1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Bandwith montoring; results, concerns and questions

Discussion in 'Tomato Firmware' started by CheapScotsman, Feb 21, 2007.

  1. CheapScotsman

    CheapScotsman LI Guru Member

    The bandwith monitoring on this thing looks so cool ... but I am a bit confused (and concerned) so I decided to run a little test last night

    At 3am
    1. I disconnected all devices off my network except one computer
    2. I shutdown almost everything I could think of on my computer (killed a bunch of processes, etc)
    3. I logged onto router (Tomato 1.04.0944)
    4. The device list shows vlan1 and br0 (one computer and the router are the only items on the the network). I closed all my "open" ports
    5. I got the stats from the Bandwidth displays
    6. I ran windump on the network adapter on the PC (windows xp SP2)
    7. I went to bed

    At 9am
    1. I logged onto router (Tomato 1.04.0944)
    2. The device list shows vlan1 and br0 (one computer and the router are the only items on the network).
    3. I got the stats from the Bandwidth displays
    4. Windump indicates I got a block of Udp packets every hour (see the attached file) and that was it

    The bandwidth results from Tomato are:

    Comments / Questions/ Concerns / Suggestions
    1. From last 5 hours inbound average ... 35.5kbps by 5hrs by 3600 sec/hr yields 78 MB (8 bits/byte, 1024kbits/megabit) but the The Bandwith Daily Page
      indicated 90.85 MB downloaded. Where did the other ~12MB go?
    2. How do I find out who/what/where is bombing my router with 90MB of data in a 5 hour period? ... which if I have read this correctly, does not appear to be making it through the firewall
    3. The Bandwidth Daily/Monthly appears to show the total data that hits the router before the firewall ... would it not be just (or more) useful to show the data that actually got downloaded through the firewall to the switch/wireless?

    Attached Files:

  2. larsrya8

    larsrya8 LI Guru Member

    It's probably stuff from your ISP... maybe DHCP/DNS? There was a thread about this not long ago. Notice how your modem light is still flashing even though all of your computers are turned off? It could also be from P2P... other users are still trying to connect to you even though you've exited your client.

    When all of our computers are idle/off we average about the same data rate that your Tomato is reporting.

    The Bandwidth monitor is showing the data on the WLAN port... regardless of whether it makes it through the firewall it has to arrive on WLAN first, so it must be shown on the monitor.
  3. CheapScotsman

    CheapScotsman LI Guru Member

    The router log shows DHCP renew to my ISP every 30 minutes (even though the lease time is 3600) but that shouldn't be taking the bandwidth. I don't think its DNS as nothing running to make any DNS requests. Any info to point me to that thread?
    Yep, the lights are always going and the WLAN bandwidth is always showing data ... so I can definitely see that my router is being bombarded with data
    I don't run any P2P and had killed everything for the 4hr test (nothing on the windump which was monitoring every byte going out the NIC)
    Good to know
    don't get rid of monitoring total data hitting the router ... but it would be more than nice to monitor how much data (daily/monthly) went through the firewall
  4. Joro711

    Joro711 Network Guru Member

    Wait for answer from Bill Gates. :) Sorry for my bad english.
  5. GeeTek

    GeeTek Guest

    More Info

    No, that would be limiting you to less information about your system. More info is good. It's good to know that the router is blocking things, and it is good to know how much. Why would you not want to have this info available ? As you pointed out, you already know how much is getting in by watching the LAN stats. Why put blinders on the router for no reason ? If you do not want to know how much info is being blocked, just don't look at it ! I vote no on your idea.
  6. CheapScotsman

    CheapScotsman LI Guru Member

    Hmmm ... well, I never said to get rid of the WAN stats but I am advocating to include firewall stats as well ...

    while I can determine the amount of data limited by the firewall in my contrived test above (caused I externally controlled/measured the data on the LAN/Wireless), in general, there is no way to determine the amount of data (either real time or daily/monthly totals) going THROUGH the firewall.

    Here is why:

    a) The daily/monthly totals are only summarized for WAN activity (stuff hitting the router; most blocked), nothing else

    b) The bandwidth graphs include

    WAN/Vlan1 ... all data hitting the router
    WL/eth1 ... all data going across the wireless (including to each other and to/from BR0 and to/from WAN)
    BR0 ... all data going across the wired switch ports (including to each other and to/from wireless and to/from WAN)

    Based on this thread (http://www.linksysinfo.org/forums/showthread.php?t=51637) there is some confusion on what eth0 and vlan0 are

    vlan0 .... perhaps BR0 + WL ???
    eth0 ... perhaps val1 + vlan0 ???

    Given that I do backups, shares drives and play games across my LAN ... and given that BR0 and WL includes data to/from LAN, wireless and WAN .. I can't determine data to the WAN (hence through the firewall) only.
  7. GeeTek

    GeeTek Guest

    I did indeed misinterpret your statement. Sorry ! Since I have never needed that specific detail, I have never thought it through the way you did. I have tested syslogging, and have noticed a goodly glut of random stuff being dropped from outside. A breakdown of the stats as you have suggested would be interesting.
  8. larsrya8

    larsrya8 LI Guru Member

    A quick Google search revealed that the "data bombardment" is normal for cable and DSL internet connections. Both modems need to stay in communication with the ISP for various reasons: diagnostics, stay-alive, etc. Even if it was malicious, the amount of data is insignificant for any broadband connection, and it isn't even coming into your network.

    If you are still concerned, you can call your ISP and they will tell you the same thing.

Share This Page