0

I set up a PPTP VPN server (pptpd) on Ubuntu 10.04 and need the ability to monitor URLs that are being accessed via the web browser (80/443). I was thinking of utilizing a proxy like Squid, but wanted to be sure there wasn't something I could more easily/efficiently set up (whether it be logging on PPTP or something else). I know I could log on the DNS portion of things, but I need to be more granular down to the URL being accessed. I thought a proxy like Squid might be a little more than needed because I do not really need to read/cache the actual content of the page or what is being submitted, but just the URL being accessed.

Josh

Josh Barker

1 Answer

2

One easy way to do it would be to analyze the raw HTTP traffic on the VPN interface and extract the needed headers, like this:

tcpdump -nli ppp0 port 80 -w - -s 0 | strings | egrep -i '(GET|Host)'

You should be running this once per ppp device, of course. This isn't as exact or clean as it gets, but I thought it might be useful for you.

It only works for plain HTTP connections, though.

EDIT: Found a better one!

apt-get install dsniff
urlsnarf -i ppp0

It still doesn't work with SSL connections, of course. You have to go the proxy way if you need that as far as I can see.

Eduardo Ivanec
  • Is there no way to sniff the HTTPS url? – Josh Barker Apr 26 '11 at 21:08
  • Not that I know of - not if the HTTPS server isn't yours, at least. As far as I can tell you would need the server key to be able to decrypt the traffic. You can, of course, log the IP addresses visited through HTTPS. Or use a proxy - not a transparent one by the way, but a normal one. – Eduardo Ivanec Apr 26 '11 at 21:53
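
Added example, not part of the question or the answer above: the `tcpdump | strings | egrep` pipeline in the answer prints request lines and `Host` headers as separate lines, so this sketch pairs them into one URL per request for logging. The function names `pair_urls` and `sample_capture` are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# pair_urls: read printable HTTP header lines on stdin (as produced by
# "tcpdump ... -w - | strings") and print "METHOD URL" once per request.
# Lines from concurrent connections can interleave in a live capture, so
# treat the output as a best-effort log, as the answer itself notes.
pair_urls() {
    awk '
    # Request line: METHOD SP request-target SP HTTP/x.y
    /^(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP\/[0-9.]+/ {
        # A new request before any Host header: flush the pending one.
        if (have_req) print method, "http://(unknown-host)" target
        method = $1; target = $2; have_req = 1
        next
    }
    # Header names are case-insensitive, so compare in lower case.
    tolower($1) == "host:" && have_req {
        host = $2; sub(/\r$/, "", host)
        if (target ~ /^http:\/\//) print method, target   # absolute-form target
        else print method, "http://" host target          # origin-form target
        have_req = 0
    }
    END { if (have_req) print method, "http://(unknown-host)" target }
    '
}

# Constructed sample input standing in for the strings output of a capture.
sample_capture() {
    cat <<'EOF'
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: constructed-sample/1.0
POST /login HTTP/1.1
host: intranet.example.net
GET /orphan HTTP/1.0
GET http://proxy.example.org/a?b=1 HTTP/1.1
Host: proxy.example.org
EOF
}

# Live use on the VPN interface would reuse the command from the answer:
#   tcpdump -nli ppp0 port 80 -w - -s 0 | strings | pair_urls
sample_capture | pair_urls
```

As with the commands in the answer, this only sees plain HTTP on port 80.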