Linux as NAT: how to log the web access of the computers behind it



七星硬盒
2013-05-05, 01:24 PM
Hello to all the experts on the board,

My company's network is currently laid out roughly like this:

Linux (NAT) → PCs in each department

For management reasons I'd like to add a per-user web access log on it, something like the picture below:
https://dl.dropboxusercontent.com/u/3788033/ipshare.jpg
This screenshot was borrowed from an RT-N16 (flashed with Tomato) at another company.

Are there any packages or open-source programs for Linux that support this kind of function?
Or would the network have to be changed to Linux (Proxy) → PCs in each department instead?


I have tried setting up cacti, NTOP and the like, but none of them keep records as detailed as the picture above. Could an experienced network admin on the board
point me in a direction? Thanks!

bx2aa
2013-05-06, 12:40 AM
Use tcpdump and watch the SYN or ACK flags:

C:\>windump -i 2 "tcp[13]&252 == 0" | gawk "{print $1,$3,$5;}"
windump: listening on \Device\NPF_{CCABD535-02D7-48A6-A3E1-5342884DE179}
00:33:37.630808 acer-107cbde00f.2638 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.804883 acer-107cbde00f.2639 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.808568 acer-107cbde00f.2641 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.808765 acer-107cbde00f.2640 l3.ycs.vip.tw1.yahoo.com.80:
00:33:38.810060 acer-107cbde00f.2642 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.811247 acer-107cbde00f.2643 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.811670 acer-107cbde00f.2644 61-63-26-host48.kbtelecom.net.tw.80:
00:33:38.812080 acer-107cbde00f.2645 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.852243 acer-107cbde00f.2646 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.854245 acer-107cbde00f.2647 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.857031 acer-107cbde00f.2648 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.865355 acer-107cbde00f.2649 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.870565 acer-107cbde00f.2650 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.892539 acer-107cbde00f.2651 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.895382 acer-107cbde00f.2652 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.925804 acer-107cbde00f.2653 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.931102 acer-107cbde00f.2654 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.934356 acer-107cbde00f.2655 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.934960 acer-107cbde00f.2656 61-63-26-host48.kbtelecom.net.tw.80:
00:33:45.936754 acer-107cbde00f.2657 61-63-26-host48.kbtelecom.net.tw.80:

wangcm
2013-05-07, 09:11 AM
Try iptables -I FORWARD -m state --state NEW -j LOG, though of course the output has to be post-processed before the records are readable at all, and if you want to log payload (i.e. keywords inside HTTP and the like) there is no way around an application-layer proxy....
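As an added example (not wangcm's code or anything posted in this thread), here is a small Python script that does the post-processing wangcm mentions: it turns the raw kernel LOG lines written by a rule such as iptables -I FORWARD -m state --state NEW -j LOG --log-prefix "FWD-NEW: " into a readable per-client table. The sample lines are constructed in the shape the kernel writes (syslog timestamp, host, "kernel:", optional prefix, KEY=VALUE fields); the LAN prefix 192.168.2.0/24, the interface names and every address are assumptions for the example. Only connections initiated from the LAN side are counted, so inbound hits on the gateway itself do not show up as user activity.

```python
import ipaddress
import re
import sys
from collections import Counter

# Assumption: the LAN behind the NAT box is 192.168.2.0/24.
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample lines in the shape the kernel writes for a -j LOG rule.
# Addresses come from documentation ranges, not real hosts; the last line is an
# unrelated syslog entry that the parser must ignore.
SAMPLE_LOG = """\
May  7 09:11:02 gw kernel: [ 1201.220331] FWD-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=2638 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 09:11:03 gw kernel: [ 1202.004118] FWD-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=2639 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 09:11:05 gw kernel: [ 1204.771002] FWD-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=2640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 09:11:09 gw kernel: [ 1208.113377] FWD-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.23 DST=198.51.100.53 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=51023 DPT=53 LEN=53
May  7 09:11:10 gw kernel: [ 1209.555910] FWD-NEW: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 09:11:11 gw sshd[512]: Accepted publickey for admin from 192.168.2.5 port 51000
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel:")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return a dict for one kernel LOG line, or None for anything else."""
    m = TS_RE.match(line)
    if not m or "SRC=" not in line:
        return None
    # For UDP the inner LEN= overwrites the outer one; neither is used here.
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    return {
        "time": m.group(1),
        "src": str(src),
        "dst": str(dst),
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields.get("DPT", 0)),  # ICMP and friends carry no port
        "outbound": src in LAN_NET and dst not in LAN_NET,
    }


def summarize(log_text):
    """Count NEW connections per (client, destination, proto, port), LAN-originated only."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["outbound"]:
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


def render(counts):
    """Format the counter as a fixed-width table, one row per client/destination pair."""
    rows = [f"{'client':<15} {'destination':<15} {'proto':<5} {'dport':>5} {'new':>4}"]
    for (src, dst, proto, dport), n in sorted(counts.items()):
        rows.append(f"{src:<15} {dst:<15} {proto:<5} {dport:>5} {n:>4}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Pipe the real log in (python3 nat_log.py < /var/log/kern.log); with no pipe, use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(render(summarize(text)))
```

The log file name depends on the syslog configuration (often /var/log/kern.log or /var/log/messages). Because LOG records only the first packet of each connection, the table says who connected to which address and port and how often, not which URL was requested, which is exactly the gap wangcm points out. On a busy LAN, adding -m limit --limit 20/second to the rule keeps the kernel log from being flooded.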

bx2aa
2013-05-07, 11:25 AM
C:\>windump -i 2 -A "src net 192.168.2.0/24" | grep -B1 "GET \/search"
windump: listening on \Device\NPF_{CCABD535-02D7-48A6-A3E1-5342884DE179}
11:27:29.310217 IP acer-107cbde00f.1622 > tf-in-f94.1e100.net.80: P 0:856(856) ack 1 win 50781
E...1@@.P.=n......H^.V.PFl.....qP..]....GET /search?q=%E5%8D%97%E7%93%9C&oq=%E5%8D
--
11:28:02.452702 IP acer-107cbde00f.1617 > fe.intl.search.vip.tw1.yahoo.com.80: . 1718:3150(1432) ack 44172 win 50781
[email protected]._.Q.P?.....L}P..]$;..GET /search;_ylt=A8tUwZaZdIhRyAMABQxr1gt.?
All that remains is to convert the percent-encoded ASCII back into Chinese.
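As an added example (not bx2aa's code), the following Python script does that last step automatically: it pairs each windump/tcpdump header line with the payload line that follows it, pulls out the request line and the Host header, and percent-decodes the query string as UTF-8 so the search terms come back as Chinese (the q= value in the capture above decodes to 南瓜). The sample capture is constructed to match the shape of the output above, with made-up hosts and addresses in tcpdump -n style (the header regex also accepts the resolved names shown in the post), and the second request is deliberately cut off mid-sequence to show that a truncated %XX sequence becomes U+FFFD instead of raising an exception.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the shape of `tcpdump -n -A ... | grep -B1 "GET /search"`:
# a packet header line, then the ASCII dump of the payload, where tcpdump prints
# every non-printable byte (including the CR LF after each HTTP header) as ".".
# The second request is cut off mid-percent-sequence, as happens when the dump
# is truncated. Hosts and addresses are made up for the example.
SAMPLE_CAPTURE = """\
11:27:29.310217 IP 192.168.2.10.1622 > 203.0.113.94.80: P 0:856(856) ack 1 win 50781
E...1@@.P.=n......H^.V.PFl.....qP..]....GET /search?q=%E5%8D%97%E7%93%9C&oq=%E5%8D%97%E7%93%9C HTTP/1.1..Host: www.example-search.test..User-Agent: Mozilla/5.0..
--
11:28:02.452702 IP 192.168.2.10.1617 > 198.51.100.7.80: . 1718:3150(1432) ack 44172 win 50781
E..|..@.._.Q.P?.....L}P..]$;..GET /search;_ylt=AAAA?p=%E9%A6%99%E8%95%89&oq=%E9%A6
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+):")
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD) (\S+)")
HOST_RE = re.compile(r"Host: (\S+?)\.\.")  # the value runs up to the ".." that stands for CR LF


def parse_capture(text):
    """Pair each tcpdump header line with the payload line after it and return
    one record per HTTP request, with the query string decoded to text."""
    records = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m          # remember the header until its payload shows up
            continue
        if header is None or line == "--":
            continue            # grep's group separator, or payload without a header
        req = REQUEST_RE.search(line)
        if req is None:
            continue
        method, target = req.groups()
        parts = urlsplit(target)
        host = HOST_RE.search(line)
        # parse_qs decodes %XX as UTF-8 with errors="replace": a sequence cut off by
        # truncation becomes U+FFFD, so one broken packet cannot stop the whole run.
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        records.append({
            "time": header.group(1),
            "client": header.group(2),
            # fall back to the destination from the header when the Host header was cut off
            "host": host.group(1) if host else header.group(4),
            "method": method,
            "path": unquote(parts.path),
            "query": query,
        })
        header = None
    return records


def render(records):
    """One readable line per request, e.g. for a daily report."""
    return "\n".join(
        f"{r['time']} {r['client']:<15} {r['method']} {r['host']}{r['path']} {r['query']}"
        for r in records
    )


if __name__ == "__main__":
    print(render(parse_capture(SAMPLE_CAPTURE)))
```

This only works for cleartext HTTP: a request sent over HTTPS shows no request line in the dump at all, which is the main reason a proxy's own access log is the more reliable source for what this thread wants. Running tcpdump with -n also avoids the reverse-DNS lookups that otherwise slow the capture and add traffic of their own.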

七星硬盒
2013-05-07, 01:26 PM
It looks like the proxy approach may suit me better, but what I'm curious about is how a simple solution like TOMATO manages to do this?