LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   monitoring internet access (IP logs) of computer on my LAN (https://www.linuxquestions.org/questions/linux-software-2/monitoring-internet-access-ip-logs-of-computer-on-my-lan-761906/)

H_TeXMeX_H 10-14-2009 02:45 PM

monitoring internet access (IP logs) of computer on my LAN
 
I need to monitor everything that is being done, especially internet-wise on a computer on my LAN. I'm not exactly sure what the best solution is.

I mean I specifically want to know what sites are surfed, or at least what IPs are accessed by the computer on my LAN, and actually it would be fine if it just monitored all traffic from my LAN to the internet, that would also work. A keylogger would also work, but maybe as a last resort, because I've tried them before and they all seem to suck, and again it is internet traffic that is the important part.

So far I've tried packet sniffers like ethereal, but these would require that I install it on said computer, and the question is this: How would I make sure the user does not simply modify the logs or kill the program? Also, it would be nice if the program e-mailed the logs to me once in a while, so I don't have to go get them myself. Again, I have root access to this machine, it is my computer, but the user also has root access. Maybe I should just restrict root access to the user, but this causes other problems, then I'd need to set up sudo properly or something, and where would I keep the log so it is safe, and make sure the program runs and cannot be killed, etc.

I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this applies to my network.

The easiest solution would probably be the best one here, so nothing too complicated please.

I've also checked my router, and it has a log function, but it only logs system errors for itself, not IPs, so it's useless I guess.

anomie 10-14-2009 03:39 PM

So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?

wfh 10-14-2009 03:45 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 3719306)
I need to monitor everything...Maybe I should just restrict root access to the user, but this causes other problems, then I'd need to setup sudo properly or something

*Everything* is asking a lot. You can't effectively monitor logs for every action a user takes. If the user has root access, you can't be sure of anything. If you restrict access and set him/her up in sudoers, then you can regulate the kinds of things they can do and the security logs will show what those things are. Set the sticky bit on .bash_history, too.

Quote:

Originally Posted by H_TeXMeX_H (Post 3719306)
I've heard that ethereal can actually sniff packets for all computers on a switched network, but I'm not sure if this applies to my network.

All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"

wfh 10-14-2009 03:54 PM

One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.

chrism01 10-14-2009 07:40 PM

If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.

Elv13 10-14-2009 07:47 PM

Solution 1:
A hardware gateway. Some free OSes exist for that, like ipcop, smoothwall, astaro (free for small networks), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website URL. PFsense also has a display mode, if you connect a screen to it, showing every active connection (source and destination IP).

Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing through the hub no matter where they come from or where they go; you will just see everything.

Solution 3:
Using a bash/DOS script on the client collecting information and sending it; it is quite a trivial script to do.

H_TeXMeX_H 10-15-2009 01:56 PM

Thanks for the responses so far.

Quote:

Originally Posted by anomie (Post 3719369)
So if you had a list of hostnames or IP addresses visited over http/s by a single client on your LAN, that would solve your problem?

Yes, I think that would solve it.

Quote:

Originally Posted by wfh (Post 3719382)
One more thing, if they have physical access to a machine, they "own it". Boot from CD, boot from USB, etc. Is this business or personal? If business, you can build a case for violation of terms of use/policy.

Both I and them have physical access to the machine, and it is for personal use, not business. In fact, I bought the machine, so it's technically mine in any case.

Quote:

Originally Posted by wfh (Post 3719374)
All traffic can be monitored by tcpdump or ethereal. Ask yourself, "How many hours a day do I want to review logs?"

You know that's a very good point, I guess I'll need to write a script to parse the log for info I might need. It's true that I'm not going to read thousands of lines of IP logs. Yet another problem to solve.

Quote:

Originally Posted by Elv13 (Post 3719579)
Solution 1:
A hardware gateway. Some free OSes exist for that, like ipcop, smoothwall, astaro (free for small networks), pfsense (my own choice), endian and engarde. The "netstat" command can list every connection with the website URL. PFsense also has a display mode, if you connect a screen to it, showing every active connection (source and destination IP).

Solution 2:
A hub with a computer connected to it and a packet sniffer. You will see all packets passing through the hub no matter where they come from or where they go; you will just see everything.

Solution 3:
Using a bash/DOS script on the client collecting information and sending it; it is quite a trivial script to do.

All very useful info, thank you. I didn't know netstat listed that. I might just use solution #3. Any recommendation on the best program to use for such a script ... netstat? Or is there a better solution? I'm quite competent at scripting so I can probably handle that, but I still need a good program that collects the data I need.

wfh 10-15-2009 08:27 PM

Quote:

Originally Posted by chrism01 (Post 3719571)
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.
Don't give the user a login to that system.

I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.

I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.

Is that a possibility? Is this a loose cannon about to fall through your deck?

Elv13 10-16-2009 12:53 AM

@H_TeXMeX_H: yes, use netstat if you want to go that way. Other tools exist, but netstat is installed by default and will do the job just fine.

Code:

netstat --inet -avW --program
is probably the command you are looking for. But a warning: as with all other solutions, the connection time may be quite small, and if the script does not run during this tiny timeframe it will miss the connection, so every solution except squid will miss many websites.
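
The sampling approach Elv13 describes, written out as an added example (not code from the thread): a script that runs netstat at an interval and appends the remote endpoints of established TCP connections to a dated log. The log directory and interval are assumed values; the parsing is kept in its own function and checked against a constructed netstat listing, so it can be exercised without netstat installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): sample active connections with
# netstat at an interval and append the set of remote endpoints seen to
# a dated log. Parsing is separated from sampling so it can be tested on
# a constructed netstat listing.
set -u

LOG_DIR="${LOG_DIR:-/var/log/lan-monitor}"   # assumed location
INTERVAL="${INTERVAL:-30}"                   # assumed seconds between samples

# Read `netstat --inet -anW` output on stdin and print one line per
# remote endpoint (ip:port) of an established TCP connection, sorted and
# de-duplicated. Listening sockets, wildcard peers and other states
# (TIME_WAIT etc.) are skipped.
extract_remote_hosts() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 !~ /^(0\.0\.0\.0|\*):/ { print $5 }' \
        | LC_ALL=C sort -u
}

# One sampling pass: timestamp each remote endpoint and append it to today's log.
sample_once() {
    local stamp
    stamp="$(date '+%Y-%m-%d %H:%M:%S')"
    mkdir -p "$LOG_DIR"
    netstat --inet -anW 2>/dev/null \
        | extract_remote_hosts \
        | while read -r peer; do
              printf '%s %s\n' "$stamp" "$peer"
          done >> "$LOG_DIR/connections-$(date '+%Y-%m-%d').log"
}

# Constructed netstat listing (not captured from a real host) used for the self-check.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:44312      93.184.216.34:80        ESTABLISHED
tcp        0      0 192.168.1.20:44318      93.184.216.34:80        ESTABLISHED
tcp        0      0 192.168.1.20:51002      198.51.100.7:443        ESTABLISHED
tcp        0      0 192.168.1.20:51010      198.51.100.7:443        TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Run the sampling loop only when explicitly asked for (e.g. from cron or a service).
if [ "${1:-}" = "--sample" ]; then
    while :; do sample_once; sleep "$INTERVAL"; done
fi
```

Short-lived connections that open and close between two samples are still missed, exactly as the post above warns; a proxy log catches those.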

H_TeXMeX_H 10-16-2009 04:12 AM

Quote:

Originally Posted by wfh (Post 3721024)
I think chrism01's suggestion could potentially be the most elegant solution. A proxy would give you much more control over traffic, and your logging would be much simpler.

I used to work in an R&D lab where they tried, in vain, to clamp down on all sorts of traffic. Of course, that just led to tunneling and remote login to other hosts to get around the restrictions. In the end, management reached a place where they accepted that they were herding cats and we honored a gentleman's agreement not to abuse access.

Is that a possibility? Is this a loose cannon about to fall through your deck?

Hmm, so this would mean that I would need to set up squid on one of my computers and keep it running for all the time I need it to be monitoring, right? I'm not sure I can do that, the power goes out here a lot.

Maybe I'll try the script solution at certain intervals. Maybe I don't need all the internet traffic, I just want to sample it here and there, that might be good enough.

salasi 10-16-2009 05:39 AM

Quote:

Originally Posted by chrism01 (Post 3719571)
If you have a gateway machine different to the wkstn in question, you could add SQUID, no restrictions (initially), just logging.

I like the squid solution, but I have to point out that it might not do what you need, in a couple of respects:
  • depending on your network arch, a 'clever' user may be able to divert packets around the squid box, if they want to
  • squid will tell you which sites (and even which pages on which sites) have been accessed from your network. That doesn't, at least by default, tell you which machine, or more particularly which user, has been doing the accessing
If those aren't problems to you (and you haven't really explained the background...I can see there might be reasons that you don't want to do that), go with squid!

Otherwise, I think my next idea would be to look at wireshark and its ability to filter packets. All of what wireshark does is primarily by ip addresses rather than by URL, so you'd have to manually convert suspect URLs to suspect IPs, but if the number of suspect URLs is small, this shouldn't be a problem...until the association between URLs and IPs is changed (so, if this is a long term problem, you might have to keep re-mapping that association).
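
An added example (not from the thread) for the "script to parse the log" plan and salasi's point about which machine did the accessing: Squid's native access.log records the client address in field 3 and the URL in field 7, so a short awk pipeline can produce per-client site counts. The log lines are constructed, not taken from a real proxy.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise a Squid access.log in
# native log format as "client site hits", so who on the LAN reached
# which hosts can be read at a glance.
set -u

# Read native-format access.log lines on stdin and print
# "<client-ip> <site> <hits>", sorted by client, then hits descending.
# Field 3 is the client address, field 7 the URL (host:port for CONNECT).
summarise_squid_log() {
    awk '
        NF >= 7 {
            url = $7
            sub(/^[a-z]+:\/\//, "", url)     # drop the scheme, if any
            sub(/\/.*$/, "", url)            # keep host[:port] only
            sub(/:[0-9]+$/, "", url)         # drop the port
            if (url != "") hits[$3 " " url]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2
}

# Constructed sample in Squid native format (timestamp, elapsed ms,
# client, result/status, bytes, method, URL, ident, hierarchy, type).
SAMPLE_ACCESS_LOG='1255625000.123 245 192.168.1.20 TCP_MISS/200 3452 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1255625003.411 120 192.168.1.20 TCP_HIT/200 1205 GET http://www.example.com/logo.png - NONE/- image/png
1255625010.002 980 192.168.1.20 TCP_MISS/200 0 CONNECT mail.example.net:443 - DIRECT/198.51.100.7 -
1255625012.550 300 192.168.1.31 TCP_MISS/200 8810 GET http://www.example.org/ - DIRECT/203.0.113.9 text/html
1255625015.770 0 192.168.1.31 TCP_DENIED/403 1500 GET http://www.example.org/admin - NONE/- text/html'

# Summarise a real log when a path is given, e.g. ./squid-summary.sh /var/log/squid/access.log
if [ $# -ge 1 ]; then
    summarise_squid_log < "$1"
fi
```

For CONNECT (https) requests only the host is visible, since the proxy never sees the encrypted path.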

H_TeXMeX_H 10-16-2009 05:52 AM

Well, for the background, let's just say this user is not to be trusted, and I have been given the task of monitoring the connection and making sure certain sites are not accessed. I know I could probably use programs to block these services and sites, but I know that there exist easy ways to bypass this (proxy). Besides, I don't actually have a list of sites to be banned.

H_TeXMeX_H 10-16-2009 08:59 AM

Ok, I think I've found the best solution to the problem, I'm marking this solved. Thanks to everyone for their help.

unSpawn 10-17-2009 08:47 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 3721693)
Ok, I think I've found the best solution to the problem

So what did you judge as the best solution?

H_TeXMeX_H 10-17-2009 09:14 AM

A script, either for network monitoring, or I recently found keylogging.
