Amos Shapira wrote:

> Maybe a clever iptables rule can count incoming SYN packets on the
> relevant ports (we listen on about 4-5 different ports) and then I can
> compare it against the Apache access log for the same period.
No need for anything special. Just do "iptables -L -v" to see how many hits on each rule. iptables even has a command option that gives you the stats and atomically zeroes the counters. All you need in addition is grep, and you're almost set.
> while the Apache log should be easily achievable by grep

> If the TCP-level connection is dropped before an HTTP request is
> received then I'm not sure Apache's log will show it (just tried this
> on an Ubuntu desktop, don't know how much it indicates for CentOS 5).
Do you count that as a successful connection? It sounds to me like it is not, which means that Apache not listing it is actually a good thing.

What I would be worried about (not very, mind you) is SYN floods and other stuff. Some failed TCP connections should not be counted (SYN is invalid, three-way handshake did not complete due to client considerations, retransmitted SYNs, etc.). The only way I can think of to find those is a sniffer (I don't know of any tcpdump rules that can match those, and I wouldn't trust its performance anyway, so I think a dedicated one would work best).

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
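The comparison the thread sketches (per-port SYN counters from iptables against the Apache access log for the same window), worked through as an added example that is not from the original thread or either poster. It assumes one counting rule per listening port of the form `iptables -I INPUT -p tcp --syn --dport 80 -j ACCEPT`, that the counters are snapshotted with `iptables -vnx -L INPUT -Z` (the `-Z` with `-L` lists and then zeroes, which is the atomic read-and-reset Shachar mentions), and that Apache's LogFormat includes the server port (`%p`), since the default combined format does not record which port a request arrived on. Both the iptables listing and the log lines below are constructed sample data.

```python
#!/usr/bin/env python3
"""Compare per-port SYN counters from an iptables listing against the number
of requests Apache logged for the same window. Added example; all input here
is constructed sample data, not output captured from a real host."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed: what `iptables -vnx -L INPUT -Z` prints when one counting rule
# per port was added with `-p tcp --syn --dport <port> -j ACCEPT`. The `--syn`
# match is displayed as flags:0x17/0x02; the dpt:22 rule has no such match and
# must therefore be ignored. A target (-j) is assumed present on every rule.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x17/0x02
       2      120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 flags:0x17/0x02
       1       60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 flags:0x17/0x02
      99     5940 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
"""

SYN_RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+\d+\s+\S+\s+tcp\b.*\bdpt:(?P<port>\d+)\b.*\bflags:0x17/0x02",
    re.MULTILINE,
)


def syn_counts(listing: str) -> dict:
    """Map destination port -> SYN packets for the --syn counting rules only."""
    return {int(m["port"]): int(m["pkts"]) for m in SYN_RULE.finditer(listing)}


# Constructed access log written with
#   LogFormat "%h %p %l %u %t \"%r\" %>s %b"
# so that the server port (%p) is the second column.
ACCESS_LOG = """\
203.0.113.5 80 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
203.0.113.5 80 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512
198.51.100.9 443 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 1432
198.51.100.9 443 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.77 80 - - [10/Oct/2023:13:58:10 +0000] "GET /robots.txt HTTP/1.1" 404 209
192.0.2.77 80 - - [10/Oct/2023:14:05:00 +0000] "GET / HTTP/1.1" 200 2326
"""

LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d+) (?P<size>\S+)'
)

# The window must match the interval between two counter snapshots.
WINDOW_START = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 10, 10, 14, 0, 0, tzinfo=timezone.utc)


def request_counts(log: str, start: datetime, end: datetime) -> dict:
    """Map server port -> requests whose timestamp falls in [start, end)."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or foreign line; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts < end:
            counts[int(m["port"])] += 1
    return dict(counts)


def compare(syn: dict, requests: dict) -> dict:
    """Per port: SYNs seen, requests logged, and SYNs that produced no request.
    A positive 'unlogged' value is connections Apache never logged (dropped
    before a request, half-open, or retransmitted SYNs inflating the counter);
    a negative one means HTTP keep-alive carried several requests over one
    connection, so the two numbers are not expected to match exactly."""
    return {
        p: {
            "syn": syn.get(p, 0),
            "requests": requests.get(p, 0),
            "unlogged": syn.get(p, 0) - requests.get(p, 0),
        }
        for p in sorted(set(syn) | set(requests))
    }


def report(listing=IPTABLES_OUTPUT, log=ACCESS_LOG,
           start=WINDOW_START, end=WINDOW_END) -> dict:
    """Run the whole comparison for one snapshot window."""
    return compare(syn_counts(listing), request_counts(log, start, end))


if __name__ == "__main__":
    for port, row in report().items():
        print(f"port {port}: syn={row['syn']} requests={row['requests']} "
              f"unlogged={row['unlogged']}")
```

In practice the listing would come from a cron job that runs `iptables -vnx -L INPUT -Z` every few minutes and saves the output with a timestamp, and `report()` would be fed that file plus the access log slice for the same interval. The counters only count SYNs that reached the INPUT chain, so a connection that never completed the handshake still shows up as one SYN; as the thread notes, telling those apart from real connections needs packet capture rather than rule counters.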

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
