Rajagopal Swaminathan wrote:
On Sat, Jan 30, 2010 at 12:58 AM, Agile Aspect agile.aspect@gmail.com wrote:
If the client can't reach the site, then it should be clear the server won't be able to log the attempt.
In fact, this is exactly the condition I wanted to capture as the unavailability window.
FWIW, I am approaching this with tcpdump:
tcpdump -s 0 -A -i eth0 -n -q -tttt '(dst host <mumble> and dst port 80) and tcp[13] == 2'
Basically checking for the SYN flag in the outgoing traffic.
But it is generating too much data for my purposes.
If you have X11 installed, use Wireshark to capture the data. If you don't, save the captured data into a file, then copy it to another computer where you can use Wireshark. Set the view filter for the specific IP addresses you are looking for. From above, it would be
"ip.addr eq <mumble>"
The view filter I used yesterday to examine one connection at work was
"ip.addr eq 10.3.1.66 and ip.addr eq 10.3.1.96"
Remove the flags condition from the capture (tcp[13]) as it won't make any difference until the SYN packets get through and then it will only get in the way of seeing what happens next.
Bob McConnell N2SPP
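An added example (not code from anyone in the thread) that turns the SYN check in the capture filter into the unavailability measurement the poster wants: it reproduces the `tcp[13] == 2` test on raw TCP headers, pairs each client SYN with the server's SYN-ACK, and reports the stretches where SYNs went unanswered. The addresses, ports and packet trace are constructed.

```python
"""Added example (not from the thread): find the unavailability window the poster
wants, i.e. client SYNs toward the web server that never drew a SYN-ACK.
tcp[13] in the thread's capture filter is the TCP flags octet; == 2 means SYN alone."""
import struct

SYN, ACK = 0x02, 0x10

def build_tcp_header(sport, dport, flags):
    """20-byte TCP header, data offset 5, checksum left zero (constructed test data)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def is_pure_syn(tcp):
    return tcp[13] == SYN                         # same test as BPF 'tcp[13] == 2'
def is_syn_ack(tcp):
    return tcp[13] & (SYN | ACK) == SYN | ACK

def unanswered_syns(packets, server_ip, server_port=80):
    """Packets are (ts, src_ip, dst_ip, raw_tcp_header); returns timestamps of SYNs
    to server_ip:server_port that were never matched by a SYN-ACK from the server."""
    pending = {}                                  # (client_ip, client_port) -> first SYN ts
    for ts, src, dst, tcp in sorted(packets):
        sport, dport = struct.unpack("!HH", tcp[:4])
        if dst == server_ip and dport == server_port and is_pure_syn(tcp):
            pending.setdefault((src, sport), ts)  # retransmits keep the first timestamp
        elif src == server_ip and sport == server_port and is_syn_ack(tcp):
            pending.pop((dst, dport), None)
    return sorted(pending.values())

def outage_windows(times, gap=10.0):
    """Merge unanswered-SYN timestamps at most `gap` seconds apart into (start, end) windows."""
    windows = []
    for t in times:
        if windows and t - windows[-1][1] <= gap:
            windows[-1][1] = t
        else:
            windows.append([t, t])
    return [tuple(w) for w in windows]

SERVER, CLIENT = "192.0.2.10", "192.0.2.20"      # constructed documentation-range addresses
TRACE = [                                         # constructed capture, not real traffic
    (0.00,   CLIENT, SERVER, build_tcp_header(40000, 80, SYN)),        # answered
    (0.01,   SERVER, CLIENT, build_tcp_header(80, 40000, SYN | ACK)),
    (60.00,  CLIENT, SERVER, build_tcp_header(40001, 80, SYN)),        # site unreachable
    (63.00,  CLIENT, SERVER, build_tcp_header(40001, 80, SYN)),        # SYN retransmit
    (65.00,  CLIENT, SERVER, build_tcp_header(40002, 80, SYN)),
    (120.00, CLIENT, SERVER, build_tcp_header(40003, 80, SYN)),        # reachable again
    (120.02, SERVER, CLIENT, build_tcp_header(80, 40003, SYN | ACK)),
]

if __name__ == "__main__":
    for start, end in outage_windows(unanswered_syns(TRACE, SERVER)):
        print(f"no SYN-ACK from {SERVER}:80 between t={start:.2f}s and t={end:.2f}s")
```

Feeding it a real capture means decoding the IP and TCP headers from the pcap first; the matching logic is unchanged.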