I believe the "tcpdump" gives the best analysis of packets sent/received. I then use "tshark -z conv,ip -r <pcap file>" on the Pi to break it down by IP. Would be nice to be broken down by IP/port as well, but that is something to work on.
I can see a couple of DNS lookups to "rut.teletonika.lt", what are these for please? All data traffic is "off" presently. There seems to be quite a lengthy exchange with port 5000 on IP 3.120.7.82, which I don't understand.
I am also uploading the /tmp/mdcollectd.db to the Pi, and using the sqlite browser to get access to the data. It looks like it gives a breakdown of total traffic per hour, which is nice :)
Unfortunately the values reported from the mdcollecteddctl remain a mystery.
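
One way to get the per-IP/port breakdown mentioned above, as an added example that is not part of the original post: have tshark print one line of fields per packet and sum the frame sizes per remote endpoint. The function names, the local address 192.168.1.1, the DNS server 192.0.2.53 and the sample rows are constructed for illustration; only 3.120.7.82 port 5000 comes from the post.

```python
import subprocess
from collections import Counter

# Standard Wireshark field names, in the order tshark is asked to print them.
FIELDS = ["ip.src", "ip.dst", "tcp.srcport", "tcp.dstport",
          "udp.srcport", "udp.dstport", "frame.len"]

def tshark_rows(pcap_path):
    """Run tshark on a capture; return one tab-separated line per packet."""
    cmd = ["tshark", "-r", pcap_path, "-T", "fields", "-E", "occurrence=f"]
    for name in FIELDS:
        cmd += ["-e", name]
    done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()

def bytes_by_remote(rows, local_ip):
    """Sum frame bytes per (remote IP, protocol, remote port) for local_ip."""
    totals = Counter()
    for row in rows:
        cols = row.rstrip("\n").split("\t")
        if len(cols) != len(FIELDS):
            continue  # malformed line
        src, dst, tcp_s, tcp_d, udp_s, udp_d, length = cols
        if tcp_s:
            proto, sport, dport = "tcp", tcp_s, tcp_d
        elif udp_s:
            proto, sport, dport = "udp", udp_s, udp_d
        else:
            continue  # ARP, ICMP and other traffic without ports
        if src == local_ip:
            remote, port = dst, dport   # outbound: remote side is the destination
        elif dst == local_ip:
            remote, port = src, sport   # inbound: remote side is the source
        else:
            continue  # not to or from the device of interest
        if port.isdigit() and length.isdigit():
            totals[(remote, proto, int(port))] += int(length)
    return totals

# Constructed sample rows in the same layout tshark_rows() returns.
SAMPLE_ROWS = [
    "192.168.1.1\t3.120.7.82\t40000\t5000\t\t\t120",
    "3.120.7.82\t192.168.1.1\t5000\t40000\t\t\t300",
    "192.168.1.1\t192.0.2.53\t\t\t51000\t53\t80",
    "192.0.2.53\t192.168.1.1\t\t\t53\t51000\t96",
    "\t\t\t\t\t\t42",  # ARP frame: no IP addresses, no ports
]

if __name__ == "__main__":
    ranked = bytes_by_remote(SAMPLE_ROWS, "192.168.1.1").most_common()
    for (ip, proto, port), total in ranked:
        print(f"{ip:15} {proto}/{port:<5} {total} bytes")
```

For a real capture, pass `tshark_rows("<pcap file>")` in place of `SAMPLE_ROWS` and use the capturing device's own address as `local_ip`.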