# Parental Controls and Monitoring

## dixtow

I am a parent, and I have a right, duty, and responsibility to monitor internet activity.  I can find no directly articulable means by which I can monitor traffic through my router.

I want to know who my kids are talking to, and what they are saying in Instant Messenger Programs.

I want to see what websites they are visiting.  I want to be able to view the page exactly as it appears on their screen.

I want to know what passwords and usernames they have on MySpace, etc.

If I don't know what they're hiding, I can't very well protect them from it.

Are there any parents out there who can describe their current means of doing these things?  Wireshark, dumpcap, etc.  Very powerful statistical analyzers and loggers of all sorts; yet completely useless when it comes to viewing the actual content of traffic.  I already know what traffic exists on my network, I need to know what the content of it is.  And I can find no way to do this that won't be an 80 hour a week job all by itself.

Please share.

----------

## grimm26

First, the technical.  As far as monitoring web content, just block all http traffic through the router except what comes from your linux server and have them proxy their browsers to squid on your linux box.  For that matter, you can have them proxy their IM through squid, too.  Check out also squidguard and the info at http://www.pcbypaul.com/software/squid.html and http://www.ma.utexas.edu/users/stirling/computergeek/dansguardian.html.  If your kids are also using linux, there are hacks out there to capture all keyboard activity through X's lack of security.  You could also wrap the executables in question with something like:

```

#!/bin/sh

/usr/bin/ProgramName $* | tee -a /var/log/DadsLog/ProgramName

```

I don't have any of that set up at my house, my kids are still tiny.  Those are some basics, though.

Now, the personal.  Protection is good.  Block things, log things and use that to initiate discussions with your kids on what is appropriate and build trust.  Monitoring every detail of their online lives will create more trouble than it will solve.  Assuming it is possible to protect a child from everything 'bad' while they live at home, that will only increase their rate of 'mistakes' when they leave the house, having had no experience with 'the bad' while a family safety net was there for them.  That's my opinion and I don't mean to make any judgment on you or your methods with your own family.  Just wanted to put it out there.

----------

## dixtow

 *grimm26 wrote:*   

> Now, the personal.  Protection is good.  Block things, log things and use that to initiate discussions with your kids on what is appropriate and build trust.  Monitoring every detail of their online lives will create more trouble than it will solve.  Assuming it is possible to protect a child from everything 'bad' while they live at home, that will only increase their rate of 'mistakes' when they leave the house, having had no experience with 'the bad' while a family safety net was there for them.  That's my opinion and I don't mean to make any judgment on you or your methods with your own family.  Just wanted to put it out there.

 

I agree very much with this statement, which is why it is my intent to monitory, but not necessarily Block/Punish every little thing.  The Internet provides ways to to satisfy curiosities anonymously and privately, something I didn't have when I was this age.  I must recognize and weigh the difference between dangerous and unpleasant.

At the moment, I have (very solid) reason to believe that an 'inappropriate relationship' (a la Bill Clinton) exists between my [much younger than 18] year old daughter and an [older than 21] year old male.  This crosses the line, and we need evidence because neither one will fess up, duh.  The router belongs to me, and the connection to the network is wireless, so I can monitor any traffic that passes through it and there is no 'reasonable expectation of privacy' with wireless to begin with.  

Thank you for your info.  I hadn't thought of pumping everything through a proxy.  For now, I'm able to discern some plain-text AIM and Yahoo traffic using dumpcap and wireshark.  But the log gets huge fast, monitoring all traffic through the router for the sake of a few text messages....  I was hoping for something passive, so I would not have to alter any settings, nor mention the need for it.  Covert is the word.  She's not dumb, she just thinks we are.

IMs are my primary target.  If there were a way to log only ICQ/MSN/AIM/Yahoo Messenger traffic, it'd be perfect.  The proxy idea has possibilities in this regard.  Their computers have been switched to Gentoo, but I can find no simple keylogger daemon in portage.

----------

## Hu

You could slow the growth of your packet captures by filtering the capture live.  That is, save only traffic on ports you expect the IM client to be using.  If there are machines where your daughter is not able to log in, you could also exclude logging traffic generated by those machines.  To be clear, the excluded packets would not be saved in any way, so err on the side of logging too much or you may find yourself not logging the messages you need.

----------

## think4urs11

at least for AIM there's aimsniff.

Nevertheless you shouldn't forget that this is a break into your daughters privacy, even if your intentions may be the best out of your parental duties. You have to balance both sides.

----------

## dixtow

 *Think4UrS11 wrote:*   

> at least for AIM there's aimsniff.
> 
> Nevertheless you shouldn't forget that this is a break into your daughters privacy, even if your intentions may be the best out of your parental duties. You have to balance both sides.

