Wireshark-bugs: [Wireshark-bugs] [Bug 11720] New: two-pass NFSv4 skips valid operations

Date: Tue, 17 Nov 2015 01:58:13 +0000
Bug ID 11720
Summary two-pass NFSv4 skips valid operations
Product Wireshark
Version unspecified
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
 $ tshark -v
TShark (Wireshark) 2.0.0rc3 (SVN Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), without libnl,
with libz 1.2.7, with GLib 2.40.0, with SMI 0.4.8, with c-ares 1.10.0, without
Lua, with GnuTLS 3.3.8, with Gcrypt 1.5.3, with MIT Kerberos, without GeoIP.

Running on Linux 3.10.0-229.20.1.el7.x86_64, with locale en_AU.utf8, with
libpcap version 1.5.3, with libz 1.2.7, with GnuTLS 3.3.8, with Gcrypt 1.5.3.
Intel(R) Core(TM) i7-4800MQ CPU @ 2.70GHz (with SSE4.2)

Built using gcc 4.8.3 20140911 (Red Hat 4.8.3-9).
--
Individual NFSv4 opcodes are contained within a COMPOUND NFSv4 procedure. If
one runs:

tshark -r a.pcap -q -z rpc,srt,100003,4

to print the RTT of NFSv4 opcodes, you only get results for the COMPOUND
procedure and not individual ops. (Bug 1693 has an Enhancement request to
resolve this)

We have an awk script which attempts to provide per-operation RTT by parsing
the output of the nfs.main_opcode with a command like:

tshark -r a.pcap -2 -R "nfs.procedure_v4 and rpc.time" -T fields -e
nfs.main_opcode -e rpc.time

This uses two-pass mode. However, when running this in single-pass mode like:

tshark -r a.pcap -Y "nfs.procedure_v4 and rpc.time" -T fields -e
nfs.main_opcode -e rpc.time

We see a difference in the number of operations the two commands report.

Sometimes two-pass will either not print the opcode, or not even consider the
operation in its analysis. Hand-counting operations shows that two-pass is
inaccurate and single-pass is accurate.

Guy Harris suggested this is most likely a bug in the NFS dissector and
suggested I log a bug:
https://ask.wireshark.org/questions/47649/tshark-two-pass-nfsv4-skips-valid-operations

(note: most of our analysis so far has been done on packet captures where
tcpdump has dropped at least some traffic due to buffer overrun during receive.
We've yet to test this on a "perfect" packet capture)


You are receiving this mail because:
  • You are watching all bug changes.