Logwatch?

Knute Johnson knute at frazmtn.com
Tue May 29 17:35:38 UTC 2007


>"Knute Johnson" <knute at frazmtn.com> writes:
>>  Connection attempts using mod_proxy:
>>     220.132.60.97 -> msa.hinet.net:25: 1 Time(s)
>> Above is a piece of my logwatch email today.  What is msa.hinet.net 
>> actually trying to do here?  
>
>Probably msa.hinet.net isn't doing anything but being the target of
>some proxy spamming attempt.  I've found that the simplest way to
>unravel such logs is to just keep a week's worth of "tcpdump -w" logs
>and then use wireshark (formerly ethereal) to read the appropriate
>logs.  The "follow tcp stream" option when highlighting a tcp packet
>is a great way to see what both sides were doing.
>
>I normally just run tcpdump in an infinite shell loop with a counter
>incrementing.  Then if the syslogs show something I don't understand
>I'll look at the packets around that time by wireshark-ing the
>appropriate tcpdump file.
>
>  tcpdump -i eth0 -s 1500 -c 5000 -w eth0-$cnt.tcpdump
>
>Disk space is relatively cheap.  It normally only takes a few gigs,
>which at today's prices is well under a buck.
>
>-wolfgang

Thanks Wolfgang and Alexander for the replies.

-- 
Knute Johnson
Molon Labe...
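The rolling capture that Wolfgang describes in the quoted reply (an infinite loop, an incrementing counter, one file per 5000 packets, about a week of files kept on disk) written out as a runnable POSIX shell script. This is an added example, not code from the original thread; the capture directory, the 7-day retention and the default interface name are assumptions chosen here, and the script only starts capturing when invoked with `run` so the helper functions can be exercised without tcpdump.

```shell
#!/bin/sh
# Added example: rolling tcpdump capture loop in the style of the quoted reply,
# plus a pruning step so only about a week of captures stays on disk.
# Assumptions (not from the original post): capture directory, retention period
# and default interface are placeholders chosen for this example.

CAP_DIR="${CAP_DIR:-/var/log/pcap}"   # assumed location for capture files
RETAIN_DAYS="${RETAIN_DAYS:-7}"        # "a week's worth" of captures

# Path of the capture file for a given interface and counter value,
# matching the eth0-$cnt.tcpdump naming from the reply.
capture_file() {
    iface="$1"; cnt="$2"
    printf '%s/%s-%s.tcpdump' "$CAP_DIR" "$iface" "$cnt"
}

# Delete capture files older than RETAIN_DAYS in a directory and
# print the number of capture files that remain.
prune_captures() {
    dir="$1"
    find "$dir" -name '*.tcpdump' -type f -mtime +"$RETAIN_DAYS" -exec rm -f {} +
    find "$dir" -name '*.tcpdump' -type f | wc -l | tr -d ' '
}

# Infinite loop with an incrementing counter, as described in the reply:
# tcpdump exits after 5000 packets (-c), old files are pruned, the counter
# advances and the next capture starts. Snaplen 1500 keeps full Ethernet
# frames so "follow tcp stream" in wireshark shows complete payloads.
capture_loop() {
    iface="$1"
    cnt=0
    mkdir -p "$CAP_DIR"
    while true; do
        prune_captures "$CAP_DIR" >/dev/null
        tcpdump -i "$iface" -s 1500 -c 5000 -w "$(capture_file "$iface" "$cnt")"
        cnt=$((cnt + 1))
    done
}

# Only start capturing when invoked as:  sh rolling-capture.sh run eth0
if [ "${1:-}" = "run" ]; then
    capture_loop "${2:-eth0}"
fi
```

To find the file covering a logwatch entry, compare the entry's time with the capture files' modification times (each file's mtime is when tcpdump closed it) and open the one whose mtime is just after the event in wireshark. Newer tcpdump releases can rotate on their own with `-G` (seconds per file) and `-W` (number of files to keep), which replaces the loop when you do not need your own prune policy. Because the snaplen keeps full payloads, the capture directory holds whatever cleartext crossed the interface, including any credentials, so restrict its permissions like you would the syslogs.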
