Chapter 3 Technical Information
including headers, etc.). The information gathered by Kerio Network Monitor can
therefore differ from that acquired by other tools (the deviation should not
exceed 40%; if the difference is several times higher, look for the
mistake in the network or in the program configuration).
Viewing current connections All captured IP packets are scanned for TCP segments
that open and close a connection (those with the SYN and FIN flags set). Kerio Network
Monitor therefore has information about all open connections of the individual
workstations in the network. Information about communication over the UDP protocol is
displayed in a similar way. Because UDP is a datagram-oriented protocol, so-called
pseudo-connections are evaluated: a connection lasts until the interval between UDP
datagrams exchanged by the source and target stations exceeds a predefined time
(default: 180 seconds).
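The connection tracking described above, written out in Python as an added example that is not part of the manual or of Kerio Network Monitor itself. The packet tuples, addresses and the `ConnectionTable` name are constructed for illustration, and treating the first FIN as the end of a TCP connection is an assumption.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 180  # seconds; the default quoted in the text above

@dataclass
class ConnectionTable:
    """Open flows mapped to the time a packet was last seen on them (hypothetical helper)."""
    udp_timeout: float = UDP_IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)

    @staticmethod
    def key(proto, src, dst):
        # Sort the endpoints so both directions of a flow share one entry.
        return (proto, *sorted([src, dst]))

    def expire(self, now):
        # A UDP pseudo-connection ends once the gap between datagrams exceeds the timeout.
        for k in [k for k, seen in self.flows.items()
                  if k[0] == "udp" and now - seen > self.udp_timeout]:
            del self.flows[k]

    def observe(self, ts, proto, src, dst, flags=""):
        self.expire(ts)
        k = self.key(proto, src, dst)
        if proto == "udp":
            self.flows[k] = ts          # first datagram opens, later ones refresh
        elif "F" in flags:
            self.flows.pop(k, None)     # assumption: the first FIN closes the connection
        elif "S" in flags or k in self.flows:
            self.flows[k] = ts          # SYN opens; other segments refresh a known flow
        return set(self.flows)

SAMPLE = [  # constructed packets: (time in s, proto, (ip, port), (ip, port), TCP flags)
    (0,   "tcp", ("192.0.2.10", 49152), ("198.51.100.5", 25), "S"),
    (1,   "tcp", ("198.51.100.5", 25), ("192.0.2.10", 49152), "SA"),
    (2,   "udp", ("192.0.2.11", 5353), ("198.51.100.53", 53), ""),
    (100, "udp", ("198.51.100.53", 53), ("192.0.2.11", 5353), ""),
    (150, "tcp", ("192.0.2.10", 49152), ("198.51.100.5", 25), "FA"),
    (281, "udp", ("192.0.2.12", 123), ("198.51.100.7", 123), ""),
]

def replay(packets):
    """Return the number of open connections after each packet."""
    table = ConnectionTable()
    return [len(table.observe(*p)) for p in packets]
```

In the sample, the DNS pseudo-connection last seen at 100 s is dropped when the packet at 281 s arrives, because 181 s of silence exceeds the 180 s default.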
Monitoring of services Each captured IP packet is checked to see whether it contains data
from one of the defined services (see chapter 6.2). If it does, the data is stored.
As an example, consider the transfer of e-mail via the SMTP protocol. If a TCP
connection with target port 25 is recorded, all packets belonging to this connection
are monitored, and from them the e-mail addresses of the sender and the recipient of
the message, and possibly the content of the message, can be reconstructed.
Configuration File
Kerio Network Monitor configuration information is stored in the NetMon2.cfg file. This
file is saved in the directory where Kerio Network Monitor is installed (typically
C:\Program Files\Kerio\Network Monitor). Simply copy this file to back up your
Warning: Stop the Kerio Network Monitor Daemon before taking any action with the
configuration file (refer to chapter 5.2)!
Data Storage
The measured data is stored in binary files on the disk. In the data folder (by default the
same folder in which Kerio Network Monitor is installed), the following subfolders are created:
high — data with high resolution (sampling rate 3 seconds)
low — data with low resolution (sampling rate 1 hour)
Within these folders, further subfolders are created according to the IP addresses of the
individual computers in the local network, and in them are stored the files with the acquired