Packet Log Analytics

Introduction

Packet logs provide a wire-level view of network activity. Each record captures source and destination addresses, ports, protocol, timing, size and TCP flags: enough detail to reconstruct conversations, baseline normal traffic, and catch deviations as they happen. Conatix uses deep-learning models to learn those baselines and surface anomalies such as scans, floods, unusual protocol mixes, and lateral movement, without depending on hand-maintained rule sets that break as traffic changes.

You can explore live packet analytics, anomaly trends, and protocol breakdowns in the interactive Grafana packet dashboard.

What We Analyze

  • Packet volumes and burst patterns across time windows.
  • Protocol distribution shifts (e.g., a UDP spike against a steady count of TCP connect and data events).
  • TCP flag irregularities (SYN-only floods, SYN and FIN set together, no flags at all, RST storms) that indicate scans, aborted connections or crafted packets.
  • 5-tuple flow behaviors (source/destination IP/port + protocol) and deviations from per-flow baselines.
  • Latency/throughput outliers, fragmentation, and retransmission indicators.
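The checks listed above, worked through as an added example (this is illustrative code written for this page, not Conatix's detection engine). It assumes a simple one-packet-per-line log format (timestamp, protocol, src ip:port, dst ip:port, '.'-joined TCP flags, payload bytes), builds a constructed sample log of five quiet windows followed by a window containing a SYN scan, a UDP burst and two crafted-flag packets, and then runs three checks: illegal flag combinations, half-open flows per source (port scan), and the last window's UDP count against the mean and standard deviation of the earlier windows (burst). It also tallies the per-packet event classes (UDPv4, TCP_DATAv4, TCP_CONNECTv4); those class definitions are assumptions, since the page only names the classes.

```python
"""Flow and flag checks over packet log lines.

Added example, not Conatix code. The log format is an assumption:
  <epoch_seconds> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <flags> <payload_bytes>
where <flags> is a '.'-joined TCP flag list, or '-' when no flags are set (also used for non-TCP).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 10.0        # seconds per time bucket
SCAN_PORTS = 20      # distinct half-open target ports from one source => Port Scan
BURST_SIGMAS = 3.0   # UDP count above baseline mean + 3 sigma => UDP Burst
# Flag sets no legitimate TCP stack emits: NULL, SYN+FIN, Xmas.
BAD_FLAG_SETS = (frozenset(), frozenset({"SYN", "FIN"}), frozenset({"FIN", "PSH", "URG"}))


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset
    payload: int


def parse_line(line):
    ts, proto, src, dst, flags, payload = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    flag_set = frozenset() if flags == "-" else frozenset(flags.split("."))
    return Packet(float(ts), proto, src_ip, int(src_port), dst_ip, int(dst_port), flag_set, int(payload))


def classify(pkt):
    """Event class per packet (assumed definitions: connect = bare SYN, data = TCP with payload)."""
    if pkt.proto == "UDP":
        return "UDPv4"
    if pkt.proto == "TCP" and pkt.flags == {"SYN"}:
        return "TCP_CONNECTv4"
    if pkt.proto == "TCP" and pkt.payload > 0:
        return "TCP_DATAv4"
    return "OTHER"


def analyze(lines):
    pkts = [parse_line(line) for line in lines]
    anomalies = []

    # 1. Flag irregularities: per-packet, no state needed.
    for p in pkts:
        if p.proto == "TCP" and p.flags in BAD_FLAG_SETS:
            anomalies.append(("Bad TCP Flags", f"{p.src_ip} -> {p.dst_ip}:{p.dst_port} flags={sorted(p.flags) or 'NULL'}"))

    # 2. Port scan: union the flags each source sent per (dst, dport); a flow that saw a SYN
    #    but never an ACK from that source never completed a handshake (SYN-only or SYN then RST).
    sent_flags = defaultdict(set)
    for p in pkts:
        if p.proto == "TCP":
            sent_flags[(p.src_ip, p.dst_ip, p.dst_port)].update(p.flags)
    half_open = Counter(src for (src, _, _), fl in sent_flags.items() if "SYN" in fl and "ACK" not in fl)
    for src, n in half_open.items():
        if n >= SCAN_PORTS:
            anomalies.append(("Port Scan", f"{src} half-open to {n} target ports"))

    # 3. UDP burst: compare the newest window with the baseline formed by all earlier windows.
    udp_per_win = Counter(int(p.ts // WINDOW) for p in pkts if p.proto == "UDP")
    wins = sorted({int(p.ts // WINDOW) for p in pkts})
    if len(wins) >= 3:
        base = [udp_per_win[w] for w in wins[:-1]]
        spread = pstdev(base) or 1.0   # flat baseline: do not let the tolerance collapse to zero
        last = udp_per_win[wins[-1]]
        if last > mean(base) + BURST_SIGMAS * spread:
            anomalies.append(("UDP Burst", f"window {wins[-1]}: {last} UDP packets vs baseline {mean(base):.1f}"))

    return {"classes": Counter(classify(p) for p in pkts),
            "anomalies": anomalies,
            "top_reasons": Counter(reason for reason, _ in anomalies)}


def build_sample_log():
    """Constructed sample: six 10 s windows of DNS + two HTTPS sessions each; window 5 adds a scan and a burst."""
    lines = []
    for w, n_dns in enumerate((8, 10, 9, 11, 8, 9)):
        t0 = w * WINDOW
        for i in range(n_dns):
            lines.append(f"{t0 + i * 0.5:.1f} UDP 10.0.0.{10 + i % 2}:{40000 + i} 10.0.0.53:53 - 64")
        for c, client in enumerate(("10.0.0.10", "10.0.0.11")):
            t, sport, srv = t0 + 5 + c, 50000 + w * 2 + c, "198.51.100.5:443"
            for dt, src, dst, flags, size in ((0.0, f"{client}:{sport}", srv, "SYN", 0),
                                              (0.1, srv, f"{client}:{sport}", "SYN.ACK", 0),
                                              (0.2, f"{client}:{sport}", srv, "ACK", 0),
                                              (0.3, f"{client}:{sport}", srv, "PSH.ACK", 512),
                                              (0.4, srv, f"{client}:{sport}", "PSH.ACK", 1024),
                                              (0.5, f"{client}:{sport}", srv, "FIN.ACK", 0),
                                              (0.6, srv, f"{client}:{sport}", "FIN.ACK", 0)):
                lines.append(f"{t + dt:.1f} TCP {src} {dst} {flags} {size}")
    t0, scanner, target = 5 * WINDOW, "203.0.113.9", "198.51.100.5"
    for port in range(1, 26):                           # SYN scan of 25 ports; only 22 answers SYN.ACK
        t = t0 + 7 + port * 0.05
        lines.append(f"{t:.2f} TCP {scanner}:{60000 + port} {target}:{port} SYN 0")
        if port == 22:
            lines.append(f"{t + 0.01:.2f} TCP {target}:{port} {scanner}:{60000 + port} SYN.ACK 0")
            lines.append(f"{t + 0.02:.2f} TCP {scanner}:{60000 + port} {target}:{port} RST 0")
        else:
            lines.append(f"{t + 0.01:.2f} TCP {target}:{port} {scanner}:{60000 + port} RST.ACK 0")
    for i in range(40):                                 # UDP burst toward the same target
        lines.append(f"{t0 + 8 + i * 0.02:.2f} UDP {scanner}:{61000 + i} {target}:53 - 512")
    lines.append(f"{t0 + 9.0:.1f} TCP {scanner}:60999 {target}:443 FIN.PSH.URG 0")   # Xmas probe
    lines.append(f"{t0 + 9.1:.1f} TCP {scanner}:60998 {target}:443 - 0")             # NULL probe
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print(dict(result["classes"]))
    for reason, detail in result["anomalies"]:
        print(f"{reason}: {detail}")
```

Two design points worth carrying into real detectors: the scan check keys on what the source sent (SYN without a later ACK), so it catches both a silent SYN-only probe and the SYN-then-RST pattern that half-open scanners use, and the burst check keeps a floor on the baseline spread so that a perfectly flat quiet period does not turn a one-packet increase into an alert.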

Common Terms (Quick Reference)

  • Packet: The unit of data handled at the network layer (an IP datagram); analyzed individually to detect fine-grained anomalies.
  • Flow (5-tuple): Grouping of packets by src IP, dst IP, src port, dst port, protocol; the core unit for behavior tracking.
  • Protocol: Communication rules (e.g., TCP, UDP, ICMP). Different protocols imply different risks and performance traits.
  • TCP Flags: Bits that describe connection state (SYN, ACK, RST, FIN); combinations that never occur in a legitimate handshake (SYN with FIN, no flags at all) or occur at abnormal rates (SYN-only floods) are strong scan and evasion signals.
  • Throughput: Effective data delivered per unit time; drops often indicate congestion or faults.
  • Latency: Time for a packet to traverse the path; persistent spikes may reflect routing or capacity issues.
  • Ports: Logical endpoints (e.g., 53/DNS, 443/HTTPS); unexpected open or active ports are a common indicator of new services, misconfiguration or compromise.
  • TTL: Time-to-Live is a hop counter decremented by each router and discarded at zero, which keeps packets from looping forever; a TTL that differs from a host's usual path can hint at spoofing or an atypical route.
  • MTU/MSS: MTU is the largest packet a link carries; MSS is the largest TCP payload a peer will accept. Mismatches cause fragmentation (or silently dropped packets when fragmentation is forbidden) and throughput penalties.

How to Read Typical Packet Metrics

  • Count: Total number of anomalies or events in the selected window.
  • Heatmap of Anomalies by Day: Calendar-style density view for spotting recurring hotspots by date/hour.
  • Top Anomaly Reasons: Ranked breakdown (e.g., Port Scan, UDP Burst, Auth Failures) to prioritize response.
  • Packet Volume Over Time: Time-series of packets; spikes can indicate scans, floods or workload surges.
  • UDPv4 / TCP_DATAv4 / TCP_CONNECTv4: Example event classes commonly tracked (IPv4 UDP packets, TCP packets carrying payload, and TCP connection setups); figures such as 468 / 211 / 50 are the counts of each class within the selected time range.