I'm setting up a bandwidth monitoring tool to see who's been eating up the monthly cap over the past 2 months.
I installed bandwidthD on my Linux computer, which is a network monitoring tool that logs usage, sorted per local IP. In order for the monitoring to happen, I manually set the default gateway of all clients to the computer's IP address. I also added an exception to prevent logging of internal network usage (such as local FTP).

Here's my bandwidthd.conf:

####################################################
# Bandwidthd.conf
#
# Commented out options are here to provide
# documentation and represent defaults

# Subnets to collect statistics on. Traffic that
# matches none of these subnets will be ignored.
# Syntax is either IP Subnet Mask or CIDR
#subnet 192.168.0.0/24

subnet 192.168.1.0/24


# Device to listen on
# Bandwidthd listens on the first device it detects
# by default. Run "bandwidthd -l" for a list of
# devices.
#dev "eth0"

dev "wlan0"

###################################################
# Options that don't usually get changed

# An interval is 2.5 minutes, this is how many
# intervals to skip before doing a graphing run
#skip_intervals 0

# Graph cutoff is how many k must be transfered by an
# ip before we bother to graph it
#graph_cutoff 1024

#Put interface in promiscuous mode to score to traffic
#that may not be routing through the host machine.
#promiscuous true

promiscuous true

#Log data to cdf file htdocs/log.cdf
#output_cdf false

output_cdf true

#Set the cdf log output directory
#log_dir "/var/lib/bandwidthd"

#Read back the cdf file on startup
#recover_cdf false

recover_cdf true

#Libpcap format filter string used to control what bandwidthd see's
#Please always include "ip" in the string to avoid strange problems
filter "ip and not((src net 192.168.1.0/24) and (dst net 192.168.1.0/24))"

#Draw Graphs - This default to true to graph the traffic bandwidthd is recording
#Usually set this to false if you only want cdf output or
#you are using the database output option. Bandwidthd will use very little
#ram and cpu if this is set to false.
#graph true

#Set META REFRESH for static pages in seconds(default 150, use 0 to disable).
#meta_refresh 150

meta_refresh 150

#Set the static html output directory
#htdocs_dir "/var/lib/bandwidthd/htdocs"


The problem with this setup is that the computer is getting accounted for other devices' usage:

Image of network stats

The computer's IP is 192.168.1.96. The two other devices below have a combined usage of around 30MB, and the computer shows 40MB of usage. The problem is that the computer actually only used 10MB, but since it's the default gateway, it's logging the 30MB for itself too.

Any ideas what I should do or what am I understanding wrong?

Thanks in advance.

PS: I understand that I can get a router and install custom firmware on it, but it's not worth it since I only want to do it to figure out the problem then stop.

PPS: I also understand that I shouldn't be doing this on a single NIC but since our bandwidth is only 4Mbps and we barely use bandwidth locally, it's fine.
Well either you want to monitor the gateway, in which case just leave it, since you know what's happening, and subtract other computers' traffic to get the traffic of the gateway alone, or you want to ignore it totally, in which case you can probably add a filter clause in your conf file, like the one which is already there, for that. But then you can't know if the gateway is overusing the connection for itself.
Also, if you just manually set the gateway on your computers to redirect the traffic, there is no guarantee that some computers are not bypassing this, maybe devices you don't know about.
I would recommend adding a setting in the firewall for your router (ADSL box or whatever you're using) to accept only traffic from your monitoring gateway.
But then of course you need to change that back when you don't want that anymore, like if the Linux computer stops working, in addition to the gateway setting in every machine.
You can use DHCP to make it easier to change network settings on your computers.
rolf wrote:
Well either you want to monitor the gateway, in which case just leave it, since you know what's happening, and subtract other computers' traffic to get the traffic of the gateway alone, or you want to ignore it totally, in which case you can probably add a filter clause in your conf file, like the one which is already there, for that. But then you can't know if the gateway is overusing the connection for itself.
Also, if you just manually set the gateway on your computers to redirect the traffic, there is no guarantee that some computers are not bypassing this, maybe devices you don't know about.
I would recommend adding a setting in the firewall for your router (ADSL box or whatever you're using) to accept only traffic from your monitoring gateway.
But then of course you need to change that back when you don't want that anymore, like if the Linux computer stops working, in addition to the gateway setting in every machine.
You can use DHCP to make it easier to change network settings on your computers.
Well I guess I can do solution 1 since it's just temporary. But I have no idea how I can do the DHCP thing to have the clients automatically change their default gateway when the Linux machine disconnects. If you could tell me more on how's that possible (verbosity not needed), it would be great.

What I'm doing now is just setting each device individually with a static IP to the router, and the default gateway as the computer.

If anyone has a more official solution to the problem don't hesitate either.
Okay well without being verbose (at your request), the DHCP server is usually your router, and there is a high chance that it will not let you change the gateway option, although you can check. Also if you set the IP manually on your computers, it will not use DHCP anymore and stick to your manual settings.

The full answer (which I wrote first) is below. I believe in explaining the things in a simple but complete manner. Hoping it will be appreciated.

I guess you have a DHCP server on your network. This DHCP server automatically assigns (usually):
IP address, DNS server addresses and gateway address(es) to your computers (clients) when they request it.
Computers by default will try to find a DHCP server and request configuration from it.
When assigning IP addresses, the DHCP server will also make sure that there is no conflict, that two computers are not given the same IP. So that is one more thing it does to make your life easier.

Normally, when your IP is given by a DHCP server, it will be something like 192.168.x.x.
If you have a Windows computer and it does not find a DHCP server, it will try autoconfiguration and you'll have an IP like 169.something. That is of course if you don't set the IP address manually.

Anyway an easy way to check if DHCP is enabled, and find the IP of the DHCP server, under Windows, is to go to the command line (cmd) and type the command "ipconfig /all" and hit enter. It will show you configuration for all your network adapters. Find the one you are using and see if DHCP is enabled and what IP is providing it. Normally, it will be your router!

Assuming it is your router (which it is in the majority of cases), depending on the model, there will usually be a page where you can change settings, but I guess it will often not include the option of changing the gateway, only the range and DNS servers. But you should check, I think.
If you have a Windows server, you can disable the DHCP on your router and use the one on your Windows server, which you can configure in more detail, and your computers will (automatically) start to use that instead after some time.

But if you don't, then setting up a DHCP server on Linux might be complicated, although TBH I know very little about that.

PS: DHCP in itself will not change anything if the Linux machine disconnects, but can let you change the setting in one place, and it will be applied to all your computers, that's all.
Well, I don't think it's necessary to do all that since the outcome is the same after all (no flexible gateway), but I'll keep the information you've provided for when I need it, thanks!

Alright, I was talking yesterday with someone over IRC and he told me that monitoring would be possible by getting SNMP information from the router.

He gave me a command to test if my ADSL modem-router was SNMP compatible, it timed out so it was a no.

But today I found out that it existed, but it was disabled. I tried reading about SNMP but it looks like hardcore stuff and I'm barely understanding how to use it, I just understood what it's intended for.

Do you have any expertise in it?
Basically I should be getting the SNMP information from the router, applying magic potions on it on the computer so it becomes a usage monitoring tool per IP similar to bandwidthd.
No expertise in SNMP, no. I also had the impression that it's more targeted to ISPs and specialists.
A quick Google search brings this up, maybe it can help?
http://www.howtogeek.com/141135/it-geek-monitor-network-devices-with-snmp-simple-network-management-protocol/

Another approach would be to set up a list on your router to limit access to it to only your computers - by MAC/hardware address. That is not 100% secure, it can be cheated with some expertise, but it will keep most people out - including myself. So this is to make sure that no other machines (e.g. neighbours, etc.) are secretly using your connection.

Then you can set up bandwidth monitoring on each of your devices. There is detailed software for that and it is usually much more user friendly than gateway-based solutions.

Otherwise your Linux gateway solution is usually the way to go in these situations, just make sure that nobody is going around it, because, in your case, you are using a single network adapter and your Linux machine is essentially just another client on your network; nothing forces the connected devices to use it, except your manual configuration. If there are devices you don't know about and did not configure, they will never show up on your reports.

There are also many Linux distributions, some specifically built to act as a gateway.

If you have two network adapters on your Linux machine, it should be possible to set up some kind of transparent gateway configuration in which you can remove it and use your old router again without having to change client configurations manually. Your Linux machine would then sit between the router and the rest of the network. It might be easy to do or tricky, I'm not sure.
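The point above, that nothing forces devices to route through a single-NIC gateway, can be checked from a capture. This is an added example, not part of the thread: it flags LAN hosts whose Internet-bound frames are addressed to a next hop other than the monitoring machine. The MAC addresses and capture lines are constructed; the subnet is the one from the posted bandwidthd.conf.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # subnet from the bandwidthd.conf in the thread
GATEWAY_MAC = "02:00:00:00:00:96"    # constructed: MAC of the Linux monitoring machine

# Constructed sample in the format printed by `tcpdump -e -n ip`
# (02:00:00:00:00:01 stands in for the ADSL router's MAC).
SAMPLE = """\
12:00:01.000001 02:00:00:00:00:22 > 02:00:00:00:00:96, ethertype IPv4 (0x0800), length 1514: 192.168.1.22.50100 > 203.0.113.10.443: Flags [.], ack 1, win 501, length 1448
12:00:01.000002 02:00:00:00:00:96 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.22.50100 > 203.0.113.10.443: Flags [.], ack 1, win 501, length 1448
12:00:02.000001 02:00:00:00:00:37 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 900: 192.168.1.37.40222 > 198.51.100.7.80: Flags [P.], ack 1, win 229, length 834
12:00:02.000002 02:00:00:00:00:37 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 600: 192.168.1.37.40222 > 198.51.100.7.80: Flags [P.], ack 1, win 229, length 534
12:00:03.000001 02:00:00:00:00:22 > 02:00:00:00:00:50, ethertype IPv4 (0x0800), length 400: 192.168.1.22.2121 > 192.168.1.50.21: Flags [P.], ack 1, win 229, length 334
12:00:04.000001 02:00:00:00:00:22 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 167: 192.168.1.22.1900 > 239.255.255.250.1900: UDP, length 125
"""

LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length (?P<len>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def bypassing_hosts(capture, lan=LAN, gateway_mac=GATEWAY_MAC):
    """Bytes sent off-LAN per local IP in frames whose next hop is not the gateway."""
    leaked = defaultdict(int)
    for line in capture.splitlines():
        m = LINE.match(line)
        if m is None:
            continue                      # not an IPv4 frame line
        if m["smac"] == gateway_mac:
            continue                      # gateway's own or forwarded traffic
        if int(m["dmac"][:2], 16) & 1:
            continue                      # broadcast/multicast frame, not routed
        if ip_address(m["src"]) not in lan or ip_address(m["dst"]) in lan:
            continue                      # inbound or LAN-local traffic
        if m["dmac"] != gateway_mac:
            leaked[m["src"]] += int(m["len"])
    return dict(leaked)

if __name__ == "__main__":
    print(bypassing_hosts(SAMPLE))
```

The capture has to be taken where other hosts' frames are actually visible; a Wi-Fi interface in managed mode may not deliver other stations' unicast traffic even with promiscuous mode enabled.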
The config is wrong. With one NIC you will always get this issue. Add another NIC as mirrored to the LAN.
Alright, so no need to bother for a workaround with a single NIC. I'll stick to what I have for the moment. I don't mind manually setting the gateway since I'm sure no-one is stealing our Wi-Fi from outside, and we don't get so many guests usually. I'll keep your info in mind whenever I get to really invest in such a setup.

Thank you.
You can try GFI gateway. It supports single interface and has the reporting tools you need. 30 day trial should be enough to find the culprit.
What is your router? You can use PRTG if your router supports SNMP.