Traffic analysis

Hey all, I have a question that might be relevant for more people around the world.

I am looking for a tool that can "categorize" my traffic and allows for some "drill down" stuff. I have young kids and I don't want to BLOCK their internet, however, I do want to "know what they are up to"... high level of course. Does anyone know a tool where it can show categories? Stuff like: Youtube for X hours, facebook/social media 50 times, and so on... filterable per device, time, ...?
Basically an IDS, but I don't care about content, blocking, blabla... it's just "knowing".
Oh, I have an x86_64 router, so I don't worry (yet) about performance :wink:

Anyone have clues on where to start?

Analyzing DNS requests could be one way of doing it, but then you need to make a catalog of which DNS names belong to which site.

Pi-hole can probably provide the insights, but can't be run on OpenWrt.

AdGuard Home could perhaps be another option, but you might need to go for the non-free subscription; not sure, I'm a Pi-hole guy myself.

…and hope that they'll never learn about DoH (which modern browsers like to do without even asking).

The modern web is increasingly encrypted, partially for good reasons, but it makes this kind of monitoring somewhere between hard (without man-in-the-middle certificates) and impossible.

SNI headers could still be analyzed, but then you'd manually have to do the DNS request counting, based on the logs of the SNI proxy.

It also requires a custom local DNS, pointing all DNS lookups to the SNI proxy IP.
Fully doable, but you need to know what you're doing.

Or just get a :slight_smile:

Well, yes, all that. I know it's all easy to bypass. I have AdGuard Home running as DNS server (in a separate container on a different box). This is exactly the reason I don't want to block anything. I would just like to know... not give them a reason to outsmart dad :wink:
But maybe you're right, maybe it's not something I should strive for. I'm just a sucker for insights :grinning:

The SNI would only log the DNS names, not stop any HTTPS traffic, unless you'd like it to.

You can set up Squid as an explicit proxy, and block outgoing port 443 and port 80. Then analyze the Squid proxy logs. You just get DNS names of sites being requested, but it's mostly enough for what you want. You'll get the DNS names even if the browser does DoH.

Works well, esp since you have an x86 router.
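As an added illustration of the log-analysis step the Squid suggestion above (and the earlier "catalog of DNS names" remark) leaves to the reader, here is a small Python script that is not from the original thread. It parses constructed lines in Squid's default native access.log layout, maps each requested host to a category through a hypothetical suffix catalogue, and counts requests per client, filterable by device and epoch time window:

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's default "native" access.log layout:
# timestamp elapsed client action/status size method target user hierarchy/peer type
SAMPLE_LOG = """\
1709200000.123    245 192.168.1.20 TCP_TUNNEL/200 48211 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.10 -
1709200031.004    118 192.168.1.20 TCP_TUNNEL/200 9123 CONNECT i.ytimg.com:443 - HIER_DIRECT/203.0.113.11 -
1709200045.777     92 192.168.1.21 TCP_TUNNEL/200 7120 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.12 -
1709200090.010     40 192.168.1.21 TCP_MISS/200 1552 GET http://example.org/page.html - HIER_DIRECT/203.0.113.13 text/html
1709286400.000    200 192.168.1.20 TCP_TUNNEL/200 6000 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.10 -
"""

# Hypothetical catalogue mapping domain suffixes to categories. As noted in the
# thread, you have to build this yourself; these entries are a constructed start.
CATALOG = {"youtube.com": "video", "ytimg.com": "video",
           "facebook.com": "social", "fbcdn.net": "social"}

def categorize(host):
    """Match the host or any parent domain against CATALOG, else 'other'."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = CATALOG.get(".".join(labels[i:]))
        if cat:
            return cat
    return "other"

def parse_line(line):
    """Return (timestamp, client_ip, host) for one native-format line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, client, method, target = float(fields[0]), fields[2], fields[5], fields[6]
    # CONNECT (HTTPS through the proxy) logs "host:port"; plain HTTP logs a full URL.
    host = target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname
    return ts, client, host or ""

def summarize(log_text, client=None, since=None, until=None):
    """Request counts per client per category, filtered by device and epoch time window."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, host = parsed
        in_window = (since is None or ts >= since) and (until is None or ts < until)
        if (client is None or ip == client) and in_window:
            counts[ip][categorize(host)] += 1
    return {ip: dict(c) for ip, c in counts.items()}
```

Point it at a real access.log (opened and read into `log_text`) and extend CATALOG with the CDN and API hostnames you see in the "other" bucket; with CONNECT entries only the hostname is visible, never the page or content.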

AdGuard Home on your router would do that and give you logs on a per client basis. You wouldn't have to enable filtering but I find just basic adblocking is a must.

By using client settings you could also enforce safe search for the kids machines, help hide some of the darker sides of the net that way.

Otherwise I think the only other way would be to install parental software on their machine that logs everything.

My guess would be an http/https proxy server.