Packet analysis can be done on an individual host. If the protocol analyzer is sniffing traffic on a switch, then the view of network traffic is limited as each switchport has its own collision domain. Therefore, on a switch on a specific port, you will only see broadcasts, multicast, and your own Unicast traffic.

To see all traffic on a switch, the network administrator can use port monitoring or SPAN (short for Switched Port Analyzer). Another option is to use a full-duplex tap in line with traffic. The tap makes a copy or mirror of the traffic, which is pulled into the device for analysis. If this option is used, then you may need a special adapter. In some cases, you may be able to monitor within the switch, as Wireshark is built into the Cisco Nexus 7000 series and many other devices.

In addition to using packet analysis on a LAN or on a host, packet analysis can be used in the real world to monitor traffic for threats.