
List:       bro
Subject:    Re: [Bro] nfs analysis
From:       Vern Paxson <vern () icir ! org>
Date:       2007-10-11 18:59:47
Message-ID: 200710111859.l9BIxqQH024608 () pork ! ICSI ! Berkeley ! EDU

Sorry for the delay on following up on this.

> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]

Whenever tcpdump displays "|xxx", it means that the packet was truncated
due to a snapshot limitation.  Bro can't analyze such packets at the
application level.  So you need to capture traffic using tcpdump -s 0 to
turn off the limited snapshot.

Note, the funky port number it's showing is the NFS file handle (or maybe
it's the RPC transaction ID - I forget which) - a tcpdump feature.  So
I'm not sure what to make about your later comment that this was a tcpdump
bug ...

> 1190415715.190522 weird: bad_RPC
> 1190415715.190781 weird: unpaired_RPC_response

These arise because Bro can't fully parse the RPC.

		Vern

