This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Easiest way to detect prohibited activity?

0

I have mirrored the "hot" port on our switch and run that to a dedicated PC we use only to monitor network activity, and I am able to monitor all traffic on our network this way, so when we have a network bottleneck I am able to fairly easily see what IP is using the bandwidth (I then use Angry IP Scanner to get the machine name, and sometimes it also shows the name of the user logged in).

The issue is that I have a lot of difficulty seeing what they are doing. For example one user today I know was on Youtube (which is prohibited 99% of the time), and I filtered the capture using "http includes youtube" and it did show several packets to the IP address for that machine...but the boss wants to know what video he was watching so he can determine if it is work related, not work related but not inappropriate, or inappropriate. I expanded every field for every packet that turned up using the filter and I didn't see a URL or even the word Youtube for that matter.

In addition to doing this when issues occur, the boss wants me to spend an hour or two per week filtering through the traffic that week and notify him if people are on Youtube, Facebook, and really anything streaming that will use a lot of bandwidth (we are in a rural area and our whole facility only has 6Mbps down and about 4Mbps up).

asked 29 Jul '14, 17:22


Chris M


2 Answers:

3

If you're looking at Wireshark you're probably looking in the wrong place. This tool is poised to get to the details of every bit of every packet it sees. What you are looking for is traffic analysis. Then tools like etherape and ntopng come to mind. These are much better suited for these kinds of tasks.

answered 30 Jul '14, 04:27


Jaap ♦

Thanks, I was talking about using Wireshark. I just started a couple of months ago, and they have just been doing what they could with Wireshark for the past several years. This is currently on an XP machine in a 100% Windows environment (about 90% Windows 7 and the rest XP, excluding servers, most of which are on Server 2003).

Can anyone suggest a good free tool for this that works in a 100% Windows environment?

(30 Jul '14, 06:56) Chris M

Can anyone suggest a good free tool for this that works in a 100% Windows environment?

sure:

https://www.google.com/?q=windows%20network%20monitor%20freeware

(30 Jul '14, 08:48) Kurt Knochner ♦

Unfortunately, that did not turn up anything particularly useful. 90% of what is there is either not free or won't work for monitoring more than 5 or 10 PCs. Network Miner seems to be the closest bet, allowing me to easily see who is on Youtube, Facebook, etc... I am just still unable to see what they were doing on the site.

Anyone have a favorite free software to monitor network traffic similar to my described needs?

(30 Jul '14, 11:37) Chris M

0

I did a little testing just now on my own machine, and it looks like this just plain isn't possible to do. It looks like the initial connection of youtube is using HTTP, but once the connection is established it moves over to HTTPS/TLSv1. Try it yourself if you like. I'm using the lazy filter on a trace: frame contains "youtube"

Sorry, but you might be out of luck on this one...

answered 01 Aug '14, 16:23


patrick_harrold
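The answer above makes the key point for this whole thread: once a site moves to HTTPS, a packet capture still tells you which host a client talked to, but not which page or video. The following Python script is an added example (not code from the thread, Wireshark, or any tool mentioned here) that shows exactly what survives in the two cases: for plaintext HTTP it pulls the Host header and the request path, and for TLS it parses the Server Name Indication (SNI) out of the ClientHello, which is the only hostname a monitoring box can read without decrypting the session. The flows, IP addresses (TEST-NET range) and the `/watch?v=EXAMPLE` path are constructed sample data; `build_client_hello` is a helper that fabricates a minimal ClientHello so the script runs offline.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + b"\x00" * 32          # random (all zeros; constructed sample only)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite
        + b"\x01\x00"           # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/not a hello."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9 + 2 + 32                       # record hdr(5) + handshake hdr(4) + version(2) + random(32)
    if pos >= len(payload):
        return None
    sid_len = payload[pos]
    pos += 1 + sid_len                     # session_id
    if pos + 2 > len(payload):
        return None
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + cs_len                      # cipher_suites
    if pos + 1 > len(payload):
        return None
    cm_len = payload[pos]
    pos += 1 + cm_len                      # compression_methods
    if pos + 2 > len(payload):
        return None
    ext_total = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(payload))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        data = payload[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            # server_name list: 2-byte list length, then name_type(1) + name_len(2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


def extract_http_request(payload: bytes):
    """Return (host, path) from a plaintext HTTP request, or None if it is not one."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    return (host, parts[1]) if host else None


def summarize(flows):
    """Map each client IP to the sorted list of (host, path) it contacted.

    For TLS flows the path is None: only the SNI hostname is visible on the wire.
    """
    seen = {}
    for src_ip, dst_port, payload in flows:
        hit = None
        if dst_port == 443:
            name = extract_sni(payload)
            if name:
                hit = (name, None)
        elif dst_port == 80:
            hit = extract_http_request(payload)
        if hit:
            seen.setdefault(src_ip, set()).add(hit)
    return {ip: sorted(v, key=lambda h: (h[0], h[1] or "")) for ip, v in seen.items()}


# Constructed sample flows: (client IP, destination port, first client payload bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", 80, b"GET /watch?v=EXAMPLE HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    ("192.0.2.10", 443, build_client_hello("www.youtube.com")),
    ("192.0.2.11", 443, build_client_hello("www.facebook.com")),
    ("192.0.2.12", 443, b"\x17\x03\x03\x00\x10" + b"\x00" * 16),   # application data, nothing readable
]

if __name__ == "__main__":
    for ip, hosts in summarize(SAMPLE_FLOWS).items():
        print(ip, hosts)
```

Run as-is, the plaintext HTTP flow yields both the hostname and the request path, the two TLS flows yield only `www.youtube.com` and `www.facebook.com` with no path, and the flow that carries only encrypted application data yields nothing at all. That is the whole of what a mirrored port gives you for HTTPS sites, and it is why the per-host summary tools suggested earlier in the thread are the realistic answer to the weekly report.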