Hi,

Is there any way to collect the most visited sites by users? I think I could write some script to analyze tcpdump output, but maybe there are any ready to go tools?

Thanks.

Can you be a little more specific? What OS/version? Are you acting as a gateway? A squid proxy?

not very scientific but maybe:

#!/usr/local/bin/perl
# --ephemera

$netif='em0';
$nsites=10;
$updateSecs=10;
open TDMP, "tcpdump -lnni $netif 'dst port 53' |" or die "$!\n";
while(<TDMP>) {
if (/ A\? ([A-z](?:[\w-]+\.)+[\w-]+[\w])\. /) {
$m{$1}++;
if (time - $t >= $updateSecs) {
$t = time;
print "\nTop $nsites sites as of ", scalar localtime $t, ":\n\n";
@s = sort {$m{$b} <=> $m{$a}} keys %m;
for (0..$nsites-1) { print "\t",$_+1,". $s[$_]\n";}
}
}
}

If you use BASE with Snort, you can have snort filter specifically for web traffic, then BASE can automatically and nicely sort the address hits. And since BASE is a web app, it's actually pretty easy to use.