[Bro] nfs analysis
vern at icir.org
Thu Oct 11 11:59:47 PDT 2007
Sorry for the delay on following up on this.
> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]
Whenever tcpdump displays "|xxx", it means that the packet was truncated
due to a snapshot limitation. Bro can't analyze such packets at the
application level. So you need to capture traffic using tcpdump -s 0 to
turn off the limited snapshot.
Note, the funky port number it's showing is the NFS file handle (or maybe
it's the RPC transaction ID - I forget which) - a tcpdump feature. So
I'm not sure what to make about your later comment that this was a tcpdump
> 1190415715.190522 weird: bad_RPC
> 1190415715.190781 weird: unpaired_RPC_response
These arise because Bro can't fully parse the RPC.
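One way to check a trace for the snapshot truncation described above before handing it to Bro, as an added example that is not part of the original thread: walk the classic pcap record headers and flag every packet whose captured length is shorter than its on-the-wire length. The 96-byte snaplen and the three records are constructed sample data, not from the poster's capture.

```python
import struct

PCAP_HDR_FMT = "IHHiIII"   # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
REC_HDR_FMT = "IIII"       # ts_sec, ts_usec, caplen (incl_len), origlen (orig_len)


def truncated_packets(pcap_bytes):
    """Return (snaplen, [(index, caplen, origlen), ...]) listing records whose
    captured bytes are fewer than the bytes seen on the wire. Those are the
    packets tcpdump prints with a trailing "[|proto]" and Bro cannot decode."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        end = "<"            # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    _, _, _, _, _, snaplen, _ = struct.unpack_from(end + PCAP_HDR_FMT, pcap_bytes, 0)
    off = struct.calcsize(PCAP_HDR_FMT)
    rec_size = struct.calcsize(REC_HDR_FMT)
    short, idx = [], 0
    while off + rec_size <= len(pcap_bytes):
        _, _, caplen, origlen = struct.unpack_from(end + REC_HDR_FMT, pcap_bytes, off)
        off += rec_size
        if caplen < origlen:
            short.append((idx, caplen, origlen))
        off += caplen        # skip the packet bytes themselves
        idx += 1
    return snaplen, short


def build_sample_pcap(snaplen, records):
    """Constructed little-endian pcap (linktype 1 = Ethernet); each record is
    (caplen, origlen) with zero-filled packet bytes, enough for header checks."""
    out = struct.pack("<" + PCAP_HDR_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (caplen, origlen) in enumerate(records):
        out += struct.pack("<" + REC_HDR_FMT, 1190415715, i, caplen, origlen)
        out += b"\x00" * caplen
    return out


# Constructed trace taken with a 96-byte snapshot: packet 1 is a 220-byte NFS
# request cut down to 96 bytes, so Bro would see only its beginning.
SAMPLE = build_sample_pcap(96, [(60, 60), (96, 220), (96, 96)])

if __name__ == "__main__":
    snaplen, short = truncated_packets(SAMPLE)
    print("snaplen:", snaplen)
    for idx, caplen, origlen in short:
        print("packet %d truncated: captured %d of %d bytes" % (idx, caplen, origlen))
```

A trace captured with `tcpdump -s 0` shows no truncated records here; any hits mean the capture must be redone with the full snapshot before Bro can analyze NFS at the application level.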