Manual Pages

Table of Contents


na_cifs_top - display CIFS clients based on activity


cifs top [-s <sort>] [-n <maxclients>] [-a <avg>] [-v]


The cifs top command is used to display CIFS client activity based on a number of different criteria. It can display which clients are generating large amounts of load, as well as help identify clients that may be behaving suspiciously.

The default output is a sorted list of clients, one per line, showing the number of I/Os, number and size of READ and WRITE requests, the number of "suspicious" events, and the IP address and user account of the client. The statistics are normalized to values per second. A single client may have more than one entry if it is multiplexing multiple users on a single connection, as is frequently the case when a Windows Terminal Server connects to the filer.

This command relies on data collected when the cifs.per_client_stats.enable option is "on", so it must be used in conjunction with that option. Administrators should be aware that there is overhead associated with collecting the per-client stats. This overhead may noticeably affect filer performance.


-s <sort>
Specifies how the client stats are to be sorted. Possible values of <sort> are ops, reads, writes, ios, and suspicious.

These values may be abbreviated to the first character, and the default is ops. They are interpreted as follows:

ops Sort by number of operations per second of any type.

Sort by kilobytes per second of data sent in response to read requests.

Sort by kilobytes per second of data written to the filer.

ios Sort by the combined total of reads plus writes for each client.

Sort by the number of "suspicious" events sent per second by each client. "Suspicious" events are any of the following, which are typical of the patterns seen when viruses or other badly behaved software/users are attacking a system:

         ACCESS_DENIED returned for FindFirst
         ACCESS_DENIED returned for Open/CreateFile
         ACCESS_DENIED returned for DeleteFile
         SUCCESS returned for DeleteFile
         SUCCESS returned for TruncateFile

-n <maxclients>
Specifies the maximum number of top clients to display. The default is 20.

-a <avg>
Specifies how the statistics are to be averaged for display. Possible values of <avg> are smooth, now and total.

These values may be abbreviated to the first character, and the default is smooth. They are interpreted as follows:

Use a smoothed average which is weighted towards recent behavior but takes into account previous history of the client.

now Use a one-second sample taken immediately. No history is taken into account.

Use the total count of each statistic divided by the total time since sampling started. If the -v option is also used, the totals are given without dividing by the sample time.

Specifies that detailed statistics are given, similar to those of the cifs stat command. These stats include the sample time and the counters used to calculate the usage. As mentioned above, in the case of total averaging, a dump of the raw stats is produced in a form suitable for input to scripts.


  toaster> cifs top -n 3 -s w
   ops/s  reads(n, KB/s) writes(n, KB/s) suspect/s   IP              Name
     263 |     29   215 |     137   627 |        0 | ENGR\varun
     248 |     27   190 |     126   619 |        1 | ENGR\jill
     246 |     26   195 |     125   616 |       19 | MKTG\bob


If vfilers are licensed the per-user statistics are only available when in a vfiler context. That means the "cifs top" command must be invoked in a vfiler context (e.g. using "vfiler run"), even for the hosting filer. For example, to see the top cifs users for the hosting filer, give this command:

  toaster> vfiler run vfiler0 cifs top

Table of Contents