monitoring internet access (IP logs) of computer on my LAN
I need to monitor everything that is being done, especially internet-wise on a computer on my LAN. I'm not exactly sure what the best solution is.
I mean I specifically want to know what sites are surfed, or at least what IPs are accessed by the computer on my LAN, and actually it would be fine if it just monitored all traffic from my LAN to the internet, that would also work. A keylogger would also work, but maybe as a last resort, because I've tried them before and they all seem to suck, and again it is internet traffic that is the important part. So far I've tried packet sniffers like ethereal, but these would require that I install it on said computer, so the question is this: How would I make sure the user does not simply modify the logs or kill the program? Also, it would be nice if the program e-mailed the logs to me once in a while, so I don't have to go get them myself. Again, I have root access to this machine, it is my computer, but the user also has root access. Maybe I should just restrict root access to the user, but this causes other problems: then I'd need to set up sudo properly or something, and where would I keep the log so it is safe, and make sure the program runs and cannot be killed, etc. I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this applies to my network. The easiest solution would probably be the best one here, so nothing too complicated please. I've also checked my router, and it has a log function, but it only logs system errors for itself, not IPs, so it's useless I guess.
So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.
Solution 1:
A hardware gateway. Some free OSes exist for that, like ipcop, smoothwall, astaro (free for small networks), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website URL. pfSense also has a display mode, if you connect a screen to it, showing every active connection (source and destination IP).
Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing through the hub no matter where they come from or where they go; you will just see everything.
Solution 3:
Using a bash/DOS script on the client collecting information and sending it; it is quite a trivial script to do.
Thanks for the responses so far.
I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access. Is that a possibility? Is this a loose cannon about to fall through your deck?
@H_TeXMeX_H: yes, use netstat if you want to go that way. Other tools exist, but netstat is installed by default and will do the job just fine
Code:
netstat --inet -avW --program
Maybe I'll try the script solution at certain intervals. Maybe I don't need all the internet traffic, I just want to sample it here and there, that might be good enough.
Otherwise, I think my next idea would be to look at wireshark and its ability to filter packets. All of what wireshark does is primarily by IP addresses rather than by URL, so you'd have to manually convert suspect URLs to suspect IPs, but if the number of suspect URLs is small, this shouldn't be a problem...until the association between URLs and IPs is changed (so, if this is a long term problem, you might have to keep re-mapping that association).
Well, for the background, let's just say this user is not to be trusted, and I have been tasked with monitoring the connection and making sure certain sites are not accessed. I know I could probably use programs to block these services and sites, but I know that there exist easy ways to bypass this (proxy). Besides, I don't actually have a list of sites to be banned.
Ok, I think I've found the best solution to the problem, I'm marking this solved. Thanks to everyone for their help.
A script, either for network monitoring or, as I recently found, keylogging.