Incomplete web logs

General discussion about WFilter ICF features, problems, configuration issues etc.

Moderators: imfirewall, gengw2000

ddd
Posts: 3
Joined: Tue Jun 22, 2010 10:46 am

Incomplete web logs

Postby ddd » Tue Jun 22, 2010 10:59 am

Hi,



I just bought and installed WFilter with a 25 users licence.



The only functionnality I use is to keep logs of the visited web sites for everyone of our workstation.





Everything is working fine(even blocking but i don't need it), except from one crucial thing.



I noticed that the logs are not complete, for some of the workstation. For some workstations the logs are perfect, but for some workstations, the only accesses logged are google, addclick accesses and a couple of seemingly random sites, only some of the time. I tried :



- monitoring by MAC and by IP

- mirroring only the problematic workstation's port instead of all internet trafic.



none of those had any effect.



please help, thanks.







admin
Site Admin
Posts: 137
Joined: Wed Nov 23, 2016 12:08 pm

Incomplete web logs

Postby admin » Tue Jun 22, 2010 7:36 pm



This is related to your network topology and port mirroring settings.



Please check:



1. Port mirroring settings. The source port shall be the internet port, usually connected to the router or firewall. The target port shall be WFilter computer. We recommend you not to mirror multiple ports to one port, which might overburden the target port and cause losing packets.



2. Cable connections of these abnormal workstations. For example, if a workstation is directly connected to an uplayer switch of the port mirroring switch, it will not be monitored. So please check to make sure all workstations access internet through the port mirroring switch.



Let me know your topology and mirroring settings if this problem still exists.

ddd
Posts: 3
Joined: Tue Jun 22, 2010 10:46 am

Incomplete web logs

Postby ddd » Wed Jun 23, 2010 8:57 am

Hi,



point 1 : this is what I do - mirror the ethernet port connected to the firewall. I also tried mirroring only the problematic computer's port with the same effect. I did not mirror multiple ports to a single port.



point 2 : The problematic computer being now plugged directly into the main switch, I still exactly experience the problem. Plus, some computers plugged in secondary unmannaged switches are being monitored just fine.



Quick reminder : On the problematic computer, I can monitor some of the web activity just fine. But not all activities are recording.



So yes the problem still exist and is unchanged.

admin
Site Admin
Posts: 137
Joined: Wed Nov 23, 2016 12:08 pm

Incomplete web logs

Postby admin » Wed Jun 23, 2010 7:28 pm

It seems no problem with the mirroring settings and network topology, however it is also possible that the workstation used VPN tunnel or local proxy server to bypass monitoring.



We need a packet dump to confirm it. Please follow this guide to generate a packet dump: Use dumpPacket.exe of WFilter to generate a packet dump file



Steps:

1. Run "DumpPacket.exe".

2. Input the workstation ip address, and begin dump.

3. Stop dump after 1 minute.

4. Send me the dump.pcap file.



ddd
Posts: 3
Joined: Tue Jun 22, 2010 10:46 am

Incomplete web logs

Postby ddd » Fri Jun 25, 2010 11:43 am

Can I have a email address I can use to send you that ?

admin
Site Admin
Posts: 137
Joined: Wed Nov 23, 2016 12:08 pm

Incomplete web logs

Postby admin » Sun Jun 27, 2010 7:27 pm

support@imfirewall.us

admin
Site Admin
Posts: 137
Joined: Wed Nov 23, 2016 12:08 pm

Incomplete web logs

Postby admin » Mon Jun 28, 2010 7:14 pm

Thanks for the pcap files.



I understand "en.wikipedia.org/wiki/2_(number)" and "en.wikipedia.org/wiki/5_(number)" were not recorded.

However, when I check the pcap file, I found it was because the browser cache. As you know, when you visit a webpage, the browser will cache this page for a while. If you visit the webpage again before the cache expires, your browser will just retrieve the page from its cache. In this case, WFilter can not record it because the page is not transfered again on network.



Please take a look at the attached screenshots. For these two HTTP request, the server just replied "Not modified", which told the browser to retrieve the webpage from its cache.



You can clear the browser cache and do the test again.



Attached files


Return to “WFilter ICF”

Who is online

Users browsing this forum: No registered users and 20 guests