network monitoring


weazle
10th February 2005, 08:20 PM
Does anyone know of any way of tracking what computers are accessing what websites, or anything like EtherApe where I can select what protocols are on the network and only show those? I'm having a problem with students downloading copyrighted material. I'm currently in the process of setting up a proxy server with DansGuardian (hopefully that will work), but I need to be able to monitor the network. Ethereal and EtherApe are the main tools I use right now, but does anyone have any suggestions on other open-source/freeware network monitoring tools that would help? It's been years since I really had to worry about network traffic.

awdac
10th February 2005, 08:37 PM
Sounds to me like you need something that monitors and reports. Have you thought about an IDS like Snort? It monitors packets, and you can get or write signatures to alert you to certain packets based on source/destination, content, or anything else. It also has a couple of GUI interfaces for reports, like ACID, a PHP/MySQL app that keeps track of your alerts and gives you a web interface to look at collated data. It would be a big-time solution, but it depends on how serious the problem is for you and how long-term you are looking. Snort's free and not all that difficult to set up if you're responsible for your own network. It would certainly be a powerful tool in defending your network (and liability), I would think.

taylor65
11th February 2005, 07:51 PM
Not sure if MRTG will do what you're looking for, but it might be worth a look.

Dog-One
12th February 2005, 05:18 PM
Something to think about...

There exist what are termed anonymous proxies (http://www.google.com/search?q=anonymous+proxy) on the Internet, some of which are encrypted SSH sessions, much like a VPN. If any of your students happen to be sly enough to use them, your problem has grown, or will grow, by an order of magnitude. To stop something like this, you will have to maintain some sort of blacklist database and use fairly complex packet inspection to take apart the encapsulated packets, all of it straight overhead that will degrade network performance.

It's a tough call. If you eliminate the obvious, you'll push a portion of the abusers towards tactics that are much harder to stop without adversely impacting the entire network. If I were in your shoes, I would probably just attempt to document the abuse without actually eliminating it. Take the information to the dean, tell him what you're up against, and let him decide the proper course of action. Advise him that going to the next level will have an impact on the network that goes beyond a simple inconvenience.

Good luck on the project.

Void Main
12th February 2005, 06:53 PM
Proxy servers (and/or firewalls) generate the raw data you are interested in. I would suggest setting up a transparent proxy and using those logs along with good firewall rules and logging; then you should have everything you need except reporting. Sarg would be one example of a reporting tool:

http://sarg.sf.net/sarg.php

I have used this for a few years. There are probably a lot more tools out there now, and writing your own reporting tools that parse logs isn't too tough.
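As an added example (not code from the thread or from Sarg), here is the kind of "write your own" report Void Main suggests, answering weazle's original question of which client accessed which sites from the proxy log, and adding the caveat from Dog-One's post: a CONNECT to a port other than 443 is a crude sign of a tunnel or anonymous proxy. It assumes Squid's native access.log format (timestamp, elapsed ms, client, action/code, bytes, method, URL, ...); the log lines, the 10 MiB "large download" threshold and the allowed tunnel port list are constructed assumptions for illustration.

```python
"""Per-client report from Squid native access.log lines (added example).

Squid native format, whitespace separated:
  time elapsed client action/code bytes method url ident hierarchy/from type
The log lines below are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: two ordinary fetches, one large download, one CONNECT
# tunnel to port 22, one legitimate HTTPS CONNECT, one denied request.
SAMPLE_LOG = """\
1108066800.123    234 10.0.3.17 TCP_MISS/200 48213 GET http://www.example.edu/syllabus.pdf - DIRECT/192.0.2.10 application/pdf
1108066801.456   8911 10.0.3.42 TCP_MISS/200 52428800 GET http://dl.example.net/movie.avi - DIRECT/192.0.2.20 video/x-msvideo
1108066802.001     12 10.0.3.17 TCP_HIT/200 1123 GET http://www.example.edu/logo.gif - NONE/- image/gif
1108066803.777 600042 10.0.3.42 TCP_TUNNEL/200 9340211 CONNECT proxy.example.org:22 - DIRECT/198.51.100.7 -
1108066804.002    310 10.0.3.99 TCP_MISS/200 2210 CONNECT mail.example.com:443 - DIRECT/198.51.100.9 -
1108066805.500     95 10.0.3.42 TCP_DENIED/403 1540 GET http://blocked.example.com/ - NONE/- text/html
"""

# Assumed policy: only port 443 is a "normal" destination for CONNECT.
ALLOWED_TUNNEL_PORTS = (443,)
LARGE_BYTES = 10 * 1024 * 1024  # assumed threshold for flagging a download


def parse_line(line):
    """Parse one native-format line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, elapsed, client, status, size, method, url = fields[:7]
    if method == "CONNECT":
        # CONNECT logs "host:port" rather than a full URL.
        host, sep, port = url.rpartition(":")
        if not sep or not port.isdigit():
            host, port = url, "443"
        port = int(port)
    else:
        parts = urlsplit(url)
        host = parts.hostname or url
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "time": float(ts), "elapsed_ms": int(elapsed), "client": client,
        "status": status, "bytes": int(size), "method": method,
        "host": host, "port": port,
    }


def report(log_text, allowed_tunnel_ports=ALLOWED_TUNNEL_PORTS,
           large_bytes=LARGE_BYTES):
    """Return (bytes per client per host, list of (kind, client, target))."""
    per_client = defaultdict(lambda: defaultdict(int))
    flags = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]][rec["host"]] += rec["bytes"]
        # Tunnel to a non-HTTPS port: the Dog-One caveat, as a log signal.
        if rec["method"] == "CONNECT" and rec["port"] not in allowed_tunnel_ports:
            flags.append(("tunnel", rec["client"], f"{rec['host']}:{rec['port']}"))
        if rec["bytes"] >= large_bytes:
            flags.append(("large", rec["client"], rec["host"]))
        if rec["status"].startswith("TCP_DENIED"):
            flags.append(("denied", rec["client"], rec["host"]))
    return {c: dict(h) for c, h in per_client.items()}, flags


if __name__ == "__main__":
    usage, alerts = report(SAMPLE_LOG)
    for client, hosts in sorted(usage.items()):
        for host, nbytes in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"{client:<12} {nbytes:>12} {host}")
    for kind, client, target in alerts:
        print(f"ALERT {kind:<7} {client} -> {target}")
```

Two limits worth keeping in mind. A tunnel that CONNECTs to port 443 is indistinguishable here from ordinary HTTPS, which is exactly the escalation Dog-One describes; and a student who bypasses the proxy altogether never appears in this log at all, which is why the firewall rules and logging Void Main mentions have to back it up.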