As part of the monitoring package, we are interested in recording which web sites users are visiting. The first step is to capture the URLs; the second is to process and report on them.
It took a while, but I came across DebianHelp. Among a bunch of other network diagnostic tools, it mentioned dsniff, which is a collection of the following tools:
- arpspoof - send out unsolicited (and possibly forged) ARP replies.
- dnsspoof - forge replies to arbitrary DNS address / pointer queries on the local area network.
- dsniff - password sniffer for several protocols.
- filesnarf - save selected files sniffed from NFS traffic.
- macof - flood the local network with random MAC addresses.
- mailsnarf - sniff mail on the LAN and store it in mbox format.
- msgsnarf - record selected messages from different instant messengers.
- sshmitm - SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
- sshow - SSH traffic analyser.
- tcpkill - kill specified in-progress TCP connections.
- tcpnice - slow down specified TCP connections via "active" traffic shaping.
- urlsnarf - output selected URLs sniffed from HTTP traffic in CLF (Common Log Format).
- webmitm - HTTP / HTTPS monkey-in-the-middle; transparently proxies and sniffs traffic.
- webspy - send URLs sniffed from a client to your local browser.
urlsnarf was the tool I was looking for. For usage details, it has a man page. The whole toolset can be installed with:
apt-get install dsniff
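Getting it capturing is just a matter of pointing it at the right interface and redirecting the output. A minimal invocation might look like the following, where eth0 and the log path are guesses for my setup, and -n skips reverse DNS lookups on the captured addresses:

    urlsnarf -n -i eth0 >> /var/log/urlsnarf.log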
I now have urlsnarf logging to a file. I still need to set up log rotation for it.
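A logrotate snippet along these lines should cover it; the path and schedule are assumptions. The copytruncate directive matters because urlsnarf is just writing to a redirected file handle and won't reopen the log after rotation:

    # /etc/logrotate.d/urlsnarf -- sketch; path and schedule are assumptions
    /var/log/urlsnarf.log {
        daily
        rotate 7
        compress
        missingok
        notifempty
        copytruncate
    }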
I am now looking at various ways to process the results. I was thinking of using Logfile::Access to parse the lines by hand and put the data into a database. Then I looked around at log file analyzers like visitors and awstats, but they don't provide a breakdown of sites by user. I think I'll roll my own with the Perl library already mentioned.
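As a starting point, here is a rough sketch of the kind of per-user breakdown I have in mind. It parses the CLF lines with a hand-rolled regex rather than Logfile::Access, treats the client IP as the "user", and assumes urlsnarf logs the full URL in the request field; the log path is also an assumption:

    #!/usr/bin/perl
    # Sketch: tally sites per client from a urlsnarf log (CLF lines).
    use strict;
    use warnings;

    my %hits;    # client IP => { site => count }

    # Log path is an assumption -- adjust to wherever urlsnarf writes.
    open my $log, '<', '/var/log/urlsnarf.log' or die "open: $!";
    while (my $line = <$log>) {
        # CLF: host ident user [date] "request" status size ...
        next unless $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)/;
        my ($client, $url) = ($1, $2);
        # Reduce the URL to its site (host) portion.
        my ($site) = $url =~ m{^(?:https?://)?([^/]+)};
        $hits{$client}{$site}++ if defined $site;
    }
    close $log;

    # Per-user breakdown: one line per client/site pair.
    for my $client (sort keys %hits) {
        for my $site (sort keys %{ $hits{$client} }) {
            printf "%-15s %-40s %d\n", $client, $site, $hits{$client}{$site};
        }
    }

From there it would be a small step to swap the printf for DBI inserts once I settle on a schema.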