User’s Guide Kerio Technologies
© 2001–2003 Kerio Technologies. All rights reserved. Printing date: April 10, 2003. Current product version: Kerio Network Monitor 2.1.0. All additional modifications and updates reserved.
Chapter 1 Introduction
Kerio Network Monitor is a small but powerful tool for online monitoring of network traffic. It offers a wide choice of which activities and events can be monitored.
Line load chart: The online display of the Internet connection load (incoming and outgoing traffic) in time ranges from 1 minute to 1 year. Average transfer speeds are shown over intervals from 3 seconds (1 minute graph) up to 3 days (1 year graph).
transferred using encrypted connections). The sender address, the recipient address and the size of the sent message are stored.
ICQ log: Use the ICQ Log dialog to view information on communication through the ICQ and ICQ2Go protocols. ICQ numbers and nicknames of senders and recipients as well as the message body are logged.
Remote access: Kerio Network Monitor separates the monitoring service (Daemon) from the user interface. These two components communicate via the TCP/IP protocol.
Chapter 2 Quick Checklist
This chapter gives you a basic step-by-step guide to quickly set up the important parameters of Kerio Network Monitor so that it can be used immediately. If you are unsure about any of the steps, look up the chapter dealing with the corresponding topic.
1. Choose a suitable computer in your network and install both components of Kerio Network Monitor on it (see chapters 4 and 3.3).
2. Log in to the viewer (see chapter 5.
Chapter 3 Technical Information
3.1 Kerio Network Monitor Components
Kerio Network Monitor consists of two separate components:
Watching service (Daemon): The executive core of the program, which captures packets and saves the data into a file on disk. It runs as a service (on Windows NT/2000/XP) or as a background application (on Windows 9x/Me).
Viewer: Intended for viewing and analyzing the gathered data and for configuring the service.
including headers, etc.). The information gathered by Kerio Network Monitor can therefore differ from that acquired by other tools (the deviation should not exceed 40%; if the difference is several times higher, look for an error in the network or in the program configuration).
Viewing current connections: All captured IP packets are scanned for TCP segments that open and close connections (SYN and FIN flags).
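The two mechanisms just described, recognising connections from SYN/FIN segments and counting bytes including IP headers, are illustrated by the following added example. It is not Kerio's code and not part of the manual; the packet records are constructed sample data, and `deviation_ok` is an assumed helper that applies the manual's 40% sanity bound when comparing header-inclusive totals with another tool's figure.

```python
# Added example (not Kerio code): a minimal connection tracker in the spirit
# of the manual's description. Connections are recognised from a pure SYN,
# closed on FIN/RST, and byte counts include IP headers. Packets below are
# constructed sample data.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # subset of "SAFR" (SYN, ACK, FIN, RST)
    length: int     # total IP datagram length, headers included


@dataclass
class Conn:
    client: tuple
    server: tuple
    sent: int = 0       # bytes client -> server
    received: int = 0   # bytes server -> client
    open: bool = True


class Tracker:
    """Tracks connections whose opening SYN was seen; others are ignored."""

    def __init__(self):
        self.conns = {}
        self.ignored = 0   # packets with no tracked connection (seen mid-stream)

    def feed(self, pkt: Packet) -> None:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            # pure SYN: the client opens a new connection towards the server
            self.conns[fwd] = Conn((pkt.src, pkt.sport), (pkt.dst, pkt.dport))
        conn = self.conns.get(fwd) or self.conns.get(rev)
        if conn is None:
            self.ignored += 1
            return
        if (pkt.src, pkt.sport) == conn.client:
            conn.sent += pkt.length
        else:
            conn.received += pkt.length
        if "F" in pkt.flags or "R" in pkt.flags:
            # FIN (or RST) closes the connection; it stays listed as closed
            conn.open = False

    def open_connections(self):
        return [c for c in self.conns.values() if c.open]


def process(packets):
    t = Tracker()
    for p in packets:
        t.feed(p)
    return t


def deviation_ok(measured: int, reference: int, limit: float = 0.40) -> bool:
    """Assumed helper: header-inclusive totals may differ from another tool's
    figure, but the manual says not by more than about 40 %."""
    if reference <= 0:
        return False
    return abs(measured - reference) / reference <= limit


SAMPLE_PACKETS = [  # constructed: one full HTTP exchange plus a stray packet
    Packet("192.168.1.10", 3568, "203.0.113.4", 80, "S", 60),
    Packet("203.0.113.4", 80, "192.168.1.10", 3568, "SA", 60),
    Packet("192.168.1.10", 3568, "203.0.113.4", 80, "PA", 200),
    Packet("203.0.113.4", 80, "192.168.1.10", 3568, "PA", 1500),
    Packet("192.168.1.10", 3568, "203.0.113.4", 80, "FA", 52),
    Packet("203.0.113.4", 80, "192.168.1.10", 3568, "FA", 52),
    Packet("192.168.1.11", 4000, "203.0.113.9", 25, "PA", 100),  # no SYN seen
]

if __name__ == "__main__":
    t = process(SAMPLE_PACKETS)
    for key, c in t.conns.items():
        print(key, "sent", c.sent, "received", c.received, "open", c.open)
    print("ignored packets:", t.ignored)
```

The stray packet in the sample is deliberately counted as ignored rather than silently dropped: a connection whose SYN was never seen (for example one that was already open when capture started) is exactly the kind of gap that makes totals drift from another tool's numbers.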
3.2 How does Kerio Network Monitor work?
data (the high resolution data: one file per day; the low resolution data: one file per 28 days). The following subfolders are then created:
• browse — information about the captured objects of the monitored services (URLs of web pages, E-mail addresses, FTP relations, etc.)
• captured — captured objects (e.g. captured WWW pages, E-mail messages, etc.)
• logs — files with the logs (see chapter 7.
Warning: The subfolder license must remain in the same folder as the program files (i.e. where Kerio Network Monitor was originally installed)! After changing the folder and, if needed, copying the measured data, you can run the Network Monitor Daemon again.
3.3 Technical Limitations
The way Kerio Network Monitor works implies some minor limitations.
The most common case is when the mail server runs on the computer that is also the Internet gateway. Kerio Network Monitor then "sees" only the local communication of the clients with the mail server. The default configuration of Kerio Network Monitor contains rules that treat this communication as Internet communication (so that the data volume is measured.
Chapter 4 Installation
Kerio Network Monitor can be installed on any computer in your local network running the Windows 95 OSR2, 98, Me, NT 4.0, 2000 or XP operating system. Older versions are not supported. Installation is performed by running the installation archive, e.g.:
kerio-netmon-2.10-en-win.exe
During the installation, the user can choose which components of Kerio Network Monitor are to be installed:
NetMon Daemon: Monitoring service (Daemon).
NetMon Application: Viewer. It can be installed on any number of computers from which you will connect to the service.
Note: We recommend installing the viewer also on the computer where the monitoring service (Daemon) will be installed (to allow a local connection in case of network problems; on Windows 9x/Me it is the only way to stop and start the service, see chapter 5.2).
4.2 Importing the License Key
Pressing the Import license button displays a dialog for opening the file with the license (license.key). When it is loaded successfully, information about the current license appears in the License information section:
ID: Identifier of the license (used e.g. to verify the authenticity of the license).
Holder: Holder of the license, the individual or organization that bought the product.
Number of users: The number of users (i.e.
Chapter 5 Program Control
5.1 Logging in the Viewer
The viewer can be started by choosing Programs → Kerio → Network Monitor in the Start menu. The login dialog is shown after the program starts. In the Login to section, choose where the Kerio Network Monitor Daemon service is running:
local NetMon service Daemon: The service is running on the same computer as the viewer.
remote service on: The service is running on another (remote) computer.
User authentication: enter your user name and password. If you are logging in to Kerio Network Monitor for the first time (after installation), use the predefined user account Admin and leave the password empty. To store passwords in user profiles so that they need not be entered for each connection, use the Store password in user profile option. Log in by pressing the Login button.
5.3 Initial Configuration
cation (Installed (APP) — on Windows 9x/Me) or is not installed as a service (Not installed (SVC)).
Start: Runs the service (if stopped).
Reinitialize the service: Reinitialization of the service (in effect, stopping and restarting it); available only when the service is already running.
Stop: Stops the service (if running).
if network address translation (NAT) is used, only the address of the computer on which Kerio Network Monitor is running can be seen. Pressing the Done button stores the settings and starts the viewer itself. This dialog is not displayed on any later login. The settings can, of course, be modified in the program.
Chapter 6 Configuration
All settings of Kerio Network Monitor are made in the Configuration window, which is opened by choosing Settings / Configuration in the main menu or by pressing the Ctrl+S shortcut.
Note: All settings in the Configuration dialog take effect immediately (after pressing the OK button). There is never a need to restart the Kerio Network Monitor Daemon service. 6.
to the most general. The arrow buttons move the selected definition up or down in the list.
Definition of IP Addresses Group: After pressing the Add or Edit button, the dialog for defining an IP addresses group appears.
IP range specification: Type of the group. One of the following types can be chosen:
• Host — IP address of a particular computer
• Subnet: IP address / mask — IP subnet with the appropriate mask.
6.1 IP Addresses Ranges
Domain type specification: Type (domain) of the IP addresses group. This option defines how packets whose source and target addresses belong to this group are processed. The group of addresses can be included in one of the following domains:
• LAN — local network. The specific property of this group is that all captured addresses from this group are added to the list of computers (see chapter 7.1).
• TCP protocol with port — the rule is valid only for the TCP protocol and the given port. The protocol and the port define a particular service (e.g. SMTP, WWW, etc.). Port number 0 (zero) means all ports, i.e. all services using the TCP protocol.
• UDP protocol with port — the rule is valid only for the UDP protocol and the given port. The same considerations apply as for the TCP protocol.
6.2 Monitored Services
If your network is not made up of cascaded segments (e.g. several subnets interconnected by routers), you do not have to define any other rules for IP addresses. All the predefined rules can be modified or deleted if they do not suit the particular configuration. Usually this is not necessary; if, for example, only IP addresses from the range 192.168.0.0 are used in the local network, the rules for the other private ranges (10.0.0.0 and 172.16.0.
List of services: The window shows the list of defined services (in the default settings, the majority of the standard services are already predefined).
6.3 User Accounts
All traffic of ... protocol type: Protocol used by the given service. The options are: TCP, UDP, ICMP (Internet Control Message Protocol), PPTP (Point to Point Tunneling Protocol) and All (any protocol, i.e. all IP communication).
with port / subprotocol number: Port number used by the service (e.g. 25 = SMTP, 80 = WWW etc.). The value 0 (zero) means all ports (i.e. all communication using the selected protocol).
access to the data and the program configuration, and no data leak or intentional falsification of data by changing the configuration, should occur. Any number of user accounts with different levels of access rights can be defined in Kerio Network Monitor. The Users tab in the configuration dialog serves this purpose (the tab can also be opened from the Settings / Users menu).
User Definition
The dialog for defining a user account is shown after pressing the Add or Edit button.
Username: Name of the user. It should not contain spaces or punctuation marks. Upper and lower case letters are not distinguished.
Password: The user's password. It can contain any printable characters (including spaces); upper and lower case letters are distinguished.
This right is shown as Conf in the Rights column of the user list.
Change own password: The user has the right to change his own password (menu Action / Change password). If the Can manage users option is on, turning this option on or off has no effect. This right is not shown in the Rights column of the user list.
6.4 Log Settings
The Database tab is used to set the parameters for storing the acquired data.
The data retention time is determined by the following two parameters:
• Data for the high resolution — data with high resolution (3 second sampling rate). The retention time is given in weeks. This data makes up the majority of the stored data.
• Low resolution data — data with low resolution (1 hour sampling rate). This data occupies much less space than the high resolution data, but its accuracy is sufficient for observing longer time periods (e.g. 1 week and more).
Note: If the computer with Kerio Network Monitor is turned off at the given time, maintenance is performed on the next start of the Kerio Network Monitor Daemon service.
(Last cleaning took ... seconds): The time the last database maintenance took (in seconds). 6.
6.6 WWW Interface Parameters
The ICMP protocol and UDP protocol options are used to set the intervals described above.
TCP connection timeout: The TCP protocol is connection-oriented (a connection is first established, and the data is then transferred within it). In this case the time of creating and dropping the connection is known exactly. If a small amount of data is transferred over a fast line, the connection can last only a short time (often less than 1 second).
Daemon is installed, it is possible to use the standard port 80; then it is no longer necessary to specify the port in the browser when connecting to the WWW interface of Kerio Network Monitor.
Accept ’X-Forwarded-for’ tag...: This option enables Kerio Network Monitor to take the IP addresses of client computers from the X-Forwarded-for tag in HTTP requests that the embedded WWW server accepted from the proxy server.
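The X-Forwarded-for value is text supplied by whoever sends the request, so it is only meaningful when the request really arrived through the proxy. The following added example (not Kerio code and not part of the manual) shows the attribution logic a defender would want behind such an option: the header is believed only when the TCP peer is a known proxy, the right-most entry not belonging to a proxy is taken as the client, and anything malformed falls back to the peer address. `client_ip`, `TRUSTED_PROXIES` and the addresses are assumptions constructed for the example.

```python
# Added example (not Kerio code): deciding which address a Web-interface
# request is attributed to when an "Accept X-Forwarded-for" style option is on.
# The header is client-supplied text, so it is believed only when the request
# came from a trusted proxy. All addresses are constructed sample values.
import ipaddress
from typing import Iterable, Optional

# constructed: the address of the proxy in front of the embedded WWW server
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.1/32")]


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable, accept_xff: bool = True) -> str:
    """Return the address a request should be attributed to.

    remote_addr     TCP peer the embedded WWW server accepted the request from
    xff_header      raw X-Forwarded-For value, or None if the header is absent
    trusted_proxies networks whose X-Forwarded-For header is believed
    accept_xff      mirrors the option: False means the header is ignored
    """
    proxies = list(trusted_proxies)
    peer = ipaddress.ip_address(remote_addr)
    if not accept_xff or not xff_header:
        return str(peer)
    if not any(peer in net for net in proxies):
        # The header arrived directly from a client, not from the proxy, so it
        # could say anything; attribute the request to the peer instead.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # A proxy appends the address it saw, so the right-most entry that is not
    # a trusted proxy is the real client; entries left of it came from the
    # client and are not trusted.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # malformed header: fall back to the peer
        if not any(ip in net for net in proxies):
            return str(ip)
    return str(peer)                  # every hop was a trusted proxy


if __name__ == "__main__":
    # request via the proxy: attributed to the client the proxy recorded
    print(client_ip("192.168.1.1", "10.0.0.9, 192.168.1.42", TRUSTED_PROXIES))
    # request straight from a workstation carrying a forged header: peer wins
    print(client_ip("192.168.1.77", "10.0.0.9", TRUSTED_PROXIES))
```

Because later sections tie log visibility to the computer a user connects from, the address chosen here is also the one an access decision would be based on, which is why a forged header from a non-proxy peer must not be honoured.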
6.7 Additional Settings
Log access rights: Access rights to the logs (No logs access at all — no logs; My own logs only — only the logs for the computer the user is connected from; All monitored stations — logs for all registered computers).
Warning: Keep in mind that monitoring the contents of E-mail violates user privacy! If this option is not enabled, all users should be informed that their mail is monitored!
ICQ privacy: Use this option to define how communication through the ICQ and ICQ2Go protocols is monitored:
• No privacy — all transferred data is monitored (ICQ numbers, nicknames, message bodies)
• Do not save text of messages — Kerio Network Monitor does not store the content of individual messages (onl
Note: If you want to compare data acquired by Kerio Network Monitor with data from other programs or from the Internet provider, you need to find out which methods they use to obtain it and set the Include IP packet headers option of Kerio Network Monitor accordingly.
Daemon process priority class: Definition of the Kerio Network Monitor priority. High priority is set by default.
Chapter 7 Viewing and Analysis of Captured Data
Kerio Network Monitor offers several tools for the presentation and analysis of the captured data. These functions can be chosen from the View menu or directly from a toolbar icon (the order of the functions is the same):
Traffic chart: Chart of the transferred data volume. You can display the transferred data for the chosen time interval in several graphical representations. The incoming and outgoing data, particular computers, groups etc.
KNM access log: Log of users connecting to the application and of access to the Web interface. Each row includes the date, time and the following information:
• user’s login (username and DNS name or IP address of the host from which he/she connects)
Note: Failed login attempts are also logged; for example, you may find an entry showing that an unauthorized person tried to connect.
7.1 List of Computers
Use of List of Computers
The list of computers is important for the chart (see chapter 7.2) and the table of transferred data volume (see chapter 7.6). These functions can display data either for all computers in the local network (All computers) or only for the selected computer(s). Computers in the list can be arranged into groups (see below). One computer can be a member of several groups. Computers are selected by mouse click.
Note: If a packet with the same IP address is detected at any time afterwards, the computer is automatically included again.
New group: Creates a new group. The dialog for creating or changing a group contains the following parameters:
• Group name — name of the group. It should be sufficiently descriptive (i.e. it should reflect, in general, the type of computers that will be included in this group).
7.2 Traffic chart
Shows the chart of transferred data. The horizontal axis shows time, the vertical axis the connection load (in bytes per second). The arrow buttons above the chart move the vertical axis (from left to right):
• Jump to the beginning of the chart (i.e.
axis to the maximum captured value in the given representation (the option is turned on by default). This guarantees good readability of the chart.
A right mouse click in the chart area shows a menu with the following items:
Save chart as picture: Saves the chart as a picture in JPEG or BMP format.
Zoom in, Zoom out: Zooms the scale of the horizontal axis (time interval) in or out.
7.3 Current Connections
The Current connections window shows only the computers (or groups) that have at least one open connection (inactive computers are not displayed). Computers included in a group are displayed under the group, and the individual connections of a computer are displayed under that computer. The entry for a particular connection has the following structure:
TCP: zdenci:3568 -> 12.249.134.
Closed connections remain displayed in the Current connections window for the time specified in the program configuration (see chapter 6.5). An error occurs when a packet of a connection is lost and the connection loses synchronization (the connection is then terminated and a new one is established, if needed).
• *unknown* — name of the service (if it is defined in Kerio Network Monitor — e.g. SMTP, HTTP, FTP etc.
7.4 Tree of Scanned Data
Columns included in the connection list: The user can select which columns (information) are displayed in the Current connections window.
The data tree (in the left part of the window) contains two base branches:
• By client — data sorted by the IP address of the clients (i.e. computers in the local network)
• By protocol — data sorted by particular protocols (services)
Both branches contain identical data; they differ only in the sorting. The user can expand the selected branch of the tree and click on a particular object (e.g. a WWW page on a given server).
7.5 Status Information
Stop current transfer: Stops the transfer of the WWW page being opened (as in a browser).
Refresh tree: Updates the information in the tree (new data may have been scanned since the Scanned data window was opened). This function can also be invoked with the F5 key.
Max age: The maximum age of data to be presented in the tree (from 5 minutes to one week, or unlimited age — *unlimited*). The Max age option noticeably affects the size and readability of the tree.
• Packets filtered — number of filtered (discarded) packets: their source and target addresses belong to the same group, or one of these addresses belongs to the Discard packet group (see chapter 6.1)
• Too big packets — number of packets that could not be processed because their size exceeded the maximum cache size of the Kerio Network Monitor low-level driver. A large number of these packets can indicate a system error or a possible attack.
Disk space used by logs: The total disk space occupied by the recorded files and the total number of lines in these files.
7.6 Transferred Data Volume Table
The Report function shows, according to the specified parameters, a window with the table of transferred data volume.
Example: If we set the extent of the table as in the previous example, the Suggest start date button sets the date and time to seven days ago (i.e. the final table will display seven days). The checkbox When suggesting, include the current interval governs whether the suggested start time includes the current interval (which is not finished yet).
Example: Today is Saturday 1st June, 2002, 12:00 p.m. We consider the same interval as in the previous example (i.e.
7.7 Log Windows
Print the report: Prints the table. This option opens the standard system print dialog where a printer etc. can be selected.
Save the report: Saves the table as an HTML page or in CSV format (Comma Separated Values). The CSV format is quite common and can be opened by many programs (e.g. Microsoft Excel).
Sort the table: Sorts the table by the selected column. This option can be used repeatedly; a new table need not be created.
Log files can be further processed by external analytical tools (e.g. the Kerio Log Analyzer application — see www.kerio.com).
Connection Log
TCP: richard:1524 -> 205.107.97.6:80 171 + 2927By, 2s -HTTP:205.107.97.
• GET — method of the HTTP protocol (GET / POST)
• http://www.kerio.com/resources/home.gif — complete URL of the requested object
• HTTP/1.1 — HTTP protocol version (currently 1.0 or 1.1)
• 200 — HTTP protocol return code (see RFC2068 — www.ietf.org/rfc)
• 1221 — size of the object (in bytes)
Mail Log
richard - Fri 8/Mar/2002 14:26:01 SMTP From:"Richard Gabriel" , to:, subj:Order, 43 lines, 1366 bytes
• richard — name (or IP address) of the client (i.e.
’c:\Program Files\Kerio\Network Monitor\logs\mail.idx’
• Fri 8/Mar/2002 14:26:01 — date and time when the error was logged
• Warn — type of message (Warn — warning, or Err: error number) xxx — error including the
Warnings represent minor errors of lesser importance. The Kerio Network Monitor administrator should not ignore these warnings and should try to eliminate all errors.
• 192.168.2.38 — IP address of the computer where the error was logged.
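Since the manual says these log files are meant for further processing by external tools, the following added example (not Kerio code, not part of the manual) parses the connection-log and mail-log line layouts described above and sums bytes per client. The sample lines are constructed; the field after the trailing "-" in the connection log is kept as an opaque service annotation because the manual shows only its beginning, and the angle-bracket e-mail addresses in the mail line are an assumption (the excerpt above lost them).

```python
# Added example (not Kerio code): parsers for the connection-log and mail-log
# line layouts the manual describes, plus a per-client byte summary.
# Sample lines are constructed; the trailing "-SERVICE:..." field of the
# connection log and the <addr> form of mail addresses are assumptions.
import re
from collections import defaultdict
from datetime import datetime

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP): (?P<client>\S+):(?P<cport>\d+) -> "
    r"(?P<server>\S+):(?P<sport>\d+) (?P<sent>\d+) \+ (?P<recv>\d+)By, "
    r"(?P<secs>\d+)s(?: -(?P<service>.+))?$"
)

MAIL_RE = re.compile(
    r"^(?P<client>\S+) - (?P<when>\w{3} \d{1,2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\w+) From:(?P<sender>.*?), to:(?P<rcpt>.*?), subj:(?P<subj>.*?), "
    r"(?P<lines>\d+) lines, (?P<bytes>\d+) bytes$"
)


def parse_connection(line):
    """Connection-log line -> dict, or None when the line does not parse."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"], "client": d["client"], "cport": int(d["cport"]),
        "server": d["server"], "sport": int(d["sport"]),
        "sent": int(d["sent"]), "received": int(d["recv"]),
        "seconds": int(d["secs"]), "service": d["service"],
    }


def parse_mail(line):
    """Mail-log line -> dict, or None when the line does not parse."""
    m = MAIL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "client": d["client"],
        "when": datetime.strptime(d["when"], "%a %d/%b/%Y %H:%M:%S"),
        "proto": d["proto"], "sender": d["sender"], "recipient": d["rcpt"],
        "subject": d["subj"], "lines": int(d["lines"]), "bytes": int(d["bytes"]),
    }


def bytes_per_client(lines):
    """Total bytes (both directions) per client from connection-log lines.
    Unparsable lines are counted so that a format change does not silently
    make traffic disappear from the totals."""
    totals = defaultdict(int)
    unparsed = 0
    for line in lines:
        rec = parse_connection(line)
        if rec is None:
            unparsed += 1
            continue
        totals[rec["client"]] += rec["sent"] + rec["received"]
    return dict(totals), unparsed


CONNECTION_LOG = [  # constructed sample lines in the manual's layout
    "TCP: alice:1524 -> 203.0.113.6:80 171 + 2927By, 2s -HTTP:203.0.113.6",
    "TCP: alice:1525 -> 203.0.113.6:80 210 + 10240By, 3s -HTTP:203.0.113.6",
    "TCP: bob:2048 -> 203.0.113.25:25 1366 + 512By, 1s -SMTP:203.0.113.25",
    "garbage line that should not parse",
]

MAIL_LOG = [  # constructed; <addr> form of the addresses is an assumption
    'alice - Fri 8/Mar/2002 14:26:01 SMTP From:"Alice Example" <alice@example.com>, '
    'to:<bob@example.com>, subj:Order, 43 lines, 1366 bytes',
]

if __name__ == "__main__":
    print(bytes_per_client(CONNECTION_LOG))
    print(parse_mail(MAIL_LOG[0]))
```

Counting the unparsable lines separately is the point of `bytes_per_client`: when a log format drifts, a parser that quietly skips lines produces totals that look plausible but are wrong, which is harder to notice than an explicit count of rejects.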
Chapter 8 Web Interface
Kerio Network Monitor provides access to the captured data through a basic Web interface. This interface can display the connection load chart, the list of current connections, and a transferred data volume table created according to the specified parameters. The WWW interface operates in two modes: with an anonymous or an authenticated user.
If you want to display data about all computers in the local network, log in using the Login section. Information about all computers becomes accessible after a successful login. Otherwise, the WWW interface remains in anonymous mode.
8.2 Page Main
This section shows information about the system where the Kerio Network Monitor Daemon runs (system time, license information, used disk space...).
Select format: Format of the table (HTML page or file in CSV format)
Specify report parameters: Table parameter settings (see chapter 7.6).
Show the report: Shows the table of transferred data volume according to the specified parameters.
8.5 Page Connections
This page shows the current connections of particular computers; it is the equivalent of the Current connections window. The page cannot be configured. Details on how current connections are shown can be found in chapter 7.3. 8.
of transferred data volume or the view of current connections etc.) can be integrated into your own web site in this way.
General Format of URL
URLs of pages from the WWW interface have, in general, this format:
http://netmon:81/directory/page?parameter1=value&parameter2=value...
where:
• netmon — DNS name or IP address of the computer where Kerio Network Monitor runs.
8.7 Integration of the WWW Interface into the Company Website
Chart of Transferred Data Volume
The following URL displays the page with the chart of transferred data volume:
http://netmon:81/chart/form.html?resolution=1&IP1=1.2.3.4&IP2=5.6.7.8&IP3=10.11.12.
http://netmon:81/chart/image.png?resolution=3&IP1=0.0.0.0&IP2=127.0.0.1&service=1
This example shows an isolated chart for a time period of 1 hour; the transferred data volume for all computers is highlighted in red. Green represents the computer used for viewing the page.
Table of Transferred Data Volume
The following URL shows the table of transferred data volume (Report) according to the specified parameters:
http://netmon:81/report/output.
Value   Meaning
1       incoming (download)
2       outgoing (upload)
3       sum of both directions
• service — the data volume will be displayed for this service (see above, section Chart of transferred data volume)
Correct parameter settings are demonstrated in the following example.
http://netmon:81/report/output.
Chapter 9 Glossary of Terms
E-mail address: Identifies the recipient and the sender of a message in electronic mail communication.
HTTP: Protocol for transferring WWW pages. By default, the TCP protocol and port 80 are used.
HTTPS: Secured version of the HTTP protocol. Security is ensured by the encrypted SSL protocol. By default, the TCP protocol and port 443 are used.
IMAP: Clients can work with their e-mail messages on the server using IMAP. Messages need not be downloaded to the local computer.
Proxy server: An older method of Internet connection sharing. A client in the local network does not communicate directly with the target computer on the Internet but passes its request to the proxy server, which processes the request and delivers the response.
SMTP: Basic protocol used for e-mail delivery on the Internet. Sender and recipient are identified by e-mail addresses. By default, the TCP protocol and port 25 are used.