Is there a way to find NFS / RPC requests without responses from a tcpdump?

Introduction

There are a few different techniques that can be used to find RPC Calls without Replies.

Manual approach (most versions of Wireshark/tshark)

  • One simplistic, but somewhat manual, way to look for incomplete NFS / RPC requests is to process the tcpdump with a simple tshark command that dumps out a one-line summary of each packet. In the summary, look for "RPC retransmission" instances, and then inspect those specific transactions to see whether they ever receive an NFS / RPC reply.
$ tshark -tad -r tcpdump.pcap > tcpdump.pcap.txt
$ grep "RPC retransmission" tcpdump.pcap.txt
...
  3 2013-11-20 10:29:22.953970 10.2.1.9 -> 10.2.1.7 NFS 206 [RPC retransmission of #1]V3 GETATTR Call, FH:0xae03ce73
...
  7 2013-11-20 10:30:34.915719 10.2.1.9 -> 10.2.1.7 NFS 210 [RPC retransmission of #5]V3 ACCESS Call, FH:0xae03ce73
...
  • You may also count the 'Call' packets and the 'Reply' packets and see whether the counts match. In the example below, there are 46 RPC Calls without RPC Reply packets.
$ TZ="America/New_York" tshark -tad -R rpc -r tcpdump.pcap | egrep '(Call,|V4 Call)' | wc
     84    1037    7564
$ TZ="America/New_York" tshark -tad -R rpc -r tcpdump.pcap | egrep 'Reply \(Call In' | wc
     38     556    3754
$ tshark -tad -R "rpc && rpc.msgtyp == 0" -r tcpdump.pcap | wc
     84    1037    7564
$ tshark -tad -R "rpc && rpc.msgtyp == 1" -r tcpdump.pcap | wc
     38     556    3754
$ dc --expression="84 38 - f"
46

Certain versions of tshark

  • On versions of tshark that support the '-2' (two-pass analysis) option, you can use 'rpc.msgtyp == 0 && not rpc.reqframe' to get RPC requests without responses. The second pass is required because the request/reply matching done while dissecting the capture is only available to the filter once the whole file has been read. NOTE: The tshark filter is somewhat counter-intuitive, but is correct.
$ tshark -r tcpdump.pcap -2 -Y 'rpc.msgtyp == 0 && not rpc.reqframe' | wc
     46     576    4009
_OR_
$ tshark -r tcpdump.pcap -2 -R 'rpc.msgtyp == 0 && not rpc.reqframe' | wc
     46     576    4009
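The two approaches above answer slightly different questions: subtracting the Reply count from the Call count treats every retransmission as a separate outstanding request and is skewed by replies whose call happened before the capture started, whereas the 'rpc.reqframe' filter pairs each call with its reply. The following script, added here as an illustration and not part of the original article, does the same pairing outside of tshark so the difference is visible: it keys each request on (client, server, XID), so that retransmissions of one XID count as a single outstanding request and an XID reused by a different client is not confused with it. The input format is what `tshark -r tcpdump.pcap -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e rpc.xid -e rpc.msgtyp` produces (tab-separated, one packet per line); the sample embedded below is constructed for the example, not taken from the capture discussed in the article.

```python
"""Pair RPC Calls with Replies by XID from tshark '-T fields' output.

Input columns (tab-separated), as produced by:
  tshark -r tcpdump.pcap -T fields -e frame.number -e frame.time_relative \
         -e ip.src -e ip.dst -e rpc.xid -e rpc.msgtyp
rpc.msgtyp is 0 for a Call and 1 for a Reply (Wireshark field names).
"""
from collections import OrderedDict

# Constructed sample (not a real capture). Frames 1 and 3 carry the same XID
# (frame 3 is a retransmission) and are answered by frame 4. XID 0x0000a002
# from 10.2.1.9 is sent in frames 2 and 10 and never answered; the same XID
# from a different client (10.2.1.8, frame 8) is answered by frame 9. Frame 7
# is a reply whose call is not in the capture.
SAMPLE_TSHARK_OUTPUT = """\
1\t0.000000\t10.2.1.9\t10.2.1.7\t0x0000a001\t0
2\t0.000120\t10.2.1.9\t10.2.1.7\t0x0000a002\t0
3\t1.200000\t10.2.1.9\t10.2.1.7\t0x0000a001\t0
4\t1.200310\t10.2.1.7\t10.2.1.9\t0x0000a001\t1
5\t2.000000\t10.2.1.9\t10.2.1.7\t0x0000a003\t0
6\t2.000400\t10.2.1.7\t10.2.1.9\t0x0000a003\t1
7\t2.500000\t10.2.1.7\t10.2.1.9\t0x0000a0ff\t1
8\t3.000000\t10.2.1.8\t10.2.1.7\t0x0000a002\t0
9\t3.000200\t10.2.1.7\t10.2.1.8\t0x0000a002\t1
10\t3.400000\t10.2.1.9\t10.2.1.7\t0x0000a002\t0
"""


def parse_tshark_fields(text):
    """Yield (frame, time, src, dst, xid, msgtyp) tuples from the field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, rel_time, src, dst, xid, msgtyp = line.split("\t")
        yield int(frame), float(rel_time), src, dst, xid, int(msgtyp)


def pair_rpc(text):
    """Match RPC Calls to Replies keyed on (client, server, xid).

    Returns a dict with:
      unanswered:     {key: [call frames]} calls (incl. retransmissions) with no reply
      answered:       {key: ([call frames], reply frame)}
      orphan_replies: [reply frames] whose call is not in the capture
      calls, replies: raw message counts, comparable to the 'wc' approach
    Long captures in which one client reuses an XID after it was answered
    would need a time window as well; that case is not handled here.
    """
    calls = OrderedDict()   # (client, server, xid) -> call frame numbers
    replies = {}            # (client, server, xid) -> first reply frame
    orphan_replies = []
    n_calls = n_replies = 0
    for frame, _t, src, dst, xid, msgtyp in parse_tshark_fields(text):
        if msgtyp == 0:
            n_calls += 1
            calls.setdefault((src, dst, xid), []).append(frame)
        elif msgtyp == 1:
            n_replies += 1
            # A reply flows server -> client; normalise to the call's direction.
            key = (dst, src, xid)
            if key in calls:
                replies.setdefault(key, frame)
            else:
                orphan_replies.append(frame)
    unanswered = OrderedDict((k, v) for k, v in calls.items() if k not in replies)
    answered = OrderedDict((k, (v, replies[k])) for k, v in calls.items() if k in replies)
    return {"unanswered": unanswered, "answered": answered,
            "orphan_replies": orphan_replies, "calls": n_calls, "replies": n_replies}


if __name__ == "__main__":
    result = pair_rpc(SAMPLE_TSHARK_OUTPUT)
    print("Calls - Replies = %d - %d = %d" %
          (result["calls"], result["replies"], result["calls"] - result["replies"]))
    print("Unanswered requests (by XID): %d" % len(result["unanswered"]))
    for (client, server, xid), frames in result["unanswered"].items():
        print("  %s -> %s xid %s, call frames %s" % (client, server, xid, frames))
    print("Replies with no call in capture: %s" % result["orphan_replies"])
```

On the sample, the raw count gives 6 - 4 = 2 outstanding calls, while XID pairing reports one unanswered request (frames 2 and 10, a call and its retransmission) plus one reply (frame 7) whose call predates the capture; when the two methods disagree on a real capture, these are the first things to look for.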