Chapter 7 Viewing and Analysis of Captured Data
Log files can be further processed by external analysis tools (e.g. by the Kerio Log Analyzer
application, see www.kerio.com).
Connection Log
Fri 8/Mar/2002 10:18:31 TCP: richard:1524 -> 205.107.97.6:80 171 + 2927By, 2s -HTTP:205.107.97.6
Fri 8/Mar/2002 10:18:31 — date and time of a connection creation (formation)
TCP: — used communication protocol at transport level (TCP/UDP)
richard:1524 — name or IP address of the client (the computer that originated the
connection) and the source port
205.107.97.6:80 — name or IP address of the target computer (server) and the
destination port
171 + 2927By — volume of sent (171) and received (2927) data in bytes (By)
2s — connection duration (in seconds)
-HTTP:205.107.97.6 — service description (if it is a service defined in Kerio Network
Monitor). This record shows “HTTP service on a server with IP address
205.107.97.6”. If Kerio Network Monitor does not have such a service defined, the
message unknown service is displayed instead.
Note: Kerio Network Monitor resolves the names of computers on the Internet by analysing
DNS traffic. This works only if a DNS query was sent before the connection was
established. If the client already holds the name in its local DNS cache, no DNS query is
sent and Kerio Network Monitor “sees” only the IP address of the target server, so the log
record contains the address rather than the name.
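As an added illustration (not part of the Kerio manual), a Python parser for connection-log records in the layout described above: it splits each record into typed fields and totals the traffic per client. The regular expression, the field names and the second sample line, which assumes that the "unknown service" message simply replaces the service field, are assumptions made here.

```python
import re
from dataclasses import dataclass
from datetime import datetime
# Constructed sample: the manual's record with its timestamp first, then an assumed "unknown service" line.
SAMPLE_LOG = """\
Fri 8/Mar/2002 10:18:31 TCP: richard:1524 -> 205.107.97.6:80 171 + 2927By, 2s -HTTP:205.107.97.6
Fri 8/Mar/2002 10:18:40 UDP: richard:1025 -> 192.168.0.1:53 62 + 140By, 0s -unknown service
"""
# One named group per field, in the order the manual lists them.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP): "
    r"(?P<client>\S+):(?P<cport>\d+) -> (?P<server>\S+):(?P<sport>\d+) "
    r"(?P<sent>\d+) \+ (?P<recv>\d+)By, (?P<secs>\d+)s -(?P<service>.+)$"
)

@dataclass
class ConnectionRecord:
    when: datetime
    proto: str
    client: str
    client_port: int
    server: str
    server_port: int
    sent: int        # bytes sent by the client
    received: int    # bytes received by the client
    seconds: int     # connection duration
    service: str     # e.g. "HTTP:205.107.97.6", or the "unknown service" message

def parse_record(line: str) -> ConnectionRecord:
    """Split one connection-log line into typed fields; reject anything else loudly."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a connection-log record: {line!r}")
    return ConnectionRecord(
        when=datetime.strptime(m["ts"], "%a %d/%b/%Y %H:%M:%S"),
        proto=m["proto"], client=m["client"], client_port=int(m["cport"]),
        server=m["server"], server_port=int(m["sport"]),
        sent=int(m["sent"]), received=int(m["recv"]),
        seconds=int(m["secs"]), service=m["service"],
    )

def parse_log(text: str) -> list[ConnectionRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def traffic_per_client(records: list[ConnectionRecord]) -> dict[str, int]:
    """Total bytes (sent + received) per client: the first figure a bandwidth or abuse review asks for."""
    totals: dict[str, int] = {}
    for r in records:
        totals[r.client] = totals.get(r.client, 0) + r.sent + r.received
    return totals
```

Because the monitor logs a name only when it saw the DNS query, the same machine can appear under its name in one record and under its IP address in another, so per-client totals should be reviewed with that in mind.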
HTTP Log
richard - Fri 8/Mar/2002 11:57:46 GET http://www.kerio.com/resources/home.gif HTTP/1.1 200 1221
richard — name (or IP address) of the client (i.e. the computer that sent the HTTP
request)
Fri 8/Mar/2002 11:57:46 — date and time of a request