"Knute Johnson" <knute@xxxxxxxxxxx> writes:
> Connection attempts using mod_proxy:
>    220.132.60.97 -> msa.hinet.net:25: 1 Time(s)
>
> Above is a piece of my logwatch email today. What is msa.hinet.net
> actually trying to do here?

Probably msa.hinet.net isn't doing anything but being the target of some proxy spamming attempt.

I've found that the simplest way to unravel such logs is to just keep a week's worth of "tcpdump -w" logs and then use wireshark (formerly ethereal) to read the appropriate logs. The "follow tcp stream" option when highlighting a tcp packet is a great way to see what both sides were doing.

I normally just run tcpdump in an infinite shell loop with a counter incrementing. Then if the syslogs show something I don't understand I'll look at the packets around that time by wireshark-ing the appropriate tcpdump file.

    tcpdump -i eth0 -s 1500 -c 5000 -w eth0-$cnt.tcpdump

Disk space is relatively cheap. It normally only takes a few gigs, which at today's prices is well under a buck.

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Hints for IPv6 on FC6 http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html
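
The capture loop described in the message above, written out as an added example (it is not the poster's own script). It goes slightly beyond the message by pruning files after a week and by locating the file that covers a given syslog time. The names CAP_DIR, IFACE, KEEP_DAYS and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the poster's script. CAP_DIR, IFACE, KEEP_DAYS are assumed names.
CAP_DIR="${CAP_DIR:-/var/tmp/pcap}"   # where capture files are kept (assumed path)
IFACE="${IFACE:-eth0}"
KEEP_DAYS="${KEEP_DAYS:-7}"           # "a week's worth"

# Print the next counter (highest existing N plus one) so a restart never overwrites.
next_count() {
    local max=0 f n
    for f in "$CAP_DIR/$IFACE"-*.tcpdump; do
        [ -e "$f" ] || continue
        n="${f##*-}"; n="${n%.tcpdump}"
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max="$n"; fi
    done
    echo $((max + 1))
}

# Delete captures last written more than KEEP_DAYS full days ago (find -mtime semantics).
prune_old() {
    find "$CAP_DIR" -name "$IFACE-*.tcpdump" -type f -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Print the capture file covering a syslog time given as YYYYMMDDhhmm. A file's mtime
# is its last packet write, so the covering file is the oldest one modified after T.
capture_for_time() {
    local ref f
    ref="$(mktemp)" || return 1
    touch -t "$1" "$ref"
    f="$(find "$CAP_DIR" -name "$IFACE-*.tcpdump" -type f -newer "$ref" \
            -exec ls -tr {} + | head -n 1)"
    rm -f "$ref"
    echo "$f"
}

# The loop from the message: 5000 packets per file, counter incrementing.
capture_loop() {
    local cnt
    mkdir -p "$CAP_DIR" || return 1
    cnt="$(next_count)"
    while :; do
        tcpdump -i "$IFACE" -s 1500 -c 5000 -w "$CAP_DIR/$IFACE-$cnt.tcpdump" || return 1
        cnt=$((cnt + 1))
        prune_old
    done
}

# Capture only when started as "<script> run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then capture_loop; fi
```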