 

I'm a very big privacy advocate, but there are things parents need to know and have the means to prevent.  It is a degree of 'privacy' that did not exist prior to the invention of Instant Messaging, and comes with a breach in parental knowledge that must be closed.

To put it in a selfish way:  When she turns 18/lives somewhere else, then it will no longer by my business as the law will hold her accountable for her own actions.  Until then, the law forces me to bear the consequences instead of her, which is stupid, but it's the law.  As long as it's my ass, it's my rules.  As long as the consequences will not fall where they should, I have to have the ability to enforce consequences of my own, or what will she be like when she is an adult?  this is the very definition of being a parent.

There is no more expectation of privacy using my computer, on my network, living in my house than can be expected using a computer at work.  But it goes beyond that.  At work, your employer merely has a right to monitor their own.  Any wrong-doing falls on the head of the individual who did it, not the employer.  It doesn't work that way at home.  I have not just a right, but a duty.  I already know she's getting into a situation that could ruin the rest of her life.  I just need details to put a stop to it, or at least have the chance to dole out a little common-sense that is very much lacking.

On the topic....

I'm still just using dumpcap and wireshark.  How can I limit traffic logged to/from a specific IP, or on specific ports?  Aimsniff is a nice tool for aim, but if I want to do more, my current setup would mean that I'm duplicating data.  The logs are already huge enough....

----------

## Wojtek_

I wouldn't like to be in your place when she realizes whats been going on...

Good luck anyway,

Wojtek

----------

## Hu

It will not be the first time a teenage(?) girl was angry at her parents.  :Wink: 

First, stop using Wireshark for the captures.  It works, but if you are not doing live viewing, you are better off using tcpdump to record the data and Wireshark to view it after the fact.  You can get tcpdump by emerging net-analyzer/tcpdump.  The manpage describes the details of filter syntax, but you can get started with these:

tcpdump -w ~/traffic.pcap tcp port 22 (logs ssh traffic)

tcpdump -w ~/traffic.pcap tcp and host 1.2.3.4 (logs TCP to/from 1.2.3.4)

In both cases, be careful what you choose to filter on.  A bad filter will discard the traffic you want.  Some IM protocols route traffic through a central server.  Some send the IMs directly between the peer computers.  Some even do both, depending on external factors.  So - about the only "safe" filter is to save all traffic from systems of interest, and prune it later.

As a related feature, you can use tcpdump to prune an existing pcap file.  For example, suppose you captured all traffic from her system and you want to view just the HTTP.  You could run tcpdump -r ~/all-traffic.pcap -w ~/http-traffic.pcap tcp port 80, which will read the full capture and produce a stripped capture containing only packets which match the filter tcp port 80.  The full capture is not deleted, so you can go back and view other pieces of it if you decide the HTTP was not sufficient.

----------

## dixtow

 *Hu wrote:*   

> It will not be the first time a teenage(?) girl was angry at her parents. 

 

I'm sure it won't be the last either.  This was meant to be a technical thread and I only mentioned my reasons to let others know that I was not engaging in any nefarious Dubya-style eves-dropping.  I'm not trying to have a stranglehold on everything she does or says.  But the total blackout is far more unacceptable than snooping.  There are plenty of things that I may not like that I will overlook because she is her own person and must choose her own path.  But I am obligated to steer her away from the paths that lead over the edge of a cliff (even in iron-fist fashion if nothing gentler works).  Whether she (or anyone else) likes it or not.  I wouldn't be much of a Father if I didn't.

I'm trying to get just the right amount of information, not everything.  Nor will every little thing be nit-picked.  It is easier and more effective to do this by getting too much and subtracting the excess, than getting to little and wishing there were more.  Wish in one hand, crap in the other, and see which one fills up first.  That's not a chance you take with your kids.  Any disciplinary actions are more informed and 'punishment fits the crime' is more accurate and proper.

I'm not even trying to censor, honestly.  I'd consider it if sexual/inappropriate/dangerous [in this, I am more lenient than the State] content seems to be all the kids look at online...  That's not even healthy behavior for an adult.  A certain degree of curiosity is to be expected for those making the awkward transition into adulthood.  But to 'learn' alone in the dark is not ideal.

Thank you for offering your assistance without giving me the Nth degree about how evil I am for snooping.

I really have no need to justify my actions to those of ambiguous age and motivation.  I consider this aspect of the thread to be closed.

 *Hu wrote:*   

> 
> 
> First, stop using Wireshark for the captures.  It works, but if you are not doing live viewing, you are better off using tcpdump to record the data and Wireshark to view it after the fact.

