Provided by: nfstest_3.2-2_all 
NAME
nfstest_pkt - Packet trace decoder
SYNOPSIS
nfstest_pkt [options] <trace1.cap> [<trace2.cap> ...]
DESCRIPTION
Decode and display all packets in the packet trace file(s) given. The match option gives
the ability to search for specific packets within the packet trace file. Other options
allow displaying of their corresponding call or reply when only one or the other is
matched. Only a range of packets can be displayed if the start and/or end options are
used.
There are three levels of verbosity in which they are specified using a bitmap, where the
most significant bit gives a more verbose output. Verbose level 1 is used as a default
where each packet is displayed condensed to one line using the last layer of the packet as
the main output. By default only the NFS packets (NFS, MOUNT, NLM, etc.) are displayed.
The packet trace files are processed either serially or in parallel. The packets are
displayed using their timestamps so they are always displayed in the correct order even if
the files given are out of order. If the packet traces were captured one after the other
the packets are displayed serially, first the packets of the first file according to their
timestamps, then the second and so forth. If the packet traces were captured at the same
time on multiple clients the packets are displayed in parallel, packets are interleaved
from all the files when displayed again according to their timestamps.
Note: When using the --call option, a packet call can be displayed out of order if the
call is not matched explicitly but its reply is matched so its corresponding call is
displayed right before the reply.
OPTIONS
--version
show program's version number and exit
-h, --help
show this help message and exit
-v VERBOSE, --verbose=VERBOSE
Verbose level bitmask [default: 1]. bitmap 0x01: one line per packet. bitmap
0x02: one line per layer. bitmap 0x04: real verbose.
-l LAYERS, --layers=LAYERS
Layers to display [default: 'rpc']. Valid layers: ethernet, ip, tcp, udp, rpc, nfs,
nlm, mount, portmap
-s START, --start=START
Start index [default: 0]
-e END, --end=END
End index [default: 0]
-m MATCH, --match=MATCH
Match string [default: True]
-c, --call
If matching a reply packet, include its corresponding call in the output
-r, --reply
If matching a call packet, include its corresponding reply in the output
-d DISPLAY, --display=DISPLAY
Print specific packet or part of a packet [default: pkt]
-z TZ, --tz=TZ
Time zone to use to display timestamps
--serial
Process packet traces one after the other in the order in which they are given. The
default is to open all files first and then display the packets ordered according
to their timestamps.
--progress=PROGRESS
Display progress bar [default: 1]
RPC display:
--rpc-type=RPC_TYPE
Display RPC type [default: True]
--rpc-load=RPC_LOAD
Display RPC load type (NFS, NLM, etc.) [default: True]
--rpc-ver=RPC_VER
Display RPC load version [default: True]
--rpc-xid=RPC_XID
Display RPC xid [default: True]
Packet display:
--nfs-mainop=NFS_MAINOP
Display NFSv4 main operation only [default: False]
--load-body=LOAD_BODY
Display RPC payload body [default: True]
--frame=FRAME
Display record frame number [default: 0]
--index=INDEX
Display packet number [default: 1]
--crc16=CRC16
Display CRC16 encoded strings [default: True]
--crc32=CRC32
Display CRC32 encoded strings [default: True]
--strsize=STRSIZE
Truncate all strings to this size [default: 0]
Debug:
--enum-check=ENUM_CHECK
If set to True, enums are strictly enforced [default: False]
--enum-repr=ENUM_REPR
If set to True, enums are displayed as numbers [default: False]
