1NFSWATCH(8)                 System Manager's Manual                NFSWATCH(8)
2
3
4

NAME

6       nfswatch - monitor an NFS server
7

SYNOPSIS

9       nfswatch  [  -dst  dsthost  ] [ -src srchost ] [ -server serverhost ] [
10       -all ] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf
11       snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if
12       ] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg
13       ]
14

DESCRIPTION

16       nfswatch  monitors  all  incoming network traffic to an NFS file server
17       and divides it into several categories.  The number and  percentage  of
18       packets  received in each category is displayed on the screen in a con‐
19       tinuously updated display.  The screen is updated every ten seconds  by
20       default; this time period is called an interval.
21
22       On  Irix:  You  must be the super-user to invoke nfswatch or it must be
23       installed setuid to ``root.''  On SunOS  4.x  and  SunOS  5.x  (Solaris
24       2.x):  You  must  be  the  super-user  to invoke nfswatch or it must be
25       installed setuid to ``root.''  On System V Release 4: You must  be  the
26       super-user  to  invoke  nfswatch  or  it  must  be  installed setuid to
27       ``root.''  On Ultrix or DEC OSF/1: Any user can  invoke  nfswatch  once
28       the  super-user  has  enabled  promiscuous-mode  operation using pfcon‐
29       fig(8).  (For example, "pfconfig +p +c -a".)  On Linux: You must be the
30       super-user  to  invoke  nfswatch  or  it  must  be  installed setuid to
31       ``root.''
32
33       By default, nfswatch monitors all  packets  destined  for  the  current
34       host.   An  alternate  destination  host  to watch for may be specified
35       using the -dst argument.  If a source host is specified with  the  -src
36       argument, then only packets arriving at the destination host which were
37       sent by the source host are  monitored.   Traffic  between  a  specific
38       server  and  its  clients  may be watched by specifying the name of the
39       server with the -server argument.  If the -all argument is given,  then
40       all  NFS  traffic on the network is monitored.  It is usually desirable
41       to specify the -all option whenever using the -server option.
42
43       The nfswatch screen is divided into three parts.  The  first  part,  at
44       the  top of the screen, is made up of three lines.  The first line dis‐
45       plays the name of the host being monitored, the current date and  time,
46       and  the  time  elapsed since the start of monitoring.  The second line
47       displays the total number of packets received during  the  most  recent
48       interval,  and  the  third  line  displays  the total number of packets
49       received since monitoring started.  These two lines display three  num‐
50       bers each: the total number of packets on the network, the total number
51       of packets received by the destination host (possibly subject to  being
52       only from the specified source host), and the number of packets dropped
53       by the monitoring interface due to buffer space  limitations.   Dropped
54       packets are not included in the packet monitoring totals.
55
56       The second part of the screen divides the received packets into 16 cat‐
57       egories.  Each category is displayed with three numbers: the number  of
58       packets  received  this interval, the percentage this represents of all
59       packets received by the host during this interval, and the total number
60       of  packets  received  since monitoring started.  The packet categories
61       are not mutually exclusive; some packets may be counted  in  more  than
62       one category (for example, NFS packets are also UDP packets).  The cat‐
63       egories in this section and their meanings are:
64
65       NFS3 Read
66              NFS v3 requests which primarily result in  a  file  system  read
67              being performed (read file, read directory, etc.).
68
69       NFS3 Write
70              NFS  v3  requests  which primarily result in a file system write
71              being performed (write file, rename file,  create  file,  delete
72              file, etc.).
73
74       NFS Read
75              NFS  requests which primarily result in a file system read being
76              performed (read file, read directory, etc.).
77
78       NFS Write
79              NFS requests which primarily result in a file system write being
80              performed  (write  file,  rename file, create file, delete file,
81              etc.).
82
83       NFS Mount
84              NFS mount requests.
85
86       YP/NIS/NIS+
87              Sun NIS (Yellow Pages) and NIS+ requests.
88
89       RPC Authorization
90              All RPC reply packets  fall  into  this  category,  because  RPC
91              replies  do  not contain the protocol number, and thus cannot be
92              classified as anything else.  (If the -all  argument  is  given,
93              then  you  will  see  all the RPC replies on the network in this
94              category.)
95
96       Other RPC Packets
97              All RPC requests which do not fall into one of the  above  cate‐
98              gories.
