NTOPNG reporting traffic incorrectly and impossibly high total bytes

[karl-angerer]

NTOPNG is reporting 7TB down and 5TB up of data over 43 days between a single dev box that is hardly used and us.archive.ubuntu.com

When selecting a single flow, at the bottom of the window under "Additional Host Names" a hostname is listed that has nothing to do with the 'us.archive.ubuntu.com' and it is us.api.endpoint.ingress.rapid7.com. The rapid7 hostname is correct for logging destination. However, even 7TB and 5TB would be horribly beyond the absolute capability of this lightly used dev box. Below: Image showing the single flow and the rapid7 hostname

On the dev box netstat does not show connection to either us.archive.ubuntu.com or the rapid7 servers.

Rapid7 is our SEIM service. We send all logs from our equipment to Rapid7. The total volume of logs over 43 days can be 7TB or 5TB total across the organization . But if that number was legitimate, the source and destination would be incorrect.

Below: image showing number of us.archive.ubuntu.. flows

[karl-angerer]

[karl-angerer]

Apologize, I submitted the case before I gave all the details.

Is there a known or other possible cause for the source and destination combined with the total bytes being mis-reported.