
Chapter 3

Technical Information

3.1 Kerio Network Monitor Components

Kerio Network Monitor consists of two separate components:
Watching service (Daemon): The executive core of the program, which captures the
packets and saves the data into a file on the disk. It runs as a service (in Windows
NT/2000/XP) or as a background application (in Windows 9x/Me).
Viewer: It is intended for viewing and analyzing gathered data and for configuration
of the service. The viewer communicates with the Daemon using the protocols of the
TCP/IP standard, so it is possible to connect not only locally (from the same
computer) but also from any other computer in the local network or in the Internet.
A detailed description is located in chapter 5.1.

3.2 How does Kerio Network Monitor work?

Packet Monitoring
Kerio Network Monitor Daemon watches the network traffic in so-called promiscuous
mode (i.e. it can also accept data that is not addressed to the computer on which it
is running). It captures all IP protocol packets, from which it extracts the required
information:
Volume of transferred data: In each captured IP packet the source and the target
address are tested. If one of these addresses belongs to the local network and the
other to the Internet (i.e. the transfer is between the local network and the
Internet), the size of the data part of the transport protocol (TCP or UDP) is
measured and this figure is stored. If both addresses belong to the local network or
both to the Internet, the size of the data is not stored.
The program configuration defines whether an IP address belongs to the local network
or to the Internet (see chapter 6.1).
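
The counting rule described above, written out as an added example (this is not code from Kerio Network Monitor). The function names, the local network 192.168.1.0/24 and the sample packets are assumptions made for illustration, and packets are assumed to be unfragmented IPv4.

```python
import ipaddress
import struct

# Assumed local-network definition; the product reads this from its configuration.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)

def payload_size(packet):
    """Return the TCP/UDP data size to store for one raw IPv4 packet, else 0."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return 0
    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return 0                                    # malformed or truncated capture
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    # Store only boundary traffic: exactly one end must be in the local network.
    if is_local(src) == is_local(dst):
        return 0
    segment = packet[ihl:total_len]
    if proto == 6 and len(segment) >= 20:           # TCP: subtract data offset
        hdr = (segment[12] >> 4) * 4
        return len(segment) - hdr if 20 <= hdr <= len(segment) else 0
    if proto == 17 and len(segment) >= 8:           # UDP: fixed 8-byte header
        return len(segment) - 8
    return 0

def build_packet(src, dst, proto, data_len):
    """Constructed sample packet (checksums left at zero, not validated here)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + data_len, 0)
    body = l4 + b"\x00" * data_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + body

def total_volume(packets):
    return sum(payload_size(p) for p in packets)
```

Because only the transport payload is summed, the totals will be lower than those of a tool that counts whole IP packets or Ethernet frames for the same traffic.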
Note: Various network monitoring tools use different methods for measuring the
volume of transferred data (e.g. whole Ethernet frames, size of the data in IP packets