Ethereal Capture-Filter for web address filtering

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

Hello,

I guess this question must have been asked before but I haven't found
any answers. My boss has told me to find out which web addresses within
the company are surfed to when he is on holidays.

The network is handled by a w2k server. For the stations the server acts
as gateway whereby it is forwarding internet traffic to a router which
is connected to the dsl line. So all traffic passes the server. I
installed Ethereal and played around a little bit. I already found out
how to filter all traffic on port 80. But of course this only returns
the data traffic between the two computers' ip-addresses.

I guess I have to filter just the requests of the workstations to the
dns server, haven't I? With this I could theoretically see which
addresses are to be solved, am I right? How do I do this/which port do I
filter for name resolution?

Thanks and best regards,

Felix Eggbert, Germany
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

Felix Eggbert <eggbert@phez.com> wrote:
> Hello,

> I guess this question must have been asked before but I haven't found
> any answers. My boss has told me to find out which web addresses within
> the company are surfed to when he is on holidays.

> The network is handled by a w2k server. For the stations the server acts
> as gateway whereby it is forwarding internet traffic to a router which
> is connected to the dsl line. So every traffic passes the server. I
> installed Ethereal and played around a little bit. I already found out
> how to filter all traffic on port 80. But of course this only returns
> the data traffic between the two computers ip-addresses.

> I guess I have to filter just the requests of the workstations to the
> dns server, haven't I? With this I could theoretically see which
> addresses are to be solved, am I right? How do I do this/which port do I
> filter for name resolution?

> Thanks and best regards,

> Felix Eggbert, Germany

replace / install squid and have the users forced to use it for surfing. Then
logging will be as simple as extracting strings from the log.

--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
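The "extracting strings from the log" step above, as an added example that is not from any poster in this thread: it reads Squid's native access.log format (constructed sample lines, not real traffic) and aggregates requests per destination host while discarding the client address, and counts denied requests separately.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1098176432.123    245 192.168.1.17 TCP_MISS/200 5432 GET http://www.example.de/index.html - DIRECT/93.184.216.34 text/html
1098176433.010     12 192.168.1.17 TCP_HIT/200 1200 GET http://www.example.de/logo.gif - NONE/- image/gif
1098176440.551    830 192.168.1.23 TCP_MISS/200 0 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -
1098176441.004     40 192.168.1.23 TCP_DENIED/403 1630 GET http://blocked.example.org/ - NONE/- text/html
"""

def parse_squid_line(line):
    """Return (client, action, method, url) from one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[2], fields[3], fields[5], fields[6]

def target_host(method, url):
    """Hostname requested: CONNECT lines carry only host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def host_summary(log_text):
    """Aggregate requests per destination host; the client address is never stored.
    Returns (served, denied): two Counters keyed by hostname."""
    served, denied = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        _client, action, method, url = parsed
        host = target_host(method, url)
        if action.startswith("TCP_DENIED"):
            denied[host] += 1
        else:
            served[host] += 1
    return served, denied

if __name__ == "__main__":
    served, denied = host_summary(SAMPLE_LOG)
    for host, n in served.most_common():
        print(f"{n:4d}  {host}")
    for host, n in denied.most_common():
        print(f"{n:4d}  {host}  (denied)")
```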
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

Hello,
I hope you're aware of the fact that the task given is probably illegal
in Germany.
I don't know the size and internal organisation of your company, but you
most probably need a written consent from every user in your network to
be able to do it without legal harm. This of course depends on the size
and form of contract...
General rule: If nothing is written that you CAN spy traffic, you're not
allowed to.

Anyway, to answer your question,
Felix Eggbert wrote:


> The network is handled by a w2k server. For the stations the server acts
> as gateway whereby it is forwarding internet traffic to a router which
> is connected to the dsl line. So every traffic passes the server. I
> installed Ethereal and played around a little bit. I already found out
> how to filter all traffic on port 80. But of course this only returns
> the data traffic between the two computers ip-addresses.
>
> I guess I have to filter just the requests of the workstations to the
> dns server, haven't I? With this I could theoretically see which
> addresses are to be solved, am I right? How do I do this/which port do I
> filter for name resolution?
>
The port is 53, either udp (mostly used) or tcp (not very often).
But, since your W2K acts as a proxy, why don't you just use the
log-facility on this machine?


Mathias
--
CCIE #11220
Everything written is MY opinion only, not the one of my company or
employer unless otherwise noted

The early bird gets the worm, but the second mouse gets the cheese

My signature is certified by Fraunhofer Society.
The root-ca IS trusted but the browser-manufacturers want big $ to have
it included
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <2u4en4F25v804U1@uni-berlin.de>,
Felix Eggbert <eggbert@phez.com> wrote:
:I guess I have to filter just the requests of the workstations to the
:dns server, haven't I? With this I could theoretically see which
:addresses are to be solved, am I right? How do I do this/which port do I
:filter for name resolution?

UDP and TCP ports 53. Usually UDP with a fallback to TCP when
the answer is large (> 512 bytes), but going directly to TCP is valid as
well.

:My boss has told me to find out which web addresses within
:the company are surfed to when he is on holidays.

I must echo the previous poster who warned that what you have been
asked to do might be illegal in Germany.

The legality here (Canada) would depend in part on whether by
'web addresses' you mean the URL's, or just the hostnames.
For example, do you want to record just 'aol.de', or do you want to record
'http://aol.de/~eggbert/kundst/pamela_anderson/pla_nude78.jpg' ?

--
Inevitably, someone will flame me about this .signature.
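The port-53 answers above (Mathias's and this one) say which traffic to capture; what to do with the captured packets is shown here as an added example that is not from any poster. Assuming the UDP or TCP port-53 payloads have already been captured (Ethereal's capture filter for that is `port 53`), this parses the DNS header and question section, reads the truncation flag that signals the >512-byte TCP fallback, and follows name-compression pointers. The sample query is constructed, not a real capture.

```python
import struct

QR_FLAG = 0x8000   # set on responses, clear on queries
TC_FLAG = 0x0200   # "truncated": answer exceeded the 512-byte UDP limit, client retries over TCP

def parse_name(data, offset):
    """Decode a DNS name starting at offset; follows compression pointers (RFC 1035 4.1.4).
    Returns (dotted_name, offset_after_name)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                   # 2-byte pointer to an earlier name
            if end is None:
                end = offset + 2                    # reading resumes after the pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)

def dns_questions(payload):
    """Parse one DNS message (a UDP port-53 payload, or a TCP message with its 2-byte
    length prefix removed). Returns (is_response, truncated, [(qname, qtype), ...])."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return bool(flags & QR_FLAG), bool(flags & TC_FLAG), questions

def build_query(name, qtype=1, flags=0x0100, txid=0x1234):
    """Construct a minimal DNS message for the sample (flags 0x0100 = query with RD set)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    # Constructed sample: a workstation asking for the A record of www.example.de
    sample = build_query("www.example.de")
    print(dns_questions(sample))   # (False, False, [('www.example.de', 1)])
```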
Stephen

"Felix Eggbert" <eggbert@phez.com> wrote in message
news:2u4en4F25v804U1@uni-berlin.de...
> Hello,
>
> I guess this question must have been asked before but I haven't found
> any answers. My boss has told me to find out which web addresses within
> the company are surfed to when he is on holidays.

the UK follows some of the european laws about privacy (but isn't anywhere
near as strict as Germany).

you need your users to understand that they may be monitored, or the company
(and you specifically) are breaking the law.

I suggest you check this before doing anything, since even if the company
doesn't do anything with the information you collect you may still be
violating some sort of privacy or data protection laws.
>
> The network is handled by a w2k server. For the stations the server acts
> as gateway whereby it is forwarding internet traffic to a router which
> is connected to the dsl line. So every traffic passes the server. I
> installed Ethereal and played around a little bit. I already found out
> how to filter all traffic on port 80. But of course this only returns
> the data traffic between the two computers ip-addresses.

the usual way to intercept URLs is to use an explicit or a transparent web
proxy.

Some SOHO and larger firewalls will keep a list of accessed web sites for
you - you may find your existing firewall can have logging set up for what
you want.

there is a "standard" technique used to hand off URLs from a router for
checking / logging called WCCP - this is often used for caching, but can also
drive URL checking software such as Websense.

It may make more sense to build this into your network perimeter and let
commercial tools do the complex data collection rather than rolling your
own.
>
> I guess I have to filter just the requests of the workstations to the
> dns server, haven't I? With this I could theoretically see which
> addresses are to be solved, am I right? How do I do this/which port do I
> filter for name resolution?
>
> Thanks and best regards,
>
> Felix Eggbert, Germany
--
Regards

Stephen Hope - return address needs fewer xxs
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

Mathias Gaertner wrote:
> Hello,
> I hope you're aware of the fact that the task given is probably illegal
> in germany.
> I don't know the size and internal organisation of your company, but you
> most probably need a written consent from every user in your network to
> be able to do it without legal harm. This of course depends on the size
> and form of contract...
> General rule: If nothing is written that you CAN spy traffic, you're not
> allowed to.
>
> Anyway, to answer your question,
> Felix Eggbert wrote:
>
>
>> The network is handled by a w2k server. For the stations the server
>> acts as gateway whereby it is forwarding internet traffic to a router
>> which is connected to the dsl line. So every traffic passes the
>> server. I installed Ethereal and played around a little bit. I already
>> found out how to filter all traffic on port 80. But of course this
>> only returns the data traffic between the two computers ip-addresses.
>>
>> I guess I have to filter just the requests of the workstations to the
>> dns server, haven't I? With this I could theoretically see which
>> addresses are to be solved, am I right? How do I do this/which port do
>> I filter for name resolution?
>>
> The port is 53 in either udp (mostly used) and tcp (not very often).
> But, since your W2K acts as a proxy, why don't you just use the
> log-facility on this machine?
>
>
> Mathias
Hello,

Thanks for your answers. I know it is illegal monitoring employees
WITHOUT their knowledge of the process. I think it is legal to do so if
you announce this. I wonder if it also is illegal if you captured the
requested web addresses but not the stations names the request came from.
Is it illegal to block certain websites within the company network?

Best regards,

Felix
Stephen

"Felix Eggbert" <eggbert@phez.com> wrote in message
news:2u6esaF26f5isU1@uni-berlin.de...
> Mathias Gaertner wrote:
> > Hello,
> > I hope you're aware of the fact that the task given is probably illegal
> > in germany.
> > I don't know the size and internal organisation of your company, but you
> > most probably need a written consent from every user in your network to
> > be able to do it without legal harm. This of course depends on the size
> > and form of contract...
> > General rule: If nothing is written that you CAN spy traffic, you're not
> > allowed to.
> >
> > Anyway, to answer your question,
> > Felix Eggbert wrote:
> >
> >
> >> The network is handled by a w2k server. For the stations the server
> >> acts as gateway whereby it is forwarding internet traffic to a router
> >> which is connected to the dsl line. So every traffic passes the
> >> server. I installed Ethereal and played around a little bit. I already
> >> found out how to filter all traffic on port 80. But of course this
> >> only returns the data traffic between the two computers ip-addresses.
> >>
> >> I guess I have to filter just the requests of the workstations to the
> >> dns server, haven't I? With this I could theoretically see which
> >> addresses are to be solved, am I right? How do I do this/which port do
> >> I filter for name resolution?
> >>
> > The port is 53 in either udp (mostly used) and tcp (not very often).
> > But, since your W2K acts as a proxy, why don't you just use the
> > log-facility on this machine?
> >
> >
> > Mathias
> Hello,
>
> Thanks for your answers. I know it is illegal monitoring employees
> WITHOUT their knowledge of the process. I think it is legal to do so if
> you announce this.

these are really Qs for a lawyer

it is legal here if you explain what is going on - but you probably have to
tell them what you might do with the info, and they may have to agree to it
before it happens - your personnel people should be worrying about this side
of it.

> I wonder if it also is illegal if you captured the
> requested web addresses but not the stations names the request came from.

i suspect it depends on why you want to trace it to a specific station - if
someone may get identified by the info, then probably not

> Is it illegal to block certain websites within the company network?

No - but the difficult bit is classifying all the different URLs - a
reasonable size network may generate 100s of requests / hour.

This is why people buy a service so they can concentrate on which kinds of
web site they want to block rather than individual sites. Most of the
commercial systems claim to classify 1,000,000s of sites.
>
> Best regards,
>
> Felix
--
Regards

Stephen Hope - return address needs fewer xxs
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

> Thanks for your answers. I know it is illegal monitoring employees
> WITHOUT their knowledge of the process. I think it is legal to do so if
> you announce this. ...

This is not a universal statement world wide or even US wide. I don't
even think it is generally true in the US. Where are you located?
 
G

Guest

Guest
Archived from groups: comp.dcom.lans.ethernet (More info?)

Felix Eggbert <eggbert@phez.com> wrote:
> Thanks for your answers. I know it is illegal monitoring
> employees WITHOUT their knowledge of the process. I think
> it is legal to do so if you announce this.

This is very dependent on country. Some allow monitoring even
without consent. Others require consent. For Germany, you
may find some interesting discussion in c't magazine.

> I wonder if it also is illegal if you captured the requested
> web addresses but not the stations names the request came from.

All monitoring must be justified by genuine business concerns.
Bandwidth usage, virus activity, etc. Some monitoring is required.

Snooping on employees and taking no action is unjustifiable.
Pure invasion of privacy. Snooping for discipline then risks
a full review. The employee may insist on seeing all records
to verify that no-one undisciplined was worse or nearly as bad.

> Is it illegal to block certain websites within the company network?

I would expect this is usually legal. In the US, it is often
considered negligent _not_ to block porn websites because they
can create "an oppressive environment of sexual harassment".

-- Robert