Ethereal Capture-Filter for web address filtering

Archived from groups: comp.dcom.lans.ethernet

Hello,

I guess this question must have been asked before but I haven't found
any answers. My boss has told me to find out which web addresses within
the company are surfed to when he is on holidays.

The network is handled by a W2K server. For the stations the server acts
as gateway, forwarding internet traffic to a router which is connected to
the DSL line. So all traffic passes through the server. I installed
Ethereal and played around a little bit. I already found out how to
filter all traffic on port 80. But of course this only returns the data
traffic between the two computers' IP addresses.

I guess I have to filter just the requests of the workstations to the
DNS server, haven't I? With this I could theoretically see which
addresses are to be resolved, am I right? How do I do this/which port do I
filter for name resolution?

Thanks and best regards,

Felix Eggbert, Germany
  1.

    Felix Eggbert <eggbert@phez.com> wrote:
    > Hello,

    > I guess this question must have been asked before but I haven't found
    > any answers. My boss has told me to find out which web addresses within
    > the company are surfed to when he is on holidays.

    > The network is handled by a W2K server. For the stations the server acts
    > as gateway, forwarding internet traffic to a router which is connected to
    > the DSL line. So all traffic passes through the server. I installed
    > Ethereal and played around a little bit. I already found out how to
    > filter all traffic on port 80. But of course this only returns the data
    > traffic between the two computers' IP addresses.

    > I guess I have to filter just the requests of the workstations to the
    > DNS server, haven't I? With this I could theoretically see which
    > addresses are to be resolved, am I right? How do I do this/which port do I
    > filter for name resolution?

    > Thanks and best regards,

    > Felix Eggbert, Germany

    Replace/install Squid and force the users to use it for surfing. Then
    logging will be as simple as extracting strings from the log.

    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
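Peter's route (force the stations through Squid, then read its log) worked through in Python, as an added example that is not from the thread or from the Squid project. It assumes Squid's default native access.log layout, ten whitespace-separated fields per request (timestamp, elapsed ms, client address, result/status, bytes, method, URL, user, hierarchy/peer, content type); a `logformat` directive in squid.conf would change that layout. The log lines are constructed for the example. Because later replies in this thread question whether recording which station made a request is lawful, the report counts requests per host only and adds a per-client breakdown just when asked for.

```python
"""Summarise visited web hosts from a Squid access.log.

Added example for this thread, not code from any poster or from the Squid
project. It reads Squid's default "native" access.log layout, one request per
line with ten whitespace-separated fields:
  timestamp elapsed_ms client result/status bytes method url user hierarchy/peer type
The log lines below are constructed for the example (RFC 5737 test addresses).
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1098187621.314    211 192.168.1.21 TCP_MISS/200 5418 GET http://www.example.com/news/ - DIRECT/192.0.2.10 text/html
1098187622.002     15 192.168.1.21 TCP_HIT/200 1232 GET http://www.example.com/icons/logo.gif - NONE/- image/gif
1098187650.771    980 192.168.1.34 TCP_MISS/200 77210 GET http://www.example.net:8080/files/setup.exe - DIRECT/198.51.100.7 application/octet-stream
1098187702.118    402 192.168.1.21 TCP_MISS/200 1870 CONNECT mail.example.net:443 - DIRECT/198.51.100.9 -
1098187730.500      3 192.168.1.50 TCP_DENIED/403 1700 GET http://www.example.org/ - NONE/- text/html
corrupt line that must be skipped rather than crash the report
"""


def host_of(method: str, url: str) -> Optional[str]:
    """Hostname of a logged request, without scheme, port or path.

    CONNECT (HTTPS through the proxy) logs only 'host:port', which urlsplit
    would misread as scheme:path, so it is handled separately.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower() or None
    return urlsplit(url).hostname


def parse_native_line(line: str) -> Optional[dict]:
    """One native-format line -> dict, or None if the line is not well formed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        stamp = float(fields[0])
    except ValueError:
        return None
    method, url = fields[5], fields[6]
    host = host_of(method, url)
    if host is None:
        return None
    return {"time": stamp, "client": fields[2], "result": fields[3],
            "method": method, "url": url, "host": host}


def summarise(lines: Iterable[str], per_client: bool = False) -> dict:
    """Count requests per host; a per-client breakdown only when explicitly asked.

    Recording which hosts were visited without recording which station asked is
    the less intrusive variant discussed in the thread, so it is the default.
    """
    hosts: Counter = Counter()
    denied: Counter = Counter()
    by_client: Dict[str, Counter] = defaultdict(Counter)
    skipped = 0
    for line in lines:
        rec = parse_native_line(line)
        if rec is None:
            skipped += 1
            continue
        hosts[rec["host"]] += 1
        if rec["result"].startswith("TCP_DENIED"):
            denied[rec["host"]] += 1
        if per_client:
            by_client[rec["client"]][rec["host"]] += 1
    return {"hosts": hosts, "denied": denied, "by_client": dict(by_client), "skipped": skipped}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for host, n in report["hosts"].most_common():
        print(f"{n:5d}  {host}")
    print(f"{report['skipped']} unparseable line(s) skipped")
```

Run against a real file with `summarise(open("/var/log/squid/access.log"))`; the CONNECT case matters because HTTPS sites show up in the log only as host:port, with no path.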
  2.

    Hello,
    I hope you're aware of the fact that the task given is probably illegal
    in Germany.
    I don't know the size and internal organisation of your company, but you
    most probably need a written consent from every user in your network to
    be able to do it without legal harm. This of course depends on the size
    and form of contract...
    General rule: If nothing is written that you CAN spy on traffic, you're not
    allowed to.

    Anyway, to answer your question,
    Felix Eggbert wrote:


    > The network is handled by a W2K server. For the stations the server acts
    > as gateway, forwarding internet traffic to a router which is connected to
    > the DSL line. So all traffic passes through the server. I installed
    > Ethereal and played around a little bit. I already found out how to
    > filter all traffic on port 80. But of course this only returns the data
    > traffic between the two computers' IP addresses.
    >
    > I guess I have to filter just the requests of the workstations to the
    > DNS server, haven't I? With this I could theoretically see which
    > addresses are to be resolved, am I right? How do I do this/which port do I
    > filter for name resolution?
    >
    The port is 53, either UDP (mostly used) or TCP (not very often).
    But, since your W2K acts as a proxy, why don't you just use the
    log facility on this machine?


    Mathias
    --
    CCIE #11220
    Everything written is MY opinion only, not the one of my company or
    employer unless otherwise noted

    The early bird gets the worm, but the second mouse gets the cheese

    My signature is certified by Fraunhofer Society.
    The root-ca IS trusted but the browser-manufacturers want big $ to have
    it included
  3.

    In article <2u4en4F25v804U1@uni-berlin.de>,
    Felix Eggbert <eggbert@phez.com> wrote:
    :I guess I have to filter just the requests of the workstations to the
    :DNS server, haven't I? With this I could theoretically see which
    :addresses are to be resolved, am I right? How do I do this/which port do I
    :filter for name resolution?

    UDP and TCP port 53. Usually UDP with a fallback to TCP when
    the answer is large (> 512 bytes), but going directly to TCP is valid as
    well.

    :My boss has told me to find out which web addresses within
    :the company are surfed to when he is on holidays.

    I must echo the previous poster who warned that what you have been
    asked to do might be illegal in Germany.

    The legality here (Canada) would depend in part on whether by
    'web addresses' you mean the URLs, or just the hostnames.
    For example, do you want to record just 'aol.de', or do you want to record
    'http://aol.de/~eggbert/kundst/pamela_anderson/pla_nude78.jpg' ?

    --
    Inevitably, someone will flame me about this .signature.
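Replies 2 and 3 put the filter on port 53: `port 53` (or `udp port 53 or tcp port 53`) as the Ethereal capture filter and `dns` as the display filter picks up the lookups, and the names themselves sit in the question section of each query. The following Python is an added example, not code from anyone in this thread, that decodes that question section from captured payloads in both forms the replies mention: the UDP datagram, and the length-prefixed TCP stream a client falls back to after a truncated (TC=1) answer. It also follows name-compression pointers and rejects pointer loops, which a naive decoder spins on. All packets are constructed inline. Two caveats a practitioner would want alongside it: DNS shows every name a machine resolved (mail, software updates, prefetching), not only sites that were browsed, and a plain HTTP request on port 80 already carries the requested host and path in its request line and Host header, so a port 80 capture is not limited to IP addresses.

```python
"""Pull queried names out of captured DNS traffic (UDP and TCP port 53).

Added example for this thread, not code posted by anyone in it. Input is the raw
DNS payload as Ethereal/tcpdump would hand it over: a UDP datagram payload, or the
reassembled TCP stream on port 53, where each message has a 2-byte length prefix.
Only the question section is decoded. All packets below are constructed by hand.
"""
import struct
from typing import Iterable, List, Tuple


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100) with one question, class IN."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode the name at `offset`, following RFC 1035 compression pointers.

    Returns (dotted name, offset just past the name as written at `offset`).
    A pointer loop in a hostile packet raises instead of spinning forever.
    """
    labels: List[str] = []
    resume = None            # where the caller continues once a pointer was followed
    seen = set()
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer, 14-bit target
            if offset in seen:
                raise ValueError("compression pointer loop")
            seen.add(offset)
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels) or ".", (resume if resume is not None else offset)


def parse_dns_message(msg: bytes) -> dict:
    """Header flags plus the question section of one DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header needs 12 bytes")
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "questions": questions}


def split_tcp_dns_stream(stream: bytes) -> List[bytes]:
    """DNS over TCP: each message is preceded by a 2-byte big-endian length."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("TCP stream ends in the middle of a DNS message")
        messages.append(stream[pos:pos + length])
        pos += length
    return messages


def queried_names(udp_payloads: Iterable[bytes], tcp_streams: Iterable[bytes]) -> List[str]:
    """Names asked for in client queries; responses are skipped so nothing is counted twice."""
    messages = list(udp_payloads)
    for stream in tcp_streams:
        messages.extend(split_tcp_dns_stream(stream))
    names = []
    for msg in messages:
        parsed = parse_dns_message(msg)
        if not parsed["is_response"]:
            names.extend(q[0] for q in parsed["questions"])
    return names


# Constructed capture: a UDP lookup whose answer exceeded 512 bytes (TC=1), so the
# client repeats it over TCP; a second query (MX) shares the same TCP stream.
QUERY_UDP = build_query(0x1234, "www.example.com")
TRUNCATED_REPLY_UDP = (struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, 0)   # QR RD RA TC set
                       + encode_name("www.example.com") + struct.pack("!HH", 1, 1))
MX_QUERY = build_query(0x5678, "mail.example.org", qtype=15)
TCP_STREAM = b"".join(struct.pack("!H", len(m)) + m for m in (QUERY_UDP, MX_QUERY))

if __name__ == "__main__":
    print(queried_names([QUERY_UDP, TRUNCATED_REPLY_UDP], [TCP_STREAM]))
```

Feeding it a real capture means stripping the Ethernet/IP/UDP headers first (or exporting the DNS payload from Ethereal); the decoder deliberately ignores answer records, since the question alone tells you what was looked up, and skipping responses keeps each lookup from being counted once as a query and again in the echoed question of its reply.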
  4.

    "Felix Eggbert" <eggbert@phez.com> wrote in message
    news:2u4en4F25v804U1@uni-berlin.de...
    > Hello,
    >
    > I guess this question must have been asked before but I haven't found
    > any answers. My boss has told me to find out which web addresses within
    > the company are surfed to when he is on holidays.

    The UK follows some of the European laws about privacy (but isn't anywhere
    near as strict as Germany).

    You need your users to understand that they may be monitored, or the company
    (and you specifically) are breaking the law.

    I suggest you check this before doing anything, since even if the company
    doesn't do anything with the information you collect you may still be
    violating some sort of privacy or data protection laws.
    >
    > The network is handled by a W2K server. For the stations the server acts
    > as gateway, forwarding internet traffic to a router which is connected to
    > the DSL line. So all traffic passes through the server. I installed
    > Ethereal and played around a little bit. I already found out how to
    > filter all traffic on port 80. But of course this only returns the data
    > traffic between the two computers' IP addresses.

    The usual way to intercept URLs is to use an explicit or a transparent web
    proxy.

    Some SOHO and larger firewalls will keep a list of accessed web sites for
    you - you may find your existing firewall can have logging set up for what
    you want.

    There is a "standard" technique used to hand off URLs from a router for
    checking / logging called WCCP - this is often used for caching, but can also
    drive URL checking software such as Websense.

    It may make more sense to build this into your network perimeter and let
    commercial tools do the complex data collection rather than rolling your
    own.
    >
    > I guess I have to filter just the requests of the workstations to the
    > DNS server, haven't I? With this I could theoretically see which
    > addresses are to be resolved, am I right? How do I do this/which port do I
    > filter for name resolution?
    >
    > Thanks and best regards,
    >
    > Felix Eggbert, Germany
    --
    Regards

    Stephen Hope - return address needs fewer xxs
  5.

    Mathias Gaertner schrieb:
    > Hello,
    > I hope you're aware of the fact that the task given is probably illegal
    > in Germany.
    > I don't know the size and internal organisation of your company, but you
    > most probably need a written consent from every user in your network to
    > be able to do it without legal harm. This of course depends on the size
    > and form of contract...
    > General rule: If nothing is written that you CAN spy on traffic, you're not
    > allowed to.
    >
    > Anyway, to answer your question,
    > Felix Eggbert wrote:
    >
    >
    >> The network is handled by a W2K server. For the stations the server
    >> acts as gateway, forwarding internet traffic to a router which is
    >> connected to the DSL line. So all traffic passes through the server.
    >> I installed Ethereal and played around a little bit. I already found
    >> out how to filter all traffic on port 80. But of course this only
    >> returns the data traffic between the two computers' IP addresses.
    >>
    >> I guess I have to filter just the requests of the workstations to the
    >> DNS server, haven't I? With this I could theoretically see which
    >> addresses are to be resolved, am I right? How do I do this/which port do
    >> I filter for name resolution?
    >>
    > The port is 53, either UDP (mostly used) or TCP (not very often).
    > But, since your W2K acts as a proxy, why don't you just use the
    > log facility on this machine?
    >
    >
    > Mathias
    Hello,

    Thanks for your answers. I know it is illegal to monitor employees
    WITHOUT their knowledge of the process. I think it is legal to do so if
    you announce this. I wonder if it is also illegal if you captured the
    requested web addresses but not the names of the stations the requests came from.
    Is it illegal to block certain websites within the company network?

    Best regards,

    Felix
  6.

    "Felix Eggbert" <eggbert@phez.com> wrote in message
    news:2u6esaF26f5isU1@uni-berlin.de...
    > Mathias Gaertner schrieb:
    > > Hello,
    > > I hope you're aware of the fact that the task given is probably illegal
    > > in Germany.
    > > I don't know the size and internal organisation of your company, but you
    > > most probably need a written consent from every user in your network to
    > > be able to do it without legal harm. This of course depends on the size
    > > and form of contract...
    > > General rule: If nothing is written that you CAN spy on traffic, you're not
    > > allowed to.
    > >
    > > Anyway, to answer your question,
    > > Felix Eggbert wrote:
    > >
    > >
    > >> The network is handled by a W2K server. For the stations the server
    > >> acts as gateway, forwarding internet traffic to a router which is
    > >> connected to the DSL line. So all traffic passes through the server.
    > >> I installed Ethereal and played around a little bit. I already found
    > >> out how to filter all traffic on port 80. But of course this only
    > >> returns the data traffic between the two computers' IP addresses.
    > >>
    > >> I guess I have to filter just the requests of the workstations to the
    > >> DNS server, haven't I? With this I could theoretically see which
    > >> addresses are to be resolved, am I right? How do I do this/which port do
    > >> I filter for name resolution?
    > >>
    > > The port is 53, either UDP (mostly used) or TCP (not very often).
    > > But, since your W2K acts as a proxy, why don't you just use the
    > > log facility on this machine?
    > >
    > >
    > > Mathias
    > Hello,
    >
    > Thanks for your answers. I know it is illegal to monitor employees
    > WITHOUT their knowledge of the process. I think it is legal to do so if
    > you announce this.

    These are really Qs for a lawyer.

    It is legal here if you explain what is going on - but you probably have to
    tell them what you might do with the info, and they may have to agree to it
    before it happens - your personnel people should be worrying about this side
    of it.

    > I wonder if it is also illegal if you captured the
    > requested web addresses but not the names of the stations the requests came from.

    I suspect it depends on why you want to trace it to a specific station - if
    someone may get identified by the info, then probably not.

    > Is it illegal to block certain websites within the company network?

    No - but the difficult bit is classifying all the different URLs - a
    reasonable size network may generate 100s of requests / hour.

    This is why people buy a service so they can concentrate on which kinds of
    web site they want to block rather than individual sites. Most of the
    commercial systems claim to classify 1,000,000s of sites.
    >
    > Best regards,
    >
    > Felix
    --
    Regards

    Stephen Hope - return address needs fewer xxs
  7.

    > Thanks for your answers. I know it is illegal to monitor employees
    > WITHOUT their knowledge of the process. I think it is legal to do so if
    > you announce this. ...

    This is not a universal statement world wide or even US wide. I don't
    even think it is generally true in the US. Where are you located?
  8.

    Felix Eggbert <eggbert@phez.com> wrote:
    > Thanks for your answers. I know it is illegal to monitor
    > employees WITHOUT their knowledge of the process. I think
    > it is legal to do so if you announce this.

    This is very dependent on country. Some allow monitoring even
    without consent. Others require consent. For Germany, you
    may find some interesting discussion in c't magazine.

    > I wonder if it is also illegal if you captured the requested
    > web addresses but not the names of the stations the requests came from.

    All monitoring must be justified by genuine business concerns.
    Bandwidth usage, virus activity, etc. Some monitoring is required.

    Snooping on employees and taking no action is unjustifiable.
    Pure invasion of privacy. Snooping for discipline then risks
    a full review. The employee may insist on seeing all records
    to verify that no-one undisciplined was worse or nearly as bad.

    > Is it illegal to block certain websites within the company network?

    I would expect this is usually legal. In the US, it is often
    considered negligent _not_ to block porn websites because they
    can create "an oppressive environment of sexual harassment".

    -- Robert