Subject: Driod to shoot down illegal traffic
Category: Computers > Software
Asked by: november1-ga
List Price: $15.00
Posted: 01 Apr 2005 00:08 PST
Expires: 01 May 2005 01:08 PDT
Question ID: 503504
I manage a campus network and find many users download MP3s, movies, etc. during the rush hours. It consumes 90% of the bandwidth to the ISP. Since I cannot afford an enterprise solution, e.g. websense, to block such traffic, I'm looking for software (driod) which can do the following:

1. monitor the IP packets and report all websites visited by all users, and
2. allow manual input a list of disallow sites (URL or IP addr), and
3. sends TCP RESET to the PCs which are connected to the disallow sites

Win32 is the preferred platform for the driod, but Linux is also okay.

There is no answer at this time.

Subject: Re: Driod to shoot down illegal traffic
From: dmrmv-ga on 01 Apr 2005 13:12 PST

I'm not sure what a driod is, but here is a combination that might work for you:

1) Squid (squid-cache.org), a caching proxy server
2) Squidview (link from dansguardian.org), a Squid log analysis utility
3) DansGuardian (dansguardian.org), internet filtering software that runs with Squid
4) Shorewall (shorewall.net) firewall (actually a configuration tool for Linux iptables)

There are numerous ways to configure the software and hardware, but here is a basic one: You set up your Linux box (I'll call it a squidserver) running the above software as the default gateway for the network, and tell your router to block any outgoing traffic coming from other addresses. Alternately you can install two NICs and place the squidserver between your network and gateway router and make all outbound traffic traverse your squidserver.

Either way, incoming HTTP traffic is redirected by iptables to a TCP port that DansGuardian is listening to. The software examines the request and decides whether it should be allowed to pass. If so, it forwards it to Squid, which forwards it to the default gateway. If not, the user is advised that access has been denied and why (the message and detail is configurable), and the IP address is logged (it can also be configured to use and report usernames and groups if Squid is so configured). Squid can also be configured to cache web objects like images so the request doesn't have to go over the Internet connection, but is served locally. DansGuardian examines the incoming content and determines if it is acceptable, and if not again warns the user. If it is acceptable it is forwarded to the user. If the user doesn't attempt to access unacceptable content the process is transparent.

Now for the best part (other than all of this software being free as in speech and beer): DansGuardian is very flexible about how and what it filters. It can be black/white/grey lists of sites, IP addresses, or URLs; content in a page (lists of weighted words and phrases); content in a URL; MIME types; file extensions; and can be customized for users and groups if Squid is configured for authentication. Lists for the above categories are available for download (free or subscription) and are easy-to-modify plain-text files.

With regard to your specific needs, here is how it answers them:

"1. monitor the IP packets and report all websites visited by all users"
Squid can be configured to log all websites visited and the IP address of the requesting machine, and the user name if configured for authentication. If you actually want to monitor IP packets you could use Ethereal, which is included in most Linux distros.

"2. allow manual input a list of disallow sites (URL or IP addr)"
DansGuardian does that and you can download pre-loaded lists, and edit those or create your own. Also disallows file extensions, MIME types, and page content.

"3. sends TCP RESET to the PCs which are connected to the disallow sites"
This it doesn't do; instead access is blocked and the user is told so and why (configurable; you could just pop up a fake 404 or not authorized page).

I'm not a Google researcher, but I recently implemented this setup and was surprised at how easy it was, and how powerful and configurable (if that's a word).
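
The comment above notes that Squid can log every site visited together with the requesting IP address. As an added example (not part of the original post), the sketch below summarizes such a log per client and flags requests to listed sites. It assumes Squid's default native access.log field order; the log lines, addresses, hostnames and disallow list are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log field order:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1112342880.123    950 192.168.1.20 TCP_MISS/200 4812345 GET http://music.example.net/a.mp3 - DIRECT/203.0.113.5 audio/mpeg
1112342881.456     40 192.168.1.21 TCP_HIT/200 10240 GET http://www.example.edu/logo.png - NONE/- image/png
1112342885.789   1200 192.168.1.20 TCP_MISS/200 7340032 GET http://video.example.org/clip.avi - DIRECT/203.0.113.9 video/x-msvideo
1112342890.001    300 192.168.1.22 TCP_MISS/200 2048 CONNECT mail.example.com:443 - DIRECT/203.0.113.7 -
this line is truncated
"""

DISALLOWED = {"example.net", "video.example.org"}  # hypothetical disallow list


def host_of(method, url):
    """Return the lower-cased host; CONNECT entries log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_disallowed(host, blocked=DISALLOWED):
    """True if the host itself or any parent domain is on the list."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))


def summarize(log_text, blocked=DISALLOWED):
    """Return ({client: {host: bytes}}, [(client, host, bytes) for listed hosts])."""
    usage = defaultdict(lambda: defaultdict(int))
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue  # skip malformed or truncated lines
        client, size, method, url = f[2], int(f[4]), f[5], f[6]
        host = host_of(method, url)
        if host:
            usage[client][host] += size  # bytes delivered to this client per site
            if is_disallowed(host, blocked):
                hits.append((client, host, size))
    return usage, hits


if __name__ == "__main__":
    usage, hits = summarize(SAMPLE_LOG)
    print({c: dict(s) for c, s in usage.items()}, hits)
```

Summing the byte counts per client also shows which machines account for most of the traffic during busy hours.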

Subject: Re: Driod to shoot down illegal traffic
From: pinkfreud-ga on 01 Apr 2005 13:18 PST

Maybe "driod" = "droid"???

Subject: Re: Droid to shoot down illegal traffic
From: november1-ga on 01 Apr 2005 17:13 PST

Thanks for your input. Unfortunately, it doesn't work in my situation but I agree it's the logical setup. I manage the LAN switches only, but not the router & firewall, and the internal bureaucracy prohibits me from touching them. Therefore, I need a droid that sits silently on the LAN and shoots down illegal TCP sessions by listening to the traffic. The operation is like websense in transparent mode.

PS. It should be droid (robot). Sorry for my spelling mistake.

Subject: Re: Driod to shoot down illegal traffic
From: dmrmv-ga on 03 Apr 2005 15:45 PDT

I actually figured out you meant droid right after I hit the Post button :) I didn't explain myself very well. You actually wouldn't need admin access to the router or firewall to implement the 2 NIC solution: just put the server in between the switch and the router. Unplug the switch end of the patch cable coming out of the switch and going to the router port, plug it into the outgoing NIC, and patch the switch port to the incoming NIC. You would need to change the default gateway on your PCs; I assume you use DHCP so this shouldn't be too difficult, as you can run DHCP on the Linux server if you don't have the ability to change the current DHCP server. The outgoing NIC would be in the subnet the router expects to see, and the incoming NIC would be in a separate private subnet. This page explains it fairly well: http://www.shorewall.net/two-interface.htm

The only difference is that you are adding Squid and DansGuardian on top of the basic Linux iptables firewall.

Since you are in a switched environment, the only way you can monitor the traffic is to make it go to the device running the droid. If you can't do that I don't think there is any way to do what you are asking, since your droid has to see the traffic to be able to respond. If you can do that, Squid and DansGuardian will work, at least to block the traffic.

Subject: Re: Driod to shoot down illegal traffic
From: november1-ga on 03 Apr 2005 20:18 PDT

Thanks for the clarification and I'll try it. Let me keep this question here and see if there is any other input.