Hi, I have a small home network which I will try to give as much info about as possible. I have 3 PCs connected to a Linksys WRT54GS router. Each computer is assigned a static IP in the network. What I want to do is to find some way to track what websites are being visited on the other computers from my main PC. I do NOT want to install any kind of hidden program on the target PCs, since antivirus programs usually pick these up. What I really want is something that would track all incoming traffic and what computer it is going to. I have a ~moderate~ knowledge of networking, so please explain to me what could work to accomplish this in simple terms.

Thanks so much,
Derek

I don't know the capabilities of the wrt54g but you could plug a hub in to the router and branch the traffic off to your machine and run a packet sniffer such as wireshark and monitor all network traffic. You would see IM, emails, etc in addition to websites. Before I delve too deep in to that topic will adjusting your cabling be a viable solution for this?

Well, I have an old DI-604 router...would I be able to use that as a true hub? Or if necessary, I could pick up a 4 port hub at walmart. (Used to have an old one laying around here...don't know what happened to it :-) I don't see changing cabling as a problem. Please do explain more though! :-)

Actually -- are the other computers hard wired or connected with wifi/802.11 ?

All computers are connected with normal Cat5e cables, no wifi in use at this time.

Ok, two possible wiring scenarios unless someone knows how you can tee traffic on the router which is conceptually the same as what I am doing here but doesn't require hardware. Basically you need to tee all the traffic to a central computer that analyzes the traffic and records what you want.

Wiring scenario #1:
Everybody can see everyones traffic. They have to know how to look for it but the other members in your household could see your traffic.

Wiring scenario #2:
You could see everyone elses traffic, but nobody could see yours.

Software scenario:
Plug your software in to port #1 on the router. Have the router copy all traffic to/from ports #2,3,4 out port #1 so you can see it. I don't know how/if this can be done with your router but it can on enterprise routers.

Once you have the setup complete you can just run Wireshark on your computer and it will analyze all of the network traffic for you. You can set up filters in Wireshark to only only capture "HTTP GET" requests on port 80/TCP which will analyzes all of the website traffic which is what you asked for.

--- or another approach ---
I know you can download utilities to flash the wrt54g and install custom firmware to do more advanced tasks. You may be able to use this to set up a PROXY on the router and have the proxy log all web traffic requests. This is also identical to the solution mentioned above.

PS - I offer graphic design service for $100/hr if you were impressed with my diagram! :)

Wiring scenario #1:
Everybody can see everyones traffic. They have to know how to look for it but the other members in your household could see your traffic.

I don't see that this would be a problem. The other folks in my house are just smart enough to delete browsing history...that's about it. Viewing traffic would be WAY beyond their scope. Maybe I will pick up a true hub today and try that. The way I understand it, the router ONLY sends data to the specific host that requested it, not to all of them. I had downloaded a trial version of the Ming Network Spy and Network Monitor. Supposedly the Network Spy will work with ANY network scenario, but the only thing I could pick up was any sites on the LAN that were visited, no WAN sites showed up. I emailed them and they said to make sure it was a true hub, and my thinking is that perhaps the DI-604 is not operating that way.

Wiring scenario #2:
You could see everyone elses traffic, but nobody could see yours.

Software scenario:
Plug your software in to port #1 on the router. Have the router copy all traffic to/from ports #2,3,4 out port #1 so you can see it. I don't know how/if this can be done with your router but it can on enterprise routers.

Would this be something like "Static Routing" on the WRT54GS admin settings? http://downloads.linksysbycisco.com/downloads/WRT54GS_UG_WEB_20070529,5.pdf Chapter 3, Advanced Routing

One other thing, by routing all data through my computer first, will this present any significant slowdown on the throughput speeds for data transfer to either the other computers or to my computer?

PS - I offer graphic design service for $100/hr if you were impressed with my diagram! :)

I will be SURE to consider you should I ever have the need for graphic design! With your talent, you could probably even charge $200/hr! :-)

I'm glad you liked my artwork :P

>The way I understand it, the router ONLY sends data to the specific host that requested it, not to all of them.
No, routers only route traffic. In one ear and out the other. It is a little misleading since your wrt54g router has a 4 port switch built in to it.

A switch keeps an internal table of MAC addresses so it knows which MAC address is on which physical port. That way if port 1 wants to talk to port 2 the data goes in port 1 and out port 2.

A hub is dumb. It receives traffic and broadcasts it out all 4 ports because it does know who is where. This is why hubs can't be used for large corporate networks because they send out a lot of traffic to the wrong ports.

>Would this be something like "Static Routing" on the WRT54GS admin settings
No that is something else.

>One other thing, by routing all data through my computer first,
No -- This will not affect speed since you are not really routing the traffic through your computer. Your computer receives a duplicate copy of the traffic sent to/from the router. By the time your monitoring software has parsed the packet the router will have already handled the request and sent data to the internet. You're basically "listening in" on their internet traffic.

--

There is another way to do this with ettercap where you can hijack a switch but this is WAY beyond the scope of this thread and MUCH harder to implement. Its called "ARP Hijacking" if you want to look around. Windows won't let you do it -- the operating system will crash any program trying to send out incorrect ARP packets to stop people from doing this. You can do it on Linux with ettercap but I would highly suggest you use what we have been discussing. That gets in to the deep nitty gritty of network.

