1NFSWATCH(8) System Manager's Manual NFSWATCH(8)
2
6 nfswatch - monitor an NFS server
7
9 nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [
10 -all ] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf
11 snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if
12 ] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg
13 ]
14
16 nfswatch monitors all incoming network traffic to an NFS file server
17 and divides it into several categories. The number and percentage of
18 packets received in each category is displayed on the screen in a con‐
19 tinuously updated display. The screen is updated every ten seconds by
20 default; this time period is called an interval.
21 On Irix: You must be the super-user to invoke nfswatch or it must be
23 installed setuid to ``root.'' On SunOS 4.x and SunOS 5.x (Solaris
24 2.x): You must be the super-user to invoke nfswatch or it must be
25 installed setuid to ``root.'' On System V Release 4: You must be the
26 super-user to invoke nfswatch or it must be installed setuid to
27 ``root.'' On Ultrix or DEC OSF/1: Any user can invoke nfswatch once
28 the super-user has enabled promiscuous-mode operation using pfcon‐
29 fig(8). (For example, "pfconfig +p +c -a".) On Linux: You must be the
30 super-user to invoke nfswatch or it must be installed setuid to
31 ``root.''
32 By default, nfswatch monitors all packets destined for the current
34 host. An alternate destination host to watch for may be specified
35 using the -dst argument. If a source host is specified with the -src
36 argument, then only packets arriving at the destination host which were
37 sent by the source host are monitored. Traffic between a specific
38 server and its clients may be watched by specifying the name of the
39 server with the -server argument. If the -all argument is given, then
40 all NFS traffic on the network is monitored. It is usually desirable
41 to specify the -all option whenever using the -server option.
42 The nfswatch screen is divided into three parts. The first part, at
44 the top of the screen, is made up of three lines. The first line dis‐
45 plays the name of the host being monitored, the current date and time,
46 and the time elapsed since the start of monitoring. The second line
47 displays the total number of packets received during the most recent
48 interval, and the third line displays the total number of packets
49 received since monitoring started. These two lines display three num‐
50 bers each: the total number of packets on the network, the total number
51 of packets received by the destination host (possibly subject to being
52 only from the specified source host), and the number of packets dropped
53 by the monitoring interface due to buffer space limitations. Dropped
54 packets are not included in the packet monitoring totals.
55 The second part of the screen divides the received packets into 16 cat‐
57 egories. Each category is displayed with three numbers: the number of
58 packets received this interval, the percentage this represents of all
59 packets received by the host during this interval, and the total number
60 of packets received since monitoring started. The packet categories
61 are not mutually exclusive; some packets may be counted in more than
62 one category (for example, NFS packets are also UDP packets). The cat‐
63 egories in this section and their meanings are:
64 NFS3 Read
66 NFS v3 requests which primarily result in a file system read
67 being performed (read file, read directory, etc.).
68 NFS3 Write
70 NFS v3 requests which primarily result in a file system write
71 being performed (write file, rename file, create file, delete
72 file, etc.).
73 NFS Read
75 NFS requests which primarily result in a file system read being
76 performed (read file, read directory, etc.).
77 NFS Write
79 NFS requests which primarily result in a file system write being
80 performed (write file, rename file, create file, delete file,
81 etc.).
82 NFS Mount
84 NFS mount requests.
85 YP/NIS/NIS+
87 Sun NIS (Yellow Pages) and NIS+ requests.
88 RPC Authorization
90 All RPC reply packets fall into this category, because RPC
91 replies do not contain the protocol number, and thus cannot be
92 classified as anything else. (If the -all argument is given,
93 then you will see all the RPC replies on the network in this
94 category.)
95 Other RPC Packets
97 All RPC requests which do not fall into one of the above cate‐
98 gories.
99 TCP Packets
101 Packets sent using the Transmission Control Protocol.
102 UDP Packets
104 Packets sent using the User Datagram Protocol.
105 ICMP Packets
107 Packets sent using the Internet Control Message Protocol.
108 Routing Control
110 Routing Information Protocol (RIP) packets.
111 Address Resolution
113 Address Resolution Protocol (ARP) packets. These packets are
114 not counted on System V Release 4 systems (except for SunOS
115 5.x), due to limitations of the dlpi(7) interface.
