One roundabout way you could get this information is via the fw ctl multik print_heavy_conn command, which reads the kernel table heavy_conn_table containing all current elephant flows, and also those detected for the last 24 hours. There does not seem to be any way to immediately alert when a heavy connection is detected, nor is there any logfile of such that you could follow with tail -f. If you have at least R81.10 or the latest Jumbo HFA for R81/R80.40, another mechanism you can use to show current top connections (not necessarily declared elephants) is the top_conns command described here: sk172229: Top Connections Tool
So perhaps you could write a script that occasionally runs one of the above commands on your gateway searching for any displayed entries emanating from the subnets/VLANs where your user population is located. This could be done once an hour for top_conns (which is realtime only) or once a day for fw ctl multik print_heavy_conn. This solution wouldn't notify you in real time if some user was starting to hog bandwidth and is certainly not perfect, but if they are doing it constantly you will eventually catch them. Both of these great commands are covered and utilized for lab exercises in my Gateway Performance Optimization class.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
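The periodic check suggested in the post above could look like the following. This is an added example, not code from the original post or from Check Point. The subnet list, the `heavy_conn` syslog tag and the sample lines are assumptions, and the filter matches any IPv4 address on a line so that it does not depend on the exact output layout.

```shell
#!/bin/bash
# Added example, not from the original post. USER_NETS is a hypothetical,
# site-specific list of user subnets/VLANs in CIDR form.
USER_NETS="${USER_NETS:-10.20.0.0/16 192.168.50.0/24}"

# Reads command output on stdin; prints every line containing an IPv4
# address that falls inside one of the CIDR blocks passed as arguments.
filter_user_flows() {
    awk -v nets="$*" '
    function ip2n(ip,   o) {            # dotted quad -> integer, -1 if invalid
        if (split(ip, o, ".") != 4) return -1
        if (o[1] > 255 || o[2] > 255 || o[3] > 255 || o[4] > 255) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        n = split(nets, cidr, " ")
        for (i = 1; i <= n; i++) {
            split(cidr[i], p, "/")
            bits = (p[2] == "") ? 32 : p[2]   # bare address means /32
            blk[i] = 2 ^ (32 - bits)          # number of addresses in block
            base[i] = int(ip2n(p[1]) / blk[i])
        }
    }
    {
        rest = $0
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            v = ip2n(substr(rest, RSTART, RLENGTH))
            rest = substr(rest, RSTART + RLENGTH)
            for (i = 1; i <= n; i++)
                if (v >= 0 && int(v / blk[i]) == base[i]) { print; next }
        }
    }'
}

# Constructed sample lines for offline testing; the layout is an assumption,
# not captured gateway output.
sample_output() {
    cat <<'EOF'
[fw_0]; Conn: 10.20.4.17:51522 -> 203.0.113.9:443 IPP 6; Instance load: 61%
[fw_1]; Conn: 10.200.4.17:40000 -> 198.51.100.7:22 IPP 6; Instance load: 55%
[fw_2]; Conn: 198.51.100.20:443 -> 192.168.50.31:60211 IPP 6; Instance load: 72%
EOF
}

# On a gateway: send matching heavy connections to syslog (tag is an assumption).
if command -v fw >/dev/null 2>&1; then
    fw ctl multik print_heavy_conn | filter_user_flows $USER_NETS | logger -t heavy_conn
fi
```

Scheduled once a day from cron, as the post suggests for fw ctl multik print_heavy_conn, this produces syslog entries that can be followed or alerted on.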