Reducing a pcap file down to all operations on a specific NFS file

Question

I have an 80GB packet capture (libpcap) and I want to filter it down to everything involving all operations on a particular NFS file/filehandle.

How can I accomplish this?

I know the following facts about what I want to capture (in tshark display format):

nfs.name == ".o1_mf_1_1093__1366653401581181_.arc
nfs.fh.hash == 0x5c191ad8
nfs.fhandle == 3a:4f:47:4c:20:11:7b:48:7f:88:4f:16:94:90:a0:34:9a:fa:cf:71:e1:6a:95:fc:3e:3b:4e:6a:bb:9c:c6:c4:49:db:80:ca

But I don't know how to tell tshark to give me the applicable requests/replies/etc.

I've tried:

tshark -r ginormous.pcap -w 1366653401581181.pcap \
    -R "nfs.fh.hash == 0x5c191ad8" \
    -o nfs.file_name_snooping:TRUE \
    -o nfs.file_full_name_snooping:TRUE \
    -o nfs.fhandle_find_both_reqrep:TRUE

to try and coax tshark to do the snooping that the full GUI would do, but but no avail.

Answer 1

With tshark -r nfs.pcap -R 'nfs.fh.hash == 0x5c191ad8' you can get all requests or reply with fh. For more complicated cases I guess you need to write some code. There is a great tool for that http://git.linux-nfs.org/?p=mora/nfstest.git;a=summary

Answer 2

Work in progress:

tshark -r $BIGFILE -T fields -e rpc.xid -R "nfs.fh.hash == 0x5c191ad8" | \
   tshark -r $BIGFILE -R "$(\
       python -c 'import sys; xids = sys.stdin.readlines(); print("||".join(["rpc.xid=={0}".format(xid.strip()) for xid in xids]))'\
   )"