Security Basics mailing list archives

Re: monitor traffic on host


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Tue, 18 Sep 2007 11:54:10 -0700

At what level of detail are you needing to log - will just sites and
URLs do, or all of the bytes? Do you need only stuff done external to the
business, or do you need to keep track of visits to internal sites as
well?

If what you care about is external stuff, for SMTP, I'd pull logs from
your email server and for the URLs and FTP sites, I'd take a look at
your firewall logs.

If those aren't available, or aren't easy to use, you have two other options:

1) set up a spare whitebox running ntop with a really restrictive
filter, so that only the IP address of your subject is monitored -
this requires access to a point in your network past which all of
his/her traffic will flow. Usually, this means a mirror/span port on
the switch to which that PC is attached.

2) set up a spare whitebox with two NICs, and configure it as a
transparent bridge with squid running on it.

Both of these depend on your level of comfort with Linux/FreeBSD.

As for appliances/VMs, I'd cruise this page:

http://vmware.com/appliances/

and see if there's anything there that looks interesting.

Kurt

On 9/14/07, Kelly Keeton <kellyrkeeton () gmail com> wrote:
I have an issue where I have been asked to monitor all web traffic on an
employee. I need to as quick as possible set up a transparent device
that will monitor and log all web traffic in the clear. Anything sent
or rx over the network. Ideally it would also monitor smtp, ftp, etc. I
need real time reporting so tcpdump won't work, snort also I don't think
is the correct answer. Is there any "prebuilt" knoppix or vm-appliance
that will accomplish this?
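A watcher for the access.log that the transparent squid bridge in Kurt's second option would produce, added here as an example (it is not code from either poster): it parses squid's native log format, keeps only the subject's client IP so other users' requests are never recorded, and reports the "sites and URLs" level of detail Kurt asks about. The sample lines and the 192.168.1.42 subject address are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log: ts.ms elapsed client result/status bytes method url user hier/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\w+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

def parse_line(line):
    """Return a dict for one squid log line, or None for anything that is not squid output."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"], rec["status"] = int(rec["bytes"]), int(rec["status"])
    # CONNECT (HTTPS through the proxy) logs only host:port; the path is never visible in the clear
    rec["site"] = (rec["url"].rsplit(":", 1)[0] if rec["method"] == "CONNECT"
                   else urlsplit(rec["url"]).hostname or rec["url"])
    return rec

def watch(lines, subject_ip):
    """Yield (site, method, status, bytes) for the subject's requests only; other clients are dropped."""
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["client"] == subject_ip:
            yield (rec["site"], rec["method"], rec["status"], rec["bytes"])

def summarize(lines, subject_ip):
    """Per-site (request count, bytes) for the subject: the 'sites and URLs' level of detail."""
    hits, volume = Counter(), Counter()
    for site, _method, _status, nbytes in watch(lines, subject_ip):
        hits[site] += 1
        volume[site] += nbytes
    return {site: (hits[site], volume[site]) for site in hits}

# Constructed sample lines, not a real capture; 192.168.1.42 is the hypothetical subject
SAMPLE_LOG = """\
1190145600.123    245 192.168.1.42 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1190145601.456     12 192.168.1.42 TCP_HIT/200 1024 GET http://www.example.com/logo.png - NONE/- image/png
1190145602.789    300 192.168.1.17 TCP_MISS/200 8192 GET http://news.example.net/ - DIRECT/198.51.100.7 text/html
1190145603.001   1500 192.168.1.42 TCP_MISS/200 2048 CONNECT mail.example.org:443 - DIRECT/203.0.113.5 -
this line is not squid output and is skipped
"""

if __name__ == "__main__":
    for site, (n, b) in summarize(SAMPLE_LOG.splitlines(), "192.168.1.42").items():
        print(f"{site:25s} {n:3d} requests {b:7d} bytes")
```

For TLS sessions the proxy sees only the CONNECT host, so "all web traffic in the clear" stops at the site name once the browser speaks HTTPS. Feed the function `tail -F access.log` style lines to get the real-time view Kelly asked for.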
