Provided by: nfswatch_4.99.14-1_amd64 
NAME
nfswatch - monitor an NFS server
SYNOPSIS
nfswatch [ -dst dsthost ] [ -src srchost ] [ -server serverhost ] [ -all ] [ -dev device ] [ -allif ] [
-f filelist ] [ -lf logfile ] [ -sf snapfile ] [ -map mapfile ] [ -T maxtime ] [ -t timeout ] [ -fs ] [
-if ] [ -auth ] [ -procs ] [ -procs3 ] [ -clients ] [ -usage ] [ -l ] [ -bg ]
DESCRIPTION
nfswatch monitors all incoming network traffic to an NFS file server and divides it into several
categories. The number and percentage of packets received in each category is displayed on the screen in
a continuously updated display. The screen is updated every ten seconds by default; this time period is
called an interval.
On Irix: You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.'' On
SunOS 4.x and SunOS 5.x (Solaris 2.x): You must be the super-user to invoke nfswatch or it must be
installed setuid to ``root.'' On System V Release 4: You must be the super-user to invoke nfswatch or it
must be installed setuid to ``root.'' On Ultrix or DEC OSF/1: Any user can invoke nfswatch once the
super-user has enabled promiscuous-mode operation using pfconfig(8). (For example, "pfconfig +p +c -a".)
On Linux: You must be the super-user to invoke nfswatch or it must be installed setuid to ``root.''
By default, nfswatch monitors all packets destined for the current host. An alternate destination host
to watch for may be specified using the -dst argument. If a source host is specified with the -src
argument, then only packets arriving at the destination host which were sent by the source host are
monitored. Traffic between a specific server and its clients may be watched by specifying the name of
the server with the -server argument. If the -all argument is given, then all NFS traffic on the network
is monitored. It is usually desirable to specify the -all option whenever using the -server option.
The nfswatch screen is divided into three parts. The first part, at the top of the screen, is made up of
three lines. The first line displays the name of the host being monitored, the current date and time,
and the time elapsed since the start of monitoring. The second line displays the total number of packets
received during the most recent interval, and the third line displays the total number of packets
received since monitoring started. These two lines display three numbers each: the total number of
packets on the network, the total number of packets received by the destination host (possibly subject to
being only from the specified source host), and the number of packets dropped by the monitoring interface
due to buffer space limitations. Dropped packets are not included in the packet monitoring totals.
The second part of the screen divides the received packets into 16 categories. Each category is
displayed with three numbers: the number of packets received this interval, the percentage this
represents of all packets received by the host during this interval, and the total number of packets
received since monitoring started. The packet categories are not mutually exclusive; some packets may be
counted in more than one category (for example, NFS packets are also UDP packets). The categories in
this section and their meanings are:
NFS3 Read
NFS v3 requests which primarily result in a file system read being performed (read file, read
directory, etc.).
NFS3 Write
NFS v3 requests which primarily result in a file system write being performed (write file, rename
file, create file, delete file, etc.).
NFS Read
NFS requests which primarily result in a file system read being performed (read file, read
directory, etc.).
NFS Write
NFS requests which primarily result in a file system write being performed (write file, rename
file, create file, delete file, etc.).
NFS Mount
NFS mount requests.
YP/NIS/NIS+
Sun NIS (Yellow Pages) and NIS+ requests.
RPC Authorization
All RPC reply packets fall into this category, because RPC replies do not contain the protocol
number, and thus cannot be classified as anything else. (If the -all argument is given, then you
will see all the RPC replies on the network in this category.)
Other RPC Packets
All RPC requests which do not fall into one of the above categories.
TCP Packets
Packets sent using the Transmission Control Protocol.
UDP Packets
Packets sent using the User Datagram Protocol.
ICMP Packets
Packets sent using the Internet Control Message Protocol.
Routing Control
Routing Information Protocol (RIP) packets.
Address Resolution
Address Resolution Protocol (ARP) packets. These packets are not counted on System V Release 4
systems (except for SunOS 5.x), due to limitations of the dlpi(7) interface.
Reverse Addr Resol
Reverse Address Resolution Protocol (RARP) packets. These packets are not counted on System V
Release 4 systems (except for SunOS 5.x), due to limitations of the dlpi(7) interface.
Ethernet/FDDI Bdcst
Ethernet (or FDDI) broadcast packets. These packets are destined for and received by all hosts on
the local network. These packets are not counted on System V Release 4 systems (except for SunOS
5.x), due to limitations of the dlpi(7) interface.
Other Packets
A catch-all for any packets not counted in any of the above categories.
The third part of the display shows the mounted file systems exported by the file server for mounting
through NFS. If nfswatch is monitoring the same host it is being run on, these file systems are listed
by path name. Otherwise, the program attempts to decode the server's major and minor device numbers for
the file system, and displays them in parentheses. (If the -all argument is given, the name of the
server is also shown.) With each file system, three numbers are displayed: the number of NFS requests
for this file system received during the interval, the percentage this represents of all NFS requests
received by the host, and the total number of NFS requests for this file system received since monitoring
started. Up to 1024 file systems will be monitored by nfswatch and recorded in the log file, but only as
many as will fit (2 * (LINES - 16)) will be displayed on the screen.
