Packet analysis extracts indicators and reconstructs events from network captures: identifying C2 beaconing, data exfiltration, lateral movement, and protocol anomalies.
Zeek (formerly Bro) automatically generates structured logs (conn, dns, http, ssl, files, and others) from live traffic or packet captures. Suricata and Snort generate signature-based alerts when run against a PCAP. Zeek connection logs record communication metadata (who talked to whom, when, on which port, and how many bytes) without storing full packets, which is what makes periodicity-based C2 detection possible at scale. Full packet capture enables complete forensic reconstruction but requires massive storage.
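As an added example that is not part of the original notes, the following Python parses a constructed Zeek conn.log excerpt (hypothetical hosts 10.0.0.5, 10.0.0.7, 203.0.113.9, 198.51.100.20; abbreviated field set) by its `#fields` header and flags source/destination/port tuples whose connection gaps are nearly constant, the metadata-only beaconing check described above. The `min_conns` and `max_cv` thresholds are assumptions for the demo, not Zeek defaults.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt with an abbreviated field set and hypothetical hosts;
# the #fields header is parsed exactly as in a real Zeek TSV log.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1700000000.0\tC1\t10.0.0.5\t49200\t203.0.113.9\t443\ttcp\tssl\t512\t128
1700000060.2\tC2\t10.0.0.5\t49201\t203.0.113.9\t443\ttcp\tssl\t512\t128
1700000119.9\tC3\t10.0.0.5\t49202\t203.0.113.9\t443\ttcp\tssl\t512\t128
1700000180.1\tC4\t10.0.0.5\t49203\t203.0.113.9\t443\ttcp\tssl\t512\t128
1700000240.0\tC5\t10.0.0.5\t49204\t203.0.113.9\t443\ttcp\tssl\t512\t128
1700000003.0\tC6\t10.0.0.7\t51000\t198.51.100.20\t80\ttcp\thttp\t300\t9000
1700000017.0\tC7\t10.0.0.7\t51001\t198.51.100.20\t80\ttcp\thttp\t310\t8000
1700000200.0\tC8\t10.0.0.7\t51002\t198.51.100.20\t80\ttcp\thttp\t305\t7000
1700000205.0\tC9\t10.0.0.7\t51003\t198.51.100.20\t80\ttcp\thttp\t290\t8500
"""

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no records
        else:
            yield dict(zip(fields, line.split("\t")))

def find_beacons(records, min_conns=4, max_cv=0.1):
    """Flag (orig_h, resp_h, resp_p) tuples whose gaps have stdev/mean <= max_cv."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "interval_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons

if __name__ == "__main__":
    for key, info in find_beacons(parse_zeek_log(SAMPLE_CONN_LOG)).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{info['interval_s']}s ({info['count']} conns, cv={info['cv']})")
```

Real conn.log files carry many more columns and the `#fields` line decides their order, so the parser keys on that header rather than on fixed positions; the irregular 10.0.0.7 traffic is deliberately left unflagged to show the contrast.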