Is there any way to track people’s browser history through my router if they’re on my network?

2

I want to monitor my kids’ browsing history. I can’t seem to find any straightforward solution.

user28603

Posted 2018-02-02T13:40:41.777

Reputation: 31

Routers typically do not have enough memory or storage to log this kind of data. You either need to have a "man in the middle" device doing the logging, to regularly check their browser history or, if they know to clear their browser history, to be literally looking over their shoulder while they browse. – Mokubai – 2018-02-02T14:10:11.470

You may want to clarify your question. Browsing history is a list of visited URLs tagged with a date and time stamp. If that is not what you want, check to see what your actual goal is. – John Keates – 2018-02-04T18:56:58.750

Answers

-1

Sonicwall has an embedded firewall application that tracks all of your users' internet traffic and displays it in both list and chart format by IP address. The Sonicwall must sit between your router and your internal network; this way it will capture all the packets traveling in/out of your router.

ISP-----Router----SonicWall----AccessPoint (((  ))) Wireless Devices
and
ISP-----Router----SonicWall----Wired Devices

pythonian

Posted 2018-02-02T13:40:41.777

Reputation: 899

This won’t do much since most traffic is encrypted, giving you IP connection usage at best. – John Keates – 2018-02-04T01:30:34.087

@John Keates - Pythonian is correct, sonicwalls have these features. They also have ASIC controllers (supporting large groups of users). Sophos would also work for this, but both are considered Corporate/Enterprise solutions. And are quite pricey. Plus usually have paid yearly licensing. I know sophos will give you the FQDN and the Mac/IP of the user that requested it. Not sure about sonicwalls, for the price I imagine you can. – Tim_Stewart – 2018-02-04T05:03:30.627

So they don’t give you browsing history, as stated. – John Keates – 2018-02-04T10:04:10.220

A DNS request contains zero HTTP data. You don't seem to know what you are talking about. Here are some RFCs that should help you get started: 2616 (HTTP), 793 (TCP/IP), 5246 (TLS), 1035 (DNS). Also, don't forget a basic explanation of a few of the layers in networking: https://en.wikipedia.org/wiki/OSI_model but you can discard layers 5, 6, 7 from a TCP/IP perspective as those are up to HTTP, HTML and the browser. In short, when a client asks for a page, you get a DNS resolution, a TCP handshake, a TLS handshake, and then only encrypted data, unless plaintext HTTP is used. Popular sites use TLS.

– John Keates – 2018-02-04T18:53:41.697

Let us continue this discussion in chat.

– John Keates – 2018-02-04T19:31:29.497

Hello everyone. Thanks for your feedback, but the sonicwall has the ability to generate a detailed report on the browsing activity of a particular user. That's its job. Let's not overthink a solution for this simple problem... Furthermore, I don't think I deserve a down vote if you don't understand how to resolve a simple problem. Cheers – pythonian – 2018-02-05T19:34:37.537

0

I don't think this is possible, as it would technically mean sniffing and capturing network data (think passwords, credit card numbers...).

To track these, you'll have to track from inside the device in question.

On Windows, you can set up an account so that its data can be shared with other accounts on the computer. I believe you would find it in Account Sharing settings.

That way you check their browser's cache, history, etc in their AppData folder.

Alienz

Posted 2018-02-02T13:40:41.777

Reputation: 29

@alienz You shouldn't be transmitting passwords or credit cards on HTTP. 99.9% of banks and online retailers are using HTTPS with SSL/TLS and usually certificates from a trusted certificate authority. Next up, even if you are using HTTPS, your DNS queries from the user will be forwarded through the router, then to your ISP's 1st DNS server without encryption. So while the router can't see what's going on inside the encrypted session, it most certainly can record the originating local IP and the FQDN that the queries returned. This is common practice in enterprise environments. – Tim_Stewart – 2018-02-03T06:09:29.750

You are very welcome. The Cisco CCENT reading materials go into the mechanics of networking in depth; if you're interested, give it a shot. – Tim_Stewart – 2018-02-04T18:51:19.747

-1

This doesn’t do much in the age of SSL and TLS, and with multiple sites sharing IPs, most IP-based logs would be bad too (except the few top-tier sites that have whole networks of their own like Google and Facebook).

To explicitly do what you ask, you would have to install root CAs on all of their devices and force them via a transcrypting proxy to actually track their history at the network level to get the URLs and not just the IPs or domain names.

Best to just use parental controls on their devices, or MDM, which will log and report history on the device itself.

John Keates

Posted 2018-02-02T13:40:41.777

Reputation: 266

DNS requests happen before the https session. -_- – Tim_Stewart – 2018-02-04T04:25:36.093

How does that help with browsing history? That is a timeline with URLs... – John Keates – 2018-02-04T10:03:10.273

Exactly, so not DNS lookups. – John Keates – 2018-02-04T19:44:51.923

Indeed. So not DNS lookups. – John Keates – 2018-02-04T19:46:24.623

Let us continue this discussion in chat.

– John Keates – 2018-02-04T19:46:38.570

Here is a plain-English explanation of what an URL is: https://en.wikipedia.org/wiki/URL Hint: it is not a DNS A-record. Also, anecdotal "works on my PC"-answers don't really help here. Here is the relevant RFC if you're up for it: 1738

– John Keates – 2018-02-04T19:52:51.007

"works on my PC" is a known expression in IT, meaning, "I have a setup where it works". It doesn't help anyone if you can't replicate or generalise it. – John Keates – 2018-02-04T20:07:52.310

And yes, the URL definition helps here, because you seem to think that if you have a domain name, you know what page someone visited. If we limit the scope to GET requests, you need the part that comes after the FQDN. Something else: why do you insist on contaminating an otherwise good generalisable question with a comment-discussion, even after I have transferred to chat twice? – John Keates – 2018-02-04T20:10:21.670

@Tim_Stewart no Tim, that is not an answer. A straightforward solution was requested, not a "build your own stuff and hack some software together". Also, it's not really an answer at all because it only logs URLs for HTTP (unencrypted) traffic and DNS lookups, nothing else. Yet, from a parent's perspective, the 'else' is very important here. Luckily, device manufacturers already have solutions for this, called Parental Controls. It's built into macOS, Windows, iOS and Android, and does exactly what would fit user28603's question. – John Keates – 2018-02-04T20:11:42.890

So you have a magical box that decodes TLS traffic into readable GET requests? That seems highly unlikely. – John Keates – 2018-02-04T20:24:22.883

@Tim_Stewart You don't seem to get it. After the DNS request is done, i.e. google.com, which might return something like 216.58.212.174, the next step is an IP connection to 216.58.212.174 over which TCP will start a transmission. Inside, TLS will start the handshake. At this point, HTTP, with the URI comes into play, and then, and only then, is the GET request transmitted, encrypted by TLS. Maybe it would be educational for you to use something like tcpdump, tshark, or if you don't have a shell that supports those, try Wireshark. You can see the DNS, TCP/IP and TLS in sequence, HTTP=encrypted – John Keates – 2018-02-04T20:38:27.927

I'm willing to concede, you are correct. The GET comes after the encrypted session. After looking at it in depth and running my config at home with and without MITM configured: Squid with LightSquid (http=full URL and https=FQDN only); Squid with MITM and LightSquid reporting SSL interception (http=full URL, https=full URL). I'll make the clarification in my answer. – Tim_Stewart – 2018-02-05T02:03:52.500
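
What a passive device on the path can log for each of the three traffic types argued over in this thread (DNS, plaintext HTTP, TLS), as an added example that is not part of the original posts. The packets, `www.example.com`, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import struct

def dns_qname(payload: bytes) -> str:
    """Extract the queried name from a DNS query (RFC 1035 wire format)."""
    labels, pos = [], 12                      # fixed 12-byte header precedes the question
    while True:
        length = payload[pos]
        if length == 0:                       # zero-length label ends the name
            break
        if length & 0xC0:                     # compression pointer: not expected in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def observe(dst_port: int, dst_ip: str, payload: bytes) -> dict:
    """Return what an on-path logger (no TLS interception) can record for one payload."""
    if dst_port == 53:                        # DNS: a hostname, never a path
        return {"kind": "dns", "fqdn": dns_qname(payload), "url": None}
    if dst_port == 80:                        # plaintext HTTP: request line + Host give the URL
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        method, path, _ = head[0].split(" ", 2)
        host = next(h.split(":", 1)[1].strip() for h in head[1:]
                    if h.lower().startswith("host:"))
        return {"kind": "http", "fqdn": host, "url": f"http://{host}{path}"}
    if payload[:1] in (b"\x16", b"\x17"):     # TLS handshake / application-data record
        return {"kind": "tls", "fqdn": None, "url": None, "ip": dst_ip}
    return {"kind": "other", "fqdn": None, "url": None, "ip": dst_ip}

def build_query(name: str) -> bytes:
    """Constructed sample: a minimal A-record query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

# Constructed traffic (documentation hostname and addresses, not a real capture).
SAMPLES = [
    (53, "192.0.2.53", build_query("www.example.com")),
    (80, "192.0.2.10", b"GET /videos/watch?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (443, "192.0.2.10", b"\x17\x03\x03\x00\x20" + bytes(32)),   # opaque ciphertext record
]

def report():
    return [observe(port, ip, data) for port, ip, data in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the port-80 row yields a URL; the DNS row gives a hostname and the TLS application-data row gives nothing beyond the destination address.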