Am I correct in assuming that the DI-604 will NOT function properly as a "dumb" hub? How could I check this?

Correct. It will not function as a hub, it has a 4 port switch built in to it.

http://www.amazon.com/D-Link-DI-604-Router-4-Port-Switch/dp/B000069K98

D-Link DI-604 Cable/DSL Router, 4-Port Switch
Technical Details
Easily applied content filtering based on MAC address, IP Address, and/or Domain name
Quickly and easily share an Internet connection with multiple computers
Setup wizard simplifies the installation process
Advanced Firewall and parental control
Built-in 4-port switch ********************

I've been having so much fun with photo shop today here is a picture of my desk. I run the identical scenario I have been describing to you. You will see 4 network appliances on my desk that I write software for and I sniff the Ethernet communications to debug comm errors when writing an application.

ok, wow, just got back from walmart and meijer...turns out they don't carry the hubs anymore. I was looking around on Newegg and Tigerdirect and everything is labeled as a "switch", but the same exact product that I used to have (Netgear EN104) I know was a hub. Could you please give me some guidance/recommendations on what kind of "hub" to purchase? And possibly where to get it?

Thanks again,

Derek

I grabbed me a cheapie on ebay...money's kinda tight right now. I could just KICK myself for getting rid of that old hub! I grabbed a dynex (???) for 10 bucks. As long as it does the job, I don't care too much about it. Now I just gotta wait for it to get here to try it out....!

Good luck! I'll wait to hear from you

Good luck! I'll wait to hear from you

Well, I got the router. I don't really know that Wireshark is the best option for me. I don't want to go commercial (=$$) but Wireshark is a LOT more advanced than what I need. All I want/need is a program that will simply log/monitor all websites visited. I don't need every single header request and all those inundating communications between the computers. Any thoughts on what might do the job?

Derek

Are you at least seeing all the traffic? :)

Give me a few minutes and i'll get back to you on the log analysis

Hmm you can set the filter http.request == 1 to limit to HTTP GET traffic. To analyze the sites visited do this:

Statistics -- HTTP -- Requests -- in the filter put "http.request == 1"
There you have it. A list of websites visited.

That does seem to work. Just one more question (ha! will they ever cease!?)...how would I only view from certain host, for example 192.168.0.103? I've been toying around with the filters...in fact, all i really want to CAPTURE is from 2 other hosts....I'm sure you can set it up that way, but I just haven't figured it out yet.

Seriously, you have been SO much help to me. I really appreciate it!

Derek

Edit: Maybe I have it... I changed filter in capture screen to "http.request == 1 and ip.host matches "192.168.0.103"" seems to work...does this look right to you?

use "ip.addr == 192.168.0.103". You can use the expression editor to help you build filters if you want to filter even more. "tcp.port == 80" is another example for ports. ip.host matches with DNS hostnames and might be a bit ambiguous or more CPU intensive if it tries to resolve. It should give you the same results but may take a bit longer... but yes, it looks right.

Please mark this thread as solved if I have answered all of your questions :) . This is probably the most involved thread I have posted on to date.

I give you a "more than solved"! You definitely have helped me with this more than I could have expected, and I greatly appreciate it!

I really wish I could find something that would run sort of in the background 24/7 on my main machine that would just log URLS and not be very demanding on CPU, but the Wireshark does do what I want it to, just kind of in a more extravagant fashion.

Thanks again!

Derek

There is always the "Add to reputation" under my name if you want to give more thanks :) Reputation is always appreciated

With wireshark there are a few more options to decrease CPU. Go to capture -- options and put in the tcp.port filter there (you can also add a capture filter for ip.addr != 192.168.0.1 and use YOUR ip address, this will stop your traffic from eating up CPU). The display filter only filters what is showed on the screen but the capture filter stops it from logging, writing to disk, displaying on grid, deep packet analysis, etc.

In the same screen set it to log to a file and under Display Options disable "Update list of packets in real time", "Autmatic scrolling in live capture". Under "Name Resolution" deselect all 3 checkboxes. This should significant decrease the Wireshark overhead. Let me know how that works for you

Out of curiosity -- what sites are you trying to bust your roomies visiting?

Out of curiosity -- what sites are you trying to bust your roomies visiting?

Haha! The usual - porn sites. Teenage step-sons...ya know!

I will try the additional settings you recommended and see how that works for me. I have added to your reputation as well!

Derek

I thought so. I was questioning whether or not I should explain how to do this since it could be a huge invasion of privacy .. but you were far too patient so I figured it was a concerned parent or someone with a very interesting story :)

You can start null routing the sites they frequent on your router if discipline alone doesn't work. If you want to go that route then create a new thread and post the URL on here so i'll get notified.

Hmm, no, I don't think that would work. Seems to be a general variety of many different sites usually found using search engines. One brute force method that I don't really like is to disable the ability to delete browser history through the IE options, but this guy is pretty clever...I don't want to rely on that alone, cause there are definitely work-arounds to that. So, no, I don't think that URL blocking or null routing would really work. I'm more interested in tracking and busting right now, me and my wife.

If you know the IP, it's easy, but the IP is changed manually, it's a very complicated job by tracking the traffic of the router. Another useful way is using monitoring software like EaseMon, which can monitor every computer's website visiting. http://www.easemon.com

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.