116 Reverse Addr Resol
118 Reverse Address Resolution Protocol (RARP) packets. These pack‐
119 ets are not counted on System V Release 4 systems (except for
120 SunOS 5.x), due to limitations of the dlpi(7) interface.
121 Ethernet/FDDI Bdcst
123 Ethernet (or FDDI) broadcast packets. These packets are des‐
124 tined for and received by all hosts on the local network. These
125 packets are not counted on System V Release 4 systems (except
126 for SunOS 5.x), due to limitations of the dlpi(7) interface.
127 Other Packets
129 A catch-all for any packets not counted in any of the above cat‐
130 egories.
131 The third part of the display shows the mounted file systems exported
133 by the file server for mounting through NFS. If nfswatch is monitoring
134 the same host it is being run on, these file systems are listed by path
135 name. Otherwise, the program attempts to decode the server's major and
136 minor device numbers for the file system, and displays them in paren‐
137 theses. (If the -all argument is given, the name of the server is also
138 shown.) With each file system, three numbers are displayed: the number
139 of NFS requests for this file system received during the interval, the
140 percentage this represents of all NFS requests received by the host,
141 and the total number of NFS requests for this file system received
142 since monitoring started. Up to 1024 file systems will be monitored by
143 nfswatch and recorded in the log file, but only as many as will fit (2
144 * (LINES - 16)) will be displayed on the screen.
145 If the -map mapfile option is specified, nfswatch will read pairs of
147 file system device specifications (as described above) and the proper
148 names of the file systems from mapfile. Each line should contain a
149 string representing what nfswatch would normally print, and then sepa‐
150 rated from that by whitespace, the name that is preferred. For exam‐
151 ple,
152 myhost(7,24) /homedirs
154 If the -f filelist option is specified, a list of file names (one per
156 line) is read from filelist, and the traffic to these individual files
157 is also monitored. The files must reside in file systems exported by
158 the file server. When this option is specified, the third section of
159 the screen will display counters for these files, instead of for the
160 mounted file systems. Up to 1024 individual files will be monitored by
161 nfswatch and recorded in the log file, but only as many as will fit (2
162 * (LINES - 16)) will be displayed on the screen.
163 If the -procs or -procs3 option is specified, then instead of showing
165 per-file or per-file system statistics, nfswatch shows the frequency of
166 each NFS procedure (RPC call) (or as many as will fit on the screen).
167 For each procedure, some timing statistics are also displayed; these
168 include the number of completed operations (request and response seen)
169 during the interval, the average response time during the interval (in
170 milliseconds), the standard deviation from the average during the
171 interval, and the maximum response time over all time.
172 If the -clients option is specified, then instead of showing per-file
174 or per-file system statistics, nfswatch shows the operation rate of
175 each NFS client of the specified server(s) (or as many as will fit on
176 the screen).
177 It should be noted here that only NFS requests, made by client
179 machines, are counted in the NFS packet monitoring area. The NFS traf‐
180 fic generated by the server in response to these requests is not
181 counted.
182 If the -auth option is specified, then the display will show packet
184 counts divided up by user name (or user id, if the login name is not in
185 the local password file). This information is decoded from the
186 AUTH_UNIX authentication part of each RPC packet. nfswatch only
187 decodes AUTH_UNIX authenticators, the other types of authentication
188 (e.g., AUTH_DES) are lumped into a single bucket for each authentica‐
189 tion type.
190
192 When logging is on, nfswatch writes one entry to the log file each
193 interval. The information printed to the log file is easily readable,
194 and basically contains a copy of all information on the screen. Addi‐
195 tionally, any NFS traffic to file systems or individual files which was
196 not printed on the screen (due to space limitations) is printed in the
197 log file. Finally, in the log file, the NFS traffic to file systems
198 and individual files is further broken down into counts of how many
199 times each specific NFS procedure was called.
200 The information in the nfswatch log file can be summarized easily using
202 the nfslogsum(8L) program.
