I read a lot of discussion about investigating NFS using Wireshark but it doesn't give me a "global" view of all files accessed by NFS.
On the NFS server I know that the NFS processes use a lot of disk activity. Extract from
pidstat -p ALL -d
05:11:48 PM 0 4970 0.00 1.20 0.45 rsyslogd
05:11:48 PM 0 4983 0.00 4.74 0.00 snmpd
05:11:48 PM 0 6438 26.97 46498.87 44951.28 nfsd
05:11:48 PM 0 6439 29.71 67677.59 52382.44 nfsd
05:11:48 PM 0 6440 32.23 91297.19 59268.11 nfsd
05:11:48 PM 0 6441 34.06 114280.26 65961.18 nfsd
05:11:48 PM 0 6442 35.88 134947.77 74024.66 nfsd
05:11:48 PM 0 6443 39.15 155449.00 83946.33 nfsd
05:11:48 PM 0 6444 45.73 162572.04 97760.24 nfsd
05:11:48 PM 0 6446 55.43 169127.98 130529.82 nfsd
05:11:48 PM 992 6787 5.40 7.09 0.00 java
05:11:48 PM 1002 7497 0.02 15.53 0.00 java
05:11:48 PM 1002 7588 0.11 66.64 4.90 java
Then usually we can use lsof to know which files are accessed by a process, but for nfsd it displays nothing interesting (the real files or folders accessed are not displayed):
6427|nfsd4_callbacks
lsof -p 6427 :
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nfsd4_cal 6427 root cwd DIR 253,0 4096 128 /
nfsd4_cal 6427 root rtd DIR 253,0 4096 128 /
nfsd4_cal 6427 root txt unknown /proc/6427/exe
lsof -p 6438 :
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nfsd 6438 root cwd DIR 253,0 4096 128 /
nfsd 6438 root rtd DIR 253,0 4096 128 /
nfsd 6438 root txt unknown /proc/6438/exe
Isn't there a way to know exactly which files are accessed by the nfsd process? The OS is able to store the disk activity of the process but can't say what the exact files accessed are?
Is there maybe a way to look at /proc/6438/exe to discover the real files accessed (I can't, as I don't have root rights)?
If it is really impossible this way, is there a script or a command in Wireshark that could extract from the tcpdump all files accessed as a list? It would be painful to do manually + I have only the filename, not the complete path.