Ethereal-users: [Ethereal-users] Re: statistics

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ken Kriesel <kkriesel@xxxxxxxxxxxx>
Date: Thu, 07 Jul 2005 11:41:25 -0500
The byte counters I see wrapping at 32 bits unsigned now (in a different 
product which appears to be the predecessor of LanHound) are the 
following, on an Internet connection that is by a T1 link:
- total traffic bytes in a summary
- byte total in the "most talkative" conversations ("traffic matrix")
- byte total in the "most talkative or talked at" endpoints ("Hosts")

Once a network monitor is installed, it's easy to observe these 
behaviors.  Just put up a summary, conversations display, or 
endpoints display, on a reasonably busy network segment, and
wait.  A T1 circuit operating at 25% of capacity inbound will carry 
1536000 /8 *25% = 48Kbytes/second = 4,147,200,000 bytes/day,
96.56% of a 32 bit counter; counter rolls over in under 25 hours.
Faster or busier links roll over quicker.  
(Fully utilized T1 in both directions: 3.1 hours;
10Mbit Ethernet data rate: <1 hour;
100Mbit Ethernet data rate: <0.1 hours;
1Gbit, forget about it)

In these days of 0.2 to 2 GB video file downloads, a single Appropriate
Use Policy violation involving a few downloads can involve more than 
4GB of traffic, wrapping 32bit counters.

Another application of long-term link monitoring is determining typical 
traffic rates for charging of link costs, either for sampling traffic level
and billing the cost of the link according to traffic, or for apportioning a 
fixed annual link cost among multiple organizational units according to
relative usage of a shared link.  For cost & traffic purposes, monitor
periods of about a week are useful.  In my experience doing the relative
usage measurement on a T1, 32-bit counters require breaking up a 
week into about 10 separate periods to avoid counter overflow.

Thanks,


Ken
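
Added example, not part of the original message or of any product it mentions: one way to keep a correct long-term byte total when the monitor only exposes a 32-bit counter is to read it more often than it can wrap and accumulate the differences in 64 bits. The names wide_counter, wide_update, wrap_seconds and simulate are hypothetical, the traffic is constructed (a steady 48000 bytes/s, the message's 25% T1 figure), and the code assumes at most one wrap between readings.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: 64-bit running total fed by a 32-bit byte counter. */
struct wide_counter {
    uint64_t total;   /* bytes accumulated so far */
    uint32_t last;    /* previous raw 32-bit reading */
    int primed;       /* 0 until the first reading is seen */
};

/* Fold one raw reading into the total. Unsigned subtraction is modulo 2^32,
 * so the delta is correct across at most ONE wrap between readings. */
static uint64_t wide_update(struct wide_counter *w, uint32_t raw)
{
    if (w->primed)
        w->total += (uint32_t)(raw - w->last);
    w->last = raw;
    w->primed = 1;
    return w->total;
}

/* Seconds for a 32-bit byte counter to wrap at a steady byte rate; readings
 * must be taken more often than this. */
static double wrap_seconds(double bytes_per_sec)
{
    return 4294967296.0 / bytes_per_sec;
}

/* Constructed traffic: a steady `rate` bytes/s for `seconds`, with the
 * monitor exposing only the low 32 bits, read every `interval` seconds. */
static uint64_t simulate(uint64_t rate, uint64_t seconds, uint64_t interval)
{
    struct wide_counter w = {0, 0, 0};
    wide_update(&w, 0);
    for (uint64_t t = interval; t <= seconds; t += interval)
        wide_update(&w, (uint32_t)(rate * t));
    return w.total;
}

int main(void)
{
    /* 48000 bytes/s is the message's 25%-utilised T1 figure. */
    printf("wrap after %.1f hours\n", wrap_seconds(48000.0) / 3600.0);
    printf("week, hourly reads: %llu bytes\n",
           (unsigned long long)simulate(48000, 604800, 3600));
    printf("week, 2-day reads:  %llu bytes (undercount)\n",
           (unsigned long long)simulate(48000, 604800, 172800));
    return 0;
}
```

Reading every two days lets more than one wrap fit between readings, so the reconstructed total silently comes out low; nothing in the raw counter reveals how many wraps were missed.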