203
205 nfswatch also allows several commands to be entered at its prompt dur‐
206 ing execution. The prompt is displayed on the last line of the screen.
207 For most commands, feedback describing the effect of the command is
208 printed on the same line as the prompt. The commands are:
209 ^L Clear and redraw the screen.
211 a Switches the display to show statistics on individual users.
213 c Switches the display to show statistics on NFS client hosts
215 instead of per-file or per-filesystem information.
216 f Toggle the display of mounted file systems and the display of
218 individual files in the NFS packet monitoring area. This com‐
219 mand is only meaningful if the -f filelist option was specified
220 on the command line. (If the display is showing NFS procedures
221 or clients, then this command switches the display to show file
222 systems.)
223 p Switches the display to show statistics on NFS procedures
225 instead of per-file or per-filesystem information.
226 P Switches the display to show statistics on NFS v3 procedures
228 instead of per-file or per-filesystem information.
229 l Toggle the logging feature. If logging is off it is
231 (re)started; if logging is on, it is turned off.
232 n Toggle display of host names or host numbers in client mode. By
234 default, client mode displays host names. However, this may not
235 be sufficient for determining the names of unknown remote hosts,
236 since domain names are not displayed. This command tells
237 nfswatch to display host numbers instead, enabling each host to
238 be uniquely identified.
239 s Take a ``snapshot'' of the current screen and save it to a file.
241 This is useful to record occasional copies of the data when the
242 logfile is not needed.
243 u Toggle the sort key for the display of mounted file systems in
245 the NFS packet monitoring area. By default, these are sorted by
246 file system name, but they can also be sorted in declining order
247 of percent usage.
248 - Decrease the cycle time (interval length) by ten seconds. This
250 will take effect after the next screen update.
251 + Increase the cycle time (interval length) by ten seconds. This
253 will take effect after the next screen update.
254 < Decrease the cycle time (interval length) by one second. This
256 will take effect after the next screen update.
257 > Increase the cycle time (interval length) by one second. This
259 will take effect after the next screen update.
260 ] Scroll forward through the bottom part of the display, if there
262 are files/file systems/clients/procedures not being displayed
263 due to lack of space.
264 [ Scroll back.
266 q Exit nfswatch. Using the interrupt key will also cause nfswatch
268 to exit.
269 Typing any other character will cause a help screen to be displayed.
271
273 nfswatch can usually be run without arguments and will obtain useful
274 results. However, for those occasions when the defaults are not good
275 enough, the following options are provided:
276 -dst dsthost
278 Monitor packets destined for dsthost instead of the local host.
279 -src srchost
281 Restrict packets being counted to those sent by srchost.
282 -server serverhost
284 Restrict packets being counted to those sent to or from server‐
285 host.
286 -all Monitor packets to and from all NFS servers on the local net‐
288 work.
289 -dev device
291 On non-DEC systems: Use network interface device device to read
292 packets from. By default, nfswatch will use the system's
293 default network device for an Internet datagram. On Ultrix or
294 DEC OSF/1: device specifies the packet filter interface from
295 which to read packets. You can specify interfaces either by
296 their actual names (such as ln0) or by their generic packet fil‐
297 ter interface names (pfN, for N a small integer). By default,
298 pf0 (the first configured interface that supports the packet
299 filter) is used.
300 -allif Read packets from all configured network interfaces, instead of
302 a single device. On Irix: The first five (0-4) of each of the
303 following devices are checked: ec, et, fxp, enp, and epg. If
304 configured, they will be monitored. On SunOS: The first five le
305 (0-4) devices, the first five ie (0-4) devices, and the first
306 five fddi (0-4) devices are checked, and if configured, will be
307 monitored. On System V Release 4: The first five emd (0-4)
308 devices are checked, and if configured, will be monitored. On
309 Ultrix and DEC OSF/1: The first ten pf devices (0-9) are
310 checked, and if configured, will be monitored.
311 -f filelist
313 Read a list of file names (one per line) from filelist and moni‐
314 tor the NFS traffic to these files in addition to the normal
315 monitoring of exported file systems.
