On Tue, Feb 05, 2008 at 09:29:30AM -0800, John R Pierce wrote:
Tony Schreiner wrote:
assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. its logfiles are quite similar to those of a webserver, so you can use a wide range of log analysis tools.
To get more specific about what's going on. My network services have informed me that the machine is probing other systems at a high rate. An infection of some sort. And I'm trying to track down what's going on.
ah. tcpdump -i ethX tcp port 80
(and prepare for a flood of data).
If you decide to use tcpdump at all, maybe just limit to SYN packets as well:
tcpdump -n -i ethX 'tcp port 80 and tcp[tcpflags] & tcp-syn != 0'
Ray