Analyzing Traffic of Routing & Remote Access



Hello Sirs,

I am running RAS on my Windows 2008 R2 server to provide NATing and VPN to my users.

What I am interested in doing is analyzing the NATing traffic in order to get internet usage reports.

RAS provides the Session Mapping Table tool, which shows which local IP address is contacting which remote address; but the problem is that these logs can't be copied or stored anywhere, as far as I can see.

Which tool can I use in order to export these/such logs and analyze them?

Thank you


Hint: use a routing/firewall distro designed to do what you're doing. Sorry, but Windows servers, even though they may be able to NAT, etc., are just not the right choice for what you're doing. If need be, run a VM on that server and run your routing distro in the VM.

Those logs are going to be pretty useless for what you want anyway. Run a proxy if you want usage reports of your users' internet habits.

You asked for tool suggestions. That is what I am doing: suggesting you the correct tools to accomplish what you want. Your job calls for a Phillips head screwdriver and you're trying to use a flathead screwdriver. Yeah, sometimes you can get the screw out, but it's always difficult; you'll probably end up stripping it and nicking up your hands as it slips in and out, etc.


Thank you for your response. However, while you say that Windows servers are not the right choice for NATing, you didn't explain on what basis you have come up with this conclusion.


Reason #1: why spend $$$ for a Server OS that, yes, as a side note can accomplish simple NATing, when you can get a full-blown router/firewall for FREE?

Reason #2: do you really want your DC / fileserver directly connected to the public net?

Reason #3: where do you get the logs you want? "Internet Usage Reports"

I could probably go on for as many reasons as you would like. The box is not designed for what you're wanting to do, while you can grab for FREE a distro designed to accomplish all the tasks you want: NATing to the internet, providing reports of bandwidth and where users went, simple easy-to-use firewalling of said connections, content filtering based upon categories, requiring authing to gain internet access (if so wanted) tied to your AD userbase, etc. etc.

Another reason: you need to reboot your server for an update, and now you don't have internet!

Let's say you get the NAT sessions off. This is more a state table, not a log of who went where. They are not logged; it's just a session/state table. It does not show you bandwidth used or what URL was visited. Just the IP, or at best the PTR for that IP, not the actual URL the user put in their browser.


As far as Windows goes, you would need third-party software or more software from Microsoft to accomplish what you want.

Some products to look at:

Microsoft Forefront Threat Management Gateway

GFI Webmonitor

Websense

Bluecoat

Barracuda web filter

Squid proxy

pfSense

m0n0wall

Smoothwall


I have been to pfSense before and it looked interesting. I will give it another try.

But if I want to run usage reports on pfSense, I will need to run a proxy server. If I do so, will I be able to run usage reports for all protocols or only HTTP?


With most web filters you will see what the end user is going to on port 80 and port 443. It really isn't going to filter much else. You can log port 21 traffic as well, I suppose, as well as some applications. I don't know exactly what you are looking for; no web filter is really designed to monitor things like RDP or printing to port 9005, etc., so I am going to say simply no, it won't run usage reports on all protocols. Perhaps you want some sort of corporate spy program that would monitor everything on the end user's computer.

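The question above (usage reports via a proxy) and the reply (a web filter sees port 80 and 443 traffic) are the kind of thing a small script over a proxy log can illustrate. The following is an added example, not code from any poster in this thread or from Squid itself: it parses a few constructed lines in Squid's native access.log format and builds a per-client and per-destination byte report, flagging denied requests. Note that for HTTPS the proxy only records the CONNECT host:port, not the full URL, which is exactly the limitation discussed above. The log lines, IPs and hostnames are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
# (one deliberately malformed line is included to show it is skipped)
SAMPLE_LOG = """\
1346763135.123    250 10.0.0.12 TCP_MISS/200 5432 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1346763136.456  12000 10.0.0.12 TCP_TUNNEL/200 98304 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.7 -
1346763140.001     90 10.0.0.25 TCP_HIT/200 2048 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1346763141.777    300 10.0.0.25 TCP_DENIED/403 1200 GET http://blocked.example.org/ - HIER_NONE/- text/html
this line is garbage and should be skipped
"""

# Only the leading fields are needed for a usage report.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def destination_host(method, url):
    """Reduce a request to its destination hostname.
    CONNECT (HTTPS tunnel) lines carry only host:port, never a path."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_access_log(text):
    """Parse access.log text into a list of dicts, skipping unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "client": m["client"],
            "host": destination_host(m["method"], m["url"]),
            "bytes": int(m["bytes"]),
            "denied": m["result"].startswith("TCP_DENIED"),
            "method": m["method"],
        })
    return records


def usage_report(records):
    """Bytes per client, bytes per destination host, denied requests per client."""
    by_client = defaultdict(int)
    by_host = defaultdict(int)
    denied = defaultdict(int)
    for r in records:
        by_client[r["client"]] += r["bytes"]
        by_host[r["host"]] += r["bytes"]
        if r["denied"]:
            denied[r["client"]] += 1
    return {"by_client": dict(by_client), "by_host": dict(by_host), "denied": dict(denied)}


if __name__ == "__main__":
    report = usage_report(parse_access_log(SAMPLE_LOG))
    for section, rows in report.items():
        print(section)
        for key, value in sorted(rows.items(), key=lambda kv: kv[1], reverse=True):
            print(f"  {key:<24} {value}")
```

To run it against a real proxy, replace SAMPLE_LOG with the contents of access.log; the regex tolerates the variable padding Squid puts in the elapsed-time column.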

If you want to break down protocol traffic, then run ntop; it will run on pfSense if you so desire. You sure as hell were not going to get a protocol breakdown from your NAT session tables ;)

Normally, to be honest, non-standard ports are blocked in a company setup. I can tell you for sure I cannot RDP out of my work network. But ntop is what I would suggest if you want to see who is doing what on what protocols, what % of traffic each protocol is using, etc.

You can customize it to show you specific protocols. Here I only normally turn it on if troubleshooting something, but here is example output; I turned it on a couple of minutes ago:

[attached screenshot: ntop protocol breakdown]

If you're really, really looking to be able to look at your traffic for analysis, take a look at http://www.colasoft.com/nchronos/

I used to run it on my home network, but when I switched over to full VMs I have not had a chance to bring it back online again. Normally this sort of thing costs tens of thousands of dollars and is only set up in enterprise networks. But this is FREE http://www.colasoft.com/download/products/nchronos-free.php , the slickest **** since sliced bread if you want to know what is going on in your network and need to check, say, what happened last Thursday at 3:03 am, etc. You know, I think I need to set this up again, and another drive for my N40L, and then set this up on a VM. Hmmm, I do believe I have a 500GB drive lying around collecting dust ;)

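The point made in the last two replies is that a NAT session table holds only local and remote IPs, while a flow-level tool such as ntop also has the IP protocol, server port and byte counts, which is what makes a per-protocol and per-client breakdown possible. The following added example (not ntop's code and not from any poster here) shows that breakdown over a handful of constructed flow records, labelling well-known server ports and listing the non-standard-port traffic that a web filter would never see. The flow tuples, IP addresses and port labels are constructed sample data.

```python
from collections import defaultdict

# Constructed flow records, the kind of thing ntop or a flow exporter keeps
# per connection: (client, server, ip_proto, server_port, bytes).
# A NAT session table has only the first two fields and no byte counts.
SAMPLE_FLOWS = [
    ("10.0.0.12", "93.184.216.34", "tcp", 80, 54000),
    ("10.0.0.12", "198.51.100.7", "tcp", 443, 120000),
    ("10.0.0.25", "203.0.113.9", "tcp", 3389, 800000),
    ("10.0.0.25", "10.0.0.1", "udp", 53, 1000),
    ("10.0.0.30", "192.0.2.44", "tcp", 21, 20000),
    ("10.0.0.30", "192.0.2.50", "tcp", 9005, 5000),
]

# Well-known server ports we are willing to name; anything else stays proto/port.
PORT_LABELS = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 21): "ftp",
    ("tcp", 3389): "rdp", ("udp", 53): "dns",
}


def classify(ip_proto, port):
    """Label a flow by its server-side port; unknown ports keep 'proto/port'."""
    return PORT_LABELS.get((ip_proto, port), f"{ip_proto}/{port}")


def protocol_breakdown(flows):
    """Bytes and percentage of total per protocol label, ntop-style."""
    totals = defaultdict(int)
    for _client, _server, proto, port, nbytes in flows:
        totals[classify(proto, port)] += nbytes
    grand = sum(totals.values()) or 1  # avoid division by zero on empty input
    return {name: (b, round(100.0 * b / grand, 1)) for name, b in totals.items()}


def per_client_bytes(flows):
    """Total bytes per internal client, the 'who used the bandwidth' view."""
    by_client = defaultdict(int)
    for client, _server, _proto, _port, nbytes in flows:
        by_client[client] += nbytes
    return dict(sorted(by_client.items(), key=lambda kv: kv[1], reverse=True))


def unclassified_flows(flows):
    """Flows to ports outside PORT_LABELS: non-standard traffic that a web
    filter never sees and that a company egress ACL would usually block."""
    return [f for f in flows if (f[2], f[3]) not in PORT_LABELS]


if __name__ == "__main__":
    for name, (b, pct) in protocol_breakdown(SAMPLE_FLOWS).items():
        print(f"{name:<10} {b:>10} bytes  {pct:5.1f}%")
    print(per_client_bytes(SAMPLE_FLOWS))
    print(unclassified_flows(SAMPLE_FLOWS))
```

Classifying by server port is a heuristic, the same shortcut a simple protocol view takes; a tool that inspects payloads can do better, but even this port-based view already answers the "which protocols and which users" question that the session table cannot.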
