Hello,
I am trying to check for all NFS WRITE RPC requests in a packet capture
that's around 27GB in size. I know that all NFS WRITEs are 1MB in size, so
there should be ~27K NFS WRITE requests in the capture, but tshark (and
also wireshark) give up after exactly 4095.

# ls -lh merged.pcap
-rwxrwxrwx 1 root root 27G Jan 24 02:18 merged.pcap

# tshark -r merged.pcap -Y nfs | grep "WRITE Call" | wc -l
Running as user "root" and group "root". This could be dangerous.
4095

Since it decodes exactly till 4095, I suspect that maybe the RPC decoder is
limited by the use of uint32 for offset.
To confirm this, I restricted the NFS wsize to 256K and ran the same
workload, and this time I can see that tshark can decode 4 times as many
NFS WRITE requests, confirming that the 4GB size is somehow limiting the
decoding.

I confirmed this with nfstrace and it correctly shows all 26K WRITE
requests.

# nfstrace --mode=stat -I merged.pcap  | grep WRITE | wc -l
26873

I even wrote my own decoder using libpcap and I can correctly see all the
WRITE requests as long as I correctly keep walking the stream using the
fragheader length in the record marker.

Can someone confirm this or if anyone has used wireshark/tshark to decode
RPC streams greater than 4GB your confirmation will be helpful too. Btw
I've tried all the protocol preferences and nothing helps.

Thanks,
LS
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
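
Added example, not part of the original post and not code from Wireshark, nfstrace or the poster's decoder: one way to walk the stream by the fragment length in the RPC record marker, as the message describes, while keeping the running stream offset in a type that cannot wrap at 4 GB. It assumes NFSv3 over TCP (program 100003, version 3, WRITE as procedure 7) and an already reassembled, in-order client-to-server byte stream; `count_write_calls`, `record` and `demo` are hypothetical names and the sample bytes are constructed.

```python
import io
import struct

NFS_PROGRAM = 100003      # ONC RPC program number for NFS
NFS3_PROC_WRITE = 7       # assumption: NFSv3, where WRITE is procedure 7
CALL_HEADER_LEN = 24      # xid, msg_type, rpcvers, prog, vers, proc

def count_write_calls(stream):
    """Count NFSv3 WRITE calls in a reassembled client-to-server TCP byte stream."""
    writes = 0
    offset = 0            # Python ints are unbounded, so this cannot wrap at 2**32
    head = b""            # start of the current record, gathered across fragments
    while True:
        marker = stream.read(4)
        if len(marker) < 4:
            break                                   # end of stream
        (word,) = struct.unpack(">I", marker)
        last, length = bool(word >> 31), word & 0x7FFFFFFF
        take = min(length, CALL_HEADER_LEN - len(head))
        chunk = stream.read(take)
        if len(chunk) < take:
            break                                   # truncated capture
        head += chunk
        stream.seek(length - take, io.SEEK_CUR)     # skip the payload, never buffer it
        offset += 4 + length
        if last:                                    # record complete: classify it
            if len(head) == CALL_HEADER_LEN:
                _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", head)
                if (mtype, rpcvers, prog, vers, proc) == (0, 2, NFS_PROGRAM, 3, NFS3_PROC_WRITE):
                    writes += 1
            head = b""
    return writes, offset

def record(proc, payload_len, split_at=None):
    """Constructed sample: one NFSv3 call record, optionally sent as two fragments."""
    body = struct.pack(">6I", 0x1234, 0, 2, NFS_PROGRAM, 3, proc) + bytes(payload_len)
    parts = [body] if split_at is None else [body[:split_at], body[split_at:]]
    out = b""
    for i, part in enumerate(parts):
        last_bit = 0x80000000 if i == len(parts) - 1 else 0
        out += struct.pack(">I", last_bit | len(part)) + part
    return out

def demo():
    # Constructed input: WRITE, READ (procedure 6), a WRITE split mid-header, WRITE.
    sample = record(7, 64) + record(6, 0) + record(7, 64, split_at=10) + record(7, 8)
    return count_write_calls(io.BytesIO(sample))

if __name__ == "__main__":
    print(demo())
```

The second return value is the total number of stream bytes walked, which is the quantity that would wrap if held in a 32-bit offset.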
