- cOS Core all versions
When I make a specific bandwidth time query (e.g. last 24 hours) in Log Analyzer I do not see the expected bandwidth usage; I know it should show more data being sent than what the query indicates.
Answer:
Bandwidth queries over a bounded time frame (for example the last 24 hours) can be difficult to get accurate data from. The reason is that in many cases the amount of data transferred is only written to the log in the CONN_CLOSE event. Not until the connection is closed do we know how much data was transferred in it, and over which time interval (the time between the connection being opened and being closed). This means that if a connection was opened on 2018-10-10 and closed on 2018-10-12, and you run a 24-hour query starting 2018-10-10, you will NOT see the bandwidth for this connection: at the end of that window it was still open, so at that point nothing was yet known about how much data had traversed it.
To make an example:
Source IP address 192.168.10.10 transfers 10 Mbyte of data on 2018-10-10; the connection only lasted a couple of minutes before it was closed.
Source IP address 192.168.10.11 transfers 500 Gigabyte of data between 2018-10-10 and 2018-10-12; the connection was open for about 3 days.
If we make a log query for only the date 2018-10-10 (24 hours), you will only see the 10 Mbyte transferred by 192.168.10.10. The 500 Gigabyte from 192.168.10.11 will only show up in a query whose time frame includes 2018-10-12, the day its CONN_CLOSE event was logged.
To get better bandwidth results, expand the query to cover more days and check whether the totals then better match your expectations. This is unfortunately not an exact science, as there is no reliable way to know how long connections are kept open by an application. A connection can stay open for anything from milliseconds to weeks or even months, depending on the application and on what the Firewall itself is doing.
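The effect described above, reproduced as an added example (this is not Clavister code and not Log Analyzer's query logic). It attributes bytes per source IP at CONN_CLOSE time, exactly as the answer says the firewall does, and then runs the same constructed log through a 1-day window and a 3-day window. The log lines are constructed for this example; their key=value layout only loosely mirrors cOS Core's style, and the field names (event, srcip, destip, origsent, termsent) are assumptions, not the real cOS Core log schema. The second function lists connections that were opened but not yet closed by the end of the window, which is the set of connections whose bandwidth a query ending there cannot possibly contain.

```python
from datetime import datetime

# Constructed sample log (NOT real cOS Core output). Field names are assumptions.
# 192.168.10.10: 10 MiB, open for 3 minutes on 2018-10-10.
# 192.168.10.11: 500 GiB, opened 2018-10-10, closed 2018-10-12.
SAMPLE_LOG = """\
2018-10-10 08:00:00 event=conn_open srcip=192.168.10.10 destip=203.0.113.5
2018-10-10 08:03:00 event=conn_close srcip=192.168.10.10 destip=203.0.113.5 origsent=10485760 termsent=20480
2018-10-10 09:00:00 event=conn_open srcip=192.168.10.11 destip=203.0.113.7
2018-10-12 21:00:00 event=conn_close srcip=192.168.10.11 destip=203.0.113.7 origsent=536870912000 termsent=1048576
"""


def _day(s):
    """'YYYY-MM-DD' -> datetime at 00:00:00 of that day."""
    return datetime.strptime(s, "%Y-%m-%d")


def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into (timestamp, {key: value})."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    return ts, fields


def _events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def bandwidth_by_source(log_text, start_day, end_day):
    """Bytes per source IP for the window [start_day 00:00, end_day 00:00).

    Byte counts exist only in the close event, so a connection is counted
    in the window in which it CLOSED, regardless of when it was opened.
    """
    start, end = _day(start_day), _day(end_day)
    totals = {}
    for ts, f in _events(log_text):
        if f.get("event") != "conn_close" or not (start <= ts < end):
            continue
        sent = int(f.get("origsent", 0)) + int(f.get("termsent", 0))
        totals[f["srcip"]] = totals.get(f["srcip"], 0) + sent
    return totals


def unaccounted_connections(log_text, end_day):
    """(srcip, destip) pairs opened before end_day with no close event before it.

    Their transferred bytes are unknown to ANY query that ends at end_day,
    which is why a short window under-reports bandwidth. Connections are
    keyed on (srcip, destip) only, which is enough for this sample.
    """
    end = _day(end_day)
    opened, closed = {}, set()
    for ts, f in _events(log_text):
        if ts >= end:
            continue
        key = (f["srcip"], f["destip"])
        if f.get("event") == "conn_open":
            opened[key] = ts
        elif f.get("event") == "conn_close":
            closed.add(key)
    return sorted(k for k in opened if k not in closed)


if __name__ == "__main__":
    for start, end in (("2018-10-10", "2018-10-11"), ("2018-10-10", "2018-10-13")):
        print(f"query {start} .. {end}:")
        for ip, nbytes in bandwidth_by_source(SAMPLE_LOG, start, end).items():
            print(f"  {ip}: {nbytes / 2**20:.1f} MiB")
        print("  still open at end of window:", unaccounted_connections(SAMPLE_LOG, end))
```

The 1-day window reports only the 10 MiB from 192.168.10.10 and flags the 192.168.10.11 connection as still open; widening the window to include 2018-10-12 makes the 500 GiB appear. The "still open" list is the check worth running before trusting a short-window total: if it is non-empty, the total is a lower bound, not the real usage.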