Differences between statistics and packets
Observer uses packets and statistics about your traffic to provide you with information about your network. This topic describes why each is useful and why there may appear to be discrepancies between a statistical view and the actual packets.
At times you may notice what appears to be a discrepancy between what you see in the GigaStor Control Panel and what you see when you are analyzing packets in a selected time frame. The difference stems from the fact that the GigaStor Control Panel displays statistics based on a sample of the packets seen, but when you are analyzing a specific time frame you are viewing all of the actual packets.
The GigaStor uses samples for a couple of reasons. First, it is more efficient to sample large sets of data rather than to process each data point individually. Network traffic is ideally suited for statistical sampling. Second, statistics serve a different role than actual packets. Statistics are intended to give you an indication of what is happening with your network. If the statistics indicate you may have an issue, then you can use the actual packets saved in your GigaStor to further analyze the traffic.
By default the GigaStor uses a dynamic sampling ratio for statistics. This can be changed in the GigaStor Control Panel > Settings > General tab to a fixed sampling ratio of 1, 100, or whatever you wish.
Using dynamic sampling allows the GigaStor to make decisions about how sampling for statistics should be accomplished. The GigaStor makes its decisions based on the amount of memory available in the statistics queue buffer and the amount of packets coming into the capture card. All statistical processing is handled in the statistics queue buffer (stored in RAM) and the size of this buffer is very significant for probe instances providing statistics information.
If you set GigaStor Packet Sampling to a fixed sampling ratio, the GigaStor collects its statistics based on your sampling ratio regardless of available system resources and traffic to the capture card. If, for example, you have the ratio set to 1, you are telling the GigaStor to sample every single packet that it sees. This has a potential negative side effect—especially in very high traffic conditions—because there could be a significant impact on the GigaStor’s processing resources (either write-to-disk or read-from-disk), thereby slowing other processes active at the same time. The potential advantage is that your statistics will more closely resemble what you see in actual packet analysis, but may not exactly match it.
There are millions and millions of packets traversing your network. Over a long enough time frame the statistics are going to be equally valid if you sample every 10 or 100 or 1000 packets rather than every single packet. Again, statistics sampling does not prevent you from clicking the Analyze button to view the actual packets the GigaStor captured with no sampling at all.
This explains why you might see more stations in Top Talkers within Decode and Analysis than in IP pairs on the GigaStor Control Panel. Usually, the risk of packet loss significantly outweighs any discrepancy between the statistics in the GigaStor Control Panel and the actual packets it captured.