A quick and very dirty way using tcpdump would be to have a look at what domain names are being resolved. You wouldn't actually be looking at the traffic itself, but it would give you an indication as to the websites being hit via their names. This wouldn't catch those using IP addresses directly in the URL for example. Nor would it differentiate between web / email / any other protocol, it's just pulling out the DNS resolution requests.
I guess it depends on how granular you want to be.
Code:
tcpdump -i eth0 src net 172.16.1.0/24 and udp and port 53 -a -n -p -t -l | cut -d '?' -f 2
Change the src net (source network address) as required, the rest of the options are outlined below:
-i listen on eth0
-a output human readable ascii
-n don't resolve names
-p don't put interface into promiscuous mode
-t don't print timestamps
-l make output buffered so you can pipe it to a file or other command
That gives you output as shown below:
Code:
IP 172.16.1.9.54746 > 10.1.1.8.53: 17841+ A? www.cisco.com. (31)
IP 172.16.1.9.62396 > 10.1.1.8.53: 35508+ A? socialmedia.cisco.com. (39)
IP 172.16.1.9.59799 > 10.1.1.8.53: 6911+ A? ma281-r.analytics.edgesuite.net. (49)
IP 172.16.1.9.54947 > 10.1.1.8.53: 10254+ A? services.plymedia.com. (39)
IP 172.16.1.9.60948 > 10.1.1.8.53: 35254+ A? ciscosystemsinc.tt.omtrdc.net. (47)
Adding the | cut -d '?' -f 2 just cuts it down to
Code:
www.cisco.com. (31)
socialmedia.cisco.com. (39)
ma281-r.analytics.edgesuite.net. (49)
services.plymedia.com. (39)
ciscosystemsinc.tt.omtrdc.net. (47)
I'm no expert so I am sure there are more tidy ways of achieving this, as I said it's dirty.
You can look to have it running in the background perhaps tee'ing it to a file, then just tail the file when you want to have a look.
tcpdump can be installed using apt-get from the standard repositories. Driftnet is another interesting tool to watch packets by, but probably a tool for a different discussion as it pulls images from passing traffic and shows them in a GUI. It isn't foolproof by any stretch, but does show people some of the possibilities when it comes to network sniffing.
HTH Jon.
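Added example, not part of the original post: a shell function that tallies the tcpdump query lines shown above per client, record type and name, rather than only cutting at the '?'. The function names and the constructed sample lines (second client, AAAA query, response line) are assumptions for illustration.

```shell
#!/bin/sh
# Summarise DNS queries from "tcpdump -n -t" text output read on stdin.
# Prints: <count> <client-ip> <record-type> <name>, busiest first.
dns_summary() {
    awk '
    $1 == "IP" || $1 == "IP6" {
        # Keep only packets sent to port 53 (skip answers coming back)
        if ($4 !~ /\.53:$/) next
        client = $2
        sub(/\.[0-9]+$/, "", client)        # drop the source port
        # The record type is the field ending in "?"; flags such as
        # "[1au]" may sit before it, so scan instead of using $6.
        for (i = 5; i < NF; i++) {
            if ($i ~ /^[A-Z0-9]+\?$/) {
                qtype = substr($i, 1, length($i) - 1)
                name = tolower($(i + 1))    # DNS names are case-insensitive
                sub(/\.$/, "", name)        # drop the trailing root dot
                count[client " " qtype " " name]++
                break
            }
        }
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample: two lines from the post plus constructed extras.
sample_capture() {
    cat <<'EOF'
IP 172.16.1.9.54746 > 10.1.1.8.53: 17841+ A? www.cisco.com. (31)
IP 172.16.1.9.62396 > 10.1.1.8.53: 35508+ A? socialmedia.cisco.com. (39)
IP 172.16.1.12.40112 > 10.1.1.8.53: 4021+ [1au] AAAA? WWW.cisco.com. (42)
IP 172.16.1.9.54750 > 10.1.1.8.53: 17850+ A? www.cisco.com. (31)
IP 10.1.1.8.53 > 172.16.1.9.54746: 17841 1/0/0 A 192.0.2.10 (47)
EOF
}

sample_capture | dns_summary
```

The summary is printed once input ends, so for a live capture give tcpdump a packet limit with -c or run the function over a saved log file.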