This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tracking Incognito Use

0

I would like to know how to track the incognito browser use of my family using Wireshark.

asked 14 Jun '14, 14:00

Ashley Lynne...

If the question is "how can I track only the incognito browser use", Kurt's answer is correct, in that there's nothing on the network that's different about incognito use.

If the question is "how can I track the browser use of my family, even if it's incognito and isn't getting logged in the browser history", Quadratic's answer is correct.

(15 Jun '14, 20:11) Guy Harris ♦♦

2 Answers:

1

how to track the incognito browser use of my family using wireshark

You can't!

Reason: traffic in incognito (private) mode looks the same as in 'normal' mode in Wireshark.

All that incognito mode does is this: it deletes traces of the activities on the PC.

https://support.google.com/chrome/answer/95464?hl=en

So, if you want to know what your family is trying to hide from you, here is what you can do:

  • ask them directly and try to discuss the problem
  • install spyware on every PC
  • install hidden surveillance cameras in every room
  • If nothing else works: give them a truth serum and then start some insistent questioning ;-))

Regards
Kurt

answered 15 Jun '14, 08:00

Kurt Knochner ♦

edited 15 Jun '14, 08:56

Thank you for your overly sarcastic answer :)

(15 Jun '14, 10:25) Ashley Lynne...

overly sarcastic answer ?? No way.... ;-))

All I was trying to say: If your family refuses to be cooperative and talk openly about their failures, you need to protect the family by doing the inevitable: show them who's the boss!

I'm not suggesting you should apply waterboarding (although that might teach them some respect), I'm just saying that some soft pressure will help your family to learn the borders of their freedom and to respect the laws within your family, defined by whom? Of course you (who else!)

Good luck with those little stubborn bast<beep>. You should <beep> the cr<beep> out of them. <beep>, <beep>, <beep>

;-))

(15 Jun '14, 13:13) Kurt Knochner ♦

0

There are a few things you can do.

Assumptions:

  1. There are multiple devices running in your (home?) network, and you want to track the web usage of all of them.
  2. Your network consists of end user devices like computers and tablets, along with a 'typical' home router and modem.
  3. You want to track usage but you don't know exactly when the suspect browser usage is taking place, nor by which device.

If that's all true, this might actually be a use-case for a program like "Snort", where you set it up to log all the URLs that it sees on the network, with a timestamp and source IP info for the device in the network that browsed there.

Whether by something like Snort or Wireshark, the critical piece here is that you need a system that is in-between all your users and the Internet, to see all the packets. If your home router supports a feature called "port mirroring", that could be the solution, but that's not a common feature on a home router. Installing a 'hub' between the home router and the modem (if that is your setup) could degrade performance, but that would be another method (where your "spy" workstation could connect along with the router and modem in a three-way network and see all the traffic between them).

And for a Wireshark method, I'm not sure what technical expertise you have with UNIX or Wireshark, but if you're familiar with scripting and the use of scheduled 'cron' jobs, that's another way. A statement like '/usr/bin/dumpcap -a duration:3600 -i {interface name} -f "tcp port 80" -w {filename}' would capture all visible HTTP traffic using TCP port 80 for one hour. Write that into a script that runs hourly, and set that filename to something with a timestamp in it, and you've got yourself an hourly packet capture database that will capture all HTTP traffic on port 80 continuously.

There are a few reasons why I think Snort would be much better for this (detecting and logging traffic patterns is the bread-and-butter of what IDS systems like Snort do), but either way there's very little you're going to be able to do about parsing HTTPS traffic, and in the case of a network hub you wouldn't be getting the traffic before NATing happens, so it would be more difficult to tell which device originated the traffic.

answered 15 Jun '14, 14:01

Quadratic

edited 15 Jun '14, 19:27
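
The hourly capture job described in the answer above, as an added example that is not part of the original post: it passes the capture filter to dumpcap as a single quoted argument and prunes old files so the capture directory cannot fill the disk. The directory, interface name, retention period, file naming scheme and the cron path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: hourly HTTP capture job for cron (not from the original post).
# Hypothetical crontab entry: 0 * * * * /usr/local/bin/http-capture.sh run
# Assumed settings, all overridable from the environment:
CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/http-captures}"
IFACE="${IFACE:-eth0}"
KEEP_DAYS="${KEEP_DAYS:-7}"
DUMPCAP="${DUMPCAP:-/usr/bin/dumpcap}"

# Build a timestamped file name so hourly runs never overwrite each other.
# An optional first argument supplies the timestamp instead of the clock.
capture_filename() {
    stamp="${1:-$(date +%Y%m%d-%H%M%S)}"
    printf '%s/http-%s.pcapng\n' "$CAPTURE_DIR" "$stamp"
}

# Run one capture of one hour. The capture filter must reach dumpcap as ONE
# argument; unquoted, "port" and "80" would be parsed as stray arguments.
run_capture() {
    out="$(capture_filename)"
    "$DUMPCAP" -a duration:3600 -i "$IFACE" -f "tcp port 80" -w "$out"
}

# Delete capture files older than KEEP_DAYS days; other files are untouched.
prune_old() {
    find "$CAPTURE_DIR" -type f -name 'http-*.pcapng' \
        -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Act only when called with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$CAPTURE_DIR" || exit 1
    prune_old
    run_capture
fi
```

As the answer notes, a port 80 filter records only unencrypted HTTP; HTTPS sessions are not in these files.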