 

This is precisely what I am doing.  The router machine is a headless P2-266 with 64MB of ram and a 3gb hard drive.  Yes, it took all week to get gentoo onto that thing without distcc.    :Rolling Eyes: 

 *Hu wrote:*   

> 
> 
> You can get tcpdump by emerging net-analyzer/tcpdump.  The manpage describes the details of filter syntax, but you can get started with these:

 

I've been using dumpcap becasue it has ringbuffer abilities.  It's filtering is not defined well enough in the man page for me to comprehend.  It seems to just be a regular expression, but I need something a little more analytical than blindly logging everything with '$foo'.

I don't see this in tcpdump is clearly the filter tool I want, but it doesn't seem to have the ringbuffer or file-handling options that dumpcap does.

I wonder if I can combine them with a pipe?  This is not my forte....  It seems tcpdump has facilties for stdin and stdout.

I am also testing off-site, so I really am not sure that my command line options do the desired things...  Dumpcap man page explicitly states that stdout is no an option.  So, somehow pipe tcpdump's output into dumpcap's filehandling   :Question: 

My best guess (I'm not good at this):

```

tcpdump host 192.168.1.260 | dumpcap -b filesize:680000 files:10 -w traffic.192.168.1.260.pcap

```

Would give me all traffic to or from host 192.168.1.260 [yes, fake address for example] into a file named kinda like foo_stuff_things_traffic.192.168.1.260.pcap, making a new file every 680MB, and recycling back to the first file after 10 are made.  I think?  I'm not much for shell scripting or piping commands, so this is a complete stab in the dark.

I might want to add -U to tcpdump?  Since it is sending to stdout, this may or may not have the described effect?

 *Hu wrote:*   

> 
> 
> tcpdump -w ~/traffic.pcap tcp port 22 (logs ssh traffic)
> 
> tcpdump -w ~/traffic.pcap tcp and host 1.2.3.4 (logs TCP to/from 1.2.3.4)
> ...

 

That's what I was thinking, I just didn't know how.  Thank you for providing me with a clue.    :Smile: 

My biggest issue is LimeWire/gtk-gnutella.  I have no problem with her using it [it sure beats paying for all that stuff she'll only listen to once, and saves on having to buy the same CDs she breaks over and over again], but holy crap does that make a huge logfile!  Instead of explicitly choosing what to monitor, I'd just like to be able to exclude a few specifics, if even just a port number.  If I could just not log streaming traffic from flash-video streaming sites (would probably be asking a bit much to exclude logging based on a mime-type that is not announced across packets), and filesharing, everything else would be good to have.

To be able to set an exclude instead of an explicit include is what I need.

 *Hu wrote:*   

> 
> 
> As a related feature, you can use tcpdump to prune an existing pcap file.  For example, suppose you captured all traffic from her system and you want to view just the HTTP.  You could run tcpdump -r ~/all-traffic.pcap -w ~/http-traffic.pcap tcp port 80, which will read the full capture and produce a stripped capture containing only packets which match the filter tcp port 80.  The full capture is not deleted, so you can go back and view other pieces of it if you decide the HTTP was not sufficient.

 

This is nice.

I think I can do filters like this in wireshark, but it's not always obvious where the actual readable content of the packets is located.  I use Wireshark only as a viewer, not a live logger.

This is a handy thing to know.  I can archive an entire logfile to CD, and then just strip what I really want to see.  If I ever have to hand evidence to the police, it will be easy to do, and something that will make their job so very much easier in this realm, compared to the usual clueless parents who stand about muttering "How could this have happened?" while failing to educate themselves or take any action at all....

I still don't know how to 're-compile' the port 80 website packets back into a readable page that I can view, images and all.  This isn't my top priority, and I can always look at the DNS lookups for URL/Domain requests.  Being able to re-constitute the full and actual HTML pages to see any inappropriate/incriminating/dangerous communication is really all I want to do in that category.  I'm not sure how much more information inappropriate/incriminating/dangerous images would give me, granted that images of such content would likely be accompanied by plaintext that would probably tell me all I need to know without actually seeing things I don't want to see, just know about...

I really don't want to go so far as logging into her online accounts and such [keylogger would assist in this], but it would make a good option if such extremes are ever needed.  Worst case, I can confiscate the machine itself and look in the browser buffer, but I really don't want to go off like that.

----------

## Hu

 *dixtow wrote:*   

> This is precisely what I am doing.  The router machine is a headless P2-266 with 64MB of ram and a 3gb hard drive.  Yes, it took all week to get gentoo onto that thing without distcc.   

 

In the future, perhaps you should use the support for installing prebuilt binary packages so that something a bit beefier can do the compilation.  :Wink: 

I neglected to mention above, but you may need to tune the snarf size of tcpdump.  The default capture size will probably not capture everything you want.  Use -s 0 to remove the limit on how much data is saved from a matched packet.

