Hello, I am trying to check for all NFS WRITE RPC requests in a packet capture that's around 27GB in size. I know that all NFS WRITEs are 1MB in size, so there should be ~27K NFS WRITE requests in the capture, but tshark (and also wireshark) give up after exactly 4095.

    # ls -lh merged.pcap
    -rwxrwxrwx 1 root root 27G Jan 24 02:18 merged.pcap
    # tshark -r merged.pcap -Y nfs | grep "WRITE Call" | wc -l
    Running as user "root" and group "root". This could be dangerous.
    4095

Since it decodes exactly till 4095, I suspect that maybe the RPC decoder is limited by the use of uint32 for offset. To confirm this, I restricted the NFS wsize to 256K and ran the same workload, and this time I can see that tshark can decode 4 times as many NFS WRITE requests, confirming that the 4GB size is somehow limiting the decoding. I confirmed this with nfstrace and it correctly shows all 26K WRITE requests.

    # nfstrace --mode=stat -I merged.pcap | grep WRITE | wc -l
    26873

I even wrote my own decoder using libpcap and I can correctly see all the WRITE requests as long as I correctly keep walking the stream using the fragheader length in the record marker. Can someone confirm this? Or, if anyone has used wireshark/tshark to decode RPC streams greater than 4GB, your confirmation will be helpful too. Btw I've tried all the protocol preferences and nothing helps.

Thanks,
LS
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
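
An added example, not code from the original post or from Wireshark: a minimal walker for ONC RPC record marking (RFC 5531) that keeps the stream offset in a uint64_t, the approach the post describes for stepping through the stream by fragment length. It assumes NFSv3 (WRITE is procedure 7) and one direction of an already reassembled TCP stream; walk_rpc, build_sample and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFS_PROGRAM 100003u
#define NFS3_WRITE  7u   /* assumption: NFSv3, where WRITE is procedure 7 */
struct walk { uint64_t end_offset, records, write_calls; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk record-marked RPC data. base is the 64-bit stream offset of buf[0];
 * the running offset is never narrowed to 32 bits, so it survives 4 GiB. */
struct walk walk_rpc(const uint8_t *buf, size_t len, uint64_t base) {
    struct walk r = { base, 0, 0 };
    size_t pos = 0;
    uint32_t first = 1;                   /* next fragment starts a new record */
    while (len - pos >= 4) {
        uint32_t rm = be32(buf + pos), flen = rm & 0x7fffffffu;
        const uint8_t *b = buf + pos + 4;
        if (flen > len - pos - 4) break;  /* truncated fragment: stop cleanly */
        /* RPC call header: xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc */
        if (first && flen >= 24 && be32(b + 4) == 0 && be32(b + 8) == 2 &&
            be32(b + 12) == NFS_PROGRAM && be32(b + 16) == 3 && be32(b + 20) == NFS3_WRITE)
            r.write_calls++;
        first = rm >> 31;                 /* top bit marks the last fragment */
        r.records += first;
        pos += 4 + (size_t)flen;
    }
    r.end_offset = base + pos;
    return r;
}

/* Constructed sample (out needs 120 bytes): WRITE, GETATTR, then a WRITE whose
 * continuation fragment holds payload bytes that look like a WRITE header. */
size_t build_sample(uint8_t *out) {
    static const uint32_t frag[4][3] = { {1, 32, 7}, {1, 24, 1}, {0, 24, 7}, {1, 24, 7} };
    size_t n = 0;                         /* columns: last flag, length, proc */
    for (int i = 0; i < 4; i++) {
        uint8_t *b = out + n + 4;
        put32(out + n, (frag[i][0] << 31) | frag[i][1]);
        memset(b, 0, frag[i][1]);         /* xid and msg_type=CALL stay zero */
        put32(b + 8, 2); put32(b + 12, NFS_PROGRAM); put32(b + 16, 3); put32(b + 20, frag[i][2]);
        n += 4 + frag[i][1];
    }
    return n;
}
```

Starting the walk at base 0xFFFFFFF0 ends at offset 0x100000068; the same value truncated to uint32 is 0x68, which is the kind of wrap the post suspects.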