Which means I cannot sniff my own data !
You can generally sniff your own data, but as soon as you start "monitoring of their behaviour as far as their behaviour takes place within the Union" then you should be aware of the implications of the GDPR, Regulation (EU) 2016/679. There is an exception that
- This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
which may apply to your situation.
Well, its documented on wiki.openwrt.org/doc/uci/dhcp
config dnsmasq option logqueries '1'
The log will be written on syslog & log-rotated with default buffer size. You can adjust the file location at local or at your desired server(:port) along with its buffer size on
config system option log_size '64' option log_ip '192.168.6.4' option log_port '6400'
Then wait for what the EU going to do with you!
If the native logging features are not of interest, you can consider pihole.
I would also like to inquire about this -- especially logging IP addresses. My DNS server already logs all DNS requests and all traffic on port 53 is redirected to the intranet.
Also, I'm not in the EU or EEA, so GDPR doesn't apply to me, and I'm processing data of myself only, and my devices (which do not consent to the data processing but aren't considered people, so I don't need their consent )
I'm using 19.07rc2 on ramips/mt76x8 with an external syslog server.
- In the future please consider making another thread.
- What are you inquiring on, exactly?
- Do you wish to use syslog to record the IPs, or another tool?
- Okay, though I would like to know if it's because of the thread age, or something else.
- I'm inquiring about the topic of the post,
"I need to know what websites with either partial or complete URL are been visited from my home router. This can be either dumped to a local file and log-rotated or URL info be sent to an external syslog server."
- Answered by #2.
So, in summary: I want to be able to log complete HTTP traffic metadata (URL, from LAN IP, to remote IP, via WAN IP, device location (wlan0, wlan1, eth0.1, eth0.2, eth0.3, eth0.4) to syslog and sync it remotely to an external server (which the build-in syslog server does, and I have successfully set it up).
Right now I have achieved this by adding iptables rules to log all traffic, but the results are not detailed at all. I would like to log HTTP URL and hostname, HTTPS hostname, TCP data in general (from ip & port, to ip & port).
Not possible, by design of HTTP-S
(Nor is anything else in the encrypted channel, such as URLs, other metadata, or content sent/received)
Of course it's possible, I explicitly said hostname, not URL or any other metadata (well, other than IPs and ports of dest and src, time info).
Unless the browser implements Encrypted SNI, it will send the hostname as cleartext in the initial TLS handshake. And since the "browser" is not actually a browser but instead an embedded device with a really bad TLS implementation, it will never have Encrypted SNI enabled.
So why don't you edit the iptables rules - in order to get more of the details you desire?
...or are you seeking someone to assist you with those detailed rules?
iptables is not the answer to logging HTTP and HTTPs metadata, it's suited for logging TCP, mostly. It's too low level.
Also, can you stop with the agressively-attacking attitude. I have been polite with you, it's only fair that you be polite to me, given that I have not posted anything that could be interpreted as being abusive, spam-like in nature, unwanted, etc.
Asking what you're seeking is aggressive and attacking!?!?
Don't worry, I won't try to help you any further.
In the context of usual forum ruleset of "ask for guidance only, don't request the whole solution", "are you seeking someone to assist you with those detailed rules?" comes off more as agressive than a genuine offer of help. Especially in the context of "So why don't you" and "or are you".
In any case, I apologize if I have misinterpreted it, English is not my mother tongue.
Well since it's clear now that you don't want to use iptables, I'm not sure what you're seeking.
Rewriting your iptables rules actually seems easy to me.
- I know of no single solution to do this in OpenWrt, except for iptables.
- You may be able to setup a HTTP proxy and capture logs thru that?
If I were trying to accomplish the goal, I'd run suricata or a similar packet-inspection tool on a suitable host. It would surprise me if a consumer all-in-one has enough compute power to do packet inspection at more than a trickle. MIPS-based SoCs have trouble with something as computationally simple as SQM at around 100-200 Mbps, for example.
Even diverting all the packets to an external host for analysis may well be beyond what an all-in-one can accomplish. Many/most achieve high throughput by offloading the flows from the CPU to the ASIC switch framework.
Seems like you'd need a topology that separates your network into VLANs (or physical LANs) so that you can accomplish your objective of identification of where the associated host is connected.
I care about this issue, because I want to control ads and what is dangerous if any.
@jasonbourne, welcome to the community!
For just ad blocking, see:
Also, seeing traffic does not permit you to stop the dangerous thing. You need an IPS for that.
Instead of making a complete different thread, I'll just bump this one.
- (Not my first post, having difficulties to get access to correct account log in information)
As topic says "knowing what websites are visited. I have not been able to figure out how to do this with simplicity (a neat GUI), usually when I wanted more knowledge of this, I had to type several commands and so on when using OpenWRT. I then got tiered of this and decided the bridge my raspberry pi 3B (PiHole) to my WRT3200acm (OpenWRT), this worked flawlessly. But as of today, my raspberry is my cars new Brain and I can there for no longer use PiHole in a simple way. So my question is:
Could OpenWRT in anyways take over PiHole tasks in terms of providing a good and simple GUI to log IPs, Hostnames, data used, by whom and when (time) and so on...
What I'm trying to do here will not break any laws. I feel like this should be said so noone needs to remind me of GDPR and alike. Thank you.
Short answer: Yes, it could. Needs quite some work, though. In case, you are interested in a commercial solution, PM me.
Thank you for your reply, I'll be sure to remember your offer.