Although primarily a mainstay as a diagnostic tool for network administrators, network monitors and protocol analyzers can be tremendously useful to the incident response team. Such tools should be standard issue for every incident response team. Their primary uses for incident response is their ability to dig deep into the network datagrams for low-level attack analysis and their ability to store network data to disk for further analysis. In short, these tools are like microscopes that reveal the inner contents of the data you’re dealing with on an incident.

The one common and vital requirement for the network monitors, protocol analyzers, and the network-based intrusion detection systems discussed later is that they must perform their tasks silently and invisibly. We frequently refer to this as blackening the network monitor. A properly-configured network monitor should be completely invisible on a target network. In other words, an intruder should never be able to discover that he is being monitored. There are numerous ways of accomplishing the blackening of the tools, some mechanical and some logical, but any network monitoring device used for incident response should almost certainly be blackened, and the blackening should be thoroughly tested prior to actually using the tool. While there may be exceptions to this rule, they are few and far between.