1NFSWATCH(8) System Manager's Manual NFSWATCH(8)
2
6 nfswatch - monitor an NFS server
7
9 nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [
10 -all ] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf
11 snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if
12 ] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg
13 ]
14
16 nfswatch monitors all incoming network traffic to an NFS file server
17 and divides it into several categories. The number and percentage of
18 packets received in each category is displayed on the screen in a con‐
19 tinuously updated display. The screen is updated every ten seconds by
20 default; this time period is called an interval.
21 On Irix: You must be the super-user to invoke nfswatch or it must be
23 installed setuid to ``root.'' On SunOS 4.x and SunOS 5.x (Solaris
24 2.x): You must be the super-user to invoke nfswatch or it must be in‐
25 stalled setuid to ``root.'' On System V Release 4: You must be the su‐
26 per-user to invoke nfswatch or it must be installed setuid to ``root.''
27 On Ultrix or DEC OSF/1: Any user can invoke nfswatch once the super-
28 user has enabled promiscuous-mode operation using pfconfig(8). (For
29 example, "pfconfig +p +c -a".) On Linux: You must be the super-user to
30 invoke nfswatch or it must be installed setuid to ``root.''
31 By default, nfswatch monitors all packets destined for the current
33 host. An alternate destination host to watch for may be specified us‐
34 ing the -dst argument. If a source host is specified with the -src ar‐
35 gument, then only packets arriving at the destination host which were
36 sent by the source host are monitored. Traffic between a specific
37 server and its clients may be watched by specifying the name of the
38 server with the -server argument. If the -all argument is given, then
39 all NFS traffic on the network is monitored. It is usually desirable
40 to specify the -all option whenever using the -server option.
41 The nfswatch screen is divided into three parts. The first part, at
43 the top of the screen, is made up of three lines. The first line dis‐
44 plays the name of the host being monitored, the current date and time,
45 and the time elapsed since the start of monitoring. The second line
46 displays the total number of packets received during the most recent
47 interval, and the third line displays the total number of packets re‐
48 ceived since monitoring started. These two lines display three numbers
49 each: the total number of packets on the network, the total number of
50 packets received by the destination host (possibly subject to being
51 only from the specified source host), and the number of packets dropped
52 by the monitoring interface due to buffer space limitations. Dropped
53 packets are not included in the packet monitoring totals.
54 The second part of the screen divides the received packets into 16 cat‐
56 egories. Each category is displayed with three numbers: the number of
57 packets received this interval, the percentage this represents of all
58 packets received by the host during this interval, and the total number
59 of packets received since monitoring started. The packet categories
60 are not mutually exclusive; some packets may be counted in more than
61 one category (for example, NFS packets are also UDP packets). The cat‐
62 egories in this section and their meanings are:
63 NFS3 Read
65 NFS v3 requests which primarily result in a file system read be‐
66 ing performed (read file, read directory, etc.).
67 NFS3 Write
69 NFS v3 requests which primarily result in a file system write
70 being performed (write file, rename file, create file, delete
71 file, etc.).
72 NFS Read
74 NFS requests which primarily result in a file system read being
75 performed (read file, read directory, etc.).
76 NFS Write
78 NFS requests which primarily result in a file system write being
79 performed (write file, rename file, create file, delete file,
80 etc.).
81 NFS Mount
83 NFS mount requests.
84 YP/NIS/NIS+
86 Sun NIS (Yellow Pages) and NIS+ requests.
87 RPC Authorization
89 All RPC reply packets fall into this category, because RPC
90 replies do not contain the protocol number, and thus cannot be
91 classified as anything else. (If the -all argument is given,
92 then you will see all the RPC replies on the network in this
93 category.)
94 Other RPC Packets
96 All RPC requests which do not fall into one of the above cate‐
97 gories.
98 TCP Packets
100 Packets sent using the Transmission Control Protocol.
101 UDP Packets
103 Packets sent using the User Datagram Protocol.
104 ICMP Packets
106 Packets sent using the Internet Control Message Protocol.
107 Routing Control
109 Routing Information Protocol (RIP) packets.
110 Address Resolution
112 Address Resolution Protocol (ARP) packets. These packets are
113 not counted on System V Release 4 systems (except for SunOS
114 5.x), due to limitations of the dlpi(7) interface.
