I am trying to check for all NFS WRITE RPC requests in a packet capture that's around 27GB in size. I know that all NFS WRITEs are 1MB in size, so there should be ~27K NFS WRITE requests in the capture, but tshark (and also wireshark) give up after exactly 4095.
# tshark -r merged.pcap -Y nfs | grep "WRITE Call" | wc -l
Running as user "root" and group "root". This could be dangerous.
4095
Since it decodes up to exactly 4095, I suspect that maybe the RPC decoder is limited by the use of uint32 for the offset.
To confirm this, I restricted the NFS wsize to 256K and ran the same workload, and this time I can see that tshark can decode 4 times as many NFS WRITE requests, confirming that the 4GB size is somehow limiting the decoding.
I confirmed this with nfstrace and it correctly shows all 26K WRITE requests.
# nfstrace --mode=stat -I merged.pcap | grep WRITE | wc -l
26873
I even wrote my own decoder using libpcap, and I can correctly see all the WRITE requests as long as I correctly keep walking the stream using the fragment header length in the record marker.
Can someone confirm this? If anyone has used wireshark/tshark to decode RPC streams greater than 4GB, your confirmation will be helpful too. By the way, I've tried all the protocol preferences and nothing helps.
Thanks,
LS
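As an added example (not the poster's own libpcap decoder and not Wireshark code), here is a minimal Python walker over a record-marked ONC RPC stream (RFC 5531 record marking: a 4-byte header per fragment, high bit = last fragment, low 31 bits = fragment length). It reassembles fragments by following each record marker's length and counts NFSv3 WRITE calls (program 100003, version 3, procedure 7). It assumes the client-to-server TCP payload has already been reassembled into one byte stream (for instance with tcpflow or Wireshark's "Follow TCP Stream" raw export); pcap parsing and TCP reassembly are out of scope. The sample stream is constructed inline with AUTH_NULL credentials and dummy payloads, and stream offsets are tracked as Python ints, so positions beyond 4GB do not wrap.

```python
import io
import struct

NFS_PROGRAM = 100003      # ONC RPC program number for NFS
NFSPROC3_WRITE = 7        # NFSv3 WRITE procedure
RPC_CALL = 0              # msg_type CALL (1 = REPLY)
LAST_FRAGMENT = 0x80000000


def rpc_record(body, frag_size=None):
    """Record-mark an RPC message, optionally splitting it into several fragments."""
    frag_size = frag_size or len(body)
    chunks = [body[i:i + frag_size] for i in range(0, len(body), frag_size)] or [b""]
    out = bytearray()
    for i, chunk in enumerate(chunks):
        # 31-bit fragment length; the top bit marks the final fragment of the record
        marker = len(chunk) | (LAST_FRAGMENT if i == len(chunks) - 1 else 0)
        out += struct.pack(">I", marker) + chunk
    return bytes(out)


def rpc_call_body(xid, prog, vers, proc, payload=b""):
    """Build an RPC CALL header (RFC 5531) with AUTH_NULL cred/verf, followed by a payload."""
    return (struct.pack(">IIIIII", xid, RPC_CALL, 2, prog, vers, proc)
            + struct.pack(">II", 0, 0)    # cred: flavor AUTH_NULL, length 0
            + struct.pack(">II", 0, 0)    # verf: flavor AUTH_NULL, length 0
            + payload)


def iter_rpc_records(fp):
    """Yield (stream_offset, reassembled_record) by walking record markers in a file-like object.

    Offsets come from fp.tell(), a Python int, so there is no 32-bit wrap for streams over 4GB.
    """
    record = bytearray()
    start = None
    while True:
        hdr = fp.read(4)
        if not hdr:
            break
        if len(hdr) < 4:
            raise ValueError("truncated record marker at offset %d" % (fp.tell() - len(hdr)))
        (marker,) = struct.unpack(">I", hdr)
        length = marker & 0x7FFFFFFF
        if start is None:
            start = fp.tell() - 4
        frag = fp.read(length)
        if len(frag) != length:
            raise ValueError("truncated fragment in record starting at offset %d" % start)
        record += frag
        if marker & LAST_FRAGMENT:
            yield start, bytes(record)
            record = bytearray()
            start = None


def parse_rpc_call(record):
    """Return (xid, prog, vers, proc) for an RPC CALL record, or None for replies / short records."""
    if len(record) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", record, 0)
    if msg_type != RPC_CALL or rpcvers != 2:
        return None
    return xid, prog, vers, proc


def scan_stream(data):
    """Walk a reassembled byte stream; return [(offset, xid, prog, vers, proc), ...] for every CALL."""
    calls = []
    for offset, record in iter_rpc_records(io.BytesIO(data)):
        parsed = parse_rpc_call(record)
        if parsed:
            calls.append((offset,) + parsed)
    return calls


def count_nfs_writes(data):
    """Count NFSv3 WRITE calls in a reassembled client-to-server stream."""
    return sum(1 for _, _, prog, vers, proc in scan_stream(data)
               if prog == NFS_PROGRAM and vers == 3 and proc == NFSPROC3_WRITE)


def build_sample_stream():
    """Constructed test input: three WRITE calls (one multi-fragment), one READ, one REPLY."""
    return (rpc_record(rpc_call_body(1, NFS_PROGRAM, 3, NFSPROC3_WRITE, b"A" * 16))
            + rpc_record(rpc_call_body(2, NFS_PROGRAM, 3, NFSPROC3_WRITE, b"B" * 100), frag_size=30)
            + rpc_record(rpc_call_body(3, NFS_PROGRAM, 3, 6))          # NFSPROC3_READ
            + rpc_record(struct.pack(">II", 1, 1) + struct.pack(">II", 0, 0))  # REPLY to xid 1
            + rpc_record(rpc_call_body(4, NFS_PROGRAM, 3, NFSPROC3_WRITE, b"C" * 8)))


if __name__ == "__main__":
    sample = build_sample_stream()
    for offset, xid, prog, vers, proc in scan_stream(sample):
        print("offset=%d xid=%d prog=%d vers=%d proc=%d" % (offset, xid, prog, vers, proc))
    print("NFSv3 WRITE calls:", count_nfs_writes(sample))
```

Note that a single fragment is bounded to 2GB by the 31-bit length field, but a record may span several fragments and the stream position itself is unbounded here; to run this against a real capture, feed `iter_rpc_records` an open file containing the reassembled client-side TCP payload rather than the raw pcap.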