Monitor IM traffic

phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.

Comments

  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    phoeneous wrote: »
    Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.

    I would use WireShark and set the filters for whatever type of IM traffic you are looking to capture. Google Mail uses jabber, but AIM and the others I don't know what they use.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    For something RIGHT NOW a network capture is probably best. what info are you trying to find?

    Barracuda IM Firewall - Instant Messaging Management and Archiving

    I would suggest blocking all IM at the application layer level except for those who need it for business. For the company set up OpenFire. I have been using OpenFire here at work (it's running off a small CentOS VM on ESXi) and people love it. You can use MySQL database to archive chat histories.

    Depending on where you work some might still need to use an external IM. We do lots of business with China, so our China "devision" uses IM with our partners there.
  • unclericounclerico Member Posts: 237 ■■■■□□□□□□
    phoeneous wrote: »
    Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.
    I second RobertKaucher's response for using OpenFire. I too have deployed it company wide and people love it. I have IM gateways for Yahoo, AOL, and MSN Messenger enabled to permit people to link their IM client to the external services. For people that need to use IM for business purposes we have them create a business specific profile on the public service. We archive all conversations on the Openfire server.
    Preparing for CCIE Written
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    unclerico wrote: »
    I second RobertKaucher's response for using OpenFire. I too have deployed it company wide and people love it. I have IM gateways for Yahoo, AOL, and MSN Messenger enabled to permit people to link their IM client to the external services. For people that need to use IM for business purposes we have them create a business specific profile on the public service. We archive all conversations on the Openfire server.

    I've also used OpenFire and love it!
  • Chivalry1Chivalry1 Member Posts: 569
    What platform is it? Live Communication Server 2005 has a archiving feature.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Also, if you have Enterprise Vault, you can integrate IM archiving into it with Symantec's IM Manager.
    Good luck to all!
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    I think I wrote my original message wrong. We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's. I need to prove that they are overusing it on company time because management suspects that they are. The only thing I can think of is a sniffer and filter for those protocols.
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    phoeneous wrote: »
    I think I wrote my original message wrong. We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's. I need to prove that they are overusing it on company time because management suspects that they are. The only thing I can think of is a sniffer and filter for those protocols.

    In that case I think Wire Shark would be best for this, and it has filters for IM traffic.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I understood the question. The easiest thing to do would be to run a sniffer on the DNS servers and on the connection with the DFG.

    Once you start seeing the ports being used run a PowerShell script like this
    [FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080]$computer[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Courier New][SIZE=2][COLOR=#ff0000][FONT=Courier New][SIZE=2][COLOR=#ff0000][FONT=Courier New][SIZE=2][COLOR=#ff0000]=[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]Read-Host [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]"Enter computer name"[/COLOR][/SIZE][/FONT]
    [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]get-wmiobject [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]Win32_ComputerSystem [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][I][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]-computername [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/I][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080]$computer[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Courier New][SIZE=2][FONT=Courier New][SIZE=2] | [/SIZE][/FONT][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]format-table[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][I][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]-property [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/I][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]username[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT]
    [B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]Get-Date[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B]
    
    To get the identity of the logged on user with a time stamp. You will then have network captures and data showing which user account was logged on to the PC at the time. But as a more perminent solution I suggest the Barracuda Networks IM filter.

    EDIT: And IMHO external IMs should be banned per company policy unless there is a valid business need for them. And in that case the employee should be using an IM account registered to a work email address with a password that is documented some place. External IM for a company is a lawsuit waiting to happen.
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    ...run a PowerShell script like this...

    I'm seriously have to learn more about PowerShell, I had know idea you could do stuff like that...
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    phoeneous wrote: »
    We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's.

    My suggestion of OpenFire is that you may find out that people are using this for legit business purposes. There may be managers who areusing it or even just employees who are using it to chat with other employees.

    openFire is a free way to ensure that this communication is done securely and in a manner that can be monitored.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I'm seriously have to learn more about PowerShell, I had know idea you could do stuff like that...

    I run SQL queries and import data into Excel and then format the Excel spread sheet using Powershell. I backup my WSS site using PowerShell. I run SQL Queries and export the data into WSS lists using PowerShell. I install VNC on remote PCs using PowerShell. I verify server uptime using PowerShell.

    I have one script that the AP person runs which gets information about the checks that have been run from the SQL server, formats the data per the bank's requirements, sends the data to the bank for security and then emails me, the AP person, and the group at the bank in charge of the "Poisitive Pay" accounting system when it is done. I was going to do it in C# but it was just easier in PowerShell.

    I believe there should be an MCTS on PowerShell...

    MCTS: PowerShell Scripting for Server Administration or something like that.
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    ... believe there should be an MCTS on PowerShell...

    MCTS: PowerShell Scripting for Server Administration or something like that.

    That would be cool!
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    I have one script that the AP person runs which gets information about the checks that have been run from the SQL server, formats the data per the bank's requirements, sends the data to the bank for security and then emails me, the AP person, and the group at the bank in charge of the "Poisitive Pay" accounting system when it is done. I was going to do it in C# but it was just easier in PowerShell.

    Yeah, feel free to send me this script anytime because I'm working on the same exact project :)

    Right now I'm using ssrs with a scheduled subscription to run the query and **** the file to a share. Then use task scheduler to kick off a seperate app provided by the bank to upload the file to their posi-pay site. Still working on the query, my concern is ssrs wont export it in the correct format...
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Shoot me an email and I will give any help I can. I doubt we are using the same SQL based app, as mine is for manufacturing. The bank isn't 5/3 by chance? Not even sure if they are in Vegas... But I will email you the script to give you some ideas on text and number formatting.
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    Shoot me an email and I will give any help I can. I doubt we are using the same SQL based app, as mine is for manufacturing. The bank isn't 5/3 by chance? Not even sure if they are in Vegas... But I will email you the script to give you some ideas on text and number formatting.

    No, its Wells Fargo. I'll send a pm today.
Sign In or Register to comment.