Finding the cause of data leaks can be very frustrating, I know.
I am going to repost a previous reply in an effort to provide you with information on the various connection paths that may exist in your network and some procedures that hopefully will allow you to regain control of your data usage:
If a user has a single computer connected directly to the modem it is a simple matter to see what programs and processes are using the data by installing the free version of Glasswire.
The inclusion of a router really complicates the issue because of the sheer number of connection paths that it offers as well as router security.
There have been a number of "sneaky" changes of late ....
Microsoft "telemetry" in Win10 as well as in Win7 and 8.1 depending on installed updates.
Some software that has undergone changes ... AVG antivirus now shares "telemetry"
Some versions of Nvidia video card drivers now sharing "user data"
Many mainstream websites that now load more Ads, perform frequent auto-refreshes, contain more Flash content and now have HTML5 video "pre-fetch".
Some serious router vulnerabilities that if not patched with firmware updates can leave a user's network compromised. These would include Netgear, Linksys and Cisco routers.
It all depends on having a clear understanding of the "shape" of your network and connected devices.
I have previously posted the following. Hopefully it will give you a little better insight to your network and offer a roadmap of sorts to follow in finding your answer:
Networks, even residential networks, are much more complex than most of us realize.
In the not so distant past routers and switches and "Networking" were pretty much limited to businesses and perhaps the more "geeky" subscriber.
A typical satellite user's connection looked like this:
A single computer directly connected to the Modem. There is only one path that data can be used. There are no "cross roads" no chance of anything using data beyond those two devices.
Things however even at this level are more complex than meets the eye. That single computer by itself has 65,536 connection ports.
There are broadly speaking two things in play here:
Applications ... Those are PROGRAMS that we start .. we can see them running such as a web browser or an email client program.
A look at Windows Task Manager reveals:
Three running Applications:
An email client program, a web browser and an open file.
However a look at running Processes shows something much more complex:
I currently have a whopping 102 Processes running in the background unseen, unknown. Not all of these of course are going to be connected to the Internet at any given time. They "turn on", perform their function and turn off.
In our very simple "network" (single computer directly connected) we could install a program like GlassWire on that computer and it will show all data used by THAT computer and what programs and processes used that data:
Our simple Network now has two "measuring points":
Point A is going to be the point along the single "data path" that is monitored by GlassWire.
Point B is going to be the usage registered by the Modem as "traffic" to be charged against the user monthly data allowance.
The two values should pretty much coincide within reason.
It is possible to look at a usage meter that has yet to "refresh" or register the usage in the last few minutes.
It is possible for the ISP to have "compressed" data and a smaller amount is shown by the Modem as being charged against the allowance than indicated by GlassWire.
At this point the parameters are pretty straightforward:
Do the amounts measured at points A (computer) & B (Modem) match?
If they do NOT and the Modem claims greater usage then I suggest the following process:
Take a screenshot of your remaining allowance (allow for data that has yet to be recorded)
Disconnect the LAN cable from the rear of the Modem and note the exact time.
Let a number of hours pass (overnight?)
Reconnect the LAN cable and again note the time and the amount of remaining data. Again an allowance must be made for the usage meter to update itself. What we are looking for here is a major discrepancy.
In the event that A and B match then we have to conclude that all of the data used (and charged against the user's allowance) was indeed used by the directly connected computer.
A careful look at GlassWire will reveal what program and what processes are using data.
There are many things that can be done to conserve data .. browser extensions that block ads and scripts among other things. Much easier to do once the source of usage has been identified.
As we look at the above example we can see plenty of opportunity for data use and this just by a single computer.
The problem is very few subscribers' Networks look like the above.
This is more typical:
The above really multiplies the complexity. It offers multiple connection paths and each of those by itself has the same complexity as the single computer shown in the example above.
We have to take a much closer look at the Router itself:
The router as a central point in the network has three potential data use avenues:
#1: Its firmware/hardware: would include automatic update checks, Remote Access accounts/vulnerabilities, WPS settings/vulnerabilities and "front end" username/password setup to name a few.
#2: Wired LAN connections and the types of devices connected as well as their settings. Specifically end users not understanding the differences between "hard off", "sleep" and "hibernate" as well as other system settings such as Wake On LAN, Wake On Ring and even extending to
We need not even go into the details of forced updates and data "sharing" inherent to Win10 and being back ported to Win7/8/8.1
#3: We come to the most difficult to control ... Wireless activity (on each frequency dual/triple band routers)
can start with what encryption level, if any, has been set up. We also need to consider the username and password that limits access to the router's front end so that unauthorized users can add themselves to the wireless users list. It needs to be changed from the default values.
also have the multitude of settings of the many types of devices that can connect wirelessly be they computers, notebooks, tablets, cell phones or even thermostats.
It is often not apparent when all apps on all devices have had their update ability turned off. Very frequently an update will cause other settings to change to their
Considering the number of "connection avenues" provided by a router it is mandatory that it be included in any troubleshooting steps ...
We have to understand the Router is at the center of the Network ... ALL OF THE CONNECTION PATHS and ALL OF THE DATA USED have to pass through the Router, therefore I suggest a Router that allows the tracking of usage per device.
There are many brands and models available .. a user needs to research which one best serves the user's needs.
I have an Asus RT-AC3100 that has traffic monitoring:
Main interface that has the router's options and displays among other things which devices are currently connected:
Which devices used how much data by IP and by date:
And a statistical analysis per device by the top consuming software or process:
One often overlooked area is usage by the Router itself in the form of its internal services:
I had enabled two of the above services and the router internally consumed nearly 1/2 GB within just several days.
Determining the cause of missing data or even excess use requires that a user have some degree of understanding of their Network.
You may also wish to read the questions and responses to the following topics with a similar theme that includes details on using Glasswire and general information on data loss.