Q. I have a chart that shows a peak of traffic around 160 KB/sec. If I click and drag across that peak, the resulting zoomed chart peaks at around 210 KB/sec. Why does this happen if InterMapper Flows is collecting all the data and not aggregating, averaging, or taking time samples? Or is it?
A. This is not an inaccuracy, but an unavoidable result of the way NetFlow traffic must be collected and displayed.
An InterMapper Flows chart can conceptually be seen as a series of buckets. These buckets are filled with session data reported from the routers as a sequence of (start time, stop time, data volume) data points. It is not possible for InterMapper Flows to know exactly how the transfers were distributed over the timeframe of the sessions. For instance, a webpage typically has the bulk of the traffic at the beginning of the session (when you load the page), and then very little for the rest of the session (as you're reading it). This information is lost at the router level, before it reaches InterMapper Flows.
Imagine that each chart consisted of only 10 buckets. A chart that shows 10 minutes would divide all traffic into 1-minute buckets. This means that a session with a short, high spike is smoothed out across a full one-minute bucket, which flattens the spike.
When you drag across the chart to zoom into that minute, InterMapper Flows does something no other software does. It divides the new timeframe into another 10 new buckets (in practice about 200), each of which is then conceptually only 6 seconds wide. The spike is now much more pronounced because it falls within a much shorter timeframe, and its displayed height is much closer to the true value.
This effect actually occurs with any network monitoring product. The reason you don't detect this elsewhere is that you generally cannot zoom in to get a more accurate view.
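The flattening effect described above, worked through as an added example (this is not InterMapper Flows' own code). It assumes each record's bytes are spread evenly across its start-to-stop interval, and the flow records are constructed sample data.

```python
def bucket_rates(flows, t0, t1, n_buckets):
    """Average rate (bytes/sec) per bucket for the window [t0, t1).

    flows: iterable of (start, stop, nbytes) records, times in seconds.
    Assumption: bytes are spread evenly over start..stop, because the
    record carries no information about when they were actually sent.
    """
    width = (t1 - t0) / n_buckets
    totals = [0.0] * n_buckets
    for start, stop, nbytes in flows:
        duration = stop - start
        if duration <= 0:
            # Zero-length record: credit the bucket containing its timestamp.
            if t0 <= start < t1:
                totals[min(int((start - t0) / width), n_buckets - 1)] += nbytes
            continue
        for i in range(n_buckets):
            b0 = t0 + i * width
            overlap = min(stop, b0 + width) - max(start, b0)
            if overlap > 0:
                totals[i] += nbytes * overlap / duration
    return [total / width for total in totals]


# Constructed sample records: (start_sec, stop_sec, bytes)
FLOWS = [
    (0, 600, 6_000_000),    # steady background transfer, 10 KB/sec
    (126, 132, 3_000_000),  # 6-second burst, 500 KB/sec
]

if __name__ == "__main__":
    overview = bucket_rates(FLOWS, 0, 600, 10)   # ten 60-second buckets
    zoomed = bucket_rates(FLOWS, 120, 180, 10)   # ten 6-second buckets
    print("overview peak:", max(overview), "bytes/sec")
    print("zoomed peak:  ", max(zoomed), "bytes/sec")
```

The total byte count for the zoomed minute is identical in both views; only the bucket width, and therefore the displayed peak rate, changes.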