Linux – How to Monitor Aborted Connections on Port 80 With tcpdump

apache-2.2, linux, tcpdump, unix

Can I use tcpdump to detect Aborted connections on port 80 (Apache) originating from a specific IP (my remote IP)? I can reproduce the Aborted connection in my web browser, but I have no way to verify whether the request is getting to my server. I tried this, but couldn't really tell if a connection was Aborted.

tcpdump -n -i eth0 -s 0 src or dst port 80 | grep -F "XXX.XXX.XXX.XXX"

Best Answer

I would think that an "Aborted" connection happens when a TCP packet is sent that tells the connection to reset; the flag that represents this is the RST flag.

You can filter for RST using tcpdump -i eth1 'tcp[13] & 4 = 4'. Also, a bit off point, but grepping tcpdump output is a little lazy; you can always add dst host X or src host X to your filter.
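Putting the answer's two points together, here is an added example (not part of the original question or answer) that builds the complete capture filter, RST bit plus port 80 plus a host qualifier instead of grep, and then tallies resets per source address from tcpdump's text output. The helper names rst_filter and count_rst, the peer address 203.0.113.7, and the sample capture lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original answer. Helper names are hypothetical.

# Build the BPF filter the answer describes: tcp[13] is the TCP flags byte and
# 4 is the RST bit, so "tcp[13] & 4 != 0" (equivalent to "= 4") matches resets.
# Restricting to port 80 and the peer host replaces the grep in the question.
# $1 = peer IP address (assumed argument).
rst_filter() {
    printf 'tcp[13] & 4 != 0 and port 80 and host %s' "$1"
}

# Summarise tcpdump -n text output read on stdin: for every line whose Flags
# field contains R, count one reset per source address (port suffix stripped).
# Output: "<src_ip> <count>" per line, sorted.
count_rst() {
    awk '
        /Flags \[[A-Za-z.]*R/ {
            src = $3                    # "203.0.113.7.51234" with -n
            sub(/\.[0-9]+$/, "", src)   # drop the port
            n[src]++
        }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# Constructed sample of tcpdump -n output (not a real capture): a handshake,
# a reset from each side, and an unrelated FIN from another client.
SAMPLE='12:00:00.000001 IP 203.0.113.7.51234 > 198.51.100.10.80: Flags [S], seq 0, win 64240, length 0
12:00:00.000002 IP 198.51.100.10.80 > 203.0.113.7.51234: Flags [S.], seq 0, ack 1, win 65160, length 0
12:00:00.000003 IP 203.0.113.7.51234 > 198.51.100.10.80: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.000004 IP 198.51.100.10.80 > 203.0.113.7.51234: Flags [R], seq 1, win 0, length 0
12:00:00.000005 IP 203.0.113.9.40000 > 198.51.100.10.80: Flags [F.], seq 10, ack 20, win 500, length 0'

# Offline run over the sample. On a live box you would instead do something like
#   sudo tcpdump -n -l -i eth0 "$(rst_filter 203.0.113.7)" | count_rst
# and stop tcpdump with Ctrl-C to get the per-host totals.
printf '%s\n' "$SAMPLE" | count_rst
```

Because the direction of the reset tells you who gave up, the per-source tally distinguishes a client that aborted (RST from the remote IP) from a server-side rejection (RST from your own address, for example when nothing is listening or Apache closed the socket); a reset with no preceding SYN from the remote side means the request never reached the server at all.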