Simple way to monitor and analyze home network traffic, via proxy?

Question

I'm looking for a way to create a simple list/log/database of the URLs my home computers have accessed. This list should show Domains, Urls, Timestamps, bytes sent/rec'd and that's about it.

Background

On my home network I have frequent visitors with limited computer knowledge and some laptops with un-patched old versions of Windows. Our young children and my teenage son also have occasional access. Occasionally, someone clicks on crazy things. Currently, I suspect there is a highly sophisticated virus infecting our entire LAN by modifying our Google search results, so that the text of the results is unchanged but the links occasionally point to extremely malicious sites. It's so ingeniously designed that it's hard to track, but I have strong evidence that this exists. So I'm starting to seriously clamp down on our network.

Prior Research

I'm familiar with many of the analysis tools like wireshark and the network management systems that are severe overkill. I've read dozens of related questions. The one most similar to mine is:

Network Traffic Log

However, this guy is taking an overly complex approach. I'm also aware of RFlow but I'm seeking a more universal approach and I don't want to buy another router just because mine lacks this protocol.


Summary

There must be a simpler way! Can't I set up a proxy, point all my computers to it, and have that proxy log all URLs requested?

It seems like squid would be the proxy of choice along with some kind of external tool to parse the log files. Does anyone have suggestions on a clean, simple way to analyze the traffic of computers (Mac, Windows, Ubuntu) in a home network, via proxy? The number of Squid extensions is overwhelming. Has anyone had success doing this sort of thing with any of the countless squid plugins?


Solution 1:

I feel a dns attack is far more likely here. If you're still hellbent on tracking your urls you may want to try using Fiddler2; it's more for web-developers but it makes an intercepting local proxy and monitors web-traffic.

However, I feel what's more likely than Google injection is DNS attacks:

Basically you request the ip for www.fun.com and the dns resolution returns the ip for www.gonna-hack-you.cc

  1. Check your hosts file, malware likes to override dns resolutions especially to anti-malware sites. This file is located at: c:\Windows\System32\drivers\etc\hosts, you can read more about it here: Hosts (File) @ Wikipedia.
  2. Use Trusted DNS Resolution Servers. It's much harder to do but attackers can abuse the cache on your ISP's DNS servers to get them to return invalid results to you. Best to use your router to override the DNS Settings. I suggest Google's public DNS, it not only is of higher security, but it also will stop you from visiting KNOWN bad sites in general. (So in a lot of cases if your urls ARE being re-written, the offending sites may not resolve ;p)

Also, as a test, try resolving dns from a web-based external DNS resolving service, and compare the results to those returned from nslookup; it'll help you determine if your dns is being overridden.

Solution 2:

You have a few potential options here.

  1. Check your router (may be built into your modem). Some of them have a basic logging capability built in and can log and store or email information to you.
  2. If you want to go with a proxy, I'd suggest a transparent proxy setup using a linux box. All this machine needs to do is pass everything back and forth and log all source and destination addresses. If you have separate modem and router hardware, the transparent proxy would, of course, go between them. See here for a guide to get one going with squid.
  3. I haven't used them in years, so I don't remember any of the good ones, but I know there are applications that can be installed and used to watch each system's traffic individually. If you know where the suspected traffic is coming from, these could help pinpoint the exact source and let you get specific help and cleanup.
    (Edit)
  4. OpenDNS is capable of logging all traversed addresses. Set your Modem/Router to use it, and sign up for their service to have everything taken care of automatically.
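Both the question (a list of domains, URLs, timestamps and bytes) and option 2 above (a transparent Squid proxy that logs everything) end with the same need: something that turns Squid's access.log into that list. The following is an added example, not code from the original post or from the Squid project; it parses Squid's default native log format with only the Python standard library and assumes the constructed sample lines below stand in for a real access.log. It also handles CONNECT records, where the URL field is a bare host:port rather than a full URL.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log format:
# timestamp.ms elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.123    245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000003.456     12 192.168.1.10 TCP_HIT/200 1024 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1700000010.789   3021 192.168.1.22 TCP_TUNNEL/200 81234 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.7 -
1700000015.000      5 192.168.1.22 TCP_DENIED/403 0 GET http://bad.example.org/ - HIER_NONE/- text/html
"""

def domain_of(url):
    """Host part of the URL field; CONNECT lines carry a bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]  # "host:443" -> "host" (also "[::1]:443")

def parse_line(line):
    """One native-format record -> dict, or None for lines that don't fit."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, action, size, method, url = fields[:7]
    when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    return {
        "time": when.strftime("%Y-%m-%d %H:%M:%S"),  # UTC
        "client": client,
        "status": action.split("/")[-1],  # e.g. TCP_DENIED/403 -> 403
        "bytes": int(size),               # bytes sent to the client
        "method": method,
        "url": url,
        "domain": domain_of(url),
    }

def summarise(log_text):
    """Per (client, domain): request count and bytes transferred."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            t = totals[(rec["client"], rec["domain"])]
            t["requests"] += 1
            t["bytes"] += rec["bytes"]
    return dict(totals)

if __name__ == "__main__":
    for (client, domain), t in sorted(summarise(SAMPLE_LOG).items()):
        print(client, domain, t["requests"], t["bytes"])
```

Point it at a real file with `summarise(open("/var/log/squid/access.log").read())`; a denied request (status 403, 0 bytes) still appears in the list, which is the point when you are looking for who clicked what.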

Solution 3:

You can set your DNS settings in your DHCP configuration in your router to use OpenDNS. Create an account with OpenDNS and you can enable DNS request logging so you can see what domains are being looked up. It's easy to bypass but it should work on the average user.