Manual Pages
Table of Contents
na_cifs_top - display CIFS clients based on activity
cifs top [-s <sort>] [-n <maxclients>] [-a <avg>] [-v]
The cifs top command is used to display CIFS client activity
based on a number of different criteria. It can display
which clients are generating large amounts of load,
as well as help identify clients that may be behaving suspiciously.
The default output is a sorted list of clients, one per
line, showing the number of I/Os, number and size of READ
and WRITE requests, the number of "suspicious" events, and
the IP address and user account of the client. The statistics
are normalized to values per second. A single client
may have more than one entry if it is multiplexing multiple
users on a single connection, as is frequently the
case when a Windows Terminal Server connects to the filer.
This command relies on data collected when the
cifs.per_client_stats.enable option is "on", so it must be
used in conjunction with that option. Administrators
should be aware that there is overhead associated with
collecting the per-client stats. This overhead may noticeably
affect filer performance.
-
-s <sort>
- Specifies how the client stats are to be
sorted. Possible values of <sort> are ops,
reads, writes, ios, and suspicious.
These values may be abbreviated to the
first character, and the default is ops.
They are interpreted as follows:
ops Sort by number of operations per second
of any type.
reads
Sort by kilobytes per second of data
sent in response to read requests.
writes
Sort by kilobytes per second of data
written to the filer.
ios Sort by the combined total of reads
plus writes for each client.
suspicious
Sort by the number of "suspicious"
events sent per second by each client.
"Suspicious" events are any of the
following, which are typical of the
patterns seen when viruses or other
badly behaved software/users are
attacking a system:
-
ACCESS_DENIED returned for FindFirst
ACCESS_DENIED returned for Open/CreateFile
ACCESS_DENIED returned for DeleteFile
SUCCESS returned for DeleteFile
SUCCESS returned for TruncateFile
-
-n <maxclients>
-
Specifies the maximum number of top clients
to display. The default is 20.
-
-a <avg>
- Specifies how the statistics are to be
averaged for display. Possible values of
<avg> are smooth, now and total.
These values may be abbreviated to the
first character, and the default is smooth.
They are interpreted as follows:
smooth
Use a smoothed average which is
weighted towards recent behavior but
takes into account previous history of
the client.
now Use a one-second sample taken immediately.
No history is taken into
account.
total
Use the total count of each statistic
divided by the total time since sampling
started. If the -v option is
also used, the totals are given without
dividing by the sample time.
-
-v
- Specifies that detailed statistics are
given, similar to those of the cifs stat
command. These stats include the sample
time and the counters used to calculate the
usage. As mentioned above, in the case of
total averaging, a dump of the raw stats is
produced in a form suitable for input to
scripts.
toaster> cifs top -n 3 -s w
ops/s reads(n, KB/s) writes(n, KB/s) suspect/s IP Name
263 | 29 215 | 137 627 | 0 | 10.56.10.120 ENGR\varun
248 | 27 190 | 126 619 | 1 | 10.56.10.120 ENGR\jill
246 | 26 195 | 125 616 | 19 | 10.56.12.118 MKTG\bob
If vfilers are licensed the per-user statistics are only
available when in a vfiler context. That means the "cifs
top" command must be invoked in a vfiler context (e.g.
using "vfiler run"), even for the hosting filer. For example,
to see the top cifs users for the hosting filer, give
this command:
-
toaster> vfiler run vfiler0 cifs top
Table of Contents