--no-rpc-replies
Do not dissect RPC replies
--debug-level=DEBUG_LEVEL
Set debug level messages
EXAMPLES
# Display all NFS packets (one line per packet)
# Display only the NFS packets by default.
# Default for --verbose option is 1 -- one line per packet
$ nfstest_pkt /tmp/trace.cap
# Display all NFS packets (one line per layer)
$ nfstest_pkt -v 2 /tmp/trace.cap
# Display all NFS packets (real verbose, all items in each layer are displayed)
$ nfstest_pkt -v 4 /tmp/trace.cap
# Display all NFS packets (display both verbose level 1 and 2)
$ nfstest_pkt -v 3 /tmp/trace.cap
# Display all TCP packets (this will display all RPC and NFS packets as well)
$ nfstest_pkt -l tcp /tmp/trace.cap
# Display all packets
$ nfstest_pkt -l all /tmp/trace.cap
# Display all NFS, NLM, MOUNT and PORTMAP packets
$ nfstest_pkt -l nfs,nlm,mount,portmap /tmp/trace.cap
# Display packets 100 through 199
$ nfstest_pkt -s 100 -e 200 -l all /tmp/trace.cap
# Display all NFS packets with non-zero status
$ nfstest_pkt -m "nfs.status != 0" /tmp/trace.cap
# Display all NFSv4 WRITE packets
$ nfstest_pkt -m "rpc.version == 4 and nfs.op == 38" /tmp/trace.cap
# Display all NFSv4 WRITE calls
$ nfstest_pkt -m "rpc.version == 4 and nfs.argop == 38" /tmp/trace.cap
# Display all NFS packets having a file name as f00000001 (OPEN, LOOKUP, etc.)
# including their replies
$ nfstest_pkt -r -m "nfs.name == 'f00000001'" /tmp/trace.cap
# Display all NFS packets with non-zero status including their respective calls
$ nfstest_pkt -c -m "nfs.status != 0" /tmp/trace.cap
$ nfstest_pkt -d "pkt_call,pkt" -m "nfs.status != 0" /tmp/trace.cap
# Display all TCP packets (just the TCP layer)
$ nfstest_pkt -d "pkt.tcp" -l tcp /tmp/trace.cap
# Display all NFS file handles
$ nfstest_pkt -d "pkt.NFSop.fh" -m "len(nfs.fh) > 0" /tmp/trace.cap
# Display all RPC packets including the record information (packet number, timestamp,
etc.)
# For verbose level 1 (default) the "," separator will be converted to a
# space if all items are only pkt(.*)? or pkt_call(.*)?
$ nfstest_pkt -d "pkt.record,pkt.rpc" -l rpc /tmp/trace.cap
# Display all RPC packets including the record information (packet number, timestamp,
etc.)
# For verbose level 2 the "," separator will be converted to a new line if
# all items are only pkt(.*)? or pkt_call(.*)?
$ nfstest_pkt -v 2 -d "pkt.record,pkt.rpc" -l rpc /tmp/trace.cap
# Display all RPC packets including the record information (packet number, timestamp,
etc.)
# using the given display format
$ nfstest_pkt -d ">>> record: pkt.record >>> rpc: pkt.rpc" -l rpc /tmp/trace.cap
# Display all packets truncating all strings to 100 bytes
# This is useful when some packets are very large and there
# is no need to display all the data
$ nfstest_pkt --strsize 100 -v 2 -l all /tmp/trace.cap
# Display all NFSv4 packets displaying the main operation of the compound
# e.g., display "WRITE" instead of "SEQUENCE;PUTFH;WRITE"
$ nfstest_pkt --nfs-mainop 1 -l nfs /tmp/trace.cap
# Have all CRC16 strings displayed as plain strings
$ nfstest_pkt --crc16 0 /tmp/trace.cap
# Have all CRC32 strings displayed as plain strings
# e.g., display unformatted file handles or state ids
$ nfstest_pkt --crc32 0 /tmp/trace.cap
# Display packets using India time zone
$ nfstest_pkt --tz "UTC-5:30" /tmp/trace.cap
$ nfstest_pkt --tz "Asia/Kolkata" /tmp/trace.cap
# Display all packets for all trace files given
# The packets are displayed in order using their timestamps
$ nfstest_pkt trace1.cap trace2.cap trace3.cap
SEE ALSO
formatstr(3), nfstest_alloc(1), nfstest_cache(1), nfstest_delegation(1), nfstest_dio(1),
nfstest_fcmp(1), nfstest_file(1), nfstest_interop(1), nfstest_io(1), nfstest_lock(1),
nfstest_pnfs(1), nfstest_posix(1), nfstest_rdma(1), nfstest_sparse(1), nfstest_ssc(1),
nfstest_xattr(1), nfstest_xid(1), packet.pkt(3), packet.pktt(3), packet.record(3),
packet.utils(3)
BUGS
No known bugs.
AUTHOR
Jorge Mora (mora@netapp.com)