If I understood what you said, you are able to get the client's IP
address by using another resource, like netstat -a and you see the
connection is in CLOSE_WAIT state for ever. CLOSE_WAIT takes 12 hours to
timeout. It is a long while, but it happens. Maybe you could check
something in your kernel configuration and put this value a little lower.
Seeya,
Miguel.
kalin mintchev wrote:
i found a client connected to the process but could not find the client's
ip number in any of the logs of the server. so i assume its some remote
application that is hitting directly the offending script. but how do i
get to that?!? like somebody mentioned it's probably not written in the
logs until the file is served and the process finished but if the process
never finishes (CLOSE_WAIT) there is no trace in the log....
here is what's right now...
# top
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
53452 nobody 55 0 15932K 10128K RUN 108:16 96.88% 96.88% httpd
56877 root 28 0 1996K 1100K RUN 0:00 0.89% 0.29% top
.............
# sockstat -4 | grep 53452
nobody httpd 53452 4 tcp4 66.117.34.36:80 66.134.162.210:1625
nobody httpd 53452 115 tcp4 *:443 *:*
nobody httpd 53452 116 tcp4 *:80 *:*
nobody httpd 53452 117 tcp4 66.117.34.36:80 *:*
# netstat -a
......
tcp4 0 0 server.http h-66-134-162-210.1625 CLOSE_WAIT
.......
# grep -rl 66.134.162.210 /html/*/logs/*
#
there are about maybe 150 domains under /html.... so now what?
i guess i'd have to go through each and every one of them?!? - i know the
20 min time window when the process gets wild but i don't have much
else...
i'm going to turn the mod_status on - like suggested here - to see what it
will come up with but i'm not holding my breath....
thanks....
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
.
--
Andre Miguel
Administrador de sistemas
e-mail: [EMAIL PROTECTED]
GVI - Globalview Internet Services
www.gvi.com.br
Fone: 3351-4470
Fax: 3351-4488
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
