# Logging NFSv3/v4 file opens by client and file



## scotia (Mar 16, 2020)

Hi all,

I've got a bunch of NFS clients (v3 and v4) accessing an NFS server and I want to know what files they are opening.

Is there a way I can log NFS file opens (or whatever the call is) and IP address of the client?

I've searched for a DTrace probe/dwatch without luck.

Thanks


----------



## Peter Eriksson (Mar 18, 2020)

scotia said:


> Hi all,
> 
> I've got a bunch of NFS clients (v3 and v4) accessing an NFS server and I want to know what files they are opening.
> 
> ...




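Filenames (but no directories) & uids:

```
#!/usr/sbin/dtrace -s

/* Print the name passed to nfsvno_namei() and the uid of the
   credential attached to the lookup. */
fbt::nfsvno_namei:entry {
  printf("%s [uid=%d]",
   stringof(args[1]->ni_cnd.cn_pnbuf),
   args[1]->ni_cnd.cn_cred->cr_uid);
}
```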

No IP addresses though...

To trace that requires more intricate stuff.


----------



## Peter Eriksson (Mar 18, 2020)

You can also find some other NFS-server-related DTrace scripts at: freebsd-stuff (not the one you are looking for though).

tcpdump + wireshark can trace network packets + decode the NFS protocol so you might be able to see some stuff that way too...


----------



## scotia (Mar 19, 2020)

Thanks Peter,
nice one. As you said it only partially solves my challenge. I might try tcpdump against NFS to see what I can gather.
I ended up piping your dtrace into Perl:

```
/usr/sbin/dtrace -s /tmp/nfs.dtrace | perl -nle 'next unless /:entry (.*) \[uid=(\d+)\]/; print "$1 $2" unless $seen{"$1 $2"}++'
```

It made me wonder if there's a tool like 'sort' or 'uniq' that works with streams that never close...

I'm also surprised that NFSD doesn't have a debug or logging option.

Cheers,
Scott


----------
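On the question of a `uniq` for streams that never close, an added example (not part of the original posts): a Python filter that parses the default output of the DTrace script above and emits each (filename, uid) pair the first time it appears, with an LRU bound so memory does not grow without limit. The sample lines, the `RecentKeys` class and the `capacity` default are constructed for illustration.

```python
import re
import sys
from collections import OrderedDict

# Default (non-quiet) dtrace line: "<cpu> <id> nfsvno_namei:entry <name> [uid=<n>]"
LINE_RE = re.compile(r":entry (.*) \[uid=(\d+)\]\s*$")

# Constructed sample input (not captured from a real server).
SAMPLE = [
    "CPU     ID                    FUNCTION:NAME",
    "  2  61234              nfsvno_namei:entry report.txt [uid=1001]",
    "  0  61234              nfsvno_namei:entry report.txt [uid=1001]",
    "  1  61234              nfsvno_namei:entry report.txt [uid=0]",
    "  3  61234              nfsvno_namei:entry my notes [v2].md [uid=1001]",
]

class RecentKeys:
    """LRU set: memory stays bounded on a stream that never reaches EOF."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.keys = OrderedDict()

    def first_time(self, key):
        if key in self.keys:
            self.keys.move_to_end(key)      # refresh recency
            return False
        self.keys[key] = True
        if len(self.keys) > self.capacity:
            self.keys.popitem(last=False)   # evict the least recently seen key
        return True

def parse(line):
    """Return (filename, uid), or None for the header and unrelated lines."""
    m = LINE_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None

def dedup(lines, capacity=100_000):
    """Yield each distinct (filename, uid) once, in arrival order."""
    recent = RecentKeys(capacity)
    for line in lines:
        rec = parse(line)
        # Tuple key: ("a1", 2) and ("a", 12) stay distinct, unlike "$f$uid".
        if rec is not None and recent.first_time(rec):
            yield rec

if __name__ == "__main__":
    for name, uid in dedup(sys.stdin):
        print(f"{name}\t{uid}", flush=True)  # flush so a downstream pipe sees it at once
```

Saved under a hypothetical name such as `nfs_dedup.py`, it takes the DTrace output on stdin in place of the Perl one-liner. A pair evicted from the LRU set is reported again the next time it appears, which is the trade-off for bounded memory.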



## Peter Eriksson (Mar 19, 2020)

scotia said:


> I'm also surprised that NFSD doesn't have a debug or logging option.



I've also been a bit frustrated by the lack of debugging (visibility) options - so I've been patching the kernel a bit whenever I've had the need for seeing what is happening (when debugging problems). Some of those patches you can also find at the GitHub project mentioned above.

The main reason that it isn't easy to link an IP address to NFS operations is that inside the kernel you don't have a hard "link" between those two. NFS packets may arrive via multiple paths (IPv4 and IPv6) and/or source IP addresses and they will be handled correctly since an NFS client is identified via "ClientID" - not IP addresses.

For NFSv4 you can display ClientIDs associated with ClientAddr via the "nfsdumpstate" tool.


----------

