What's new

IPTraffic and Normal Traffic discrepancy

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

barzot

Occasional Visitor
What does the "normal" Traffic monitor track that the IPTraffic doesn't?
Shouldn't the ups and downs of one be equal to the totals of the other?

I ask because I just noticed an unusually big upload (3.7 GB) in the Daily "normal" stats on the 18th of may, but there's absolutely nothing in the IPTraffic stats for any of the devices connected that account for this.
I usually check the IPTraffic daily stats, rarely the daily "normal" stats.

  • I'm on RT-N66U, and at that time was on 380.65_4 (went on 380.66_2 on the 22nd, soon on _4);
  • Firewall is On;
  • no WAN access to admin page;
  • no WAN access to SSH; etc.
  • NAT acceleration disabled;
  • IPv6 and QoS disabled;
  • VPN and Tor disabled.
  • From global stats, whatever happened was between noon and midnight on the 18th.
  • I'm on a "basic" DSL with slow uploads (max of 800 Kb/s, or 100 KB/s), with upload totals usually in the 100-400 MB range.

    That huge upload would then mean around 10 hours of uploading at top speed, or an average of at least 90 KB/s for half the day (90% of my top up spead).
    Either way, I'd have noticed... I think. Usually when the Internet upload bandwidth is saturated, Internet navigation is slow, and I don't remember noticing anything particular.
    .
  • The daily stats on my ISP account page (Teksavvy, in Canada) are nonexistent for that day (for other users too, some bug on their side), so I can't even check if this was a real upload, or some router glitch. Annoying coincidence.
  • All that could be considered IoT's are in fact blocked from connecting to the Internet (IP cams, streamer).
  • I keep logs of my only Guest every 15 minutes (Guest barred from Intranet). No unusual upload numbers for that day.
  • Checking other rstats from the last few months didn't reveal anything that unusual. Never seen this happen before.
  • At least, I can be somewhat reassured by the system logs from that period, showing the Ins/Outs of the PPPoE connection:

    Code:
    May 18 22:17:07 pppd[28941]: Connect time 3264.5 minutes.                     [54 hours]
    May 18 22:17:07 pppd[28941]: Sent 409977670 bytes, received 3733900659 bytes. [391 MB]
    ...
    May 19 15:48:32 pppd[11122]: Connect time 1051.1 minutes.                     [17.5 hours]
    May 19 15:48:32 pppd[11122]: Sent 205696257 bytes, received 2979948779 bytes. [196 MB]

    So when I disconnected my Internet at 22:00 on the 18th, only 391 MB upload were reported for the last 54 hours.
    When I disconnected at 15:48 on the 19th, only 196 MB upload were reported for the last 18 hours.

So this 3.7 GB of uploads in the daily traffic wasn't Internet related, right? Right? (Crossing fingers...)

So, anyone have any idea what happened? How can such a huge (and long) upload occur without IP Traffic noticing, if it is Internet related? A glitch from the router?

Thanks for any input.
 
Well, it happened again yesterday.
A 3.8 GB upload unaccounted for in the daily stats, with nothing of the sort present in the IPTraffic stats.

2017-06-14 incident 02sb.png


rtats saved 4x/day this time, so I know it happened between 5:55 and 11:55.
(I also saved the rstats_speed.gz file, I'll find time later to decrypt/read the contents, the spike scales anything else invisible!)

In the logs, the only detail of interest is my manual disconnect/reconnect to Internet at 9:45...

... but, the Last 24 Hours graph shows a huge 123 MB/s upload spike at exactly 9:45, and only in the Ethernet WAN pane:

2017-06-14 incident 01bs.png


This is well beyond my Internet upload speed (100 KB/s max) !
(At that rate, 30 seconds would be enough to account for the 3.8 GB.)

Note also that on the 18th of may in my first post, a reconnect was also done at 22:17, during the interval where the big up was recorded.

So, is this some kind of glitch in rstats when reconnecting to Internet ? Some internal transfers at the circuit level that shouldn't be counted ? (just trying to imagine what...)

I tried to reproduce by disconnecting/reconnecting again : there was a spike in the Real-time graph which appeared on reconnection, but it did not show in the Last 24 Hours graph or daily stats.

I'll try again at another time, don't know the necessary conditions, if that is indeed what causes all this.

Something any of you have encountered before ?

/edit: forgot to say, presently on 380.66_4 AsusMerlin

/Another Edit: After viewing the array for the Last 24 Hours graph page, I see indeed a single "upload"/TX of 3886493191 bytes = 3.6 GB in a single period of 30 seconds (interval in which that graph is saved).

Its only in the INTERNET section (WAN), not in the WIRED or WIRELESS or BRIDGE sections of the Array.

So I think I'll put this on a glitch rather than being hacked!
 
Last edited:
The traffic reported by the traffic monitor can get glitchy, in part due to a rollover bug in the code. The Tomato devs spent a good amount of time trying to reduce the impact of that rollover issue a few months back, but there's no perfect solution. It's basically a design flaw I believe.
 
Another idea of the traffic discrepancy it may be because IPTraffic is crunching data output from iptables and you might have some traffic that it is not traversing the NAT/iptables.
For example I have enabled on my router FTPS and AiCloud and the uploads/downloads made on these ports and apps do not appear in IPTraffic but appear on the graphs on the Traffic Monitor -> Global (Real-Time).

It would be nice if there would be an option to see also the traffic per port on the router level, similar to ntop.
 
You say that it might be better to open a new thread for that subject?
"
I have enabled on my router FTPS and AiCloud and the uploads/downloads made on these ports and apps do not appear in IPTraffic but appear on the graphs on the Traffic Monitor -> Global (Real-Time).

It would be nice if there would be an option to see also the traffic per port on the router level, similar to ntop.
"
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top