Hi,
I just bought and installed WFilter with a 25 users licence.
The only functionnality I use is to keep logs of the visited web sites for everyone of our workstation.
Everything is working fine(even blocking but i don't need it), except from one crucial thing.
I noticed that the logs are not complete, for some of the workstation. For some workstations the logs are perfect, but for some workstations, the only accesses logged are google, addclick accesses and a couple of seemingly random sites, only some of the time. I tried :
- monitoring by MAC and by IP
- mirroring only the problematic workstation's port instead of all internet trafic.
none of those had any effect.
please help, thanks.
Incomplete web logs
Moderators: imfirewall, gengw2000
Incomplete web logs
This is related to your network topology and port mirroring settings.
Please check:
1. Port mirroring settings. The source port shall be the internet port, usually connected to the router or firewall. The target port shall be WFilter computer. We recommend you not to mirror multiple ports to one port, which might overburden the target port and cause losing packets.
2. Cable connections of these abnormal workstations. For example, if a workstation is directly connected to an uplayer switch of the port mirroring switch, it will not be monitored. So please check to make sure all workstations access internet through the port mirroring switch.
Let me know your topology and mirroring settings if this problem still exists.
Incomplete web logs
Hi,
point 1 : this is what I do - mirror the ethernet port connected to the firewall. I also tried mirroring only the problematic computer's port with the same effect. I did not mirror multiple ports to a single port.
point 2 : The problematic computer being now plugged directly into the main switch, I still exactly experience the problem. Plus, some computers plugged in secondary unmannaged switches are being monitored just fine.
Quick reminder : On the problematic computer, I can monitor some of the web activity just fine. But not all activities are recording.
So yes the problem still exist and is unchanged.
point 1 : this is what I do - mirror the ethernet port connected to the firewall. I also tried mirroring only the problematic computer's port with the same effect. I did not mirror multiple ports to a single port.
point 2 : The problematic computer being now plugged directly into the main switch, I still exactly experience the problem. Plus, some computers plugged in secondary unmannaged switches are being monitored just fine.
Quick reminder : On the problematic computer, I can monitor some of the web activity just fine. But not all activities are recording.
So yes the problem still exist and is unchanged.
Incomplete web logs
It seems no problem with the mirroring settings and network topology, however it is also possible that the workstation used VPN tunnel or local proxy server to bypass monitoring.
We need a packet dump to confirm it. Please follow this guide to generate a packet dump: Use dumpPacket.exe of WFilter to generate a packet dump file
Steps:
1. Run "DumpPacket.exe".
2. Input the workstation ip address, and begin dump.
3. Stop dump after 1 minute.
4. Send me the dump.pcap file.
We need a packet dump to confirm it. Please follow this guide to generate a packet dump: Use dumpPacket.exe of WFilter to generate a packet dump file
Steps:
1. Run "DumpPacket.exe".
2. Input the workstation ip address, and begin dump.
3. Stop dump after 1 minute.
4. Send me the dump.pcap file.
Incomplete web logs
Can I have a email address I can use to send you that ?
Incomplete web logs
support@imfirewall.us
Incomplete web logs
Thanks for the pcap files.
I understand "en.wikipedia.org/wiki/2_(number)" and "en.wikipedia.org/wiki/5_(number)" were not recorded.
However, when I check the pcap file, I found it was because the browser cache. As you know, when you visit a webpage, the browser will cache this page for a while. If you visit the webpage again before the cache expires, your browser will just retrieve the page from its cache. In this case, WFilter can not record it because the page is not transfered again on network.
Please take a look at the attached screenshots. For these two HTTP request, the server just replied "Not modified", which told the browser to retrieve the webpage from its cache.
You can clear the browser cache and do the test again.
I understand "en.wikipedia.org/wiki/2_(number)" and "en.wikipedia.org/wiki/5_(number)" were not recorded.
However, when I check the pcap file, I found it was because the browser cache. As you know, when you visit a webpage, the browser will cache this page for a while. If you visit the webpage again before the cache expires, your browser will just retrieve the page from its cache. In this case, WFilter can not record it because the page is not transfered again on network.
Please take a look at the attached screenshots. For these two HTTP request, the server just replied "Not modified", which told the browser to retrieve the webpage from its cache.
You can clear the browser cache and do the test again.
Who is online
Users browsing this forum: No registered users and 3 guests