3.2. How does Kerio Network Monitor work?

Packet Monitoring

Kerio Network Monitor Daemon watches network traffic in so-called promiscuous mode, i.e. the network adapter also accepts data that is not addressed to the computer on which the daemon runs. On a switched network the daemon only sees the traffic that the switch actually delivers to its port, so the monitoring computer must be connected to a port that mirrors the local network's Internet traffic, or sit on a shared segment that this traffic passes through. The daemon captures all IP packets and extracts the required information from them:

Volume of transferred data

For each captured IP packet the source and destination addresses are tested. If one of them belongs to the local network and the other to the Internet (i.e. the packet is a transfer between the local network and the Internet), the size of the data part of the transport protocol (TCP or UDP payload) is measured and recorded. If both addresses belong to the local network, or both belong to the Internet, the packet is not counted.

Whether an IP address belongs to the local network or to the Internet is determined by the program configuration (see chapter 6.1).

Note: Different network monitoring tools measure the volume of transferred data in different ways (e.g. whole Ethernet frames, the size of IP packets including headers, etc.). The figures gathered by Kerio Network Monitor can therefore differ from those of other tools. The deviation should not exceed 40%; if the difference is several times larger, look for a fault in the network or in the program configuration.
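The accounting rule above, and the reason the note's deviation exists, are easier to see in code. The following is an added example written for this page, not Kerio's code: it classifies constructed sample packets as local or Internet using an assumed local network of 192.168.1.0/24 (in the product this comes from the configuration in chapter 6.1), counts only the transport payload of packets that cross the local/Internet boundary, and then measures the same packets the way other tools might (whole IP packet, whole Ethernet frame) so the difference can be compared against the 40% guideline.

```python
"""Added example (not Kerio's code): local<->Internet byte accounting."""
import ipaddress
from dataclasses import dataclass

# Assumption: the local network is 192.168.1.0/24. In Kerio Network Monitor
# this is configured by the administrator (chapter 6.1).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

ETH_HDR = 14  # Ethernet header without VLAN tag; FCS not counted


@dataclass(frozen=True)
class Packet:
    """Constructed sample: the fields a monitor reads from an IP packet."""
    src: str
    dst: str
    proto: str         # "TCP" or "UDP"
    ip_total_len: int  # IP total length (IP header + IP payload)
    ip_hdr_len: int    # IP header length (20 without options)
    l4_hdr_len: int    # TCP header incl. options, or 8 for UDP

    def payload_len(self) -> int:
        """Transport-layer data only, which is what the page says is stored."""
        return self.ip_total_len - self.ip_hdr_len - self.l4_hdr_len


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def crosses_boundary(pkt: Packet) -> bool:
    """True only when exactly one endpoint is local (local<->Internet)."""
    return is_local(pkt.src) != is_local(pkt.dst)


def account(packets):
    """Per-local-host payload bytes, split into 'in' (from the Internet)
    and 'out' (to the Internet). Local<->local and Internet<->Internet
    packets are skipped, as described in the text."""
    totals = {}
    for p in packets:
        if p.proto not in ("TCP", "UDP") or not crosses_boundary(p):
            continue
        host, direction = (p.src, "out") if is_local(p.src) else (p.dst, "in")
        counters = totals.setdefault(host, {"in": 0, "out": 0})
        counters[direction] += p.payload_len()
    return totals


def compare_methods(packets):
    """The same boundary-crossing traffic measured three ways, to show
    why totals from different tools do not agree."""
    crossing = [p for p in packets if crosses_boundary(p)]
    return {
        "payload": sum(p.payload_len() for p in crossing),
        "ip_packet": sum(p.ip_total_len for p in crossing),
        "frame": sum(ETH_HDR + p.ip_total_len for p in crossing),
    }


def within_tolerance(ours: int, theirs: int, limit: float = 0.4) -> bool:
    """Apply the page's rule of thumb: a deviation above `limit` (40%)
    points to a network or configuration problem."""
    smaller = min(ours, theirs)
    return smaller > 0 and abs(ours - theirs) / smaller <= limit


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("192.168.1.10", "93.184.216.34", "TCP", 1500, 20, 32),  # upload
    Packet("93.184.216.34", "192.168.1.10", "TCP", 1500, 20, 32),  # download
    Packet("93.184.216.34", "192.168.1.10", "TCP", 52, 20, 32),    # bare ACK
    Packet("192.168.1.10", "192.168.1.20", "TCP", 1500, 20, 20),   # LAN only
    Packet("192.168.1.11", "8.8.8.8", "UDP", 61, 20, 8),           # DNS query
    Packet("8.8.8.8", "192.168.1.11", "UDP", 125, 20, 8),          # DNS reply
]

if __name__ == "__main__":
    print(account(SAMPLE))
    m = compare_methods(SAMPLE)
    print(m, "frame vs payload within 40%:", within_tolerance(m["payload"], m["frame"]))
```

Note that the bare ACK and the LAN-only packet contribute nothing to the payload totals, while a frame-based tool still counts the ACK; over small packets (DNS, ACKs) header overhead dominates, which is where most of the deviation between tools comes from.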

Viewing current connections

All captured IP packets are scanned for the TCP segments that open and close connections (segments with the SYN and FIN flags set), so Kerio Network Monitor knows about all open connections of the individual workstations in the network. Communication over UDP is displayed in a similar way. Because UDP is a datagram-oriented protocol, so-called pseudo-connections are evaluated instead: a pseudo-connection lasts until the interval between UDP datagrams exchanged by the source and destination stations exceeds a predefined time (default: 180 seconds).
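The following connection table is an added example for this page, not Kerio's code. It replays constructed packet summaries (timestamp, addresses, ports, TCP flags), opens a TCP entry on a SYN, closes it once both sides have sent FIN, and groups UDP datagrams into pseudo-connections that expire after an idle timeout defaulting to the 180 seconds mentioned above. The packet fields and the sample traffic are assumptions made for the example.

```python
"""Added example (not Kerio's code): connection table built from packets."""
from dataclasses import dataclass

IDLE_TIMEOUT = 180.0  # seconds; the page's default for UDP pseudo-connections


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary (what a sniffer would decode per packet)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "FA"


@dataclass
class Conn:
    proto: str
    client: str
    cport: int
    server: str
    sport: int
    opened: float
    last_seen: float
    fins_seen: int = 0  # TCP: closed after both sides have sent FIN


def _key(p: Pkt):
    """Direction-independent 5-tuple so both halves of a flow share one entry."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class ConnectionTable:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.open: dict = {}
        self.closed: list = []

    def observe(self, p: Pkt) -> None:
        self._expire_udp(p.ts)
        k = _key(p)
        c = self.open.get(k)
        if p.proto == "TCP":
            if c is None:
                # Only a client SYN (SYN without ACK) opens an entry. A segment
                # of a connection whose SYN was never captured is ignored, so a
                # SYN-based tracker cannot know about connections that were
                # already open when capturing started.
                if "S" in p.flags and "A" not in p.flags:
                    self.open[k] = Conn("TCP", p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
                return
            c.last_seen = p.ts
            if "F" in p.flags:
                c.fins_seen += 1
                if c.fins_seen >= 2:
                    self.closed.append(self.open.pop(k))
        elif p.proto == "UDP":
            if c is None:
                # First datagram of a pair starts a pseudo-connection.
                self.open[k] = Conn("UDP", p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            else:
                c.last_seen = p.ts

    def _expire_udp(self, now: float) -> None:
        """Pseudo-connections end once the gap between datagrams exceeds the timeout."""
        stale = [k for k, c in self.open.items()
                 if c.proto == "UDP" and now - c.last_seen > self.idle_timeout]
        for k in stale:
            self.closed.append(self.open.pop(k))

    def current(self):
        """What a 'current connections' view would list."""
        return sorted((c.proto, c.client, c.cport, c.server, c.sport)
                      for c in self.open.values())


def replay(packets, idle_timeout: float = IDLE_TIMEOUT) -> ConnectionTable:
    table = ConnectionTable(idle_timeout)
    for p in packets:
        table.observe(p)
    return table


# Constructed sample: one HTTP connection that opens and closes, one DNS
# exchange, and a later DNS query that arrives after the idle timeout.
SAMPLE = [
    Pkt(0.0, "192.168.1.10", 49152, "93.184.216.34", 80, "TCP", "S"),
    Pkt(0.1, "93.184.216.34", 80, "192.168.1.10", 49152, "TCP", "SA"),
    Pkt(0.1, "192.168.1.10", 49152, "93.184.216.34", 80, "TCP", "A"),
    Pkt(1.0, "192.168.1.11", 53000, "8.8.8.8", 53, "UDP"),
    Pkt(1.05, "8.8.8.8", 53, "192.168.1.11", 53000, "UDP"),
    Pkt(2.0, "192.168.1.10", 49152, "93.184.216.34", 80, "TCP", "FA"),
    Pkt(2.1, "93.184.216.34", 80, "192.168.1.10", 49152, "TCP", "FA"),
    Pkt(200.0, "192.168.1.11", 53000, "8.8.8.8", 53, "UDP"),  # 198.95 s idle: new pseudo-connection
]

if __name__ == "__main__":
    t = replay(SAMPLE)
    print("open:", t.current())
    print("closed:", [(c.proto, c.client, c.opened) for c in t.closed])
```

With the default timeout the last DNS query starts a second pseudo-connection because more than 180 seconds passed since the previous datagram; raising the timeout to 300 seconds makes the same packets one continuous pseudo-connection, which is the trade-off behind the configurable interval.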

Monitoring of services

Each captured IP packet is checked to see whether it carries data of one of the defined services (see chapter 6.2). If it does, the data is stored.

As an example, consider the transfer of e-mail via the SMTP protocol. If a TCP connection to destination port 25 is recorded, all packets belonging to that connection are monitored, and from them the e-mail addresses of the sender and the recipient of the message, and optionally the content of the message itself, can be reconstructed. This works because SMTP on port 25 is a plaintext protocol; once a session switches to TLS (STARTTLS), the packets carry only ciphertext and nothing beyond the existence of the connection can be recovered from them.
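To make the SMTP example concrete, here is an added parser written for this page (not Kerio's code). It walks the reassembled client-to-server byte stream of one port-25 connection, which is assumed to have been reassembled in order already, and recovers the sender, the recipients and the message body, handling the details a plain text search gets wrong: several messages in one connection, the end-of-data marker and dot-unstuffing. The sample streams are constructed for the example; the second one shows that a session that issues STARTTLS yields nothing.

```python
"""Added example (not Kerio's code): reconstruct e-mail from a plaintext
SMTP client stream (TCP destination port 25)."""
import re
from dataclasses import dataclass, field

_ADDR = re.compile(r"<([^>]*)>")


@dataclass
class Message:
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    body: str = ""


def _address(line: str) -> str:
    """Address from 'MAIL FROM:<a@b>' / 'RCPT TO:<c@d>' (angle brackets optional)."""
    m = _ADDR.search(line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def parse_smtp_client_stream(data: bytes) -> list:
    """Return one Message per completed DATA transaction in the stream.

    Assumes `data` is the client->server half of the TCP connection,
    reassembled in order (reassembly is not part of this example).
    """
    messages = []
    current = Message()
    in_data = False
    body_lines = []
    for raw in data.split(b"\r\n"):
        line = raw.decode("utf-8", errors="replace")
        if in_data:
            if line == ".":
                # A lone '.' ends the message (RFC 5321 end-of-data marker).
                current.body = "\r\n".join(body_lines)
                messages.append(current)
                current, in_data, body_lines = Message(), False, []
            else:
                # Body lines starting with '.' were sent doubled; undo that.
                body_lines.append(line[1:] if line.startswith("..") else line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            current.mail_from = _address(line)
        elif upper.startswith("RCPT TO:"):
            current.rcpt_to.append(_address(line))
        elif upper.startswith("DATA"):
            in_data = True
        elif upper.startswith("RSET"):
            current = Message()  # transaction abandoned before DATA
        elif upper.startswith("STARTTLS"):
            # After the server's 220 reply the stream is TLS ciphertext;
            # nothing further can be reconstructed from the capture.
            break
    return messages


# Constructed sample: one plaintext session carrying a single message.
SAMPLE_PLAIN = (
    b"EHLO workstation.example.local\r\n"
    b"MAIL FROM:<alice@example.local>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"RCPT TO:<carol@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: quarterly figures\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
    b"..this line really starts with one dot\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

# Constructed sample: the client upgrades to TLS; the rest is opaque.
SAMPLE_TLS = (
    b"EHLO workstation.example.local\r\n"
    b"STARTTLS\r\n"
    b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"  # stand-in for TLS records
)

if __name__ == "__main__":
    for msg in parse_smtp_client_stream(SAMPLE_PLAIN):
        print(msg.mail_from, "->", msg.rcpt_to)
        print(msg.body)
    print("messages recovered from TLS session:", len(parse_smtp_client_stream(SAMPLE_TLS)))
```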

Configuration File

Kerio Network Monitor configuration is stored in the file NetMon2.cfg, which is located in the directory where Kerio Network Monitor is installed (typically C:\Program Files\Kerio\Network Monitor). To back up your settings, simply copy this file.

Warning: Stop Kerio Network Monitor Daemon before doing anything with the configuration file (see chapter 5.2)!

Data Storage

The measured data is stored in binary files on disk. In the data folder (by default the folder where Kerio Network Monitor is installed), the following subfolders are created. Note that the captured objects described below contain the content of monitored users' traffic, so access to the data folder should be restricted accordingly.

  • high: data with high resolution (sampling rate 3 seconds)

  • low: data with low resolution (sampling rate 1 hour)

Within these folders a subfolder is created for the IP address of each computer in the local network, and the files with the acquired data are stored in it (high-resolution data: one file per day; low-resolution data: one file per 28 days).

The following subfolders are also created:

  • browse: information about the captured objects of the monitored services (URLs of web pages, e-mail addresses, FTP sessions, etc.)

  • captured: the captured objects themselves (e.g. captured web pages, e-mail messages, etc.)

  • logs: the log files (see chapter 7.7)

  • debug: data stored for detailed monitoring of a particular service (see chapter 6.2)

This folder structure is fairly flexible, because it allows, for example:

  • merging the data with another data set (provided the two sets cover mutually exclusive time periods)

  • deleting the records for a particular computer (IP address)

  • deleting the data of a particular service (e.g. WWW)

Before performing operations of this kind, stop Kerio Network Monitor Daemon (see chapter 5.2).

Data Storage Folder Modification

If you need to change the folder in which the measured and captured data and the log files are stored (for example, to keep them on a different disk), do so by modifying the appropriate parameter in the configuration file.

First stop the Network Monitor Daemon service (see chapter 5.2). Then open the file NetMon2.cfg (see the Configuration File section) in any text editor (e.g. Notepad). The data folder is given by the main_dir parameter. For technical reasons every backslash in the path must be doubled, so the path to the chosen data folder can look like this:

main_dir = "d:\\netmon_data"

It is best to change the data folder immediately after installing Kerio Network Monitor, before any real data has been measured. If you change the folder after the program has been in use for some time, you must copy (or move) the folders with the acquired data and the logs, i.e. browse, captured, debug, high, logs, low and www, to the new location.

Warning: The subfolder license must remain in the same folder as the program files (i.e. where Kerio Network Monitor was originally installed)!

After changing the folder, and copying the measured data if necessary, you can start Network Monitor Daemon again.
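The procedure above is easy to get wrong by hand (a single backslash where a doubled one is needed, or the license folder moved along with the data). The following helper is an added example for this page, not Kerio's tooling: it rewrites the main_dir value with correctly doubled backslashes, reads the value back for verification, and produces the list of folder moves, refusing to include anything that must stay with the program files. Only the main_dir line is taken from the page; the other lines of the sample configuration and the file encoding are assumptions. It must be run with the daemon stopped, exactly as the text requires.

```python
"""Added example (not Kerio's code): change main_dir in NetMon2.cfg and
plan the move of the data folders, keeping 'license' in place."""
import re
from pathlib import PureWindowsPath

# Folders that follow the data directory, as listed in the text.
DATA_FOLDERS = ["browse", "captured", "debug", "high", "logs", "low", "www"]
# Must stay next to the program files (see the warning above).
STAYS_WITH_PROGRAM = {"license"}

# Matches:  main_dir = "..."   and captures the raw (escaped) value.
_MAIN_DIR = re.compile(r'^([ \t]*main_dir[ \t]*=[ \t]*)"([^"\n]*)"', re.MULTILINE)


def escape_cfg_path(path: str) -> str:
    """Normalise to a Windows path and double every backslash, as the
    configuration file format requires."""
    return str(PureWindowsPath(path)).replace("\\", "\\\\")


def set_main_dir(cfg_text: str, new_dir: str) -> str:
    """Return cfg_text with main_dir pointing at new_dir (properly escaped).
    If the key is missing it is appended, so the result is still usable."""
    value = '"%s"' % escape_cfg_path(new_dir)
    if _MAIN_DIR.search(cfg_text):
        # A function replacement avoids re's own backslash processing.
        return _MAIN_DIR.sub(lambda m: m.group(1) + value, cfg_text, count=1)
    sep = "" if (not cfg_text or cfg_text.endswith("\n")) else "\n"
    return cfg_text + sep + "main_dir = " + value + "\n"


def read_main_dir(cfg_text: str) -> str:
    """Inverse of the escaping: the path as the file system sees it,
    or '' when the key is absent."""
    m = _MAIN_DIR.search(cfg_text)
    return m.group(2).replace("\\\\", "\\") if m else ""


def must_stay(folder: str) -> bool:
    return folder in STAYS_WITH_PROGRAM


def plan_move(install_dir: str, new_dir: str, folders=DATA_FOLDERS):
    """(source, destination) pairs for the folders that follow main_dir.
    Raises if asked to move something that must stay with the program."""
    src_root, dst_root = PureWindowsPath(install_dir), PureWindowsPath(new_dir)
    moves = []
    for name in folders:
        if must_stay(name):
            raise ValueError("%s must remain in %s" % (name, install_dir))
        moves.append((str(src_root / name), str(dst_root / name)))
    return moves


def update_config_file(cfg_path: str, new_dir: str) -> None:
    """Rewrite NetMon2.cfg in place, keeping a .bak copy of the original.
    Assumes a plain text file (the page says it is edited with Notepad).
    Run only while the daemon is stopped."""
    with open(cfg_path, "r", encoding="utf-8") as f:
        original = f.read()
    with open(cfg_path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(cfg_path, "w", encoding="utf-8") as f:
        f.write(set_main_dir(original, new_dir))


# Constructed sample (not a real NetMon2.cfg); only main_dir is from the page.
SAMPLE_CFG = (
    '; constructed sample configuration\n'
    'main_dir = "C:\\\\Program Files\\\\Kerio\\\\Network Monitor"\n'
    'some_other_key = 1\n'
)

if __name__ == "__main__":
    updated = set_main_dir(SAMPLE_CFG, r"d:\netmon_data")
    print(updated)
    print("decoded:", read_main_dir(updated))
    for src, dst in plan_move(read_main_dir(SAMPLE_CFG), read_main_dir(updated)):
        print("move", src, "->", dst)
```

Because the helper derives the source folder from the old main_dir value and only moves the folders the text lists, the license subfolder is never touched; calling plan_move with "license" in the folder list fails loudly instead of silently breaking the installation.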