Ask Slashdot: Best Way To Monitor Traffic?

First time accepted submitter Shalmendo writes "My client needs to monitor traffic on his LAN, particularly going out to the internet. This will include websites like Facebook, Myspace, and similar, including from mobile devices. So far, based on the network education I have, I've concluded that it might be best to get a tap (And some kind of recording system with wireshark, probably a mini-barebone), or replace the existing Linksys router with a custom built mini barebone system with linux routing software and appropriate storage capacity etc to record traffic internally. (either way it looks like I will need to put together a mini barebone system for some purpose) My client is trying to protect his family from scammers and other unsavory types, and isn't savvy in this matter, so i'm doing it for him. What I need is a way to record the traffic at a singular point, like modem/router areas, or similar, and a way to scrape out Facebook, Myspace, and other messages. It also appears that the client's family is using iPhones and some game called 'words' which has message capability. Is it possible to scrape messages out of that game's packets, or are they obfuscated? Can I write a script? What software would you recommend? Linux routing OS? Can we sniff packets and drop them on the internal hard drive? or would a tap be better? How do I analyze and sort the data afterwards? my client needs easily read evidence (Such as text or screenshots) he can use as proof in discussion with his family to try and intercede in any potentially harmful transactions. In other words, how can I Achieve this goal? I have basic and medium training in computer networking, so I can make my own cables and such, but I've never worked on this exact kind of project before, and thought it might be better to query slashdot instead of do my own research from scratch. After days of discussion with the client, it's not plausible to put monitoring software in the devices on the network (due to legal issues and a few other factors), so I concluded a network tap or other device would be the best way to capture and study what's going on."

"due to legal issues and a few other factors"

[Neil_Brown]

It obviously depends on the laws to which your client is subject but, if there are "legal issues" in putting monitoring tools on "devices on the network," you may also find that there are similar restrictions, or at least hurdles to clear, in operating an interception capability as part of the network...

If it is just a private house, for members of a family, as the summary seems to suggest, chances are these will be minimal. If it will end up monitoring the nanny, cook or whatever other staff your client might have, you might need to have more robust procedures in place. In either case, it's worth checking it out if any part of your contract says "system will comply with applicable law" or anything like that — or just for your own peace of mind.

In reply to alot of the posters

[Shalmendo]

I admit the scope of the project is overwhelming, and I've told my client that he's asking for an NSA quality project. I will direct him to this post and your replies to help him to better understand the nature of his requests. Also, it appears that my article was truncated before being posted, so some of the explanatory bits were cut off, although the core of the question is still there for the most part. And yes, this is an actual client, not myself. I already suspected what most of you were saying, and tried to tell him that, but computers are a big 'mystery box' to him, and I can't seem to nail stuff home on my own. (IF it was myself i would have all already solved this problem.) Also, I'm a little surprised at some of the hostility and non-seriousness i've seen here, but I suppose it is to be expected considering alot of the drama and arguing i've seen going on in other arguments. When I originally wrote the article, I did specify 'serious answers only please, I don't want to start an argument, but a bunch of random answers that are unrelated won't help me solve this problem' And to be more specific, it's a home network with a cable connection. (I obviously can't be too specific due to his need for anonymity to avoid 'alarming' his family to his clandestine monitoring intentions). He does reasonable cause for suspecting something is going on and just needs to have information available to aid him in making decisions about some unusual behavior. and yes, I know that you can't get 'screenshots' right off a client PC through a network, by screenshots i meant some kind of recreation of a visited website, or just text information in printable form off some kind of analyzer software. I really would like to solve this problem, but I agree it's an excessive project. He wants the moon without having to go there to get it, type of issue.

Re:Ahmadinejad?

[blackraven14250]

All taking an Ethics class showed me was that anything can be justified by one of the many lines of reasoning used to create ethical principles...

A few things which will help

[kimvette]

A few things:

Better firewalls, including even the lowly dd-wrt and the now-defunct Snapgear, support syslog so you can capture and create your own custom reports, and dd-wrt reports total bandwidth usage on a daily, monthly and and annual basis and will retain that info until you do a reset (or until it runs out of NVRAM). It can come in very handy if your ISP claims you hit your bandwidth cap.

Another thing you might want to try is IMFIREWALL/WFilter in monitoring mode to see which users are doing what on your network. What is required is to either put a port on your switch (connected to your gateway/firewall) in either promiscuous mode or a two-way mirror to the port that connects to the firewall.

http://www.imfirewall.us/WFilter.htm [imfirewall.us]

It will report the number of hits to instant messaging, streaming, social networking, porn, gambling, stock trading, and any other criteria you can think of configuring. You can also put it in filter mode so it will basically kill any requests that you disapprove of, but in monitoring mode you can create custom reports of who is doing what.

Other firewalls will include these features as integrated, but some vendors (Cisco, Sonicwall) won't sell you the complete feature set for a flat price; they nickle and dime you because it's more profitable, and when the unit dies, good luck transferring those purchases.

You might want to check out m0n0wall as well, and get a good syslog app so you can capture detailed logs and create your own detailed status reports.

Re:Who is this

[Shalmendo]

I'm afraid it's not a trolling, it's more like a really stupid client that I need to inform.

Apologies

[Shalmendo]

While I'm not a troll by any means, the level of hostility and such has led me to feel it would be a good idea to apologize to everyone for having wasted their time with a ridiculous inquiry. Trolling was never my intention, but it appears I may have done so unintentionally by asking to be informed by people that are experts of many fields, and intelligent and well educated, so you all have what apology I can offer. And I'm quite serious. I don't think I can really say anymore, so I'll leave it at that, link my client to this article, and let him judge for himself.

Re:a bird in hand

[foniksonik]

www.cloudmeter.com

SaaS packet sniffing with reporting.

Put a client on your network and then tinker to get the data you want.

The wheel has already been invented!

[s.petry]

Okay, you find it interesting. Look at any corporate Firewall and monitoring system and you have your answers. Hell I have an O'Reilly book from the very early 90s on TCP/IP security that covers all of the topics you need to know. The technology is nothing new, the only real variations are in how the logs are stored and parsed.