 *dixtow wrote:*   

> I've been using dumpcap becasue it has ringbuffer abilities.  It's filtering is not defined well enough in the man page for me to comprehend.  It seems to just be a regular expression, but I need something a little more analytical than blindly logging everything with '$foo'.
> 
> I don't see this in tcpdump is clearly the filter tool I want, but it doesn't seem to have the ringbuffer or file-handling options that dumpcap does.

 

You are not looking hard enough.   :Smile:   A search of the tcpdump manpage for "rotating" reveals that the -C filesize and -W filecount options can be used together to create a ringbuffer of filesize * filecount bytes.

 *dixtow wrote:*   

> My best guess (I'm not good at this):
> 
> ```
> 
> tcpdump host 192.168.1.260 | dumpcap -b filesize:680000 files:10 -w traffic.192.168.1.260.pcap
> ...

 

Using the ringbuffer options I mentioned above, we can simplify this to tcpdump tcp and host 192.168.0.1 -C 680000 -W 10 -w ~/traffic.pcap.  No -U option is necessary, and indeed it would probably hurt performance to do packet-sized writes rather than buffer sized writes.

 *dixtow wrote:*   

> That's what I was thinking, I just didn't know how.  Thank you for providing me with a clue.   
> 
> My biggest issue is LimeWire/gtk-gnutella.  I have no problem with her using it [it sure beats paying for all that stuff she'll only listen to once, and saves on having to buy the same CDs she breaks over and over again], but holy crap does that make a huge logfile!  Instead of explicitly choosing what to monitor, I'd just like to be able to exclude a few specifics, if even just a port number.  If I could just not log streaming traffic from flash-video streaming sites (would probably be asking a bit much to exclude logging based on a mime-type that is not announced across packets), and filesharing, everything else would be good to have.
> 
> To be able to set an exclude instead of an explicit include is what I need.

 

Well, the cheap solution here is a social one.  Forbid her to download songs, but arrange that if there is something she wants, you will buy it for her (or download (providing the author is OK with this - not all bands are)), and then download it from a system that is not included in the logs.

Exclusions are easy.  tcpdump host 192.168.0.1 and tcp and not tcp port 80 will skip the HTTP traffic.  Excluding filesharing applications can be a pain, since many of them switch port numbers to avoid filtering.  I am not familiar with LimeWire, so I cannot say whether it exhibits this behavior.  Excluding based on MIME-type would be much easier with an application level proxy, since it can maintain state much better than you can with a packet capturing tool.  You might get by with excluding the hosts that tend to provide streaming video, but many providers farm that task out over a large server farm, so you would spend some time building up a list of hosts not to monitor.

 *dixtow wrote:*   

> I think I can do filters like this in wireshark, but it's not always obvious where the actual readable content of the packets is located.  I use Wireshark only as a viewer, not a live logger.
> 
> This is a handy thing to know.  I can archive an entire logfile to CD, and then just strip what I really want to see.  If I ever have to hand evidence to the police, it will be easy to do, and something that will make their job so very much easier in this realm, compared to the usual clueless parents who stand about muttering "How could this have happened?" while failing to educate themselves or take any action at all....

 

Yes, Wireshark can do the stripping as well.  I prefer tcpdump since I spend more time with it, but you can use whichever you feel prefer.  If I recall correctly, there is a checkbox when saving that includes only packets matching the display filter, rather than all packets.

 *dixtow wrote:*   

> I still don't know how to 're-compile' the port 80 website packets back into a readable page that I can view, images and all.  This isn't my top priority, and I can always look at the DNS lookups for URL/Domain requests.  Being able to re-constitute the full and actual HTML pages to see any inappropriate/incriminating/dangerous communication is really all I want to do in that category.

 

Use Wireshark's "Follow TCP stream" to get a single window with all the request/response traffic for a connection correlated.  This may show multiple requests at once if the browser used connection keep-alive.

 *dixtow wrote:*   

> I really don't want to go so far as logging into her online accounts and such [keylogger would assist in this], but it would make a good option if such extremes are ever needed.  Worst case, I can confiscate the machine itself and look in the browser buffer, but I really don't want to go off like that.

 

I strongly suggest avoiding this course of action.  Many people see a somewhat arbitrary line between passive snooping at the router and active snooping via account intrusion.  Also, while you are probably covered since you are snooping on a minor child for whom you are legal guardian, the deeper you go into surveillance, the greater the chance you will get burned by some bizarre wiretapping law.  On top of all that, some websites actually learned from Unix and have a lastlog, so the legitimate owner can check for illegitimate logins.

As a parting note, consider also whether you need to worry about SSL or other encrypted connections.  Snooping at the router is generally not able to see inside encrypted protocols.  Most attempts to do so tip off one or both parties that the connection has been compromised.

----------

