From: Dag-Erling Smørgrav
To: Michael Proto
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Confused tcpdump
Date: Fri, 25 Sep 2009 11:59:01 +0200
Message-ID: <86fxabpcpm.fsf@ds4.des.no>

Michael Proto writes:
> Dag-Erling Smørgrav writes:
> > 15:50:42.622040 IP 10.0.0.10.871009576 > 10.0.0.4.2049: 192 lookup [|nfs]
> > 15:50:42.622386 IP 10.0.0.4.2049 > 10.0.0.10.871009576: reply ok 236 lookup [|nfs]
> >
> > I'm pretty sure 871009576 is not a valid port number...
> I've noticed this behavior since at least 4.3 as well, with the source
> port being some obscenely-high number, when examining UDP-based NFS
> traffic with tcpdump (32bit).

Somebody explained to me that this is in fact the NFS transaction ID:

    NFS Requests and Replies

    Sun NFS (Network File System) requests and replies are printed as:

        src.xid > dst.nfs: len op args
        src.nfs > dst.xid: reply stat len op results

        sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
        wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
        sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
        wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

    In the first line, host sushi sends a transaction with id 6709 to wrl
    (note that the number following the src host is a transaction id, not
    the source port). The request was 112 bytes, excluding the UDP and IP
    headers. The operation was a readlink (read symbolic link) on file
    handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the
    file handle can be interpreted as a major,minor device number pair,
    followed by the inode number and generation number.) Wrl replies ‘ok’
    with the contents of the link.

DES
-- 
Dag-Erling Smørgrav - des@des.no
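Added example, not part of the original message and not tcpdump's own code: a small Python parser for the `src.xid > dst.nfs` line format quoted above, which splits the transaction id from the host and pairs each reply with its request by xid. The function names are assumptions, and the sample lines are constructed from the ones in this thread.

```python
import re

# Constructed sample: the two lines from this thread, the man page example,
# with the last reply left out so that one request stays unanswered.
SAMPLE = """\
15:50:42.622040 IP 10.0.0.10.871009576 > 10.0.0.4.2049: 192 lookup [|nfs]
15:50:42.622386 IP 10.0.0.4.2049 > 10.0.0.10.871009576: reply ok 236 lookup [|nfs]
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
"""

# Optional timestamp and "IP"/"IP6" prefix, then "src > dst: rest".
LINE = re.compile(r"^(?:[\d:.]+\s+)?(?:IP6?\s+)?(\S+) > (\S+): (.+)$")

def parse_line(line):
    """Return a dict for one tcpdump NFS line, or None if it does not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.groups()
    fields = rest.split()
    is_reply = fields[0] == "reply"
    stat = fields[1] if is_reply and len(fields) > 1 else None
    body = fields[2:] if is_reply else fields      # body starts at "len op"
    if len(body) < 2 or not body[0].isdecimal() or "." not in src or "." not in dst:
        return None
    # After the last dot: the xid on the client side of the arrow, the port
    # (or service name such as "nfs") on the server side.
    client, xid = (dst if is_reply else src).rsplit(".", 1)
    server, port = (src if is_reply else dst).rsplit(".", 1)
    return {"reply": is_reply, "client": client, "server": server, "port": port,
            "xid": xid, "stat": stat, "len": int(body[0]), "op": body[1]}

def pair_by_xid(text):
    """Match replies to requests on (client, server, xid)."""
    pending, pairs = {}, []
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["client"], rec["server"], rec["xid"])
        if not rec["reply"]:
            pending[key] = rec
        elif key in pending:
            pairs.append((pending.pop(key), rec))
    return pairs, list(pending.values())   # (matched pairs, unanswered requests)

if __name__ == "__main__":
    pairs, unanswered = pair_by_xid(SAMPLE)
    for req, rep in pairs:
        print(req["client"], "xid", req["xid"], req["op"], "->", rep["stat"])
    for req in unanswered:
        print("no reply:", req["client"], "xid", req["xid"], req["op"])
```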