Squid Transparent Proxy Reporting Issue

To give some background, I'm not extremely vetted with unix or Freebsd, only basics and what I need to know.
My freedsb is being used as a router and mail server.
I need something that can help me monitor network traffic(almost something like squid reporting services), but because we are running a transparent proxy the squid reporting doesn't show any traffic generated for https. I must be able to monitor all IP addresses on the internal network that connect to the net through my squid server. It is so I can see which IP/user viewed which sites and what amount of total bandwidth they each used over a period of time.
Is this possible, and if you know of a solution or a add-on I can add to the server to perform this, please help me.

Thank you,
B
 
I assume you're already running something like www/calamaris and www/sarg?

Monitoring https URLs will be difficult because Squid does not handle them in transparent mode, and the web browser will not send the URL over the network; it will just perform a DNS lookup and establish a connection to port 443 of the resulting IP address -- any URL/path information will be encrypted from then on.

You could resort to running this in the background and dumping it to a file:

Code:
tcpdump -s 0 -pli $intf dst port 443 and 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

This will at least give you the start and stop records for the SSL connection. Note that the destination host doesn't give you much information about which URL was used. It may or may not have a PTR record, and if it does have a PTR record, it may not be the hostname used in the URL.

The amount of traffic could be monitored by using PF and running sysutils/pfstat to create graphs of tcp/443 traffic. Or you can use net/ntop to get an overview of all traffic and protocols.
 
Back
Top