On 10/15/2016 05:16 PM, Jester Purtteman wrote:
> The packet capture idea is a good one too, I'll do that as well.
> Similar issue (sifting a small amount of info out of an ocean of data)
> but I think valuable.
With a packet capture and a matching access.log, it is easy to find the
offending connections without Squid-specific knowledge because you can
ask Wireshark or a similar tool to locate the packets that match the
logged IPs and ports (the ones on the error:... lines in access.log).
After that, you just follow the TCP stream you found and look at its
packet payload to identify the protocol/intent...
With cache.log, the procedure is similar but there is no nice interface
to "follow the identified transaction". There are some very useful
scripts that can follow descriptors and internal Squid "jobs", but they
do require some low-level Squid-specific knowledge and experience to
operate correctly (unfortunately). Besides, you may not see the payload,
especially if Squid does not try to parse it.
squid-users mailing list