DOKK / manpages / debian 12 / nfswatch / nfswatch.8.en
NFSWATCH(8) System Manager's Manual NFSWATCH(8)

nfswatch - monitor an NFS server

nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [ -all ] [ -dev device ] [ -allif ] [ -f filelist ] [ -lf logfile ] [ -sf snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [ -if ] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg ]

nfswatch monitors all incoming network traffic to an NFS file server and divides it into several categories. The number and percentage of packets received in each category is displayed on the screen in a continuously updated display. The screen is updated every ten seconds by default; this time period is called an interval.

On Irix: You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.'' On SunOS 4.x and SunOS 5.x (Solaris 2.x): You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.'' On System V Release 4: You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.'' On Ultrix or DEC OSF/1: Any user can invoke nfswatch once the super-user has enabled promiscuous-mode operation using pfconfig(8). (For example, "pfconfig +p +c -a".) On Linux: You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.''

By default, nfswatch monitors all packets destined for the current host. An alternate destination host to watch for may be specified using the -dst argument. If a source host is specified with the -src argument, then only packets arriving at the destination host which were sent by the source host are monitored. Traffic between a specific server and its clients may be watched by specifying the name of the server with the -server argument. If the -all argument is given, then all NFS traffic on the network is monitored. It is usually desirable to specify the -all option whenever using the -server option.

The nfswatch screen is divided into three parts. The first part, at the top of the screen, is made up of three lines. The first line displays the name of the host being monitored, the current date and time, and the time elapsed since the start of monitoring. The second line displays the total number of packets received during the most recent interval, and the third line displays the total number of packets received since monitoring started. These two lines display three numbers each: the total number of packets on the network, the total number of packets received by the destination host (possibly subject to being only from the specified source host), and the number of packets dropped by the monitoring interface due to buffer space limitations. Dropped packets are not included in the packet monitoring totals.

The second part of the screen divides the received packets into 16 categories. Each category is displayed with three numbers: the number of packets received this interval, the percentage this represents of all packets received by the host during this interval, and the total number of packets received since monitoring started. The packet categories are not mutually exclusive; some packets may be counted in more than one category (for example, NFS packets are also UDP packets). The categories in this section and their meanings are:

NFS v3 requests which primarily result in a file system read being performed (read file, read directory, etc.).
NFS v3 requests which primarily result in a file system write being performed (write file, rename file, create file, delete file, etc.).
NFS requests which primarily result in a file system read being performed (read file, read directory, etc.).
NFS requests which primarily result in a file system write being performed (write file, rename file, create file, delete file, etc.).
NFS mount requests.
Sun NIS (Yellow Pages) and NIS+ requests.
All RPC reply packets fall into this category, because RPC replies do not contain the protocol number, and thus cannot be classified as anything else. (If the -all argument is given, then you will see all the RPC replies on the network in this category.)
All RPC requests which do not fall into one of the above categories.
Packets sent using the Transmission Control Protocol.
Packets sent using the User Datagram Protocol.
Packets sent using the Internet Control Message Protocol.
Routing Information Protocol (RIP) packets.
Address Resolution Protocol (ARP) packets. These packets are not counted on System V Release 4 systems (except for SunOS 5.x), due to limitations of the dlpi(7) interface.
Reverse Address Resolution Protocol (RARP) packets. These packets are not counted on System V Release 4 systems (except for SunOS 5.x), due to limitations of the dlpi(7) interface.
Ethernet (or FDDI) broadcast packets. These packets are destined for and received by all hosts on the local network. These packets are not counted on System V Release 4 systems (except for SunOS 5.x), due to limitations of the dlpi(7) interface.
A catch-all for any packets not counted in any of the above categories.

The third part of the display shows the mounted file systems exported by the file server for mounting through NFS. If nfswatch is monitoring the same host it is being run on, these file systems are listed by path name. Otherwise, the program attempts to decode the server's major and minor device numbers for the file system, and displays them in parentheses. (If the -all argument is given, the name of the server is also shown.) With each file system, three numbers are displayed: the number of NFS requests for this file system received during the interval, the percentage this represents of all NFS requests received by the host, and the total number of NFS requests for this file system received since monitoring started. Up to 1024 file systems will be monitored by nfswatch and recorded in the log file, but only as many as will fit (2 * (LINES - 16)) will be displayed on the screen.

