I recently deployed a Tomato router (Toastman 1.28.7633.3 IPT-ND STD) behind a Comcast cable modem.The Bandwidth/Last 24 Hours page displays fairly constant RX (download) traffic on the WAN interface of about 20-25 kbps, 7x24. That's around 250 MB per day. I inspected the IP Traffic stats to determine which of the devices on my LAN (there are only two) was consuming all this traffic. None of them, it seems. The IP Traffic reports are minimal. The two devices on the LAN have been essentially dormant, doing little more than getting an NTP time update occasionally. Do the Bandwidth stats captured by Tomato include packets that don't traverse the router to the LAN?? These would include: pings (ICMP packets) from the internet. These are dropped by the firewall. packets from port scanners looking to break in (hitting ports 80, 22, 139, 445, etc etc). These are also dropped by firewall. DHCP traffic flowing to/from Comcast's DHCP servers. These messages (DHCP Discover, Offer and Accept) are all broadcast messages sent to destination 255.255.255.255 on the subnet. It's my understanding that every router on a network segment sees every DHCP message sent to/from all the other routers (since they are all broadcast messages). response to traffic initiated by Tomato itself. These would include responses to time queries (to NTP servers), and responses to DDNS address updates. If Tomato's bandwidth monitor is indeed counting all of the 'internet background' traffic, is there any way to configure the bandwidth logging process to only count 'legitimate' traffic originated or terminated by devices on the LAN? I'd just as soon not have 250MB/day of spurious noise included in the daily/weekly/monthly stats. Thanks.