I'll try and clarify the first question...
I have a simple transparent bridge between my network and the internet. Packets from the LAN are received on CARD A, then sent out on CARD B to the Internet. Incoming Internet replies are received on CARD B and then sent on CARD A.
So both cards are always capturing and sending, and are doing this for ALL LAN traffic heading to the gateway (which is 700+ PCs); no pcap filters are applied and it's not in stats mode.
This works perfectly.. But I would like to be able to pick any IP using the bridge and calculate their live/current bandwidth usage.
I can log the IPs, etc., then divide per second etc.. Is this the right way to go? Or can I enable stats and capture/send at the same time?
As for DNS... It's not for anything illegal.
Basically we can filter adult content/facebook/etc. for students easily.... BUT some websites are switching to SSL, which causes current webfilters problems. Short of blocking all SSL sites.
My thought is... If I can monitor each PC's DNS requests.. I can see when a machine is trying to look up, say, GOOGLE+ and redirect it to a blocking page. Currently we monitor HTTP requests and redirect; it's just another level of student protection.
We can apply profiles to the desktops etc. to stop students adding HOSTS entries etc.. And firewall alternate DNS servers etc...
It's a little cleaner than Man in the Middle for SSL monitoring of sites... It's also more flexible than forcing, say, OpenDNS, as it's not flexible enough for us. (It's got no Safe Search and is missing LOTS of features).
I'll grab your latest source code and give it a try.
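The two things the post asks about (per-IP live bandwidth computed from the packets the bridge already forwards, and spotting DNS lookups of names the filter should catch) can be done on top of the packet stream without stats mode. The following is an added example, not code from this thread or from the capture library whose source the poster is about to try: it works on already-decoded packet records so it is independent of that library. The LAN prefix 10.0.0.0/24, the one-second window, the blocklist entries, the host addresses and the DNS payloads are all constructed for the example.

```python
import struct
from collections import defaultdict, deque, namedtuple
from ipaddress import ip_address, ip_network

# One decoded packet as the bridge would see it. The capture library is not
# modelled here; a real tool would fill these fields from the parsed frame.
Packet = namedtuple("Packet", "ts src dst length udp_dport payload")

LAN = ip_network("10.0.0.0/24")   # assumption: the student LAN behind CARD A


class BandwidthMeter:
    """Per-IP bits-per-second over a sliding window, split by direction."""

    def __init__(self, window_seconds=1.0):
        self.window = window_seconds
        self._samples = defaultdict(deque)   # (ip, direction) -> deque of (ts, bytes)
        self._totals = defaultdict(int)      # (ip, direction) -> bytes inside the window

    def record(self, pkt):
        # Count a packet as upload for a LAN source and download for a LAN destination.
        if ip_address(pkt.src) in LAN:
            self._add((pkt.src, "up"), pkt.ts, pkt.length)
        if ip_address(pkt.dst) in LAN:
            self._add((pkt.dst, "down"), pkt.ts, pkt.length)

    def _add(self, key, ts, nbytes):
        self._samples[key].append((ts, nbytes))
        self._totals[key] += nbytes

    def _expire(self, key, now):
        # Drop samples that have fallen out of the window (oldest first).
        q = self._samples[key]
        while q and q[0][0] <= now - self.window:
            _, old = q.popleft()
            self._totals[key] -= old

    def rate_bps(self, ip, now):
        """Return {'up': bits/s, 'down': bits/s} for ip as of time `now`."""
        out = {}
        for direction in ("up", "down"):
            key = (ip, direction)
            self._expire(key, now)
            out[direction] = self._totals[key] * 8 / self.window
        return out


def dns_query_name(payload):
    """Return the lowercase QNAME of a standard DNS query, or None when the
    payload is not a well-formed query (a response, no question, truncated)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                     # compression pointers never start a query name
            return None
        label = payload[pos:pos + n]
        if len(label) != n:              # truncated label
            return None
        labels.append(label.decode("ascii", "replace"))
        pos += n
    return ".".join(labels).lower() or None


def matches_blocklist(name, blocklist):
    """Suffix match so that sub.example.com is caught by an entry for example.com."""
    return any(name == d or name.endswith("." + d) for d in blocklist)


def build_dns_query(name, txid=0x1234):
    """Constructed sample input only: a minimal A-record query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def process(packets, blocklist, window_seconds=1.0):
    """Feed packets through the meter and flag LAN lookups of blocklisted names.
    Returns (meter, hits) where hits is a list of (ts, src_ip, name)."""
    meter = BandwidthMeter(window_seconds)
    hits = []
    for pkt in packets:
        meter.record(pkt)
        if pkt.udp_dport == 53 and ip_address(pkt.src) in LAN:
            name = dns_query_name(pkt.payload)
            if name and matches_blocklist(name, blocklist):
                hits.append((pkt.ts, pkt.src, name))
    return meter, hits


# Constructed sample traffic (not a real capture): two LAN hosts, one of which
# looks up a blocklisted name.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "8.8.8.8", 100, 53, build_dns_query("plus.google.com")),
    Packet(0.2, "10.0.0.5", "93.184.216.34", 1500, None, b""),
    Packet(0.6, "93.184.216.34", "10.0.0.5", 1500, None, b""),
    Packet(0.9, "10.0.0.7", "1.1.1.1", 80, 53, build_dns_query("example.org")),
    Packet(1.5, "10.0.0.5", "93.184.216.34", 500, None, b""),
]
BLOCKLIST = {"plus.google.com", "facebook.com"}   # assumption: names the filter should catch

if __name__ == "__main__":
    meter, hits = process(SAMPLE, BLOCKLIST)
    for ts, src, name in hits:
        print(f"t={ts:.1f}s {src} looked up blocked name {name}")
    print("10.0.0.5 at t=1.5s:", meter.rate_bps("10.0.0.5", now=1.5))
```

The sliding window answers the "log and divide per second" question directly: each packet is added once as it is forwarded, and the rate for any IP is read off on demand without a separate stats capture. Keying the DNS check on the question section rather than on the resolver's reply is what lets the bridge act before the SSL connection is ever attempted, and the QR-bit and compression-pointer checks make sure replies and malformed packets are simply ignored rather than misread as lookups.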