List,

there is some space for improvement with regard to NFS decoding. In particular, for TCP NFS, tcp_print() detects NFS very early and diverts decoding to either nfsreq_print() or nfsreply_print(). This layering violation causes a few issues:

1. The two NFS-specific functions currently print (via the print_nfsaddr() function) the source and destination addresses/ports of a packet. This printing does not include TCP-specific (flags, options and sequence numbers) and UDP-specific (checksum) information.
2. The print_nfsaddr() function prints the message xid instead of the non-NFS UDP/TCP port.
3. The NFS-decoded TCP packets don't update the seq/ack hash table in tcp_print().

There is a git branch that fixes the TCP part of the problem with two commits:

https://github.com/Longinus00/tcpdump/commits/print-tcp_nfs

I have verified that these commits don't introduce regressions. The only thing that gets in the way of an immediate merge is that the cleanups naturally change the output format, for example (with an extra commit not in the branch):

(old, TCP NFS packets)

    IP 10.230.61.9.865991996 > 10.230.61.77.2049: 148 getattr fh 0,11/1370219428
    IP 10.230.61.77.2049 > 10.230.61.9.865991996: reply ok 112 getattr REG 644 ids 0/0 sz 10485760
    IP 10.230.61.9.882769212 > 10.230.61.77.2049: 148 getattr fh 0,11/1370219428
    IP 10.230.61.77.2049 > 10.230.61.9.882769212: reply ok 112 getattr REG 644 ids 0/0 sz 10485760

(new, same packets)

    IP 10.230.61.9.760 > 10.230.61.77.2049: Flags [P.], seq 45328:45480, ack 9735069, win 10183, options [nop,nop,TS val 327000059 ecr 30912442], length 152: NFS request xid 865991996 getattr fh 0,11/1370219428
    IP 10.230.61.77.2049 > 10.230.61.9.760: Flags [P.], seq 9735069:9735185, ack 45480, win 24576, options [nop,nop,TS val 30912442 ecr 327000059], length 116: NFS reply xid 865991996 reply ok 112 getattr REG 644 ids 0/0 sz 10485760
    IP 10.230.61.9.760 > 10.230.61.77.2049: Flags [P.], seq 45480:45632, ack 9735185, win 10183, options [nop,nop,TS val 327000059 ecr 30912442], length 152: NFS request xid 882769212 getattr fh 0,11/1370219428
    IP 10.230.61.77.2049 > 10.230.61.9.760: Flags [P.], seq 9735185:9735301, ack 45632, win 24576, options [nop,nop,TS val 30912442 ecr 327000059], length 116: NFS reply xid 882769212 reply ok 112 getattr REG 644 ids 0/0 sz 10485760

I intend to merge the commits in a few days unless anyone argues that the output format must be retained.

Thank you.

--
Denis Ovsienko
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
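
Added example (not part of the original message and not tcpdump code): a Python parser for scripts that consume tcpdump's text output, normalizing the old and new TCP NFS line formats shown above and pairing requests with replies by xid. The function names are hypothetical, and treating port 2049 as the NFS side is an assumption taken from the sample output.

```python
import re

NFS_PORT = 2049  # assumption: the server uses the standard NFS port, as in the sample

ENDPOINTS = re.compile(r"^IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")
NEW_NFS = re.compile(r"NFS (request|reply) xid (\d+) (.*)$")

def parse_nfs_line(line):
    """Return a normalized record for an NFS line in either format, else None."""
    m = ENDPOINTS.match(line.strip())
    if not m:
        return None
    sip, sp, dip, dp, rest = m[1], int(m[2]), m[3], int(m[4]), m[5]
    new = NEW_NFS.search(rest)
    if new:
        # New format: real TCP ports in the address fields, xid in the NFS part.
        return {"src": (sip, sp), "dst": (dip, dp), "kind": new[1],
                "xid": int(new[2]), "body": new[3]}
    if rest.startswith("Flags ["):
        return None  # ordinary TCP segment that was not NFS-decoded
    # Old format: the non-NFS port field actually holds the xid, so the
    # real client port is not recoverable and is reported as None.
    if dp == NFS_PORT:
        return {"src": (sip, None), "dst": (dip, dp), "kind": "request",
                "xid": sp, "body": rest}
    if sp == NFS_PORT:
        return {"src": (sip, sp), "dst": (dip, None), "kind": "reply",
                "xid": dp, "body": rest}
    return None

def pair_by_xid(lines):
    """Map xid -> [request, reply] records; a missing half stays None."""
    pairs = {}
    for rec in filter(None, map(parse_nfs_line, lines)):
        slot = pairs.setdefault(rec["xid"], [None, None])
        slot[0 if rec["kind"] == "request" else 1] = rec
    return pairs

# Sample lines copied from the message above (first request/reply pair).
OLD = [
    "IP 10.230.61.9.865991996 > 10.230.61.77.2049: 148 getattr fh 0,11/1370219428",
    "IP 10.230.61.77.2049 > 10.230.61.9.865991996: reply ok 112 getattr REG 644 ids 0/0 sz 10485760",
]
NEW = [
    "IP 10.230.61.9.760 > 10.230.61.77.2049: Flags [P.], seq 45328:45480, ack 9735069, win 10183, options [nop,nop,TS val 327000059 ecr 30912442], length 152: NFS request xid 865991996 getattr fh 0,11/1370219428",
    "IP 10.230.61.77.2049 > 10.230.61.9.760: Flags [P.], seq 9735069:9735185, ack 45480, win 24576, options [nop,nop,TS val 30912442 ecr 327000059], length 116: NFS reply xid 865991996 reply ok 112 getattr REG 644 ids 0/0 sz 10485760",
]
```

With the old format the client's TCP port is absent from the line, so flow-level correlation against other captures is only possible on new-format output.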