Packet captures: from noise to signal

Cypra Team
3 February 2026
12 min read

Network traffic analysis is one of the most powerful tools in a security professional's arsenal, but it's also one of the most misunderstood. Most organisations either ignore their network traffic entirely or drown in alerts from poorly tuned detection systems. The key is knowing how to extract meaningful security intelligence from the noise.

Why packet captures matter

Full packet captures provide ground truth. While logs can be tampered with and endpoints can be compromised, network traffic tells an objective story. Every command-and-control channel, every data exfiltration attempt, and every lateral movement leaves traces in the packets.

The analysis pipeline

Effective network analysis isn't about staring at Wireshark all day. It requires a structured pipeline that progressively filters noise and surfaces actionable intelligence.

1. Baseline first

Before you can find anomalies, you need to understand normal. Capture traffic during typical business hours for at least two weeks. Document the expected protocols, traffic volumes, and communication patterns. This baseline becomes your reference point for detecting deviations.

2. Protocol analysis with Zeek

Zeek (formerly Bro) transforms raw packets into structured logs that are far easier to analyse than pcap files. Its protocol analysers extract metadata from HTTP, DNS, TLS, SMB, and dozens of other protocols, giving you searchable records of every connection.

Key Zeek logs to monitor:

  • conn.log — Every connection with duration, bytes transferred, and state
  • dns.log — All DNS queries and responses
  • http.log — HTTP request/response metadata
  • ssl.log — TLS handshake details including certificate information
  • files.log — File transfers across all protocols

3. Detection with Sigma rules

Sigma provides a vendor-neutral format for writing detection rules. Convert your threat intelligence into Sigma rules that can be applied to your Zeek logs. This creates a repeatable, version-controlled detection pipeline.

Example detections:

  • DNS queries to known malicious domains
  • TLS connections with expired or self-signed certificates
  • HTTP requests with suspicious user agents
  • Unusually large data transfers outside business hours
  • SMB connections to non-standard ports

4. Statistical anomaly detection

Not all threats match known signatures. Statistical analysis helps identify novel threats by detecting deviations from your baseline:

  • Beaconing detection — Regular, periodic connections to external hosts often indicate command-and-control channels
  • Volume anomalies — Sudden increases in outbound traffic may indicate data exfiltration
  • New connection pairs — Previously unseen internal-to-external communication patterns deserve investigation
  • Protocol anomalies — DNS tunneling, HTTP over non-standard ports, or encrypted traffic where it shouldn't be
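A beaconing check of the kind described above, as an added example that is not part of the original post: it reads the timestamp, source, destination and port columns of a constructed conn.log excerpt and flags connection pairs whose inter-arrival times are nearly constant. The column order, the minimum-connection count and the coefficient-of-variation threshold are assumptions for illustration and should be tuned against your own baseline.

```python
import statistics
from collections import defaultdict

# Constructed, column-reduced conn.log excerpt (tab-separated): ts, id.orig_h,
# id.resp_h, id.resp_p. A real conn.log has more columns; map them via its #fields header.
CONN_LOG = """\
1700000000.000\t10.0.0.5\t203.0.113.10\t443
1700000060.100\t10.0.0.5\t203.0.113.10\t443
1700000119.900\t10.0.0.5\t203.0.113.10\t443
1700000180.200\t10.0.0.5\t203.0.113.10\t443
1700000240.000\t10.0.0.5\t203.0.113.10\t443
1700000300.100\t10.0.0.5\t203.0.113.10\t443
1700000012.000\t10.0.0.7\t198.51.100.20\t443
1700000150.000\t10.0.0.7\t198.51.100.20\t443
1700000165.000\t10.0.0.7\t198.51.100.20\t443
1700000500.000\t10.0.0.7\t198.51.100.20\t443
1700000530.000\t10.0.0.7\t198.51.100.20\t443
1700000900.000\t10.0.0.7\t198.51.100.20\t443
"""

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) from each non-comment conn.log line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")
        yield float(ts), orig_h, resp_h, int(resp_p)

def beacon_scores(records, min_connections=5):
    """Group connections by (orig_h, resp_h, resp_p) and score timing regularity:
    cv = stdev / mean of the gaps between connections; near 0 means clockwork timing."""
    times = defaultdict(list)
    for ts, orig_h, resp_h, resp_p in records:
        times[(orig_h, resp_h, resp_p)].append(ts)
    scores = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        scores[key] = {"count": len(stamps), "mean_gap": mean_gap, "cv": cv}
    return scores

def suspected_beacons(text, max_cv=0.1, min_connections=5):
    """Return only the pairs whose timing regularity is at or below max_cv (assumed threshold)."""
    scores = beacon_scores(parse_conn_log(text), min_connections)
    return {k: v for k, v in scores.items() if v["cv"] <= max_cv}
```

Calling suspected_beacons(CONN_LOG) returns the 10.0.0.5 pair (about 60 s apart, cv near 0) and drops the irregular 10.0.0.7 pair. Timing jitter raises the cv, so pair this score with the volume and new-connection-pair checks rather than relying on it alone.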

Common pitfalls

Capturing too much

Full packet capture generates enormous volumes of data. Focus on capturing at network boundaries and key internal segments. Use Zeek for metadata and only store full packets where legally or operationally required.

Ignoring encrypted traffic

TLS encryption doesn't make traffic invisible. Certificate metadata, connection timing, packet sizes, and destination IPs all provide valuable intelligence without decrypting content.

Alert fatigue

A detection system that generates thousands of alerts per day is worse than no detection at all. Start with high-fidelity rules and gradually expand coverage. Every alert should be actionable.

Getting started

You don't need a massive security operations centre to benefit from network analysis. Start with:

  1. Deploy Zeek on a network tap or mirror port
  2. Establish a two-week traffic baseline
  3. Implement 5-10 high-confidence detection rules
  4. Review findings weekly and tune based on results
  5. Gradually expand coverage as your analysis capability matures

The goal isn't to see everything — it's to see the right things at the right time.

Tags: network-analysis, packet-capture, zeek, security-monitoring