99
100       TCP Packets
101              Packets sent using the Transmission Control Protocol.
102
103       UDP Packets
104              Packets sent using the User Datagram Protocol.
105
106       ICMP Packets
107              Packets sent using the Internet Control Message Protocol.
108
109       Routing Control
110              Routing Information Protocol (RIP) packets.
111
112       Address Resolution
113              Address  Resolution  Protocol  (ARP) packets.  These packets are
114              not counted on System V Release  4  systems  (except  for  SunOS
115              5.x), due to limitations of the dlpi(7) interface.
116
117       Reverse Addr Resol
118              Reverse Address Resolution Protocol (RARP) packets.  These pack‐
119              ets are not counted on System V Release 4  systems  (except  for
120              SunOS 5.x), due to limitations of the dlpi(7) interface.
121
122       Ethernet/FDDI Bdcst
123              Ethernet  (or  FDDI)  broadcast packets.  These packets are des‐
124              tined for and received by all hosts on the local network.  These
125              packets  are  not  counted on System V Release 4 systems (except
126              for SunOS 5.x), due to limitations of the dlpi(7) interface.
127
128       Other Packets
129              A catch-all for any packets not counted in any of the above cat‐
130              egories.
131
132       The  third  part of the display shows the mounted file systems exported
133       by the file server for mounting through NFS.  If nfswatch is monitoring
134       the same host it is being run on, these file systems are listed by path
135       name.  Otherwise, the program attempts to decode the server's major and
136       minor  device  numbers for the file system, and displays them in paren‐
137       theses.  (If the -all argument is given, the name of the server is also
138       shown.)  With each file system, three numbers are displayed: the number
139       of NFS requests for this file system received during the interval,  the
140       percentage  this  represents  of all NFS requests received by the host,
141       and the total number of NFS requests  for  this  file  system  received
142       since monitoring started.  Up to 1024 file systems will be monitored by
143       nfswatch and recorded in the log file, but only as many as will fit  (2
144       * (LINES - 16)) will be displayed on the screen.
145
146       If  the  -map  mapfile option is specified, nfswatch will read pairs of
147       file system device specifications (as described above) and  the  proper
148       names  of  the  file  systems from mapfile.  Each line should contain a
149       string representing what nfswatch would normally print, and then  sepa‐
150       rated  from  that by whitespace, the name that is preferred.  For exam‐
151       ple,
152
153                             myhost(7,24)     /homedirs
154
155       If the -f filelist option is specified, a list of file names  (one  per
156       line)  is read from filelist, and the traffic to these individual files
157       is also monitored.  The files must reside in file systems  exported  by
158       the  file  server.  When this option is specified, the third section of
159       the screen will display counters for these files, instead  of  for  the
160       mounted file systems.  Up to 1024 individual files will be monitored by
161       nfswatch and recorded in the log file, but only as many as will fit  (2
162       * (LINES - 16)) will be displayed on the screen.
163
164       If  the  -procs or -procs3 option is specified, then instead of showing
165       per-file or per-file system statistics, nfswatch shows the frequency of
166       each  NFS  procedure (RPC call) (or as many as will fit on the screen).
167       For each procedure, some timing statistics are  also  displayed;  these
168       include  the number of completed operations (request and response seen)
169       during the interval, the average response time during the interval  (in
170       milliseconds),  the  standard  deviation  from  the  average during the
171       interval, and the maximum response time over all time.
172
173       If the -clients option is specified, then instead of  showing  per-file
174       or  per-file  system  statistics,  nfswatch shows the operation rate of
175       each NFS client of the specified server(s) (or as many as will  fit  on
176       the screen).
177
178       It  should  be  noted  here  that  only  NFS  requests,  made by client
179       machines, are counted in the NFS packet monitoring area.  The NFS traf‐
180       fic  generated  by  the  server  in  response  to these requests is not
181       counted.
182
183       If the -auth option is specified, then the  display  will  show  packet
184       counts divided up by user name (or user id, if the login name is not in
185       the local  password  file).   This  information  is  decoded  from  the
186       AUTH_UNIX  authentication  part  of  each  RPC  packet.   nfswatch only
187       decodes AUTH_UNIX authenticators, the  other  types  of  authentication
188       (e.g.,  AUTH_DES)  are lumped into a single bucket for each authentica‐
189       tion type.
190

