The packets shown by tcpdump contain the following data: an IP header and the IP data portion. The IP data contains a UDP packet, that is, a UDP header and its data portion; the UDP data in turn carries an ONC RPC message, and the RPC message carries the NFS call or reply. We have used the following typographical notation:
packet 1:
* underlined for IP headers, UDP headers and NFS procedure call parameters
* bold for UDP headers
* italic for RPC headers
* each block of numbers in black and red color indicates a particular field
packet 2:
* underlined for IP headers, UDP headers
* bold for UDP headers
* italic for file attributes
* each block of numbers in black and red color indicates a particular field
packet 3:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file handle
packet 4:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file attributes
packet 5:
* underlined for IP headers, UDP headers
* bold for UDP headers
* blue for RPC header
* red for file handle
packet 6:
* underlined for IP headers, UDP headers, actual file data
* bold for UDP headers
* blue for RPC header
* red for file attributes
Some Useful References:
* IP header format
* UDP header format
* ASCII table
* tcpdump
* snoop
* nfstrace
* nfswatch
* A detailed analysis of monitoring NFS systems
* RFC1057 (RPC version 2)
* RFC1831 (RPC version 2, revised)
* RFC1094 (NFS version 2, the protocol version carried in these packets)
* RFC1813 (NFS version 3)
Here is the printout of the dumped packets:
packet 1:
21:32:54.898924 moe.baylor.edu.1791010337 > larry.baylor.edu.nfs: 148 lookup fh Unknown/1 "secret" (ttl 64, id 267)
    4500 00b0 010b 0000 4011 4efa 813e 93dd
    813e 93de 0320 0801 009c db4e 6ac0 a621
    0000 0000 0000 0002 0001 86a3 0000 0002
    0000 0004 0000 0001 0000 0040 0000 7239
    0000 000e 6d6f 652e 6261 796c 6f72 2e65
    6475 0c23 0000 0000 0000 0000 0000 0007
    0000 0000 0000 0001 0000 0002 0000 0003
    0000 0004 0000 0006 0000 000a 0000 0000
    0000 0000 caba ebfe c11f 0000 0200 0000
    0208 0000 0208 0000 c11f 0000 8b68 2036
    0000 0000 0000 0006 7365 6372 6574 0000
In the first line, host moe.baylor.edu sent a request with transaction id 1791010337 to larry.baylor.edu (note that for NFS traffic the number tcpdump prints after the source host is the RPC transaction id, not the source port). The request was 148 bytes, excluding the UDP and IP headers. The operation was a lookup (search for a name in a directory and, if it is found, return a file handle for it plus the file's attributes) on the directory whose file handle (fh) tcpdump shows as Unknown/1. When tcpdump recognises the server's file handle layout it decodes the handle into a major,minor device number pair followed by the inode number and generation number, for example 21,24/10.73165; it did not recognise this one, so it printed the placeholder Unknown/1 instead. In other words, moe asked larry to look up the name "secret" in the directory with file handle Unknown/1.

Additional information that is readily available from the IP header:
    4           Version 4
    5           Internet Header Length: 5 32-bit words (20 bytes)
    00          Type of Service: normal delay, normal throughput, normal reliability
    00b0        Total Length: the whole packet is b0 hex (176 decimal = 20 bytes IP header + 8 bytes UDP header + 148 bytes data for the request) bytes long
    010b        Identification (267 decimal, the "id 267" in tcpdump's summary line)
    0000        Flags and Fragment Offset
    40          Time To Live: 64 hops
    11          Protocol: 17 decimal = UDP
    4efa        Header Checksum (the one's-complement sum of the ten 16-bit header words, this one included, is ffff, so the header verifies)
    813e 93dd   Source Address: 129.62.147.221 (81 hex is 129 decimal, 3e is 62, 93 is 147 and dd is 221)
    813e 93de   Destination Address: 129.62.147.222

Additional information that is readily available from the UDP header:
    0320        Source Port: 800 decimal (a privileged port, below 1024; many NFS servers reject requests from unprivileged source ports, a check that only stops non-root users on trusted clients)
    0801        Destination Port: 2049 decimal, the port number conventionally used for NFS
    009c        UDP Length: 9c hex (156 decimal = 8 bytes UDP header + 148 bytes data for the request) bytes long
    db4e        Checksum

Additional information that is readily available from the RPC header:
    6ac0 a621   transaction identifier (xid), 1791010337 decimal
    0000 0000   msg_type = CALL (0)
    0000 0002   rpcvers = 2 (in version 2 of the RPC protocol specification, rpcvers must be equal to 2)
    0001 86a3   hex 000186a3 (decimal 100003), the remote program number; 100003 is the NFS program
    0000 0002   remote program version number: NFS protocol version 2 (RFC 1094), which is why the file handles below are fixed 32-byte blobs
    0000 0004   procedure within the remote program to be called (4 = NFSPROC_LOOKUP)
    0000 0001   credential flavor = AUTH_UNIX (1)
    0000 0040   credential length: 40 hex = 64 bytes of AUTH_UNIX credential follow
    0000 7239   stamp (an arbitrary ID which the caller machine may generate)
    0000 000e   length of the caller's machine name, 14 bytes
    6d6f 652e 6261 796c 6f72 2e65 6475   moe.baylor.edu (name of the caller machine)
    0c23        two padding bytes that bring the name up to a multiple of 4 bytes, as XDR requires (RFC 1014 says padding should be zero; this client sent leftover buffer contents, which receivers ignore)
    0000 0000   uid (the caller's effective user ID; 0 = root)
    0000 0000   gid (the caller's effective group ID)
    0000 0007   number of entries in gids (a counted array of groups which contain the caller as a member): 4 + 4 + 16 + 4 + 4 + 4 + 7*4 = 64 bytes, matching the credential length
    0000 0000 0000 0001 0000 0002 0000 0003 0000 0004 0000 0006 0000 000a   the seven gids: 0, 1, 2, 3, 4, 6, 10
    0000 0000   verifier flavor = AUTH_NULL (0), the verifier accompanying the credential
    0000 0000   verifier length = 0
Nothing in an AUTH_UNIX credential proves who sent it: the uid, gid and machine name are whatever the client chose to write, and the AUTH_NULL verifier is empty. The server acts on them as sent (or maps uid 0 to an unprivileged user if it squashes root), so an NFS export that accepts AUTH_UNIX is protected only by its export list, by root squashing and by the network between client and server.

NFS procedure call parameters (LOOKUP takes a directory file handle and a name):
    caba ebfe c11f 0000 0200 0000 0208 0000 0208 0000 c11f 0000 8b68 2036 0000 0000   the 32-byte file handle for the directory in which to look up the file (the handle tcpdump printed as Unknown/1)
    0000 0006   length of the name, 6 bytes
    7365 6372 6574   "secret" (name of the file to be looked up)
    0000        padding to a 4-byte boundary
packet 2:
21:32:54.899211 larry.baylor.edu.nfs > moe.baylor.edu.1791010337: reply ok 128 lookup fh Unknown/1 REG 100644 ids 0/0 sz 40 (ttl 64, id 1964)
    4500 009c 07ac 0000 4011 486d 813e 93de
    813e 93dd 0801 0320 0088 3a66 6ac0 a621
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 caba ebfe e720 0000
    c11f 0000 0208 0000 0208 0000 c11f 0000
    131e 0c23 0000 0000 0000 0001 0000 81a4
    0000 0001 0000 0000 0000 0000 0000 0028
    0000 1000 0000 0000 0000 0002 0000 0802
    0000 20e7 3802 9d5a 0000 0000 3802 9d5a
    0000 0000 3802 9d5a 0000 0000
The IP and UDP headers have the same layout as in packet 1 with source and destination swapped: total length 9c hex = 156 bytes, UDP length 88 hex = 136 bytes, so the reply carries 128 bytes of data, as tcpdump reported. The RPC reply header follows:
    6ac0 a621   transaction ID, the same xid as the call it answers
    0000 0001   msg_type = REPLY (1)
    0000 0000   reply_stat = MSG_ACCEPTED (0)
    0000 0000   verifier flavor = AUTH_NULL (0)
    0000 0000   verifier length = 0
    0000 0000   accept_stat = SUCCESS (0)
    0000 0000   NFS status = NFS_OK (0); the file handle and attributes below are only present when this is zero
    caba ebfe e720 0000 c11f 0000 0208 0000 0208 0000 c11f 0000 131e 0c23 0000 0000   the returned 32-byte file handle for "secret" (note that it differs from the directory handle in the call; it is the handle moe presents in packets 3 and 5)
Then the file attributes (the fattr structure of RFC 1094, seventeen 32-bit words) for "secret", which tcpdump summarised as "REG 100644 ids 0/0 sz 40":
    0000 0001   file type: REG (regular file) = 1
    0000 81a4   file mode (type and access permission bits): 81a4 hex = 100644 octal
    0000 0001   link count
    0000 0000   user id (the owner is uid 0, root)
    0000 0000   group id
    0000 0028   file size (40 bytes in decimal)
    0000 1000   blocksize: the file system's preferred block size, 1000 hex = 4096 bytes
    0000 0000   rdev: device number, only meaningful if the file is a character or block device
    0000 0002   blocks: the number of disk blocks the file actually occupies (2)
    0000 0802   fsid: file system identifier, here the device number with major 8 and minor 2
    0000 20e7   fileid: the inode number, 8423 decimal
    3802 9d5a 0000 0000   atime, the time when the file data was last accessed (seconds and microseconds since 1970; 38029d5a hex = 939695450 = 02:30:50 UTC on 12 October 1999)
    3802 9d5a 0000 0000   mtime, the time when the file data was last modified
    3802 9d5a 0000 0000   ctime, the time when the attributes of the file were last changed
All three times are equal, so the file had not been read or changed since it was written.
packet 3:
21:32:54.900034 moe.baylor.edu.1807787553 > larry.baylor.edu.nfs: 136 getattr fh Unknown/1 (ttl 64, id 268)
    4500 00a4 010c 0000 4011 4f05 813e 93dd
    813e 93de 0320 0801 0090 bdf8 6bc0 a621
    0000 0000 0000 0002 0001 86a3 0000 0002
    0000 0001 0000 0001 0000 0040 0000 7239
    0000 000e 6d6f 652e 6261 796c 6f72 2e65
    6475 0c23 0000 0000 0000 0000 0000 0007
    0000 0000 0000 0001 0000 0002 0000 0003
    0000 0004 0000 0006 0000 000a 0000 0000
    0000 0000 caba ebfe e720 0000 c11f 0000
    0208 0000 0208 0000 c11f 0000 131e 0c23
    0000 0000
The layout is the same as packet 1 up to and including the verifier; only the xid (6bc0 a621 = 1807787553), the procedure number (0000 0001 = NFSPROC_GETATTR) and the arguments differ. GETATTR takes just a file handle, and the handle moe presents is the one larry returned for "secret" in packet 2, so the request is 12 bytes shorter than the lookup (136 bytes of data).
packet 4:
21:32:54.900238 larry.baylor.edu.nfs > moe.baylor.edu.1807787553: reply ok 96 getattr REG 100644 ids 0/0 sz 40 (ttl 64, id 1965)
    4500 007c 07ad 0000 4011 488c 813e 93de
    813e 93dd 0801 0320 0068 7d11 6bc0 a621
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0001 0000 81a4
    0000 0001 0000 0000 0000 0000 0000 0028
    0000 1000 0000 0000 0000 0002 0000 0802
    0000 20e7 3802 9d5a 0000 0000 3802 9d5a
    0000 0000 3802 9d5a 0000 0000
The GETATTR reply is the RPC reply header and NFS status (28 bytes) followed directly by the 68-byte fattr, with no file handle, which is why it is 96 bytes; the attribute values are identical to those in packet 2.
packet 5:
21:32:54.901147 moe.baylor.edu.1824564769 > larry.baylor.edu.nfs: 148 read fh Unknown/1 4096 bytes @ 0 (ttl 64, id 269)
    4500 00b0 010d 0000 4011 4ef8 813e 93dd
    813e 93de 0320 0801 009c 98fe 6cc0 a621
    0000 0000 0000 0002 0001 86a3 0000 0002
    0000 0006 0000 0001 0000 0040 0000 7239
    0000 000e 6d6f 652e 6261 796c 6f72 2e65
    6475 1000 0000 0000 0000 0000 0000 0007
    0000 0000 0000 0001 0000 0002 0000 0003
    0000 0004 0000 0006 0000 000a 0000 0000
    0000 0000 caba ebfe e720 0000 c11f 0000
    0208 0000 0208 0000 c11f 0000 131e 0c23
    0000 0000 0000 0000 0000 1000 0000 1000
The procedure number is 0000 0006 = NFSPROC_READ, and the credential is the same AUTH_UNIX credential as before (note that the padding after the machine name is 1000 this time instead of 0c23: the padding bytes are whatever happened to be in the client's buffer). The READ arguments, following the 32-byte file handle of "secret":
    0000 0000   offset: the position within the file at which the read is to begin (0)
    0000 1000   count: the number of bytes of data that are to be read (4096)
    0000 1000   totalcount: unused in NFS version 2 (RFC 1094 notes it is removed in the next revision) but still transmitted
packet 6:
21:32:54.901513 larry.baylor.edu.nfs > moe.baylor.edu.1824564769: reply ok 140 read REG 100644 ids 0/0 sz 40 (ttl 64, id 1966)
    4500 00a8 07ae 0000 4011 485f 813e 93de
    813e 93dd 0801 0320 0094 945a 6cc0 a621
    0000 0001 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0001 0000 81a4
    0000 0001 0000 0000 0000 0000 0000 0028
    0000 1000 0000 0000 0000 0002 0000 0802
    0000 20e7 3802 9dd6 0000 0000 3802 9d5a
    0000 0000 3802 9d5a 0000 0000 0000 0028
    3031 3233 3435 2054 6869 7320 6973 2061
    2073 6563 7265 7420 6d65 7373 6167 652e
    2035 3433 3231 300a
The reply has the same shape as packet 4 (RPC reply header, NFS status, 68-byte fattr) followed by the READ result, 140 bytes of data in all. One attribute has changed:
    3802 9dd6 0000 0000   atime is no longer 3802 9d5a as in packets 2 and 4: the read itself updated it. 38029dd6 hex = 939695574 = 02:32:54 UTC on 12 October 1999, the same second in which tcpdump captured the packet (21:32:54 in US Central Daylight Time, five hours behind UTC); the earlier value was 124 seconds before that, when the file was written.
    3802 9d5a 0000 0000   mtime and ctime are unchanged, since a read modifies neither the data nor any attribute other than atime.
Then the read result:
    0000 0028   count: the number of bytes of data returned by the read (40, the whole file; 4096 were requested but the file is only 40 bytes long)
    3031 3233 3435 2054 6869 7320 6973 2061
    2073 6563 7265 7420 6d65 7373 6167 652e
    2035 3433 3231 30     file contents: 012345 This is a secret message. 543210
    0a          Line Feed, the fortieth byte (40 is a multiple of 4, so no XDR padding follows)
Note what this exchange hands to anyone who can see or inject packets on the path between moe and larry. The contents of "secret" crossed the wire in the clear, readable with nothing more than tcpdump and an ASCII table, as above. The 32-byte file handle larry issued can be copied from packets 2, 3 or 5 and presented in a fresh request, and the AUTH_UNIX credential in that request (uid, gid, machine name) is whatever the sender chooses to write, with an AUTH_NULL verifier that proves nothing; only the server's export list, root squashing and any privileged-port check stand between the sender and the file. NFS version 2 over AUTH_UNIX, as captured here, offers neither confidentiality nor integrity; the RPC authentication flavor that does is RPCSEC_GSS (RFC 2203) with Kerberos.
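The field walk above can be automated. The following is an added example, not code from the original page: a small dissector for the IPv4/UDP/ONC RPC/NFSv2 layering described across packets 1 to 6, written against RFC 791, RFC 768, RFC 1057, RFC 1014 and RFC 1094. It verifies the IPv4 header checksum and the length fields the way the explanations above check them by hand, decodes the AUTH_UNIX credential, the 32-byte file handle, the LOOKUP name or READ offset/count, the fattr of a reply and the returned data, and it flags the unverified identity that the packet 1 discussion points out. The two sample packets are constructed input, re-typed from the dumps of packets 1 and 6 above; because an RPC reply names no procedure, the caller supplies the procedure number of the call with the same xid (here READ, from packet 5), which is also what tcpdump does. All function and field names (parse_call, parse_reply, audit, the dictionary keys) are this example's own choices.

```python
import struct
from datetime import datetime, timezone
# Constructed input: packets 1 (LOOKUP call) and 6 (READ reply) re-typed from the dumps above.
PACKET1 = bytes.fromhex(
    "4500 00b0 010b 0000 4011 4efa 813e 93dd 813e 93de 0320 0801 009c db4e 6ac0 a621"
    "0000 0000 0000 0002 0001 86a3 0000 0002 0000 0004 0000 0001 0000 0040 0000 7239"
    "0000 000e 6d6f 652e 6261 796c 6f72 2e65 6475 0c23 0000 0000 0000 0000 0000 0007"
    "0000 0000 0000 0001 0000 0002 0000 0003 0000 0004 0000 0006 0000 000a 0000 0000"
    "0000 0000 caba ebfe c11f 0000 0200 0000 0208 0000 0208 0000 c11f 0000 8b68 2036"
    "0000 0000 0000 0006 7365 6372 6574 0000")
PACKET6 = bytes.fromhex(
    "4500 00a8 07ae 0000 4011 485f 813e 93de 813e 93dd 0801 0320 0094 945a 6cc0 a621"
    "0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0001 0000 81a4"
    "0000 0001 0000 0000 0000 0000 0000 0028 0000 1000 0000 0000 0000 0002 0000 0802"
    "0000 20e7 3802 9dd6 0000 0000 3802 9d5a 0000 0000 3802 9d5a 0000 0000 0000 0028"
    "3031 3233 3435 2054 6869 7320 6973 2061 2073 6563 7265 7420 6d65 7373 6167 652e"
    "2035 3433 3231 300a")

NFS_PROC = {1: "GETATTR", 4: "LOOKUP", 6: "READ"}   # NFSv2 procedures seen on this page
FH_SIZE = 32                                        # NFSv2 file handle: fixed 32-byte opaque
FATTR = ("type", "mode", "nlink", "uid", "gid", "size", "blocksize", "rdev",
         "blocks", "fsid", "fileid")                 # RFC 1094 fattr words before the timevals

def ip_checksum(header):   # RFC 1071 one's-complement sum; 0 means the IPv4 header verifies
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

class XDR:   # cursor over XDR data (RFC 1014): big-endian 32-bit words, opaques padded to 4 bytes
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        self.pos += 4
        return struct.unpack_from("!I", self.data, self.pos - 4)[0]

    def opaque(self, n):                  # n bytes, then skip to the next 4-byte boundary
        start, self.pos = self.pos, self.pos + ((n + 3) & ~3)
        return self.data[start:start + n]

    def string(self):                     # length word, then padded bytes
        return self.opaque(self.u32()).decode("ascii")

def parse_ip_udp(pkt):
    """Split off the IPv4 and UDP headers, checking the lengths and the IPv4 header checksum."""
    ver_ihl, _, total, ident, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt)
    ihl = (ver_ihl & 0xF) * 4
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", pkt, ihl)
    if ((ver_ihl >> 4, proto) != (4, 17) or total != len(pkt) or ulen != total - ihl
            or ip_checksum(pkt[:ihl]) != 0):
        raise ValueError("IP/UDP header does not verify")
    hdr = {"id": ident, "ttl": ttl, "src": "%d.%d.%d.%d" % tuple(src),
           "dst": "%d.%d.%d.%d" % tuple(dst), "sport": sport, "dport": dport}
    return hdr, pkt[ihl + 8:]

def parse_call(payload):
    """ONC RPC CALL (RFC 1057) with its AUTH_UNIX credential, then the NFSv2 arguments."""
    x = XDR(payload)
    msg = {"xid": x.u32(), "msg_type": x.u32(), "rpcvers": x.u32(),
           "prog": x.u32(), "vers": x.u32(), "proc": x.u32()}
    flavor, cred = x.u32(), XDR(x.opaque(x.u32()))
    if flavor == 1:   # AUTH_UNIX: the client asserts these values; nothing in the message proves them
        msg["cred"] = {"stamp": cred.u32(), "machine": cred.string(),
                       "uid": cred.u32(), "gid": cred.u32()}
        msg["cred"]["gids"] = [cred.u32() for _ in range(cred.u32())]
    msg["verf_flavor"] = x.u32()
    x.opaque(x.u32())                     # verifier body (empty for AUTH_NULL)
    msg["fh"] = x.opaque(FH_SIZE).hex()   # LOOKUP, GETATTR and READ all begin with a handle
    if NFS_PROC.get(msg["proc"]) == "LOOKUP":
        msg["name"] = x.string()
    elif NFS_PROC.get(msg["proc"]) == "READ":
        msg["offset"], msg["count"], msg["totalcount"] = x.u32(), x.u32(), x.u32()
    return msg

def parse_reply(payload, proc):
    """RPC REPLY; a reply names no procedure, so pass the one whose CALL has the same xid."""
    x = XDR(payload)
    msg = {"xid": x.u32(), "msg_type": x.u32(), "reply_stat": x.u32(), "verf_flavor": x.u32()}
    x.opaque(x.u32())                     # verifier body
    msg["accept_stat"], msg["nfs_status"] = x.u32(), x.u32()
    if msg["nfs_status"] == 0:            # NFS_OK: results follow
        if NFS_PROC.get(proc) == "LOOKUP":
            msg["fh"] = x.opaque(FH_SIZE).hex()
        attrs = {f: x.u32() for f in FATTR}
        for t in ("atime", "mtime", "ctime"):   # XDR timeval: seconds, then microseconds
            sec, _usec = x.u32(), x.u32()
            attrs[t] = datetime.fromtimestamp(sec, timezone.utc).isoformat()
        msg["attrs"] = attrs
        if NFS_PROC.get(proc) == "READ":
            msg["data"] = x.opaque(x.u32())
    return msg

def audit(call):
    """What a reviewer of this traffic should flag (a check added here, not part of the page)."""
    findings, cred = [], call.get("cred")
    if cred and call["verf_flavor"] == 0:
        findings.append("AUTH_UNIX identity (uid %d from %s) is asserted, not verified: the verifier "
                        "is AUTH_NULL" % (cred["uid"], cred["machine"]))
    if cred and cred["uid"] == 0:
        findings.append("client claims uid 0; unless the export squashes root, it is served as root")
    return findings
```

Running `parse_call(parse_ip_udp(PACKET1)[1])` yields the xid 1791010337, procedure 4, the credential for uid 0 from moe.baylor.edu with gids 0, 1, 2, 3, 4, 6 and 10, the directory handle and the name "secret"; `parse_reply(parse_ip_udp(PACKET6)[1], proc=6)` yields the fattr with size 40, mode 0o100644, inode 8423, the atime of 02:32:54 UTC and the 40 bytes of file data. The checksum and length checks in parse_ip_udp are deliberately strict: a captured packet whose IP total length disagrees with the bytes on the wire, or whose header checksum fails, should be treated as damaged before any higher-layer field is believed.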