I've installed OpenWRT 22.03.3 (including nlbwmon).
According to @jow's description on GitHub:
nlbwmon tracks traffic by IP Version (ipv4/ipv6), by IP Address, by MAC address, and by layer7 protocol (ie, port numbers). ... The default protocol file contains approximately 45 port definitions. The user can add/remove ports to this file as necessary. Any traffic that doesn't match a port definition is classified as 'Other'.
I've added some entries to the protocol file to accomplish my personal needs. Nevertheless, nlbwmon discovers a huge amount of other traffic.
I've tried to discover this other traffic with the help of tcpdump - without success so far.
I'm looking for the other traffic with the following command (all other traffic is generated by clients of the br-lan interface, p1 ... pn are port numbers):
tcpdump -i br-lan -nv 'not ( (tcp or udp) and port (p1 or ... or pn) )'
About every 10 to 20 seconds tcpdump lists some ARP records, nothing else:
20:50:55.778825 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.22.10.14 tell 172.22.10.1, length 28
20:50:55.779170 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.22.10.14 is-at <mac-addr>, length 42
20:51:12.978823 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.22.10.30 tell 172.22.10.1, length 28
20:51:12.979210 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.22.10.30 is-at <mac-addr>, length 46
I can't imagine that these ARP queries sum up to more than 43 MBytes within one day (despite the fact that this traffic is between two br-lan clients).
I have a bad feeling that I'm missing something. But what? Can anybody help?
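
One way to generate the filter used in the tcpdump command above directly from the protocol file, so the port list cannot drift from what nlbwmon is configured with (an added example, not part of the original post and not nlbwmon's own code). It assumes each definition line has the form "<IP protocol number> <port> <name>" with '#' starting a comment; the function names and the sample data are made up for illustration. Unlike a single shared port list, it keeps TCP and UDP ports separate, so a port defined only for TCP does not also hide UDP traffic on that port.

```shell
#!/bin/sh
# Build a tcpdump filter that hides every TCP/UDP port defined in a protocol
# file, leaving only traffic that has no matching definition.
# Reads the file named as argument, or stdin when no argument is given.
# Assumed line format: "<ip-proto-number> <port> <name>", "#" starts a comment.
build_other_filter() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }                  # comments, blank lines
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next } # malformed definitions
        {
            p = $2 + 0
            if (p < 1 || p > 65535) next              # not a usable port
            # 6 = TCP, 17 = UDP; other protocols stay visible in the capture
            if ($1 == 6  && !seen["t" p]++) { tcp = tcp tsep p; tsep = " or " }
            if ($1 == 17 && !seen["u" p]++) { udp = udp usep p; usep = " or " }
        }
        END {
            if (tcp != "") { f = "(tcp and port (" tcp "))"; sep = " or " }
            if (udp != "") f = f sep "(udp and port (" udp "))"
            if (f != "") print "not (" f ")"
        }
    ' "$@"
}

# Constructed sample definitions in the assumed format (not the real file).
sample_protocols() {
    cat <<'EOF'
# proto port name
6 80 HTTP
6 443 HTTPS
17 443 QUIC
17 53 DNS
6 53 DNS
6 443 HTTPS-duplicate
6 70000 out-of-range
EOF
}

# Print the filter for the sample data. On the router, the result would be
# passed to the command from the post, for example:
#   tcpdump -i br-lan -nv "$(build_other_filter PROTOCOL_FILE)"
sample_protocols | build_other_filter
```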