IP Merging

In order to maximize usage of the available disk space, some information is removed to allow better aggregation. This is the case for IP data of foreign host on aggregation levels 3 and 4.

Principle

Upon data consolidation at the third aggregation level, all IP tagged on the Internet zone (or whatever name was given to this default zone) will be removed in favor of a merged identifier. Consequently, these IPs will appear as merged in all tables where IP values are displayed if the IP was belonging to Internet Zone and your observation period is such that the third or the fourth aggregation level is used. This will happen with long observation periods (> 8 hours) and also on old data (> 1 week old).

Example

Let’s say a user has access to the Internet zone using the same application; for example, a web browser using HTTP on port 80 to have access to different web sites for a period of time. Originally, you will see for that period.

TCP conversation before degradation

Once data has been aggregated, if you query the same period of back in time, you will have:

TCP conversation after degradation

For the Client IP, merged means that the two conversations to the different Internet clients have been merged into one single entry. This is only done when the Zone is Internet and matches the same server / application couple. So, you still know that this server was accessed from the Internet zone with the http application on port 80.