LOGFILE

192       When logging is on, nfswatch writes one entry  to  the  log  file  each
193       interval.   The information printed to the log file is easily readable,
194       and basically contains a copy of all information on the screen.   Addi‐
195       tionally, any NFS traffic to file systems or individual files which was
196       not printed on the screen (due to space limitations) is printed in  the
197       log  file.   Finally,  in the log file, the NFS traffic to file systems
198       and individual files is further broken down into  counts  of  how  many
199       times each specific NFS procedure was called.
200
201       The information in the nfswatch log file can be summarized easily using
202       the nfslogsum(8L) program.
203

COMMANDS

205       nfswatch also allows several commands to be entered at its prompt  dur‐
206       ing execution.  The prompt is displayed on the last line of the screen.
207       For most commands, feedback describing the effect  of  the  command  is
208       printed on the same line as the prompt.  The commands are:
209
210       ^L     Clear and redraw the screen.
211
212       a      Switches the display to show statistics on individual users.
213
214       c      Switches  the  display  to  show  statistics on NFS client hosts
215              instead of per-file or per-filesystem information.
216
217       f      Toggle the display of mounted file systems and  the  display  of
218              individual  files  in the NFS packet monitoring area.  This com‐
219              mand is only meaningful if the -f filelist option was  specified
220              on  the command line.  (If the display is showing NFS procedures
221              or clients, then this command switches the display to show  file
222              systems.)
223
224       p      Switches  the  display  to  show  statistics  on  NFS procedures
225              instead of per-file or per-filesystem information.
226
227       P      Switches the display to show statistics  on  NFS  v3  procedures
228              instead of per-file or per-filesystem information.
229
230       l      Toggle   the   logging   feature.   If  logging  is  off  it  is
231              (re)started; if logging is on, it is turned off.
232
233       n      Toggle display of host names or host numbers in client mode.  By
234              default, client mode displays host names.  However, this may not
235              be sufficient for determining the names of unknown remote hosts,
236              since  domain  names  are  not  displayed.   This  command tells
237              nfswatch to display host numbers instead, enabling each host  to
238              be uniquely identified.
239
240       s      Take a ``snapshot'' of the current screen and save it to a file.
241              This is useful to record occasional copies of the data when  the
242              logfile is not needed.
243
244       u      Toggle  the  sort key for the display of mounted file systems in
245              the NFS packet monitoring area.  By default, these are sorted by
246              file system name, but they can also be sorted in declining order
247              of percent usage.
248
249       -      Decrease the cycle time (interval length) by ten seconds.   This
250              will take effect after the next screen update.
251
252       +      Increase  the cycle time (interval length) by ten seconds.  This
253              will take effect after the next screen update.
254
255       <      Decrease the cycle time (interval length) by one  second.   This
256              will take effect after the next screen update.
257
258       >      Increase  the  cycle time (interval length) by one second.  This
259              will take effect after the next screen update.
260
261       ]      Scroll forward through the bottom part of the display, if  there
262              are  files/file  systems/clients/procedures  not being displayed
263              due to lack of space.
264
265       [      Scroll back.
266
267       q      Exit nfswatch.  Using the interrupt key will also cause nfswatch
268              to exit.
269
270       Typing any other character will cause a help screen to be displayed.
271

