Network monitoring help

Discussion in 'Hardware' started by RC51Jim, Mar 1, 2004.

  1. RC51Jim

    RC51Jim Private E-2

    OK so here goes. I am the MIS guy at work, I was thrown into this job because I was the most computer savvy person in the office at the time. I can get the basic computer setup/maintenance and networking stuff done, that's about as far as my knowledge level will take me. We are a very small office of around 6 people, all machines are Win 2k on a workgroup. One of our employees is a self proclaimed Hacker and likes to treat our internet connection like his own personal downloading campground. Normally I could care less what he does as long as it does not affect me, however, lately my boss has been complaining about slow email and so forth. She told me to "fix it", she assumes it is a problem with her computer. I would like to be able to have some proof of Mr. Hacker's network abuse, what is the best way to monitor the network? We have Dynamic IP addresses but I can get his MAC address easily. On the network side of things we have a Linksys Etherfast II 24 Port Switch Model EF2S24. It is connected to our Netopia DSL router. Could somebody give me a hand figuring out a solution to this problem or point me in the right direction? Thanks
     
  2. goldfish

    goldfish Lt. Sushi.DC

    Have you got a win2k server running on the network? Apparently not? Seems as you're using a workgroup it's decentralized anyway, which would mean you don't need a server as such. If you can get packet logs from a firewall on the server, you could total up all the bandwidth used by each computer, and if he is hogging bandwidth he'll have a lot more than everyone else. You may be able to get these from the DSL router, I'm not familiar with that particular model. Also, if you were running a server you could throttle each user's bandwidth to the net too. But obviously you don't need a server, so not my place to recommend adding one.

    Do you have admin privs on all the workstations? You might want to check everyone's setup, see if his machine has any software on it that it shouldn't have (shouldn't be a privacy issue since the computer would belong to the company, right?)

    You might want to have a quiet unofficial word with him in private, not to threaten or accuse or anything, could be he doesn't realise that he's causing other people inconvenience.
     
  3. RC51Jim

    RC51Jim Private E-2

    Actually we do have a Windows 2k Server, it functions as a file server only though. The computers are on a workgroup instead of a domain but is there anything I can do to use the server to monitor the network? All of the computers here connect directly to the switch and the switch to the router. The Server is connected to the switch like any other computer.

    I have admin rights to the computers but he reformats his laptop on a regular basis, he somehow does this without the software. So I do not have admin rights on his computer and he would make a big stink about my having rights. Nobody wants to mess with this guy, he is one of those people who takes pleasure in screwing people over (he got our last boss fired by complaining to our corporate human resources). This is all a very touchy situation so I am trying to tread lightly. But it still pisses me off that he has this attitude, just want to teach him a lesson!!!:mad: Sorry to vent like that but it makes me mad. Thanks for your help!
     
  4. goldfish

    goldfish Lt. Sushi.DC

    Ah, I understand.

    It might be harder if you're using a switch but it is possible to run a network sniffer to sniff all the packets going around the network. You could of course set up the server to forward connections to work as a thru point, and not let any other computer access the net by itself. That way they would be forced to use the server, and so you've just found a way to log internet usage.

    Again, I'm not familiar with your networking setup, so I don't know how plausible this is. If you were really concerned with the matter, you could let the server act as a DHCP server for the other computers in the workgroup and make it act as a NAT firewall. This would involve having 2 NICs in the server machine, one connected to the hub you're using, the other to the router. Of course, if the guy is really determined he can get past this layer, but chances are it would be impractical for him to do so, and would also be quite obvious to you, and should leave you with yet more evidence for the case against him.

    But I will have a little research and see if it's possible to sniff all network traffic without having to change your setup quite this much.
     
  5. Kodo

    Kodo SNATCHSQUATCH

  6. goldfish

    goldfish Lt. Sushi.DC

    A few links for your perusal ;)

    http://www.net-security.org/article.php?id=615

    Looks like in order to force people to send their packets through the server, you need to set up an ARP inject (you might want to research this yourself.. I don't want to post any dodgy links, people use this method for malicious purposes). Basically it just makes all the machines on the network think that the server is the router, and so all packets go through the server first before they are forwarded to the router. You've got to be careful with this though, you can lose connectivity to the network for a while if you're not careful. Also your hacker friend may have set his ARP table to static, which means he will not be "vulnerable" as it were.

    Don't take this wrong, I am in NO WAY suggesting you do this backhandedly, because in reality it's your network to use as you feel necessary to, and if that means you want to monitor traffic then so be it.

    Your best defense against abuse of computers is knowledge. (would be nice if I could spell knowledge too :p)

    If you need any more detailed info, feel free to PM me or email me.
     
    Last edited: Mar 1, 2004
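goldfish's remark above that a static ARP table leaves a host unaffected by the redirection he describes is also the detection angle a defender wants: if the router's IP suddenly answers from a different MAC, something on the segment is asserting that mapping. The following is an added example, not code from the thread or from any tool named in it. It parses raw ARP reply frames (constructed sample data; the IPs and MACs are made up) and flags any reply that contradicts a pinned gateway entry or a mapping learned earlier.

```python
"""Detect ARP replies that contradict a pinned gateway entry or a mapping
learned earlier on the segment.

Added example, not code from the thread: a monitoring host records which
MAC claims each IP in ARP replies and raises an alert when the router's IP
(pinned in advance) or any previously seen IP suddenly answers from a
different MAC. All addresses and frames are constructed sample data.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed addresses for the example (not from the thread).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:5e:00:01:01"
BOSS_IP, BOSS_MAC = "192.168.1.20", "00:0c:29:aa:bb:01"
LAPTOP_MAC = "00:0c:29:aa:bb:02"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame (sample data only)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip


class ArpWatch:
    """Track IP-to-MAC claims seen in ARP replies and flag contradictions."""

    def __init__(self, pinned):
        self.pinned = dict(pinned)   # ip -> mac that must never change (the router)
        self.seen = {}               # ip -> mac learned from replies so far
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, mac, ip = parsed
        if oper != ARP_REPLY:        # only replies assert a mapping
            return None
        alert = None
        if ip in self.pinned and mac != self.pinned[ip]:
            alert = f"pinned host {ip} claimed by {mac}, expected {self.pinned[ip]}"
        elif ip in self.seen and self.seen[ip] != mac:
            alert = f"{ip} moved from {self.seen[ip]} to {mac}"
        self.seen[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert


def run_sample():
    """Feed a constructed sequence of frames through the watcher; returns its alerts."""
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp(1, BOSS_MAC, BOSS_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),  # who-has, ignored
        build_arp(2, GATEWAY_MAC, GATEWAY_IP, BOSS_MAC, BOSS_IP),          # genuine router reply
        build_arp(2, BOSS_MAC, BOSS_IP, GATEWAY_MAC, GATEWAY_IP),          # first sighting of the boss's PC
        build_arp(2, LAPTOP_MAC, GATEWAY_IP, BOSS_MAC, BOSS_IP),           # router's IP from another MAC
        build_arp(2, LAPTOP_MAC, BOSS_IP, GATEWAY_MAC, GATEWAY_IP),        # boss's IP from another MAC
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

The pinned entry plays the role of the static ARP entry goldfish mentions (on the thread's Windows 2000 hosts that is set with `arp -s`); here it is only the reference value the monitor compares against, so the monitoring host itself keeps working even while it is raising alerts. Requests are deliberately ignored because only replies carry a mapping a host will cache.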
  7. Merijeek

    Merijeek Private E-2

    I had similar problems, although it wasn't a bad user, so much as a machine flooding the network and me having to figure out whose machine was doing it.

    Get yourself a hub (not a switch). Go to your cable room and unplug your PITA guy's machine and the machine you're going to use for monitoring. Plug both those into the hub and then run a crossover from the hub to your normal switch.

    Now go ahead and run whatever monitoring software you're going to use and you can analyze every packet the guy is sending out.

    Unfortunately, I haven't found anything too helpful in the way of software that will do the work on the analysis of the packets. Most tools let you sort and stuff like that, but I haven't gotten to use anything that will parse things for you and sort them into categories like warez, porn, and such.

    -Joe
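goldfish's first suggestion (total the bytes per computer from packet logs and see who is far above the rest) and Merijeek's hub-and-sniffer setup both end at the same step: parsing captured frames and attributing bytes to hosts. The following is an added example that is not code from the thread or from any tool mentioned in it. It parses raw Ethernet II/IPv4 frames as a sniffer on the hub port would see them and tallies bytes sent and received per MAC; the addresses and frames are constructed sample data.

```python
"""Per-host byte accounting over captured Ethernet frames.

Added example, not code from the thread: it parses raw IPv4-over-Ethernet
frames the way a sniffer on a shared hub port would see them and totals
bytes sent and received per MAC address, so the heaviest talker stands
out. All frames below are constructed sample data, not a real capture.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the example (not from the thread).
GATEWAY = "00:00:5e:00:01:01"   # the DSL router's LAN MAC
BOSS = "00:0c:29:aa:bb:01"
LAPTOP = "00:0c:29:aa:bb:02"    # the host suspected of hogging the link


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Build a minimal Ethernet II + IPv4 frame (sample data only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + b"\x00" * payload_len


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, frame_len), or None if not IPv4."""
    if len(frame) < 34:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    return mac_str(src), mac_str(dst), src_ip, dst_ip, len(frame)


def bytes_per_mac(frames):
    """Tally bytes sent and received per MAC; non-IPv4 frames are skipped."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, _, _, n = parsed
        totals[src_mac]["sent"] += n
        totals[dst_mac]["received"] += n
    return dict(totals)


def top_talker(totals, ignore=()):
    """MAC with the most traffic in either direction, excluding e.g. the router."""
    candidates = {m: c["sent"] + c["received"] for m, c in totals.items() if m not in ignore}
    return max(candidates, key=candidates.get)


# Constructed sample capture: a few small mail checks from the boss's PC and a
# bulk download landing on the laptop, plus one ARP frame that is not IPv4.
SAMPLE_FRAMES = (
    [build_frame(BOSS, GATEWAY, "192.168.1.20", "10.0.0.5", 100)] * 3
    + [build_frame(GATEWAY, BOSS, "10.0.0.5", "192.168.1.20", 200)] * 3
    + [build_frame(LAPTOP, GATEWAY, "192.168.1.30", "10.0.0.9", 60)] * 5
    + [build_frame(GATEWAY, LAPTOP, "10.0.0.9", "192.168.1.30", 1400)] * 20
    + [mac_bytes(BOSS) + mac_bytes(GATEWAY) + b"\x08\x06" + b"\x00" * 28]
)

if __name__ == "__main__":
    totals = bytes_per_mac(SAMPLE_FRAMES)
    for mac, counts in sorted(totals.items(), key=lambda kv: -(kv[1]["sent"] + kv[1]["received"])):
        print(f"{mac}  sent={counts['sent']:>7}  received={counts['received']:>7}")
    print("top talker (router excluded):", top_talker(totals, ignore={GATEWAY}))
```

Counting received bytes matters: a download shows up as frames whose destination is the laptop, so a sender-only tally would credit almost all of it to the router. Excluding the router's own MAC from the comparison is what makes the heaviest local host stand out; frames read from a real capture file would be fed through parse_frame the same way.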
     
  8. Adrynalyne

    Adrynalyne Guest

    Your jaw would drop if I told you what I have pulled off of packets on my computer with NetworkActiv.

    It will even reconstruct the webpages visited for you.

    However I don't know how useful NetworkActiv would be here, unless you could find a way to run it on their machine without them noticing it and then check the results later.

    From what I can see, it only listens to local interfaces.

    That, or I am too stupid to figure out how to get it to find my other machines.
     
    Last edited by a moderator: Mar 10, 2004
