Wireshark · Ethereal-dev: [Ethereal-dev] nfs name snooping

Ethereal-dev: [Ethereal-dev] nfs name snooping

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Pia Sahlberg" <piabar@xxxxxxxxxxx>

Date: Wed, 22 Aug 2001 19:24:03 +0000

Hi list

Attached is the latest version of the patch to snoop NFS filename->fhandlemappings.


There are two new options:

The first option will allow ethereal to snoop all NFS v2/v3LOOKUP/CREATE/MKDIR and MOUNT v1/v2/v3 MNT packets and build an internal

list of known name->fhandle mappings.

Everytime NFS/MOUNT/KLM/NLM/HCLNFSD prints a filehandle ethereal will nowadd (nfs.name) "Filename: foo (snooped from packets x and y)"

The second option will make ethereal to print the full filename includingNFS server and path together with every fhandle.

(nfs.fullname)  "Full Name: 123.4.5.6:/pub/foo/my_file.txt"


Ethereal processes the reply packets every time it scans through the
packet list, so it can handle that files change fhandles during
a capture.
(It always updates so it uses the last seen mapping.
((there are flaws with this, by clicking on a packet it might show
 the wrong name))

(((there should be a mechanism which lets the dissector know the differencebetween being called due to a rescan of the packet list

or if it is being called due to the user clicking on the packet)))

Ethereal does not check any other packets than above.
RENAME packets: These packets should not be used since
it is not possible to deduct the resulting fhandle for the
file after the rename.
(It might become stale (i.e. it changes))
Clients will probably always do LOOKUP on the new file anyway

before any attempts to access it is made. (which will let ethereal torelearn the mapping)


REMOVE/RMDIR
These packets does not cause ethereal to forget the mapping and these
packets should not be used.

If two NFS clients have accessed the same file using say LOOKUP both clientswill use the same fhandle to refer to the same file.

If one of the clients REMOVE this file, the other client will still
try to use the (now) stale fhandle.
We want to be able to see fhandle->fname mappings also for stale fhandles.

It has been tested for NFSv2/v3. Some captures with 10.000+ packets.

The attached tgz file also contain a short description of the options whichmight be good to put in the man-page and on Richard's users guide.


TODO:
1, Someone should add the code to do this also for NFSv4.

2, Using display filters will not match the entry "nfs.name" for the
fhandles which are called from outside packet-nfs.c.
I.e. "nfs.name==foo" will not find any packets in NLM etc.


Please comment or check in if acceptable.


best regards
  ronnie sahlberg


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

Attachment: nfs_snoop.tgz
Description: application/gzip-compressed

Prev by Date: [Ethereal-dev] Introducing additional capture-stop capabilities
Next by Date: [Ethereal-dev] packet-sip patch (minor contrib)
Previous by thread: [Ethereal-dev] Introducing additional capture-stop capabilities
Next by thread: [Ethereal-dev] packet-sip patch (minor contrib)
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$