I live in Canada and have a bandwidth cap. I've been using a Netgear UTM5 to log WAN usage and attempt to reconcile the UTM5's counts with my ISP's (Rogers). I have two observations:
- The UTM5's counts are close to the ISP's counts;
- Once you have the aggregate count you immediately need drill down capability: by IP on the LAN and by protocol (actually, by application using the LAN, but protocol is close enough).
The simply logs provided by routers (even a SOHO router like the UTM5) do not allow the drill down capability. For example, the UTM5 only provides detailed HTTP(S) logs; although it does keep aggregate counts for some other protocols.
My dilemma is that although I can determine how much HTTP(S) data my teens consume, I cannot determine what other applications they run are consuming. As a result, I haven't been able to completely get a handle on WAN usage and some months I am forced to block access to media streaming sites for the last few days of the month--so that we don't end up paying the ISP extra charges. My preference is to develop a better understanding of the traffic and then remove the offending applications from the LAN, but I simply don't have the data in hand to do that.