Haven't read the thread but logging all traffic?
Take just the IP address. That is 4 bytes; if you want to pair it with where it came from, it's 8 bytes. That could be considered the low bound for any time you load a new website. How many sites do you visit per day, 20? 80 bytes, for a year that is ~29 kbytes. Still, the real number is much, much higher. I might need to run Wireshark for a day to get some data on just how many SYN packets (opening a new connection) are made.
EDIT: A few more things. I didn't calculate things like time, 4 bytes or 8 bytes (future-proof to a sufficient distance), and ports, 2 bytes. Also 20 is a very low estimate. It's more like a line in the log for each time you open a new tab in the browser. And this is just for HTTP, and assuming each site doesn't have content located on other servers.
Logging certain specific things is cheap, like port scans and other abnormal behavior. But logging visited websites quickly explodes into a huge amount of data.
Also, one thing which can explain old times in log files is that the clock isn't battery-backed, and as such it resets when power is lost for a certain period of time.
Finding out the route is achieved by different means than routers. Usually with the TTL option and multiple packets, in which case you often get an answer from each router where the packet was lost.
Last edited by Ekaros; 05-18-2012 at 06:18 AM.
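To make the storage arithmetic above concrete, here is an added example (not code from the thread or any router firmware) that defines a minimal fixed-width binary record for one new-connection event, packs and unpacks it, and computes the yearly log volume for a given record size and connection rate. The 20-byte layout (8-byte timestamp, two IPv4 addresses, two ports) and the sample events are constructed for this example; the 29,200-byte figure reproduces the post's "4 bytes × 20 sites × 365 days" estimate.

```python
import struct
import ipaddress

# Constructed fixed-width record layout for one SYN (new connection) event:
#   8 bytes  Unix timestamp in seconds (64-bit, well past 2038)
#   4 bytes  source IPv4 address
#   4 bytes  destination IPv4 address
#   2 bytes  source port
#   2 bytes  destination port
# Network byte order ("!"), no padding, so the record is exactly 20 bytes.
RECORD = struct.Struct("!QIIHH")
RECORD_SIZE = RECORD.size  # 20


def pack_record(ts: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Serialise one connection event into the fixed-width layout."""
    return RECORD.pack(
        ts,
        int(ipaddress.IPv4Address(src)),
        int(ipaddress.IPv4Address(dst)),
        sport,
        dport,
    )


def unpack_record(raw: bytes) -> dict:
    """Inverse of pack_record; raises struct.error on a short or long buffer."""
    ts, src, dst, sport, dport = RECORD.unpack(raw)
    return {
        "ts": ts,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
    }


def iter_records(blob: bytes):
    """Walk a buffer of back-to-back records; a trailing partial record is ignored."""
    full = len(blob) - (len(blob) % RECORD_SIZE)
    for off in range(0, full, RECORD_SIZE):
        yield unpack_record(blob[off:off + RECORD_SIZE])


def bytes_per_year(record_size: int, connections_per_day: int, days: int = 365) -> int:
    """Uncompressed log volume for a given record size and daily connection count."""
    return record_size * connections_per_day * days


def count_by_destination(blob: bytes) -> dict:
    """Tally connections per destination address from a packed log buffer."""
    counts: dict = {}
    for rec in iter_records(blob):
        counts[rec["dst"]] = counts.get(rec["dst"], 0) + 1
    return counts


# Constructed sample events (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    (1337000000, "192.0.2.10", "198.51.100.20", 51000, 80),
    (1337000003, "192.0.2.10", "203.0.113.7", 51001, 443),
    (1337000009, "192.0.2.10", "198.51.100.20", 51002, 80),
]


def build_sample_log() -> bytes:
    """Pack the constructed events into one contiguous binary log buffer."""
    return b"".join(pack_record(*e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    log = build_sample_log()
    print(f"record size: {RECORD_SIZE} bytes, log size: {len(log)} bytes")
    print("per destination:", count_by_destination(log))
    # The post's low-bound estimate: only a 4-byte IP, 20 sites a day, one year.
    print("4 B x 20/day x 365 =", bytes_per_year(4, 20), "bytes")
    # Full 20-byte record at a more realistic 2000 connections a day.
    print("20 B x 2000/day x 365 =", bytes_per_year(RECORD_SIZE, 2000), "bytes")
```

The point of the fixed layout is that the per-record cost is known up front, so the yearly volume is a straight multiplication; the real driver is the connection count, which a browser with many third-party resources pushes far beyond 20 a day.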