Author: Subject: Anyone know an easy way to monitor web traffic on a network
BenB

posted on 13/7/09 at 01:04 PM
Anyone know an easy way to monitor web traffic on a network

Usual workplace monitoring stuff.

Employees have worked out how to use porn mode or delete the history afterwards. I could make deleting the history an offense but it wouldn't take long until they discovered P-mode. The implications of a worm getting onto the server (confidential information) are too much to bear so we've got to do something to stop people going to prohibited sites...

I know I could use spy software but that seems rather intrusive (key loggers etc etc) so I'm thinking of a network sniffer looking for port 80.

Is there an easier way?

I've found some software called DNSeye which presumably looks up DNS requests but if they use plain IP numbers it would get round that....

Anyone know of an automated packet sniffer which just logs port 80 traffic on the entire local network?!?!?!

Obviously we've told the employees that we're monitoring traffic...

Staple balls

posted on 13/7/09 at 01:07 PM
wireshark?

Omni

posted on 13/7/09 at 01:07 PM
Why not set up a web Proxy Server which will give you full control of everything and a reporting facility?

Bit more info here:

http://en.wikipedia.org/wiki/Proxy_server

O

[Edited on 13/7/09 by Omni]

BenB

posted on 13/7/09 at 01:12 PM
True, I could do that but the server is pretty much out of bounds- the techy geeks are pretty neurotic about it!!!

Omni

posted on 13/7/09 at 01:16 PM
quote:
Originally posted by BenB
True, I could do that but the server is pretty much out of bounds- the techy geeks are pretty neurotic about it!!!


lol. Really?

So do you already have a proxy server? It can even be an old desktop. Then use Group Policies to set IE (Connections Tab) to use the proxy server and hey presto. Full control.

O

BenB

posted on 13/7/09 at 01:17 PM
quote:
Originally posted by Staple balls
wireshark?


Aha! Will have a look at it. Just found smartsniff which seems to give some of the functionality I want. It's just a shame I can't automatically display the names, I have to select all the TCP IPs and then it displays the websites underneath.

Better than nothing though- I'll have a shoofty at wireshark. Cheers.

BenB

posted on 13/7/09 at 01:19 PM
quote:
Originally posted by Omni
quote:
Originally posted by BenB
True, I could do that but the server is pretty much out of bounds- the techy geeks are pretty neurotic about it!!!


lol. Really?

So do you already have a proxy server? It can even be an old desktop. Then use Group Policies to set IE (Connections Tab) to use the proxy server and hey presto. Full control.

O


Oh, I see, yes, that would work. Put a proxy server on the old desktop then point all the internet connections there.... Good idea... That way I wouldn't get told off by the tech geeks

cd.thomson

posted on 13/7/09 at 01:19 PM
make sure you add http://www.locostbuilders.co.uk

[Edited on 13/7/09 by cd.thomson]





Craig

BenB

posted on 13/7/09 at 01:25 PM


I think LB is okay from a security point of view....

BenB

posted on 13/7/09 at 01:27 PM
Ooooh I like Wireshark. Export html object function. Bingo. Cheers

Omni

posted on 13/7/09 at 01:28 PM
Might be worth a look. Not free though

http://www.etherlook.com/howto/how-to-monitor-http-traffic-with-packet-sniffer/

You will need to install a packet sniffer though.

O

[Edited on 13/7/09 by Omni]

m8kwr

posted on 13/7/09 at 02:18 PM
Unsure what firewalls but what I do internally is send the syslog directly to a service running on a server (this could be run on a normal PC as well), this then strips the log file apart and gets you the information you need, website, user IP, date/time etc., then writes this to an SQL database (or MySQL with a little tweak).

The only issue with this is that it gives you an IP address of the user and not the username, so to get around that in the startup on each computer I write the username and IP to a table in the SQL server, and then have a trigger that when an entry is entered into the main table it replaces the IP for the username.... sounds more complex than it is.... and it's completely free....

I use a sonicwall by the way.

Then I have a web frontend for the manager to access to see what employees are doing!!!

I have tried a proxy server, but I didn't like it, and other products that sat on people's computers sending information to a central location - but I noticed network traffic increased too much.

If you want, I am more than happy to help you set something up.

HTH

I am now about to see what wireshark is all about....

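The syslog-to-database approach m8kwr describes above, as an added example (not m8kwr's code and not part of the original thread). The log line format, table names and sample data are constructed assumptions, and instead of overwriting the IP it keeps the IP and fills in the user who most recently logged on at that address, so a reused address is attributed to the right person.

```python
import re
import sqlite3

# Constructed sample lines in a generic key=value syslog style; a real firewall's
# field names will differ, so adjust LINE_RE to match what yours actually sends.
SAMPLE_SYSLOG = """\
2009-07-13T13:04:10 fw01 src=192.168.1.23 dst=203.0.113.10 dport=80 host=www.example.com
2009-07-13T13:05:42 fw01 src=192.168.1.40 dst=203.0.113.77 dport=80 host=blocked.example.net
2009-07-13T13:06:00 fw01 kernel: link up on eth1
2009-07-13T15:30:05 fw01 src=192.168.1.23 dst=203.0.113.77 dport=80 host=blocked.example.net
"""
# Constructed logon records, as a startup script on each PC would write them.
SAMPLE_LOGONS = [
    ("2009-07-13T08:55:00", "192.168.1.23", "alice"),
    ("2009-07-13T09:02:00", "192.168.1.40", "bob"),
    ("2009-07-13T14:00:00", "192.168.1.23", "carol"),  # same IP, later user
]
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=\S+ dport=\d+ host=(?P<host>\S+)$")

def build_db(syslog_text, logons):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logons (ts TEXT, ip TEXT, username TEXT)")
    db.execute("CREATE TABLE visits (ts TEXT, ip TEXT, host TEXT, username TEXT)")
    # On insert, fill in the user who most recently logged on at that IP
    # before the request was made; leave NULL if nobody is on record.
    db.execute("""
        CREATE TRIGGER resolve_user AFTER INSERT ON visits
        BEGIN
            UPDATE visits SET username = (
                SELECT username FROM logons
                WHERE ip = NEW.ip AND ts <= NEW.ts
                ORDER BY ts DESC LIMIT 1)
            WHERE rowid = NEW.rowid;
        END""")
    db.executemany("INSERT INTO logons VALUES (?, ?, ?)", logons)
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not web-connection records
            db.execute("INSERT INTO visits (ts, ip, host) VALUES (?, ?, ?)",
                       (m["ts"], m["src"], m["host"]))
    return db

def visits_by_user(db):
    return db.execute("SELECT ts, username, host FROM visits ORDER BY ts").fetchall()

if __name__ == "__main__":
    for row in visits_by_user(build_db(SAMPLE_SYSLOG, SAMPLE_LOGONS)):
        print(row)
```
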
BenB

posted on 13/7/09 at 02:58 PM
I think TBH wireshark's the answer. Haven't tried it on the network yet only my home PC. Looks pretty good so as long as it can detect the packets on the network (not a very good network packet sniffer if it can't!!) then I'm all good....

I could do a fancy front-end for the data side of things but to be honest I only want to know if they're going on certain sites that we've told them not to so I'll just dump the text output into a file and do a simple string search...

Cheers for the advice though.

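BenB's plan above of searching the sniffer's text dump for prohibited sites, as an added example that is not part of the original thread. It assumes a tab-separated export of source IP, Host header and URI (constructed sample, hypothetical blocklist), matches whole domain labels rather than raw substrings, and flags requests made to a bare IP address, the gap raised earlier in the thread for name-based monitoring.

```python
import ipaddress

# Hypothetical blocklist; use the sites named in your own policy.
BLOCKED_DOMAINS = {"blocked.example.net", "games.example.org"}
# Constructed sample: tab-separated source IP, HTTP Host header and URI,
# one request per line, as a sniffer's text export might be arranged.
SAMPLE_EXPORT = (
    "192.168.1.23\twww.example.com\t/index.html\n"
    "192.168.1.40\tcdn.Blocked.Example.net:8080\t/video\n"
    "192.168.1.40\tnotblocked.example.net\t/\n"
    "192.168.1.51\t203.0.113.77\t/login\n"
    "192.168.1.23\twww.example.com\t/search?q=blocked.example.net\n"
)

def normalise_host(host):
    """Lower-case a Host value and drop any :port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:80
        return host[1:host.find("]")]
    return host.partition(":")[0].rstrip(".")

def classify(host):
    """Return 'blocked', 'ip-literal' or None for a normalised host."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # no name to match, so flag it for review
    except ValueError:
        pass
    labels = host.split(".")
    # Compare whole labels so cdn.blocked.example.net matches its parent
    # domain but notblocked.example.net does not.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return "blocked"
    return None

def scan(export_text):
    """Return (source IP, host, verdict) for every flagged request."""
    findings = []
    for line in export_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # not a request record
        host = normalise_host(parts[1])
        verdict = classify(host)
        if verdict:
            findings.append((parts[0], host, verdict))
    return findings
```

A plain substring search over the same sample would also hit the `notblocked.example.net` request and the search query in the last line, and would miss the request to `203.0.113.77`.
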
scudderfish

posted on 13/7/09 at 03:57 PM
You'll probably find you've got a switched network which means wireshark will only see your web browsing and any broadcast packets. You need something closer to the firewall.

BenB

posted on 13/7/09 at 04:34 PM
quote:
Originally posted by scudderfish
You'll probably find you've got a switched network which means wireshark will only see your web browsing and any broadcast packets. You need something closer to the firewall.


Good point..... Grrrrr.... Maybe it's proxy time!!

fov

posted on 13/7/09 at 05:23 PM
What's your environment?
To use WS you could mirror the port which connects to the internet. But I would really suggest a proxy.

Also you might want to check into the policy regarding monitoring traffic. I know someone who got in a bit of hot water regarding this...

BenB

posted on 13/7/09 at 05:41 PM
quote:
Originally posted by fov
What's your environment?
To use WS you could mirror the port which connects to the internet. But I would really suggest a proxy.

Also you might want to check into the policy regarding monitoring traffic. I know someone who got in a bit of hot water regarding this...


XP SP3....
I'll check the policy- I wrote it but can't remember what's in it!!!! LOL

fov

posted on 13/7/09 at 06:02 PM
I was more meaning what switches, routers and firewalls you have?
How are you connected to the internet?
Are you in an AD domain?
Server 2k3 or 2k8? Std, Ent or SBS?

gottabedone

posted on 13/7/09 at 06:17 PM
Ben,

If you're going to take staff to task over their browsing then you need to have a robust policy stating what is reasonable use (personal/work related). State the types of sites that are acceptable and those that are not. Tell them that their use of internet is monitored and that they have no right of privacy over this. Have your managers tell the staff what the penalties will be and that they will be periodically monitored. You should also think about informing your staff that they have no right to privacy to e-mail in the workplace either. This way you have loosely covered data in/out via e-mail, internet and webmail. If they fight it, remove it completely for individuals.

You now need to find a techie solution after you have laid out the rules......

good luck

Steve

britishtrident

posted on 13/7/09 at 06:33 PM
Pass all the internet traffic through an IP Cop box (any old PC will do, just install IP Cop). On to the IP Cop box, load the IPCop CopFilter add-on module (which includes the DansGuardian proxy filter). Also lots of other modules for IP Cop.

[Edited on 13/7/09 by britishtrident]

iank

posted on 13/7/09 at 07:26 PM
I always like the proxy they had at a company I visited years ago. It displayed every gif/jpg on a monitor that was in the middle of the work area.
Made people think twice about their browsing, though you'd have to be careful if you let the general public in the building.

I agree with gottabedone it makes sense to have a clearly stated and unambiguous policy in place, and made part of people's T&Cs, if you are going to enforce it fairly. Make it clear what counts as gross misconduct if you are going to wield the big stick.

[Edited on 13/7/09 by iank]





--
Never argue with an idiot. They drag you down to their level, then beat you with experience.
Anonymous


All content © 2001-16 LocostBuilders. Reproduction prohibited