The analyzer took the impossible problem—watching billions of packets per second—and reduced it to a manageable stream of samples, then turned those samples into answers. It is the ultimate example of "a little data, well analyzed, is better than all the data, unanalyzed."
The analyzer keeps an in-memory hash table keyed by (src_ip, dst_ip, src_port, dst_port, protocol) . It adds the extrapolated bytes and packets to that key.
A modern analyzer (e.g., FastNetMon, Akvorado) uses sFlow to watch for SYN floods. When a DDoS starts, the analyzer detects the anomaly in <1 second, extracts the victim IP from the sFlow samples, and automatically injects a BGP FlowSpec rule to block the attack at the router—all without human intervention.
The analyzer sees: "1 packet for 192.168.1.100 -> 203.0.113.50, sample rate 1/1000". It immediately multiplies: This represents 1,000 real packets . It then multiplies by average packet size (from the header, say 500 bytes) to get 500,000 bytes (4 Mbits) of traffic contributed by that flow.