OPTIONS

273       nfswatch  can  usually  be run without arguments and will obtain useful
274       results.  However, for those occasions when the defaults are  not  good
275       enough, the following options are provided:
276
277       -dst dsthost
278              Monitor packets destined for dsthost instead of the local host.
279
280       -src srchost
281              Restrict packets being counted to those sent by srchost.
282
283       -server serverhost
284              Restrict  packets being counted to those sent to or from server‐
285              host.
286
287       -all   Monitor packets to and from all NFS servers on  the  local  net‐
288              work.
289
290       -dev device
291              On  non-DEC systems: Use network interface device device to read
292              packets from.   By  default,  nfswatch  will  use  the  system's
293              default  network  device for an Internet datagram.  On Ultrix or
294              DEC OSF/1: device specifies the  packet  filter  interface  from
295              which  to  read  packets.   You can specify interfaces either by
296              their actual names (such as ln0) or by their generic packet fil‐
297              ter  interface  names (pfN, for N a small integer).  By default,
298              pf0 (the first configured interface  that  supports  the  packet
299              filter) is used.
300
301       -allif Read  packets from all configured network interfaces, instead of
302              a single device.  On Irix: The first five (0-4) of each  of  the
303              following  devices  are  checked: ec, et, fxp, enp, and epg.  If
304              configured, they will be monitored.  On SunOS: The first five le
305              (0-4)  devices,  the  first five ie (0-4) devices, and the first
306              five fddi (0-4) devices are checked, and if configured, will  be
307              monitored.   On  System  V  Release  4: The first five emd (0-4)
308              devices are checked, and if configured, will be  monitored.   On
309              Ultrix  and  DEC  OSF/1:  The  first  ten  pf  devices (0-9) are
310              checked, and if configured, will be monitored.
311
312       -f filelist
313              Read a list of file names (one per line) from filelist and moni‐
314              tor  the  NFS  traffic  to these files in addition to the normal
315              monitoring of exported file systems.
316
317       -lf logfile
318              When logging,  write  information  to  the  file  logfile.   The
319              default is nfswatch.log.
320
321       -sf snapfile
322              Write   snapshots   to   the  file  snapfile.   The  default  is
323              nfswatch.snap.
324
325       -map mapfile
326              Read a list of device names and file system names (one pair  per
327              line) from mapfile and translate from one to the other when dis‐
328              playing file system names.
329
330       -T maxtime
331              Terminate execution after running for maxtime seconds.  This  is
332              primarily for use with the -bg option.
333
334       -t timeout
335              Set  the  cycle  time (interval length) to timeout seconds.  The
336              default is 10.  The cycle time may also  be  adjusted  from  the
337              command prompt.
338
339       -fs    Display the file system NFS monitoring data instead of the indi‐
340              vidual file data.  This option is  only  meaningful  if  the  -f
341              filelist  option  was  specified.   The display may also be con‐
342              trolled from the command prompt.
343
344       -if    Display the individual file NFS monitoring data instead  of  the
345              file  system  data.   This  option  is only meaningful if the -f
346              filelist option was specified.  The display  may  also  be  con‐
347              trolled from the command prompt.
348
349       -auth  Display statistics on authentication packets (individual users).
350
351       -procs Display statistics on NFS procedures (RPC calls) instead of per-
352              file or per-filesystem data.
353
354       -procs3
355              Display statistics on NFS v3 procedures (RPC calls)  instead  of
356              per-file or per-filesystem data.
357
358       -client
359              Display statistics on NFS client operation rates instead of per-
360              file or per-filesystem data.
361
362       -usage Set file system, procedure, or client display to  be  sorted  in
363              declining  order  of  percent usage.  By default, the display is
364              sorted alphabetically.  This may also be toggled from  the  com‐
365              mand prompt.
366
367       -l     Turn  logging  on  at  startup  time.   Logging is turned off by
368              default, but may be enabled from the command prompt.
369
370       -bg    Start as a daemon, running in the background.  No screen updates
371              will  be  performed;  all  data  will be written to the log file
372              only.  When started with this option, nfswatch  will  print  the
373              process  id  of the daemon process.  To terminate nfswatch, send
374              the process a SIGTERM signal, or use the -T option  to  set  the
375              maximum execution time.
376

BUGS

378       To monitor NFS traffic to files and file systems, nfswatch must extract
379       information from the NFS file handle.  The file handle is a server-spe‐
380       cific  item,  and its contents vary from vendor to vendor and operating
381       system to operating system.  Unfortunately, there is no server-indepen‐
382       dent  way  to  extract information from a file handle.  nfswatch uses a
383       set of heuristics to parse the file handle format used by many  popular
384       NFS servers, but in some cases there is no way to disambiguate the file
385       handle format, and the program may get the wrong  answer.   It  should,
386       however, get the right answer for file handles generated by the host it
387       is running on.
388
389       nfswatch uses the Snoop (snoop(7)) network  monitoring  protocol  under
390       Irix  4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data
391       Link Provider Interface (dlpi(7)) under SunOS  5.x  (Solaris  2.x)  and
392       System  V  Release 4, the Packet Filter {(packetfilter(4)) under Ultrix
393       (4.0 or later); (packetfilter(7)) under DEC OSF/1 (V1.3 or later)}, and
394       the packet interface (packet(7)) under Linux.  To run on other systems,
395       code will have to be written to read packets from the network  in  pro‐
396       miscuous mode.
397
398       On  Ultrix  systems, FDDI is only supported under appropriately patched
399       versions of Ultrix 4.2 (the kernel  modules  net_common.o  and  pfilt.o
400       must  be  replaced; contact your Customer Support Center).  Native FDDI
401       support is standard in Ultrix 4.3 and later systems.
402

SEE ALSO

404       etherfind(8c),  dlpi(7),  nit(4),   nfslogsum(8L),   packetfilter(4/7),
405       snoop(1m), snoop(7), packet(7)
406

AUTHORS

408       David A. Curry
409       Purdue University
410       Engineering Computer Network
411       1285 Electrical Engineering Building
412       West Lafayette, IN 47907-1285
413       davy@ecn.purdue.edu
414
415       Jeffrey C. Mogul
416       Digital Equipment Corporation
417       Western Research Laboratory
418       250 University Avenue
419       Palo Alto, CA 94301
420       mogul@wrl.dec.com
421
422       Christian Iseli
423       Ludwig Institute for Cancer Research
424       UNIL - BEP
425       Lausanne, CH-1015
426       Christian.Iseli@licr.org
427
428
429
430Lausanne/LICR                  25 February 2005                    NFSWATCH(8)
Impressum