115 Reverse Addr Resol
117 Reverse Address Resolution Protocol (RARP) packets. These pack‐
118 ets are not counted on System V Release 4 systems (except for
119 SunOS 5.x), due to limitations of the dlpi(7) interface.
120 Ethernet/FDDI Bdcst
122 Ethernet (or FDDI) broadcast packets. These packets are des‐
123 tined for and received by all hosts on the local network. These
124 packets are not counted on System V Release 4 systems (except
125 for SunOS 5.x), due to limitations of the dlpi(7) interface.
126 Other Packets
128 A catch-all for any packets not counted in any of the above cat‐
129 egories.
130 The third part of the display shows the mounted file systems exported
132 by the file server for mounting through NFS. If nfswatch is monitoring
133 the same host it is being run on, these file systems are listed by path
134 name. Otherwise, the program attempts to decode the server's major and
135 minor device numbers for the file system, and displays them in paren‐
136 theses. (If the -all argument is given, the name of the server is also
137 shown.) With each file system, three numbers are displayed: the number
138 of NFS requests for this file system received during the interval, the
139 percentage this represents of all NFS requests received by the host,
140 and the total number of NFS requests for this file system received
141 since monitoring started. Up to 1024 file systems will be monitored by
142 nfswatch and recorded in the log file, but only as many as will fit (2
143 * (LINES - 16)) will be displayed on the screen.
144 If the -map mapfile option is specified, nfswatch will read pairs of
146 file system device specifications (as described above) and the proper
147 names of the file systems from mapfile. Each line should contain a
148 string representing what nfswatch would normally print, and then sepa‐
149 rated from that by whitespace, the name that is preferred. For exam‐
150 ple,
151 myhost(7,24) /homedirs
153 If the -f filelist option is specified, a list of file names (one per
155 line) is read from filelist, and the traffic to these individual files
156 is also monitored. The files must reside in file systems exported by
157 the file server. When this option is specified, the third section of
158 the screen will display counters for these files, instead of for the
159 mounted file systems. Up to 1024 individual files will be monitored by
160 nfswatch and recorded in the log file, but only as many as will fit (2
161 * (LINES - 16)) will be displayed on the screen.
162 If the -procs or -procs3 option is specified, then instead of showing
164 per-file or per-file system statistics, nfswatch shows the frequency of
165 each NFS procedure (RPC call) (or as many as will fit on the screen).
166 For each procedure, some timing statistics are also displayed; these
167 include the number of completed operations (request and response seen)
168 during the interval, the average response time during the interval (in
169 milliseconds), the standard deviation from the average during the in‐
170 terval, and the maximum response time over all time.
171 If the -clients option is specified, then instead of showing per-file
173 or per-file system statistics, nfswatch shows the operation rate of
174 each NFS client of the specified server(s) (or as many as will fit on
175 the screen).
176 It should be noted here that only NFS requests, made by client ma‐
178 chines, are counted in the NFS packet monitoring area. The NFS traffic
179 generated by the server in response to these requests is not counted.
180 If the -auth option is specified, then the display will show packet
182 counts divided up by user name (or user id, if the login name is not in
183 the local password file). This information is decoded from the
184 AUTH_UNIX authentication part of each RPC packet. nfswatch only de‐
185 codes AUTH_UNIX authenticators, the other types of authentication
186 (e.g., AUTH_DES) are lumped into a single bucket for each authentica‐
187 tion type.
188
190 When logging is on, nfswatch writes one entry to the log file each in‐
191 terval. The information printed to the log file is easily readable,
192 and basically contains a copy of all information on the screen. Addi‐
193 tionally, any NFS traffic to file systems or individual files which was
194 not printed on the screen (due to space limitations) is printed in the
195 log file. Finally, in the log file, the NFS traffic to file systems
196 and individual files is further broken down into counts of how many
197 times each specific NFS procedure was called.
198 The information in the nfswatch log file can be summarized easily using
200 the nfslogsum(8L) program.
