								1 March 1993

This is NFSWATCH Version 4.0.  It lets you monitor NFS requests to any
given machine, or the entire local network.  It only monitors NFS client
traffic (NFS requests); it does not (and cannot) monitor the return traffic
from the server in response to those requests.

The following changes have been made since NFSWATCH 3.0:

	- NFSWATCH now runs on Sun SPARC machines under SunOS 5.x (Solaris
	  2.x) using the Data Link Provider Interface (DLPI), dlpi(7).

	- NFSWATCH now runs on Silicon Graphics machines under IRIX 4.0
	  using the snoop(7) interface.  It should also work on versions 3.2
	  and 3.3 (you'll need "-lbsd" on 3.2). Thanks to Tim Hudson of
	  Mincom Pty for the patches.

	- NFSWATCH "almost" works on System V Release 4 systems.  There are
	  some problems with the fact that Solaris 2.x uses DLPI 2.0 (good),
	  but most SVR4s out there still use DLPI 1.3 (bad).  I've had a few
	  beta testers working on it, but they have not yet gotten it to work.
	  If you manage to get it working, *please* send patches.

	- NFSWATCH now keeps track of timing information in the procedure
	  display, showing how quickly NFS calls receive replies.  Thanks to
	  Peter Phillips of the University of British Columbia for the code.
	  
	- NFSWATCH now has an authenticator display, which shows the username
	  or user id of the originator of each packet.  Thanks again to Peter
	  Phillips for the code.

	- A first pass at support for FDDI interfaces has been added.  The
	  support is better on some systems than others, as described below:

	  IRIX40: Has not been tested, and almost definitely will not work
		  "as is".  The packet header that's read into from snoop
		  probably needs to be different.  Send us patches if you
		  get it to work.

	  SUNOS4: Has been tested on a Sun-4/380 under SunOS 4.1.2.  Works
		  with the SunNet FDDI/DX boards.

	  SUNOS5: Has not been tested, but "should" work.  Send us patches
		  if it doesn't.

	  SVR4:   Has not been tested, but "should" work.  Send us patches
	  	  if it doesn't.  (And if you get the rest of it working;
		  see above.)

	  ULTRIX: Works with Ultrix V4.2 or later *only*.  All flavors of
		  Ultrix 4.2 (including 4.2A, 4.2B, 4.2C) require kernel
		  patches before you can use the FDDI code.  Obtain the
		  patched versions of net_common.o and pfilt.o from your
		  Customer Support Center.

	- A new option, "-server hostname" has been added to watch all the
	  traffic between a server and its clients; this is equivalent to
	  "src == hostname || dst == hostname", which is not specifiable
	  using the other options.  Thanks again to Peter Phillips for the
	  patches.

	- A new option, "-map", is available to help translate file system
	  device names to "english" names, e.g. "/usr" instead of
	  "fs1(7,23)".  Thanks yet again to Peter Phillips.

	- Two new options have been added to allow NFSWATCH to be run from
	  cron, via rsh, etc.  The "-bg" option tells NFSWATCH to run in the
	  background, with no screen display.  All information will be put
	  into the logfile only.  The "-T maxtime" option tells NFSWATCH to
	  terminate execution after maxtime seconds.

	- A new interactive command has been added.  The "n" command toggles
	  the display of client names or client host numbers in client mode,
	  so that foreign hosts can be identified.

	- The maximum number of client hosts for a single server has been
	  increased to 512.  The maximum number of internet addresses for
	  a single host has been increased to 16.  The maximum number of
	  interfaces that can be watched at one time has been increased to
	  16.

	- The bug in which file matching did not work on Sun-3 systems has
	  been fixed.

	- The bug in which the standard input got closed upon exit, making
	  the curses routines screw up, has been fixed.

	- The bug causing miscompilation of nit.c on SunOS 4.0 has been
	  fixed.

	- Note that due to limitations in the SVR4 DLPI, the ethernet broad-
	  cast, arp, and rarp packet counters will not be supported.  Also
	  note that on SVR4s still using DLPI 1.3, which does not support
	  promiscuous mode, the "-all" and "-dst" options to NFSWATCH will not
	  work.

NFSWATCH has been successfully compiled and at least minimally tested on the
following architectures and operating systems:

	Architecture		Operating System
	------------		----------------
	Sun-3 (68000)		SunOS 4.1.1
	Sun-4 (SPARC)		SunOS 4.1.1, 4.1.2, 4.1.3
	Sun-4 (SPARC)		SunOS 5.1 (Solaris 2.1)

	DEC VAX			Ultrix 4.0, 4.1, 4.2
	DEC RISC		Ultrix 4.0, 4.1, 4.2

	SGI Personal IRIS	IRIX 4.0.1
	SGI 4D/440		IRIX 4.0.5

To compile NFSWATCH, just say "make."  The Makefile will use the "uname"
command to determine what operating system should be compiled for.  If for
some reason this blows up in your face, say "make OS=foo" where "foo" is one
of the following:

	Macro Value		Operating System
	-----------		----------------
	IRIX40			Silicon Graphics IRIX 4.0
	SUNOS4			Sun Microsystems SunOS 4.x
	SUNOS5			Sun Microsystems SunOS 5.x (Solaris 2.x)
	SVR4			AT&T System V Release 4
	ULTRIX			Digital Equipment Ultrix 4.x

On Sun systems, NFSWATCH needs to either be run as root, or made setuid root
(this is safe; it setuids itself back after opening the needed device).  On
Ultrix systems, it does not need to be setuid root or run as root, but the
super-user has to enable promiscuous mode operation using pfconfig(8).  On
SGI systems, it needs to be either run as root or made setuid to root.  On
SVR4 systems, it needs to be either run as root or made setuid to root.

On pre-4.2 Ultrix systems, the enclosed "pfcopyall" program can be used to
change the value of the "pfcopyall" variable in the kernel so that you can
see packets sent by the host you are running on.  Otherwise, these packets
will not be included in the output of NFSWATCH.

You can redistribute this program as much as you want.  All we ask is that
you give credit where credit is due.  If you make modifications or bug fixes,
please send them back to us, in "diff -c" format, so they can be incorporated
into the next release.

Dave Curry					Jeff Mogul
Purdue University				Digital Equipment Corp.
Engineering Computer Network			Western Research Laboratory
1285 Electrical Engineering Bldg.		250 University Avenue
West Lafayette, IN 47907-1285			Palo Alto, CA 94301
davy@ecn.purdue.edu				mogul@decwrl.dec.com