If the -map mapfile option is specified, nfswatch will read pairs of file system device specifications (as described above) and the proper names of the file systems from mapfile. Each line should contain a string representing what nfswatch would normally print, and then separated from that by whitespace, the name that is preferred. For example,


myhost(7,24)     /homedirs

If the -f filelist option is specified, a list of file names (one per line) is read from filelist, and the traffic to these individual files is also monitored. The files must reside in file systems exported by the file server. When this option is specified, the third section of the screen will display counters for these files, instead of for the mounted file systems. Up to 1024 individual files will be monitored by nfswatch and recorded in the log file, but only as many as will fit (2 * (LINES - 16)) will be displayed on the screen.

If the -procs or -procs3 option is specified, then instead of showing per-file or per-file system statistics, nfswatch shows the frequency of each NFS procedure (RPC call) (or as many as will fit on the screen). For each procedure, some timing statistics are also displayed; these include the number of completed operations (request and response seen) during the interval, the average response time during the interval (in milliseconds), the standard deviation from the average during the interval, and the maximum response time over all time.

If the -clients option is specified, then instead of showing per-file or per-file system statistics, nfswatch shows the operation rate of each NFS client of the specified server(s) (or as many as will fit on the screen).

It should be noted here that only NFS requests, made by client machines, are counted in the NFS packet monitoring area. The NFS traffic generated by the server in response to these requests is not counted.

If the -auth option is specified, then the display will show packet counts divided up by user name (or user id, if the login name is not in the local password file). This information is decoded from the AUTH_UNIX authentication part of each RPC packet. nfswatch only decodes AUTH_UNIX authenticators, the other types of authentication (e.g., AUTH_DES) are lumped into a single bucket for each authentication type.

When logging is on, nfswatch writes one entry to the log file each interval. The information printed to the log file is easily readable, and basically contains a copy of all information on the screen. Additionally, any NFS traffic to file systems or individual files which was not printed on the screen (due to space limitations) is printed in the log file. Finally, in the log file, the NFS traffic to file systems and individual files is further broken down into counts of how many times each specific NFS procedure was called.

The information in the nfswatch log file can be summarized easily using the nfslogsum(8) program.

nfswatch also allows several commands to be entered at its prompt during execution. The prompt is displayed on the last line of the screen. For most commands, feedback describing the effect of the command is printed on the same line as the prompt. The commands are:

^L
Clear and redraw the screen.
Switches the display to show statistics on individual users.
Switches the display to show statistics on NFS client hosts instead of per-file or per-filesystem information.
Toggle the display of mounted file systems and the display of individual files in the NFS packet monitoring area. This command is only meaningful if the -f filelist option was specified on the command line. (If the display is showing NFS procedures or clients, then this command switches the display to show file systems.)
Switches the display to show statistics on NFS procedures instead of per-file or per-filesystem information.
Switches the display to show statistics on NFS v3 procedures instead of per-file or per-filesystem information.
Toggle the logging feature. If logging is off it is (re)started; if logging is on, it is turned off.
Toggle display of host names or host numbers in client mode. By default, client mode displays host names. However, this may not be sufficient for determining the names of unknown remote hosts, since domain names are not displayed. This command tells nfswatch to display host numbers instead, enabling each host to be uniquely identified.
Take a ``snapshot'' of the current screen and save it to a file. This is useful to record occasional copies of the data when the logfile is not needed.
Toggle the sort key for the display of mounted file systems in the NFS packet monitoring area. By default, these are sorted by file system name, but they can also be sorted in declining order of percent usage.
-
Decrease the cycle time (interval length) by ten seconds. This will take effect after the next screen update.
+
Increase the cycle time (interval length) by ten seconds. This will take effect after the next screen update.
<
Decrease the cycle time (interval length) by one second. This will take effect after the next screen update.
>
Increase the cycle time (interval length) by one second. This will take effect after the next screen update.
]
Scroll forward through the bottom part of the display, if there are files/file systems/clients/procedures not being displayed due to lack of space.
[
Scroll back.
Exit nfswatch. Using the interrupt key will also cause nfswatch to exit.

