Interpretation of tcpdump

NikolaPiterskiy

Hi all again.
I am still trying to analyze what is going on with the NFS server-client communication...
Below is the output from # tcpdump -i eth1 -n host 10.111.69.81 (to see what is going on between the NFS server and client in reaction to mount -t nfs 10.111.69.81:/raid1/ARGUS /mnt/datanas)

[root@jaguar etc]# tcpdump -i eth1 -n host 10.111.69.81
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:47:55.814242 IP 10.111.69.171.863 > 10.111.69.81.nfs: Flags [S], seq 3518582858, win 14600, options [mss 1460,sackOK,TS val 67536226 ecr 0,nop,wscale 7], length 0
13:47:55.814421 IP 10.111.69.81.nfs > 10.111.69.171.863: Flags [S.], seq 2133975368, ack 3518582859, win 5792, options [mss 1460,sackOK,TS val 67419500 ecr 67536226,nop,wscale 7], length 0
13:47:55.814453 IP 10.111.69.171.863 > 10.111.69.81.nfs: Flags [.], ack 1, win 115, options [nop,nop,TS val 67536226 ecr 67419500], length 0
13:47:55.814468 IP 10.111.69.171.4001344428 > 10.111.69.81.2049: 40 null
13:47:55.814561 IP 10.111.69.81.nfs > 10.111.69.171.863: Flags [.], ack 45, win 46, options [nop,nop,TS val 67419500 ecr 67536226], length 0
13:47:55.814608 IP 10.111.69.81.2049 > 10.111.69.171.4001344428: reply ok 24 null
13:47:55.814615 IP 10.111.69.171.863 > 10.111.69.81.nfs: Flags [.], ack 29, win 115, options [nop,nop,TS val 67536226 ecr 67419500], length 0
13:47:55.814845 IP 10.111.69.171.4018121644 > 10.111.69.81.2049: 108 getattr fh 0,0/24
13:47:55.855346 IP 10.111.69.81.nfs > 10.111.69.171.863: Flags [.], ack 157, win 46, options [nop,nop,TS val 67419541 ecr 67536226], length 0

13:48:55.814910 IP 10.111.69.171.863 > 10.111.69.81.nfs: Flags [F.], seq 157, ack 29, win 115, options [nop,nop,TS val 67596227 ecr 67419541], length 0
13:48:55.855295 IP 10.111.69.81.nfs > 10.111.69.171.863: Flags [.], ack 158, win 46, options [nop,nop,TS val 67479546 ecr 67596227], length 0
13:49:00.854536 ARP, Request who-has 10.111.69.171 tell 10.111.69.81, length 46
13:49:00.854552 ARP, Reply 10.111.69.171 is-at a0:8c:fd:d8:08:0d, length 28

As I understand it, after some typical communication:
client > server [S]
server > client [S.]
client > server [.]
server > client [.]
. . . . . .
the client sent flag F ("finish") to the server...
and the server sent the answer [.]
then regular ARP requests and replies start...
No handshakes and no positive flags...
and no mounting is going on...

Can anyone interpret this?
Thanks
 


SOLVED: without interpretation..
but this is how it has to look
in the normal case:
tcpdump -i eth1 -n host 10.111.69.81
mount :
IP 10.111.69.173. > 10.111.69.81.: Flags [S],
IP 10.111.69.81. > 10.111.69.173.: Flags [S.],
IP 10.111.69.173. > 10.111.69.81.: Flags [.],
IP 10.111.69.173. > 10.111.69.81.: Flags [P.],
IP 10.111.69.81. > 10.111.69.173.: Flags [.],
IP 10.111.69.81. > 10.111.69.173: Flags [P.],
IP 10.111.69.173. > 10.111.69.81.: Flags [.],
.............................................................................

umount :
IP 10.111.69.173.> 10.111.69.81.nfs: Flags [F.],
IP 10.111.69.81.nfs > 10.111.69.173.: Flags [F.],
IP 10.111.69.173. > 10.111.69.81.nfs: Flags [.],
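
An added example, not part of the posts above: a small Python parser that pairs the NFS RPC calls in `tcpdump -n` text output with their replies and reports any call left unanswered before the FIN. It relies on tcpdump printing the RPC transaction id (xid) where the client port would be on these NFS lines, as in the first capture; the function names are the example's own, and the sample is abridged from that capture.

```python
import re

# Constructed sample: the RPC lines and the FIN, abridged from the first capture.
SAMPLE = """\
13:47:55.814468 IP 10.111.69.171.4001344428 > 10.111.69.81.2049: 40 null
13:47:55.814608 IP 10.111.69.81.2049 > 10.111.69.171.4001344428: reply ok 24 null
13:47:55.814845 IP 10.111.69.171.4018121644 > 10.111.69.81.2049: 108 getattr fh 0,0/24
13:48:55.814910 IP 10.111.69.171.863 > 10.111.69.81.nfs: Flags [F.], seq 157, ack 29, win 115, length 0
"""

TS = r"(\d+):(\d+):(\d+\.\d+) IP "
# Call:  client.<xid> > server.2049: <length> <procedure>
CALL = re.compile(TS + r"\S+\.(\d+) > \S+\.(?:2049|nfs): (\d+) (\w+)")
# Reply: server.2049 > client.<xid>: reply <status> ...
REPLY = re.compile(TS + r"\S+\.(?:2049|nfs) > \S+\.(\d+): reply (\w+)")
# Any TCP segment carrying the FIN flag
FIN = re.compile(TS + r"\S+ > \S+: Flags \[F")

def secs(h, m, s):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(text):
    """Return ({xid: (procedure, sent_at)} for unanswered calls, [FIN times])."""
    pending, fins = {}, []
    for line in text.splitlines():
        if m := CALL.match(line):
            pending[m[4]] = (m[6], secs(*m.groups()[:3]))
        elif m := REPLY.match(line):
            pending.pop(m[4], None)   # a reply clears the call with the same xid
        elif m := FIN.match(line):
            fins.append(secs(*m.groups()[:3]))
    return pending, fins

def report(text):
    """One line per RPC call that never received a reply in the capture."""
    pending, fins = analyze(text)
    out = []
    for xid, (proc, sent) in pending.items():
        waited = f"{fins[0] - sent:.0f}s before FIN" if fins else "no FIN seen"
        out.append(f"xid {xid}: {proc} got no RPC reply ({waited})")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "every RPC call was answered")
```

On the sample it flags the `getattr` call: the server acknowledged it at the TCP level but never sent an RPC reply, and the client closed the connection 60 seconds later.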