From owner-freebsd-questions@FreeBSD.ORG Sun Sep 23 07:41:40 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A7EEA16A421 for ; Sun, 23 Sep 2007 07:41:40 +0000 (UTC) (envelope-from mapsware@prodigy.net.mx) Received: from nlpiport06.prodigy.net.mx (nlpiport06.prodigy.net.mx [148.235.52.43]) by mx1.freebsd.org (Postfix) with ESMTP id 7E87313C459 for ; Sun, 23 Sep 2007 07:41:40 +0000 (UTC) (envelope-from mapsware@prodigy.net.mx) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ah5FACKy9Ua9pTgfRmdsb2JhbACODgEBATUBlX4 X-IronPort-AV: E=Sophos;i="4.20,288,1186376400"; d="scan'208";a="40396959" Received: from dsl-189-165-56-31.prod-infinitum.com.mx (HELO morena) ([189.165.56.31]) by nlpiport06.prodigy.net.mx with ESMTP; 23 Sep 2007 02:26:15 -0500 From: Martin Alejandro Paredes Sanchez To: freebsd-questions@freebsd.org Date: Sun, 23 Sep 2007 00:27:15 -0700 User-Agent: KMail/1.9.7 References: <20070920172428.GA90565@pcjas.obspm.fr> <20070921185934.GI7562@dan.emsphone.com> <20070921201756.GB85057@pcjas.obspm.fr> In-Reply-To: <20070921201756.GB85057@pcjas.obspm.fr> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <200709230027.15813.mapsware@prodigy.net.mx> Cc: Le Cocq Michel , Albert.Shih@obspm.fr Subject: Re: How to know who use NFS. X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Sep 2007 07:41:40 -0000 El Vie 21 Sep 2007, Albert Shih escribi=F3: > Le 21/09/2007 =E0 13:59:35-0500, Dan Nelson a =E9crit > > In the last episode (Sep 21), Le Cocq Michel said: > > > Albert Shih a =E9crit : > > > > How can I known at un precise moment who charge my NFS server (I'm > > > > root in both side : client and server). > > >=20 > > > With some info student it also happen some times in here, and the way= i=20 > > > find is to launch a tcpdum or ethereal on the server and look at which > > > ip appear the more often > >=20 > > I think ethereal/wireshark is your best bet too. At least with it you= =20 > > can filter on the userid making an NFS request (it's rpc.auth.uid). > > Unfortunately it doesn't look like there's a summary or analysis option > > for NFS, so you'll have to count packets maually... >=20 > But my problem is the NFS traffic is heavy in standard time, and wireshar= k=20 > or tcpdump give my lot of lot of data. > Use the force luke You only need 100 packets (you may decide to increase) that are directed to= =20 your server, to the NFS daemon. tcpdump -c 100 -nq dst port nfs and dst host $HOST You don't need to interpret this info, you need to know who is originating = the=20 traffic, lets extract the ip that are originating the traffic nawk 'BEGIN {FS=3D"[ .]"; OFS=3D"."} {print $4,$5,$6,$7}' But, who generate more traffic? Lets count how many packets are originating each one of those ip nawk '{packets[$1]++} END{for (ip in packets){print packets[ip], ip}}' And order it sort -rn Use pipes to connect all the commands, if this situation is very common,=20 create a shell. HTH maps