Erroneous bandwidth output when making Log Analyzer queries with set time interval

Last modified on 5 Feb, 2021. Revision 11
Up to date for: 2.33.00
Supported since: 1.00.xx
Status: OK

Question:

When I make a specific bandwidth time query (e.g. last 24 hours) in Log Analyzer I do not see the expected bandwidth usage; I know it should show more data being sent than what the query indicates.

Answer:

Bandwidth queries over 24 hours or another fixed time frame can be hard to get meaningful data from. The reason is that in many cases the transferred bandwidth is only written in the CONN_CLOSE log event. Not until the connection is closed do we know how much data was transferred in the connection and the time interval (the time between when the connection was opened and when it was closed). This means that if a connection was opened on 2018-10-10 and closed on 2018-10-12 and you query the 24 hours starting 2018-10-10, you will NOT see the bandwidth for this connection, as it was still in the open state at the end of that window (at that point we do not yet know how much data has traversed the connection).

As an example:

Source IP address 192.168.10.10 transfers 10 Mbyte of data on 2018-10-10; the connection only lasted a couple of minutes before it was closed.
Source IP address 192.168.10.11 transfers 500 Gigabyte of data between 2018-10-10 and 2018-10-12; the connection was open for about 3 days.

If we make a log query for only the date 2018-10-10 (24 hours), we will only see 10 Mbyte of data transferred, because the 500 Gigabyte connection has not yet closed and so its byte count has not yet been logged.


To get better bandwidth results we need to expand the query to cover more days and check whether the data then better matches our expectations. This is unfortunately not an exact science, as there is no good way to know exactly how long connections are kept open by the application. A connection can stay open for anything from milliseconds to weeks or even months, depending on the application and on what the Firewall itself is doing.
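The following is an added illustration of the effect described above; it is not part of the article and does not use the real cOS Core log syntax. The two CONN_CLOSE records are constructed to match the example, in a simplified key=value form whose field names (srcip, opened, bytes) are assumptions. It compares the 24-hour query with a widened 3-day query, and also shows that once the CONN_CLOSE records are in hand, the open/close interval they carry lets you attribute bytes to every connection that overlapped the day.

```python
# Added example, not from the Clavister article or product.
# Log format is a constructed, simplified key=value form, NOT cOS Core syntax.
from datetime import datetime, timedelta

# Constructed CONN_CLOSE records: byte counters only exist once a connection closes.
LOG = """\
2018-10-10T09:01:12 event=CONN_CLOSE srcip=192.168.10.10 opened=2018-10-10T08:58:40 bytes=10485760
2018-10-12T14:30:05 event=CONN_CLOSE srcip=192.168.10.11 opened=2018-10-10T07:00:00 bytes=536870912000
"""


def parse(log_text):
    """Parse the constructed CONN_CLOSE lines into dicts with datetime fields."""
    records = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("event") != "CONN_CLOSE":
            continue  # bandwidth is only reported in CONN_CLOSE events
        records.append({
            "srcip": rec["srcip"],
            "closed": datetime.fromisoformat(ts),
            "opened": datetime.fromisoformat(rec["opened"]),
            "bytes": int(rec["bytes"]),
        })
    return records


def bytes_by_close_time(records, start, end):
    """What a fixed-window query sees: CONN_CLOSE events timestamped in [start, end)."""
    return sum(r["bytes"] for r in records if start <= r["closed"] < end)


def bytes_overlapping(records, start, end):
    """Bytes of every connection open at any point in [start, end), using the interval
    carried by its CONN_CLOSE record (requires that record to have been fetched)."""
    return sum(r["bytes"] for r in records if r["opened"] < end and r["closed"] >= start)


def demo():
    records = parse(LOG)
    day = datetime(2018, 10, 10)
    naive = bytes_by_close_time(records, day, day + timedelta(days=1))   # 10 Mbyte only
    widened = bytes_by_close_time(records, day, day + timedelta(days=3))  # both connections
    overlap = bytes_overlapping(records, day, day + timedelta(days=1))   # both connections
    return naive, widened, overlap


if __name__ == "__main__":
    print(demo())
```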
