Wireshark-users: [Wireshark-users] how can I see all readdirplus file entries with -T fields?
Howdy,
I'm writing a script to analyse nfs traffic and build a tree of files being
accessed on the NFS filesystem by snooping on lookup and readdirplus queries
to match filehandles back to names and eventually back to pathnames.
Of course, if you already wrote this, I'd love a copy and you can skip my
question :)
If not, I'm having a problem because only one of the files returned by
readdirplus is displayed, which is a problem.
I'm running:
tshark -n -l port nfs -V -T fields -E header=y -E separator='|' -e rpc.xid -e nfs.procedure_v3 -e nfs.name -e nfs.readdirplus.entry.name -e nfs.fh.hash -e nfs.nfsstat3
on a readdirplus call, I get:
0xef5be299|17|||0x98591a70|
0xef5be299|17||distributor|0x5c2e5b6a|0
So great, I know that FH 0x5c2e5b6a is distributor in directory 0x98591a70,
but this dropped all the other files returned by readdirplus.
I know I could just parse the output of
tshark -n -l port nfs -V -T pdml
but this output is huge, and I was hoping I wouldn't have to.
Is there a way out with -T fields, or will have to use -T pdml and dip my
hands in xml?
Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/