
What Is Network Traffic Analysis (NTA)?

Network traffic analysis (NTA) is the practice of capturing and examining the traffic moving across a network (the packets, flows, and sessions) to detect threats, investigate incidents, and understand what is actually happening on the network.

A workstation looks clean. The antivirus is quiet, the endpoint agent shows a normal signed process making web requests, and nothing on the host raises a flag. But on the wire, the same machine is reaching out to one external address every sixty seconds, around the clock, with small, near-identical requests. No human browses like that. A person watching the network traffic sees the rhythm immediately: that is a beacon, a compromised host checking in with its command-and-control server. The endpoint hid it. The network could not.

That is the value of network traffic analysis. The network is a witness an attacker cannot fully silence. They can disable an endpoint agent, delete local logs, and run entirely in memory, but to move, to communicate, to steal data, they have to put packets on the wire, and those packets can be watched. Network traffic analysis is the discipline of watching them.

This guide covers what network traffic analysis is and why it matters, what it inspects, how it works, the detection techniques, what it catches, how it relates to IDS and NDR, the tools, and where it sits in a SOC. It is written for blue teamers who have to find the attacker on the wire.

What is network traffic analysis?

Network traffic analysis (NTA) is the practice of capturing and examining the traffic moving across a network, the packets, flows, and sessions, to detect threats, investigate incidents, and understand what is actually happening on the network. It treats network traffic as evidence: every connection, every protocol, every byte transferred is a record of behavior that can be analyzed.

The premise is simple and powerful. Endpoints can be blinded and logs can be tampered with, but communication leaves the host and crosses infrastructure the attacker does not control. As long as a sensor is watching the right link, the attacker's traffic is visible, whether or not their malware was ever detected on a single machine.

The discipline has evolved. What the industry once called NTA has largely been folded into Network Detection and Response (NDR), which adds behavioral analytics and response actions on top of traffic analysis. The core skill is the same: reading the network to find what should not be there.

Why network traffic analysis matters

Network traffic analysis fills the gaps the other defenses leave.

It sees what the endpoint cannot. Not every device can run an agent (servers, IoT, appliances, personal devices), and an attacker's first move is often to blind the agents that do exist. The network sees those devices and that tampering regardless, because the traffic still flows.

It watches east-west, not just the perimeter. A firewall inspects traffic crossing the boundary. Most of an intrusion (the lateral movement, the internal reconnaissance) happens between internal hosts, in traffic a perimeter device never sees. NTA watching internal links is how that movement becomes visible.

It is where dwell time is spent. Mandiant's M-Trends 2026 report puts the global median dwell time at 14 days, two weeks in which an attacker is communicating, moving, and staging data, all of it on the network. Each of those days is a chance for traffic analysis to catch the activity that the initial compromise slipped past.

What network traffic analysis inspects

Network traffic analysis works from a few different kinds of network data, each a trade-off between detail and scale.

| Data type | What it captures | Trade-off |
|---|---|---|
| Full packet capture (PCAP) | Every byte, including payloads | Highest fidelity; storage-heavy, hard to keep for everything |
| Flow data (NetFlow / IPFIX) | Connection metadata: source, destination, ports, bytes, timing | Scales across the whole network; no payload content |
| Protocol / transaction logs | Rich per-connection records and extracted fields (e.g. from Zeek) | The middle ground: deep detail without storing every packet |

Full packet capture records everything, which makes it the ground truth for deep investigation, but storing every packet across a large network is expensive and rarely feasible everywhere. Flow data keeps only the metadata of each connection, who talked to whom, when, and how much, which scales to the entire network and is enough to spot most anomalies. Transaction logs, the kind Zeek produces, sit in between: structured, searchable records of every connection with key fields extracted, the format many analysts live in.

A mature program uses all three: flow everywhere for breadth, transaction logs for everyday analysis, and full packet capture at key choke points for when you need the whole story.

How network traffic analysis works

Network traffic analysis runs as a pipeline from raw traffic to a decision.

  1. Capture. A sensor gets a copy of the traffic, usually through a network TAP or a SPAN/mirror port on a switch, so it can see packets without sitting in their path.
  2. Process and log. The sensor parses the traffic, identifies protocols, and turns raw packets into structured records, the job a tool like Zeek does, while a flow exporter summarizes connections.
  3. Detect. The processed traffic is analyzed two ways: matched against signatures of known-bad activity, and evaluated for behavioral anomalies that no signature describes.
  4. Alert and investigate. Detections become alerts an analyst triages, with the underlying traffic available as evidence, and analysts also hunt through the records proactively.

The capture point is a design decision that determines what you can see. A sensor only watching the internet boundary is blind to internal movement; covering east-west traffic means placing sensors where it matters most.

How NTA detects threats

[Figure: Network traffic analysis, the witness on the wire. Panels: Compromised host (workstation; a normal signed process making web requests, nothing on the host raises a flag); Sensor on a TAP (a TAP or SPAN port hands the sensor a copy of every packet, off to the side of the path); C2 beacon (one external address every 60 seconds, around the clock, small near-identical requests; MITRE ATT&CK TA0011). Caption: the endpoint hid it, the network could not. An attacker can disable the agent, delete local logs, and run in memory, but to check in with their command-and-control server they still have to put packets on the wire.]

Detection combines two complementary approaches, and the second is what makes NTA powerful.

Signature-based detection matches traffic against known-bad patterns: exploit attempts, known malware communication, and command-and-control indicators. This is the job of an IDS engine like Suricata or Snort, and it is fast and precise for threats that have been seen before.

Behavioral and anomaly detection looks for activity that is wrong in context rather than matching a known signature. This is where the novel attack gets caught, and it covers the patterns attackers cannot avoid creating:

  • Command-and-control beaconing. The regular, machine-timed check-ins of a compromised host, like the sixty-second beacon in the opener, are visible as a rhythm no human generates.
  • Data exfiltration. A large or unusual outbound transfer, or a steady trickle to an external host, stands out against an established baseline.
  • DNS tunneling. Encoding stolen data or C2 traffic inside DNS queries is invisible to many tools but obvious in the abnormal volume and shape of the DNS traffic.
  • Lateral movement and scanning. A host suddenly connecting to many internal systems, or probing ports, is reconnaissance or movement in progress.

A worked example: an analyst notices a single internal host opening connections to two hundred other internal addresses on port 445 within a minute. No signature fired, because nothing about any one connection is malicious. The pattern is the attack, a host scanning for SMB shares to spread. That is the kind of finding only network traffic analysis surfaces, because it lives in the shape of the traffic, not in any single packet.
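Both behavioral patterns above, and the Zeek-style transaction-log format described earlier, can be seen in code. This is an added example, not code from the original page: it runs a beacon-regularity check and the port-445 fan-out check from the worked example over a constructed, simplified conn.log. The field subset, the hosts, and the thresholds (five gaps, 10% jitter, 50 peers per minute) are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]

def parse_conn_log(text):
    """Parse a constructed, simplified Zeek-style conn.log (TSV, subset of fields)."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rec = dict(zip(FIELDS, line.split("\t")))
            rec["ts"], rec["resp_p"] = float(rec["ts"]), int(rec["resp_p"])
            rows.append(rec)
    return rows

def find_beacons(rows, min_gaps=5, max_cv=0.1):
    """Flag (src, dst) pairs whose gap stdev/mean is at or below max_cv: machine-regular."""
    stamps = defaultdict(list)
    for r in rows:
        stamps[(r["orig_h"], r["resp_h"])].append(r["ts"])
    hits = {}
    for pair, ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= min_gaps and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) <= max_cv:
                hits[pair] = round(mean(gaps), 1)   # beacon period in seconds
    return hits

def find_fanout(rows, port=445, window=60.0, threshold=50):
    """Flag a source reaching more than `threshold` distinct peers on `port` in one window."""
    peers = defaultdict(set)
    for r in rows:
        if r["resp_p"] == port:
            peers[(r["orig_h"], int(r["ts"] // window))].add(r["resp_h"])
    hits = {}
    for (src, _), dsts in peers.items():
        if len(dsts) > threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits

def build_sample_log():
    """Constructed traffic: a 60 s beacon, bursty human browsing, an SMB sweep."""
    out = ["#fields\t" + "\t".join(FIELDS)]
    for i in range(12):   # 10.0.0.5 checks in every 60 s with 0.4 s of jitter
        out.append(f"{1700000000 + 60 * i + 0.4 * (i % 2)}\t10.0.0.5\t{50000 + i}\t203.0.113.9\t443\ttcp\tssl")
    for i, t in enumerate([0, 3, 4, 40, 41, 120, 300, 301]):   # a person browsing
        out.append(f"{1700000000 + t}\t10.0.0.7\t{51000 + i}\t198.51.100.20\t443\ttcp\tssl")
    for i in range(200):  # 10.0.0.9 sweeps 200 internal hosts on 445 in 50 s
        out.append(f"{1700000100 + 0.25 * i}\t10.0.0.9\t{52000 + i}\t10.0.1.{i + 1}\t445\ttcp\t-")
    return "\n".join(out)
```

Neither detector looks at a single packet or payload: the beacon shows up as a low coefficient of variation in connection timing, and the sweep as the count of distinct peers, which is why they still work on encrypted sessions.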

Encrypted traffic does not blind this. Sensors do not need to decrypt TLS to analyze it; they reason about metadata, the timing, sizes, destinations, and fingerprints such as JA3, so a malicious beacon is detectable even inside an encrypted session. The result of both approaches is a set of indicators of compromise and behavioral detections, often mapped to MITRE ATT&CK techniques so an alert reads as a recognizable adversary action.

Network traffic analysis vs IDS vs NDR

These terms overlap and are easy to confuse.

| | IDS / IPS | NTA | NDR |
|---|---|---|---|
| Core job | Match traffic to known-bad signatures | Analyze traffic for anomalies and threats | NTA plus behavioral analytics and response |
| Method | Signatures; IPS blocks inline | Signatures, behavior, and flow analysis | Machine learning, behavior, automated response |
| Output | Alerts, or blocks | Visibility and detections | Detections and response actions |

IDS/IPS is signature-first: precise on known threats, blind to novel ones. NTA is the broader practice of analyzing traffic, including behavioral methods that catch the unknown. NDR is where the market landed: NTA plus analytics and the ability to respond, the network counterpart to EDR on the endpoint. They are layers of the same idea, not competitors, and most mature programs run signatures and behavioral analysis together.

Network traffic analysis tools

The tooling ranges from a single capture to an enterprise platform.

  • Zeek. The open-source workhorse for turning traffic into rich, structured connection logs for analysis and hunting.
  • Suricata and Snort. Open-source IDS engines that match traffic against signature rule sets, and can block inline as an IPS.
  • Wireshark. The standard for deep, manual packet inspection during investigation.
  • Flow analyzers and NDR platforms. Tools that ingest NetFlow/IPFIX or sensor data and apply behavioral analytics at scale.

For security work these are usually combined: Suricata for known-threat signatures, Zeek for visibility and forensics, Wireshark for hands-on packet analysis, all feeding a SIEM or NDR platform. The tools surface the traffic; the analyst still reads it.

The limits of network traffic analysis

Network traffic analysis is powerful but not complete, and a defender should know its blind spots. It only sees traffic that crosses a monitored link, so a sensor in the wrong place misses anything that routes around it, which makes sensor placement a real design problem. Encryption caps how deep it can go: behavioral analysis works on metadata, but the payload of a TLS session stays opaque without decryption. Volume is a constant pressure, since full packet capture cannot be kept everywhere, so teams trade fidelity for scale. And like any detection method, behavioral analysis needs a solid baseline and ongoing tuning, or it buries analysts in false positives. None of these negate the value; they are why network traffic analysis runs alongside endpoint and log telemetry, not instead of it.

Network traffic analysis in the SOC

In security operations, network traffic analysis is one of the core telemetry sources, and its real power is in combination. Network detections flow into a SIEM, where they correlate with endpoint and identity data so an analyst sees the beacon, the process that made it, and the account behind it as one incident. When an alert is confirmed, the captured traffic is primary evidence for incident response: packet captures and connection logs show exactly what an attacker did and took. And because the network records everything that crossed it, those logs are a rich hunting ground for proactive threat hunting.

Network traffic analysis also pairs with EDR to close each other's gaps: the endpoint explains what happened on the host, the network explains what happened between hosts, and together they tell the whole story. It is a central part of network security as practiced, not as a diagram.

The constant is the analyst. A tool flags a suspicious connection; a person who knows what the network normally does decides whether it is an attacker or a backup job. That judgment is the skill.

Getting started with network traffic analysis

If you are building the skill, work with real traffic.

  1. Learn TCP/IP deeply. You cannot analyze what you do not understand. Know how the protocols behave so abnormal stands out.
  2. Live in Wireshark. Open real packet captures and learn to read a conversation: the handshake, the request, the transfer, the anomaly.
  3. Run Zeek and Suricata. Process captured traffic into logs and alerts, and learn what each tool shows you.
  4. Reconstruct an attack from traffic. Take the PCAP of an intrusion and rebuild what happened, the single best exercise for the skill.

The bottom line

Network traffic analysis is the discipline of watching the one thing an attacker cannot avoid using: the network. They can blind endpoints and erase logs, but to communicate, move laterally, and steal data, they must put traffic on the wire, and that traffic, in packets, flows, and connection logs, is evidence. NTA reads it with signatures for the known and behavioral analysis for the unknown, catching beaconing, exfiltration, and lateral movement that host tools miss, even inside encrypted sessions.

It is strongest in combination, paired with the endpoint, correlated in a SIEM, and folded into the NDR platforms that now carry the practice forward. But the constant is the analyst who can look at a stream of connections and pick out the one that is an intruder.

Frequently asked questions

What is network traffic analysis in simple terms?

Network traffic analysis is the practice of watching and examining the data moving across a network to find threats and understand what is happening. Because attackers have to communicate and move over the network, analyzing that traffic reveals activity, like malware calling home or data being stolen, that tools on individual computers can miss.

What is the difference between packet capture and flow data?

Full packet capture records every byte of traffic, including the actual content, giving the highest detail but requiring large storage. Flow data (such as NetFlow) records only the metadata of each connection, who talked to whom, when, and how much, with no content. Flow scales across an entire network for spotting anomalies; packet capture is used where deep detail is needed.

What is the difference between NTA and NDR?

Network traffic analysis (NTA) is the broad practice of analyzing network traffic for threats. NDR (Network Detection and Response) is the modern evolution of it: NTA plus behavioral analytics and the ability to respond, such as triggering containment. NDR is essentially the network equivalent of EDR, and the industry has largely shifted from the term NTA to NDR.

Can network traffic analysis detect threats in encrypted traffic?

Yes. Sensors do not need to decrypt TLS to find threats. They analyze metadata, the timing, sizes, destinations, and fingerprints like JA3 of encrypted connections, so a command-and-control beacon or data exfiltration is detectable by its behavior even when the contents are encrypted.

What can network traffic analysis detect?

It detects command-and-control beaconing, data exfiltration, lateral movement between internal hosts, network reconnaissance and port scanning, DNS tunneling, and denial-of-service activity. Because these behaviors all generate network traffic, they are visible to traffic analysis even when no malware is flagged on the endpoint.

What tools are used for network traffic analysis?

Common tools include Zeek for turning traffic into structured logs, Suricata and Snort as signature-based IDS engines, Wireshark for manual packet inspection, and flow analyzers or NDR platforms for behavioral analytics at scale. Security teams typically combine them and feed the output into a SIEM.
