The next four chapters explore using TCPdump to analyze network traffic. TCPdump provides some wonderful benefits when used with a signature-based NIDS in a network. Most often, when signature-based NIDS detect some kind of anomalous activity, it is due to a pre-defined signature discovering a malicious packet. Typically, the NIDS will alert on the activity and perhaps capture the single packet that it perceives to contain an event of interest.

There are several problems with this method. First, as anyone who has ever used a NIDS knows, these systems are prone to generating alerts when there really is no ...