
@kofemann
Last active July 13, 2023 12:34
Simple Python script to parse NFS packets in a PDML file generated by Wireshark
#!/usr/bin/env python3
# Licensed under GNU GENERAL PUBLIC LICENSE Version 2
#
# parses files produced by : `tshark -r file.pcap -q -n -T pdml`
#
import xml.sax
import sys
# Numeric nfsstat4 status code -> symbolic name. PdmlHandler.endElement uses
# this table to decode the 'nfs.nfsstat4' field. Codes 3, 4, 10002 and 10073
# (among others) have no entry here.
nfsstat4 = {
    0: "NFS4_OK",
    1: "NFS4ERR_PERM",
    2: "NFS4ERR_NOENT",
    5: "NFS4ERR_IO",
    6: "NFS4ERR_NXIO",
    13: "NFS4ERR_ACCESS",
    17: "NFS4ERR_EXIST",
    18: "NFS4ERR_XDEV",
    20: "NFS4ERR_NOTDIR",
    21: "NFS4ERR_ISDIR",
    22: "NFS4ERR_INVAL",
    27: "NFS4ERR_FBIG",
    28: "NFS4ERR_NOSPC",
    30: "NFS4ERR_ROFS",
    31: "NFS4ERR_MLINK",
    63: "NFS4ERR_NAMETOOLONG",
    66: "NFS4ERR_NOTEMPTY",
    69: "NFS4ERR_DQUOT",
    70: "NFS4ERR_STALE",
    10001: "NFS4ERR_BADHANDLE",
    10003: "NFS4ERR_BAD_COOKIE",
    10004: "NFS4ERR_NOTSUPP",
    10005: "NFS4ERR_TOOSMALL",
    10006: "NFS4ERR_SERVERFAULT",
    10007: "NFS4ERR_BADTYPE",
    10008: "NFS4ERR_DELAY",
    10009: "NFS4ERR_SAME",
    10010: "NFS4ERR_DENIED",
    10011: "NFS4ERR_EXPIRED",
    10012: "NFS4ERR_LOCKED",
    10013: "NFS4ERR_GRACE",
    10014: "NFS4ERR_FHEXPIRED",
    10015: "NFS4ERR_SHARE_DENIED",
    10016: "NFS4ERR_WRONGSEC",
    10017: "NFS4ERR_CLID_INUSE",
    10018: "NFS4ERR_RESOURCE",
    10019: "NFS4ERR_MOVED",
    10020: "NFS4ERR_NOFILEHANDLE",
    10021: "NFS4ERR_MINOR_VERS_MISMATCH",
    10022: "NFS4ERR_STALE_CLIENTID",
    10023: "NFS4ERR_STALE_STATEID",
    10024: "NFS4ERR_OLD_STATEID",
    10025: "NFS4ERR_BAD_STATEID",
    10026: "NFS4ERR_BAD_SEQID",
    10027: "NFS4ERR_NOT_SAME",
    10028: "NFS4ERR_LOCK_RANGE",
    10029: "NFS4ERR_SYMLINK",
    10030: "NFS4ERR_RESTOREFH",
    10031: "NFS4ERR_LEASE_MOVED",
    10032: "NFS4ERR_ATTRNOTSUPP",
    10033: "NFS4ERR_NO_GRACE",
    10034: "NFS4ERR_RECLAIM_BAD",
    10035: "NFS4ERR_RECLAIM_CONFLICT",
    10036: "NFS4ERR_BADXDR",
    10037: "NFS4ERR_LOCKS_HELD",
    10038: "NFS4ERR_OPENMODE",
    10039: "NFS4ERR_BADOWNER",
    10040: "NFS4ERR_BADCHAR",
    10041: "NFS4ERR_BADNAME",
    10042: "NFS4ERR_BAD_RANGE",
    10043: "NFS4ERR_LOCK_NOTSUPP",
    10044: "NFS4ERR_OP_ILLEGAL",
    10045: "NFS4ERR_DEADLOCK",
    10046: "NFS4ERR_FILE_OPEN",
    10047: "NFS4ERR_ADMIN_REVOKED",
    10048: "NFS4ERR_CB_PATH_DOWN",
    10049: "NFS4ERR_BADIOMODE",
    10050: "NFS4ERR_BADLAYOUT",
    10051: "NFS4ERR_BAD_SESSION_DIGEST",
    10052: "NFS4ERR_BADSESSION",
    10053: "NFS4ERR_BADSLOT",
    10054: "NFS4ERR_COMPLETE_ALREADY",
    10055: "NFS4ERR_CONN_NOT_BOUND_TO_SESSION",
    10056: "NFS4ERR_DELEG_ALREADY_WANTED",
    10057: "NFS4ERR_BACK_CHAN_BUSY",
    10058: "NFS4ERR_LAYOUTTRYLATER",
    10059: "NFS4ERR_LAYOUTUNAVAILABLE",
    10060: "NFS4ERR_NOMATCHING_LAYOUT",
    10061: "NFS4ERR_RECALLCONFLICT",
    10062: "NFS4ERR_UNKNOWN_LAYOUTTYPE",
    10063: "NFS4ERR_SEQ_MISORDERED",
    10064: "NFS4ERR_SEQUENCE_POS",
    10065: "NFS4ERR_REQ_TOO_BIG",
    10066: "NFS4ERR_REP_TOO_BIG",
    10067: "NFS4ERR_REP_TOO_BIG_TO_CACHE",
    10068: "NFS4ERR_RETRY_UNCACHED_REP",
    10069: "NFS4ERR_UNSAFE_COMPOUND",
    10070: "NFS4ERR_TOO_MANY_OPS",
    10071: "NFS4ERR_OP_NOT_IN_SESSION",
    10072: "NFS4ERR_HASH_ALG_UNSUPP",
    10074: "NFS4ERR_CLIENTID_BUSY",
    10075: "NFS4ERR_PNFS_IO_HOLE",
    10076: "NFS4ERR_SEQ_FALSE_RETRY",
    10077: "NFS4ERR_BAD_HIGH_SLOT",
    10078: "NFS4ERR_DEADSESSION",
    10079: "NFS4ERR_ENCR_ALG_UNSUPP",
    10080: "NFS4ERR_PNFS_NO_LAYOUT",
    10081: "NFS4ERR_NOT_ONLY_OP",
    10082: "NFS4ERR_WRONG_CRED",
    10083: "NFS4ERR_WRONG_TYPE",
    10084: "NFS4ERR_DIRDELEG_UNAVAIL",
    10085: "NFS4ERR_REJECT_DELEG",
    10086: "NFS4ERR_RETURNCONFLICT",
    10087: "NFS4ERR_DELEG_REVOKED",
    10088: "NFS4ERR_PARTNER_NOTSUPP",
    10089: "NFS4ERR_PARTNER_NO_AUTH",
    10090: "NFS4ERR_UNION_NOTSUPP",
    10091: "NFS4ERR_OFFLOAD_DENIED",
    10092: "NFS4ERR_WRONG_LFS",
    10093: "NFS4ERR_BADLABEL",
    10094: "NFS4ERR_OFFLOAD_NO_REQS",
    10095: "NFS4ERR_NOXATTR",
    10096: "NFS4ERR_XATTR2BIG",
}
# Numeric operation code -> symbolic name. PdmlHandler.endElement uses this
# table to decode the 'nfs.main_opcode' field. Codes 0-2 have no entry here.
nfs_opnum4 = {
    3: "OP_ACCESS",
    4: "OP_CLOSE",
    5: "OP_COMMIT",
    6: "OP_CREATE",
    7: "OP_DELEGPURGE",
    8: "OP_DELEGRETURN",
    9: "OP_GETATTR",
    10: "OP_GETFH",
    11: "OP_LINK",
    12: "OP_LOCK",
    13: "OP_LOCKT",
    14: "OP_LOCKU",
    15: "OP_LOOKUP",
    16: "OP_LOOKUPP",
    17: "OP_NVERIFY",
    18: "OP_OPEN",
    19: "OP_OPENATTR",
    20: "OP_OPEN_CONFIRM",
    21: "OP_OPEN_DOWNGRADE",
    22: "OP_PUTFH",
    23: "OP_PUTPUBFH",
    24: "OP_PUTROOTFH",
    25: "OP_READ",
    26: "OP_READDIR",
    27: "OP_READLINK",
    28: "OP_REMOVE",
    29: "OP_RENAME",
    30: "OP_RENEW",
    31: "OP_RESTOREFH",
    32: "OP_SAVEFH",
    33: "OP_SECINFO",
    34: "OP_SETATTR",
    35: "OP_SETCLIENTID",
    36: "OP_SETCLIENTID_CONFIRM",
    37: "OP_VERIFY",
    38: "OP_WRITE",
    39: "OP_RELEASE_LOCKOWNER",
    40: "OP_BACKCHANNEL_CTL",
    41: "OP_BIND_CONN_TO_SESSION",
    42: "OP_EXCHANGE_ID",
    43: "OP_CREATE_SESSION",
    44: "OP_DESTROY_SESSION",
    45: "OP_FREE_STATEID",
    46: "OP_GET_DIR_DELEGATION",
    47: "OP_GETDEVICEINFO",
    48: "OP_GETDEVICELIST",
    49: "OP_LAYOUTCOMMIT",
    50: "OP_LAYOUTGET",
    51: "OP_LAYOUTRETURN",
    52: "OP_SECINFO_NO_NAME",
    53: "OP_SEQUENCE",
    54: "OP_SET_SSV",
    55: "OP_TEST_STATEID",
    56: "OP_WANT_DELEGATION",
    57: "OP_DESTROY_CLIENTID",
    58: "OP_RECLAIM_COMPLETE",
    59: "OP_ALLOCATE",
    60: "OP_COPY",
    61: "OP_COPY_NOTIFY",
    62: "OP_DEALLOCATE",
    63: "OP_IO_ADVISE",
    64: "OP_LAYOUTERROR",
    65: "OP_LAYOUTSTATS",
    66: "OP_OFFLOAD_CANCEL",
    67: "OP_OFFLOAD_STATUS",
    68: "OP_READ_PLUS",
    69: "OP_SEEK",
    70: "OP_WRITE_SAME",
    71: "OP_CLONE",
    72: "OP_GETXATTR",
    73: "OP_SETXATTR",
    74: "OP_LISTXATTRS",
    75: "OP_REMOVEXATTR",
    10044: "OP_ILLEGAL",
}
# Numeric callback operation code -> symbolic name. PdmlHandler.endElement
# uses this table to decode the 'nfs.cb.operation' field.
nfs_cb_opnum4 = {
    3: "OP_CB_GETATTR",
    4: "OP_CB_RECALL",
    5: "OP_CB_LAYOUTRECALL",
    6: "OP_CB_NOTIFY",
    7: "OP_CB_PUSH_DELEG",
    8: "OP_CB_RECALL_ANY",
    9: "OP_CB_RECALLABLE_OBJ_AVAIL",
    10: "OP_CB_RECALL_SLOT",
    11: "OP_CB_SEQUENCE",
    12: "OP_CB_WANTS_CANCELLED",
    13: "OP_CB_NOTIFY_LOCK",
    14: "OP_CB_NOTIFY_DEVICEID",
    15: "OP_CB_OFFLOAD",
    10044: "OP_CB_ILLEGAL",
}
# PDML field names that PdmlHandler.startElement copies into the per-packet
# dict; every other <field> element is ignored.
interest = [
    'frame.number',
    'frame.time_epoch',
    'frame.time_relative',
    'ip.src',
    'ip.dst',
    'tcp.srcport',
    'tcp.dstport',
    'rpc.xid',
    'rpc.msgtyp',
    'nfs.main_opcode',
    'nfs.nfsstat4',
    'nfs.fhandle',
    'nfs.stateid4.other',
    'nfs.cb.operation',
]
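class PdmlHandler(xml.sax.ContentHandler):
    """SAX handler that prints one dict per RPC packet found in a PDML stream.

    For every <packet> element the handler collects the ``show`` attribute of
    each <field> whose ``name`` is listed in ``interest``. When the packet
    ends and it carried an ``rpc.xid``, the numeric opcode / status fields are
    replaced by their symbolic names and the dict is printed.

    A field name that occurs several times inside one packet overwrites the
    earlier value, so only the last occurrence is reported.
    """

    def __init__(self):
        super().__init__()
        # Fields of interest seen so far in the packet currently being read.
        self._packet = {}

    @staticmethod
    def _symbolic(table, raw):
        """Return the name *table* holds for the number in *raw*, else *raw*.

        The values come from captured traffic, so a code that is missing from
        the table or is not a decimal integer must not abort the whole run;
        the raw text is kept so the reader still sees what was on the wire.
        """
        try:
            return table[int(raw)]
        except (ValueError, KeyError):
            return raw

    def startElement(self, name, attributes):
        """Start a fresh packet dict or record one interesting field."""
        if name == 'packet':
            self._packet = {}
        elif name == 'field':
            fname = attributes.get('name')
            # Skip fields without a 'show' attribute instead of raising
            # KeyError from getValue() and losing the rest of the capture.
            if fname in interest and 'show' in attributes:
                self._packet[fname] = attributes.getValue('show')

    def endElement(self, name):
        """Decode and print the collected packet when a RPC packet ends."""
        if name != 'packet' or 'rpc.xid' not in self._packet:
            return

        decoders = (
            ('nfs.main_opcode', nfs_opnum4),
            ('nfs.cb.operation', nfs_cb_opnum4),
            ('nfs.nfsstat4', nfsstat4),
        )
        for key, table in decoders:
            if key in self._packet:
                self._packet[key] = self._symbolic(table, self._packet[key])
        print(self._packet)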
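def parse(f):
    """Parse the PDML document *f* and print every RPC packet found in it.

    *f* is whatever ``xml.sax`` accepts as a source (main() passes an open
    text file). The parser is built explicitly so that resolution of external
    general entities can be switched off: the input is a file handed to the
    tool, and a DOCTYPE in it should never make the parser read other files
    or URLs. Recent Python versions already default to this; setting it here
    keeps the behaviour the same on older interpreters.

    NOTE(review): this does not bound internal entity expansion; whether that
    is limited depends on the expat library the interpreter is linked with.
    """
    reader = xml.sax.make_parser()
    reader.setFeature(xml.sax.handler.feature_external_ges, False)
    reader.setContentHandler(PdmlHandler())
    reader.parse(f)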
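def main():
    """Command-line entry point: parse the PDML file named in argv[1].

    A single argument is required: a path, or "-" to read standard input.
    The input is decoded as UTF-8 with undecodable bytes replaced, so stray
    bytes in the file do not stop the run.
    """
    if len(sys.argv) != 2:
        # Diagnostics go to stderr; stdout carries only the packet records.
        print("Usage: nfs_scan < file | - >", file=sys.stderr)
        sys.exit(1)

    from_stdin = sys.argv[1] == "-"
    # Reuse the already-open stdin descriptor instead of the '/dev/stdin'
    # path, which does not exist on every platform. closefd=False leaves
    # descriptor 0 open for the interpreter; a named file is closed as usual.
    source = sys.stdin.fileno() if from_stdin else sys.argv[1]
    with open(source, mode='r', encoding='utf-8', errors='replace',
              closefd=not from_stdin) as f:
        parse(f)


if __name__ == '__main__':
    main()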