On Thursday 06 November 2003 6:59 pm, Tom Lahti wrote:
> At 10:34 AM 11/6/2003, Adam Aube wrote:
> > >>> Has anyone configured squid as a logging only server? I
> > >>> just want to monitor Internet access without caching or
> > >>> forwarding of traffic.
> > >>
> > >> See the FAQ
> > >
> > > Actually, the answer is no, you can't have squid log without
> > > at least proxying (forwarding) your web traffic.
> >
> >Correct. I just guessed that the OP simply mis-phrased the question.
> >
> >After all, if they don't plan to have Squid process their traffic, why
> >would they even bother installing it?
>
> To log outbound web traffic -- what web sites/pages their users are
> visiting. You might be able to do something with "iptables -p tcp --dport
> 80 -j LOG" and then write a perl script to do DNS lookups, but that doesn't
> give you the URL.
>
> You could use "tcpdump -x port 80" on an edge router and store the output,
> then scan it for HTTP headers with a perl script. But that would consume
> huge amounts of I/O time and disk space.
>
> Probably a layer 7 switch/router can do this. Someone could write a
> program that uses promiscuous mode to do it also.
As you say, iptables will not give you URLs, only server IPs, and with
multi-site hosting being so common these days (not to mention that the
specific page on the site is probably at least as interesting as the name of
the site), this probably isn't very useful.
Tcpdump will give you what you want in a very raw form; I think tethereal
(the text version of the excellent ethereal packet sniffer / protocol
analyser) would be a more comfortable place to start.
As for writing a program to use promiscuous mode, I wouldn't be surprised if
such already exists, possibly amongst Dug Song's varied collection of
"security tools" (do a Google for dsniff and you'll see what I mean).
Regards,
Antony.
-- It wasn't a sight to be seen on an empty stomach, although it could probably cause one. - Terry Pratchett, Soul Music Please reply to the list; please don't CC me.Received on Thu Nov 06 2003 - 12:08:44 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:10 MST