Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-13 Thread Andreas Fink
The two switches are not forwarding packets to your PC, as your PC is not
the intended destination of those packets.
You need to do the tracing on the WRT54G itself (if it runs some
Linux, for example), or it should forward the packets to you.
I don't think you will see the packets even without the two switches, as
they come/go from DSL and WLAN. So the WRT will not forward them to you
because it knows (or thinks) you are not looking for those packets.


On 12.11.2007, at 22:34, Gary Fritz wrote:

> From: Stephen Fisher [EMAIL PROTECTED]
> > What does your network setup look like?  Do you have separate wireless
> > AP, router, cable/dsl modem?  Or which parts are combined into one?
>
> Our home network looks something like this (sorry for the ASCII graphics):
>
>   Linksys
>   WRT54G  switch  switch  my PC
>   (wifi hub)
>   |
>   |
>   other PCs
>
> The Linksys is acting as a DSL modem (although my broadband
> connection is actually wireless), router, and wireless AP.
>
> So I have 2 switches between the router and my PC.  Could that be part of
> the problem?
>
> > You could monitor the wifi through another wifi connection only if your
> > operating system & wireless driver support promiscuous mode, which is not
> > common (especially on Windows).
>
> Hm.  And I am running on Windows -- XP Home & Pro.  The promiscuous-mode
> option is checked in the Capture Options dialog.
>
> > Ideally you would monitor his machine by installing Wireshark on his
> > machine, but that may give away what you're trying to do :).
>
> Yeah, that's not ideal for me.  :-)
>
> > Since the initial sites visited are typically the only time HTML is
> > loaded (the accesses to other sites are usually graphics), this display
> > filter should help narrow it down:
> >
> > ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"
>
> Hm, no, I'm still seeing requests for googleadservices.com,
> pagead.l.google.com, rcm.amazon.com, some gifs and jpgs, etc.  A lot of the
> sites I'm seeing are requesting p3p.xml files or similar.
>
> And it doesn't seem to be capturing all the actual browse requests.  E.g. if I
> browse to www.dogpile.com (my son's favorite search engine), nothing gets
> through the filter.
>
> It's definitely better than I had come up with before.  The statistics report I
> was using before doesn't work with that filter, but the filtered output is better
> than the stat report was anyway.  If it just included all the hosts I browsed to,
> it would be good enough for now.
>
> Except... I've just discovered that display filters and capture filters don't use
> the same syntax, sigh.  These packets pile up quickly without a filter.  I tried
> port 80 and src my IP and that helps, but I'm sure it's not optimal.
> Can you capture basically the same set of packets that the display filter
> shows?
>
> Thanks for the start!
> Gary
>
> ___
> Wireshark-users mailing list
> Wireshark-users@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-users



Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-13 Thread Gary Fritz
On 13 Nov 2007 at 12:00, Andreas Fink [EMAIL PROTECTED] wrote:
> the two switches are not forwarding packets to your PC as the
> destination of the packets are not meant to receive it
> You need to do the tracing on the WRT54G itself (if it runs some
> linux for example) or it should forward packets.

I believe it is running a Linux OS, but I don't know of any way to change its
programming to tell it to forward the packets.  Even if I dug through the
source (which is available on the Linksys site!), I couldn't change the code in
the router.

It has a Port Forwarding feature, but I think that's only to forward specific
ports from the outside (internet) to an IP on the LAN.  I could tell it to forward
port 80 traffic to my PC, but I think that would only forward incoming port-80
requests from outside, not the port-80 traffic from my son's laptop.

(User manual, GPL source, etc are all available at
http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2childpagename
=US%2FLayoutcid=1166859837401packedargs=sku%3DWRT54Gpage
name=Linksys%2FCommon%2FVisitorWrapperlid=3740137401B01displa
ypage=download#versiondetail
)

> I don't think even without the two switches you will see the packets as
> they come/go from DSL and WLAN. So the WRT will not forward it to you
> because it knows (or thinks) you are not looking for those packets.

What about computers that are connected directly to the WRT's ports, with 
no switches in the way?  Would they see the packets, or would the WRT still 
not forward the packets to those ports because they aren't the target of the 
packets?

If none of those tricks work, then I guess the only way to do this is to run
Wireshark on my son's laptop.  Not the greatest solution.  Oh well.

Thanks,
Gary



Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-13 Thread Pedro Tumusok
On Nov 13, 2007 3:21 PM, Gary Fritz [EMAIL PROTECTED] wrote:

> If none of those tricks work, then I guess the only way to do this is to run
> Wireshark on my son's laptop.  Not the greatest solution.  Oh well.


Have you looked at linklogger or wallwatcher etc?

http://www.linklogger.com/
http://www.wallwatcher.com/

If you like tinkering a bit, there seems to be an option listed at

http://www.hardforum.com/showthread.php?t=155


-- 
Best regards / Mvh
Jan Pedro Tumusok

If I knew being here with you today,
Would mean being alone tomorrow.
I would gladly trade all of my tomorrows away
For a moment with you.


Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-13 Thread wireshark
This may be a bit more difficult than it needs to be.  Is your linksys
router actually your internet gateway?  You said your internet connection
is wireless, and your drawing lists your pc as the wifi hub.  So is your
outgoing internet connection your computer via the wifi, or the linksys
via something else?

If your computer is the gateway, then everything is flowing through it
anyway, and you should have no problem looking at the ethernet port from
your pc plugged into the switch to see all traffic.

If the Linksys is the gateway, then you will need to do something else to
see the traffic.  You can find a way to do the trace on the Linksys itself
through the Linux firmware (there may be compatible non-Linksys firmware
releases that do this, I'm not sure - DD-WRT is a popular replacement
firmware that has many more features than the Linksys one but I've never
used it).  You can set up your desktop as your son's default gateway,
thereby forcing all traffic to be sent from his PC, to the Linksys, to
your desktop, then back to the Linksys to go out.  It should work, but of
course it adds some lag time, and your machine would need to be left on
continuously.  The same thing is accomplished by installing a web proxy
package on your computer and pointing his browser to it.  The Linksys may
even have an option that's not enabled to perform logging of internal
access (usually only external access attempts are logged by default).  Or
you can remove the wireless card from your son's PC, purchase a $20 hub
(not a switch) and place it inline between your son's PC and the Linksys.
Then you would simply connect your machine to the hub every time you want
to look at his traffic.

I would never discourage somebody from doing packet analysis, and as much
as I love sifting through packets, if you're already using nanny software
and it's functioning properly (he hasn't figured out how to bypass or
disable it), you may just want to enable full logging in the tool, and
that should give you a list of everything he does online.  I'm sure there
are standalone tools that do this as well that would stay running when/if
you disable the nanny tool for his approved research times (such as a web
proxy package).

Some type of logging local on his machine is what I would choose if it
were me and I was set on using wireless.  As he learns more about
computers, he'll realize that all he has to do to bypass your logging is
change the wireless settings on his computer to connect to the neighbor's
access point.  If you're using regular ethernet, then of course you can do
any monitoring you want outside of his computer on the local network and
he can't bypass it if set up correctly.  Wireless monitoring via one of the
options above will work just fine as long as you realize it isn't 100%
effective.  It all depends on how savvy he and his friends are, and how
much you trust him.

Good luck!

Kevin.





Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-13 Thread boojum
would rpcap help?

On Nov 13, 2007 7:21 AM, Gary Fritz [EMAIL PROTECTED] wrote:




[Wireshark-users] How to see HTTP hosts visited

2007-11-12 Thread Gary Fritz
I installed Wireshark to use as a parenting tool.  :-)  We just gave my
12-yr-old a hand-me-down laptop with wifi.  We have some net-nanny-type
software on it to try to keep him on a rather short leash, but occasionally we 
have to turn it off to let him do homework/etc research.  I want to keep a 
clandestine eye on him while he does.  (He is a really good kid, but he once 
filled a computer with viruses while he was surfing for porn -- not appropriate 
for a kid!!  He needs some supervision and monitoring.  I want to keep an 
eye on what he does when off the leash.)

So anyway.  I've figured out how to monitor packets.  If I look at my own
system, I can filter on my IP, and I can even do a Statistics report (filtering on
ip.addr == 192.168.1.106 and http) to find the HTTP hosts I'm hitting.  So
far so good, if a bit manual.

Problems:  I don't seem to get the http requests from his wifi connection on 
my hard-wired PC.  I get a few things like registration and ICMP requests, 
but I don't see HTTP requests.  Why some but not others?  Do I have to 
monitor his wifi connection from another wifi connection?

Also, the http Statistics report produces a lot more data than I want, no 
surprise.  E.g. if I browse to site A, which has graphics downloaded from 
sites B-Z, the report shows me requests for sites A-Z.

Is there any way to narrow the report down to ONLY the sites HE 
REQUESTS, either by typing in a URL or by clicking on a link?  And is there 
a better way to do this than the stumbling around I've done?

Thanks,
Careful Dad



Re: [Wireshark-users] How to see HTTP hosts visited

2007-11-12 Thread Stephen Fisher

On Mon, Nov 12, 2007 at 09:39:38AM -0600, Gary Fritz wrote:

> So anyway.  I've figured out how to monitor packets.  If I look at my
> own system, I can filter on my IP, and I can even do a Statistics
> report (filtering on ip.addr == 192.168.1.106 and http) to find the
> HTTP hosts I'm hitting.  So far so good, if a bit manual.
>
> Problems: I don't seem to get the http requests from his wifi
> connection on my hard-wired PC.  I get a few things like registration
> and ICMP requests, but I don't see HTTP requests.  Why some but not
> others?  Do I have to monitor his wifi connection from another wifi
> connection?

The packets you are seeing are broadcast or multicast, which in your
type of setup are sent to all machines on the network.  You're not
seeing his traffic because your wireless AP/(router?) is acting like a
switch instead of a hub.  Switches do not send traffic for one host out
to all ports.

What does your network setup look like?  Do you have separate wireless
AP, router, cable/dsl modem?  Or which parts are combined into one?

You could monitor the wifi through another wifi connection only if your
operating system & wireless driver support promiscuous mode, which is
not common (especially on Windows).

Ideally you would monitor his machine by installing Wireshark on his
machine, but that may give away what you're trying to do :).

> Also, the http Statistics report produces a lot more data than I want,
> no surprise.  E.g. if I browse to site A, which has graphics
> downloaded from sites B-Z, the report shows me requests for sites A-Z.
>
> Is there any way to narrow the report down to ONLY the sites HE
> REQUESTS, either by typing in a URL or by clicking on a link?  And is
> there a better way to do this than the stumbling around I've done?

Since the initial sites visited are typically the only time HTML is
loaded (the accesses to other sites are usually graphics), this display
filter should help narrow it down:

 ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"


Steve
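Added example (not from the thread or from Wireshark itself) illustrating Steve's display filter and Gary's follow-up about navigations such as www.dogpile.com slipping through it: rather than keying on the response Content-Type, it looks at each HTTP request from the monitored IP and uses the browser's Accept header (text/html on page navigations, image/* on graphics) to separate the sites the user actually opened from sub-resource fetches. The frames in SAMPLE are constructed with zeroed checksums; the host names and the 192.168.1.106 address come from the thread.

```python
import struct

def parse_http_request(frame):
    """Parse a raw Ethernet/IPv4/TCP frame and return a dict describing the
    HTTP request it carries, or None if there is no request in it."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                      # not IPv4/TCP
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp = 14 + (frame[14] & 0x0F) * 4                    # skip IP options
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP options
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):  # response or junk
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"src": src_ip, "dport": dport, "method": parts[0], "uri": parts[1],
            "host": headers.get("host", ""), "headers": headers}

def hosts_visited(frames, client_ip, port=80):
    """Post-capture equivalent of 'ip.src == client_ip && http.request', split
    into page navigations (browser sent Accept: text/html) and sub-resources."""
    pages, subresources = set(), set()
    for frame in frames:
        req = parse_http_request(frame)
        if req is None or req["src"] != client_ip or req["dport"] != port:
            continue
        target = pages if "text/html" in req["headers"].get("accept", "") else subresources
        target.add(req["host"])
    return sorted(pages), sorted(subresources - pages)

def _frame(src_ip, dst_ip, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

SAMPLE = [  # constructed traffic modelled on the thread, not a real capture
    _frame("192.168.1.106", "10.0.0.1", 80, b"GET / HTTP/1.1\r\nHost: www.dogpile.com\r\nAccept: text/html,*/*\r\n\r\n"),
    _frame("192.168.1.106", "10.0.0.2", 80, b"GET /ad.gif HTTP/1.1\r\nHost: pagead.l.google.com\r\nAccept: image/gif\r\n\r\n"),
    _frame("192.168.1.50", "10.0.0.1", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\nAccept: text/html\r\n\r\n"),
]
```

On the capture side, the closest BPF equivalent of the source/port selection is `src host 192.168.1.106 and tcp dst port 80`; capture filters cannot parse HTTP headers, so the Host/Accept step has to run after capture, as it does here.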