If the -map mapfile option is specified, nfswatch will read pairs of file system device specifications
(as described above) and the proper names of the file systems from mapfile. Each line should contain a
string representing what nfswatch would normally print, and then separated from that by whitespace, the
name that is preferred. For example,
myhost(7,24) /homedirs
If the -f filelist option is specified, a list of file names (one per line) is read from filelist, and
the traffic to these individual files is also monitored. The files must reside in file systems exported
by the file server. When this option is specified, the third section of the screen will display counters
for these files, instead of for the mounted file systems. Up to 1024 individual files will be monitored
by nfswatch and recorded in the log file, but only as many as will fit (2 * (LINES - 16)) will be
displayed on the screen.
If the -procs or -procs3 option is specified, then instead of showing per-file or per-file system
statistics, nfswatch shows the frequency of each NFS procedure (RPC call) (or as many as will fit on the
screen). For each procedure, some timing statistics are also displayed; these include the number of
completed operations (request and response seen) during the interval, the average response time during
the interval (in milliseconds), the standard deviation from the average during the interval, and the
maximum response time over all time.
If the -clients option is specified, then instead of showing per-file or per-file system statistics,
nfswatch shows the operation rate of each NFS client of the specified server(s) (or as many as will fit
on the screen).
It should be noted here that only NFS requests, made by client machines, are counted in the NFS packet
monitoring area. The NFS traffic generated by the server in response to these requests is not counted.
If the -auth option is specified, then the display will show packet counts divided up by user name (or
user id, if the login name is not in the local password file). This information is decoded from the
AUTH_UNIX authentication part of each RPC packet. nfswatch only decodes AUTH_UNIX authenticators, the
other types of authentication (e.g., AUTH_DES) are lumped into a single bucket for each authentication
type.
LOGFILE
When logging is on, nfswatch writes one entry to the log file each interval. The information printed to
the log file is easily readable, and basically contains a copy of all information on the screen.
Additionally, any NFS traffic to file systems or individual files which was not printed on the screen
(due to space limitations) is printed in the log file. Finally, in the log file, the NFS traffic to file
systems and individual files is further broken down into counts of how many times each specific NFS
procedure was called.
The information in the nfswatch log file can be summarized easily using the nfslogsum(8) program.
COMMANDS
nfswatch also allows several commands to be entered at its prompt during execution. The prompt is
displayed on the last line of the screen. For most commands, feedback describing the effect of the
command is printed on the same line as the prompt. The commands are:
^L Clear and redraw the screen.
a Switches the display to show statistics on individual users.
c Switches the display to show statistics on NFS client hosts instead of per-file or per-filesystem
information.
f Toggle the display of mounted file systems and the display of individual files in the NFS packet
monitoring area. This command is only meaningful if the -f filelist option was specified on the
command line. (If the display is showing NFS procedures or clients, then this command switches
the display to show file systems.)
p Switches the display to show statistics on NFS procedures instead of per-file or per-filesystem
information.
P Switches the display to show statistics on NFS v3 procedures instead of per-file or per-filesystem
information.
l Toggle the logging feature. If logging is off it is (re)started; if logging is on, it is turned
off.
n Toggle display of host names or host numbers in client mode. By default, client mode displays
host names. However, this may not be sufficient for determining the names of unknown remote
hosts, since domain names are not displayed. This command tells nfswatch to display host numbers
instead, enabling each host to be uniquely identified.
s Take a ``snapshot'' of the current screen and save it to a file. This is useful to record
occasional copies of the data when the logfile is not needed.
u Toggle the sort key for the display of mounted file systems in the NFS packet monitoring area. By
default, these are sorted by file system name, but they can also be sorted in declining order of
percent usage.
- Decrease the cycle time (interval length) by ten seconds. This will take effect after the next
screen update.
+ Increase the cycle time (interval length) by ten seconds. This will take effect after the next
screen update.
< Decrease the cycle time (interval length) by one second. This will take effect after the next
screen update.
> Increase the cycle time (interval length) by one second. This will take effect after the next
screen update.
] Scroll forward through the bottom part of the display, if there are files/file
systems/clients/procedures not being displayed due to lack of space.
[ Scroll back.
q Exit nfswatch. Using the interrupt key will also cause nfswatch to exit.
Typing any other character will cause a help screen to be displayed.
OPTIONS
nfswatch can usually be run without arguments and will obtain useful results. However, for those
occasions when the defaults are not good enough, the following options are provided:
-dst dsthost
Monitor packets destined for dsthost instead of the local host.
-src srchost
Restrict packets being counted to those sent by srchost.
