19.1  Active hosts and connected users

Status → Active Hosts displays the hosts within the local network or the active users that use WinRoute to communicate with the Internet.

Note: For more details about the firewall user's logon see chapter 10.1  Firewall User Authentication.

Look at the upper window to view information on individual hosts, connected users, data size/speed, etc.

Figure 19.1. List of active hosts and users connected to the firewall


The following information can be found in the Active Hosts window:

Hostname

DNS name of a host. If no corresponding DNS record is found, the IP address is displayed instead.

User

Name of the user who is connected from a particular host. If no user is connected, the item is empty.

Currently Rx, Currently Tx

Monitors current traffic speed (kilobytes per second) in both directions (from and to the host — Rx values represent incoming data, Tx values represent outgoing data).

The following columns are hidden by default. To view these columns select the Modify columns option in the context menu (see below).

IP address

IP address of the host from which the user is connecting

Login time

Date and time of the most recent user login to the firewall

Login duration

Monitors length of the connection. This information is derived from the current time status and the time when the user logged on

Inactivity time

Duration of the time with zero data traffic. You can set the firewall to log out users automatically after the inactivity exceeds the allowed inactivity time (for more details see chapter 11.1  Web interface preferences).

Start time

Date and time when the host was first acknowledged by WinRoute. This information is kept in the operating system until the WinRoute Firewall Engine is disconnected.

Total received, Total transmitted

Total size of the data (in kilobytes) received and transmitted since the Start time

Connections

Total number of connections to and from the host. Details can be displayed in the context menu (see below)

Authentication method

Authentication method used for the most recent user connection:

  • plaintext — user is connected through an insecure login site

  • SSL — user is connected through a login site protected by the SSL security system

  • proxy — a WinRoute proxy server is used for authentication and for connection to Websites

  • NTLM — user was authenticated with NTLM in NT domain (this is the standard type of login if Internet Explorer 5.5 or later or Firefox/SeaMonkey core version 1.3 or later is used)

  • VPN client — user has connected to the local network using the Kerio VPN Client (for details, see chapter 23  Kerio VPN).

    Note: Connections are not displayed and the volume of transmitted data is not monitored for VPN clients.

For more details about connecting and user authentication see chapter 10.1  Firewall User Authentication.

Information displayed in the Active Hosts window can be refreshed by clicking on the Refresh button.

Use the Show / Hide details option to open the bottom window providing detailed information on a user, host and open connections.

Active Hosts dialog options

Clicking the right mouse button in the Active Hosts window (or on the record selected) will display a context menu that provides the following options:

Figure 19.2. Context menu for the Active Hosts window


User quota

Use this option to show quota of the particular user (Administration Console switches to the User quota tab in Status → Statistics and selects the particular user automatically).

The User quota option is available in the context menu only for hosts from which a user is connected to the firewall.

Refresh

This option refreshes information in the Active Hosts window immediately (this function is equal to the Refresh button displayed at the bottom of the window).

Auto refresh

Settings for automatic refreshing of the information in the Active Hosts window. Information can be refreshed in the interval from 5 seconds up to 1 minute or the auto refresh function can be switched off (No refresh).

Logout user

Immediate logout of a selected user.

Logout all users

Immediate logout of all firewall users.

Manage Columns

By choosing this option you can select columns to be displayed in the Active Hosts window (see chapter 3.2  View Settings).

Detailed information on a selected host and user

Detailed information on a selected host and connected user is provided in the bottom window of the Active Hosts section.

Open the General tab to view information on user's login, size/speed of transmitted data and information on activities of a particular user.

Figure 19.3. Information about selected host/user — actions overview


Login information

Information on logged-in users:

  • User — name of a user, DNS name (if available) and IP address of the host from which the user is connected

  • Login time — date and time when a user logged-in, authentication method that was used and inactivity time (idle).

If no user is connected from a particular host, detailed information on the host is provided instead of login information.

Figure 19.4. Host info (if no user is connected from it)


  • Host — DNS name (if available) and IP address of the host

  • Idle time — time for which no network activity performed by the host has been detected

Traffic information

Information on size of data received (Download) and sent (Upload) by the particular user (or host) and on current speed of traffic in both directions.

An overview of detected activities of the particular user (host) is given in the main section of this window:

Activity Time

Time (in minutes and seconds) when the activity was detected.

Activity Event

Type of detected activity (network communication). WinRoute distinguishes between the following activities: SMTP, POP3, WWW (HTTP traffic), FTP, Streams (real-time transmission of audio and video streams) and P2P (use of Peer-to-Peer networks).

Note: WinRoute is not able to recognize which type of P2P network is used. Based on the results of certain tests, it can only "guess" that the client may be connected to such a network. For details, refer to chapter 17.1  P2P Eliminator.

Activity Description

Detailed information on a particular activity:

  • WWW — title of a Web page to which the user is connected (if no title is available, URL will be displayed instead). Page title is a hypertext link — click on this link to open a corresponding page in the browser which is set as default in the operating system.

    Note: For better transparency, only the first visited page of each web server to which the user connected is displayed. For detailed information about all visited pages, refer to Kerio StaR (see chapter 21  Kerio StaR — statistics and reporting).

  • SMTP, POP3 — DNS name or IP address of the server, size of downloaded/uploaded data.

  • FTP — DNS name or IP address of the server, size of downloaded/saved data, information on currently downloaded/saved file (name of the file including the path, size of data downloaded/uploaded from/to this file).

  • Multimedia (real time transmission of video and audio data) — DNS name or IP address of the server, type of used protocol (MMS, RTSP, RealAudio, etc.) and volume of downloaded data.

  • P2P — information that the client is probably using a Peer-to-Peer network.

Information about connections from/to the Internet

On the Connections tab, you can view detailed information about connections established from the selected host to the Internet and in the other direction (e.g. by mapped ports, UPnP, etc.). The list of connections provides an overview of services used by the selected user. Undesirable connections can be terminated immediately.

Figure 19.5. Information about selected host/user — connections overview


Information about connections:

Traffic rule

Name of the WinRoute traffic rule (see chapter 7  Traffic Policy) by which the connection was allowed.

Service

Name of the service. For non-standard services, port numbers and protocols are displayed.

Source, Destination

Source and destination IP address (or name of the host if the Show DNS names option is enabled — see below).

The following columns are hidden by default. They can be shown through the Modify columns dialog opened from the context menu (for details, see chapter 3.2  View Settings).

Source port, Destination port

Source and destination port (only for TCP and UDP protocols).

Protocol

Protocol used for the transmission (TCP, UDP, etc.).

Timeout

Time left before the connection will be removed from the table of WinRoute's connections.

Each new packet within this connection sets timeout to the initial value. If no data is transmitted via a particular connection, WinRoute removes the connection from the table upon the timeout expiration — the connection is closed and no other data can be transmitted through it.

Rx, Tx

Volume of incoming (Rx) and outgoing (Tx) data transmitted through a particular connection (in KB).

Info

Additional information (such as a method and URL in case of HTTP protocol).

Use the Show DNS names option to enable/disable showing of DNS names instead of IP addresses in the Source and Destination columns. If a DNS name for an IP address cannot be resolved, the IP address is displayed.

You can click on the Colors button to open a dialog where colors used in this table can be set.

Note:

  1. Upon right-clicking on a connection, the context menu extended by the Kill connection option is displayed. This option can be used to kill the particular connection between the LAN and the Internet immediately.

  2. The selected host's overview of connections lists only connections established from the particular host to the Internet and vice versa. Local connections established between the particular host and the firewall can be viewed only in Status → Connections (see chapter 19.2  Network connections overview). Connections between hosts within the LAN are not routed through WinRoute, and therefore they cannot be viewed there.
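The Timeout column behaviour described above (each packet resets the timer, an idle connection is removed on expiry, and a connection can be killed by hand) can be modelled as follows. This is an added example, not WinRoute code: the `ConnectionTable` class, the 60-second initial timeout and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

INITIAL_TIMEOUT = 60  # seconds; assumed value, not WinRoute's actual setting

@dataclass
class Connection:
    expires_at: float  # absolute time at which the entry is removed
    rx: int = 0        # bytes received through this connection
    tx: int = 0        # bytes sent through this connection

class ConnectionTable:
    """Toy model of a connection table with a per-connection idle timeout."""

    def __init__(self, initial_timeout=INITIAL_TIMEOUT):
        self.initial_timeout = initial_timeout
        self.entries = {}

    def expire(self, now):
        """Remove entries whose timeout has run out; return the removed keys."""
        dead = [k for k, c in self.entries.items() if c.expires_at <= now]
        for k in dead:
            del self.entries[k]
        return dead

    def packet(self, key, now, rx=0, tx=0):
        """Account a packet; return True if the connection was still in the table."""
        self.expire(now)
        known = key in self.entries
        conn = self.entries.setdefault(key, Connection(expires_at=now))
        conn.rx, conn.tx = conn.rx + rx, conn.tx + tx
        conn.expires_at = now + self.initial_timeout  # every packet resets the timer
        return known

    def remaining(self, key, now):
        """Seconds left before removal (what a Timeout column would show)."""
        return max(0, self.entries[key].expires_at - now)

    def kill(self, key):
        """Drop an entry immediately, like a Kill connection action."""
        return self.entries.pop(key, None) is not None

def demo():
    table = ConnectionTable()
    idle = ("10.0.0.5", 40001, "192.0.2.10", 80)     # constructed sample
    chatty = ("10.0.0.5", 40002, "192.0.2.20", 443)  # constructed sample
    table.packet(idle, now=0, tx=500)
    for t in range(0, 181, 30):  # one packet every 30 s keeps this one alive
        table.packet(chatty, now=t, rx=1000)
    return table, idle, chatty
```

In the model, the connection that sends one packet every 30 seconds never leaves the table, while the silent one disappears after the first timeout. For that reason a long-lived entry with low Rx/Tx values is worth a look when reviewing a host's connections.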

Histogram

The Histogram tab provides information on data volume transferred from and to the selected host in a selected time period. The chart provides information on the load of this host's traffic on the Internet line through the day.

Figure 19.6. Information on selected host and user — traffic histogram


Select an item from the Time interval combo box to specify the time period which the chart will refer to (2 hours or 1 day). The x axis of the chart represents time and the y axis represents traffic speed. The x axis is scaled according to the selected time period, while the scale of the y axis depends on the maximal value in the time interval and is set automatically (bytes per second is the basic measure unit — B/s).

This chart includes the volume of transferred data in the selected direction in certain time intervals (depending on the selected period). The green curve represents the volume of incoming data (download) in a selected time period, while the area below the curve represents the total volume of data transferred in the period. The red curve and area provide the same information for outgoing data (upload). Below the chart, basic statistical information is provided, such as the volume of data currently transferred (in the last interval) and the average and maximum data volume per interval.

Select an option for Picture size to set a fixed format of the chart or to make it fit to the Administration Console screen.