This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark two-pass NFSv4 skips valid operations

0

Individual NFSv4 opcodes are contained within a COMPOUND NFSv4 procedure. If one runs

tshark -r a.pcap -q -z rpc,srt,100003,4

to print the RTT of NFSv4 opcodes, you only get results for the COMPOUND procedure and not individual ops.

We have a script which parses the output of the nfs.main_opcode with a command like:

tshark -r a.pcap -2 -R "nfs.procedure_v4 and rpc.time" -T fields -e nfs.main_opcode -e rpc.time

This uses two-pass mode. However, when running this in single-pass mode like:

tshark -r a.pcap -Y "nfs.procedure_v4 and rpc.time" -T fields -e nfs.main_opcode -e rpc.time

We see a difference in the number of operations the two commands report.

Sometimes two-pass will either not print the opcode, or not even consider the operation in its analysis. Hand-counting operations shows that two-pass is inaccurate and single-pass is accurate.

Is this some behaviour of the NFSv4 dissector which we don't understand, or is this likely a bug in the NFSv4 two-pass dissector?

(note: most of our analysis so far has been done on packet captures where tcpdump has dropped at least some traffic due to buffer overrun during receive. We've yet to test this on a "perfect" packet capture)

asked 16 Nov '15, 16:26

superjamie's gravatar image

superjamie
26115
accept rate: 0%


One Answer:

1

Hand-counting operations shows that two-pass is inaccurate and single-pass is accurate.

...

Is this some behaviour of the NFSv4 dissector which we don't understand, or is this likely a bug in the NFSv4 two-pass dissector?

I'd say "two-pass is inaccurate and single-pass is accurate" indicates that there's a bug somewhere.

There's no such thing as "the NFSv4 two-pass dissector"; there's only one dissector, the NFSv4 dissector. This is almost certainly a bug in that dissector; please file a bug on it at the Wireshark Bugzilla.

answered 16 Nov '15, 17:10

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

(16 Nov '15, 17:58) superjamie