# Network Traffic, Packet, and Protocol Analysis

* What’s in a network packet?
* Capture entire traffic
  * Inline capture
  * Make a copy of the traffic (SPAN, port mirroring)
  * MITM (man-in-the-middle position)
* Receive just a summary
  * Like a phone call log
  * Flow: sequence of packets that share specific fields (like src and dst addresses and ports)
  * NetFlow, Flexible NetFlow, sFlow, J-Flow, IPFIX
  * Configured on networking devices (exporters)
  * Flow information
* Hardware:
  * LAN switch
  * Sniffer / TAP (Test Access Port)
    * Good: You see all traffic
    * Bad: You see all traffic
  * Use it to monitor critical network assets, or at critical network access points
* Software:
  * Tcpdump
    * `-i eth0`: capture on interface eth0
    * `-n`: turn off DNS resolution
    * `-e`: print link-layer (MAC) addresses
    * `-v`, `-vv`, `-vvv`: increasing verbosity
    * `-w`: write packets to a PCAP file
    * `-r`: read packets from a PCAP file
  * Wireshark
* Packet analysis vs protocol analysis
  * Packet analysis
    * Deep packet inspection (DPI), frame by frame
    * Headers and Contents
    * Can detect attack traces
    * File carving tools: reconstruct files from packet captures
      * NetworkMiner
      * Suricata
      * Zeek
    * Huge data amounts
    * Encryption
    * File extraction based on headers (64B)
    * Unknown protocols
  * Protocol analysis
    * Protocol info: headers and some payload data
    * Detect protocol anomalies.
    * Detect unknown protocols.
    * Detect statistical anomalies.
* Flow Analysis
  * Full packet capture is too costly, so flows provide just a summary of data.
  * Aggregation app required (can also be a SIEM, but it’s not mandatory)
  * Concept introduced by Cisco with NetFlow
  * Pros:
    * Low resource requirements
    * No dedicated hardware required
    * Unified view among vendors
    * Great for reporting
  * Cons:
    * No payload visibility
    * Cannot be reviewed/processed manually
    * Usually sampled (only 1 out of N packets is examined)
  * SolarWinds NetFlow Traffic Analyzer, ManageEngine NetFlow Analyzer, Cisco Secure Network Analytics, SiLK, Argus
  * MRTG: not really flow analysis; it reports on the whole device rather than on individual flows.
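The flow concept above (packets sharing src/dst addresses, ports and protocol collapsed into one "call log" record, optionally sampled 1 out of N) as an added, self-contained Python example; this is not code from the page or from any flow exporter, and the packet records are constructed, not a real capture:

```python
# Constructed sample packets (not a real capture), one tuple per packet:
# (src_ip, dst_ip, proto, src_port, dst_port, length_bytes)
PACKETS = [
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 74),     # TLS client hello direction
    ("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 74),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 66),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, 583),
    ("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 1514),
    ("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, 1514),
    ("10.0.0.5", "10.0.0.53", "udp", 40001, 53, 73),          # DNS query
    ("10.0.0.53", "10.0.0.5", "udp", 53, 40001, 89),          # DNS answer
    ("10.0.0.5", "10.0.0.1", "icmp", 0, 0, 98),               # ping (no ports)
]


def flow_key(pkt):
    """The 5-tuple that defines a (unidirectional, NetFlow-style) flow."""
    src, dst, proto, sport, dport, _ = pkt
    return (src, dst, proto, sport, dport)


def aggregate_flows(packets, sample_every=1):
    """Collapse packets into flow records: packet and byte counters per 5-tuple.

    sample_every=N keeps only every N-th packet, mimicking a sampling exporter.
    Note what is lost: payload is never stored, only counters per flow.
    """
    flows = {}
    for index, pkt in enumerate(packets):
        if index % sample_every != 0:
            continue  # packet not sampled: the exporter never sees it
        rec = flows.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += pkt[5]
    return flows


def bytes_by_source(flows):
    """Reporting view: total bytes sent per source address (a 'top talkers' table)."""
    totals = {}
    for (src, _dst, _proto, _sport, _dport), rec in flows.items():
        totals[src] = totals.get(src, 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    for key, rec in aggregate_flows(PACKETS).items():
        print(key, rec)
    print("sampled 1/2:", aggregate_flows(PACKETS, sample_every=2))
    print("top talkers:", bytes_by_source(aggregate_flows(PACKETS)))
```

Each direction of the TLS session shows up as its own flow record, and with 1-in-2 sampling the counters (and even the number of flows) drop, which is why sampled exporters only give estimates.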
