Various file system utilities require information about changes that occurred in the file system between two points in time. Examples of such utilities include incremental backup, asynchronous remote mirroring, virus scanning, and many more. Snapshots are often used for capturing the state and content of the file system at certain points in time. The changes made to data and metadata of objects (e.g., directories, files) of the file system between two points in time can be determined by comparing the two snapshots that were respectively taken at these two points in time. The differences between two snapshots are also of interest to users of the file system when manually scoping, auditing and looking for potentially malicious and/or unauthorized accesses that may have occurred between the two snapshots.
ZFS (an open source file system) provides a utility for reporting changes that occurred between two snapshots of a file system: an older snapshot and a newer snapshot.
The reported changes that were made in the file system may include: files and directories that were added (i.e., appear only in the newer snapshot), files and directories that were removed (appear only in the older snapshot), files and directories that were modified between the older and newer snapshots, files and directories that were renamed between the older and newer snapshots and more.
Some Unix-based operating systems (e.g., Solaris, FreeBSD) that employ ZFS as the underlying file system provide access to the ZFS utility for comparing snapshots by enabling a user to use the command-line command ‘zfs diff’. For example, for comparing an earlier snapshot named ‘snap1’ with a later snapshot named ‘snap2’ and for reporting the changes that occurred under a certain directory or sub-tree (e.g., all changes under ‘dir1’ and its sub-directories), the following command line can be typed: zfs diff /dir1/snap1 /dir1/snap2.
The displayed result includes a list of changes with a new line for each file or directory that has undergone a change between the first snapshot (‘snap1’) and the second snapshot (‘snap2’), the type of change and the name of the file or directory.
Assuming that dir2 is a directory under dir1 and that out of all directories under dir1 only dir2 was changed between the snapshots—then the list of changes may include, for example, the following lines:
M /dir1/dir2/
+ /dir1/dir2/fileA
− /dir1/dir2/fileD
R /dir1/dir2/fileB -> /dir1/dir2/fileC
The line starting with ‘M’ (Modify) indicates that directory dir2 has been changed between the creation of snap1 and the creation of snap2.
The line starting with ‘+’ indicates that fileA was added between snap1 and snap2 (i.e., fileA exists in snap2 and does not exist in snap1).
The line starting with ‘−’ indicates that fileD was deleted between the two snapshots (i.e., exists in snap1 and does not exist in snap2).
The line starting with ‘R’ indicates that the file named ‘fileB’ in snap1 was renamed to ‘fileC’ in snap2.
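For auditing, the change list described above can be turned into structured records and narrowed to one sub-tree. The following Python code is an added example, not part of the original text or of ZFS; the function names, the tolerance for both ‘−’ and ‘-’ as the removal marker, and the extra /dir1/dir20 sample line are assumptions made for illustration.

```python
from collections import namedtuple

# One parsed report line; new_path is set only for renames.
Change = namedtuple("Change", "kind path new_path")
KINDS = {"M": "modified", "+": "added", "-": "removed", "R": "renamed"}

def parse_line(line):
    """Parse one report line such as '+ /dir1/dir2/fileA'."""
    line = line.strip()
    # Accept the typographic minus (U+2212) that copied reports may contain.
    code = "-" if line[:1] == "\u2212" else line[:1]
    rest = line[1:].strip()
    if code not in KINDS or not rest:
        raise ValueError("unrecognised report line: %r" % line)
    new_path = None
    if code == "R":
        # Assumption: '->' separates old and new name; a file name that
        # itself contains '->' cannot be told apart in this text format.
        old, sep, new = rest.partition("->")
        if not sep or not old.strip() or not new.strip():
            raise ValueError("malformed rename line: %r" % line)
        rest, new_path = old.strip(), new.strip()
    return Change(KINDS[code], rest, new_path)

def parse_report(text):
    """Parse a whole report, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def under(path, root):
    """True if path is root or lies below it, matched on whole components."""
    root = root.rstrip("/")
    return path.rstrip("/") == root or path.startswith(root + "/")

def changes_under(changes, root):
    """Changes touching root; a rename counts if either name is below it."""
    return [c for c in changes
            if under(c.path, root) or (c.new_path and under(c.new_path, root))]

# Constructed sample: the four lines from the text plus one sibling directory.
SAMPLE = """\
M /dir1/dir2/
+ /dir1/dir2/fileA
\u2212 /dir1/dir2/fileD
R /dir1/dir2/fileB -> /dir1/dir2/fileC
+ /dir1/dir20/fileE
"""

if __name__ == "__main__":
    for c in changes_under(parse_report(SAMPLE), "/dir1/dir2"):
        print(c.kind, c.path, c.new_path or "")
```

Matching on whole path components keeps /dir1/dir20 out of a report scoped to /dir1/dir2, which a plain string-prefix test would wrongly include.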
Snapshot comparison commands (such as the diff command) can be used by a user to compare snapshots that are managed by the user's host computer.
There is a need to allow users to perform a snapshot comparison in cases where such users do not have access to comparison utilities provided by the local operating system or by the underlying file system.
When a user accesses a filesystem hosted by a file-server or a storage system implementing a file-server, the network file system (NAS) protocol used for interfacing with such a filesystem does not support a snapshot comparison command. Therefore, even if the file-server includes a snapshot comparison utility, that utility is not accessible to the end-user. Non-limiting examples of such network file system protocols are Network File System (NFS) and Common Internet File System (CIFS).