Typing any other character will cause a help screen to be displayed.

nfswatch can usually be run without arguments and will obtain useful results. However, for those occasions when the defaults are not good enough, the following options are provided:

Monitor packets destined for dsthost instead of the local host.
Restrict packets being counted to those sent by srchost.
Restrict packets being counted to those sent to or from serverhost.
Monitor packets to and from all NFS servers on the local network.
On non-DEC systems: Use network interface device device to read packets from. By default, nfswatch will use the system's default network device for an Internet datagram. On Ultrix or DEC OSF/1: device specifies the packet filter interface from which to read packets. You can specify interfaces either by their actual names (such as ln0) or by their generic packet filter interface names (pfN, for N a small integer). By default, pf0 (the first configured interface that supports the packet filter) is used.
Read packets from all configured network interfaces, instead of a single device. On Irix: The first five (0-4) of each of the following devices are checked: ec, et, fxp, enp, and epg. If configured, they will be monitored. On SunOS: The first five le (0-4) devices, the first five ie (0-4) devices, and the first five fddi (0-4) devices are checked, and if configured, will be monitored. On System V Release 4: The first five emd (0-4) devices are checked, and if configured, will be monitored. On Ultrix and DEC OSF/1: The first ten pf devices (0-9) are checked, and if configured, will be monitored.
Read a list of file names (one per line) from filelist and monitor the NFS traffic to these files in addition to the normal monitoring of exported file systems.
When logging, write information to the file logfile. The default is nfswatch.log.
Write snapshots to the file snapfile. The default is nfswatch.snap.
Read a list of device names and file system names (one pair per line) from mapfile and translate from one to the other when displaying file system names.
Terminate execution after running for maxtime seconds. This is primarily for use with the -bg option.
Set the cycle time (interval length) to timeout seconds. The default is 10. The cycle time may also be adjusted from the command prompt.
Display the file system NFS monitoring data instead of the individual file data. This option is only meaningful if the -f filelist option was specified. The display may also be controlled from the command prompt.
Display the individual file NFS monitoring data instead of the file system data. This option is only meaningful if the -f filelist option was specified. The display may also be controlled from the command prompt.
Display statistics on authentication packets (individual users).
Display statistics on NFS procedures (RPC calls) instead of per-file or per-filesystem data.
Display statistics on NFS v3 procedures (RPC calls) instead of per-file or per-filesystem data.
Display statistics on NFS client operation rates instead of per-file or per-filesystem data.
Set file system, procedure, or client display to be sorted in declining order of percent usage. By default, the display is sorted alphabetically. This may also be toggled from the command prompt.
Turn logging on at startup time. Logging is turned off by default, but may be enabled from the command prompt.
Start as a daemon, running in the background. No screen updates will be performed; all data will be written to the log file only. When started with this option, nfswatch will print the process id of the daemon process. To terminate nfswatch, send the process a SIGTERM signal, or use the -T option to set the maximum execution time.

To monitor NFS traffic to files and file systems, nfswatch must extract information from the NFS file handle. The file handle is a server-specific item, and its contents vary from vendor to vendor and operating system to operating system. Unfortunately, there is no server-independent way to extract information from a file handle. nfswatch uses a set of heuristics to parse the file handle format used by many popular NFS servers, but in some cases there is no way to disambiguate the file handle format, and the program may get the wrong answer. It should, however, get the right answer for file handles generated by the host it is running on.

nfswatch uses the Snoop (snoop(7)) network monitoring protocol under Irix 4.x, the Network Interface Tap (nit(4)) under SunOS 4.x, the Data Link Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and System V Release 4, the Packet Filter {(packetfilter(4)) under Ultrix (4.0 or later); (packetfilter(7)) under DEC OSF/1 (V1.3 or later)}, and the packet interface (packet(7)) under Linux. To run on other systems, code will have to be written to read packets from the network in promiscuous mode.

On Ultrix systems, FDDI is only supported under appropriately patched versions of Ultrix 4.2 (the kernel modules net_common.o and pfilt.o must be replaced; contact your Customer Support Center). Native FDDI support is standard in Ultrix 4.3 and later systems.

etherfind(8c), dlpi(7), nit(4), nfslogsum(8), packetfilter(4/7), snoop(1m), snoop(7), packet(7)

David A. Curry
Purdue University
Engineering Computer Network
1285 Electrical Engineering Building
West Lafayette, IN 47907-1285
davy@ecn.purdue.edu

Jeffrey C. Mogul
Digital Equipment Corporation
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301
mogul@wrl.dec.com

Christian Iseli
Ludwig Institute for Cancer Research
UNIL - BEP
Lausanne, CH-1015
Christian.Iseli@licr.org

25 February 2005 Lausanne/LICR