Network Data Visibility

Understanding Where Your Traffic Data Comes From


Why Data Visibility Matters

As a SOC analyst, you can only detect what you can see. Data visibility refers to your ability to observe network traffic and extract meaningful information for security analysis.

The Visibility Challenge

  • Modern networks are fast and complex — you can't manually watch everything
  • Attackers exploit blind spots — places where you have no visibility
  • Different collection methods provide different levels of detail
  • Strategic sensor placement is critical for effective monitoring

Two Types of Network Data

Full Packet Capture (PCAP)

Complete copy of all traffic — headers AND payload

Frame 1: 342 bytes on wire
Ethernet II, Src: aa:bb:cc:11:22:33
Internet Protocol, Src: 192.168.1.100
TCP, Src Port: 52431, Dst Port: 443
[Payload: encrypted TLS data...]

Flow Data (NetFlow/IPFIX)

Metadata about connections — headers only, no payload

Flow Record:
SrcIP: 192.168.1.100 DstIP: 10.0.0.50
SrcPort: 52431 DstPort: 443
Protocol: TCP Bytes: 15420
Packets: 24 Duration: 3.2s

Key Tradeoff

  • PCAP: Full detail, but massive storage requirements
  • Flow: Less detail, but feasible to store long-term
  • Most SOCs use both — flow for broad visibility, PCAP for deep dives
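To make the tradeoff concrete, here is an added example (not part of the course) that performs the same reduction a flow exporter does: it takes a handful of constructed packets, as a PCAP sensor would see them, and collapses them into 5-tuple flow records. The libpcap and NetFlow v5 record sizes used for the storage comparison are stated assumptions in the code; the sample traffic is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Size assumptions: libpcap writes a 24-byte file header and a 16-byte record
# header per packet; a NetFlow v5 export carries a 24-byte header followed by
# 48-byte flow records.
PCAP_FILE_HEADER = 24
PCAP_RECORD_HEADER = 16
NETFLOW_V5_HEADER = 24
NETFLOW_V5_RECORD = 48


@dataclass(frozen=True)
class Packet:
    """What a PCAP sensor sees: every header field plus the payload bytes."""
    ts: float        # seconds since the capture started
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int      # bytes on the wire, headers included
    payload: bytes   # application data; ciphertext for TLS, but still captured


FlowKey = Tuple[str, str, int, int, str]


@dataclass
class Flow:
    """What a flow exporter keeps: the 5-tuple plus counters. There is no payload field."""
    key: FlowKey
    packets: int = 0
    bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0

    @property
    def duration(self) -> float:
        return round(self.last_ts - self.first_ts, 3)


# Constructed sample traffic: one TLS session plus one DNS query, 7 packets in total.
SAMPLE_PACKETS: List[Packet] = [
    Packet(0.000, "192.168.1.100", "10.0.0.50", 52431, 443, "TCP", 74, b""),
    Packet(0.012, "10.0.0.50", "192.168.1.100", 443, 52431, "TCP", 74, b""),
    Packet(0.013, "192.168.1.100", "10.0.0.50", 52431, 443, "TCP", 66, b""),
    Packet(0.020, "192.168.1.100", "10.0.0.50", 52431, 443, "TCP", 583, b"\x16\x03\x01"),   # ClientHello (constructed)
    Packet(0.045, "10.0.0.50", "192.168.1.100", 443, 52431, "TCP", 1514, b"\x16\x03\x03"),  # ServerHello (constructed)
    Packet(1.500, "192.168.1.100", "192.168.1.1", 51000, 53, "UDP", 78, b"\x12\x34"),
    Packet(3.200, "192.168.1.100", "10.0.0.50", 52431, 443, "TCP", 66, b""),
]


def aggregate_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Collapse packets into unidirectional flow records keyed on the 5-tuple.

    Counters and timestamps survive; payload bytes are never copied. This is
    the reduction a NetFlow/IPFIX exporter performs on a router or switch.
    """
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(key=key, first_ts=p.ts, last_ts=p.ts)
            flows[key] = flow
        flow.packets += 1
        flow.bytes += p.length
        flow.last_ts = p.ts
    return flows


def storage_bytes(packets: List[Packet]) -> Tuple[int, int]:
    """Return (pcap_bytes, netflow_bytes) needed to retain the same traffic."""
    pcap = PCAP_FILE_HEADER + sum(PCAP_RECORD_HEADER + p.length for p in packets)
    netflow = NETFLOW_V5_HEADER + NETFLOW_V5_RECORD * len(aggregate_flows(packets))
    return pcap, netflow


def payload_search(packets: List[Packet], needle: bytes) -> List[FlowKey]:
    """Content match: only possible on PCAP, since flow records carry no payload.

    Matching the TLS record-type bytes here only shows that the search is
    feasible; on encrypted traffic the application data itself stays opaque.
    """
    return sorted({(p.src, p.dst, p.sport, p.dport, p.proto)
                   for p in packets if needle in p.payload})


def format_flow(flow: Flow) -> str:
    """Render a record in the same layout the course uses for flow data."""
    src, dst, sport, dport, proto = flow.key
    return (f"SrcIP: {src} DstIP: {dst}\nSrcPort: {sport} DstPort: {dport}\n"
            f"Protocol: {proto} Bytes: {flow.bytes}\nPackets: {flow.packets} Duration: {flow.duration}s")


if __name__ == "__main__":
    for flow in aggregate_flows(SAMPLE_PACKETS).values():
        print(format_flow(flow), end="\n\n")
    pcap, nf = storage_bytes(SAMPLE_PACKETS)
    print(f"PCAP: {pcap} bytes, NetFlow v5: {nf} bytes ({pcap / nf:.1f}x smaller)")
```

Even on seven packets the flow export is an order of magnitude smaller, and the gap widens with payload-heavy traffic; the price is that `payload_search` has nothing to run against once the packets are gone, which is why the deep-dive side of the tradeoff still needs PCAP.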

Traffic Collection Methods

There are three primary ways to capture network traffic for analysis. Each has distinct advantages and use cases.

Network TAP Hardware

Test Access Point — physical device that copies traffic

  • Captures 100% of traffic (no drops)
  • Passive — no network impact
  • Fail-safe — link stays up if TAP fails
  • Requires physical installation
  • One TAP per link needed
  • Higher upfront cost

SPAN/Mirror Port Switch Feature

Switched Port Analyzer — switch copies traffic to monitoring port

  • No additional hardware needed
  • Flexible — can mirror multiple ports
  • Easy to reconfigure
  • May drop packets under load
  • Consumes switch resources
  • Can miss some traffic types

NetFlow/IPFIX Protocol

Flow export — router/switch generates flow metadata

  • Scalable to large networks
  • Low storage requirements
  • Long-term retention feasible
  • No packet payload
  • Sampling may miss events
  • Delay in flow export
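Two of the caveats above, SPAN drops under load and sampling that misses events, are easy to quantify before a deployment. The added example below (not from the course) does both: it sums the traffic a SPAN session would copy from full-duplex links onto one monitor port, and it computes how likely 1-in-N packet sampling is to export no record at all for a short flow. The link figures and sampling rate are constructed.

```python
import math
from typing import List, Tuple


def span_oversubscription(mirrored_links: List[Tuple[float, float]],
                          monitor_gbps: float) -> Tuple[float, float]:
    """Return (mirrored_gbps, ratio) for a SPAN session.

    Each mirrored link is (rx_gbps, tx_gbps): a full-duplex port carries
    traffic in both directions at once, and the switch must copy both onto the
    transmit side of the single monitor port. A ratio above 1.0 means the
    monitor port cannot keep up and the switch silently drops mirrored copies.
    """
    mirrored = sum(rx + tx for rx, tx in mirrored_links)
    return round(mirrored, 3), round(mirrored / monitor_gbps, 3)


def p_flow_missed(packets_in_flow: int, sample_rate_n: int) -> float:
    """Probability that 1-in-N packet sampling exports no record for a flow.

    Each packet is selected independently with probability 1/N, so a flow of
    k packets is missed entirely with probability (1 - 1/N) ** k.
    """
    if sample_rate_n < 1:
        raise ValueError("sample rate must be 1:N with N >= 1")
    return (1 - 1 / sample_rate_n) ** packets_in_flow


def packets_needed(sample_rate_n: int, confidence: float) -> int:
    """Smallest flow size (packets) that 1:N sampling catches with the given confidence."""
    if sample_rate_n == 1:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - 1 / sample_rate_n))


if __name__ == "__main__":
    # Constructed: four 1 GbE access links, each ~60% utilised in both
    # directions, mirrored to a single 1 GbE monitor port.
    mirrored, ratio = span_oversubscription([(0.6, 0.6)] * 4, monitor_gbps=1.0)
    print(f"SPAN copies {mirrored} Gbps into a 1 Gbps monitor port: {ratio}x oversubscribed")
    # The 24-packet flow record shown earlier, under a constructed 1:1000 sampling rate.
    print(f"P(24-packet flow missed at 1:1000) = {p_flow_missed(24, 1000):.3f}")
    print(f"Flow size needed for a 95% chance of export at 1:1000: {packets_needed(1000, 0.95)} packets")
```

The doubling from full-duplex links is the detail most often missed when sizing a SPAN session; the sampling numbers show why a sampled NetFlow deployment is fine for bandwidth trending but should not be relied on to notice a short connection.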

When to Use Each Method

Scenario                    Best Method   Why
Critical network segment    TAP           Can't afford to miss any packets
Quick troubleshooting       SPAN          Fast to set up, no hardware needed
Enterprise-wide visibility  NetFlow       Scales across many devices
Malware analysis            TAP + PCAP    Need full payload for analysis
Bandwidth trending          NetFlow       Flow data perfect for statistics

Strategic Sensor Placement

Where you place your sensors determines what you can see. Each location in the network offers a different view of the traffic.

(Interactive diagram: Internet, Firewall, Perimeter, DMZ Switch, Web/Mail, Core Switch, Internal Workstations, Servers.)

Common Placement Strategies

North-South Traffic Monitoring

Focuses on traffic entering and leaving the network (perimeter)

  • TAP or SPAN at network perimeter (before/after firewall)
  • Catches external attacks, C2 traffic, data exfiltration
  • Misses lateral movement between internal systems
  • Best for: Internet-facing threat detection

East-West Traffic Monitoring

Focuses on traffic between internal systems (lateral)

  • Sensors on core switches and between VLANs
  • Catches lateral movement, internal reconnaissance
  • Higher volume — may require sampling
  • Best for: Insider threats, post-compromise detection

Hybrid Approach (Recommended)

Combines perimeter and internal visibility

  • TAP at perimeter for full packet capture of external traffic
  • NetFlow on core switches for internal flow visibility
  • SPAN on critical segments for targeted deep inspection
  • Best for: Comprehensive enterprise security monitoring
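The placement strategies above can be checked against concrete traffic. This added example (not course material) models each sensor as a predicate over a flow: a perimeter TAP sees anything crossing the Internet link, core NetFlow sees traffic routed between VLANs, and a SPAN session sees everything touching one access segment. The address plan, VLAN layout and scenario flows are constructed; it also shows the blind spot the hybrid approach still leaves, two hosts on the same VLAN whose traffic never reaches the core switch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed address plan: RFC 1918 space counts as "internal", everything
# else as the Internet; three VLANs sit behind one core switch.
INTERNAL_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VLANS = {
    "workstations": ipaddress.ip_network("192.168.1.0/24"),
    "servers": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("10.0.99.0/24"),
}


@dataclass(frozen=True)
class Flow:
    name: str   # label for the constructed scenario
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_SPACE)


def vlan_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)


def direction(flow: Flow) -> str:
    """north-south crosses the perimeter; east-west stays inside the network."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "transit"


Sensor = Callable[[Flow], bool]


def perimeter_tap(flow: Flow) -> bool:
    # A TAP on the Internet link copies every packet that crosses the perimeter.
    return direction(flow) == "north-south"


def core_netflow(flow: Flow) -> bool:
    # NetFlow on the core switch sees traffic routed between VLANs. Two hosts on
    # the same VLAN are switched locally at the access layer and never reach it.
    return direction(flow) == "east-west" and vlan_of(flow.src) != vlan_of(flow.dst)


def segment_span(vlan: str) -> Sensor:
    # A SPAN session on one access switch mirrors everything touching that VLAN.
    return lambda flow: vlan in (vlan_of(flow.src), vlan_of(flow.dst))


HYBRID_SENSORS: Dict[str, Sensor] = {"perimeter-tap": perimeter_tap, "core-netflow": core_netflow}
HYBRID_PLUS_SPAN: Dict[str, Sensor] = {**HYBRID_SENSORS, "workstation-span": segment_span("workstations")}

# Constructed scenarios; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS: List[Flow] = [
    Flow("inbound-web", "198.51.100.7", "10.0.99.10", 443),
    Flow("c2-beacon", "192.168.1.100", "203.0.113.10", 443),
    Flow("lateral-smb", "192.168.1.100", "10.0.0.50", 445),
    Flow("same-vlan-scan", "192.168.1.100", "192.168.1.101", 445),
]


def coverage(flows: List[Flow], sensors: Dict[str, Sensor]) -> Dict[str, List[str]]:
    """Map each flow to the sensors that would observe it."""
    return {f.name: [name for name, sees in sensors.items() if sees(f)] for f in flows}


def blind_spots(flows: List[Flow], sensors: Dict[str, Sensor]) -> List[str]:
    """Flows that no sensor in the deployment would record."""
    return [name for name, seen_by in coverage(flows, sensors).items() if not seen_by]


if __name__ == "__main__":
    for label, sensors in (("hybrid", HYBRID_SENSORS), ("hybrid + SPAN", HYBRID_PLUS_SPAN)):
        print(label, coverage(SAMPLE_FLOWS, sensors), "blind:", blind_spots(SAMPLE_FLOWS, sensors))
```

Running it shows the perimeter TAP catching the beacon and the inbound connection, core NetFlow catching the cross-VLAN SMB session, and the same-VLAN scan invisible to both until a SPAN session is added on that segment, which is exactly the "SPAN on critical segments" leg of the hybrid approach.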

Knowledge Check: Match the Scenario

(Interactive exercise: each scenario is matched to the most appropriate collection method, one of TAP (Hardware), SPAN (Switch), NetFlow or Full PCAP.)