201
203 nfswatch also allows several commands to be entered at its prompt dur‐
204 ing execution. The prompt is displayed on the last line of the screen.
205 For most commands, feedback describing the effect of the command is
206 printed on the same line as the prompt. The commands are:
207 ^L Clear and redraw the screen.
209 a Switches the display to show statistics on individual users.
211 c Switches the display to show statistics on NFS client hosts in‐
213 stead of per-file or per-filesystem information.
214 f Toggle the display of mounted file systems and the display of
216 individual files in the NFS packet monitoring area. This com‐
217 mand is only meaningful if the -f filelist option was specified
218 on the command line. (If the display is showing NFS procedures
219 or clients, then this command switches the display to show file
220 systems.)
221 p Switches the display to show statistics on NFS procedures in‐
223 stead of per-file or per-filesystem information.
224 P Switches the display to show statistics on NFS v3 procedures in‐
226 stead of per-file or per-filesystem information.
227 l Toggle the logging feature. If logging is off it is
229 (re)started; if logging is on, it is turned off.
230 n Toggle display of host names or host numbers in client mode. By
232 default, client mode displays host names. However, this may not
233 be sufficient for determining the names of unknown remote hosts,
234 since domain names are not displayed. This command tells nf‐
235 swatch to display host numbers instead, enabling each host to be
236 uniquely identified.
237 s Take a ``snapshot'' of the current screen and save it to a file.
239 This is useful to record occasional copies of the data when the
240 logfile is not needed.
241 u Toggle the sort key for the display of mounted file systems in
243 the NFS packet monitoring area. By default, these are sorted by
244 file system name, but they can also be sorted in declining order
245 of percent usage.
246 - Decrease the cycle time (interval length) by ten seconds. This
248 will take effect after the next screen update.
249 + Increase the cycle time (interval length) by ten seconds. This
251 will take effect after the next screen update.
252 < Decrease the cycle time (interval length) by one second. This
254 will take effect after the next screen update.
255 > Increase the cycle time (interval length) by one second. This
257 will take effect after the next screen update.
258 ] Scroll forward through the bottom part of the display, if there
260 are files/file systems/clients/procedures not being displayed
261 due to lack of space.
262 [ Scroll back.
264 q Exit nfswatch. Using the interrupt key will also cause nfswatch
266 to exit.
267 Typing any other character will cause a help screen to be displayed.
269
271 nfswatch can usually be run without arguments and will obtain useful
272 results. However, for those occasions when the defaults are not good
273 enough, the following options are provided:
274 -dst dsthost
276 Monitor packets destined for dsthost instead of the local host.
277 -src srchost
279 Restrict packets being counted to those sent by srchost.
280 -server serverhost
282 Restrict packets being counted to those sent to or from server‐
283 host.
284 -all Monitor packets to and from all NFS servers on the local net‐
286 work.
287 -dev device
289 On non-DEC systems: Use network interface device device to read
290 packets from. By default, nfswatch will use the system's de‐
291 fault network device for an Internet datagram. On Ultrix or DEC
292 OSF/1: device specifies the packet filter interface from which
293 to read packets. You can specify interfaces either by their ac‐
294 tual names (such as ln0) or by their generic packet filter in‐
295 terface names (pfN, for N a small integer). By default, pf0
296 (the first configured interface that supports the packet filter)
297 is used.
298 -allif Read packets from all configured network interfaces, instead of
300 a single device. On Irix: The first five (0-4) of each of the
301 following devices are checked: ec, et, fxp, enp, and epg. If
302 configured, they will be monitored. On SunOS: The first five le
303 (0-4) devices, the first five ie (0-4) devices, and the first
304 five fddi (0-4) devices are checked, and if configured, will be
305 monitored. On System V Release 4: The first five emd (0-4) de‐
306 vices are checked, and if configured, will be monitored. On Ul‐
307 trix and DEC OSF/1: The first ten pf devices (0-9) are checked,
308 and if configured, will be monitored.
309 -f filelist
311 Read a list of file names (one per line) from filelist and moni‐
312 tor the NFS traffic to these files in addition to the normal
313 monitoring of exported file systems.
