>"Knute Johnson" <knute@xxxxxxxxxxx> writes:
>> Connection attempts using mod_proxy:
>> 220.132.60.97 -> msa.hinet.net:25: 1 Time(s)
>> Above is a piece of my logwatch email today. What is msa.hinet.net
>> actually trying to do here?
>
>Probably msa.hinet.net isn't doing anything but being the target of
>some proxy spamming attempt. I've found that the simplest way to
>unravel such logs is to just keep a week's worth of "tcpdump -w" logs
>and then use wireshark (formerly ethereal) to read the appropriate
>logs. The "follow tcp stream" option when highlighting a tcp packet
>is a great way to see what both sides were doing.
>
>I normally just run tcpdump in an infinite shell loop with a counter
>incrementing. Then if the syslogs show something I don't understand
>I'll look at the packets around that time by wireshark-ing the
>appropriate tcpdump file.
>
> tcpdump -i eth0 -s 1500 -c 5000 -w eth0-$cnt.tcpdump
>
>Disk space is relatively cheap. It normally only takes a few gigs,
>which at today's prices is well under a buck.
>
>-wolfgang

Thanks Wolfgang and Alexander for the replies.

--
Knute Johnson
Molon Labe...
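The rotating-capture loop Wolfgang describes, written out as an added example (this is not code from the thread; Wolfgang only posted the single tcpdump line). It wraps that exact tcpdump invocation in a counter loop, zero-pads the counter so file names sort in capture order, and prunes the oldest files so the directory stays within a disk budget instead of growing forever. The interface name, capture directory, packets-per-file count and the number of files to keep are assumed defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original thread. Rotating tcpdump capture loop
# with a counter, modelled on the one-liner in Wolfgang's reply.
# Assumed defaults (hypothetical, override via environment as needed):
IFACE="${IFACE:-eth0}"                  # interface to capture on
CAPDIR="${CAPDIR:-/var/log/pcap}"       # where capture files are written
PKTS_PER_FILE="${PKTS_PER_FILE:-5000}"  # -c value: packets per file, as in the post
KEEP="${KEEP:-200}"                     # how many most recent files to retain

# Build the capture file name for counter N, e.g. /var/log/pcap/eth0-000042.tcpdump.
# Zero padding makes plain lexical sort equal to chronological order.
capture_name() {
    printf '%s/%s-%06d.tcpdump\n' "$CAPDIR" "$IFACE" "$1"
}

# Count the .tcpdump files in a directory (0 when the glob matches nothing).
count_captures() {
    n=0
    for f in "$1"/*.tcpdump; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Delete all but the newest $2 capture files in directory $1.
# sort -r lists newest first; tail -n +K (POSIX) skips the first K-1 lines.
prune_captures() {
    dir="$1"
    keep="$2"
    ls "$dir"/*.tcpdump 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r f; do
        rm -f "$f"
    done
}

# Infinite capture loop: each tcpdump run stops after $PKTS_PER_FILE packets,
# the counter advances, and old files are pruned before the next run starts.
# -s 1500 keeps whole Ethernet frames so "follow tcp stream" sees full payloads.
capture_loop() {
    mkdir -p "$CAPDIR"
    cnt=0
    while :; do
        cnt=$((cnt + 1))
        tcpdump -i "$IFACE" -s 1500 -c "$PKTS_PER_FILE" -w "$(capture_name "$cnt")" || break
        prune_captures "$CAPDIR" "$KEEP"
    done
}

# Only start capturing when invoked as "script.sh run"; sourcing the file
# merely defines the functions above.
if [ "${1:-}" = "run" ]; then
    capture_loop
fi
```

Run it as root (tcpdump needs capture privileges) with `./capture.sh run`, or under a supervisor so it restarts if tcpdump exits. When a syslog or logwatch entry needs explaining, pick the file whose modification time brackets the event, open it in Wireshark, highlight a packet of the suspect connection and use Follow TCP Stream, as described in the reply.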