5/15 My boss wants me to track what websites a user visits. The user is
smart enough to delete their history every time they log out (tweakui?)
Any recommendations for UNIX/NT software to do this?
\_ You can use a network snooper but I question what will be
accomplished by tracking what websites your own workers visit.
\_ There could be the case of the person visiting inappropriate
sites. However, in this case, the person (a secretary) tells
everyone that she has way too much work to do, but all the other
secretaries say that she just surfs the web all day.
\_ When installing a network snooper, where do you put it? Doesn't
it depend on whether the user is connected to a switch or a hub?
\_ Yes, a snooper won't work on a switched LAN. An alternate soln.
if you don't want to use a caching proxy is to have your fw log
all outbound http and ftp requests and then translate that to
web sites. The problem with this is that you won't be able
to catch requests made to services like anonymizer.
\_ Set up a caching proxy (eg. squid) and run it in transparent
mode (your fw/router redirects port 80, 21, etc to the cache)
and turn on max logging. You need to use transparent mode so
that your users can't circumvent the cache and screw up your
information gathering.
Use perl to grok the cache's log files and generate a list of
urls (or sites) per ip. Now use the dhcp server's log files to
map IP to NIC and therefore to individual client systems and
users (I'm assuming that most of your clients are mac/win boxes
and have only one user). This should give you all the information
you need and more.
\_ Thanks! We have a cache (Symantec i-gear), but the user wasn't
using it. I'll investigate how to get our router (no firewall)
to forward requests.
\_ One possible way is to set up the dhcp server to specify
the cache as the default router for the mac in question.
Then you set up the cache to re-route all traffic (except
for http traffic, which it handles) to the real router.
\_ currently, we're still on static ip's/routes, but that's
something i'll look into
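The squid-plus-DHCP correlation suggested above, as an added example that is not part of the original thread (written in Python rather than the perl the poster mentions). It assumes squid's native access.log format and ISC dhcpd syslog lines, uses constructed sample data, and attributes each request to the NIC holding the IP at request time, so a re-leased address is not pinned on the wrong machine.

```python
import bisect
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample logs (not from the thread): squid native access.log and ISC
# dhcpd syslog lines. 192.168.1.23 is re-leased to another NIC at 10:30.
SQUID_LOG = """\
958384980.101 120 192.168.1.23 TCP_MISS/200 4512 GET http://news.example.com/a - DIRECT/192.0.2.10 text/html
958385100.500  98 192.168.1.23 TCP_HIT/200 2210 GET http://news.example.com/b - NONE/- text/html
958386900.000 140 192.168.1.23 TCP_MISS/200 9120 GET http://mail.example.org/ - DIRECT/192.0.2.11 text/html
958385200.000 900 192.168.1.99 TCP_MISS/200 3120 CONNECT secure.example.com:443 - DIRECT/192.0.2.12 -
"""
DHCP_LOG = """\
May 15 09:58:02 gw dhcpd: DHCPACK on 192.168.1.23 to 00:a0:c9:11:22:33 via eth0
May 15 10:30:00 gw dhcpd: DHCPACK on 192.168.1.23 to 00:10:4b:aa:bb:cc via eth0
"""
ACK = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhcpd(?:\[\d+\])?: DHCPACK on (\S+) to ([0-9a-f:]{17})")

def load_leases(text, year=2000):
    """Return {ip: [(epoch, mac)]}. Syslog has no year or zone; both are assumed (UTC)."""
    leases = defaultdict(list)
    for line in text.splitlines():
        m = ACK.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            leases[m.group(2)].append((when.replace(tzinfo=timezone.utc).timestamp(), m.group(3)))
    return leases

def owner(leases, ip, ts):
    """MAC holding `ip` at time `ts`: the latest DHCPACK at or before the request."""
    acks = sorted(leases.get(ip, []))
    i = bisect.bisect_right(acks, (ts, "\uffff"))
    return acks[i - 1][1] if i else "no-lease"  # static IP or lease predates the log

def sites_by_client(squid_text, leases):
    """Return {mac: {site: hits}} from squid native-format access.log lines."""
    report = defaultdict(lambda: defaultdict(int))
    for line in squid_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # truncated or non-native line
        ts, ip, method, url = float(f[0]), f[2], f[5], f[6]
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
        report[owner(leases, ip, ts)][host or "?"] += 1
    return report

if __name__ == "__main__":
    print({mac: dict(s) for mac, s in sites_by_client(SQUID_LOG, load_leases(DHCP_LOG)).items()})
```

Requests from statically addressed hosts land under "no-lease", so on a network without DHCP the report has to be keyed by IP instead.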
\_ If she is not smart enough to also clear the disk cache, you can go
to the cache directories and look at the content. E.g. on NT,
%USERPROFILE%\Temporary Internet Files\Content.IE5\ for IE and
%SystemDrive%\Program Files\Netscape\Users\%USERNAME%\Cache\ for
Netscape; for Unix, ~/.netscape/cache for Netscape. You might not
know which URLs she visited, but at least you can see the content
of the pages. Note that for IE some of the dirs and files are
marked hidden or system, so you have to do "dir /a" to see them.
However, I think the better solution is to just keep track of her
activity at the proxy server.
\_ Be careful of what you and your boss are doing. Unless it's
in your company policy, you shouldn't do this. Your coworkers
can sue the company for this tactic. If you're going to do this
you better adopt a policy for this and have everyone in the company
be aware of and agreeable to it.
\_ Double check with your company's specific policy, but at
most places the company owns the machine and all files on it
if it is a work machine, and the company is allowed to
access it whenever it wants.
\_ if your company is going to do that, make sure it's in the
policy. "Company owns everything" is too vague. A good
lawyer will defeat that. You cannot do it in a way that singles
out an individual or in any way shows bias.
\- if the person you are trying to track is stupid, you can
use dug song's software ... that will basically sniff the
net, extract the urls and feed them to a netscape you run
so you more or less can watch the secretary "over his/her
shoulder". however really you probably want timestamped
logs, in which case just get tcpdump the port 80 traffic.
getting the urls in addition to dst addr is a little more
work but pretty simple. BRO can do this. --psb