# Timelion : packetbeat per IPs bytes usage on bits per second

Using packetbeat to analyse my server traffic. there is no issue on data insert.

I tried the below query to view the IP [ byes_in ] inbound usage metrics on Timelion. But getting different graph pattern. I compared it with normal network usage tools [ MRTG ].

I used packetbeat default settings [ period - 10s ]

.es(index=packetbeat-*,q=dest.ip:172.16.10.10,metric=avg:dest.stats.net_bytes_total).divide(10).multiply(8)

Any chance you could post what you're seeing and what you expect? It would be helpful for understanding what might be wrong.

Timelion Graph:

Another tool graph:

Sample data:

Timelion Query:

.es(index=packetsflow-,q=dest.ip:10.21.98.204,metric=avg:dest.stats.net_bytes_total).divide(10).multiply(8).title(Bandwidth).label(In).yaxis(units=bits/s),
.es(index=packetsflow-
,q=dest.ip:10.21.98.204,metric=avg:source.stats.net_bytes_total).divide(10).multiply(8).title(Bandwidth).label(Out).yaxis(units=bits/s)

The time range on the two graphs here isn't the same, there's very little overlap, so it's hard to see if the data looks the same or not. The fluctuations you see in timelion aren't really visible in the other graph. This is the overlapping view:

## Other tool But maybe you just mean the values are off (~700kbps vs ~6mbps). I believe the problem there is your math. Why are you dividing the value by 10 before you multiply it by 8? There are 8 bits in a byte, and since you're trying to convert bytes to bits, you need only multiply by 8.

So if we look at the output value at, say, 9:26, that value looks to be about 640kB/s. 640kB/s * 8 = 5120kbps. The graph on the other tool seems to be closer to 6000kbps. That's a sizable discrepancy, and I'm not sure why. Assuming that other tool is traffic from the same box/IP, I would indeed expect the numbers to be closer. Perhaps the time bucketing is different between the two, and that's why the average values are a bit different? I'm not sure I buy that though.

Is it possible to compare the values you see at a given time between the 2 tools? Not the average value, but the value at a single slice of time. That way you could see if the source records are off.