Mysterious Bandwidth Usage

We use a SonicWall NSA 3500 as our main router. We have a SonicWall Analyzer virtual appliance too that takes information from the NSA 3500 and determines all kinds of stuff, such as bandwidth usage.

We have 2 internet connections from the same ISP. One is cable, and the other is fiber. The fiber connection is the one that we have a 100 GB/mo limit on and have to pay overage charges. From here on out this is only about the fiber connection.

Our ISP and the Analyzer appliance seem to give me different monthly readings, however.

In November, Analyzer reported 118.1 GB of bandwidth usage on our fiber connection. our ISP's invoice shows we used 505.1 GB.

How can these numbers vary so widely? How can I troubleshoot the cause of this bandwidth usage? In SonicWall analyzer I'm looking at the whole month of November for the SonicWall interface that has our fiber connection connected to it, and that's when I get 118 GB.

We've already contacted our ISP and they claim that there's nothing wrong with their reading system.

We first started noticing spikes in our usage after I implemented a new backup system that replicates backups over the internet off-site, however the past 2 months that's been completely removed from the network while we figure this out. When I say completely removed, I mean I went into the SonicWall and disabled the VPN connection. I also went into the backup software and turned off replication.

Enable Tap mode on your NSA 3500 for the port that your ISP's drop connects into. Pump traffic into a node running tcpdump (or whatever your TCP sniffing tool of choice is on your platform of choice). Now you can analyze that dump. You're not dealing in massive amounts of bandwidth (500GB over a month is nothing) so it should be easy to manage from a technical perspective. From there you've got proof that either your SonicWALL Analyzer is misconfigured and not seeing all traffic, the NSA 3500 itself is somehow not reporting right, or your ISP is shady.