
How-To Geek

How to Configure Your Router for Network Wide URL Logging

Don’t be in the dark about who is visiting what web sites on your LAN. Use our two-prong approach to lock in on who is browsing what on your home network.

Whether you want to keep an eye on what your kids are doing, monitor the activities of people connecting to your Wi-Fi hotspot, or you’re just a little more curious than the average person, the following guide will help you monitor both the global URL requests originating from your network and the requests originating from individual users on the network. It’s a two-prong approach so you can easily do one without the other (individual monitoring without global monitoring or vice versa).

What You’ll Need to Enable URL Logging

Because this technique is two-prong we’ll divide the What You’ll Need section into two portions. First, if you’re only interested in global logging—keeping a record of every URL visited from your internet connection but without the granularity of seeing which specific computer is doing the requesting—you’ll need the following things:

  • A router that allows you to set custom DNS servers (the vast majority of routers do)
  • A free OpenDNS account

If you want to get a more granular view of the URL requests on your network and don’t mind exerting a little extra effort, you’ll need:

  • A router that allows logging (again, most routers do)
  • A free copy of WallWatcher

The first method is the simplest and requires only a few minutes of setup. The downside is that the router + OpenDNS method only allows you to see that requests are being made from your network and not who is making them. Thus you’ll know there have been multiple visits to ABC and XYZ site but all you’ll know is that they came from your network. A smaller downside is that it’s not in real time so you’ll have to wait roughly a day for the logs to update for review.

The second method involves enabling the Sys Log on your router, pulling that log, and putting it into a program for analysis (specifically to resolve all those IP addresses to human-readable URLs) before reading over the list. With this technique you’ll see specifically which computer or device on the network accesses what sites, and at what time.

We recommend working through the tutorial and setting up both methods. Use the first method (OpenDNS) to keep a general eye on things and the second and more intensive method (analyzing the logs) when you notice something amiss and want to delve in deeper to see what’s going on.

Configuring Your Router for OpenDNS


First, pay a visit to OpenDNS and sign up for their free home-user account. Plug in your email, choose a strong password, and then make sure to check your email to confirm your identity and activate the account. Once you’ve confirmed your account you’ll need to add your home IP to a network. OpenDNS supports multiple networks but all we’re concerned with is making sure that your home network is recognized by OpenDNS.


Click Add a network in your OpenDNS Dashboard and confirm that the IP it suggests you use is the IP address of your home internet connection. Name the connection Home (or the name of whatever network you’re planning on logging the URLs for).

When you’re done, if it doesn’t automatically kick you over to the Settings submenu of the dashboard, click on the tab to navigate there on your own. There you’ll find the new network you made, listed by the label you gave it and your IP address. Before OpenDNS will start logging for us we need to give it the go-ahead to do so. Click on the IP address to access the settings for that network.


Once inside the settings menu click Stats and Logs in the left hand column. Within the Stats and Logs menu check the box Enable stats and logs and then click Apply. Now that you’ve told OpenDNS to monitor your connection it’s time to go switch the DNS servers in your router to point at OpenDNS so it will have some traffic to monitor.

We’re using a Linksys router with custom Tomato firmware installed. In order to get to the DNS settings we logged into the router and navigated to Basic –> Network –> Static DNS.

Your router should have a similar menu. For tips on your specific router, check out the OpenDNS router guide here. Depending on your router and firmware you’ll have slots for 2-4 DNS server addresses. Fill as many of the slots as you have available using the following IP addresses in the following order:

  • 208.67.222.222
  • 208.67.220.220
  • 208.67.220.222
  • 208.67.222.220

Once you’ve added the new DNS servers to your router, make sure to save your settings. From this point forward OpenDNS will log all the URL requests originating from your home network. To view them simply log into your OpenDNS account, click on the Stats tab and review the Domains data. It’s worth noting that the stats aren’t updated in real time and you should expect at least a 12-24 hour lag between when a site is visited and when the domain appears in your stats page. Need more immediate and granular control? Read on to enable router-level logging.

Make sure to explore the Support pages at OpenDNS to get a bigger idea of the other things you can do with OpenDNS (such as free content filtering). It’s more than just a faster DNS server with logging features!

Enabling Router Logging and Log Analysis


OpenDNS is definitely the simple route. If you don’t need real time second-by-second logging and you want someone else to do the heavy lifting of translating all the IP addresses into human-friendly reports, it’s the way to go. If you want a more detailed look, however, you’re going to need to get your hands dirty. In this section of the guide we’re going to help you enable logging on your router and then use the free application Wall Watcher to analyze those logs in real time.

First, we need to enable logging on our router. We’ve never come across a router that doesn’t have a logging function so it’s highly probable that you can log connections with yours. We’re running a Linksys router with Tomato installed so we’re going to navigate to Status –> Logs –> Logging Configuration and then check Log To Remote System and then plug in the IP address of the computer we’re going to install Wall Watcher on. This IP address is the internal IP address on the LAN, in our case 192.168.1.117. Then under that in the Connection Logging section we toggled the Inbound and Outbound traffic to Both. Scroll down and click Save.

The router is now logging and sending the logs over the network to our host machine. Time to install Wall Watcher. Wall Watcher is not a straightforward one-click application to install, so pay attention to the following instructions to avoid any unnecessary frustration.

First download both the Wall Watcher apps and the Wall Watcher Library. Extract them both to the same folder. Run Setup.exe (if you get an error about a missing Visual Basic file, download and install the missing component from Microsoft here). When you run Setup for the first time you’ll see a dialog box with four checkboxes.

We checked all four but at minimum you must check the first one, Install and register Library Files. Skipping this step inevitably leads to errors unless by chance you have the exact libraries and files installed that the application needs.


On the first run you’ll be prompted to select your router. If you choose to Auto-Select WallWatcher will go through every router in its 125+ router database and test it against your router configuration. If you know the router you have, pick it from the list to save yourself some time (note: if you’re running Tomato, DD-WRT, or another popular alternative firmware, choose that from the list instead of your router’s model number). Click OK.

At this point you’ll see a really busy window pane with all your traffic flowing by. All of it will be in IP form, which isn’t particularly useful to you unless you feel like resolving the IPs by hand (which you can, by the way, using the included IP-URL.exe in the WallWatcher folder).


Click on Options –> Logging in the menu bar. Within the logging menu check Convert IP Addrs to URLs and OK to use NetBios 137. Click OK and return to the main WallWatcher pane. Now, next to the IP addresses you should see actual URLs whirling by.

Even more important for the second prong of our whole monitoring project, the local IP address is displayed. All the traffic in the above screenshot originated from the *.117 computer. Glancing at the log I can easily see my visit to Reddit during the testing phase of the setup. Although you can watch things in real time if you’re so inclined, WallWatcher logs all the connections and you can pull fresh logs from the router if need be on a case-by-case basis, so feel free to just let it run in the background (or not at all until you feel the need to fire it up and do some analysis).

WallWatcher is absolutely packed with settings and filters so you can easily tweak it to home in on a particular device on your network, ignore traffic to benign sources you’ve white listed, set up alerts for sites you’ve black listed, and more. With a little experimentation you’ll be examining your logs the way you want and with surgical precision.
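
The per-device view described above comes down to grouping the router's connection-log lines by LAN source address. The following is an added example, not code from this article or from WallWatcher: it assumes the router emits netfilter-LOG-style `SRC=`/`DST=`/`DPT=` fields (an assumption about your firmware's output) and a 192.168.1.0/24 LAN, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the article's 192.168.1.x LAN
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value pairs; value may be empty (OUT=)

# Constructed sample lines in netfilter LOG style (assumed router output format).
SAMPLE = """\
Jul 26 15:17:02 router kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.117 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50123 DPT=80
Jul 26 15:17:03 router kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.117 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50124 DPT=80
Jul 26 15:17:05 router kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.104 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=41000 DPT=443
Jul 26 15:17:09 router kernel: DROP IN=vlan1 OUT= SRC=198.51.100.99 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4444 DPT=23
Jul 26 15:17:10 router cron.info crond: truncated or unrelated line
"""

def parse_line(line):
    """Return (timestamp, src, dst, proto, dport), or None for non-connection lines."""
    fields = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None  # missing or malformed addresses: not a usable connection record
    return line[:15], src, dst, fields.get("PROTO", "?"), fields.get("DPT", "-")

def outbound_by_device(lines):
    """Map each LAN source IP to a Counter of (dst, proto, dport) it connected to."""
    report = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, proto, dport = rec
        if src in LAN and dst not in LAN:  # outbound only; skips inbound and LAN-to-LAN
            report[str(src)][(str(dst), proto, dport)] += 1
    return report

if __name__ == "__main__":
    for device, dests in sorted(outbound_by_device(SAMPLE.splitlines()).items()):
        print(device)
        for (dst, proto, dport), n in dests.most_common():
            print(f"  {n:4d}  {dst}:{dport}/{proto}")
```

To run it against a real log, pass the lines of the file your syslog receiver writes to `outbound_by_device` in place of `SAMPLE`.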


With the two-prong approach we’ve laid out here you can easily keep a global eye on your network from the comfort of your OpenDNS dashboard and swoop down to do a request-by-request analysis of your log files to see who specifically is doing what. Miss Scarlett on the iPad visiting HelloKitty.com? You’ll have the mystery solved in no time.

Jason Fitzpatrick is a warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 07/26/11

Comments (18)

  1. Tim

    Cool but can’t stand opendns. Level3 ftw! ;)

  2. chmurli

    What about linux servers? Is it wall watcher alternative to other linux?

  3. Chris

    I would like to know about the linux part too!

  4. Jay

    Hi, can someone help me? I am using a DD-WRT router and have configured both the router and Wall Watcher correctly but no logs are being shown in my Wall Watcher. It only says starting but it didn’t progress anymore.

  5. xut

    Good article but like others, I’d like to know about linux side

  6. Jason

    Followed the steps, but I get an error message:

    Component ‘MSWINSCK.OCX’ not correctly registered: file is missing or invalid

    If this was the missing VB file, I’m totally clueless, because I had already downloaded that file as well.

  7. punkgamer

    This would work great for me, if my ISP didn’t redirect all my port 53 traffic.

  8. geek4d

    This is a great article, however it does not appear to achieve what the title implies; which is network wide URL logging. URL being a Uniform Resource Locator – not simply logging all of the IP/hostname lookups or traffic. Just knowing what server someone is accessing doesn’t tell you what they are doing.

  9. Alouis

    Will this work with a dynamic IP?

  10. Josh B.

    Also would like to know what you can do using linux.

  11. Psybernoid

    For Linux users, I’ve put this together.
    This is for Debian & Ubuntu systems, I also assume that you’re using root to install this.
    All commands are prefixed by $, if you’re not comfortable using nano, change to something else, like vi or gedit.

    Install syslog-ng

    $apt-get install syslog-ng

    edit syslog-ng.conf
    $nano /etc/syslog-ng/syslog-ng.conf
    in sources section, after the line that starts with #source s_net, add:
    source s_router { udp(ip(your.linux.box.ip) port(514)); };
    in destination section, after the line that starts with destination d_uucp, add:
    destination d_router { file("/var/log/router.log"); };
    at the very end of the file, after the line that reads #log { sources(s_src) add:
    log { source(s_router); destination(d_router); };

    restart syslog-ng
    $/etc/init.d/syslog-ng restart

    confirm you have port 514 open on your linux box
    $netstat -an | grep 514
    hopefully you’ll see something like this:
    udp 0 0 linux.box.ip.address:514 0.0.0.0:*
    if not, open the port
    $iptables -A INPUT -p udp --dport 514 -j ACCEPT

    Add logfile rotation
    $nano /etc/logrotate.d/syslog-ng
    Before the very last entry – begins with:
    /var/log/syslog {
    add:
    /var/log/router.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
    }

    You can now view router logs by opening the file /var/log/router.log
    for added functionality, look into installing logzilla.

  12. Elazar55

    There’s a web usage function in TomatoUSB which sorts searches by ip. It can also store on a remote system if needs be.

  13. anu

    good!

  14. WestKY

    JAY >> from above post…Hi, can someone help me? i am using a DD-WRT router and have configured both the router and wall watcher correctly but no logs are being shown in my wall watcher. it only say starting but it didn’t progress anymore.

    I’m using DD-WRT v24-sp2 (01/02/10) mini on a Linksys/Cisco WRT160N v3. and having the same problem… ” starting” with a blank bar graph in front of the word ..( starting). Any ideas on how to solve this issue would be much appreciated.

  15. WestKY

    Sorry… the OS is Win 7 64 bit with the Winsock software installed.

  16. WestKY

    One other idea… I’m using Peerblock 1.0+ with a ton of filters so I think this may be a port forwarding issue perhaps?

  17. chris anzalone

    using syslog with wallwatcher is great

    but what do you do with thousands of pages of wallwatcher data?

    I’ve yet to find a simple syslog log viewer!

  18. P.Roxy

    Hi, same problem here. Can someone help me? Followed all steps; activated syslog in ZyXel P-2602HW-D1A router; WW doesn’t receive any data. Any ideas on how to solve this?
