Filtering on NFSv3 procedures

I was asked to figure out why a NFSv3 server was not responding to READDIR requests. Note, I don’t know if this was READDIR or READDIRPLUS. I fired off tshark to capture packets:

tshark -i any -w /tmp/bonds.scp 

Hmm, even when filtering on NFS, too many packets to examine (it is a very busy NFSv3 server):

NR_09-20:24:09 pixie ~ $ tshark -r /tmp/bonds.scp | wc -l
Running as user "root" and group "root". This could be dangerous.
140532
NR_09-20:29:13 pixie ~ $ tshark -r /tmp/bonds.scp -Y nfs | wc -l
Running as user "root" and group "root". This could be dangerous.
39350

I could use Wireshark, but nah!

I can use a better filter:

NR_09-20:31:46 pixie ~ $ tshark -r /tmp/bonds.scp -Y "nfs.procedure_v3  == 16 || nfs.procedure_v3  == 17" | wc -l
Running as user "root" and group "root". This could be dangerous.
21

This states to only filter if the NFSv3 procedure is either 16 or 17.

You can find the list of NFSv3 procedures at https://datatracker.ietf.org/doc/html/rfc1813#page-27.

Share