On Tuesday 09 June 2009 15:13:43 Shachar Shemesh wrote: > > If the TCP-level connection is dropped before an HTTP request is > > received then I'm not sure Apache's log will show it (just tried this > > on a Ubuntu desktop, don't know how much it indicates for CentOS 5). > > > > Do you count that as a successful connection? It sounds to me like it is > not, which means that apache not listing it is actually a good thing. > > What I would be worried about (not very, mind you) is SYN floods and > other stuff. Some failed TCP connections should not be counted (SYN is > invalid, three way handshake did not complete due to client > considerations, retransmitted SYNs etc.). The only way I can think of to > find those is a sniffer (I don't know of any tcpdump rules that can > match those, and I wouldn't trust its performance anyway, so I think a > dedicated one would work best).
How about using iptables to count the TCP packets containing SYN's and comparing it to the access_log entries? There are a couple of pitfalls here that needs to be addressed (like retransmition of SYN packets), but this could probably be avoided by using parsing script, which would eliminate the duplicates. _______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
