Category Archives: How to monitor internet usage

Monitor network bandwidth with a Cisco switch.

In this post, I will present a bandwidth monitoring solution based on your Cisco switch. If your router/firewall does not have bandwidth monitoring features, or you need more detailed reports, this solution can help.

First, the network topology diagram:


Most Cisco switches support the “port mirroring (SPAN)” feature. You can use the commands below to enable it:

1. Set source port

Switch(config)#monitor session 1 source interface Fa0/23

2. Set target port

Switch(config)#monitor session 1 destination interface Fa0/22 ingress vlan 1

The “ingress vlan 1” option lets the target port also accept incoming traffic from the monitoring PC, which is placed in VLAN 1.

Then you need to install a pass-by filtering program (e.g. WFilter internet content filter) on a Windows PC and connect this PC to the “target port”. You can then monitor the internet bandwidth and live connections of network clients.

The new diagram:


Now let’s check what you can monitor with WFilter:
1. Clients List

2. Live Connections

3. Bandwidth Reports




How to monitor wireless users in network with WFilter?

Since most wireless devices obtain IP addresses dynamically, management of wireless devices has become a challenge to network administrators. It’s not easy to identify wireless devices by IP addresses or MAC addresses. However, with WFilter, you can identify wireless devices by users.

When enabled, mobile users need to authenticate themselves to access the internet. Both Active Directory authentication and WFilter local authentication are supported. Then you can check devices and users in the WFilter console in a few clicks.

In this example, I will guide you to enable AD account monitoring for wireless devices.

1. Enable Domain account monitoring

In “Account Monitoring”, choose “Windows Active Directory”, click “Enabled”, and add a Domain Controller.

2. Advanced Settings

Click “Advanced Settings”, choose “Require web authentication for devices which do not log into the domain”, and save the settings. You can also choose “Block all internet access when web authentication is required” and “Require re-authentication when an user has no internet activity for 30 minute(s)”.

3. Web authentication

Users will not be able to access the internet until they’re authenticated. The user authentication web page will show up when a browser is opened, as shown in the figure below.

4. Online Users

In WFilter’s “Online Users”, you can get a list of online devices and users.

How to push web pages to network clients with WFilter?

In WFilter version 4.1, a new feature named “web content pushing” was added. This feature enables you to push a web page to client devices at a set time interval. You can define the time interval, the triggers for pushing and the pages to push.

In this example, I will guide you through using “web content pushing” in WFilter 4.1.

1. WFilter Settings

1.1 Create a new blocking level

Add a “company broadcast” policy in “Policy Settings”->“Blocking Level Settings”. Check “Enable Web Content Pushing” and click “New”.

Add a new “web content pushing” named “broadcast”, in “Triggers”, input “” which means this web pushing shall be triggered when is visited.

In “Content”, you can put anything you want to broadcast. It will be displayed when triggered.

Apply this blocking policy to the target IP ranges.

1.2 When a user visits, the broadcast message will show up every ten minutes.

How to monitor and filter internet activities of PPPoE users?

PPPoE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPoE clients’ internet usage and behavior.

In this example, we will demonstrate how to monitor and filter PPPoE clients with WFilter Free. Please note that only non-encrypted and uncompressed PPPoE traffic is supported, so the first step is to configure your PPPoE server for no encryption and no compression.

1. PPPoE server settings

Let’s take Windows 2003 and RouterOS as examples.

1). Windows 2003 Server Configuration

If you are using Windows 2003 Server as the PPPoE server, please follow the steps below to configure it:

In “Properties” of “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit the “remote access policy” and set “no encryption” in “Edit Profile”. Note: both of the default policies must be modified.

2). RouterOS Configuration

If you are using RouterOS as the PPPoE server, please follow these steps to disable compression and encryption:

In the “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.
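
An added example (not from the original post and not WFilter code): one way to confirm, from frames captured on the monitoring adapter, that PPPoE sessions really are unencrypted and uncompressed after the server changes above. It assumes a two-byte PPP protocol field (no protocol-field compression); the function names and the sample-frame builder are constructed for illustration.

```python
import struct
from collections import Counter

# PPP protocol numbers (IANA "PPP DLL Protocol Numbers").
PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057
PPP_COMPRESSED = 0x00FD   # CCP-compressed datagram; MPPE also uses this number
PPP_ENCRYPTED = 0x0053    # ECP-encrypted datagram
ETH_VLAN, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8100, 0x8863, 0x8864


def classify_frame(frame: bytes) -> str:
    """Classify one Ethernet frame seen on the monitoring adapter."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETH_VLAN:                  # skip a single 802.1Q tag
        if len(frame) < 18:
            return "truncated"
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype == ETH_PPPOE_DISC:
        return "pppoe-discovery"
    if ethertype != ETH_PPPOE_SESS:
        return "not-pppoe"
    if len(frame) < offset + 8:                # 6-byte PPPoE header + 2-byte PPP protocol
        return "truncated"
    ver_type, code, _session, _length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != 0x11 or code != 0x00:       # version 1, type 1, session data
        return "malformed"
    proto = struct.unpack_from("!H", frame, offset + 6)[0]
    if proto in (PPP_IPV4, PPP_IPV6):
        return "inspectable"                   # plain IP: a pass-by filter can parse it
    if proto == PPP_COMPRESSED:
        return "compressed-or-mppe"
    if proto == PPP_ENCRYPTED:
        return "encrypted"
    return "control" if proto >= 0x8000 else "other"   # LCP, IPCP, CCP, auth


def pppoe_frame(ppp_proto: int, payload: bytes = b"\x45" + bytes(19), vlan=None) -> bytes:
    """Build a constructed PPPoE session frame (sample input, not real traffic)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    ppp = struct.pack("!H", ppp_proto) + payload
    header = struct.pack("!HBBHH", ETH_PPPOE_SESS, 0x11, 0x00, 0x0001, len(ppp))
    return eth + tag + header + ppp


def summarize(frames):
    """Count frames per class; any 'compressed-or-mppe' or 'encrypted' means a
    server profile still negotiates compression or encryption."""
    return dict(Counter(classify_frame(f) for f in frames))
```

If the summary of a real capture shows only “inspectable” and “control” frames for a client session, the server-side settings have taken effect for that session.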

2. Monitor PPPoE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse PPPoE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPoE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->“Monitoring Settings” of WFilter.

2.2) Set up client policy

Add a block policy to block web surfing.

Apply this policy to the PPPoE clients’ IP ranges.

2.3) Check Blocking

PPPoE clients get blocked.

Blocking events in WFilter.

Wifi network monitoring solutions

Since most wireless network cards do not support “promiscuous mode”, it becomes complicated to deploy internet monitoring and filtering in a wifi network.

In this blog, I will list three common solutions for wifi network monitoring.

1. Port mirroring

Some wireless routers support the “port mirroring” feature. If your router supports this feature, you can enable the mirroring port and connect the WFilter computer to it. The WFilter computer must have a wired network card that can be connected to the mirroring port by a cable.

This Cisco article provides a good guide: Configuration of Port Mirroring on WRVS4400N Wireless-N Gigabit Security Router

2. Deploy WFilter in an upper layer device

In case you have an upper layer device with “port mirroring” feature, you can deploy WFilter in the upper layer. Check this solution: WFilter deployment in a wireless network

3. Configure the WFilter PC as the internet gateway.

This solution is helpful when you have only ONE wireless router in your network, and it makes WFilter deployment rather simple. It also helps when you don’t have a port mirroring switch or router.

Check this solution here: A simple deployment of WFilter with wireless router

4. Turn your PC into a Wi-Fi HotSpot to deploy WFilter

You can turn your Windows PC into a Wi-Fi hotspot, so that clients connected to this hotspot can be monitored by WFilter.

Check this solution here: Turn your PC into a Wi-Fi HotSpot to deploy WFilter

5. Reflash your router into an embedded Linux system.

If none of the above solutions works for you, you can reflash your router with OpenWrt/DD-WRT/Tomato/Gargoyle firmware. These firmwares allow you to install software port-mirroring solutions.

Here is a guide: WFilter deployment with openwrt router.



WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified web interface. Gargoyle can turn your wireless router into a powerful Linux system. Even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you through installing the “port-mirroring” program on your Gargoyle router and deploying WFilter for internet monitoring and filtering. We assume you already have a Gargoyle router; if not, please check the Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take a Linksys WRT54G router as an example.


a). opkg update.

b). opkg install

Because Gargoyle is based on the OpenWrt Attitude Adjustment 12.09 branch, we need to install the build for OpenWrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and the mirrored source interfaces.

In this example, we choose the “eth0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

WFilter deployment with a network tap.

1. What is a network tap?

A network tap is also a good way to monitor network traffic. Compared to a “port mirroring” switch, it has several advantages:

  1. Handy and flexible, requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost; you can even build (DIY) one yourself.

Guides for making a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. Cannot monitor gigabit networks, which require a “filterable tap”.
  2. The monitoring port does not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and another for communication.

This blog will guide you to deploy WFilter with “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

Actually it does not require ip address for the monitoring adapters. In this example, we assign “″, “″ to the two monitoring adapters(Assigning an ip address makes it easier for us to identify the adapter in WFilter). The third adapter is assigned with “″.

3. Set up WFilter

Check the two monitoring adapters in “System Settings”->“Monitoring Settings”. The third adapter shall be chosen as the blocking adapter for sending blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other adapter only gets outgoing packets. This is how a network tap is designed.

Client computers can also be blocked.

Management of multiple departments in WFilter

You may use WFilter to set up internet access policies for network computers. However, setting the policies can be a very complicated task for the IT department when you have a lot of departments and users.

In this case, the solution is to set up multiple WFilter operators for the departments. Each operator can only set policies for users in certain departments. For example, a department manager has the privilege to set internet policies for the department’s staff.

In this topic, I will guide you through managing multiple operators in WFilter Enterprise 4.0.

1. Add departments

You can add departments in Policy Settings->Department Settings

2. Add operators

Add operators in System Settings->Manage Operators.

The “Supervising Dept.” defines the users whom this operator can see and configure. You can also define the WFilter menu for each operator.

3. Policy Settings

You can define the departments’ IP ranges in “Default Ip Policy”, so that IP addresses are added to the corresponding department automatically.

4. Operator Features

In the “User-computer table”, an operator can only see users in its “Supervising Dept.”.

You can schedule standard reports to be sent to the department managers.

How to identify computers in WFilter?

WFilter can monitor and filter computers’ internet activities in your network. In WFilter, two monitoring modes are available: “by ip address” and “by MAC address”. In “by ip address” monitoring mode, WFilter identifies a computer based on its IP address, while in “by mac address” monitoring mode it identifies a computer based on its MAC address.

However, if computers’ IP addresses are not fixed in your network, you might have trouble identifying a computer in order to set its monitoring/blocking policy.

This tutorial introduces several solutions for identifying computers in your network in WFilter.

1. Monitor and block by AD users

Since WFilter can be integrated with Microsoft Active Directory, you don’t need to face the trouble of identifying computers if you have an AD available.

With “account monitoring” enabled, you can set blocking policies based on AD users, regardless of which computers they are using.

Please check this document for more details about “account monitoring”: How to do monitoring based on user accounts?

2. Identify computers by MAC addresses

With “by mac address” monitoring mode, WFilter identifies a computer by its MAC address. A MAC address is assigned by the manufacturer of a network interface card (NIC) and is stored in its hardware. It won’t change unless the NIC hardware is replaced.

When you set a recording policy or blocking policy for one computer in the “user-computer table”, the settings are bound to its MAC address. Even if its IP address changes, the settings will not be lost.

However, “By MAC address” monitoring mode is only available for single-segment networks, because a computer’s MAC address cannot be retrieved when it’s located behind a router.

Therefore, in a single-segment network, “by mac addresses” will be a good choice if your IP addresses are dynamic.

3. Identify computers by IP addresses

If your network has multiple segments, you can only use “by ip address” monitoring mode. Therefore, we recommend making IP addresses static in a multi-segment network. If you want to leave the IP addresses dynamic, the only solution left is “Monitor and block by AD users” as discussed above.

For more information, please check “WFilter Enterprise”.


How WFilter works to block internet connections in network?

How WFilter works to monitor and archive internet activities?

WFilter is an enterprise Internet filtering software program. A business or organization can implement its Internet communication policy into WFilter and let it perform the work. WFilter intercepts, records and monitors Internet behaviors of users on a network, for the purpose of ensuring policy compliance, or measurement on job performance in an organization.

A mirroring port replicates the data from other ports or VLANs. To monitor all internet activity, WFilter needs to be connected to a mirroring port of your switch, and the mirroring port shall be configured to mirror your internet traffic.

When connected to a mirroring port, WFilter gets packet copies of all internet traffic, then decodes and saves them into log files. This is how WFilter works to monitor internet usage.

For more information about how to set up port mirroring, please check: WFilter Deployment Examples.
To check whether your port mirroring is properly configured, please check: How to check whether port mirroring is properly configured?
If you don’t have a manageable switch, you need to set up a Windows gateway or proxy server to do the monitoring; please check: How to monitor internet usage without a manageable switch?
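
An added example (not from the original posts and not WFilter code): a capture sanity check for the two situations described on this page, a mirroring port that should deliver both directions of client traffic on one adapter, and a network tap that delivers incoming and outgoing packets on two separate adapters. The function names, adapter labels and all IP addresses are constructed for illustration, and which tap port carries which direction is an assumption.

```python
import ipaddress


def direction(src, dst, lan):
    """Classify a packet relative to the LAN: outbound, inbound, local or transit."""
    s_in = ipaddress.ip_address(src) in lan
    d_in = ipaddress.ip_address(dst) in lan
    if s_in != d_in:
        return "outbound" if s_in else "inbound"
    return "local" if s_in else "transit"


def adapter_coverage(packets, lan_cidr, monitor_ips=()):
    """Internet directions seen on one adapter, ignoring the monitoring PC's own traffic."""
    lan = ipaddress.ip_network(lan_cidr)
    seen = set()
    for src, dst in packets:
        if src in monitor_ips or dst in monitor_ips:
            continue  # our own packets prove nothing about the mirror or tap
        d = direction(src, dst, lan)
        if d in ("outbound", "inbound"):
            seen.add(d)
    return seen


def diagnose(captures, lan_cidr, monitor_ips=()):
    """captures maps adapter name -> [(src_ip, dst_ip), ...]; returns a verdict string."""
    per_adapter = {name: adapter_coverage(pkts, lan_cidr, monitor_ips)
                   for name, pkts in captures.items()}
    combined = set().union(*per_adapter.values())
    if combined == {"outbound", "inbound"}:
        split = len(per_adapter) > 1 and all(len(c) == 1 for c in per_adapter.values())
        return "ok-tap-split" if split else "ok"
    if not combined:
        return "no-client-traffic"  # mirror session missing or wrong source port
    return "one-direction-only:" + combined.pop()


# Constructed sample data: LAN 192.168.10.0/24, monitoring PC .250, one internet host.
LAN, ME = "192.168.10.0/24", ("192.168.10.250",)
OUT, IN = ("192.168.10.21", "203.0.113.10"), ("203.0.113.10", "192.168.10.21")
SPAN_OK = {"mirror": [OUT, IN]}
TAP = {"J3": [OUT, OUT], "J4": [IN]}
SPAN_BROKEN = {"mirror": [("192.168.10.250", "203.0.113.10"),
                          ("203.0.113.10", "192.168.10.250")]}
SPAN_ONE_WAY = {"mirror": [OUT]}

if __name__ == "__main__":
    for name, cap in [("SPAN", SPAN_OK), ("tap", TAP),
                      ("broken", SPAN_BROKEN), ("one-way", SPAN_ONE_WAY)]:
        print(name, diagnose(cap, LAN, ME))
```

A “no-client-traffic” verdict means the adapter only sees the monitoring PC’s own packets, and “one-direction-only” on a single mirrored adapter means the mirror session copies only one direction of the source port.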

How WFilter works to block internet connections?

Many users have asked: “Since WFilter only handles packet copies and the original packets don’t pass through the WFilter machine, how does WFilter block internet connections?”

Actually, there are two filtering technologies: pass-through filtering and pass-by filtering.

With a pass-through filtering solution, packets pass through the filtering product; if a packet needs to be blocked, the filtering product just drops it.

However, a pass-by filtering product only handles copies of network packets; it cannot hold the original packets. Therefore, it sends RST packets to terminate TCP connections. This is how WFilter works to block connections.

Please note:

1. Since WFilter needs to send RST packets to block a connection, the “blocking adapter” of WFilter must be able to access your network. The blocking adapter is configured in “System Settings”->“Monitoring Settings” of WFilter.

2. Some switches do not allow outgoing traffic on the mirroring port; if so, you need to set up a separate NIC as the blocking adapter. Even if outgoing traffic is allowed on the mirroring port, we recommend using a secondary NIC for blocking when you’re managing over 100 computers. Otherwise, the monitoring adapter will be overloaded.

3. If you have multiple VLANs, the blocking adapter shall belong to a VLAN which can communicate with the other VLANs.

4. Sometimes you might need to set the “Automatic Metric” of the blocking adapter so that Windows recognizes this adapter as the primary adapter. Please check this blog topic: Blocking adapter doesn’t work when using two network cards with WFilter.

For more information about the difference between the two filtering solutions, please check: What’s the difference between Pass-by filtering and Pass-through filtering?
For more details about WFilter filtering technology, please check: WFilter Technologies and Security