Browsing Time is calculated by Fastvue's own algorithm to estimate how long a user's machine has been generating activity through your Sophos UTM, or how long a site has been actively sending and receiving data through the UTM.
The calculation works like this:
- When a user starts browsing the web or generating any sort of network activity, this activity is sent to Fastvue Reporter via Sophos UTM's syslog messages.
- When Fastvue Reporter first encounters log records for a particular user or site, it opens a session for that user or site.
- Fastvue Reporter keeps that session open until there are no records encountered for five minutes or more.
- The session is then closed at the time of the last record and the entire session’s time is calculated.
- The Browsing Time shown in Reports is the sum of these sessions for the item in the report, whether that is a user, site, category and so on.
Browsing Time Confusion
It is important to note that Browsing Time is an estimation only. Fastvue Reporter is looking purely at web requests flowing through your Sophos UTM. It is not standing over a user's shoulder watching what browser tab they're looking at, or noting when they've walked away from their machine.
Some web pages may poll their website even when it is not the active browser tab (to get chat notifications etc). This behavior will keep a user's browsing session alive even if they are not physically looking at the page or even sitting at their computer.
On the other hand, other websites may download all web content to the user's machine in the first five seconds without any further polls or requests. The user may then spend 2 hours reading the web page, but Fastvue Reporter only knows about those first 5 seconds of activity.
So think of Browsing Time more along the lines of 'something was happening from the user's machine for this amount of time'.
Investigating Browsing Session Details
If you need exact details about when a user was browsing, and what exactly they were accessing, run an Activity Report for that user for the timeframe you're interested in. This will break down the user's browsing by sites accessed each hour of the day, with log-level detail available by simply clicking the rows in the report.
Activity Reports will show you green bars to indicate the start and end time of the browsing session to each site. This gives you a simple visual indication of which sites were being browsed simultaneously.
In the above screenshot, you can see that four websites have overlapping browsing sessions: producthunt.com, facebook.com, workable.com and github.com.
You can click on the rows in the report to view the full details about each browsing session. Here is some of the detail for the session to producthunt.com.
You may then find that the last 10 minutes are filled with the same URL repeating every 15 seconds. This is a good indication of a poll. Of course, the user could still be reading the web page at this stage, or perhaps they've gone to another tab, or walked away from their machine.
Either way, it is still an indication that there is activity between the user's machine and the website. They have not fully closed down the web page, or they have a background application running that is hitting the site regularly (Dropbox is a good example of such a background application).
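If you export a session's log records, the polling pattern described above can be picked out programmatically. The following is an added example, not Fastvue code: the function name, thresholds and sample URLs are assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

def find_polls(records, min_hits=10, tolerance=0.2):
    """records: time-ordered (time, url) pairs from one browsing session.
    Returns runs where one URL repeats back to back at a near-constant
    interval. Requests to other URLs in between split a run."""
    runs, i = [], 0
    while i < len(records):
        j = i
        while j + 1 < len(records) and records[j + 1][1] == records[i][1]:
            j += 1                      # extend the run of identical URLs
        hits = records[i:j + 1]
        if len(hits) >= min_hits:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            mid = median(gaps)
            # Human clicks are irregular; a poll stays close to one interval.
            if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
                runs.append({"url": hits[0][1], "start": hits[0][0],
                             "end": hits[-1][0], "interval_s": mid,
                             "hits": len(hits)})
        i = j + 1
    return runs

def constructed_session():
    """Constructed sample: two minutes of page views, then ten minutes
    of the same URL requested every 15 seconds."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    pages = [(0, "/"), (20, "/posts/1"), (47, "/posts/2"),
             (70, "/topics"), (110, "/posts/3")]
    recs = [(t0 + timedelta(seconds=s), "https://site.example" + p)
            for s, p in pages]
    recs += [(t0 + timedelta(seconds=120 + 15 * n),
              "https://site.example/api/notifications") for n in range(41)]
    return recs

if __name__ == "__main__":
    for run in find_polls(constructed_session()):
        print(run["url"], run["hits"], "hits every", run["interval_s"], "s,",
              run["end"] - run["start"], "of session time")
```

A run found this way tells you how much of a session's Browsing Time is accounted for by automated requests, not whether the user was present.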
Why Don't Browsing Times Add Up?
There can be confusion when comparing the browsing time for a user, and the browsing time for the sites that the user visited.
For example, a Company Overview report may state that a user has been browsing for 6 hours, but when you run a report on the user’s activity, you may see browsing to site A being 4 hours, site B being 5 hours, site C being 6 hours - a total of 15 hours!
The totals obviously do not add up here.
The main reason for this is that the user may be browsing in multiple windows or tabs simultaneously, and other applications on their machine may also be generating traffic at the same time.
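The sketch below applies the session calculation described at the top of this page to constructed records, once per user and once per site, to show why the per-site figures exceed the user's total. It is an added example that follows the steps as written here, not Fastvue's actual implementation; the function names, user and site names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_GAP = timedelta(minutes=5)   # idle period that closes a session, per this page

def sessions(timestamps, gap=IDLE_GAP):
    """Group record times into (start, end) sessions. A session is closed
    at its last record once no record is seen for `gap` or more."""
    out = []
    for ts in sorted(timestamps):
        if out and ts - out[-1][1] < gap:
            out[-1][1] = ts           # still within the idle window: extend
        else:
            out.append([ts, ts])      # first record, or a gap of five minutes or more
    return [(start, end) for start, end in out]

def browsing_time(timestamps, gap=IDLE_GAP):
    """Sum of session lengths for one item (a user, a site and so on)."""
    return sum((end - start for start, end in sessions(timestamps, gap)),
               timedelta())

def report(records):
    """records: (time, user, site) tuples. Returns per-user totals and
    per-(user, site) totals, each computed from its own sessions."""
    by_user, by_site = defaultdict(list), defaultdict(list)
    for ts, user, site in records:
        by_user[user].append(ts)
        by_site[(user, site)].append(ts)
    return ({u: browsing_time(t) for u, t in by_user.items()},
            {k: browsing_time(t) for k, t in by_site.items()})

def constructed_records():
    """Constructed sample: one user, three sites requested every two
    minutes during overlapping windows (minutes after 09:00)."""
    t0 = datetime(2024, 1, 8, 9, 0)
    windows = {"site-a.example": (0, 60), "site-b.example": (30, 90),
               "site-c.example": (80, 120)}
    return [(t0 + timedelta(minutes=m), "alice", site)
            for site, (first, last) in windows.items()
            for m in range(first, last + 1, 2)]

if __name__ == "__main__":
    users, sites = report(constructed_records())
    print("user total:", users["alice"])
    for (user, site), total in sorted(sites.items()):
        print(f"  {site}: {total}")
    print("sum of site times:", sum(sites.values(), timedelta()))
```

Because the three site sessions overlap in time, they merge into a single two-hour session at the user level, while the per-site figures sum to 2 hours 40 minutes.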
Another major reason for this is that their browser may be accessing many different sites simultaneously without the user knowing it.
When you browse to a website, your web browser actually downloads material from several different sites. These can be advertising servers such as doubleclick.net, visitor tracking scripts such as google-analytics.com, Content Delivery Networks (CDNs) such as fbcdn.net or akamaihd.net (both used by Facebook), social sharing widgets such as addthis.com, tweet buttons and so on.
Fastvue's Site Clean feature attempts to solve this problem; however, there are various reasons why certain traffic may not be 'cleaned'.
Any sites that cannot be 'cleaned' by Fastvue Site Clean will show up as separate domains that have been accessed by the user, and each will have its own browsing time.
Fastvue is continually improving the Site Clean algorithm, but please be aware that certain traffic (such as HTTPS traffic) is very difficult to clean accurately, and the 'extra' domains in the reports may bloat the browsing time figures.