Capture Setup for Home Network - Help! (beginner)

asked 2021-11-02 16:42:41 +0000

DirtyDish

I have been reading about the various capture setups, and not being computer savvy I'm a little lost.

To give some background, I would like to monitor web traffic from computers, but mainly iPhones, on our home network. We have kids going through those ages, and I want to have some insight into what they're accessing on the internet. They are aware that I am monitoring web traffic. We had been monitoring through OpenDNS, but that doesn't show the full URL (for example YouTube is typically fine, but some content they access is totally inappropriate for their age).

We have what I would think is a typical home network setup. We have a modem from the ISP, which connects to a wireless router (Netgear Nighthawk), and all traffic that needs to be monitored goes through the wireless router. I do have a spare laptop I can run Wireshark on if need be.

What would be the recommended setup to capture all https traffic on home network? If I need to buy a hub or managed switch I can. But trying to make this as effective and simple as possible.

Thanks


1 Answer


answered 2021-11-02 17:07:37 +0000

grahamb

Wireshark probably isn't the right tool for this; it's a Packet Analyser, i.e. a microscope for network traffic. It sounds as though you are looking for a broader network monitoring/statistics tool.

Regardless, whatever tool you use will need access to ALL the traffic. That means it MUST sit at a central point through which all traffic flows, and in your case that would be the wireless router, or a switch that mirrors traffic to a capture port, inserted between the ISP modem and the wireless router. See the wiki page on Ethernet Capture setup for a fuller description of how to capture on a switched network.

You might also find tools on the wireless router provided by the vendor, or be able to install replacement firmware, e.g. OpenWRT or similar, to accomplish your task.


Comments

Thank you so much for the quick response. It sounds like having a switch with port mirroring inserted between the ISP modem and the wireless router is the way to go. I should then be able to connect my laptop running Wireshark to the mirrored port, correct?

I would consider other software, but would Wireshark be able to capture full urls even for https traffic? If not then I may need to go with another option. I don't need the best option, just something that will work and preferably not require a monthly subscription.

Thanks again.

DirtyDish (2021-11-02 19:40:36 +0000)

Capturing the full URI might be possible, but if Encrypted SNI or a VPN is used, that will be hidden.

Have you given any thought to how you will manage this, i.e. 24 hrs a day of capture files for ALL traffic with many, many URIs?

grahamb (2021-11-02 22:27:31 +0000)

Honestly no, I haven't considered how to manage capturing all traffic. My plan is to use a port mirroring switch between the ISP modem and router, and use my spare laptop to run Wireshark on the mirrored port. Would I be able to store the files/logs on the laptop's hard drive?

DirtyDish (2021-11-04 15:42:56 +0000)

Yes, but you'll likely have to use a ring buffer to store the captures in more manageable files and to stop the capture process running out of memory. Ideally you'd simply use dumpcap (part of the Wireshark suite) to perform the capture, as that doesn't perform dissection and can run for extended periods of time.

Now you have a hard disk full of captures, what are you going to do to locate the "errant" entries? Manually open each file, or use some form of scripting to extract the URLs and then manually inspect them?

grahamb (2021-11-04 15:53:31 +0000)

I'll have to cross that bridge when I get there. Now that I know what setup should work I plan on experimenting this weekend. But I haven't seen what Wireshark's captured data looks like in raw form. Since I have no experience scripting, I'd likely open each file... If you have any thoughts or ideas to simplify this I'd appreciate more feedback. I have a feeling I'll be returning here to get help when I start my experiment this weekend...

And thank you for the responses! I'm relatively clueless with this stuff so your help is much appreciated.

DirtyDish (2021-11-04 16:13:26 +0000)
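An added example, not code from the thread or from the Wireshark project, of the two steps grahamb's comments describe: a dumpcap ring-buffer capture on the mirror-port laptop, and a tshark extraction of the host names that are actually visible (TLS SNI for HTTPS, Host header and full URI only for plain HTTP), summarised with awk so a day's files can be skimmed instead of opened one at a time. The interface name `eth0`, the output directory and the sample tshark rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed interface/directory names.

# dumpcap ring buffer: rotate every 100 MB (filesize is in kB), keep the
# newest 48 files, so the disk never fills and no dissection is done.
build_dumpcap_cmd() {
    iface="$1"; outdir="$2"
    echo "dumpcap -i $iface -b filesize:102400 -b files:48 -w $outdir/home.pcapng"
}

# tshark over one capture file: ClientHello SNI for HTTPS, Host header and
# full URI for plain HTTP. HTTPS paths are never visible without decryption,
# and Encrypted SNI or a VPN hides even the host name.
build_extract_cmd() {
    echo "tshark -r \"$1\" -Y 'tls.handshake.type == 1 || http.request' -T fields -E separator=/t -e frame.time -e ip.src -e tls.handshake.extensions_server_name -e http.host -e http.request.full_uri"
}

# Summarise tab-separated tshark rows (time, client, sni, host, uri) into
# "count<TAB>client<TAB>host" lines, most frequent first.
summarize_hosts() {
    awk -F'\t' '{ host = ($3 != "") ? $3 : $4; if (host != "") c[$2 "\t" host]++ }
                END { for (k in c) printf "%d\t%s\n", c[k], k }' | sort -rn
}

# Constructed sample of tshark field output, so the script runs offline.
SAMPLE='Nov  6, 2021 10:00:01\t192.168.1.20\twww.youtube.com\t\t
Nov  6, 2021 10:00:02\t192.168.1.20\twww.youtube.com\t\t
Nov  6, 2021 10:00:03\t192.168.1.21\t\texample.com\thttp://example.com/page
Nov  6, 2021 10:00:04\t192.168.1.20\tapi.example.net\t\t'

# Run the summary over the constructed sample (%b expands the \t escapes).
sample_summary() {
    printf '%b\n' "$SAMPLE" | summarize_hosts
}

# Real use: run build_dumpcap_cmd's output, then for each rotated file pipe
# `$(build_extract_cmd file)` into summarize_hosts.
sample_summary
```

The summary for the sample lists 192.168.1.20 with two www.youtube.com hits first; the HTTP row is the only one where a path appears at all.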


Stats

Asked: 2021-11-02 16:42:41 +0000

Seen: 4,363 times

Last updated: Nov 02 '21