How can I identify who is writing to NFS server and where are these writes coming from?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!




centos raid nfsv4




share|improve this question



















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55














up vote
2
down vote

favorite












Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!




centos raid nfsv4




share|improve this question



















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!




centos raid nfsv4




share|improve this question











Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!





centos raid nfsv4





share|improve this question










share|improve this question




share|improve this question









asked May 8 at 23:41









PolkaRon

74113




74113











  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55
















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55















There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
– Nasir Riley
May 8 at 23:52




There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
– Nasir Riley
May 8 at 23:52












re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
– ivanivan
May 8 at 23:55




re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
– ivanivan
May 8 at 23:55










2 Answers
2






active

oldest

votes

















up vote
1
down vote













I found some good answers in this AskUbuntu question.



I would stress the answer that uses:



iftop -P -i <interface name (e.g. enp1s0)>


to show traffic sorted by volume on a port and then uses:



sudo netstat -tup <port number>


to identify which PID is using which port.



Once you have the PID, you're home free.






share|improve this answer






























    up vote
    0
    down vote













    I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






    share|improve this answer





















    • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
      – Vlastimil
      May 9 at 11:06










    • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
      – John Doe
      May 9 at 11:29











    • Put that to your answer.
      – Vlastimil
      May 9 at 11:54










    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442656%2fhow-can-i-identify-who-is-writing-to-nfs-server-and-where-are-these-writes-comin%23new-answer', 'question_page');

    );

    Post as a guest

















    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote













    I found some good answers in this AskUbuntu question.



    I would stress the answer that uses:



    iftop -P -i <interface name (e.g. enp1s0)>


    to show traffic sorted by volume on a port and then uses:



    sudo netstat -tup <port number>


    to identify which PID is using which port.



    Once you have the PID, you're home free.






    share|improve this answer



























      up vote
      1
      down vote













      I found some good answers in this AskUbuntu question.



      I would stress the answer that uses:



      iftop -P -i <interface name (e.g. enp1s0)>


      to show traffic sorted by volume on a port and then uses:



      sudo netstat -tup <port number>


      to identify which PID is using which port.



      Once you have the PID, you're home free.






      share|improve this answer

























        up vote
        1
        down vote










        up vote
        1
        down vote









        I found some good answers in this AskUbuntu question.



        I would stress the answer that uses:



        iftop -P -i <interface name (e.g. enp1s0)>


        to show traffic sorted by volume on a port and then uses:



        sudo netstat -tup <port number>


        to identify which PID is using which port.



        Once you have the PID, you're home free.






        share|improve this answer















        I found some good answers in this AskUbuntu question.



        I would stress the answer that uses:



        iftop -P -i <interface name (e.g. enp1s0)>


        to show traffic sorted by volume on a port and then uses:



        sudo netstat -tup <port number>


        to identify which PID is using which port.



        Once you have the PID, you're home free.







        share|improve this answer















        share|improve this answer



        share|improve this answer








        edited May 9 at 11:09









        Vlastimil

        6,3011146116




        6,3011146116











        answered May 9 at 6:05









        mathew gunther

        515




        515






















            up vote
            0
            down vote













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer





















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54














            up vote
            0
            down vote













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer





















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54












            up vote
            0
            down vote










            up vote
            0
            down vote









            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.







            share|improve this answer













            share|improve this answer



            share|improve this answer











            answered May 9 at 11:02









            John Doe

            804




            804











            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54
















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54















            Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
            – Vlastimil
            May 9 at 11:06




            Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
            – Vlastimil
            May 9 at 11:06












            Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
            – John Doe
            May 9 at 11:29





            Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
            – John Doe
            May 9 at 11:29













            Put that to your answer.
            – Vlastimil
            May 9 at 11:54




            Put that to your answer.
            – Vlastimil
            May 9 at 11:54












             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442656%2fhow-can-i-identify-who-is-writing-to-nfs-server-and-where-are-these-writes-comin%23new-answer', 'question_page');

            );

            Post as a guest
































































            -

            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
            Read more

            Bahrain

            Image
            For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
            Read more

            Postfix configuration issue with fips on centos 7; mailgun relay

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
            Read more