[CentOS] Browser related question

Sat Jan 30 13:55:16 UTC 2010
Bob McConnell <rmcconne at lightlink.com>

Rajagopal Swaminathan wrote:
> On Sat, Jan 30, 2010 at 12:58 AM, Agile Aspect <agile.aspect at gmail.com> wrote:
>> If the client can't reach the site, then it should be clear the server
>> won't be able to log the attempt.
> 
> In fact this is exactly the condition I wanted to capture as
> unavailability window
> 
> FWIW, I am approaching this with tcpdump
> 
> tcpdump -s 0 -A -i eth0 -n -q -tttt '(dst host <mumble> and dst port
> 80) and tcp[13] == 2'
> 
> Basically checking for the SYN flag in the outgoing traffic.
> 
> But it is generating too much data for my purposes.

If you have X11 installed, use Wireshark to capture the data. If you 
don't, save the captured data into a file, then copy it to another 
computer where you can use Wireshark. Set the view filter for the 
specific IP addresses you are looking for. From above, it would be

"ip.addr eq <mumble>"

The view filter I used yesterday to examine one connection at work was

"ip.addr eq 10.3.1.66 and ip.addr eq 10.3.1.96"

Remove the flags condition from the capture (tcp[13]) as it won't make 
any difference until the SYN packets get through and then it will only 
get in the way of seeing what happens next.

Bob McConnell
N2SPP
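Added example, not part of the thread above: a small Python script that decodes the TCP flags byte that tcpdump's `tcp[13] == 2` test reads, applies the same "dst host / dst port / pure SYN" filter to a constructed set of packets, and then groups the result into connection attempts so that an unavailability window shows up as SYNs that never got a reply. The packets, the client 10.3.1.66, the server 10.3.1.96 and the port numbers are constructed sample data (the two addresses are borrowed from Bob's display filter); nothing here touches a live interface, so it can be run offline.

```python
"""Decode tcpdump's tcp[13] flags byte and classify connection attempts.

Added illustration for the tcpdump/Wireshark discussion above; it is not
code from the original thread.  All packets below are constructed samples.
"""
import struct
from collections import defaultdict

# Flag bits in the byte at offset 13 of the TCP header (RFC 793).
# tcpdump's 'tcp[13] == 2' therefore matches only a packet whose flags
# byte is exactly SYN, i.e. the first packet of a client's handshake.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SYN, ACK, RST = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"], TCP_FLAGS["RST"]


def build_ipv4_tcp(src, dst, sport, dport, flags, seq=0, ack=0):
    """Build a minimal IPv4 + TCP packet (no link-layer header).

    Checksums are left at zero: BPF filters never verify them.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (20 // 4) << 4,   # data offset = 5 words, no options
                      flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the fields the filter needs, or None if this is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:              # IP protocol number 6 = TCP
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "sport": sport, "dport": dport,
            "flags": tcp[13]}    # the very byte 'tcp[13]' refers to


def flag_names(flags):
    """Render a flags byte as 'SYN|ACK' style text."""
    return "|".join(n for n, bit in TCP_FLAGS.items() if flags & bit)


def matches_syn_filter(info, host, port):
    """Same test as '(dst host HOST and dst port PORT) and tcp[13] == 2'."""
    return (info["dst"] == host and info["dport"] == port
            and info["flags"] == SYN)


def connection_attempts(packets, host, port):
    """Group packets by client (src, sport) into handshake attempts.

    For each attempt record how many SYNs the client sent towards
    host:port and what the server's first reply (if any) was.  A SYN
    count above zero with no reply is exactly the "client cannot reach
    the site" condition the server itself can never log.
    """
    attempts = defaultdict(lambda: {"syn": 0, "reply": None})
    for pkt in packets:
        info = parse_ipv4_tcp(pkt)
        if info is None:
            continue
        if matches_syn_filter(info, host, port):
            attempts[(info["src"], info["sport"])]["syn"] += 1
        elif info["src"] == host and info["sport"] == port:
            key = (info["dst"], info["dport"])
            if attempts[key]["reply"] is None:
                attempts[key]["reply"] = flag_names(info["flags"])
    return dict(attempts)


def unanswered_attempts(attempts):
    """Attempts that sent at least one SYN and never saw any reply."""
    return sorted(k for k, v in attempts.items()
                  if v["syn"] > 0 and v["reply"] is None)


# Constructed sample capture: one successful handshake, one attempt that
# retransmits its SYN three times with no answer, one actively refused
# attempt, and one packet to another port that the filter must ignore.
CLIENT, SERVER = "10.3.1.66", "10.3.1.96"
SAMPLE_PACKETS = [
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40000, SYN | ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40001, 80, SYN),
    build_ipv4_tcp(CLIENT, SERVER, 40001, 80, SYN),
    build_ipv4_tcp(CLIENT, SERVER, 40001, 80, SYN),
    build_ipv4_tcp(CLIENT, SERVER, 40002, 80, SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40002, RST | ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40003, 443, SYN),
]

if __name__ == "__main__":
    result = connection_attempts(SAMPLE_PACKETS, SERVER, 80)
    for key, val in sorted(result.items()):
        print(key, val)
    print("unanswered:", unanswered_attempts(result))
```

Two points the script makes concrete. First, `tcp[13] == 2` only matches a flags byte that is exactly SYN, so the server's SYN-ACK (0x12) and a SYN carrying ECN bits are excluded; `tcp[13] & 2 != 0` is the form that matches any packet with SYN set. Second, the "too much data" problem in the thread is largely solved by not storing payloads: with the filter reduced to the handshake packets and a capture written to a file for later inspection in Wireshark, the record of an outage is just the run of unanswered SYNs per client port, which is what the grouping above produces.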