If you mean pcap when you say 'log file', then there are several possible signs of an attack. But it's hard to spot such a sign without knowing what kind of attack you're looking for.
- DoS/DDoS attack: You should see a massive increase of traffic in the pcap and lots of missing ACK and/or Duplicate ACK, because the system can't handle the extra load
- targeted attacks (protocol/application level): Longer response times, more TCP reconnects, TCP RESETs, etc., because the application is either under load or crashing
If you really mean a log file, when you say log file, please add more details.
Regards
Kurt
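
An added example, not part of the answer above: a standard-library Python sketch that counts the indicators the answer lists (traffic volume, new connection attempts, TCP RSTs, repeated ACK numbers) per second of a capture. It assumes a little-endian pcap with Ethernet/IPv4 framing; the function names, the sample capture and the duplicate-ACK rule (a data-less ACK repeating the flow's previous ACK number) are simplifications made for this example.

```python
import struct
from collections import Counter

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

def tcp_indicators(pcap: bytes, bucket: int = 1) -> dict:
    """Count packets, SYNs, RSTs and duplicate ACKs per time bucket (seconds)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    stats, last_ack, off = {}, {}, 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4          # start of the TCP header
        if len(frame) < tcp + 20:
            continue  # truncated TCP header
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        sport, dport, _, ack, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
        flags = off_flags & 0x3F
        payload = ip_len - (tcp - 14) - (off_flags >> 12) * 4
        c = stats.setdefault(ts // bucket * bucket, Counter())
        c["packets"] += 1
        c["syn"] += (flags & (SYN | ACK)) == SYN   # new connection attempt
        c["rst"] += bool(flags & RST)
        if flags == ACK and payload == 0:          # pure ACK carrying no data
            flow = (frame[26:34], sport, dport)
            c["dup_ack"] += last_ack.get(flow) == ack  # same ACK number again
            last_ack[flow] = ack
    return stats

def make_record(ts, sport, dport, seq, ack, flags, data=b""):
    # One constructed Ethernet/IPv4/TCP pcap record (checksums left at 0).
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth

# Constructed sample capture: a quiet second (100), then a degraded one (101).
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    make_record(100, 40000, 80, 1, 0, SYN),
    make_record(100, 80, 40000, 500, 1000, ACK),
    make_record(100, 40000, 80, 1000, 501, ACK | PSH, b"x" * 10),
    *[make_record(101, 80, 40000, 500, 1000, ACK)] * 3,   # repeated ACK number
    make_record(101, 40000, 80, 1010, 0, RST),
    make_record(101, 40001, 80, 1, 0, SYN), make_record(101, 40002, 80, 1, 0, SYN),
])
```

A jump in these counters from one bucket to the next is only a cue to inspect that interval in Wireshark; ordinary packet loss or a restarting service produces the same pattern.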