Merge pull request #1231 from kofemann/nfs

packetbeat: add support for NFS v3 and v4 protocols
elastic · Mar 30, 2016 · 928d8d7 · 928d8d7
2 parents 1b5b6c6 + ce41d1a
commit 928d8d7
Show file tree

Hide file tree

Showing 20 changed files with 1,221 additions and 0 deletions.
diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc
@@ -24,6 +24,7 @@ grouped in the following categories:
 * <<exported-fields-trans_env>>
 * <<exported-fields-flows_env>>
 * <<exported-fields-raw>>
+* <<exported-fields-nfs>>
 
 [[exported-fields-flows_event]]
 === Flow Event Fields
@@ -1453,6 +1454,102 @@ A BSON document that specifies the update to be performed. For information on sp
 The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
 
 
+=== rpc Fields
+
+OncRPC specific event fields.
+
+
+==== rpc.xid
+
+RPC message transaction identifier.
+
+==== rpc.call_size
+
+type: number
+
+RPC call size with argument.
+
+==== rpc.reply_size
+
+type: number
+
+RPC reply size with argument.
+
+==== rpc.status
+
+RPC message reply status.
+
+==== rpc.time
+
+type: number
+
+RPC message processing time.
+
+==== rpc.time_str
+
+RPC message processing time in human readable form.
+
+==== rpc.auth_flavor
+
+RPC authentication flavor.
+
+==== rpc.cred.uid
+
+type: number
+
+RPC caller's user id, in case of auth-unix.
+
+==== rpc.cred.gid
+
+type: number
+
+RPC caller's group id, in case of auth-unix.
+
+==== rpc.cred.gids
+
+RPC caller's secondary group ids, in case of auth-unix.
+
+==== rpc.cred.stamp
+
+type: number
+
+Arbitrary ID which the caller machine may generate.
+
+==== rpc.cred.machinename
+
+The name of the caller's machine.
+
+[[exported-fields-nfs]]
+=== NFS Fields
+
+NFS v4/3 specific event fields.
+
+
+==== nfs.version
+
+type: number
+
+NFS protocol version number.
+
+==== nfs.minor_version
+
+type: number
+
+NFS protocol minor version number.
+
+==== nfs.tag
+
+NFS v4 COMPOUND operation tag.
+
+==== nfs.opcode
+
+NFS operation name, or main operation name, in case of COMPOUND calls.
+
+
+==== nfs.status
+
+NFS operation reply status.
+
 [[exported-fields-trans_measurements]]
 === Measurements (Transactions) Fields
 

diff --git a/packetbeat/etc/beat.yml b/packetbeat/etc/beat.yml
@@ -146,6 +146,11 @@ protocols:
     # the MongoDB protocol by commenting out the list of ports.
     ports: [27017]
 
+  nfs:
+    # Configure the ports where to listen for NFS traffic. You can disable
+    # the NFS protocol by commenting out the list of ports.
+    ports: [2049]
+
 ############################# Processes #######################################
 
 # Configure the processes to be monitored and how to find them. If a process is

diff --git a/packetbeat/etc/fields.yml b/packetbeat/etc/fields.yml
@@ -1288,6 +1288,74 @@ trans_event:
           description: >
             The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
 
+    - name: rpc
+      type: group
+      description: OncRPC specific event fields.
+      fields:
+        - name: xid
+          description: RPC message transaction identifier.
+
+        - name: call_size
+          type: number
+          description: RPC call size with argument.
+
+        - name: reply_size
+          type: number
+          description: RPC reply size with argument.
+
+        - name: status
+          description: RPC message reply status.
+
+        - name: time
+          type: number
+          description: RPC message processing time.
+
+        - name: time_str
+          description: RPC message processing time in human readable form.
+
+        - name: auth_flavor
+          description: RPC authentication flavor.
+
+        - name: cred.uid
+          type: number
+          description: RPC caller's user id, in case of auth-unix.
+
+        - name: cred.gid
+          type: number
+          description: RPC caller's group id, in case of auth-unix.
+
+        - name: cred.gids
+          description: RPC caller's secondary group ids, in case of auth-unix.
+
+        - name: cred.stamp
+          type: number
+          description: Arbitrary ID which the caller machine may generate.
+
+        - name: cred.machinename
+          description: The name of the caller's machine.
+
+    - name: nfs
+      type: group
+      description: NFS v4/3 specific event fields.
+      fields:
+        - name: version
+          type: number
+          description: NFS protocol version number.
+
+        - name: minor_version
+          type: number
+          description: NFS protocol minor version number.
+
+        - name: tag
+          description: NFS v4 COMPOUND operation tag.
+
+        - name: opcode
+          description: >
+            NFS operation name, or main operation name, in case of COMPOUND
+            calls.
+
+        - name: status
+          description: NFS operation reply status.
 raw:
   type: group
   description: These fields contain the raw transaction data.
@@ -1383,3 +1451,4 @@ sections:
   - ["trans_env", "Environmental (Transactions)"]
   - ["flows_env", "Environmental (Flows)"]
   - ["raw", "Raw"]
+  - ["nfs", "NFS"]
diff --git a/packetbeat/etc/sample_outputs/nfs.json b/packetbeat/etc/sample_outputs/nfs.json
@@ -0,0 +1,41 @@
+{
+  "@timestamp": "2016-03-28T06:18:18.431Z",
+  "beat": {
+    "hostname": "localhost",
+    "name": "localhost"
+  },
+  "count": 1,
+  "dst": "127.0.0.1",
+  "dst_port": 2049,
+  "nfs": {
+    "minor_version": 1,
+    "opcode": "GETATTR",
+    "status": "NFSERR_NOENT",
+    "tag": "",
+    "version": 4
+  },
+  "rpc": {
+    "auth_flavor": "unix",
+    "call_size": 200,
+    "cred": {
+      "gid": 500,
+      "gids": [
+        491,
+        499,
+        500
+      ],
+      "machinename": "localhost",
+      "stamp": 4597002,
+      "uid": 500
+    },
+    "reply_size": 96,
+    "status": "success",
+    "time": 25631000,
+    "time_str": "25.631ms",
+    "xid": "2cf0c876"
+  },
+  "src": "127.0.0.1",
+  "src_port": 975,
+  "type": "nfs"
+}
+
diff --git a/packetbeat/main.go b/packetbeat/main.go
@@ -13,6 +13,7 @@ import (
 	_ "github.com/elastic/beats/packetbeat/protos/memcache"
 	_ "github.com/elastic/beats/packetbeat/protos/mongodb"
 	_ "github.com/elastic/beats/packetbeat/protos/mysql"
+	_ "github.com/elastic/beats/packetbeat/protos/nfs"
 	_ "github.com/elastic/beats/packetbeat/protos/pgsql"
 	_ "github.com/elastic/beats/packetbeat/protos/redis"
 	_ "github.com/elastic/beats/packetbeat/protos/thrift"

diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
@@ -146,6 +146,11 @@ protocols:
     # the MongoDB protocol by commenting out the list of ports.
     ports: [27017]
 
+  nfs:
+    # Configure the ports where to listen for NFS traffic. You can disable
+    # the NFS protocol by commenting out the list of ports.
+    ports: [2049]
+
 ############################# Processes #######################################
 
 # Configure the processes to be monitored and how to find them. If a process is

diff --git a/packetbeat/protos/nfs/README.md b/packetbeat/protos/nfs/README.md
@@ -0,0 +1,53 @@
+NFS packetbeat
+==============
+
+NFS v3 and v4 protocols parsing for packetbeat.
+
+Can be extended to handle other SunRPC based protocols as well.
+
+Sample output:
+--------------
+```json
+{
+  "@timestamp": "2016-03-28T06:18:18.431Z",
+  "beat": {
+    "hostname": "localhost",
+    "name": "localhost"
+  },
+  "count": 1,
+  "dst": "127.0.0.1",
+  "dst_port": 2049,
+  "nfs": {
+    "minor_version": 1,
+    "opcode": "GETATTR",
+    "status": "NFSERR_NOENT",
+    "tag": "",
+    "version": 4
+  },
+  "rpc": {
+    "auth_flavor": "unix",
+    "call_size": 200,
+    "cred": {
+      "gid": 500,
+      "gids": [
+        491,
+        499,
+        500
+      ],
+      "machinename": "localhost",
+      "stamp": 4597002,
+      "uid": 500
+    },
+    "reply_size": 96, 
+    "status": "success",
+    "time": 25631000,
+    "time_str": "25.631ms",
+    "xid": "2cf0c876"
+  },
+  "src": "127.0.0.1",
+  "src_port": 975,
+  "type": "nfs"
+}
+```
+
+
diff --git a/packetbeat/protos/nfs/config.go b/packetbeat/protos/nfs/config.go
@@ -0,0 +1,18 @@
+package nfs
+
+import (
+	"github.com/elastic/beats/packetbeat/config"
+	"github.com/elastic/beats/packetbeat/protos"
+)
+
+type rpcConfig struct {
+	config.ProtocolCommon `config:",inline"`
+}
+
+var (
+	defaultConfig = rpcConfig{
+		ProtocolCommon: config.ProtocolCommon{
+			TransactionTimeout: protos.DefaultTransactionExpiration,
+		},
+	}
+)
diff --git a/packetbeat/protos/nfs/nfs.go b/packetbeat/protos/nfs/nfs.go
@@ -0,0 +1,42 @@
+package nfs
+
+import (
+	"github.com/elastic/beats/libbeat/common"
+	"time"
+)
+
+type Nfs struct {
+	xdr   Xdr
+	vers  uint32
+	proc  uint32
+	event common.MapStr
+	ts    time.Time
+}
+
+func (nfs *Nfs) getRequestInfo() {
+
+	nfsInfo := common.MapStr{}
+	nfsInfo["version"] = nfs.vers
+
+	switch nfs.vers {
+	case 3:
+		nfsInfo["opcode"] = nfs.getV3Opcode()
+	case 4:
+		switch nfs.proc {
+		case 0:
+			nfsInfo["opcode"] = "NULL"
+		case 1:
+			tag := nfs.xdr.getDynamicOpaque()
+			nfsInfo["tag"] = string(tag)
+			nfsInfo["minor_version"] = nfs.xdr.getUInt()
+			nfsInfo["opcode"] = nfs.getV4Opcode()
+		}
+	}
+	nfs.event["nfs"] = nfsInfo
+}
+
+func (nfs *Nfs) getReplyInfo(xdr *Xdr) {
+	nfsInfo := nfs.event["nfs"].(common.MapStr)
+	stat := int(xdr.getUInt())
+	nfsInfo["status"] = NFS_STATUS[stat]
+}