As digital transformation sweeps across the world, there is a driving need for more effective logging and data recording for incident response. In today’s IT world, your agency’s Computer Incident Response Team (CIRT) must have the capability to quickly determine the source and scope of an attack on its network in order to effectively mitigate it. In an attempt to do this, most administrators will build an audit trail of information collected from network traffic using either NetFlow or packet capture (PCAP). In reality, the best solution is to leverage both to your advantage.

It is important to realize that effective incident response it is all about size. For example, if you are collecting only PCAP, then you may have too much data over too short a time. Using PCAP to find out who one machine was connected with on a busy segment of the network is, at best, a lengthy query and, at worst, the TCP reconstruction can be computationally impossible.

With NetFlow, it’s a quick and speedy query over a  lengthy forensic record. This is because the space that could hold hours of PCAP could hold 2-3 months of NetFlow records. With full PCAP and NetFlow, it’s definitely an “and,” not an “or,” proposition. So the best approach for organizations is to use NetFlow first (due to the ease of collection and queries) then complement with PCAP later, as resources allow.

Here’s a good example: imagine you had a time window reflecting both NetFlow and PCAP. First, you would use NetFlow to know what and where to query, then you could filter those results down to the network for more precise capture, ending up with something that could be realistically returned. In comparison, if you use a week of PCAP with the best of breed full packet commercial solutions (on a busy enterprise point of presence), with the query “show me everything the computer gavin.reid-machine did on the network”, it will never return that query. In order to get something returned using PCAP, you must carefully define  your query. The more specific the better, such as “on June 12th between 10:15-10:30, over port 80, show me what gavin.reid-machine did on the network”. This type of query would return usable data.

In essence, with PCAP you need a more precise and focused query to achieve an optimal return, while NetFlow enables you to find out the “what and where” to query with. Plus, with flow data, you can easily and quickly query for everything gavin.reid-machine did on the network, and do so while covering a much longer period of time. So don’t be fooled into thinking your organization needs only one of the two. The reality is you need both since they support and feed off each other. And as digital transformation continues to push rapid change in IT, it is even more critical that NetFlow and PCAP – working together – become a significant piece of your CIRTs detection arsenal.


Gavin Reid


Public Sector