316 -lf logfile
318 When logging, write information to the file logfile. The
319 default is nfswatch.log.
320 -sf snapfile
322 Write snapshots to the file snapfile. The default is
323 nfswatch.snap.
324 -map mapfile
326 Read a list of device names and file system names (one pair per
327 line) from mapfile and translate from one to the other when dis‐
328 playing file system names.
329 -T maxtime
331 Terminate execution after running for maxtime seconds. This is
332 primarily for use with the -bg option.
333 -t timeout
335 Set the cycle time (interval length) to timeout seconds. The
336 default is 10. The cycle time may also be adjusted from the
337 command prompt.
338 -fs Display the file system NFS monitoring data instead of the indi‐
340 vidual file data. This option is only meaningful if the -f
341 filelist option was specified. The display may also be con‐
342 trolled from the command prompt.
343 -if Display the individual file NFS monitoring data instead of the
345 file system data. This option is only meaningful if the -f
346 filelist option was specified. The display may also be con‐
347 trolled from the command prompt.
348 -auth Display statistics on authentication packets (individual users).
350 -procs Display statistics on NFS procedures (RPC calls) instead of per-
352 file or per-filesystem data.
353 -procs3
355 Display statistics on NFS v3 procedures (RPC calls) instead of
356 per-file or per-filesystem data.
357 -client
359 Display statistics on NFS client operation rates instead of per-
360 file or per-filesystem data.
361 -usage Set file system, procedure, or client display to be sorted in
363 declining order of percent usage. By default, the display is
364 sorted alphabetically. This may also be toggled from the com‐
365 mand prompt.
366 -l Turn logging on at startup time. Logging is turned off by
368 default, but may be enabled from the command prompt.
369 -bg Start as a daemon, running in the background. No screen updates
371 will be performed; all data will be written to the log file
372 only. When started with this option, nfswatch will print the
373 process id of the daemon process. To terminate nfswatch, send
374 the process a SIGTERM signal, or use the -T option to set the
375 maximum execution time.
376
378 To monitor NFS traffic to files and file systems, nfswatch must extract
379 information from the NFS file handle. The file handle is a server-spe‐
380 cific item, and its contents vary from vendor to vendor and operating
381 system to operating system. Unfortunately, there is no server-indepen‐
382 dent way to extract information from a file handle. nfswatch uses a
383 set of heuristics to parse the file handle format used by many popular
384 NFS servers, but in some cases there is no way to disambiguate the file
385 handle format, and the program may get the wrong answer. It should,
386 however, get the right answer for file handles generated by the host it
387 is running on.
388 nfswatch uses the Snoop (snoop(7)) network monitoring protocol under
390 Irix 4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data
391 Link Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and
392 System V Release 4, the Packet Filter {(packetfilter(4)) under Ultrix
393 (4.0 or later); (packetfilter(7)) under DEC OSF/1 (V1.3 or later)}, and
394 the packet interface (packet(7)) under Linux. To run on other systems,
395 code will have to be written to read packets from the network in pro‐
396 miscuous mode.
397 On Ultrix systems, FDDI is only supported under appropriately patched
399 versions of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o
400 must be replaced; contact your Customer Support Center). Native FDDI
401 support is standard in Ultrix 4.3 and later systems.
402
404 etherfind(8c), dlpi(7), nit(4), nfslogsum(8L), packetfilter(4/7),
405 snoop(1m), snoop(7), packet(7)
406
408 David A. Curry
409 Purdue University
410 Engineering Computer Network
411 1285 Electrical Engineering Building
412 West Lafayette, IN 47907-1285
413 davy@ecn.purdue.edu
414 Jeffrey C. Mogul
416 Digital Equipment Corporation
417 Western Research Laboratory
418 250 University Avenue
419 Palo Alto, CA 94301
420 mogul@wrl.dec.com
421 Christian Iseli
423 Ludwig Institute for Cancer Research
424 UNIL - BEP
425 Lausanne, CH-1015
426 Christian.Iseli@licr.org
427Lausanne/LICR 25 February 2005 NFSWATCH(8)