[Bro] nfs analysis

Vern Paxson vern at icir.org
Thu Oct 11 11:59:47 PDT 2007

Sorry for the delay on following up on this.

> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]

Whenever tcpdump displays "|xxx", it means that the packet was truncated
due to a snapshot limitation.  Bro can't analyze such packets at the
application level.  So you need to capture traffic using tcpdump -s 0 to
turn off the limited snapshot.

Note, the funky port number its showing is the NFS file handle (or maybe
it's the RPC transaction ID - I forget which) - a tcpdump feature.  So
I'm not sure what to make about your later comment that this was a tcpdump
bug ...

> 1190415715.190522 weird: bad_RPC
> 1190415715.190781 weird: unpaired_RPC_response

These arise because Bro can't fully parse the RPC.


More information about the Bro mailing list