314 -lf logfile
316 When logging, write information to the file logfile. The de‐
317 fault is nfswatch.log.
318 -sf snapfile
320 Write snapshots to the file snapfile. The default is nf‐
321 swatch.snap.
322 -map mapfile
324 Read a list of device names and file system names (one pair per
325 line) from mapfile and translate from one to the other when dis‐
326 playing file system names.
327 -T maxtime
329 Terminate execution after running for maxtime seconds. This is
330 primarily for use with the -bg option.
331 -t timeout
333 Set the cycle time (interval length) to timeout seconds. The
334 default is 10. The cycle time may also be adjusted from the
335 command prompt.
336 -fs Display the file system NFS monitoring data instead of the indi‐
338 vidual file data. This option is only meaningful if the -f
339 filelist option was specified. The display may also be con‐
340 trolled from the command prompt.
341 -if Display the individual file NFS monitoring data instead of the
343 file system data. This option is only meaningful if the -f
344 filelist option was specified. The display may also be con‐
345 trolled from the command prompt.
346 -auth Display statistics on authentication packets (individual users).
348 -procs Display statistics on NFS procedures (RPC calls) instead of per-
350 file or per-filesystem data.
351 -procs3
353 Display statistics on NFS v3 procedures (RPC calls) instead of
354 per-file or per-filesystem data.
355 -client
357 Display statistics on NFS client operation rates instead of per-
358 file or per-filesystem data.
359 -usage Set file system, procedure, or client display to be sorted in
361 declining order of percent usage. By default, the display is
362 sorted alphabetically. This may also be toggled from the com‐
363 mand prompt.
364 -l Turn logging on at startup time. Logging is turned off by de‐
366 fault, but may be enabled from the command prompt.
367 -bg Start as a daemon, running in the background. No screen updates
369 will be performed; all data will be written to the log file
370 only. When started with this option, nfswatch will print the
371 process id of the daemon process. To terminate nfswatch, send
372 the process a SIGTERM signal, or use the -T option to set the
373 maximum execution time.
374
376 To monitor NFS traffic to files and file systems, nfswatch must extract
377 information from the NFS file handle. The file handle is a server-spe‐
378 cific item, and its contents vary from vendor to vendor and operating
379 system to operating system. Unfortunately, there is no server-indepen‐
380 dent way to extract information from a file handle. nfswatch uses a
381 set of heuristics to parse the file handle format used by many popular
382 NFS servers, but in some cases there is no way to disambiguate the file
383 handle format, and the program may get the wrong answer. It should,
384 however, get the right answer for file handles generated by the host it
385 is running on.
386 nfswatch uses the Snoop (snoop(7)) network monitoring protocol under
388 Irix 4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data
389 Link Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and
390 System V Release 4, the Packet Filter {(packetfilter(4)) under Ultrix
391 (4.0 or later); (packetfilter(7)) under DEC OSF/1 (V1.3 or later)}, and
392 the packet interface (packet(7)) under Linux. To run on other systems,
393 code will have to be written to read packets from the network in pro‐
394 miscuous mode.
395 On Ultrix systems, FDDI is only supported under appropriately patched
397 versions of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o
398 must be replaced; contact your Customer Support Center). Native FDDI
399 support is standard in Ultrix 4.3 and later systems.
400
402 etherfind(8c), dlpi(7), nit(4), nfslogsum(8L), packetfilter(4/7),
403 snoop(1m), snoop(7), packet(7)
404
406 David A. Curry
407 Purdue University
408 Engineering Computer Network
409 1285 Electrical Engineering Building
410 West Lafayette, IN 47907-1285
411 davy@ecn.purdue.edu
412 Jeffrey C. Mogul
414 Digital Equipment Corporation
415 Western Research Laboratory
416 250 University Avenue
417 Palo Alto, CA 94301
418 mogul@wrl.dec.com
419 Christian Iseli
421 Ludwig Institute for Cancer Research
422 UNIL - BEP
423 Lausanne, CH-1015
424 Christian.Iseli@licr.org
425Lausanne/LICR 25 February 2005 NFSWATCH(8)