How can I identify who is writing to NFS server and where are these writes coming from?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!







share|improve this question



















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55














up vote
2
down vote

favorite












Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!







share|improve this question



















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!







share|improve this question











Our CentOS6 NFS export is near 100% capacity. We've turned off NFS for now and are trying to move data around. I temporarily turned it back on with logging on and was surprised to see data roaring back into the NFS directories. There's no information in the log about who is doing the writing. I'd like to find out where these writes are coming from, who is doing them, and which directory they're writing to. Unfortunately, the logs don't really show me the identities of who/where they are coming from. Any hints on how to get that information?



Thanks in advance!









share|improve this question










share|improve this question




share|improve this question









asked May 8 at 23:41









PolkaRon

74113




74113











  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55
















  • There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
    – Nasir Riley
    May 8 at 23:52










  • re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
    – ivanivan
    May 8 at 23:55















There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
– Nasir Riley
May 8 at 23:52




There really isn't any way to find out who is writing to the export unless you're going to monitor processes on every machine that has the exports mounted. You can du /path/to/export | sort -rn > outputfile on the machine which will output the largest file sizes to a file and you can review it to see what's taking up the space. Perhaps that will give you a better idea of what's happening.
– Nasir Riley
May 8 at 23:52












re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
– ivanivan
May 8 at 23:55




re-enable but firewall off and look for connection attempts in the fw logs? if a small enough ip pool, re-allow small blocks at a time until writes start flooding in...
– ivanivan
May 8 at 23:55










2 Answers
2






active

oldest

votes

















up vote
1
down vote













I found some good answers in this AskUbuntu question.



I would stress the answer that uses:



iftop -P -i <interface name (e.g. enp1s0)>


to show traffic sorted by volume on a port and then uses:



sudo netstat -tup <port number>


to identify which PID is using which port.



Once you have the PID, you're home free.






share|improve this answer






























    up vote
    0
    down vote













    I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






    share|improve this answer





















    • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
      – Vlastimil
      May 9 at 11:06










    • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
      – John Doe
      May 9 at 11:29











    • Put that to your answer.
      – Vlastimil
      May 9 at 11:54










    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442656%2fhow-can-i-identify-who-is-writing-to-nfs-server-and-where-are-these-writes-comin%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote













    I found some good answers in this AskUbuntu question.



    I would stress the answer that uses:



    iftop -P -i <interface name (e.g. enp1s0)>


    to show traffic sorted by volume on a port and then uses:



    sudo netstat -tup <port number>


    to identify which PID is using which port.



    Once you have the PID, you're home free.






    share|improve this answer



























      up vote
      1
      down vote













      I found some good answers in this AskUbuntu question.



      I would stress the answer that uses:



      iftop -P -i <interface name (e.g. enp1s0)>


      to show traffic sorted by volume on a port and then uses:



      sudo netstat -tup <port number>


      to identify which PID is using which port.



      Once you have the PID, you're home free.






      share|improve this answer

























        up vote
        1
        down vote










        up vote
        1
        down vote









        I found some good answers in this AskUbuntu question.



        I would stress the answer that uses:



        iftop -P -i <interface name (e.g. enp1s0)>


        to show traffic sorted by volume on a port and then uses:



        sudo netstat -tup <port number>


        to identify which PID is using which port.



        Once you have the PID, you're home free.






        share|improve this answer















        I found some good answers in this AskUbuntu question.



        I would stress the answer that uses:



        iftop -P -i <interface name (e.g. enp1s0)>


        to show traffic sorted by volume on a port and then uses:



        sudo netstat -tup <port number>


        to identify which PID is using which port.



        Once you have the PID, you're home free.







        share|improve this answer















        share|improve this answer



        share|improve this answer








        edited May 9 at 11:09









        Vlastimil

        6,3011146116




        6,3011146116











        answered May 9 at 6:05









        mathew gunther

        515




        515






















            up vote
            0
            down vote













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer





















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54














            up vote
            0
            down vote













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer





















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54












            up vote
            0
            down vote










            up vote
            0
            down vote









            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.






            share|improve this answer













            I would suggest to use 'wireshark' tool to monitor network traffic. With filters set to show only NFS traffic you will be able to identify network hosts writing to your NFS server.







            share|improve this answer













            share|improve this answer



            share|improve this answer











            answered May 9 at 11:02









            John Doe

            804




            804











            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54
















            • Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
              – Vlastimil
              May 9 at 11:06










            • Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
              – John Doe
              May 9 at 11:29











            • Put that to your answer.
              – Vlastimil
              May 9 at 11:54















            Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
            – Vlastimil
            May 9 at 11:06




            Wireshark is good. Maybe too good for this job. Don't misunderstand me, I mean well, but that program is a little complex to me at least.
            – Vlastimil
            May 9 at 11:06












            Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
            – John Doe
            May 9 at 11:29





            Wireshark is very easy to use: Launch wireshark GUI. Select network card. Start capturing traffic. Select line marked with NFS. From context menu select apply it as filter. Write down displayed IP address, from context menu add it as exclude filter. Repeat it until list gets empy.
            – John Doe
            May 9 at 11:29













            Put that to your answer.
            – Vlastimil
            May 9 at 11:54




            Put that to your answer.
            – Vlastimil
            May 9 at 11:54












             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442656%2fhow-can-i-identify-who-is-writing-to-nfs-server-and-where-are-these-writes-comin%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?