Basharlb
just joined
Topic Author
Posts: 1
Joined: Fri Mar 17, 2017 4:36 pm

Monitor Users Web activity

Fri Mar 17, 2017 4:45 pm

Hello.

I bought my first Mikrotik rb1100 and installed it in a small office. I was wondering how I can monitor all the users' Web activity (which websites they are visiting, how many times they are visiting a website, for how long, etc.). Should I be using the hotspot config?

Also, how can I block certain websites for certain users and allow them for others?

Would appreciate the advice and a step-by-step guide since I'm new to Mikrotik.

Cheers.
 
katit
newbie
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Monitor Users Web activity

Sat Mar 18, 2017 12:12 am

I just went through this setup myself. If you are a complete newbie, it might be too much to handle.

But in a nutshell, it is done via the logging capabilities of Mikrotik, and there are 2 ways to approach it. You don't get any kind of "reporting" with stats, etc. out of Mikrotik. Mikrotik has all the tools to help you collect data. Visualizing/analyzing/reporting is on you (other software).

1. Reverse proxy. Enable reverse proxy (millions of tutorials) and log data. It will give you all HTTP (unsecured) traffic. You will be able to see exact URLs.
It's nice because you can tell from URL what it is.
It's bad because SSL (HTTPS) will not be there. And more and more sites use HTTPS

2. Forward packets to "Log" on firewall level. This will give you IP from and IP to info. So it's very detailed. ALL activity will be captured.
It's nice because every single packet is captured
It's bad because:
a. You need to lookup IPs. For internal addresses it's easy (I assume you know which PC uses which IP)
b. You need to lookup IPs. For external addresses pretty much impossible. You can use DNS lookups but it will give you s1.amazonses.com instead of www.someinterestingsite.com. There will be a LOT of IPs.
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Monitor Users Web activity

Mon Mar 20, 2017 1:50 pm

If you do not need the full URL, you can log DNS requests, and you then see all sites requested.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
Thor187
newbie
Posts: 46
Joined: Sat Oct 21, 2017 10:21 pm

Re: Monitor Users Web activity

Wed Sep 26, 2018 12:25 pm

Alright, so how do you go about getting https traffic?

All I want is:

src-address/hotspot username | dst-address/website | timestamp
 
Thor187
newbie
Posts: 46
Joined: Sat Oct 21, 2017 10:21 pm

Re: Monitor Users Web activity

Mon Feb 11, 2019 10:33 am

Surely there must be a way to track https URLs. Not for one moment can I imagine that https URLs are untraceable.

Mac | dst url

That should be possible?
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Monitor Users Web activity

Mon Feb 11, 2019 12:59 pm

Can't be done, unless you play "man-in-the-middle" with a wildcard certificate, so that you can decrypt the traffic.

That's because for any request / response flowing over the connection, an SSL socket is set up and used for communication. So all you CAN see is the DNS / IP of the other side, not the URL, not the traffic.

edit: corrected language
Last edited by sebastia on Mon Feb 11, 2019 7:10 pm, edited 1 time in total.
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Monitor Users Web activity

Mon Feb 11, 2019 6:57 pm

We do use https://www.forcepoint.com/ as a man in the middle to examine all URLs at our work.
To make this work, all computers need a digital certificate from Forcepoint on our PCs.
This is not something you can do if you do not have control over the equipment.
 
 
reinerotto
Member
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: Monitor Users Web activity

Mon Feb 18, 2019 11:46 am

This you can do yourself, using squid proxy. However, it needs quite some expertise for correct setup.
However: Does forcepoint work with _ALL_ domains ? (facebook, google ...)
Just thinking about pinned certs ...
 
whupper
just joined
Posts: 1
Joined: Fri Aug 30, 2019 6:07 am

Re: Monitor Users Web activity

Fri Aug 30, 2019 6:14 am

What about SNI? Don't most clients advertise the hostname via SNI outside of the TLS envelope? It maps to tls-host in Mikrotik, doesn't it? Is there a way to monitor that?
 
reinerotto
Member
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: Monitor Users Web activity

Sun Sep 01, 2019 6:48 am

Using squid: YES.
I did that for "Parental Control" , for a commercial product.
 
AhmadITmanager
just joined
Posts: 8
Joined: Tue Aug 27, 2019 7:40 am

Re: Monitor Users Web activity

Sun Sep 01, 2019 8:18 am

Please, I am facing a problem of controlling AD users after RADIUS integration between Windows Server and MikroTik, so I need to transfer users to User Manager. How can I do that, please?
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Monitor Users Web activity

Sun Sep 01, 2019 8:39 am

However: Does forcepoint work with _ALL_ domains ? (facebook, google ...)
Yes it does.

But there are some domains that are white listed like banking etc.
Also, if you try to install an app on your computer that relies on HTTPS, it will not work without being white listed.
E.g. Ultrasurf ++
 