remote network sniffing

[stefanos]

Hi,

I am runnig a linux based router (wrt54gl) and is setup as follows:

WAN (connection to internet)
IP Address 192.168.1.4
Subnet Mask 255.255.255.0
Gateway 192.168.1.1
DNS 1 192.168.1.1

LAN (wifi)
IP Address 192.168.4.1
Subnet Mask 255.255.255.0
Gateway 192.168.1.4
Local DNS 192.168.1.1

I would like to log the http URL's (i.e. the GET requests) of the people connected to my LAN to a remote server.

As I am limited to use iptables.

1) Can I log from the firewall the HTTP GET URL's requests to syslog? If so can I have an example for the firewall rule please?

My BAD IDEA
I could use tcpdump on the remote server and iptables with the --tee option as follows:

Quote:

iptables -t mangle -I FORWARD -j ROUTE --gw [ip that's sniffing] --tee

but that will forward a copy of all the packets and given a 8 meg Down ADSL line / 1024 up I don't think this is a good idea.

Any help ideas please would be much appreciated!

Kind regards
Stephen

[Ben]

In case you want to log inside the http protocoll, you need to log on the app layer.
Thus i'd suggest to do so on your router with tcpdump, e.g. dst port 80. You could log into a named pipe, reading this into netcat. With netcat you can send this to another host, filtering out all get requests. The question is just if the cpu power is enough on the router.
Another thing you could do is to just allow http traffic through a transparent proxy, that might sniff this traffic, then.

If you want to sniff on the remote side, you could just check the remote webserver's logfile for these get requests.