
@kofemann
Last active July 13, 2023 12:34

Revisions

  1. kofemann revised this gist Jul 13, 2023. 1 changed file with 3 additions and 5 deletions.
    8 changes: 3 additions & 5 deletions nfs_pdml.py
    @@ -269,17 +269,15 @@ def parse(f):
    handler = PdmlHandler()
    xml.sax.parse(f, handler)


    def main():
    if len(sys.argv) != 2:
    print("Usage: nfs_scan <file>")
    print("Usage: nfs_scan < file | - >")
    sys.exit(1)

    packets = '/dev/stdin' if sys.argv[1] == "-" else sys.argv[1]


    with open(sys.argv[1], mode='r') as f:
    with open(packets, mode='r', encoding='utf-8', errors='replace') as f:
    parse(f)


    if __name__ == '__main__':
    main()
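Review bot: The stdin branch in main() hard-codes the path `/dev/stdin`, which does not exist on Windows and re-opens the device instead of using the descriptor the process already holds. Passing descriptor 0 to the same `open()` call keeps the decoding options and is portable: `packets = 0 if sys.argv[1] == "-" else sys.argv[1]`; the `with` block then closes stdin on exit, which is harmless here because main() returns right after. Separately, `errors='replace'` turns undecodable bytes into U+FFFD without any signal, so a short comment stating that this is deliberate, and that printed field values can therefore differ from the capture, would help anyone relying on the output during an investigation.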
  2. kofemann revised this gist Jul 5, 2023. 1 changed file with 31 additions and 4 deletions.
    35 changes: 31 additions & 4 deletions nfs_pdml.py
    @@ -202,6 +202,23 @@
    10044 : "OP_ILLEGAL",
    }

    nfs_cb_opnum4 = {
    3 : "OP_CB_GETATTR",
    4 : "OP_CB_RECALL",
    5 : "OP_CB_LAYOUTRECALL",
    6 : "OP_CB_NOTIFY",
    7 : "OP_CB_PUSH_DELEG",
    8 : "OP_CB_RECALL_ANY",
    9 : "OP_CB_RECALLABLE_OBJ_AVAIL",
    10 : "OP_CB_RECALL_SLOT",
    11 : "OP_CB_SEQUENCE",
    12 : "OP_CB_WANTS_CANCELLED",
    13 : "OP_CB_NOTIFY_LOCK",
    14 : "OP_CB_NOTIFY_DEVICEID",
    15 : "OP_CB_OFFLOAD",
    10044 : "OP_CB_ILLEGAL",
    }

    interest = [
    'frame.number',
    'frame.time_epoch',
    @@ -215,10 +232,12 @@
    'nfs.main_opcode',
    'nfs.nfsstat4',
    'nfs.fhandle',
    'nfs.stateid4.other'
    'nfs.stateid4.other',
    'nfs.cb.operation'
    ]

    class NfsPdmlHandler(xml.sax.ContentHandler):

    class PdmlHandler(xml.sax.ContentHandler):

    def __init__(self):
    self._packet = {}
    @@ -229,20 +248,25 @@ def startElement(self, name, attributes):
    elif name == 'field':
    fname = attributes.getValue('name')
    if fname in interest:
    self._packet[fname] = attributes.getValue('show')
    self._packet[fname] = attributes.getValue('show')


    def endElement(self, name):
    if name == 'packet' and 'rpc.xid' in self._packet:
    if 'nfs.main_opcode' in self._packet:
    self._packet['nfs.main_opcode'] = nfs_opnum4[int(self._packet['nfs.main_opcode'])]

    if 'nfs.cb.operation' in self._packet:
    self._packet['nfs.cb.operation'] = nfs_cb_opnum4[int(self._packet['nfs.cb.operation'])]

    if 'nfs.nfsstat4' in self._packet:
    self._packet['nfs.nfsstat4'] = nfsstat4[int(self._packet['nfs.nfsstat4'])]

    print(self._packet)


    def parse(f):
    handler = NfsPdmlHandler()
    handler = PdmlHandler()
    xml.sax.parse(f, handler)


    @@ -251,8 +275,11 @@ def main():
    print("Usage: nfs_scan <file>")
    sys.exit(1)



    with open(sys.argv[1], mode='r') as f:
    parse(f)


    if __name__ == '__main__':
    main()
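Review bot: The new callback lookup in endElement, `nfs_cb_opnum4[int(self._packet['nfs.cb.operation'])]`, raises KeyError for any operation number missing from the table and ValueError if the `show` text is not a bare integer, and either exception aborts the whole SAX parse. The field values come from captured traffic, so one packet carrying an unlisted opcode stops the analysis of everything after it. The same pattern is on the `nfs_opnum4` and `nfsstat4` lines of this hunk and in the initial revision of the file. A tolerant lookup keeps the raw value instead: `op = self._packet['nfs.cb.operation']` followed by `self._packet['nfs.cb.operation'] = nfs_cb_opnum4.get(int(op), op) if op.isdecimal() else op`.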
  3. kofemann created this gist Jul 4, 2023.
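--- a/nfs_pdml.py
+++ b/nfs_pdml.py
@@ -0,0 +1,258 @@
+#!/usr/bin/env python3
+
+# Licensed under GNU GENERAL PUBLIC LICENSE Version 2
+
+#
+# parses files produced by : `tshark -r file.pcap -q -n -T pdml`
+#
+
+import xml.sax
+import sys
+
+nfsstat4 = {
+0 : "NFS4_OK",
+1 : "NFS4ERR_PERM",
+2 : "NFS4ERR_NOENT",
+5 : "NFS4ERR_IO",
+6 : "NFS4ERR_NXIO",
+13 : "NFS4ERR_ACCESS",
+17 : "NFS4ERR_EXIST",
+18 : "NFS4ERR_XDEV",
+20 : "NFS4ERR_NOTDIR",
+21 : "NFS4ERR_ISDIR",
+22 : "NFS4ERR_INVAL",
+27 : "NFS4ERR_FBIG",
+28 : "NFS4ERR_NOSPC",
+30 : "NFS4ERR_ROFS",
+31 : "NFS4ERR_MLINK",
+63 : "NFS4ERR_NAMETOOLONG",
+66 : "NFS4ERR_NOTEMPTY",
+69 : "NFS4ERR_DQUOT",
+70 : "NFS4ERR_STALE",
+10001 : "NFS4ERR_BADHANDLE",
+10003 : "NFS4ERR_BAD_COOKIE",
+10004 : "NFS4ERR_NOTSUPP",
+10005 : "NFS4ERR_TOOSMALL",
+10006 : "NFS4ERR_SERVERFAULT",
+10007 : "NFS4ERR_BADTYPE",
+10008 : "NFS4ERR_DELAY",
+10009 : "NFS4ERR_SAME",
+10010 : "NFS4ERR_DENIED",
+10011 : "NFS4ERR_EXPIRED",
+10012 : "NFS4ERR_LOCKED",
+10013 : "NFS4ERR_GRACE",
+10014 : "NFS4ERR_FHEXPIRED",
+10015 : "NFS4ERR_SHARE_DENIED",
+10016 : "NFS4ERR_WRONGSEC",
+10017 : "NFS4ERR_CLID_INUSE",
+10018 : "NFS4ERR_RESOURCE",
+10019 : "NFS4ERR_MOVED",
+10020 : "NFS4ERR_NOFILEHANDLE",
+10021 : "NFS4ERR_MINOR_VERS_MISMATCH",
+10022 : "NFS4ERR_STALE_CLIENTID",
+10023 : "NFS4ERR_STALE_STATEID",
+10024 : "NFS4ERR_OLD_STATEID",
+10025 : "NFS4ERR_BAD_STATEID",
+10026 : "NFS4ERR_BAD_SEQID",
+10027 : "NFS4ERR_NOT_SAME",
+10028 : "NFS4ERR_LOCK_RANGE",
+10029 : "NFS4ERR_SYMLINK",
+10030 : "NFS4ERR_RESTOREFH",
+10031 : "NFS4ERR_LEASE_MOVED",
+10032 : "NFS4ERR_ATTRNOTSUPP",
+10033 : "NFS4ERR_NO_GRACE",
+10034 : "NFS4ERR_RECLAIM_BAD",
+10035 : "NFS4ERR_RECLAIM_CONFLICT",
+10036 : "NFS4ERR_BADXDR",
+10037 : "NFS4ERR_LOCKS_HELD",
+10038 : "NFS4ERR_OPENMODE",
+10039 : "NFS4ERR_BADOWNER",
+10040 : "NFS4ERR_BADCHAR",
+10041 : "NFS4ERR_BADNAME",
+10042 : "NFS4ERR_BAD_RANGE",
+10043 : "NFS4ERR_LOCK_NOTSUPP",
+10044 : "NFS4ERR_OP_ILLEGAL",
+10045 : "NFS4ERR_DEADLOCK",
+10046 : "NFS4ERR_FILE_OPEN",
+10047 : "NFS4ERR_ADMIN_REVOKED",
+10048 : "NFS4ERR_CB_PATH_DOWN",
+10049 : "NFS4ERR_BADIOMODE",
+10050 : "NFS4ERR_BADLAYOUT",
+10051 : "NFS4ERR_BAD_SESSION_DIGEST",
+10052 : "NFS4ERR_BADSESSION",
+10053 : "NFS4ERR_BADSLOT",
+10054 : "NFS4ERR_COMPLETE_ALREADY",
+10055 : "NFS4ERR_CONN_NOT_BOUND_TO_SESSION",
+10056 : "NFS4ERR_DELEG_ALREADY_WANTED",
+10057 : "NFS4ERR_BACK_CHAN_BUSY",
+10058 : "NFS4ERR_LAYOUTTRYLATER",
+10059 : "NFS4ERR_LAYOUTUNAVAILABLE",
+10060 : "NFS4ERR_NOMATCHING_LAYOUT",
+10061 : "NFS4ERR_RECALLCONFLICT",
+10062 : "NFS4ERR_UNKNOWN_LAYOUTTYPE",
+10063 : "NFS4ERR_SEQ_MISORDERED",
+10064 : "NFS4ERR_SEQUENCE_POS",
+10065 : "NFS4ERR_REQ_TOO_BIG",
+10066 : "NFS4ERR_REP_TOO_BIG",
+10067 : "NFS4ERR_REP_TOO_BIG_TO_CACHE",
+10068 : "NFS4ERR_RETRY_UNCACHED_REP",
+10069 : "NFS4ERR_UNSAFE_COMPOUND",
+10070 : "NFS4ERR_TOO_MANY_OPS",
+10071 : "NFS4ERR_OP_NOT_IN_SESSION",
+10072 : "NFS4ERR_HASH_ALG_UNSUPP",
+10074 : "NFS4ERR_CLIENTID_BUSY",
+10075 : "NFS4ERR_PNFS_IO_HOLE",
+10076 : "NFS4ERR_SEQ_FALSE_RETRY",
+10077 : "NFS4ERR_BAD_HIGH_SLOT",
+10078 : "NFS4ERR_DEADSESSION",
+10079 : "NFS4ERR_ENCR_ALG_UNSUPP",
+10080 : "NFS4ERR_PNFS_NO_LAYOUT",
+10081 : "NFS4ERR_NOT_ONLY_OP",
+10082 : "NFS4ERR_WRONG_CRED",
+10083 : "NFS4ERR_WRONG_TYPE",
+10084 : "NFS4ERR_DIRDELEG_UNAVAIL",
+10085 : "NFS4ERR_REJECT_DELEG",
+10086 : "NFS4ERR_RETURNCONFLICT",
+10087 : "NFS4ERR_DELEG_REVOKED",
+10088 : "NFS4ERR_PARTNER_NOTSUPP",
+10089 : "NFS4ERR_PARTNER_NO_AUTH",
+10090 : "NFS4ERR_UNION_NOTSUPP",
+10091 : "NFS4ERR_OFFLOAD_DENIED",
+10092 : "NFS4ERR_WRONG_LFS",
+10093 : "NFS4ERR_BADLABEL",
+10094 : "NFS4ERR_OFFLOAD_NO_REQS",
+10095 : "NFS4ERR_NOXATTR",
+10096 : "NFS4ERR_XATTR2BIG",
+}
+
+nfs_opnum4 = {
+3 : "OP_ACCESS",
+4 : "OP_CLOSE",
+5 : "OP_COMMIT",
+6 : "OP_CREATE",
+7 : "OP_DELEGPURGE",
+8 : "OP_DELEGRETURN",
+9 : "OP_GETATTR",
+10 : "OP_GETFH",
+11 : "OP_LINK",
+12 : "OP_LOCK",
+13 : "OP_LOCKT",
+14 : "OP_LOCKU",
+15 : "OP_LOOKUP",
+16 : "OP_LOOKUPP",
+17 : "OP_NVERIFY",
+18 : "OP_OPEN",
+19 : "OP_OPENATTR",
+20 : "OP_OPEN_CONFIRM",
+21 : "OP_OPEN_DOWNGRADE",
+22 : "OP_PUTFH",
+23 : "OP_PUTPUBFH",
+24 : "OP_PUTROOTFH",
+25 : "OP_READ",
+26 : "OP_READDIR",
+27 : "OP_READLINK",
+28 : "OP_REMOVE",
+29 : "OP_RENAME",
+30 : "OP_RENEW",
+31 : "OP_RESTOREFH",
+32 : "OP_SAVEFH",
+33 : "OP_SECINFO",
+34 : "OP_SETATTR",
+35 : "OP_SETCLIENTID",
+36 : "OP_SETCLIENTID_CONFIRM",
+37 : "OP_VERIFY",
+38 : "OP_WRITE",
+39 : "OP_RELEASE_LOCKOWNER",
+40 : "OP_BACKCHANNEL_CTL",
+41 : "OP_BIND_CONN_TO_SESSION",
+42 : "OP_EXCHANGE_ID",
+43 : "OP_CREATE_SESSION",
+44 : "OP_DESTROY_SESSION",
+45 : "OP_FREE_STATEID",
+46 : "OP_GET_DIR_DELEGATION",
+47 : "OP_GETDEVICEINFO",
+48 : "OP_GETDEVICELIST",
+49 : "OP_LAYOUTCOMMIT",
+50 : "OP_LAYOUTGET",
+51 : "OP_LAYOUTRETURN",
+52 : "OP_SECINFO_NO_NAME",
+53 : "OP_SEQUENCE",
+54 : "OP_SET_SSV",
+55 : "OP_TEST_STATEID",
+56 : "OP_WANT_DELEGATION",
+57 : "OP_DESTROY_CLIENTID",
+58 : "OP_RECLAIM_COMPLETE",
+59 : "OP_ALLOCATE",
+60 : "OP_COPY",
+61 : "OP_COPY_NOTIFY",
+62 : "OP_DEALLOCATE",
+63 : "OP_IO_ADVISE",
+64 : "OP_LAYOUTERROR",
+65 : "OP_LAYOUTSTATS",
+66 : "OP_OFFLOAD_CANCEL",
+67 : "OP_OFFLOAD_STATUS",
+68 : "OP_READ_PLUS",
+69 : "OP_SEEK",
+70 : "OP_WRITE_SAME",
+71 : "OP_CLONE",
+72 : "OP_GETXATTR",
+73 : "OP_SETXATTR",
+74 : "OP_LISTXATTRS",
+75 : "OP_REMOVEXATTR",
+10044 : "OP_ILLEGAL",
+}
+
+interest = [
+'frame.number',
+'frame.time_epoch',
+'frame.time_relative',
+'ip.src',
+'ip.dst',
+'tcp.srcport',
+'tcp.dstport',
+'rpc.xid',
+'rpc.msgtyp',
+'nfs.main_opcode',
+'nfs.nfsstat4',
+'nfs.fhandle',
+'nfs.stateid4.other'
+]
+
+class NfsPdmlHandler(xml.sax.ContentHandler):
+
+def __init__(self):
+self._packet = {}
+
+def startElement(self, name, attributes):
+if name == 'packet':
+self._packet = {}
+elif name == 'field':
+fname = attributes.getValue('name')
+if fname in interest:
+self._packet[fname] = attributes.getValue('show')
+
+def endElement(self, name):
+if name == 'packet' and 'rpc.xid' in self._packet:
+if 'nfs.main_opcode' in self._packet:
+self._packet['nfs.main_opcode'] = nfs_opnum4[int(self._packet['nfs.main_opcode'])]
+
+if 'nfs.nfsstat4' in self._packet:
+self._packet['nfs.nfsstat4'] = nfsstat4[int(self._packet['nfs.nfsstat4'])]
+
+print(self._packet)
+
+def parse(f):
+handler = NfsPdmlHandler()
+xml.sax.parse(f, handler)
+
+
+def main():
+if len(sys.argv) != 2:
+print("Usage: nfs_scan <file>")
+sys.exit(1)
+
+with open(sys.argv[1], mode='r') as f:
+parse(f)
+
+if __name__ == '__main__':
+main()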
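Review bot: parse() hands the file to `xml.sax.parse` with the default parser, so entity handling depends on the Python and Expat versions the script happens to run under; PDML derived from a capture that someone else supplied is best treated as untrusted XML. Building the parser explicitly makes the intent visible: `parser = xml.sax.make_parser()`, `parser.setFeature(xml.sax.handler.feature_external_ges, False)`, `parser.setContentHandler(handler); parser.parse(f)`. In startElement, `attributes.getValue('name')` and `attributes.getValue('show')` raise KeyError when a `field` element lacks the attribute, which ends the run; `attributes.get('show', '')` would let the parse continue. Whether tshark always emits both attributes cannot be confirmed from this page.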