Sun NIS (Yellow Pages) and NIS+ requests.
RPC Authorization
All RPC reply packets fall into this category, because RPC replies
do not contain the protocol number, and thus cannot be classified as
anything else. (If the -all argument is given, then you will see
all the RPC replies on the network in this category.)
Other RPC Packets
All RPC requests which do not fall into one of the above categories.
TCP Packets
Packets sent using the Transmission Control Protocol.
UDP Packets
Packets sent using the User Datagram Protocol.
ICMP Packets
Packets sent using the Internet Control Message Protocol.
Routing Control
Routing Information Protocol (RIP) packets.
Address Resolution
Address Resolution Protocol (ARP) packets. These packets are not
counted on System V Release 4 systems (except for SunOS 5.x), due to
limitations of the dlpi(7) interface.
Reverse Addr Resol
Reverse Address Resolution Protocol (RARP) packets. These packets
are not counted on System V Release 4 systems (except for SunOS
5.x), due to limitations of the dlpi(7) interface.
Ethernet/FDDI Bdcst
Ethernet (or FDDI) broadcast packets. These packets are destined
for and received by all hosts on the local network. These packets
are not counted on System V Release 4 systems (except for SunOS
5.x), due to limitations of the dlpi(7) interface.
Other Packets
A catch-all for any packets not counted in any of the above
categories.
The third part of the display shows the mounted file systems exported by
the file server for mounting through NFS. If nfswatch is monitoring the
same host it is being run on, these file systems are listed by path name.
Otherwise, the program attempts to decode the server's major and minor
device numbers for the file system, and displays them in parentheses.
(If the -all argument is given, the name of the server is also shown.)
With each file system, three numbers are displayed: the number of NFS
requests for this file system received during the interval, the
percentage this represents of all NFS requests received by the host, and
the total number of NFS requests for this file system received since
monitoring started. Up to 1024 file systems will be monitored by
nfswatch and recorded in the log file, but only as many as will fit (2 *
(LINES - 16)) will be displayed on the screen.
If the -map mapfile option is specified, nfswatch will read pairs of file
system device specifications (as described above) and the proper names of
the file systems from mapfile. Each line should contain a string
representing what nfswatch would normally print, and then separated from
that by whitespace, the name that is preferred. For example,
myhost(7,24) /homedirs
If the -f filelist option is specified, a list of file names (one per
line) is read from filelist, and the traffic to these individual files is
also monitored. The files must reside in file systems exported by the
file server. When this option is specified, the third section of the
screen will display counters for these files, instead of for the mounted
file systems. Up to 1024 individual files will be monitored by nfswatch
and recorded in the log file, but only as many as will fit (2 * (LINES -
16)) will be displayed on the screen.
If the -procs option is specified, then instead of showing per-file or
per-file system statistics, nfswatch shows the frequency of each NFS
procedure (RPC call) (or as many as will fit on the screen). For each
procedure, some timing statistics are also displayed; these include the
number of completed operations (request and response seen) during the
interval, the average response time during the interval (in
milliseconds), the standard deviation from the average during the
interval, and the maximum response time over all time.
If the -clients option is specified, then instead of showing per-file or
per-file system statistics, nfswatch shows the operation rate of each NFS
client of the specified server(s) (or as many as will fit on the screen).
It should be noted here that only NFS requests, made by client machines,
are counted in the NFS packet monitoring area. The NFS traffic generated
by the server in response to these requests is not counted.
If the -auth option is specified, then the display will show packet
counts divided up by user name (or user id, if the login name is not in
the local password file). This information is decoded from the AUTH_UNIX
authentication part of each RPC packet. nfswatch only decodes AUTH_UNIX
authenticators; the other types of authentication (e.g., AUTH_DES) are
lumped into a single bucket for each authentication type.
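The RPC classification and AUTH_UNIX decoding described above can be reproduced on a captured UDP payload. The following is an added Python example, not nfswatch's own code: classify_rpc and sample_call are hypothetical names, the program numbers are the well-known ONC RPC assignments paired here with this page's category labels, and the sample message is constructed. It shows that the uid and machine name travel unencrypted in every call, and why a reply, which carries no program number, can only be counted as "RPC Authorization".

```python
import struct

AUTH_UNIX = 1            # ONC RPC credential flavor number for AUTH_UNIX
CALL, REPLY = 0, 1       # RPC msg_type values
# Assumption: well-known program numbers paired with this page's category labels.
PROGRAMS = {100003: "NFS", 100005: "NFS Mount", 100004: "YP/NIS/NIS+"}

def _u32(buf, off):
    """Read one XDR unsigned int (4 bytes, big-endian)."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _opaque(buf, off):
    """Read an XDR variable-length opaque: length, data, padding to 4 bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("opaque length exceeds message")
    return buf[off:off + n], off + n + (-n % 4)

def classify_rpc(payload):
    """Return (category, credential) for one RPC message carried over UDP."""
    _xid, off = _u32(payload, 0)
    mtype, off = _u32(payload, off)
    if mtype == REPLY:
        # A reply carries the xid but no program number, so it cannot be split further.
        return "RPC Authorization", None
    if mtype != CALL:
        raise ValueError("not an RPC message")
    rpcvers, off = _u32(payload, off)
    prog, off = _u32(payload, off)
    _vers, off = _u32(payload, off)
    _proc, off = _u32(payload, off)
    flavor, off = _u32(payload, off)
    if rpcvers != 2:
        raise ValueError("unsupported RPC version")
    body, off = _opaque(payload, off)
    cred = {"flavor": flavor}        # non-AUTH_UNIX flavors: one bucket per type
    if flavor == AUTH_UNIX:
        _stamp, p = _u32(body, 0)
        machine, p = _opaque(body, p)
        uid, p = _u32(body, p)
        gid, p = _u32(body, p)
        cred.update(machine=machine.decode("ascii", "replace"), uid=uid, gid=gid)
    return PROGRAMS.get(prog, "Other RPC Packets"), cred

def sample_call(prog, uid):
    """Constructed sample: an RPC call with an AUTH_UNIX credential."""
    name = b"client1"
    body = struct.pack(">II", 0, len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(">III", uid, 100, 0)     # uid, gid, no supplementary gids
    hdr = struct.pack(">IIIIII", 0x1234, CALL, 2, prog, 2, 6)
    return hdr + struct.pack(">II", AUTH_UNIX, len(body)) + body + struct.pack(">II", 0, 0)
```
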
LOGFILE
When logging is on, nfswatch writes one entry to the log file each
interval. The information printed to the log file is easily readable,
and basically contains a copy of all information on the screen.
Additionally, any NFS traffic to file systems or individual files which
was not printed on the screen (due to space limitations) is printed in
the log file. Finally, in the log file, the NFS traffic to file systems
and individual files is further broken down into counts of how many times
each specific NFS procedure was called.
The information in the nfswatch log file can be summarized easily using
the nfslogsum(8L) program.
COMMANDS
nfswatch also allows several commands to be entered at its prompt during
execution. The prompt is displayed on the last line of the screen. For
most commands, feedback describing the effect of the command is printed
on the same line as the prompt. The commands are:
^L Clear and redraw the screen.
a Switches the display to show statistics on individual users.
c Switches the display to show statistics on NFS client hosts instead
of per-file or per-filesystem information.
f Toggle the display of mounted file systems and the display of
individual files in the NFS packet monitoring area. This command is
only meaningful if the -f filelist option was specified on the
command line. (If the display is showing NFS procedures or clients,
then this command switches the display to show file systems.)
p Switches the display to show statistics on NFS procedures instead of
per-file or per-filesystem information.
l Toggle the logging feature. If logging is off it is (re)started; if
logging is on, it is turned off.
n Toggle display of host names or host numbers in client mode. By
default, client mode displays host names. However, this may not be
sufficient for determining the names of unknown remote hosts, since
domain names are not displayed. This command tells nfswatch to
display host numbers instead, enabling each host to be uniquely
identified.
s Take a ``snapshot'' of the current screen and save it to a file.
This is useful to record occasional copies of the data when the
logfile is not needed.
u Toggle the sort key for the display of mounted file systems in the
NFS packet monitoring area. By default, these are sorted by file
system name, but they can also be sorted in declining order of
percent usage.
- Decrease the cycle time (interval length) by ten seconds. This will
take effect after the next screen update.
+ Increase the cycle time (interval length) by ten seconds. This will
take effect after the next screen update.
< Decrease the cycle time (interval length) by one second. This will
take effect after the next screen update.
> Increase the cycle time (interval length) by one second. This will
take effect after the next screen update.
] Scroll forward through the bottom part of the display, if there are
files/file systems/clients/procedures not being displayed due to
lack of space.
[ Scroll back.
q Exit nfswatch. Using the interrupt key will also cause nfswatch to
exit.
Typing any other character will cause a help screen to be displayed.
OPTIONS
nfswatch can usually be run without arguments and will obtain useful
results. However, for those occasions when the defaults are not good
enough, the following options are provided:
-dst dsthost
Monitor packets destined for dsthost instead of the local host.
-src srchost
Restrict packets being counted to those sent by srchost.
-server serverhost
Restrict packets being counted to those sent to or from serverhost.
-all Monitor packets to and from all NFS servers on the local network.
-dev device
On non-DEC systems: Use network interface device device to read
packets from. By default, nfswatch will use the system's default
network device for an Internet datagram. On Ultrix or DEC OSF/1:
device specifies the packet filter interface from which to read
packets. You can specify interfaces either by their actual names
(such as ln0) or by their generic packet filter interface names
(pfN, for N a small integer). By default, pf0 (the first configured
interface that supports the packet filter) is used.
-allif
Read packets from all configured network interfaces, instead of a
single device. On Irix: The first five (0-4) of each of the
following devices are checked: ec, et, fxp, enp, and epg. If
configured, they will be monitored. On SunOS: The first five le
(0-4) devices, the first five ie (0-4) devices, and the first five
fddi (0-4) devices are checked, and if configured, will be
monitored. On System V Release 4: The first five emd (0-4) devices
are checked, and if configured, will be monitored. On Ultrix and
DEC OSF/1: The first ten pf devices (0-9) are checked, and if
configured, will be monitored.
-f filelist
Read a list of file names (one per line) from filelist and monitor
the NFS traffic to these files in addition to the normal monitoring
of exported file systems.
-lf logfile
When logging, write information to the file logfile. The default is
nfswatch.log.
-sf snapfile
Write snapshots to the file snapfile. The default is nfswatch.snap.
-map mapfile
Read a list of device names and file system names (one pair per
line) from mapfile and translate from one to the other when
displaying file system names.
-T maxtime
Terminate execution after running for maxtime seconds. This is
primarily for use with the -bg option.
-t timeout
Set the cycle time (interval length) to timeout seconds. The
default is 10. The cycle time may also be adjusted from the command
prompt.
-fs Display the file system NFS monitoring data instead of the
individual file data. This option is only meaningful if the -f
filelist option was specified. The display may also be controlled
from the command prompt.
-if Display the individual file NFS monitoring data instead of the file
system data. This option is only meaningful if the -f filelist
option was specified. The display may also be controlled from the
command prompt.
-auth
Display statistics on authentication packets (individual users).
-procs
Display statistics on NFS procedures (RPC calls) instead of per-file
or per-filesystem data.
-clients
Display statistics on NFS client operation rates instead of per-file
or per-filesystem data.
-usage
Set file system, procedure, or client display to be sorted in
declining order of percent usage. By default, the display is sorted
alphabetically. This may also be toggled from the command prompt.
-l Turn logging on at startup time. Logging is turned off by default,
but may be enabled from the command prompt.
-bg Start as a daemon, running in the background. No screen updates
will be performed; all data will be written to the log file only.
When started with this option, nfswatch will print the process id of
the daemon process. To terminate nfswatch, send the process a
SIGTERM signal, or use the -T option to set the maximum execution
time.
BUGS
To monitor NFS traffic to files and file systems, nfswatch must extract
information from the NFS file handle. The file handle is a server-
specific item, and its contents vary from vendor to vendor and operating
system to operating system. Unfortunately, there is no server-
independent way to extract information from a file handle. nfswatch uses
a set of heuristics to parse the file handle format used by many popular
NFS servers, but in some cases there is no way to disambiguate the file
handle format, and the program may get the wrong answer. It should,
however, get the right answer for file handles generated by the host it
is running on.
nfswatch uses the Snoop (snoop(7)) network monitoring protocol under Irix
4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data Link
Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and System V
Release 4, and the Packet Filter (packetfilter(4) under Ultrix 4.0 or
later; packetfilter(7) under DEC OSF/1 V1.3 or later). To run on
other systems, code will have to be written to read packets from the
network in promiscuous mode.
On Ultrix systems, FDDI is only supported under appropriately patched
versions of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o must
be replaced; contact your Customer Support Center). Native FDDI support
is standard in Ultrix 4.3 and later systems.
SEE ALSO
etherfind(8c), dlpi(7), nit(4), nfslogsum(8L), packetfilter(4/7),
snoop(1m), snoop(7)
AUTHORS
David A. Curry
Purdue University
Engineering Computer Network
1285 Electrical Engineering Building
West Lafayette, IN 47907-1285
davy@ecn.purdue.edu
Jeffrey C. Mogul
Digital Equipment Corporation
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301
mogul@wrl.dec.com