Live capture vs PCAP files

Network Security Monitoring (NSM) involves collecting a variety of information elements by passively observing network traffic. There are essentially two ways to run packet analytics: live capture and reading PCAP files. They may appear to be the same, but there are some crucial differences that stay hidden until you try to read in PCAP files.

Why read in PCAP files

When you have a large PCAP file, say one covering 6 hours of traffic, you have two choices. You can replay the file to an NSM system using a tool like TCPReplay, but that would take 6 hours! If you speed it up or play it at top speed, you lose crucial information about traffic metrics.

If you played it back at its natural rate instead, that is an enormous waste of CPU and time: you could be processing packets at the natural rate of 1MB/s for hours when your powerful CPU can do 800Mbps. This is why we prefer to read PCAP files directly, where presumably we can just let the CPU rip through the file as fast as possible.

Issue 1: The Clock

In live traffic capture, the wall clock is the clock. During low-traffic periods your CPU and memory usage goes down, but the rate at which time passes is fixed.

When you read PCAPs, most tools are clocked on the timestamps present in the PCAP file, not on the wall clock. So it comes down to this rule:

  • A single
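The clock difference above, as an added example that is not part of this page or of any NSM tool: a minimal reader for the classic pcap record format bins bytes on the per-packet timestamps from the file (how a PCAP reader is clocked), while a second function simulates the same file replayed at top speed with the wall clock as the clock. The sample capture is constructed inline (five packets spread over four seconds); the replay rate is an assumed figure.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian on disk


def build_pcap(records):
    """Constructed sample capture. records: (ts_sec, ts_usec, payload_bytes)."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(p), len(p)) + p for sec, usec, p in records
    )
    return header + body


def iter_packets(data):
    """Yield (timestamp_seconds, captured_len) for each record in a classic pcap byte string."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16 + caplen
        yield sec + usec / 1e6, caplen


def rate_by_pcap_clock(data, bin_seconds=1):
    """Bytes per time bin, keyed on the packet timestamps stored in the file."""
    bins = defaultdict(int)
    for ts, n in iter_packets(data):
        bins[int(ts // bin_seconds) * bin_seconds] += n
    return dict(bins)


def rate_by_wall_clock(data, replay_bytes_per_s, bin_seconds=1):
    """Bytes per time bin if the file is replayed at a fixed rate and the observer uses the wall clock.
    Packet spacing then comes from the replay rate, not from the file, so the original timing is lost."""
    bins = defaultdict(int)
    wall = 0.0
    for _ts, n in iter_packets(data):
        bins[int(wall // bin_seconds) * bin_seconds] += n
        wall += n / replay_bytes_per_s
    return dict(bins)


# constructed sample: packets at t = 0.0, 0.5, 1.2, 3.7, 3.9 s with sizes 100..500 bytes
SAMPLE = build_pcap([(0, 0, b"a" * 100), (0, 500000, b"b" * 200), (1, 200000, b"c" * 300),
                     (3, 700000, b"d" * 400), (3, 900000, b"e" * 500)])
```

With the file's own clock the sample yields three non-empty one-second bins (300, 300 and 900 bytes at t=0, 1 and 3); replayed at an assumed 1,000,000 bytes/s against the wall clock, all 1500 bytes land in the first bin and the quiet gap between seconds 1 and 3 disappears.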
articles/livevspcap.1510751128.txt.gz · Last modified: 2017/11/15 18:35 by veera