I have been toying with monitoring POST requests from a specific IP on an application. I suspect the IP of abusing/finding a bug; however, it is not easy to find the suspect piece of code in the codebase, so I'm trying to take a sysadmin approach to the solution.
What I want to do is profile the IP for the next few days/weeks or so, ignoring anything I know to be uninteresting. So far I have this, but I'm not sure where to take it next.
tcpdump -l -nn -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' | grep -i -a -B10 -A10 'X-Forwarded-For: 127\.0\.0\.1\b'
Obviously not the correct IP, but you get the drift.
Any help would be great.
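One way to take that pipeline further, as an added example that is not part of the original post: a small Python filter that reads line-buffered `tcpdump -l -nn -A` output, splits it into packets, keeps only POSTs whose first X-Forwarded-For hop is the suspect address (falling back to the TCP source when the header is absent), drops paths you already know are uninteresting, and tallies paths and form-parameter names over the whole capture. The sample capture text, the suspect address 203.0.113.7 and the ignore list are constructed for illustration; the packet header line format is assumed from tcpdump's standard `-A` output, which also drops CRs, so HTTP lines end in a bare newline.

```python
import re
import sys
from collections import Counter
from urllib.parse import parse_qsl

# Start of one packet in `tcpdump -nn -A` output, e.g.
# "10:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [P.], seq 1:180, ..., length 179"
# (header line format assumed from tcpdump's standard output).
RECORD_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP6? (\S+) > (\S+): ", re.MULTILINE)
REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]$")


def split_records(text):
    """Yield (timestamp, src, dst, payload) for every packet in -A output."""
    starts = list(RECORD_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        rest = text[m.end():end]
        # The remainder of the header line (Flags, seq, length) precedes the payload.
        payload = rest.split("\n", 1)[1] if "\n" in rest else ""
        yield m.group(1), m.group(2), m.group(3), payload


def parse_request(payload):
    """Parse an HTTP/1.x request head; return (method, path, headers, body) or None."""
    # -A already drops CRs, so head and body are separated by "\n\n";
    # strip any CR that survived just in case.
    payload = payload.replace("\r", "")
    head, _, body = payload.partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body.strip("\n")


def profile(text, suspect_ip, ignore_paths=()):
    """Tally POSTs attributed to suspect_ip (first X-Forwarded-For hop, else TCP source)."""
    hits = []
    for ts, src, _dst, payload in split_records(text):
        req = parse_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        if method != "POST" or path in ignore_paths:
            continue
        xff = headers.get("x-forwarded-for", "")
        client = xff.split(",")[0].strip() if xff else src.rsplit(".", 1)[0]
        if client != suspect_ip:
            continue
        params = []
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params = [name for name, _ in parse_qsl(body)]
        # Only the segment that starts with "POST" is captured, so body may be partial.
        hits.append({"ts": ts, "path": path, "params": params, "body_len": len(body)})
    return {
        "count": len(hits),
        "paths": Counter(h["path"] for h in hits),
        "params": Counter(p for h in hits for p in h["params"]),
        "hits": hits,
    }


# Constructed sample of `tcpdump -nn -A` output for the demo (not a real capture).
SAMPLE = """\
10:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [P.], seq 1:180, ack 1, win 502, length 179
POST /login HTTP/1.1
Host: app.example.internal
X-Forwarded-For: 203.0.113.7
Content-Type: application/x-www-form-urlencoded

user=admin&pass=hunter2
10:00:02.000001 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [P.], seq 1:150, ack 1, win 502, length 149
POST /healthz HTTP/1.1
Host: app.example.internal
X-Forwarded-For: 203.0.113.7

10:00:03.000001 IP 10.0.0.5.40003 > 10.0.0.9.80: Flags [P.], seq 1:200, ack 1, win 502, length 199
POST /api/export HTTP/1.1
Host: app.example.internal
X-Forwarded-For: 203.0.113.7, 10.0.0.5
Content-Type: application/x-www-form-urlencoded

format=csv&range=30d
10:00:04.000001 IP 10.0.0.5.40004 > 10.0.0.9.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
POST /login HTTP/1.1
Host: app.example.internal
X-Forwarded-For: 198.51.100.2

user=bob&pass=x
10:00:05.000001 IP 10.0.0.5.40005 > 10.0.0.9.80: Flags [P.], seq 1:130, ack 1, win 502, length 129
POST /api/export HTTP/1.1
Host: app.example.internal
X-Forwarded-For: 203.0.113.7
Content-Type: application/x-www-form-urlencoded

format=json
"""


if __name__ == "__main__":
    suspect = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"
    ignore = set(sys.argv[2:]) or {"/healthz"}
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = profile(data, suspect, ignore)
    print(f"{result['count']} POSTs from {suspect}")
    for path, n in result["paths"].most_common():
        print(f"  {n:5d}  {path}")
    print("form parameters seen:", dict(result["params"]))
```

Run it live as `tcpdump -l -nn -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' | python3 profile_posts.py 203.0.113.7 /healthz`, or, for a multi-day capture, record with `tcpdump -w` and replay with `tcpdump -r file -nn -A`. Two caveats: the BPF filter only selects the segment that begins with "POST", so a request whose headers or body continue in later segments is only partly visible, and only the first X-Forwarded-For hop is trusted, which is only meaningful if the proxy in front of the app overwrites rather than appends to a client-supplied header.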