View Full Version : Internet monitoring




philstone
Mar 2, 2013, 08:33 AM
Hi,
I have a client who wants to monitor the sites employees visit and the time spent on each site. The current setup is an OS X server with an AirPort Extreme and a mix of wired and wireless Mac clients. Has anyone done this before, and what's the best approach?

Thanks



switon
Mar 2, 2013, 04:10 PM
Hi philstone,

There are many Internet monitoring tools available, especially for Windows, with not as many for the Mac OS X. So it really depends upon exactly what your clients want to monitor. Of course, depending upon local laws, your clients may be required to alert their employees to the fact that they are monitoring their Internet traffic.

In terms of tools, for instance, if your clients only want to monitor what is being downloaded, then the following command provides a complete history from the "beginning of time" of everything ever downloaded from the Internet by an individual, even if the files have been subsequently deleted (say to check for security holes or malware):
sqlite3 /Users/<username>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
but this, of course, requires either access to the <username>'s account or root access to the machine.

On the other hand, if your clients want to "sniff" everything on their networks, then the "gold standard" packet capture tool is the "wireshark" program that will capture wired, wireless, USB, Bluetooth, Token Ring, really any network type and virtually every protocol of packets being transmitted over the network. This program can thus be used to hunt for "hackers" that have surreptitiously gained access to the network as well as sniff all packets from any computer, phone, iPad, etc. going to and from the Internet. This tool also allows for "offline" analysis, so the packets are captured and stored for later analysis. This is a very powerful tool for determining exactly what is happening on your network, including any problems that might be occurring on the network. Most find it quite useful, but there is an activation barrier that must be surmounted in order to use it. The "wireshark" program is available free for the Mac OS through MacPorts and Fink.

So, in a nutshell, I recommend finding out precisely what information and for what purposes your clients want to monitor network traffic. Then search the web for applications that satisfy those needs. Some apps will monitor web traffic only and produce reports on website access. Other apps, such as wireshark, will capture every network packet, filter them for what you need, and then generate output and reports (XML, txt, PS, CSV) for subsequent analysis.

Good luck,
Switon
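
The quarantine-database query from switon's post, extended as an added example (not part of the original thread): this Python sketch also reads the LSQuarantineTimeStamp and LSQuarantineAgentName columns, which are not in the post's command and are assumed to be present in the LSQuarantineEvent table, and converts the timestamp from Mac absolute time. It runs against a constructed in-memory database with made-up rows, so it works offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

QUERY = """SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString
FROM LSQuarantineEvent WHERE LSQuarantineDataURLString IS NOT NULL
ORDER BY LSQuarantineTimeStamp"""

def download_history(conn):
    """Return (UTC datetime or None, agent, host, url) per recorded download."""
    rows = []
    for ts, agent, url in conn.execute(QUERY):
        when = MAC_EPOCH + timedelta(seconds=ts) if ts is not None else None
        rows.append((when, agent, urlsplit(url).hostname or "", url))
    return rows

def downloads_per_host(rows):
    """Count downloads per source host, most frequent first."""
    counts = {}
    for _, _, host, _ in rows:
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def build_sample_db():
    """Constructed stand-in for the quarantine database (all rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LSQuarantineEvent ("
                 "LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL, "
                 "LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT)")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)", [
        ("A1", 383905980.0, "Safari", "https://downloads.example.com/tool.dmg"),
        ("A2", 383992380.0, "Safari", "https://downloads.example.com/update.pkg"),
        ("A3", 384000000.0, "Mail", None),  # events without a URL are skipped
        ("A4", 384078780.0, "Google Chrome", "http://files.example.org/report.zip"),
    ])
    return conn

if __name__ == "__main__":
    # For a real file, use sqlite3.connect("file:<path>?mode=ro", uri=True)
    # so the database is opened read-only.
    for when, agent, host, url in download_history(build_sample_db()):
        print(when.isoformat() if when else "-", agent, host, url)
```

This reports downloads only; it does not measure browsing time per site.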

assembled
Mar 3, 2013, 10:21 PM
Security Onion running on a PC with a lot of disk attached is possibly worth looking at.

Otherwise you're into the territory of Websense et al., all of which require Windows servers to run on.

philstone
Mar 4, 2013, 05:48 AM
Thanks. The legal aspects are all covered.

We want to see how long people are spending on specific websites - Facebook etc.