Traffic Analysis

Traffic analysis is all about analysing the traffic pattern and not about looking at the contents of the traffic. Who communicates with whom, when, how much, how regular or non-regular and so on.

Bruce Schneier formulates it in his book Secrets & Lies:

The simple fact that Alice telephones a known terrorist every week is more important than the details of their conversation.

In computer communication and networking this kind of analysis is quite often neglected in favor of content analysis. Every intrusion detection system (IDS) is able to distinguish "bad" content from "good" (or, actually "unknown"), but very few tools exists for traffic analysis, despite of the fact that a traffic analysis often can give more relevant information about the condition of the network. A seemingly trivial question about what traffic actually travels in the network can be hard to answer even for the network administrators. Often only a vague answer and possible some statistics can be presented. A more specific question like "what new things have our users done the last week not consistent with our firewall policy" is even more likely to stay unanswered.

One of the reasons traffic analysis isn't done, is that it is hard to do. There are very few tools for it available, and such an analysis done manually is very time consuming.

The benefits of network traffic analysis

Traffic analysis show you the traffic in your network. This can sound trivial - isn't it just to use a packet sniffer like ethereal, snoop or tcpdump? No, not at all. A network sniffer is used to look at specific traffic, but do not perform any analysis of it. Using a sniffer require you to know exactly what you are looking for, and will not give you much help in giving you an overview of the network. Traffic analysis, on the other hand, will help you isolate the traffic you really should look closer on.

Trouble shooting is a common application of traffic analysis. In all larger networks, there are errors that not yet have been detected. Without traffic analysis, the errors will not be detected before they cause a network failure. On the other hand, with traffic analysis, those errors can be detected and corrected pro-actively.

Anomaly and deviation detection is another application of traffic analysis. By comparing the traffic patterns today with what they looked like yesterday, you get valuable information about the changes in the network. This will detect new software causing new traffic patterns, like viruses, trojans, peer to peer users and cracker tools. Of course this kind of deviation reports also will show legitimate traffic patterns. The main feature with anomaly detection, is that you only need to focus on the new traffic patterns in your network.

In all situations you have a need of knowing what network traffic goes in to, out from or within your networks, you need traffic analysis.


Network traffic analysis will detect the network errors, thus making it possible for you to correct them pro-actively, before they cause some form of network failure.

Mikael Kuisma, Ping Research AB

Ping Research