3.5  Users' Activity

The Users' Activity tab shows detailed information on the “browsing activities” of individual users. This section answers questions such as “What was this user doing on the Internet in the selected period?” or “How much time did this user spend browsing web pages?”

In the top right section of the Users' Activity tab, select a user whose activity you wish to see.

Figure 3.12. Selection of a user


The top left section of the page shows a header with all available information about the selected user (username, email address, etc.).

Figure 3.13. User's Activity — user info


Under this header, all detected activities of this user in the selected time period are listed. If no records meet the criteria, No data available is displayed. Technically, it is not possible to tell whether the user had no activity in the period or whether there was activity that was not recorded for some reason.

Note:

  1. The Users' Activity section provides an overview of a user's activity for a certain period, but it is not useful for real-time monitoring of the user's activity. Detected activities are always shown with a certain delay, caused mainly by these factors:

    • Updating data in StaR — for WinRoute, gathering and evaluating information for StaR means processing large volumes of data. To reduce the load on the firewall, data for StaR is updated approximately once an hour (see information about the last data update).

    • Delay in recording of activities — each activity is recorded 15 minutes after it has finished. The reason is that similar consecutive activities are counted as one record (to keep the overview of the user's activity clear).

  2. User's activity can be shown for up to 7 days (for better transparency). If a longer period is selected, shorter periods covering the selected period will be provided.
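
The two delays described in the note above can be modelled together. The following Python code is an added example, not WinRoute code: it assumes that hits by the same user to the same domain form one activity while the gap between consecutive hits is at most 15 minutes, and that StaR is updated exactly every hour counted from one known update time. The sample events and all names in it are constructed.

```python
from datetime import datetime, timedelta

IDLE_GAP = timedelta(minutes=15)      # page: a record is written 15 minutes after the activity ends
UPDATE_INTERVAL = timedelta(hours=1)  # page: StaR is updated about once an hour (assumed exact here)

def t(hhmm):
    """Constructed helper: a time of day on one fixed sample date."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 8, hour, minute)

# Constructed sample hits: (timestamp, user, domain)
SAMPLE = [
    (t("09:02"), "jsmith", "example.com"),
    (t("09:10"), "jsmith", "example.com"),
    (t("09:20"), "jsmith", "example.com"),
    (t("10:05"), "jsmith", "example.com"),
    (t("09:12"), "jsmith", "example.org"),
]

def merge_visits(events):
    """Merge hits into activity records (assumed model, see lead-in)."""
    records, current = [], {}
    for ts, user, domain in sorted(events):
        rec = current.get((user, domain))
        if rec is not None and ts - rec["last"] <= IDLE_GAP:
            rec["last"] = ts          # same activity: extend it and count the visit
            rec["visits"] += 1
        else:                         # gap too long or first hit: start a new record
            rec = {"user": user, "domain": domain,
                   "start": ts, "last": ts, "visits": 1}
            current[(user, domain)] = rec
            records.append(rec)
    return records

def earliest_report_time(rec, last_update):
    """First update at which the record can appear in the report."""
    ready = rec["last"] + IDLE_GAP    # the record is closed only after the idle gap
    if ready <= last_update:
        return last_update
    steps = -(-(ready - last_update) // UPDATE_INTERVAL)  # ceiling division
    return last_update + steps * UPDATE_INTERVAL

if __name__ == "__main__":
    for rec in merge_visits(SAMPLE):
        shown = earliest_report_time(rec, t("09:00"))
        print(rec["domain"], rec["start"].time(), rec["visits"], shown.time())
```

Under these assumptions, an activity whose last hit was at 09:20 first appears at the 10:00 update, so a report opened in between legitimately shows nothing for it.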

Activity Categories

Detected activities are sorted into several categories. Under the title of each category, summary information (total number of connections, total volume of transferred data, etc.) is provided, followed by a detailed overview of activities. Details can optionally be hidden. If a period longer than one day is selected, records are divided into sections by day. Optionally, daily records can also be hidden.

Each activity record includes this time information: start time and duration of the activity. If an activity is marked as unfinished, the particular connection has not been closed yet (it is still open).

Activity categories are ordered as listed in the following description. If there was no corresponding activity by the user in the selected period, the category will not be shown.

Web Pages

This category addresses one of the top user activities, web browsing.

Figure 3.14. User's Activity — access to web pages


The header shows the total number of visited web pages in the selected period and the total number of web searches. WinRoute correctly detects most of the common web browsers.

Each record of connection to a web page includes:

  • Start time and duration (see above).

  • Domain to which the page belongs (statistics in StaR are created by domains — see e.g. chapter 3.7  Top Visited Websites).

  • Number of visits — the number says how many times the page was visited within this activity.

  • Page category — site classification by the ISS OrangeWeb Filter module. If ISS OrangeWeb Filter is not running or classification failed, category will not be displayed.

  • Page title. Page title is displayed as a link — it is possible to simply click on the link to open the page in a new window (or a new tab) of the browser. If the page has no title, it will not be included in the activity list.

Connections to secured pages (HTTPS) are encrypted; therefore, titles and URLs of these pages cannot be recognized. In these cases, the record includes only the following information:

  • Name (or IP address) of the server.

  • Protocol (HTTPS).

  • Volume of data transferred in each direction.

The search record includes:

  • Search engine (only domain).

  • Searched string. The searched string is displayed as a link which can be clicked to perform the corresponding search in the relevant search engine and to view the search results in a new window (or a new tab) of the browser.

Messages (e-mail and instant messaging)

This category covers two types of activity: email communication (by SMTP, IMAP and POP3 protocols) and Instant Messaging — services such as ICQ, AOL Instant Messenger (AIM), Yahoo! Messenger, MSN Messenger, etc.

Figure 3.15. User's Activity — email and Instant Messaging


The header shows the number of detected email messages and the total volume of data transferred by email protocols. WinRoute can recognize email messages only in SMTP and POP3 communication, and only when the traffic is not encrypted. In other cases (the IMAP protocol, encrypted communication, etc.), only the volumes of data transferred by individual protocols are monitored.

The Messaging section includes the following types of records:

  • Connection to server — connection of email client to SMTP, IMAP or POP3 server. The record includes name (or IP address) of the server, used protocol and volume of data transferred in each direction.

  • Sent/Received messages — number of messages (transferred within one connection), name (or IP address) of the incoming/outgoing email server, used protocol and volumes of data transferred in each direction.

    Note: Volume of transferred data is rounded to kilobytes. If data volume is smaller than 0.5 KB, the value is set to 0.

  • Instant messaging — only connection to and disconnection from the server is recorded. The record includes protocol (IM service) and name (or IP address) of the login server.

    In this case, duration of the activity stands for the length of connection to the service, regardless of how many messages the user sent or received.

Large File Transfers

This category addresses user activities where large data volumes are transferred — downloads from web and FTP servers, uploads to FTP servers or sharing of files in P2P networks. “Large files” are files exceeding 1 MB (or 2 MB of data transferred by an unknown connection — see below).

Figure 3.16. User's Activity — large file transfers and usage of P2P networks


The header shows the total number of recognized files, the total volume of transferred data (in both directions), the volume of data transferred via P2P networks (in both directions) and the number of blocked attempts to share files in P2P networks (this information is displayed only if such an attempt was detected and blocked).

Types of records in the Large File Transfers category:

  • File downloads and uploads — the record includes name (or IP address) of the server, volume of transferred data and name of the transferred file.

    If the record points at download from a web server or from an anonymous FTP server, the file name is displayed as a link. Clicking on the link downloads the file.

  • Sharing (transfers) of files in P2P networks — the record includes name of detected P2P network and volume of data transferred in each direction.

  • Blocked P2P file sharing attempts — information about attempts to share files in P2P networks that were blocked by P2P Eliminator.

  • Unknown connection — any traffic between the local network and the Internet within which more than 2 MB of data was transferred and which cannot be sorted in another category (e.g. in Multimedia). The record includes name or IP address of the server, protocol/service (if recognized) and volume of data transferred in each direction.

Multimedia

The Multimedia category includes real-time transfers of multimedia data, so-called streaming (typically online radio and television channels).

Figure 3.17. User's Activity — multimedia


The header shows the total volume of data transferred by multimedia protocols and the total number of connections to such servers.

Records addressing individual activities include the following information:

  • Stream name (or URL, if the name is not available). Under certain circumstances, name can be displayed as a link by which the stream can be opened.

  • Name (or IP address) of the server.

  • Volume of data transferred in each direction.

Remote Access

This category addresses remote access to Internet hosts (e.g. Microsoft Remote Desktop, VNC, Telnet and SSH) as well as VPN access to remote networks. Remote access (if not used for work purposes) can be quite dangerous. A user can use it to get around local firewall rules, e.g. by browsing banned web pages on a remote host or by transferring forbidden files over VPN.

Figure 3.18. User's Activity — remote and VPN access


The Remote Access header informs about:

  • number of VPN connections and total volume of data transferred via VPN,

  • number of remote connections and total volume of transferred data.

Records addressing individual activities include the following information:

  • name (or IP address) of the server to which the user connected,

  • name of protocol/service,

  • volume of data transferred by the connection in each direction.