Network Traffic Analysis
Expert-defined terms from the Professional Certificate in Network Performance Testing Techniques course at London School of Business and Administration. Free to read, free to share, paired with a professional course.
Anomaly Detection – a process of identifying patterns that deviate from e…
Related terms: baseline, outlier. By comparing current traffic to normal profiles, analysts can spot intrusions, misconfigurations, or performance spikes. Example: a sudden surge in DNS queries that exceeds typical hourly volume. Practical application includes automated alerts for security operations. Challenges involve high false‑positive rates and the need for continuous baseline updates.
Application Layer – the topmost layer (OSI Layer 7) where user‑level prot…
Related terms: OSI model, payload. Traffic analysis at this layer provides insight into content types, request methods, and response codes. Example: inspecting HTTP GET requests to determine popular web resources. Useful for performance tuning of web services and detecting application‑level attacks. Difficulty arises from encrypted traffic (HTTPS) which masks payload details.
Asymmetric Routing – a routing condition where the path taken by packets…
Related terms: routing loop, path asymmetry. In traffic analysis, asymmetry can cause incomplete flow records if capture points miss one direction. Example: outbound traffic via ISP A, inbound via ISP B. Analysts must correlate timestamps and flow identifiers to reconstruct full sessions. Managing asymmetric paths complicates capacity planning and troubleshooting.
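The session reconstruction described above, as an added example (not course material): unidirectional records from two capture points are merged on a direction‑independent 5‑tuple key, matched by start time so that a reused ephemeral port an hour later is not folded into the earlier session, and sessions seen in only one direction are reported as capture blind spots. The record layout, the capture point names and all sample records are constructed.

```python
"""Reconstruct bidirectional sessions from unidirectional flow records
collected at two capture points (outbound seen at ISP A's edge, inbound at
ISP B's). Added example for the Asymmetric Routing entry; the record layout
and all sample records are constructed, not from a real collector."""
from collections import defaultdict

# Constructed records: (capture_point, start_ts, src_ip, src_port,
#                       dst_ip, dst_port, ip_proto, packets, bytes)
RECORDS = [
    ("isp_a_edge", 1700000000, "10.1.2.3", 51234, "203.0.113.10", 443, 6, 120, 9800),
    ("isp_b_edge", 1700000001, "203.0.113.10", 443, "10.1.2.3", 51234, 6, 150, 210000),
    ("isp_a_edge", 1700000010, "10.1.2.3", 40000, "198.51.100.53", 53, 17, 1, 70),
    ("isp_b_edge", 1700000010, "198.51.100.53", 53, "10.1.2.3", 40000, 17, 1, 200),
    # Outbound only: the return path was not captured (or the server never answered).
    ("isp_a_edge", 1700000030, "10.1.2.3", 51235, "203.0.113.10", 443, 6, 20, 1600),
    # Same 5-tuple an hour later: ephemeral port reuse, must not merge into the first session.
    ("isp_a_edge", 1700003600, "10.1.2.3", 51234, "203.0.113.10", 443, 6, 5, 400),
    ("isp_b_edge", 1700003602, "203.0.113.10", 443, "10.1.2.3", 51234, 6, 4, 300),
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: both halves of a conversation map to the same tuple."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def stitch(records, window=120):
    """Merge records into sessions. Two records belong to one session when their
    canonical key matches and their start times lie within `window` seconds;
    a larger gap is treated as port reuse and opens a new session."""
    by_key = defaultdict(list)
    for cp, ts, sip, sp, dip, dp, proto, pkts, nbytes in records:
        key = flow_key(sip, sp, dip, dp, proto)
        sess = next((s for s in by_key[key] if abs(ts - s["start"]) <= window), None)
        if sess is None:
            # Heuristic: the endpoint with the higher port number is the ephemeral (client) side.
            client, server = ((sip, sp), (dip, dp)) if sp > dp else ((dip, dp), (sip, sp))
            sess = {"proto": proto, "client": client, "server": server, "start": ts,
                    "fwd_packets": 0, "fwd_bytes": 0, "rev_packets": 0, "rev_bytes": 0,
                    "capture_points": set()}
            by_key[key].append(sess)
        direction = "fwd" if (sip, sp) == sess["client"] else "rev"
        sess[direction + "_packets"] += pkts
        sess[direction + "_bytes"] += nbytes
        sess["capture_points"].add(cp)
        sess["start"] = min(sess["start"], ts)
    sessions = sorted((s for lst in by_key.values() for s in lst), key=lambda s: s["start"])
    for s in sessions:
        s["complete"] = s["fwd_packets"] > 0 and s["rev_packets"] > 0
    return sessions


def one_sided(sessions):
    """Sessions seen in one direction only: a blind spot in capture-point placement
    or a genuinely unanswered flow; either way they need a second look."""
    return [s for s in sessions if not s["complete"]]


if __name__ == "__main__":
    for s in stitch(RECORDS):
        print(s["client"], "->", s["server"], "fwd", s["fwd_bytes"], "rev", s["rev_bytes"],
              "complete" if s["complete"] else "ONE-SIDED", sorted(s["capture_points"]))
```

The client/server heuristic (higher port is the ephemeral side) is a simplification; production collectors use TCP flags (who sent the SYN) where those are exported.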
Bandwidth – the maximum data transfer rate of a network link, typically e…
Related terms: throughput, capacity. Monitoring bandwidth utilization helps detect congestion and plan upgrades. Example: a 1 Gbps link consistently operating above 80 % during peak hours. Practical use includes SLA compliance verification. Challenges include distinguishing between sustained high usage and transient spikes, and accounting for protocol overhead.
Baseline – a statistical representation of normal network traffic behavio…
Related terms: normal profile, trend analysis. Establishing a baseline enables detection of anomalies and capacity forecasting. Example: average packet size and flow count per hour for a corporate LAN. Baselines must be refreshed regularly to adapt to business changes. Over‑reliance on outdated baselines can lead to missed alerts.
BGP (Border Gateway Protocol) – the exterior routing protocol that exchan…
Related terms: AS path, route flap. Traffic analysis of BGP updates can reveal routing hijacks, misconfigurations, or DDoS mitigation actions. Example: sudden withdrawal of a prefix affecting inbound traffic. Analysts monitor BGP messages for stability and convergence times. Complexity stems from the sheer volume of updates on large ISP backbones.
Byte‑Level Analysis – inspection of raw packet data at the individual byt…
Related terms: hex dump, payload inspection. This deep inspection uncovers protocol violations, covert channels, or malformed packets. Example: detecting a custom binary protocol embedded in UDP payloads. Useful for forensic investigations and reverse engineering. It is resource‑intensive and often hindered by encryption.
Capture Point – a network location where traffic is duplicated for analys…
Related terms: SPAN port, network TAP. Selecting optimal capture points ensures visibility of relevant flows while minimizing packet loss. Example: placing a TAP at the edge router to monitor inbound/outbound traffic. Practical considerations include bandwidth of the monitoring link and device capacity. Misplaced capture points can produce incomplete data sets.
Classification – the act of assigning traffic to predefined categories su…
Related terms: signature, machine learning. Accurate classification enables policy enforcement and usage reporting. Example: distinguishing video streaming from file transfer traffic on a shared link. Techniques range from port‑based heuristics to deep packet inspection. Challenges include encrypted traffic and evolving application behaviors.
Congestion Control – mechanisms that prevent network overload by regulati…
Related terms: TCP window, queue management. Analysis of congestion indicators like packet loss and latency informs tuning of protocols. Example: observing increasing TCP retransmissions during peak usage. Application includes adjusting buffer sizes or implementing QoS policies. Over‑aggressive control can degrade performance for latency‑sensitive applications.
Correlation Engine – a software component that aggregates events from mul…
Related terms: SIEM, event fusion. In traffic analysis, correlation links flow records with alerts, configuration changes, or threat intel. Example: correlating a spike in outbound traffic with a recent firewall rule modification. Enables faster root‑cause analysis. Complexity grows with data volume and heterogeneous log formats.
Deep Packet Inspection (DPI) – the examination of packet headers and payl…
Related terms: payload analysis, protocol decoding. DPI reveals application signatures, policy violations, and hidden threats. Example: detecting BitTorrent traffic on a network that blocks peer‑to‑peer protocols. Widely used in security appliances and traffic shaping devices. Ethical and privacy concerns arise when inspecting user content, especially under encryption.
Distributed Denial‑of‑Service (DDoS) Detection – identification of large‑…
Related terms: traffic flooding, botnet. Analysts monitor for abnormal packet rates, SYN floods, or amplification patterns. Example: a sudden increase of 10 Mpps UDP traffic directed at a public DNS server. Mitigation may involve rate limiting, scrubbing centers, or upstream filtering. Distinguishing legitimate spikes from attacks is a persistent challenge.
Flow Export – the transmission of aggregated traffic records (e.g., NetFlow, IPFIX) from routers to collectors.
Related terms: NetFlow, IPFIX. Exported flows provide summary statistics without capturing full packets, reducing storage needs. Example: a router exporting a 5‑tuple flow record when a flow ends or its active timeout expires, so long‑lived flows appear as a series of records. Enables long‑term trend analysis and anomaly detection. Accuracy depends on sampling rates and on the active/inactive timeout and export interval configuration.
Flow Record – a concise representation of a unidirectional communication…
Related terms: NetFlow record, IPFIX template. Flow records are the primary data source for traffic analytics platforms. Example: a record showing 500 packets and 400 KB transferred from a client to a web server over TCP port 80. Limitations include loss of payload visibility and possible sampling bias.
Forwarding Path – the sequence of network devices a packet traverses from…
Related terms: hop count, routing table. Mapping the forwarding path aids in latency troubleshooting and fault isolation. Example: traceroute revealing 12 hops to a remote data center. Tools such as MPLS LSP monitoring provide deeper insight for provider networks. Changes in the path due to load balancing can affect performance metrics.
Header Compression – techniques that reduce the size of packet headers to…
Related terms: ROHC, PPP compression. Analyzing compressed traffic requires decompression modules; otherwise, flow statistics appear abnormal. Example: VoIP streams using Robust Header Compression (ROHC) over cellular links. Challenges include maintaining synchronization and handling packet loss.
IPFIX (Internet Protocol Flow Information Export) – a standardized protoc…
Related terms: NetFlow, flow template. IPFIX defines flexible templates allowing custom fields. Example: exporting VPN‑specific attributes alongside standard 5‑tuple data. Adoption enables vendor‑agnostic analytics. Implementations must manage template refresh and potential export bottlenecks.
Latency – the time elapsed between sending a packet and receiving a respo…
Related terms: round‑trip time, jitter. Latency analysis identifies network delays affecting real‑time applications. Example: a 150 ms RTT observed for a VoIP call, exceeding the acceptable threshold. Techniques such as ping, traceroute, and synthetic transaction monitoring quantify latency. Variability due to congestion or routing changes complicates root cause identification.
Load Balancer – a device that distributes incoming traffic across multipl…
Related terms: L4 load balancer, L7 load balancer. Traffic analysis of load‑balanced services reveals distribution patterns and potential hot spots. Example: a 70 % share of HTTP requests directed to Server 3, indicating uneven load. Adjustments may involve tweaking affinity rules or scaling resources. Encrypted traffic may obscure server‑side metrics.
Machine Learning (ML) for Traffic Classification – the application of sta…
Related terms: supervised learning, unsupervised clustering. ML algorithms can adapt to evolving applications and encrypted protocols. Example: a random‑forest model distinguishing streaming video from web browsing based on flow metadata. Benefits include reduced manual rule maintenance. Drawbacks involve training data quality, model drift, and interpretability.
Metadata – information describing traffic characteristics without exposin…
Related terms: flow records, header fields. Metadata enables privacy‑preserving analysis and compliance reporting. Example: using NetFlow metadata to audit bandwidth consumption per department. While less intrusive, metadata may still reveal sensitive patterns, requiring careful handling.
Metric – a quantifiable measurement used to assess network performance, s…
Related terms: KPI, SLA. Selecting appropriate metrics aligns analysis with business objectives. Example: monitoring packet loss below 0.1 % for critical voice services. Metric selection influences alert thresholds and reporting dashboards. Misaligned metrics can lead to misguided optimization efforts.
MPLS (Multiprotocol Label Switching) – a forwarding technique that routes…
Related terms: LSP, label stack. MPLS traffic analysis involves tracking label distribution and LSP performance. Example: measuring latency across an LSP used for VPN traffic. Challenges include limited visibility of label information in standard flow exports, requiring specialized monitoring.
NetFlow – Cisco’s proprietary flow export protocol that records informati…
Related terms: flow export, IPFIX. NetFlow provides granular statistics for capacity planning and security monitoring. Example: a NetFlow collector showing a sudden increase in UDP traffic to port 53. Legacy devices may only support older NetFlow versions, limiting field availability. Sampling may reduce accuracy for low‑volume flows.
Network TAP (Test Access Point) – a hardware device that creates an exact…
Related terms: SPAN port, passive monitoring. TAPs ensure lossless capture for forensic analysis. Example: deploying a fiber‑optic TAP at a core link to feed a high‑speed analyzer. Considerations include insertion loss, power requirements, and the need for multiple TAPs in a redundant topology.
Packet Capture (PCAP) – the process of recording raw packets to a file fo…
Related terms: Wireshark, tcpdump. PCAP files preserve full header and payload data, enabling deep inspection. Example: capturing a TLS handshake to verify the certificate exchange (visible in cleartext with TLS 1.2; TLS 1.3 encrypts the certificate, leaving only the ClientHello, including SNI, in the clear). PCAPs can become large quickly; efficient filtering and storage management are essential. Encryption limits visibility unless decryption keys are available.
Packet Loss – the percentage of packets that fail to reach their destinat…
Related terms: retransmission, QoS. Loss impacts applications sensitive to reliability, such as VoIP or streaming. Example: a 2 % loss observed on a WAN link during peak hours. Analysis involves correlating loss with queue lengths, error counters, and link utilization. Distinguishing random loss from systematic issues is a key challenge.
Passive Monitoring – observing traffic without injecting probes or alteri…
Related terms: network TAP, SPAN. Passive techniques preserve network performance and avoid side effects. Example: using a SPAN port to monitor a VLAN for security events. Limitations include possible packet sampling and missing asymmetric flows. Proper placement is critical for comprehensive visibility.
Port Mirroring (SPAN) – a switch feature that copies traffic from one or…
Related terms: network TAP, monitoring session. SPAN enables inexpensive traffic capture but may drop packets under high load. Example: mirroring all traffic from a server farm to a security appliance. Configuring appropriate VLAN filtering and buffer sizes mitigates loss. SPAN cannot capture traffic that bypasses the switch, such as direct fiber links.
Quality of Service (QoS) – mechanisms that prioritize certain traffic cla…
Related terms: DSCP, traffic shaping. QoS analysis validates that high‑priority flows receive the intended bandwidth and latency guarantees. Example: confirming that voice packets receive DSCP EF markings and experience less than 50 ms latency. Misconfiguration can cause starvation of lower‑priority traffic. Monitoring requires both flow statistics and queue depth measurements.
Queue Depth – the number of packets waiting in a device’s buffer before t…
Related terms: bufferbloat, congestion control. High queue depth leads to increased latency and jitter. Example: observing a router’s egress queue reaching 80 % capacity during a file transfer. Analysts use SNMP or telemetry to collect queue metrics. Reducing queue size improves real‑time performance but may increase packet loss if not managed carefully.
Rate Limiting – the practice of restricting traffic flow to a specified m…
Related terms: throttling, policing. Rate limiting protects networks from abuse and ensures fair usage. Example: applying a 10 Mbps limit on a guest Wi‑Fi network to prevent saturation. Implementation can be static or dynamic based on traffic patterns. Over‑aggressive limits may degrade legitimate user experience.
Sampling – the technique of analyzing only a subset of packets or flows t…
Related terms: sFlow, NetFlow sampling. Sampling provides scalable visibility but introduces statistical error. Example: configuring a router to sample 1 % of packets for NetFlow export. Analysts must account for sampling bias when estimating total traffic volume. Selecting an appropriate sampling rate balances accuracy with resource constraints.
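The export, record and sampling mechanics from the Flow Export, Flow Record, NetFlow and Sampling entries, as one added example (not vendor code): a NetFlow v5 datagram is parsed with the documented 24‑byte header and 48‑byte record layout, the length is validated against the header's record count so a truncated or forged export cannot yield partial records, and counters are scaled by the sampling interval carried in the header. The datagram is constructed locally by build_v5_datagram; the sampling‑mode value used (1) follows Cisco's description of the field and is an assumption of this example.

```python
"""Parse a NetFlow v5 export datagram and scale sampled counts back to estimates.
Added example (not vendor code) for the Flow Export, Flow Record, NetFlow and
Sampling entries. The datagram is constructed locally with build_v5_datagram."""
import ipaddress
import struct
from collections import Counter

# Field layouts of the NetFlow v5 export format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_v5_datagram(flows, sampling_interval=100, sampling_mode=1):
    """Constructed test input. flows: (src, dst, sport, dport, proto, packets, octets).
    The last header field packs a 2-bit sampling mode and a 14-bit interval
    (mode 1 = packet-interval sampling, an assumption of this example)."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0, 0, 0, 0,
                            (sampling_mode << 14) | sampling_interval)
    return header + body


def parse_v5(datagram):
    """Return (header, records). Rejects other versions and datagrams whose length
    disagrees with the count field, so a truncated or forged export cannot
    produce partial records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "flow_sequence": seq,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": PROTO_NAMES.get(f[13], str(f[13])),
        })
    return header, records


def scale_sampled(header, records):
    """Multiply counters by the 1-in-N sampling interval to estimate true volume.
    Low-volume flows are the noisiest: one sampled packet reads as N packets."""
    n = header["sampling_interval"] if header["sampling_mode"] else 1
    return [dict(r, packets=r["packets"] * n, octets=r["octets"] * n) for r in records]


def octets_by_dport(records):
    """Bytes per (protocol, destination port), the usual first cut of a collector report."""
    totals = Counter()
    for r in records:
        totals[(r["proto"], r["dport"])] += r["octets"]
    return totals


SAMPLE_FLOWS = [  # constructed
    ("10.0.0.5", "192.0.2.80", 51000, 80, 6, 5, 4000),      # 1-in-100 sample of a 500-packet / 400 KB web flow
    ("10.0.0.7", "198.51.100.53", 40001, 53, 17, 1, 72),
    ("10.0.0.7", "198.51.100.53", 40002, 53, 17, 1, 72),
]
DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    hdr, recs = parse_v5(DATAGRAM)
    for key, octets in octets_by_dport(scale_sampled(hdr, recs)).most_common():
        print(key, octets)
```

A collector that skipped the length check would accept a datagram claiming more records than it carries and either crash or read stale buffer contents; the same check belongs in any IPFIX template handler.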
Security Information and Event Management (SIEM) – a platform that aggreg…
Related terms: correlation engine, log management. SIEMs ingest flow data to enrich threat detection. Example: a SIEM rule that triggers when a host initiates unusually high outbound traffic to multiple destinations. Integration challenges include normalizing diverse log formats and handling high‑velocity data streams.
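The example rule above ("a host initiates unusually high outbound traffic to multiple destinations"), written out as an added example in plain Python rather than any vendor's rule language: flow records are bucketed per source and 5‑minute window, only internal‑to‑external traffic counts toward fan‑out, and an alert requires both many distinct destinations and a byte volume, so a low‑volume scanner is left to a different rule. The CSV flow log, the internal ranges and the thresholds are constructed.

```python
"""Fan-out rule of the kind a SIEM runs over flow records: alert when one
internal host sends a large volume to an unusually large number of distinct
external destinations inside one time window. Added example (not any vendor's
rule syntax); the CSV flow log below is constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RULE = {"window_s": 300, "min_distinct_dst": 20, "min_bytes": 50_000_000}


def constructed_flow_log():
    base = 1_700_000_100                     # aligned to a 300 s window boundary
    lines = ["ts,src,dst,dport,bytes"]
    # Host 10.1.1.50: 3 MB to each of 30 different external hosts within two minutes.
    lines += [f"{base + i * 5},10.1.1.50,203.0.113.{i + 1},443,3000000" for i in range(30)]
    # Host 10.1.1.20: steady traffic to the same three services (normal).
    lines += [f"{base + i * 7},10.1.1.20,198.51.100.{i % 3 + 1},443,200000" for i in range(40)]
    # Host 10.1.1.77: 25 destinations but a few hundred bytes each (scanner-like; a different rule).
    lines += [f"{base + i * 3},10.1.1.77,192.0.2.{i + 1},22,120" for i in range(25)]
    # Internal east-west traffic must not count as external fan-out.
    lines += [f"{base + i},10.1.1.20,10.2.0.{i + 1},445,5000000" for i in range(25)]
    return "\n".join(lines) + "\n"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow_csv, rule=RULE):
    """Aggregate per (src, window); return one alert per bucket that violates the rule."""
    buckets = defaultdict(lambda: {"dsts": set(), "bytes": 0, "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue                          # only internal -> external fan-out counts
        window = int(row["ts"]) // rule["window_s"]
        b = buckets[(row["src"], window)]
        b["dsts"].add(row["dst"])
        b["bytes"] += int(row["bytes"])
        b["flows"] += 1
    alerts = []
    for (src, window), b in sorted(buckets.items()):
        if len(b["dsts"]) >= rule["min_distinct_dst"] and b["bytes"] >= rule["min_bytes"]:
            alerts.append({"src": src, "window_start": window * rule["window_s"],
                           "distinct_dst": len(b["dsts"]), "bytes": b["bytes"], "flows": b["flows"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(constructed_flow_log()):
        print(alert)
```

Tumbling windows are simple but a burst straddling a boundary is split in two; a sliding window, or a second pass over adjacent buckets, closes that gap at some extra cost.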
Segment Routing – a source‑routing paradigm that encodes the path a packe…
Related terms: SR‑MPLS, SRv6, label stack. Segment routing simplifies traffic engineering and enables fine‑grained path control. Example: steering high‑priority traffic over a low‑latency segment path across an MPLS core. Monitoring segment routes requires telemetry that captures segment identifiers. Misconfiguration may lead to suboptimal routing or loops.
Signature‑Based Detection – a method that matches traffic patterns agains…
Related terms: IDS, rule set. Signatures are effective for known threats but cannot detect novel attacks. Example: an IDS signature that flags traffic containing the “Conficker” worm payload. Maintaining an up‑to‑date signature database is essential. Encrypted traffic often bypasses signature detection unless terminated for inspection.
Statistical Anomaly Detection – the use of statistical models to identify…
Related terms: z‑score, time‑series analysis. Techniques include moving averages, standard deviation thresholds, and entropy calculations. Example: detecting a 5‑sigma increase in outbound traffic volume during a normally quiet period. Advantages include detection of unknown threats; drawbacks involve sensitivity to baseline drift and potential false alarms.
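The hour‑of‑day baseline and z‑score threshold described in the Anomaly Detection, Baseline and Statistical Anomaly Detection entries, carried through as one added example (not course material): fourteen days of hourly DNS query counts form a per‑hour mean and standard deviation, the standard deviation is floored at the Poisson level so a very stable hour does not alert on a handful of extra queries, a surge at 14:00 is scored, and the baseline is then refreshed without the flagged hour so the attack does not become part of "normal". The query counts and the wobble applied to them are constructed.

```python
"""Hour-of-day baseline with z-score scoring for hourly DNS query counts, plus
the baseline refresh that keeps flagged hours out of the profile. Added example
for the Anomaly Detection, Baseline and Statistical Anomaly Detection entries;
the query counts are constructed, not measured."""
import math
import statistics
from collections import defaultdict

# Constructed "typical" hourly DNS query counts for a corporate LAN, hours 0-23.
BASE_PROFILE = [1200, 900, 700, 600, 600, 800, 1500, 3200, 5200, 6100, 6400, 6300,
                5900, 6200, 6400, 6100, 5500, 4200, 3300, 2800, 2400, 2000, 1700, 1400]


def constructed_history(days=14):
    """hour -> list of daily counts, with a deterministic +/-5 % wobble so variance is non-zero."""
    history = defaultdict(list)
    for day in range(days):
        for hour in range(24):
            wobble = 1 + 0.05 * (((day * 7 + hour) % 5) - 2) / 2
            history[hour].append(round(BASE_PROFILE[hour] * wobble))
    return history


def build_baseline(history):
    """hour -> (mean, stdev). The stdev is floored at sqrt(mean) (Poisson noise) so a
    very stable hour does not fire on a change of a few queries."""
    baseline = {}
    for hour, counts in history.items():
        mean = statistics.fmean(counts)
        sd = max(statistics.pstdev(counts), math.sqrt(mean))
        baseline[hour] = (mean, sd)
    return baseline


def score_day(baseline, observed, threshold=4.0):
    """Return (hour, count, z) for every hour whose |z| exceeds the threshold."""
    flagged = []
    for hour, count in enumerate(observed):
        mean, sd = baseline[hour]
        z = (count - mean) / sd
        if abs(z) > threshold:
            flagged.append((hour, count, round(z, 1)))
    return flagged


def refresh(history, observed, flagged, keep_days=14):
    """Fold the new day into the sliding history, skipping flagged hours so an
    attack does not become part of 'normal'."""
    bad_hours = {hour for hour, _, _ in flagged}
    for hour, count in enumerate(observed):
        if hour in bad_hours:
            continue
        history[hour].append(count)
        del history[hour][:-keep_days]
    return history


# Constructed observation: a normal day except for an 8x surge at 14:00,
# the "sudden surge in DNS queries that exceeds typical hourly volume" case.
OBSERVED = list(BASE_PROFILE)
OBSERVED[14] = BASE_PROFILE[14] * 8

if __name__ == "__main__":
    hist = constructed_history()
    flagged = score_day(build_baseline(hist), OBSERVED)
    print(flagged)
    refresh(hist, OBSERVED, flagged)
```

A per‑hour profile handles the daily cycle but not the weekly one (Monday 09:00 is not Sunday 09:00); keying the history by (weekday, hour) is the usual next refinement, at the cost of seven times as much history before the baseline is usable.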
Telemetry – the automated collection of performance and state data from n…
Related terms: gNMI, streaming telemetry. Telemetry provides near‑real‑time visibility for analytics platforms. Example: receiving per‑interface counters every second from a router via gNMI. Benefits include reduced polling overhead and richer data. Implementations must handle high‑volume streams and ensure data integrity.
Traffic Engineering (TE) – the practice of optimizing the flow of traffic…
Related terms: MPLS TE, segment routing. TE uses path computation, load balancing, and bandwidth reservation. Example: allocating a dedicated LSP for video conferencing traffic to guarantee latency. Effectiveness relies on accurate traffic measurement and dynamic adaptation. Poor TE can cause underutilized links or congestion hotspots.
Traffic Mirroring – the duplication of traffic streams for analysis, simi…
Related terms: vSwitch mirroring, port mirroring. Cloud platforms provide mirroring APIs to send VM traffic to security appliances. Example: mirroring all traffic from a Kubernetes pod to a threat‑analysis service. Challenges include ensuring the mirrored stream does not affect the original traffic and handling encrypted workloads.
Transport Layer Security (TLS) Inspection – the process of decrypting, an…
Related terms: SSL interception, certificate authority. TLS inspection enables detection of hidden malware and policy violations. Example: a firewall performing TLS termination for outbound HTTPS traffic to scan for malicious payloads. Clients must trust the inspection CA, and applications that pin certificates fail rather than accept the substituted certificate, so such destinations need explicit bypass rules. Legal and privacy concerns require proper certificate management and user consent. Performance overhead must be balanced against security benefits.
Throughput – the actual amount of data successfully transferred over a ne…
Related terms: bandwidth, utilization. Throughput analysis determines effective capacity and identifies bottlenecks. Example: achieving 800 Mbps sustained throughput on a 1 Gbps link under load. Factors influencing throughput include protocol overhead, congestion, and hardware limitations. Continuous monitoring helps validate SLA commitments.
Time‑Series Analysis – the examination of data points collected over time…
Related terms: ARIMA, moving average. In traffic analysis, time‑series models predict future usage and detect outliers. Example: applying a Holt‑Winters forecast to daily traffic volumes to anticipate peak demand. Accurate models require consistent sampling intervals and handling of missing data. Sudden changes in traffic patterns can invalidate existing forecasts.
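The Holt‑Winters forecast mentioned above, implemented as an added example (additive triple exponential smoothing written from the standard recurrences, not a library call and not course material): level and season are initialised from the first week, the trend from the first two, one‑step‑ahead forecasts expose a surge as a large positive residual, and the final state gives the next week's forecast for peak planning. The five‑week daily series, the smoothing constants and the 100 GB threshold are constructed.

```python
"""Additive Holt-Winters (triple exponential smoothing) over daily traffic
volumes with a weekly season: one-step-ahead forecasts for outlier detection
and an h-day-ahead forecast for peak planning. Added example for the Time-Series
Analysis entry; the 5-week series below is constructed (GB per day)."""


def holt_winters_additive(series, m, alpha=0.3, beta=0.1, gamma=0.1):
    """Return ({t: one-step forecast for t >= m}, final_state). Level and season
    are initialised from the first season, the trend from the first two."""
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons to initialise")
    level = sum(series[:m]) / m
    trend = (sum(series[m:2 * m]) - sum(series[:m])) / (m * m)
    seasonal = [y - level for y in series[:m]]   # index t holds the season term for period t
    forecasts = {}
    for t in range(m, len(series)):
        forecasts[t] = level + trend + seasonal[t - m]
        y = series[t]
        new_level = alpha * (y - seasonal[t - m]) + (1 - alpha) * (level + trend)
        new_trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal.append(gamma * (y - level - trend) + (1 - gamma) * seasonal[t - m])
        level, trend = new_level, new_trend
    return forecasts, (level, trend, seasonal, m)


def forecast_ahead(state, horizon):
    """h-step forecasts from the final state: level + k*trend + matching season term."""
    level, trend, seasonal, m = state
    return [level + k * trend + seasonal[len(seasonal) - m + (k - 1) % m]
            for k in range(1, horizon + 1)]


def surge_outliers(series, m, threshold):
    """Periods whose actual volume exceeds the forecast by more than `threshold`.
    Only positive residuals are reported: after a spike the smoothed level and
    season stay inflated for a while and would otherwise produce mirror-image alerts."""
    forecasts, _ = holt_winters_additive(series, m)
    return [t for t, fc in forecasts.items() if series[t] - fc > threshold]


# Constructed daily volumes (GB): weekdays ~450, weekends ~290, five weeks,
# with a one-off +300 GB surge on day 24.
WEEK_PATTERN = [440, 450, 450, 450, 430, 290, 290]
SERIES = WEEK_PATTERN * 5
SERIES[24] += 300

if __name__ == "__main__":
    print("outliers:", surge_outliers(SERIES, 7, threshold=100))
    _, state = holt_winters_additive(SERIES, 7)
    print("next week forecast (GB):", [round(v) for v in forecast_ahead(state, 7)])
```

The spike on day 24 contaminates the level, trend and the Thursday season term for several weeks afterwards, which is the "sudden changes invalidate existing forecasts" point above; excluding flagged points from the update, as the baseline example does, limits the damage.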
Traceroute – a diagnostic tool that discovers the path packets take to a…
Related terms: hop count, path discovery. Traceroute helps locate latency sources and routing loops. Example: a traceroute revealing a detour through an unexpected ISP during a network outage. Limitations include ICMP filtering, asymmetric routes, and variability due to load‑balancing. Complementary tools like Paris‑Traceroute address some of these issues.
UDP Flood – a DDoS technique that overwhelms a target with large volumes…
Related terms: DDoS, amplification attack. Detection involves spotting abnormal UDP traffic spikes and unusual source distributions. Example: a 20 Gbps UDP flood targeting port 53 on a DNS server. Reflection variants instead arrive with source port 53 from many legitimate resolvers, so the source distribution differs from that of a spoofed direct flood. Mitigation strategies include ingress filtering, rate limiting, and upstream scrubbing. Distinguishing legitimate high‑volume UDP traffic (e.g., video streaming) from attacks requires contextual analysis.
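The "abnormal packet rates" and "unusual source distributions" signals from the DDoS Detection and UDP Flood entries, combined in one added example (not course material): per second, the packet rate toward port 53 is compared with a threshold, and the Shannon entropy of source addresses, normalised by log2 of the packet count, separates a flood with randomised spoofed sources (spread near 1.0) from a burst produced by a handful of busy resolvers. The packet samples, the 10,000 pps threshold and the 0.8 spread cut‑off are constructed.

```python
"""Per-second UDP flood triage for a DNS server: packet rate plus the Shannon
entropy of source addresses separates a spoofed flood (thousands of unique
sources) from a legitimate burst by a few busy resolvers. Added example for the
DDoS Detection and UDP Flood entries; the packet samples are constructed."""
import math
from collections import Counter, defaultdict

UDP = 17


def shannon_entropy(counter):
    """Entropy in bits of the distribution described by a Counter."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def triage_udp(packets, target_port=53, pps_threshold=10_000, spread_threshold=0.8):
    """packets: (ts_sec, src_ip, sport, dst_ip, dport, proto, length).
    Returns one verdict per second in which UDP traffic to target_port exceeds
    pps_threshold. spread = entropy / log2(pps) is 1.0 when every packet has a
    different source address."""
    per_second = defaultdict(Counter)
    for ts, src, _sport, _dst, dport, proto, _length in packets:
        if proto == UDP and dport == target_port:
            per_second[ts][src] += 1
    verdicts = []
    for ts in sorted(per_second):
        sources = per_second[ts]
        pps = sum(sources.values())
        if pps < pps_threshold:
            continue
        spread = shannon_entropy(sources) / math.log2(pps)
        kind = "udp-flood-randomized-sources" if spread >= spread_threshold else "rate-spike-few-sources"
        verdicts.append({"ts": ts, "pps": pps, "unique_sources": len(sources),
                         "spread": round(spread, 2), "verdict": kind})
    return verdicts


def constructed_traffic():
    base = 1_700_000_000
    pkts = []
    # second 0: normal load, 300 queries from 30 resolvers
    pkts += [(base, f"198.51.100.{i % 30 + 1}", 40000 + i, "192.0.2.53", 53, UDP, 70)
             for i in range(300)]
    # second 1: 20 000 packets, each from a different spoofed source address
    pkts += [(base + 1, f"100.{i >> 8}.{i & 255}.7", 1024 + i % 60000, "192.0.2.53", 53, UDP, 60)
             for i in range(20_000)]
    # second 2: 20 000 packets from five large recursive resolvers (a legitimate burst,
    # or a non-spoofed flood: either way it needs a human look, not automatic blackholing)
    pkts += [(base + 2, f"203.0.113.{i % 5 + 1}", 1024 + i % 60000, "192.0.2.53", 53, UDP, 70)
             for i in range(20_000)]
    # TCP and other-port traffic is ignored by this rule
    pkts += [(base + 1, "198.51.100.9", 50000, "192.0.2.53", 443, 6, 1500) for _ in range(500)]
    return pkts


if __name__ == "__main__":
    for verdict in triage_udp(constructed_traffic()):
        print(verdict)
```

Entropy is cheap to compute on a stream and works equally well on destination ports or packet sizes; a sudden jump in source entropy with a flat packet rate is itself worth an alert, since it often precedes the volumetric phase.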
Unified Threat Management (UTM) – an all‑in‑one security appliance that c…
Related terms: next‑generation firewall, security appliance. UTM devices often include built‑in traffic analysis modules. Example: a UTM reporting a spike in detected malware downloads from a compromised endpoint. While convenient, UTMs can become single points of failure and may lack the depth of dedicated solutions. Proper sizing and regular updates are essential.
Virtual LAN (VLAN) – a logical segmentation of a physical network into se…
Related terms: 802.1Q, trunking. VLAN traffic analysis isolates inter‑VLAN flows and identifies policy violations. Example: monitoring traffic between a finance VLAN and a guest VLAN to enforce access controls. Misconfigurations can lead to VLAN hopping attacks. Analysts must capture both access and trunk ports to obtain full visibility.
Visualization Dashboard – a graphical interface presenting key traffic me…
Related terms: BI tool, heat map. Effective dashboards combine real‑time charts, drill‑down capabilities, and contextual information. Example: a dashboard showing per‑application bandwidth usage with color‑coded thresholds. Designing intuitive visualizations reduces cognitive load for operators. Overcrowding dashboards with too many metrics can obscure critical insights.
VLAN Tagging – the insertion of a VLAN identifier into Ethernet frames to…
Related terms: 802.1Q, trunk port. Traffic analysis must decode VLAN tags to attribute packets to the correct logical segment. Example: capturing a frame with VLAN 200 indicating a marketing network. Tag stripping on certain devices can cause loss of segmentation information. Proper handling ensures accurate accounting and security enforcement.
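The tag decoding described in the VLAN Tagging entry, together with the PCAP reading from the Packet Capture entry and the VLAN‑hopping caveat from the VLAN entry, as one added example (not course material): a classic pcap file is parsed with its 24‑byte global header and 16‑byte record headers in either byte order, each Ethernet frame's tag stack (802.1Q 0x8100 and 802.1ad 0x88A8) is walked until a real EtherType is reached, the "VLAN 200 indicating a marketing network" frame is attributed, and frames carrying two 0x8100 tags are flagged as the double‑tagging pattern. The capture is built in memory from constructed frames; the MAC addresses and the zero‑filled payload are placeholders, and the double‑tag heuristic assumes the capture point is an access port (on a QinQ trunk a 0x88A8 outer tag is expected).

```python
"""Read a classic pcap file and decode Ethernet frames with zero, one or two
802.1Q/802.1ad tags, reporting VLAN membership and flagging double-tagged frames
of the kind used for VLAN hopping. Added example for the Packet Capture, VLAN and
VLAN Tagging entries; the capture is constructed in memory, not a real trace."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TPID_8021Q = 0x8100      # customer VLAN tag
TPID_8021AD = 0x88A8     # service-provider (QinQ) outer tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, tags, ethertype, payload):
    """Constructed frame. tags: list of (tpid, pcp, vid), outermost first."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def build_pcap(frames, snaplen=65535):
    """Constructed little-endian pcap: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Return [(timestamp, frame_bytes)]; handles both byte orders, rejects truncated records."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap and pcapng not handled here)")
    _, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return records


def decode_ethernet(frame):
    """Walk the tag stack until a non-VLAN EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6].hex(":"), frame[6:12].hex(":"), 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 2 > len(frame):
            raise ValueError("tag without TCI")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append({"tpid": etype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
    return {"dst": dst, "src": src, "tags": tags, "ethertype": etype, "payload": frame[off:]}


def vlan_report(decoded):
    """Outermost VID per frame (None = untagged), the basis for per-segment accounting."""
    return Counter(d["tags"][0]["vid"] if d["tags"] else None for d in decoded)


def suspicious_double_tags(decoded):
    """On an access port a frame carrying two 802.1Q tags is the classic double-tagging
    VLAN-hopping pattern; an 802.1ad (0x88A8) outer tag is normal on a QinQ trunk."""
    return [d for d in decoded if len(d["tags"]) >= 2 and d["tags"][0]["tpid"] == TPID_8021Q]


PAYLOAD = bytes(46)   # placeholder body; a real frame would carry an IPv4 header here
FRAMES = [  # constructed
    build_frame("ffffffffffff", "001122334455", [], ETHERTYPE_IPV4, PAYLOAD),                        # untagged
    build_frame("001122334466", "001122334455", [(TPID_8021Q, 0, 200)], ETHERTYPE_IPV4, PAYLOAD),     # marketing VLAN 200
    build_frame("001122334466", "001122334455", [(TPID_8021AD, 0, 10), (TPID_8021Q, 0, 200)],
                ETHERTYPE_IPV4, PAYLOAD),                                                            # QinQ
    build_frame("001122334477", "00112233aabb", [(TPID_8021Q, 0, 1), (TPID_8021Q, 0, 200)],
                ETHERTYPE_IPV4, PAYLOAD),                                                            # double-tag hop
]
CAPTURE = build_pcap(FRAMES)

if __name__ == "__main__":
    decoded = [decode_ethernet(frame) for _, frame in read_pcap(CAPTURE)]
    print(vlan_report(decoded))
    print("suspicious:", suspicious_double_tags(decoded))
```

Whether tags are present at all depends on where the copy was made: a SPAN session or a NIC driver that strips 802.1Q headers delivers every frame as untagged, which is the "tag stripping" loss of segmentation information noted above and the reason a TAP on a trunk is preferred for VLAN attribution.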
Web Application Firewall (WAF) – a security device that monitors, filters…
Related terms: OWASP Top 10, SQL injection. WAFs generate logs that can be correlated with network flow data for comprehensive threat detection. Example: a WAF alert indicating a cross‑site scripting attempt accompanied by increased POST request volume. Effective deployment requires tuning to reduce false positives while maintaining performance. Encrypted traffic inspection necessitates TLS termination.
Wi‑Fi Spectrum Analysis – the examination of radio frequencies used by wi…
Related terms: channel utilization, RF noise. Spectrum analysis tools capture signal strength, channel occupancy, and device count. Example: identifying overlapping channels causing degraded throughput in an office Wi‑Fi deployment. Mitigation includes channel reallocation, power adjustments, and antenna placement. External sources (e.g., microwave ovens) may introduce unpredictable noise.
Wireshark – a widely used open‑source packet analyzer for detailed inspec…
Related terms: PCAP, protocol decoder. Wireshark provides filters, statistics, and visualizations for protocol layers. Example: using Wireshark to dissect a TLS handshake and verify certificate chains. Given the session keys (for example, a browser's SSLKEYLOGFILE export), it can also decrypt captured TLS sessions. While powerful, the tool requires expertise to interpret complex protocols and large capture files. Exporting filtered data helps focus analysis on relevant traffic.
Zero‑Trust Architecture (ZTA; the abbreviation ZTNA usually denotes Zero Trust Network Access products) – a security model that assumes no…
Related terms: micro‑segmentation, identity‑based access. Traffic analysis in a zero‑trust environment focuses on identity, device posture, and contextual risk. Example: monitoring east‑west traffic between workloads to enforce least‑privilege policies. Implementation challenges include scaling verification mechanisms and integrating with existing monitoring tools. Continuous analytics are essential to detect policy violations.