I had to change fxp0 to xl0, but that tcpdump command is very cool, very 
instructive and very reassuring.  Thank you.  

--------


At 05:57 PM 3/9/2011, Michael  J. Kearney wrote:
>I don't know if I got through the last time but you ... could... add to but 
>not take away from your operational matrices by writing it to a file. Using 
>tcpdump to analyze the traffic on your webserver, it might clear up some of 
>the confusion.
>
>tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale
>
>You can also read some of the output data.
>
>Eg, here are some of my logs:
>
>168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET /index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
>The query is 8,223 bytes and logged as 5,413 bytes ?
>
>The only logical conclusion is that the header data is false. Unfortunately the 
>RAW data does not reveal anything more than that. Maybe you will have better 
>luck .. and p.s. I was hanging out with my android earlier, I hope this helps.
>
>
>-----Original Message-----
>From: [email protected] 
>[mailto:[email protected]] On Behalf Of [email protected]
>Sent: Wednesday, March 09, 2011 3:40 PM
>To: [email protected]
>Subject: Re: Nonsensical Web Log Entries
>
>At 03:02 PM 3/9/2011, [email protected] wrote:
>>At 03:06 PM 3/9/2011, Robert Bonomi wrote:
>>>> From [email protected]  Wed Mar  9 10:40:23 2011
>>>> Date: Wed, 09 Mar 2011 09:57:03 -0500
>>>> To: [email protected]
>>>> From: [email protected]
>>>> Subject: Nonsensical Web Log Entries
>>>>
>>>>
>>>> I was looking at my Web log this morning, and a bunch of nonsensical
>>>> entries like these caught my attention:
>>>>
>>>> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>
>>>> Is my FreeBSD box serving as some kind of Web proxy?
>>>
>>>Your box is _not_ doing the proxying.  That's why it's signalling errors
>>>for those requests.
>>>
>>>The perpetrators are _hoping_ you are running a misconfigured proxying front-
>>>end.
>>
>>Does this entry change your conclusion:
>>
>>     188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
>>
>
>Here's another entry that's too bizarre for words:
>
>     218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"
>
>
>
>-------------------------------------------------
>This message sent via VFEmail.net
>http://www.vfemail.net
>$14.95 Lifetime accounts!  15GB disk!  No bandwidth quotas!
>
>_______________________________________________
>[email protected] mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "[email protected]"


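One way to triage the kinds of entries discussed in this thread, added here as an example and not code from any poster: it classifies access-log lines as proxy probes (CONNECT, or an absolute-URI target naming a host the server does not serve) or as TLS handshake bytes sent to the plain-HTTP port, and marks the ones answered with 2xx for a manual look at what was actually served. The host name `www.example.com`, the sample lines and the labels are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache combined format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*?)" (?P<status>\d{3}) (?:\d+|-)')

def classify(line, local_hosts):
    """Return (ip, kind, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, kind = m["req"], "normal"
    parts = req.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    if req.startswith("\\x16\\x03"):
        # Apache escapes raw bytes: 0x16 0x03 opens a TLS handshake record,
        # i.e. a client spoke TLS to the plain-HTTP port.
        kind = "tls-on-http-port"
    elif parts[0] == "CONNECT":
        kind = "proxy-probe"
    elif target.lower().startswith(("http://", "https://")):
        # Absolute-form target: only a probe if it names a host we do not serve.
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:  # malformed authority in attacker-supplied data
            host = ""
        if host not in local_hosts:
            kind = "proxy-probe"
    return m["ip"], kind, int(m["status"])

def review(lines, local_hosts):
    """List odd requests; 2xx answers are marked for a manual look at what was served."""
    findings = []
    for line in lines:
        result = classify(line, local_hosts)
        if result and result[1] != "normal":
            ip, kind, status = result
            findings.append((ip, kind, "2xx-verify" if 200 <= status < 300 else "non-2xx"))
    return findings

# Constructed sample lines modelled on the thread's entries (reserved example addresses).
SAMPLE = [
    r'192.0.2.10 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.example.org/ HTTP/1.0" 301 294 "-" "Mozilla/4.0"',
    r'192.0.2.11 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.example.net/ HTTP/1.1" 200 13134 "-" "-"',
    r'192.0.2.12 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"',
    r'192.0.2.13 - - [09/Mar/2011:16:00:00 -0500] "GET /index.php HTTP/1.1" 200 5413 "-" "Mozilla/4.0"',
    r'192.0.2.14 - - [09/Mar/2011:16:00:05 -0500] "GET http://www.example.com/faq HTTP/1.1" 200 900 "-" "-"',
]
```

For a `2xx-verify` finding, comparing the logged byte count with the size of the server's own default page is a quick first check on whether local content was returned.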