Bug #4456

snoop(1m) should display remote RPC calls in summary mode

Added by Marcel Telka over 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: cmd - userland programs
Start date: 2014-01-10
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

In case of a remote RPC call (CALLIT, BCAST, or INDIRECT), snoop(1m) in summary mode displays the encapsulated RPC call, not the remote RPC call itself.

Here is an example:

# snoop -r -d lo0 
Using device lo0 (promiscuous mode)
   127.0.0.1 -> 127.0.0.1    RPCBIND C GETTIME
   127.0.0.1 -> 127.0.0.1    RPCBIND C GETTIME
   127.0.0.1 -> 127.0.0.1    RPCBIND R GETTIME 
   127.0.0.1 -> 127.0.0.1    RPCBIND R GETTIME

The 1st and 4th packets above are the remote call; the 2nd and 3rd packets are the normal (non-remote) RPC call.

The same traffic in verbose summary mode:

# snoop -r -d lo0 -V
Using device lo0 (promiscuous mode)
________________________________
   127.0.0.1 -> 127.0.0.1    IPNET src zone 0 dst zone 0
   127.0.0.1 -> 127.0.0.1    IP  D=127.0.0.1 S=127.0.0.1 LEN=84, ID=0, TOS=0x0, TTL=255
   127.0.0.1 -> 127.0.0.1    UDP D=111 S=47279 LEN=64
   127.0.0.1 -> 127.0.0.1    RPC C XID=1389445658 PROG=100000 (PMAP) VERS=4 PROC=5
   127.0.0.1 -> 127.0.0.1    RPCBIND C BCAST prog=PMAP vers=4 proc=6
   127.0.0.1 -> 127.0.0.1    RPCBIND C GETTIME
________________________________
   127.0.0.1 -> 127.0.0.1    IPNET src zone 0 dst zone 0
   127.0.0.1 -> 127.0.0.1    IP  D=127.0.0.1 S=127.0.0.1 LEN=68, ID=0, TOS=0x0, TTL=255
   127.0.0.1 -> 127.0.0.1    UDP D=111 S=37197 LEN=48
   127.0.0.1 -> 127.0.0.1    RPC C XID=3021490624 PROG=100000 (PMAP) VERS=4 PROC=6
   127.0.0.1 -> 127.0.0.1    RPCBIND C GETTIME
________________________________
   127.0.0.1 -> 127.0.0.1    IPNET src zone 0 dst zone 0
   127.0.0.1 -> 127.0.0.1    IP  D=127.0.0.1 S=127.0.0.1 LEN=56, ID=0, TOS=0x0, TTL=255
   127.0.0.1 -> 127.0.0.1    UDP D=37197 S=111 LEN=36
   127.0.0.1 -> 127.0.0.1    RPC R (#2) XID=3021490624 Success
   127.0.0.1 -> 127.0.0.1    RPCBIND R GETTIME 
________________________________
   127.0.0.1 -> 127.0.0.1    IPNET src zone 0 dst zone 0
   127.0.0.1 -> 127.0.0.1    IP  D=127.0.0.1 S=127.0.0.1 LEN=80, ID=0, TOS=0x0, TTL=255
   127.0.0.1 -> 127.0.0.1    UDP D=47279 S=37197 LEN=60
   127.0.0.1 -> 127.0.0.1    RPC R (#1) XID=1389445658 Success
   127.0.0.1 -> 127.0.0.1    RPCBIND R BCAST Uaddr=127.0.0.1.0.111 len=4
   127.0.0.1 -> 127.0.0.1    RPCBIND R GETTIME

The issue is reproducible using this:

$ cat rmtcall.c 
#include <rpc/rpc.h>
#include <netconfig.h>
#include <rpc/rpcb_prot.h>
#include <netdir.h>

int
main(int argc, char **argv)
{
    struct netconfig *nconf;
    ulong_t ret;
    struct timeval tout;
    struct netbuf *svca;
    char *addr;

    if (argc < 2)
        addr = "localhost";
    else
        addr = argv[1];

    nconf = getnetconfigent("udp");

    tout.tv_sec = 10;
    tout.tv_usec = 0;

    svca = uaddr2taddr(nconf, addr);

    (void) rpcb_rmtcall(nconf,
        addr, RPCBPROG,
        RPCBVERS4, RPCBPROC_GETTIME,
        xdr_void, NULL,
        xdr_u_long, (caddr_t)&ret,
        tout, svca);

    return (0);
}
$ gcc -lnsl -o rmtcall rmtcall.c 
$ ./rmtcall 
$

Related issues

Related to illumos gate - Bug #4481: snoop(1m) does not decode time in GETTIME rpcbind operation (Resolved, Marcel Telka, 2014-01-14)
Related to illumos gate - Bug #4483: rpcbind: Reply for remote calls comes from incorrect UDP port (Resolved, Marcel Telka, 2014-01-15)

#1

Updated by Marcel Telka over 7 years ago

  • Subject changed from snoop(1m) shold display remote calls in summary mode to snoop(1m) shold display remote RPC calls in summary mode
#2

Updated by Rich Lowe over 7 years ago

  • Subject changed from snoop(1m) shold display remote RPC calls in summary mode to snoop(1m) should display remote RPC calls in summary mode
#3

Updated by Marcel Telka over 7 years ago

  • Status changed from New to In Progress
#4

Updated by Marcel Telka about 7 years ago

There are three modes of verbosity in snoop:

  1. summary mode (the default mode, flags: F_SUM)
  2. verbose summary mode (option -V, flags: F_SUM | F_ALLSUM)
  3. verbose mode (option -v, flags: F_DTAIL)

Both summary and verbose summary modes are handled together. The verbose mode is separate (the output is completely different).

When flags is F_SUM, snoop prepares several lines of the (future) output during the packet decode. Once the whole packet is decoded, snoop prints all of the prepared lines (if flags is F_ALLSUM), or only the last line (when flags does not have F_ALLSUM).

With the remote RPC calls the last line is the "embedded" RPC call, not the remote RPC call itself. It is clearly visible in the verbose summary mode output:

   127.0.0.1 -> 127.0.0.1    IPNET src zone 0 dst zone 0
   127.0.0.1 -> 127.0.0.1    IP  D=127.0.0.1 S=127.0.0.1 LEN=84, ID=0, TOS=0x0, TTL=255
   127.0.0.1 -> 127.0.0.1    UDP D=111 S=47279 LEN=64
   127.0.0.1 -> 127.0.0.1    RPC C XID=1389445658 PROG=100000 (PMAP) VERS=4 PROC=5
   127.0.0.1 -> 127.0.0.1    RPCBIND C BCAST prog=PMAP vers=4 proc=6
   127.0.0.1 -> 127.0.0.1    RPCBIND C GETTIME

Since in summary mode (one line of output per packet) we are interested in the "envelope" RPC (BCAST in our case), I just prevented the protoprint() call (if flags is not F_ALLSUM), so as not to decode the embedded RPC (in our case GETTIME).
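
Added example, not part of the ticket and not snoop's own source: a small C model of the line selection described in comment #4, run over the BCAST arguments from the trace above. The function name rmtcall_summary, its fixed parameter, the numeric flag values and the numeric prog= output are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names are from the ticket; the numeric values here are assumed. */
#define F_SUM    0x1
#define F_ALLSUM 0x2
#define RPCBPROG 100000u            /* rpcbind program number (RFC 1833) */
#define RPCBPROC_GETTIME 6u

static uint32_t get_u32(const uint8_t *p)   /* one big-endian XDR word */
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Hypothetical model: parse rpcb_rmtcallargs (prog, vers, proc, args<>) of a
 * BCAST call and return the text snoop would print for it. fixed=0 models
 * the behaviour reported in the ticket, fixed=1 the change from comment #4. */
const char *rmtcall_summary(const uint8_t *b, size_t len, int flags, int fixed)
{
    static char out[2 * 81];
    char lines[2][80];              /* lines prepared during decode */
    int n = 0;
    out[0] = '\0';
    if (len < 16) {                 /* three words plus the args length */
        snprintf(lines[n++], 80, "RPCBIND C BCAST (truncated)");
    } else {
        uint32_t prog = get_u32(b), proc = get_u32(b + 8);
        snprintf(lines[n++], 80, "RPCBIND C BCAST prog=%u vers=%u proc=%u",
            prog, get_u32(b + 4), proc);
        /* Decode the embedded call only when every line will be shown. */
        if ((!fixed || (flags & F_ALLSUM)) &&
            prog == RPCBPROG && proc == RPCBPROC_GETTIME)
            snprintf(lines[n++], 80, "RPCBIND C GETTIME");
    }
    /* Print every prepared line with F_ALLSUM, otherwise only the last. */
    for (int i = (flags & F_ALLSUM) ? 0 : n - 1; i < n; i++)
        strcat(strcat(out, lines[i]), "\n");
    return out;
}

/* Constructed sample: BCAST args wrapping GETTIME, values from the ticket. */
const uint8_t sample[16] = { 0, 1, 0x86, 0xa0, 0, 0, 0, 4, 0, 0, 0, 6 };

int main(void)
{
    printf("before: %s", rmtcall_summary(sample, sizeof (sample), F_SUM, 0));
    printf("after:  %s", rmtcall_summary(sample, sizeof (sample), F_SUM, 1));
    return 0;
}
```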

#5

Updated by Marcel Telka about 7 years ago

In addition, I found a minor bug in the GETTIME time decoding. Previously, getxdr_date() was used to "decode" the time. The problem is that getxdr_date() uses 8 bytes from the stream for time (4 bytes for sec, 4 bytes for usec) while in the GETTIME operation the time is encoded only in 4 bytes - sec only (see RFC 1833). With the current implementation snoop was never able to dump the time correctly, so I just fixed this issue here too.

#6

Updated by Marcel Telka about 7 years ago

  • Status changed from In Progress to Pending RTI
#7

Updated by Marcel Telka about 7 years ago

  • Status changed from Pending RTI to Resolved

commit 78fb3df6a49cd4598f9bba9960558158f7ec440a
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   Tue Jan 14 23:40:38 2014 +0100

    4456 snoop(1m) should display remote RPC calls in summary mode
    Reviewed by: Sebastien Roy <sebastien.roy@delphix.com>
    Reviewed by: Garrett D'Amore <garrett@damore.org>
    Approved by: Dan McDonald <danmcd@omniti.com>
