Rajagopal Swaminathan wrote:
> On Sat, Jan 30, 2010 at 12:58 AM, Agile Aspect <agile.aspect at gmail.com> wrote:
>> If the client can't reach the site, then it should be clear the server
>> won't be able to log the attempt.
>
> In fact this is exactly the condition I wanted to capture as
> unavailability window
>
> FWIW, I am approaching this with tcpdump
>
> tcpdump -s 0 -A -i eth0 -n -q -tttt '(dst host <mumble> and dst port 80) and tcp[13] == 2'
>
> Basically checking for the SYN flag in the outgoing traffic.
>
> But it is generating too much data for my purposes.

If you have X11 installed, use Wireshark to capture the data. If you
don't, save the captured data into a file, then copy it to another
computer where you can use Wireshark. Set the view filter for the
specific IP addresses you are looking for. From above, it would be
"ip.addr eq <mumble>"

The view filter I used yesterday to examine one connection at work was
"ip.addr eq 10.3.1.66 and ip.addr eq 10.3.1.96"

Remove the flags condition from the capture (tcp[13]) as it won't make
any difference until the SYN packets get through and then it will only
get in the way of seeing what happens next.

Bob McConnell
N2SPP
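The unavailability windows discussed in this thread can be derived from a capture that keeps both directions (as Bob suggests) rather than only outbound SYNs: a window opens at the first SYN toward the target that goes unanswered and closes when the target's SYN-ACK finally comes back. The following script is an added example, not code from either poster; it parses raw IPv4/TCP packets (reading the same byte that BPF calls tcp[13]), and the packets, the client address 192.0.2.5 and the target address 203.0.113.10 standing in for <mumble> are all constructed here.

```python
import struct
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10  # bits of the TCP flags byte that BPF addresses as tcp[13]
CLIENT, TARGET = "192.0.2.5", "203.0.113.10"  # constructed: client and the <mumble> host

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed packet: minimal 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags) for a raw IPv4+TCP packet, else None."""
    if raw[9] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    ihl = (raw[0] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (str(IPv4Address(raw[12:16])), str(IPv4Address(raw[16:20])),
            sport, dport, raw[ihl + 13])  # raw[ihl + 13] is exactly tcp[13]

def outage_windows(packets, target, port=80, min_gap=1.0):
    """Walk (timestamp, raw) pairs in capture order. A window opens at the first
    SYN toward target:port that is still unanswered and closes on the next SYN-ACK
    from target:port; gaps shorter than min_gap seconds are ordinary handshakes."""
    windows, opened = [], None
    for ts, raw in packets:
        pkt = parse_ipv4_tcp(raw)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if dst == target and dport == port and flags == SYN and opened is None:
            opened = ts
        elif (src == target and sport == port and opened is not None
              and (flags & (SYN | ACK)) == (SYN | ACK)):
            if ts - opened >= min_gap:
                windows.append((opened, ts))
            opened = None
    if opened is not None:
        windows.append((opened, None))  # still unanswered when the capture ended
    return windows

def syn(ts): return (ts, build_ipv4_tcp(CLIENT, TARGET, 40000, 80, SYN))
def synack(ts): return (ts, build_ipv4_tcp(TARGET, CLIENT, 80, 40000, SYN | ACK))

# Constructed capture: a healthy handshake, a 15 s outage with SYN retries, then a SYN never answered.
CAPTURE = [syn(0.0), synack(0.05), syn(10.0), syn(11.0), syn(13.0), syn(17.0), synack(25.0), syn(40.0)]

if __name__ == "__main__":
    print(outage_windows(CAPTURE, TARGET))  # [(10.0, 25.0), (40.0, None)]
```

A `None` end time means the target was still unreachable when the capture stopped; on a real file, feed the packets in from a pcap reader instead of `CAPTURE`.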