From the DATASHIELD Resource Library:

The Packet Advantage

Learn why packet level detail and full packet capture are critical to the forensic capabilities of a security analyst.

Posted On:




Read Time:

2 Minutes



Listed below are the top 7 reasons why packets are superior to logs alone.

1) Root cause analysis – Logs usually provide insight into how devices responded, but full packet capture tells the story of what actually happened.  Packet data eliminates ambiguity and provides context that simply isn’t available in any other alerting or monitoring medium.

2) Higher resolution alerting – Packet capture provides insight into the life cycle of a session, what it contained, and how it evolved.  This is extremely valuable for alerting, and provides threat analysts with more tools to detect malicious activity faster and with greater accuracy.

3) Protocol details – Packets provide hundreds of additional data points that can be queried, analyzed, and correlated that aren’t available in logs alone.  Deeper inspection of protocols gives both security analysts and system engineers better awareness of their environment.

4) Vendor agnostic – With access to raw data, an analyst does not need to rely on what an IDS/IPS/firewall vendor thinks is important in a session.  While useful and often relevant, vendor severity thresholding may not keep pace as quickly as needed with the evolving threat landscape.

5) Forensic replay and reconstruction – The ability to replay a session and extract files or other artifacts enriches and advances threat intelligence and investigations.  This eliminates doubt as to the contents of a flagged event and gives analysts more actionable data and intelligence on what’s actually moving over the wire.

6) Device policy vetting and enhancement – Comparing packet data to IDS/IPS/firewall responses can aid in network hardening by identifying misconfigurations and device rules that are inadequate in stopping malicious activity.  Packet data improves security posture and helps get the most out of existing security infrastructure.

7) Reduced false positives – Logs simply don’t contain the wealth of data seen in packets.  There are fewer avenues of whitelisting available in logs, whereas packets may have dozens of headers, payload specifics and enrichments that can be used to refine and streamline noisy alerts.  Packet data reduces analyst – and customer – workload, enriching the entire solution.

About the Author:

Dave Norlin
Dave Norlin

Dave Norlin is the Director of Security Operations at DATASHIELD and contributes technical content to the DATASHIELD resource library.

Read More From

Dave Norlin