You can easily create a filter which can differentiate between the traffic directed to the internet and traffic directed to your other sites.
All my sites are numbered from the RFC 1918 private address space. This makes it really easy to define an external and an internal filter. The internal filter is defined as “traffic from an RFC 1918 source to an RFC 1918 destination”. The external filter is the opposite of this.
The nfdump filters are:
Internal: (src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16) and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)
External: not ((src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16) and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)) and not proto esp
My sites are connected by IPsec, and the “not proto esp” clause makes sure that the tunnel traffic is not counted in the external filter. This simplistic filter has a blind spot: for example, an inside user (e.g. a guest) who is VPNing back to their office will also have that ESP traffic dropped from the external filter.
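To make the filter logic (and its ESP blind spot) concrete, here is an added example, not part of the original post and not nfdump code: it re-implements the two filters in Python over constructed flow records, using documentation addresses (203.0.113.x, 198.51.100.x) for the public endpoints.

```python
import ipaddress
from typing import NamedTuple

# The three RFC 1918 ranges used by the nfdump filters above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_ESP = 50  # IP protocol number for ESP ("proto esp" in nfdump)


class Flow(NamedTuple):
    """Minimal flow record (constructed; real records would come from nfdump)."""
    src: str
    dst: str
    proto: int
    nbytes: int


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(flow: Flow) -> str:
    """Mirror the two nfdump filters: 'internal' = RFC 1918 -> RFC 1918,
    'external' = everything else that is not ESP, 'tunnel' = ESP that the
    'not proto esp' clause drops from the external filter."""
    if is_rfc1918(flow.src) and is_rfc1918(flow.dst):
        return "internal"
    if flow.proto == PROTO_ESP:
        return "tunnel"
    return "external"


def byte_totals(flows) -> dict:
    totals = {"internal": 0, "external": 0, "tunnel": 0}
    for f in flows:
        totals[classify(f)] += f.nbytes
    return totals


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.0.20", "172.16.5.8", 6, 4_000_000),             # backup between two sites
    Flow("192.168.1.10", "203.0.113.7", 6, 250_000),           # browsing to the internet
    Flow("198.51.100.1", "203.0.113.1", PROTO_ESP, 900_000),   # site-to-site IPsec tunnel
    Flow("192.168.1.50", "203.0.113.99", PROTO_ESP, 120_000),  # guest's own VPN: dropped too
]

if __name__ == "__main__":
    print(byte_totals(SAMPLE_FLOWS))
```

The last sample flow shows the blind spot: the guest's VPN is really internet-bound traffic, but because it is ESP it lands in the same bucket as the site-to-site tunnel and never appears in the external graph.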
These filters can give you some nice graphs, as shown below, where red = external traffic and blue = internal traffic.
In this graph you can clearly see that an internal backup is running from Thursday 10th to Sat 12th. Otherwise most of the traffic from this site is directed towards the internet.