Evaluating devices that use packet analysis

Packet analysis and packet sniffing are used by many devices on the network, including routers, switches, and firewall appliances. As data flows across the network, it passes through various network devices, which interpret the packet's raw bits and examine the field values in each packet to decide on what action should be taken.

A router captures the traffic and examines the IP header to determine where to send the traffic, as part of the routing process. An IDS captures the traffic, examines its contents, and alerts the network administrator to any unusual or suspicious behavior.

A firewall monitors all traffic and drops any packets that are not in line with its Access Control List (ACL): when data passes through the firewall, the device examines the traffic and determines whether to allow or deny each packet according to the ACL. For example, consider an ACL with the following entries:

  • Allow outbound SYN packets. The destination port is 80.
  • Allow inbound SYN-ACK packets. The source port is 80.

As shown in the following diagram, Firewall with an ACL, in order to decide whether to allow or deny a packet, the firewall must evaluate the packet header and check which TCP flags are set and which port numbers are in use. If the packet does not match any ACL entry, the firewall drops the packet:

Firewall with an ACL
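As an added example (not code from the book), the following Python decodes the port numbers and TCP flags from a raw IPv4/TCP header and evaluates them against exactly the two ACL entries above, dropping anything that matches neither. The direction of a packet is assumed to be known from the interface it arrived on; the sample packets are constructed in the block.

```python
import struct
from dataclasses import dataclass
from typing import Optional
TCP_SYN = 0x02
TCP_ACK = 0x10

@dataclass(frozen=True)
class AclEntry:
    direction: str            # "outbound" or "inbound" (assumed known from the interface)
    flags: int                # required state of the SYN and ACK bits
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]
# The two ACL entries from the text; anything not matched is dropped (default deny).
ACL = [
    AclEntry("outbound", TCP_SYN, None, 80),            # outbound SYN, destination port 80
    AclEntry("inbound", TCP_SYN | TCP_ACK, 80, None),   # inbound SYN-ACK, source port 80
]

def parse_ipv4_tcp(packet: bytes):
    """Pull (src_port, dst_port, flags) out of a raw IPv4+TCP packet; None if not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                   # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]                       # TCP flag byte follows the data-offset byte
    return src_port, dst_port, flags

def evaluate(packet: bytes, direction: str) -> str:
    # Return "allow" if some ACL entry matches the packet header, otherwise "drop".
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return "drop"
    src_port, dst_port, flags = parsed
    for entry in ACL:
        if entry.direction != direction:
            continue
        if flags & (TCP_SYN | TCP_ACK) != entry.flags:
            continue
        if entry.src_port is not None and src_port != entry.src_port:
            continue
        if entry.dst_port is not None and dst_port != entry.dst_port:
            continue
        return "allow"
    return "drop"

def build_packet(src_port: int, dst_port: int, flags: int) -> bytes:
    # Constructed sample: minimal IPv4 header (no options) followed by a 20-byte TCP header.
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0) + bytes(8)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp
```

Because the ACL is stateless, an outbound ACK-only segment to port 80 is dropped even though it belongs to a connection the first entry permitted; a stateful firewall would track the handshake instead.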

It's important to note that a packet sniffer sniffs traffic but doesn't modify the contents in any way. It simply gathers the traffic for analysis as it travels across the network.

As we can see, packet sniffing and analysis have long been essential elements of network management. The first step in analysis is capturing traffic, which we will explore in the next section.
