How to monitor which files are accessed through NFS?

Monitoring Network File Systems (NFS)

Network file shares based on Microsoft servers remain the most popular way of sharing files and folders within corporate networks. This may change in a few years with the continued growth of services like Google Docs or Office 365. There are many options available if you want to monitor Windows-based file shares; a common use case is tracking down who is deleting files off your network.

NFS is another type of distributed file system. NFS is often used with Unix operating systems (such as Solaris, AIX and HP-UX) and Unix-like operating systems (such as Linux and FreeBSD). It is often used in research and development applications where engineers are using specialist computer systems to share data.

As with any network-based data, it is important to monitor who is accessing it and what they are doing with it, whether for compliance, operational or security reasons. Issues such as ransomware attacks have made it a hot topic in today's world.

Getting an audit trail on an NFS server may be tricky: logs may not be available, and even if they are, enabling them may cause performance issues on the NFS file server. An alternative approach worth considering is to monitor the network traffic going to and from the NFS file servers. All you need to do is use a system like LANGuardian to analyze this traffic and extract certain metadata.

Monitoring NFS servers using network traffic analysis

Network traffic data can be captured from SPAN/mirror ports or via network TAPs. While it is possible to capture traffic locally on a system using tools like Wireshark, this is not a scalable solution for monitoring all activity throughout a network. The image below shows how you can see the activity associated with a file by looking inside the network packets.

NFS traffic capture using Wireshark
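
To make "looking inside the network packets" concrete, the sketch below is an added example (not LANGuardian's code, and not from the original article) that decodes one NFSv3 call and pulls out the procedure, the client machine name, the numeric uid and the file name. It assumes NFSv3 over ONC RPC with AUTH_SYS credentials and a single RPC message with any TCP record marker already stripped; all function names and the sample bytes are constructed for illustration.

```python
import struct

NFS_PROGRAM, NFS_V3, AUTH_SYS = 100003, 3, 1
# NFSv3 procedures (RFC 1813) whose arguments start with a directory handle and a name
NAMED_PROCS = {3: "LOOKUP", 8: "CREATE", 9: "MKDIR", 12: "REMOVE", 13: "RMDIR", 14: "RENAME"}

class XDR:
    """Minimal XDR reader: big-endian 32-bit words, opaque data padded to 4 bytes."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value
    def opaque(self):
        n = self.u32()
        value = self.data[self.pos:self.pos + n]
        if len(value) != n:
            raise ValueError("truncated XDR opaque")
        self.pos += (n + 3) & ~3
        return value

def parse_nfs3_call(rpc):
    """Return who/what metadata for one NFSv3 RPC call, or None for anything else."""
    x = XDR(rpc)
    try:
        xid, mtype, rpcvers, prog, vers, proc = (x.u32() for _ in range(6))
        if (mtype, rpcvers, prog, vers) != (0, 2, NFS_PROGRAM, NFS_V3):
            return None  # not an RPC CALL addressed to NFSv3
        flavor, cred = x.u32(), x.opaque()
        _verf_flavor, _verf_body = x.u32(), x.opaque()
        rec = {"xid": xid, "proc": NAMED_PROCS.get(proc, f"proc{proc}"),
               "machine": None, "uid": None, "name": None}
        if flavor == AUTH_SYS:  # body: stamp, machine name, uid, gid, aux gids
            c = XDR(cred[4:])   # skip the 4-byte stamp
            rec["machine"], rec["uid"] = c.opaque().decode("utf-8", "replace"), c.u32()
        if proc in NAMED_PROCS:
            x.opaque()  # skip the directory file handle
            rec["name"] = x.opaque().decode("utf-8", "replace")
        return rec
    except (struct.error, ValueError):
        return None  # truncated or malformed message

def enc(b):
    """XDR-encode opaque bytes (length prefix plus zero padding)."""
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)
# Constructed sample: uid 1001 on host "ws-eng-07" removes "report.docx"
_cred = struct.pack(">I", 0) + enc(b"ws-eng-07") + struct.pack(">3I", 1001, 100, 0)
SAMPLE_CALL = (struct.pack(">7I", 0x1234, 0, 2, NFS_PROGRAM, NFS_V3, 12, AUTH_SYS) + enc(_cred)
               + struct.pack(">2I", 0, 0) + enc(b"\x01" * 32) + enc(b"report.docx"))
```

AUTH_SYS carries only a numeric uid and the client's self-reported machine name, so turning the uid into a username requires a separate lookup against the site's directory or passwd data.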

The image below shows a typical example of how a SPAN or mirror port can be used to capture NFS traffic. The switch is configured to send a copy of the network packets going to and from the file server to the network traffic analyzer (LANGuardian) which is plugged into the same switch. If you want to learn more about setting up SPAN or mirror ports, check out our video resource page.

Monitor NFS shares using SPAN or mirror port

Once you have your SPAN or monitor port in place and you have a LANGuardian connected, you can begin to see who is doing what on your NFS file shares. Use the search feature within LANGuardian and enter the text “NFS”. For my example I used Network Events (NFS) but you can choose any of the reports. The user variants allow you to see what username is associated with the activity. You can also focus in on a specific time period by clicking on the calendar option to the left of the report.

NFS LANGuardian report