All data that can be retrieved from network traffic can be divided into several levels (with the approximate share of the full-capture volume each one takes, where the source gives it):
- Full Packet Capture (100%)
- Packet String Data (4%)
- Sessions (0.1%)
- Statistics
- Logs
It is obvious that, from the point of view of a forensics analyst, the preferred method is to collect full traffic, since in that case we obtain the most complete dataset.
However, along with its obvious advantages, this approach has a number of drawbacks. Storing and subsequently analysing a large amount of data requires a lot of time and resources.
At the same time, other forms of data, such as NetFlow, are in many cases a reasonable alternative, since they require fewer resources to collect, store and process.
Compared to full traffic, these other forms of data together constitute only a few percent of the volume. They require less storage space and can therefore be kept for a longer period of time.
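As an added example (not code from the original article), the following Python derives the coarser data levels listed above from a small constructed packet stream and compares the storage footprint of each level. The header size, the 64-byte payload truncation for packet string data and the 48-byte flow-record size are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str        # source IP
    dst: str        # destination IP
    sport: int
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # application-layer data

# Constructed sample traffic: one small HTTP exchange and one DNS lookup.
SAMPLE = [
    Packet(1.00, "10.0.0.5", "203.0.113.9", 51000, 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"),
    Packet(1.10, "203.0.113.9", "10.0.0.5", 80, 51000, "tcp", b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 1400),
    Packet(1.20, "203.0.113.9", "10.0.0.5", 80, 51000, "tcp", b"B" * 1400),
    Packet(2.00, "10.0.0.5", "192.0.2.53", 40001, 53, "udp", b"\x00" * 32),
    Packet(2.05, "192.0.2.53", "10.0.0.5", 53, 40001, "udp", b"\x00" * 48),
]

HEADER_BYTES = 14 + 20 + 20   # assumed Ethernet + IPv4 + transport header size
FLOW_RECORD_BYTES = 48        # assumed size of one exported NetFlow-style record

def full_capture_bytes(pkts):
    """Level 1: every byte of every packet (headers plus payload)."""
    return sum(HEADER_BYTES + len(p.payload) for p in pkts)

def packet_string_bytes(pkts, keep=64):
    """Level 2: headers plus only the first `keep` bytes of each payload."""
    return sum(HEADER_BYTES + min(len(p.payload), keep) for p in pkts)

def session_records(pkts):
    """Level 3: unidirectional flow records keyed on the 5-tuple, as NetFlow does."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "start": None, "end": None})
    for p in pkts:
        f = flows[(p.src, p.dst, p.sport, p.dport, p.proto)]
        f["packets"] += 1
        f["bytes"] += HEADER_BYTES + len(p.payload)
        f["start"] = p.ts if f["start"] is None else min(f["start"], p.ts)
        f["end"] = p.ts if f["end"] is None else max(f["end"], p.ts)
    return dict(flows)

def session_bytes(pkts):
    """Storage needed for the session level: one fixed-size record per flow."""
    return len(session_records(pkts)) * FLOW_RECORD_BYTES

def level_shares(pkts):
    """Each level's storage as a fraction of full packet capture."""
    full = full_capture_bytes(pkts)
    return {"full": 1.0, "packet_string": packet_string_bytes(pkts) / full,
            "sessions": session_bytes(pkts) / full}
```

Even on this tiny sample the session level is far below the packet-string level; on real traffic with large payloads the gap widens toward the percentages quoted above.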
For clarity, consider the following example. Let's suppose an organization has a daily volume of network...