Packet Log Analytics

Introduction

Packet logs provide a wire-level view of network activity. Each packet captures source/destination addresses, ports, protocol, timing, sizes and flags—enough detail to reconstruct conversations, baseline normal traffic, and catch abnormalities in real time. Conatix uses deep-learning models to learn those baselines and surface anomalies such as scans, floods, unusual protocol mixes, and lateral movement—without relying on brittle rule sets.

What We Analyze

  • Packet volumes and burst patterns across time windows.
  • Protocol distribution shifts (e.g., UDP spikes vs. TCP data/connect events).
  • TCP flag irregularities (SYN, ACK, RST, FIN) that indicate scans or resets.
  • 5-tuple flow behaviors (source/destination IP/port + protocol) and deviations from baselines.
  • Latency/throughput outliers, fragmentation, and retransmission indicators.
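As an added illustration (not Conatix's code), the snippet below sketches two of the checks above in plain rule form: grouping packets into 5-tuple flows, then flagging a source that sends SYN-only probes to many ports without completing a handshake (port scan) or emits a burst of UDP packets in one window. The packet sample, window size and thresholds are constructed assumptions; the learned baselines the page describes are not modelled here.

```python
from collections import defaultdict

# Constructed sample packets (not real capture data): (ts s, src, dst, sport, dport, proto, flags)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 40001, 22, "TCP", "SYN"),
    (0.1, "10.0.0.5", "10.0.0.9", 40002, 80, "TCP", "SYN"),
    (0.2, "10.0.0.5", "10.0.0.9", 40003, 443, "TCP", "SYN"),
    (0.3, "10.0.0.5", "10.0.0.9", 40004, 3389, "TCP", "SYN"),
    (0.4, "10.0.0.5", "10.0.0.9", 40005, 8080, "TCP", "SYN"),
    (0.5, "10.0.0.5", "10.0.0.9", 40006, 5900, "TCP", "SYN"),
    (1.0, "10.0.0.7", "10.0.0.9", 50000, 443, "TCP", "SYN"),       # normal handshake
    (1.1, "10.0.0.9", "10.0.0.7", 443, 50000, "TCP", "SYN,ACK"),
    (1.2, "10.0.0.7", "10.0.0.9", 50000, 443, "TCP", "ACK"),
] + [(2.0 + i * 0.005, "10.0.0.8", "10.0.0.53", 53000 + i, 53, "UDP", "")
     for i in range(150)]                                            # UDP burst

def flow_summary(packets):
    """Packet count per 5-tuple flow (src IP, dst IP, src port, dst port, proto)."""
    flows = defaultdict(int)
    for _, src, dst, sport, dport, proto, _ in packets:
        flows[(src, dst, sport, dport, proto)] += 1
    return dict(flows)

def flag_anomalies(packets, window=1.0, scan_ports=5, udp_burst=100):
    """Return sorted (reason, src IP, window index) findings.
    Port Scan: a source sends SYN-only TCP packets to >= scan_ports distinct
    destination ports in one window and completes no handshake (no bare ACK).
    UDP Burst: a source emits >= udp_burst UDP packets in one window."""
    syn_ports = defaultdict(set)   # (src, window) -> dst ports probed with SYN only
    handshakes = set()             # (src, window) that sent a bare ACK (3-way handshake done)
    udp_count = defaultdict(int)   # (src, window) -> UDP packet count
    for ts, src, dst, sport, dport, proto, flags in packets:
        w = int(ts // window)
        if proto == "TCP" and flags == "SYN":
            syn_ports[(src, w)].add(dport)
        elif proto == "TCP" and flags == "ACK":
            handshakes.add((src, w))
        elif proto == "UDP":
            udp_count[(src, w)] += 1
    findings = [("Port Scan", src, w) for (src, w), ports in syn_ports.items()
                if len(ports) >= scan_ports and (src, w) not in handshakes]
    findings += [("UDP Burst", src, w) for (src, w), n in udp_count.items()
                 if n >= udp_burst]
    return sorted(findings)

if __name__ == "__main__":
    for reason, src, w in flag_anomalies(PACKETS):
        print(f"{reason}: {src} in window {w}")
```

A host that mixes a scan with legitimate completed connections in the same window would be masked by the handshake check, which is one reason fixed thresholds are a starting point rather than a substitute for learned baselines.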

Common Terms (Quick Reference)

  • Packet: The smallest unit of network transmission; analyzed to detect fine-grained anomalies.
  • Flow (5-tuple): Grouping of packets by src IP, dst IP, src port, dst port, protocol; core to behavior tracking.
  • Protocol: Communication rules (e.g., TCP, UDP, ICMP). Different protocols imply different risks and performance traits.
  • TCP Flags: Bits that describe connection state (SYN, ACK, RST, FIN); abnormal patterns are strong threat signals.
  • Throughput: Effective data delivered per unit time; drops often indicate congestion or faults.
  • Latency: Time for a packet to traverse the path; persistent spikes may reflect routing or capacity issues.
  • Ports: Logical endpoints (e.g., 53/DNS, 443/HTTPS); unexpected open/active ports are common indicators.
  • TTL: Time-to-Live is a hop count decremented at every router so that looping packets are eventually discarded; unusual TTL values can hint at spoofing or atypical paths.
  • MTU/MSS: Maximum Transmission Unit (largest frame) and Maximum Segment Size (largest TCP payload); mismatches cause fragmentation and throughput penalties.

How to Read Typical Packet Metrics

  • Count: Total number of anomalies or events in the selected window.
  • Heatmap of Anomalies by Day: Calendar-style density view for spotting recurring hotspots by date/hour.
  • Top Anomaly Reasons: Ranked breakdown (e.g., Port Scan, UDP Burst, Auth Failures) to prioritize response.
  • Packet Volume Over Time: Time-series of packets; spikes can indicate scans, floods or workload surges.
  • UDPv4 / TCP_DATAv4 / TCP_CONNECTv4: Example protocol/event classes commonly tracked; values like 468 / 211 / 50 indicate counts within the time range.