Chris Robertson wrote:
> Anatoly Oreshkin wrote:
>>
>> Hello,
>>
>> We have squid server version squid-3.0.STABLE11-20090112 running on 
>> Scientific Linux 4.4.
>> I noticed that sometimes, usually in working hours, input traffic sharply
>> increases. I saw this increase in the GANGLIA graph for the proxy server. I 
>> looked into the squid log files but did not find that proxy clients 
>> increased their activity during these input traffic peaks.
>> Then I continued to investigate the case with tcpdump:
>>
>> tcpdump -A -i eth0
>>
>> and discovered many TCP connections to external sites on port 80.
>> But I did not find the names of these sites in the squid logs,
>> although if clients access these sites then the site names should be 
>> present in the squid logs.
>>
>> Here is an extract from the tcpdump output:
>>
>> 11:28:15.232848 IP 194.187.97.85.webazilla.com.http > 
>> proxyter.pnpi.spb.ru.55605: . 1:1449(1448) ack 349 win 33304 
>> <nop,nop,timestamp 2902195045 1662548939>
>> 11:28:15.232871 IP proxyter.pnpi.spb.ru.55605 > 
>> 194.187.97.85.webazilla.com.http: . ack 1449 win 2184 
>> <nop,nop,timestamp 1662549003 2902195045>
>> 11:28:15.232878 IP 194.187.97.85.webazilla.com.http > 
>> proxyter.pnpi.spb.ru.55605: . 1449:2897(1448) ack 349 win 33304 
>> <nop,nop,timestamp 2902195045 1662548939>
>> 11:28:15.232889 IP proxyter.pnpi.spb.ru.55605 > 
>> 194.187.97.85.webazilla.com.http: . ack 2897 win 2908 
>> <nop,nop,timestamp 1662549003 2902195045>
>> 11:28:15.232896 IP 194.187.97.85.webazilla.com.http > 
>> proxyter.pnpi.spb.ru.55605: P 2897:4097(1200) ack 349 win 33304 
>> <nop,nop,timestamp 2902195045 1662548939>
>> 11:28:15.232906 IP proxyter.pnpi.spb.ru.55605 > 
>> 194.187.97.85.webazilla.com.http: . ack 4097 win 3632 
>> <nop,nop,timestamp 1662549003 2902195045>
>>
>>
>> proxyter.pnpi.spb.ru is our proxy server name. It is trying to access
>> 194.187.97.85.webazilla.com on port 80. However, there are no references 
>> to 194.187.97.85.webazilla.com in the squid log files.
> 
> But there might be a reference to another name that maps to the same 
> IP... http://en.wikipedia.org/wiki/Reverse_DNS_lookup
> 
> When you see odd traffic like this, run...
> 
> squidclient cache_object://localhost/active_requests|grep ^uri
Or I think just:
   squidclient mgr:active_requests | grep -E "^uri"
> 
> ...to get a list of the hosts which are involved in active connections.  
> Find the IP address each of these hosts maps to, and then perform a 
> reverse DNS lookup on each of those IPs.
> 
> For what it's worth, webazilla.com appears to be a hosting company, so 
> it's likely that one of your customers was surfing to a site hosted with 
> webazilla.com's service.
> 
>> It is very strange. When I stop squid, these TCP connections 
>> disappear.
>> The names of these sites are different, for example just an IP 
>> address, 88.208.22.108, or 80-239-152-58.customer.teliacarrier.com.
> 
> Probably the same story, different hosts.
> 
I agree.
>>
>>
>> We have such squid logs enabled: access.log, referer.log, store.log, 
>> useragent.log.
Those last three should be extraneous logging.
Your config looks fine.
Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

Received on Fri Jan 16 2009 - 02:07:02 MST
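The correlation step discussed in this thread (matching an origin-server IP seen in tcpdump against what squid actually fetched) can be done from access.log itself: in squid's native log format the hierarchy field (e.g. `DIRECT/194.187.97.85`) already records the upstream IP, and only cache hits (`NONE/-`) need a forward DNS lookup of the URL's host. The script below is an added example, not code from the thread or from the Squid project; the log lines, host names and the resolver table are constructed so it runs offline.

```python
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format:
# time elapsed client code/status bytes method URL ident peerstatus/peerhost type
SAMPLE_ACCESS_LOG = """\
1232105295.232 543 10.0.0.12 TCP_MISS/200 4521 GET http://www.hosted-example.test/index.html - DIRECT/194.187.97.85 text/html
1232105296.101 120 10.0.0.15 TCP_HIT/200 2210 GET http://cdn.example.test/app.js - NONE/- application/javascript
1232105297.410 2310 10.0.0.12 TCP_MISS/200 98211 CONNECT mail.example.test:443 - DIRECT/88.208.22.108 -
"""

# Constructed forward-DNS answers (hypothetical names) so the example needs no network.
SAMPLE_RESOLVER = {"cdn.example.test": "80.239.152.58"}

def url_host(url):
    """Host part of a squid-logged URL; CONNECT lines log host:port with no scheme."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname

def resolve(host, table=None):
    """Forward-resolve host via the supplied table, else real DNS; None on failure."""
    if table is not None:
        return table.get(host)
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def index_by_server_ip(log_text, table=None):
    """Map each origin-server IP to the set of URLs squid served from it."""
    index = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        url, hier = fields[6], fields[8]
        peer_ip = hier.split("/", 1)[1]
        if peer_ip == "-":  # hit or error: no upstream connection was logged
            peer_ip = resolve(url_host(url), table)
        if peer_ip:
            index[peer_ip].add(url)
    return index

def explain_ip(ip, index):
    """URLs in the log that account for traffic to ip; empty means squid never fetched from it."""
    return sorted(index.get(ip, ()))
```

An IP that tcpdump shows the proxy talking to but that `explain_ip` cannot account for is the case worth investigating further; one that maps to logged URLs is just a hosted site under a name you did not recognise.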