From owner-freebsd-questions@FreeBSD.ORG Tue Sep 25 06:01:49 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31AFC16A468 for ; Tue, 25 Sep 2007 06:01:49 +0000 (UTC) (envelope-from mapsware@prodigy.net.mx) Received: from nlpiport09.prodigy.net.mx (nlpiport09.prodigy.net.mx [148.235.52.30]) by mx1.freebsd.org (Postfix) with ESMTP id E209413C447 for ; Tue, 25 Sep 2007 06:01:48 +0000 (UTC) (envelope-from mapsware@prodigy.net.mx) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AuE6AHNB+Ea9pTgfRmdsb2JhbACOIQEBATUBmCM X-IronPort-AV: E=Sophos;i="4.20,294,1186376400"; d="scan'208";a="42967875" Received: from dsl-189-165-56-31.prod-infinitum.com.mx (HELO morena) ([189.165.56.31]) by nlpiport09.prodigy.net.mx with ESMTP; 25 Sep 2007 01:00:47 -0500 From: Martin Alejandro Paredes Sanchez To: freebsd-questions@freebsd.org Date: Mon, 24 Sep 2007 23:01:46 -0700 User-Agent: KMail/1.9.7 References: <20070920172428.GA90565@pcjas.obspm.fr> <200709230027.15813.mapsware@prodigy.net.mx> <20070924132121.GG42088@pcjas.obspm.fr> In-Reply-To: <20070924132121.GG42088@pcjas.obspm.fr> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200709242301.47193.mapsware@prodigy.net.mx> Cc: Albert.Shih@obspm.fr Subject: Re: How to know who use NFS. X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2007 06:01:49 -0000 El Lun 24 Sep 2007, Albert Shih escribi=F3: > Le 23/09/2007 =E0 00:27:15-0700, Martin Alejandro Paredes Sanchez a =E9c= rit > I've two servers : > > Server A (NFS) --- NFS -- Server B > > On server A there one service is NFS, and server B is it's client. > > On server B I've lot of users, some users make very huge transfert throug= ht > NFS (what I don't want), huge =3D ~ 10-100 Go in one time (big file). > > I want to known who did this, because I've lot of users it's not easy to > known when I'm using top/ps to known who did this (sometime it's the outp= ut > of some scientifique software). > > The solution you give me can tell me the name of server B, but this thing= I > known it ;-), what I want to known is WHO on server B. > Ok, that change the problem, but I think tcpdump is still usefull, only if = the=20 the problem is caused when a user copy one huge file in one time, this=20 because I assume 1 socket is created for each file copied (I am not an expe= rt=20 in NFS) In computer B run this command (piped) as root tcpdump -c 100 -nq dst port nfs and dst host serverB nawk 'BEGIN {FS=3D"[ .]"}{print $8}' nawk '{packets[$1]++} END{for (ip in packets){print packets[ip], ip}}' sort -rn In the last line will appear socket number that generate more packets,=20 something like this: 59891 To know who has that socket, run # sockstat -4c | grep ":59891" USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS martin kdeinit 1173 9 tcp4 192.168.45.25:59891 192.168.45.43:2049 The first column is the user, lets see what is doing # ps -wxU martin > > Do you think I need to use dark side of the force....I known it's not more > powerful, but it's more easy ;-) > You mean windows (for the easy), NNOOOO. If the problem is caused, because the user is copying a folder cp ~/MySmallFiles/* /serverB/dest/ maybe, each file will create a different socket, because of that, you will= =20 need to translate each socket to a user before counting the packets, I thin= k=20 that is a job for perl, phyton or something like that. maps