In Chess, everything is laid out in front of you. Nothing is Hidden. The outcome depends solely on your skill. No cards are hidden. You can’t be dealt a bad hand. No dice can give you snake eyes or boxcars.
When looking at Network traffic, Packets give you a chess player's view. It is all there in front of you, whether you are troubleshooting problems or looking for what the bad guy did. That doesn’t make it easy, of course. Your skill and knowledge determine how much you can do, especially against a stronger opponent.
Of course, Encrypted Traffic is different. Then it becomes more like poker. Much of what you would like to know is hidden. As the game goes on, you can get clues about what is hidden, but you cannot know for certain what is there.
To be more precise, looking at encrypted traffic is more like playing stud poker than draw. In the latter, all cards are hidden. In stud, some are dealt face up, so you always know something about the hands on the other side. Network packets always show their headers.
These are the cards you can see. Pulled together into session data, they give you a solid basis for analyzing what is going on.
This makes reading packets an important skill for network administration and an essential skill for network defense.
[Here comes the commercial part.]
For that reason, my favorite security course is Sans Security 503. It also happens to be one of the best courses SANS has put together. That is why I am teaching it in the SANS Mentor format this spring. The course will meet in Rockville, MD, each Wednesday beginning April 13.
In addition to reading packets you will learn about intrusion detection using Snort and Bro. As you might expect from a SANS course, there will be plenty of hands-on work, so you will come out knowing that you can actually do it.
You can find more information about it at https://www.sans.org/mentor/class/sec503-rockville-13apr2016-james-voorhees.
If you are in the DC area, I hope you’ll sign up.