This is expected because when we aggregate the data we are double counting all the apps associated to each connection.
The term "Double Counting" in the above line means that in case if all the traffic seen is for "Facebook Msg", then we wil see same metric for HTTP, Facebook and Facebook Msg.
The reason for this behaviour is the DPI library tags each connection with a set of applications,
For example:
Connection1 - 1000 packets - HTTP > Facebook > Facebook Msg
Connection2 - 500 packets - SSL > WhatsApp > WhatsApp Voice
Connection3 - 1200 packets - SSL > HTTPS
After the aggregation the report will show:
HTTPS - 2200 pkts
SSL – 1700 pkts
Facebook – 1000 pkts
Facebook Msg – 1000 pkts
WhatsApp – 500 pkts
WhatsApp Voice – 500 pkts
As a workaround, a General Application could be defined that includes the recognized apps that show up as duplicates.
For example: If you define an Application as “WhatsApp” that includes WhatsApp and WatsApp Voice, you will only see the WhatsApp you defined (after the time you defined it) and AR11 will no longer track the corresponding recognized apps.
Make sure the “Collect Auto-recognized Application Data Separately” flag is not set in the General apps.
You need to go to "Definitions--> Applications-->General--> Click on the Edit button on the Right side of the Application" where you will see the below option.