[Bro] nfs analysis

Mike Wood muscletot at gmail.com
Mon Sep 24 10:39:20 PDT 2007

On 9/22/07, Christian Kreibich <christian at whoop.org> wrote:
> On Fri, 2007-09-21 at 17:25 -0700, Mike Wood wrote:
> >
> > "Deficiency: Bro's notion of NFS is currently confined to just
> > knowledge of the existence of these services. It does not analyze the
> > particulars of different NFS operations."
> >
> > I am trying to extract some NFS file access events from a trace and
> > cannot seem to get the nfs_request_* nfs_attempt_* event handlers to
> > trigger. Should I be able to?
> Hey Mike! I believe the documentation is once again misleading. :( Do
> you get nothing at all when you load nfs.bro?

Sadly, yes I do not get any output from nfs.bro.

The tcpdump output for my trace looks like:

16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
132 getattr [|nfs]
16:01:13.467879 IP server.host.name.nfs > client.host.name.4160508447:
reply ok 96 getattr DIR 40755 ids 10013/6007 sz 1024
16:01:13.467940 IP client.host.name.4177285663 > server.host.name.nfs:
148 lookup [|nfs]
16:01:13.468130 IP server.host.name.nfs > client.host.name.4177285663:
reply ok 128 lookup [|nfs]

So I would assume I have some valid NFS traffic there... but when I run

bro -r mytrace.pcap nfs.bro

I just get plenty of weird messages:

1190415715.190522 weird: bad_RPC
1190415715.190781 weird: unpaired_RPC_response

So, perhaps this is all the NFS traffic not getting recognized. Have
you seen this before?

I am running Bro 1.2.9... if that helps at all.


More information about the Bro mailing list