-server serverhost
Restrict packets being counted to those sent to or from serverhost.
-all Monitor packets to and from all NFS servers on the local network.
-dev device
On non-DEC systems: Use network interface device device to read packets from. By default,
nfswatch will use the system's default network device for an Internet datagram. On Ultrix or DEC
OSF/1: device specifies the packet filter interface from which to read packets. You can specify
interfaces either by their actual names (such as ln0) or by their generic packet filter interface
names (pfN, for N a small integer). By default, pf0 (the first configured interface that supports
the packet filter) is used.
-allif Read packets from all configured network interfaces, instead of a single device. On Irix: The
first five (0-4) of each of the following devices are checked: ec, et, fxp, enp, and epg. If
configured, they will be monitored. On SunOS: The first five le (0-4) devices, the first five ie
(0-4) devices, and the first five fddi (0-4) devices are checked, and if configured, will be
monitored. On System V Release 4: The first five emd (0-4) devices are checked, and if
configured, will be monitored. On Ultrix and DEC OSF/1: The first ten pf devices (0-9) are
checked, and if configured, will be monitored.
-f filelist
Read a list of file names (one per line) from filelist and monitor the NFS traffic to these files
in addition to the normal monitoring of exported file systems.
-lf logfile
When logging, write information to the file logfile. The default is nfswatch.log.
-sf snapfile
Write snapshots to the file snapfile. The default is nfswatch.snap.
-map mapfile
Read a list of device names and file system names (one pair per line) from mapfile and translate
from one to the other when displaying file system names.
-T maxtime
Terminate execution after running for maxtime seconds. This is primarily for use with the -bg
option.
-t timeout
Set the cycle time (interval length) to timeout seconds. The default is 10. The cycle time may
also be adjusted from the command prompt.
-fs Display the file system NFS monitoring data instead of the individual file data. This option is
only meaningful if the -f filelist option was specified. The display may also be controlled from
the command prompt.
-if Display the individual file NFS monitoring data instead of the file system data. This option is
only meaningful if the -f filelist option was specified. The display may also be controlled from
the command prompt.
-auth Display statistics on authentication packets (individual users).
-procs Display statistics on NFS procedures (RPC calls) instead of per-file or per-filesystem data.
-procs3
Display statistics on NFS v3 procedures (RPC calls) instead of per-file or per-filesystem data.
-client
Display statistics on NFS client operation rates instead of per-file or per-filesystem data.
-usage Set file system, procedure, or client display to be sorted in declining order of percent usage.
By default, the display is sorted alphabetically. This may also be toggled from the command
prompt.
-l Turn logging on at startup time. Logging is turned off by default, but may be enabled from the
command prompt.
-bg Start as a daemon, running in the background. No screen updates will be performed; all data will
be written to the log file only. When started with this option, nfswatch will print the process
id of the daemon process. To terminate nfswatch, send the process a SIGTERM signal, or use the -T
option to set the maximum execution time.
BUGS
To monitor NFS traffic to files and file systems, nfswatch must extract information from the NFS file
handle. The file handle is a server-specific item, and its contents vary from vendor to vendor and
operating system to operating system. Unfortunately, there is no server-independent way to extract
information from a file handle. nfswatch uses a set of heuristics to parse the file handle format used
by many popular NFS servers, but in some cases there is no way to disambiguate the file handle format,
and the program may get the wrong answer. It should, however, get the right answer for file handles
generated by the host it is running on.
nfswatch uses the Snoop (snoop(7)) network monitoring protocol under Irix 4.x, the Network Interface Tap
(nit(4)) under SunOS 4.x, the Data Link Provider Interface (dlpi(7)) under SunOS 5.x (Solaris 2.x) and
System V Release 4, the Packet Filter {(packetfilter(4)) under Ultrix (4.0 or later); (packetfilter(7))
under DEC OSF/1 (V1.3 or later)}, and the packet interface (packet(7)) under Linux. To run on other
systems, code will have to be written to read packets from the network in promiscuous mode.
On Ultrix systems, FDDI is only supported under appropriately patched versions of Ultrix 4.2 (the kernel
modules net_common.o and pfilt.o must be replaced; contact your Customer Support Center). Native FDDI
support is standard in Ultrix 4.3 and later systems.
SEE ALSO
etherfind(8c), dlpi(7), nit(4), nfslogsum(8), packetfilter(4/7), snoop(1m), snoop(7), packet(7)
AUTHORS
David A. Curry
Purdue University
Engineering Computer Network
1285 Electrical Engineering Building
West Lafayette, IN 47907-1285
davy@ecn.purdue.edu
Jeffrey C. Mogul
Digital Equipment Corporation
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301
mogul@wrl.dec.com
Christian Iseli
Ludwig Institute for Cancer Research
UNIL - BEP
Lausanne, CH-1015
Christian.Iseli@licr.org
Lausanne/LICR 25 February 2005 NFSWATCH(8)