LinuxQuestions.org


benjithegreat98 12-25-2003 05:55 PM

Suggestions for network logging program
 
Hey.
I am running a Linux firewall and I was wondering if anybody knew of some good traffic logging software. Ok I am not really concerned about tracking the amount of traffic on the router, but if I go to google or linux.com then I want the router to log the full address and the time. If I can only log the IP addresses and the pages of that IP then that would be ok but I'd rather have it the other way.

One side note, I am doing this just for my own amusement. I'm not trying to spy on my family (I live alone) or anything devious like that. But truth be told, I'd like to implement something like this at work because we're having lots of trouble with this and I'm the one who gets to spend 2 hrs cleaning off infested Windows PCs. It would be nice for people to think they can't just browse anywhere anytime (It is a hospital.... I'm pretty sure they have better things to do than download games).

But anyhow, any suggestions anybody could give me would be mucho appreciato.

meks 12-25-2003 10:32 PM

hi

try ntop - you will love it.
it does the simple tasks you want to be done. and it does much more :)
there's nearly no configuration needed.

you can get ntop from www.ntop.org

Kahless 12-25-2003 10:41 PM

What version of Windows are your clients running? You might be able to prevent a lot of the issues by giving them guest accounts :p

benjithegreat98 12-26-2003 08:24 AM

Thanks, I'll check out ntop later on.

Most of our client PCs here are W2k. We have some software that needs admin privileges to work. Not all PCs need the software so we limit some PCs. This is one of those problems that goes in waves. We'll see a lot, then crack down on it. Then the problem subsides for a while. We have a firewall that has some logging capabilities; we just need to get people thinking we are going to start checking those daily again.

benjithegreat98 12-26-2003 11:43 AM

Ok. Ntop crapped out during the ./configure stage of install. I've looked online for a while on how to resolve this. Is there another program similar to the ntop that someone knows about?

meks 12-26-2003 12:00 PM

have you built the chart libs before configuring ntop?
you can read about building them in ntop/docs/BUILD-NTOP.txt:

in addition to the 2 points below, you may read point 1 as it lists what's needed to build ntop.
alternatively, try searching www.rpmfind.net for appropriate rpms - in this case, you don't have to configure/compile it yourself.

if you absolutely don't want to use ntop, maybe iptraf (homepage) can help out.

-----
2. Build chart libraries

- cd gdchart0.94c/
- ./configure
- cd gd-1.8.3/libpng-1.2.4
- cp scripts/makefile.[make your choice] Makefile
- make
- cd ../../zlib-1.1.4/
- ./configure
- make
- cd ..
- make

If you're using a gcc-powered system you can type
- cd gdchart0.94c/
- ./buildAll.sh

Note: It MAY be necessary for some of these packages on some systems
to do a "make install". If you get error messages concerning
missing libraries at run time, then try doing the make install
from the appropriate subdirectory.

3. Build ntop

- cd ntop
- ./configure
- make
- make install
---

Gates1026 12-26-2003 12:28 PM

If you want to log web usage, you might think about squid........you can turn off the caching function and just have it log all of your traffic. You then could block all outgoing web requests at the firewall unless it originates from the squid proxy server. From there have all of the Windows clients configure their browsers to use the squid proxy server.

This could have 2 advantages for you.

1.) It doesn't let out internet traffic (through the firewall) that doesn't go through the proxy server first.

2.) It makes sure they know that you are watching what they are doing by having them change the proxy settings. You can add passwords also I believe per user.

This is just a quick suggestion :) Hope this helps!
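Added example, not part of any post in this thread: a small Python parser for Squid's native access.log format, the log a proxy set up as suggested above would write. The log lines, client addresses and host names are constructed; the output shows that plain HTTP requests are recorded with the time and full URL, while HTTPS requests appear only as CONNECT host:port.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1072463040.123    210 192.168.1.10 TCP_MISS/200 5120 GET http://www.google.com/search?q=ntop - DIRECT/203.0.113.5 text/html
1072463101.456    340 192.168.1.10 TCP_MISS/200 20480 GET http://www.linux.com/articles/index.html - DIRECT/203.0.113.9 text/html
1072463160.789   1500 192.168.1.22 TCP_MISS/200 3900 CONNECT mail.example.org:443 - DIRECT/203.0.113.20 -
1072463200.000      5 192.168.1.22 TCP_DENIED/403 1400 GET http://games.example.com/setup.exe - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        # Squid writes UNIX epoch seconds with millisecond precision.
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except ValueError:
        return None
    action, _, status = fields[3].partition("/")
    return {"time": when, "client": fields[2], "action": action,
            "status": status, "method": fields[5], "url": fields[6]}

def visits_by_client(log_text):
    """Group (time, method, url, action) tuples per client IP."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            visits[rec["client"]].append(
                (rec["time"], rec["method"], rec["url"], rec["action"]))
    return dict(visits)

def denied_requests(log_text):
    """Requests the proxy refused (TCP_DENIED), useful for a daily review."""
    return [(c, t, u) for c, v in visits_by_client(log_text).items()
            for t, m, u, a in v if a == "TCP_DENIED"]

if __name__ == "__main__":
    for client, rows in visits_by_client(SAMPLE_LOG).items():
        for when, method, url, action in rows:
            print(f"{when:%Y-%m-%d %H:%M:%S}Z {client} {method} {url} [{action}]")
```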

stickman 12-26-2003 12:41 PM

Something like squid or privoxy would probably help quite a bit.

benjithegreat98 12-26-2003 01:05 PM

Thanks all!
I'll look into all these.

benjithegreat98 12-27-2003 05:40 PM

Ok. I've got ntop running on my home router. I went to my web interface to see if it logged where I went and it did. I don't think it gave the full address (the directory and page name that was visited) but that's ok for now. The problem I have is that it shows where I went for the last hour and that's it. I want more info than that. I'd like a week's worth of information and I'd like to have a few weeks' worth backed up so I could review last week's if possible. Is this possible w/ this program? I'm impressed w/ the info it has given thus far, but I need more.

Here is my command to start it:
/usr/local/bin/ntop -d -i eth1 -p HTTP=http,https -r 120 -w 10001 -W 0 -u xuser -P /var/spool/ntop -s

meks 12-27-2003 09:10 PM

Quote:

Originally posted by benjithegreat98
The problem I have is that it shows where I went for the last hour and that's it. I want more info than that.

ok...ahm...if ntop is running since one hour, then there is just information gathered the last hour.
if ntop captures one week, it will show all connections made during this week.

ntop is not able to tell you the future :)

benjithegreat98 12-29-2003 08:01 AM

No.....
Ntop runs for hours and only gives the last one hour worth of info.


All times are GMT -5.