Getting deeper into NFS with Packetbeat

Hi!

Love Packetbeat; I'm using it to replace home-grown sed and awk templates with tshark. I looked through fields.yml and ran packetbeat -d and realized you were constraining your output event schema predump.

Is it possible for you folks to provide the points where the libpcap / packetbeat -d control points are, how they spit out raw parsable pcap telemetry, and where your events are defined?

Very interested in capturing this type of granularity:

tshark -V -r classifier-training-001-resnet-50.pcap -T pdml

Here's my list of dream events coming out of my pcap pipeline:

nfs.access_check
nfs.access_delete
nfs.access_execute
nfs.access_extend
nfs.access_lookup
nfs.access_modify
nfs.access_read
nfs.access_rights
nfsacl.procedure_v3
nfs.atime
nfs.atime
nfs.atime
nfs.atime.nsec
nfs.atime.nsec
nfs.atime.nsec
nfs.atime.sec
nfs.atime.sec
nfs.atime.sec
nfs.attr
nfs.attr_count
nfs.attributes_follow
nfs.attributes_follow
nfs.attr_mask
nfs.clientid
nfs.cookie3
nfs.count3
nfs.count3_dircount
nfs.count3_maxcount
nfs.ctime
nfs.ctime
nfs.ctime
nfs.ctime.nsec
nfs.ctime.nsec
nfs.ctime.nsec
nfs.ctime.sec
nfs.ctime.sec
nfs.ctime.sec
nfs.data
nfs.dtime
nfs.dtime.nsec
nfs.dtime.sec
nfs.fattr3.fileid
nfs.fattr3.fileid
nfs.fattr3.fileid
nfs.fattr3.fsid
nfs.fattr3.fsid
nfs.fattr3.fsid
nfs.fattr3.gid
nfs.fattr3.gid
nfs.fattr3.gid
nfs.fattr3.nlink
nfs.fattr3.nlink
nfs.fattr3.nlink
nfs.fattr3.size
nfs.fattr3.size
nfs.fattr3.size
nfs.fattr3.type
nfs.fattr3.type
nfs.fattr3.type
nfs.fattr3.uid
nfs.fattr3.uid
nfs.fattr3.uid
nfs.fattr3.used
nfs.fattr3.used
nfs.fattr3.used
nfs.fattr4.files_avail
nfs.fattr4.files_free
nfs.fattr4.files_total
nfs.fattr4.space_avail
nfs.fattr4.space_free
nfs.fattr4.space_total
nfs.fhandle
nfs.fhandle
nfs.fhandle
nfs.fh.hash
nfs.fh.hash
nfs.fh.hash
nfs.fh.length
nfs.fh.length
nfs.fh.length
nfs.fsinfo.dtpref
nfs.fsinfo.maxfilesize
nfs.fsinfo.properties
nfs.fsinfo.properties.hardlinks
nfs.fsinfo.properties.pathconf
nfs.fsinfo.properties.setattr
nfs.fsinfo.properties.symlinks
nfs.fsinfo.rtmax
nfs.fsinfo.rtmult
nfs.fsinfo.rtpref
nfs.fsinfo.wtmax
nfs.fsinfo.wtmult
nfs.fsinfo.wtpref
nfs.fsstat3_resok.abytes
nfs.fsstat3_resok.afiles
nfs.fsstat3_resok.fbytes
nfs.fsstat3_resok.ffiles
nfs.fsstat3_resok.tbytes
nfs.fsstat3_resok.tfiles
nfs.fsstat.invarsec
nfs.handle_follow
nfs.main_opcode
nfs.minorversion
nfs.mode3
nfs.mode3
nfs.mode3
nfs.mode3.rgrp
nfs.mode3.rgrp
nfs.mode3.rgrp
nfs.mode3.roth
nfs.mode3.roth
nfs.mode3.roth
nfs.mode3.rusr
nfs.mode3.rusr
nfs.mode3.rusr
nfs.mode3.sgid
nfs.mode3.sgid
nfs.mode3.sgid
nfs.mode3.sticky
nfs.mode3.sticky
nfs.mode3.sticky
nfs.mode3.suid
nfs.mode3.suid
nfs.mode3.suid
nfs.mode3.wgrp
nfs.mode3.wgrp
nfs.mode3.wgrp
nfs.mode3.woth
nfs.mode3.woth
nfs.mode3.woth
nfs.mode3.wusr
nfs.mode3.wusr
nfs.mode3.wusr
nfs.mode3.xgrp
nfs.mode3.xgrp
nfs.mode3.xgrp
nfs.mode3.xoth
nfs.mode3.xoth
nfs.mode3.xoth
nfs.mode3.xusr
nfs.mode3.xusr
nfs.mode3.xusr
nfs.mtime
nfs.mtime
nfs.mtime
nfs.mtime.nsec
nfs.mtime.nsec
nfs.mtime.nsec
nfs.mtime.sec
nfs.mtime.sec
nfs.mtime.sec
nfs.name
nfs.nfsstat4
nfs.nfsstat4
nfs.offset3
nfs.opcode
nfs.ops.count
nfs.pathconf.case_insensitive
nfs.pathconf.case_preserving
nfs.pathconf.chown_restricted
nfs.pathconf.linkmax
nfs.pathconf.name_max
nfs.pathconf.no_trunc
nfs.procedure_v3
nfs.procedure_v4
nfs.readdir.entry
nfs.readdir.eof
nfs.readdirplus.entry.cookie
nfs.readdirplus.entry.fileid
nfs.readdirplus.entry.name
nfs.read.eof
nfs.specdata1
nfs.specdata1
nfs.specdata1
nfs.specdata2
nfs.specdata2
nfs.specdata2
nfs.status
nfs.status
nfs.status3
nfs.tag
nfs.verifier

The code that is responsible for decoding the NFS protocol data is contained in this package https://github.com/elastic/beats/tree/master/packetbeat/protos/nfs. This code is independent of the code that captures the data via libpcap or afpacket. The traffic capturing code is in the sniffer package.
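As an added illustration (not Packetbeat's own code and not taken from the protos/nfs package), here is how a decoder could flatten already-parsed NFSv3 values into the tshark-style field names from the wishlist above; the procedure numbers and bit masks are from RFC 1813, while DecodeNFSv3Fields and bitField are hypothetical names.

```go
package main

import "fmt"

type bitField struct {
	name string
	mask uint32
}

// NFSv3 procedure numbers (RFC 1813, section 3.3).
var nfsv3Procedures = map[uint32]string{
	0: "NULL", 1: "GETATTR", 2: "SETATTR", 3: "LOOKUP", 4: "ACCESS", 5: "READLINK",
	6: "READ", 7: "WRITE", 8: "CREATE", 9: "MKDIR", 10: "SYMLINK", 11: "MKNOD",
	12: "REMOVE", 13: "RMDIR", 14: "RENAME", 15: "LINK", 16: "READDIR", 17: "READDIRPLUS",
	18: "FSSTAT", 19: "FSINFO", 20: "PATHCONF", 21: "COMMIT",
}

// ACCESS3 bits (RFC 1813, section 3.3.4), named like the wished-for fields.
var accessBits = []bitField{
	{"nfs.access_read", 0x01}, {"nfs.access_lookup", 0x02}, {"nfs.access_modify", 0x04},
	{"nfs.access_extend", 0x08}, {"nfs.access_delete", 0x10}, {"nfs.access_execute", 0x20},
}

// mode3 bits (RFC 1813, section 3.3.1); same layout as POSIX st_mode.
var modeBits = []bitField{
	{"suid", 0x800}, {"sgid", 0x400}, {"sticky", 0x200}, {"rusr", 0x100},
	{"wusr", 0x080}, {"xusr", 0x040}, {"rgrp", 0x020}, {"wgrp", 0x010},
	{"xgrp", 0x008}, {"roth", 0x004}, {"woth", 0x002}, {"xoth", 0x001},
}

// DecodeNFSv3Fields flattens parsed NFSv3 values into tshark-style field
// names. Hypothetical helper, not part of Packetbeat's protos/nfs package.
func DecodeNFSv3Fields(proc, mode, access uint32) map[string]interface{} {
	fields := map[string]interface{}{"nfs.mode3": mode, "nfs.access_rights": access}
	name, ok := nfsv3Procedures[proc]
	if !ok {
		name = fmt.Sprintf("UNKNOWN(%d)", proc) // keep unknown procedures visible for review
	}
	fields["nfs.procedure_v3"] = name
	for _, b := range accessBits {
		fields[b.name] = access&b.mask != 0
	}
	for _, b := range modeBits {
		fields["nfs.mode3."+b.name] = mode&b.mask != 0
	}
	return fields
}

func main() {
	// Constructed sample: an ACCESS call on a 0755 directory asking for READ|LOOKUP.
	fmt.Println(DecodeNFSv3Fields(4, 0755, 0x03))
}
```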
