This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

User monitoring


Hi,

I've been asked to monitor/log the internet usage during work hours of about a dozen employees. I want to leave it capturing for a few days but don't want to run out of memory/space.

My current idea is to capture only DNS traffic, which should give me most of what I need. Is there a better way to capture or a better app/method?

Thanks

asked 09 Sep '13, 05:26


nt40lanman


One Answer:


My current idea is to capture only DNS traffic, which should give me most of what I need.

that just tells you that 'something' on a system requested name resolution. It could be a ping on the CLI, it could be the user surfing (HTTP(S)), it could be any other protocol to that server, etc. So, based on the DNS information, you have no valid data about the internet usage of those users. If the system uses the local DNS cache, you won't see any internet usage at all until the DNS cache entry times out.

I want to leave it capturing for a few days but don't want run out of memory/space.

that's the biggest problem if you want to use Wireshark. Wireshark is a great protocol analyzer and network troubleshooting tool, but it is not very good at (realtime) monitoring for long periods of time.

So, either you run dumpcap (no RAM problems) or you head for another (monitoring) tool. See tools in the Links section of WinPcap (e.g. assniffer, iNetWatcher, and similar). On Linux, ngrep can be useful or maybe xplico.

Regards
Kurt

answered 09 Sep '13, 06:18


Kurt Knochner ♦
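The dumpcap approach suggested in the answer, as an added example that is not part of the original question or answer: a ring-buffer capture that is bounded on disk, with a capture filter that goes a step beyond DNS-only by also recording the first packet (TCP SYN) of every outbound connection to ports 80 and 443, so the file actually shows which hosts were contacted and when, not just which names were resolved. The interface name, output directory and size budget are placeholders, and the script assumes dumpcap is on PATH and that the user running it is allowed to capture on that interface.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: IFACE, OUTDIR
# and the size budget are placeholders; dumpcap is installed and the caller
# may capture on IFACE.

IFACE="${IFACE:-eth0}"              # assumption: the interface seeing client traffic
OUTDIR="${OUTDIR:-/var/tmp/usage}"  # assumption: where the pcapng ring buffer lives
FILE_KB=102400                      # -b filesize: rotate after 100 MB (dumpcap counts kB)
FILE_COUNT=50                       # -b files:   keep at most 50 files, then overwrite

# BPF capture filter. DNS (UDP and TCP port 53) shows only that a name was
# resolved; the second clause keeps the SYN of each new TCP connection to
# 80/443 (the "start of conversation" idiom from pcap-filter(7)), which is
# one small packet per connection, so the capture stays cheap.
capture_filter() {
    printf '%s' 'port 53 or (tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 80 or dst port 443))'
}

# Worst-case disk use of the ring buffer, in MB.
disk_ceiling_mb() {
    echo $(( FILE_KB * FILE_COUNT / 1024 ))
}

# Assemble the dumpcap command line as text so it can be reviewed before it
# is run with capture privileges.
dumpcap_cmd() {
    printf 'dumpcap -i %s -f "%s" -b filesize:%d -b files:%d -w %s/usage.pcapng\n' \
        "$IFACE" "$(capture_filter)" "$FILE_KB" "$FILE_COUNT" "$OUTDIR"
}

if [ "${1:-}" = "run" ]; then
    mkdir -p "$OUTDIR"
    echo "ring buffer ceiling: $(disk_ceiling_mb) MB" >&2
    eval "$(dumpcap_cmd)"
else
    # Default: just print the command that would be executed.
    dumpcap_cmd
fi
```

Run it without arguments to see the exact command, and with `run` to start capturing; the resulting pcapng files can be opened in Wireshark one at a time (or merged with mergecap) after the capture period, so Wireshark itself never has to hold days of traffic in RAM. Note that the SYN clause still does not reveal content or the virtual host behind a shared IP address; it only records connection attempts.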