Handbook of Computer Crime Investigation: Forensic Tools and Technology

Network Traffic

Capturing network traffic is comparable to videotaping a crime: it is live, complete, and compelling. Replaying an individual's keystrokes as recorded in a datagram log can give an otherwise intangible sequence of events a very tangible feel. In harassment/stalking cases that involve direct connections or unauthorized access to the victim's computer (e.g. ICQ, AOL IM, Trojan horse programs), one approach to gathering evidence is to record all traffic to and from the victim's machine. In addition to capturing the full communication stream, this approach is not detectable by the intruder. Of course, it is advisable to collect evidence from multiple independent sources, so netstat should still be used on the victim's computer along with any other means available.

When investigating computer intrusions, it may be fruitful to install a sniffer, provided the intruder returns to the crime scene. However, this does not shed light on the history of the intrusion. Amusingly, intruders sometimes catch themselves with their own sniffers, effectively videotaping themselves committing a crime and providing investigators with a valuable source of evidence.

There are many programs that can be used to monitor network traffic, commonly referred to as network sniffers. [49] The raw data that these network sniffers capture are analogous to the sector-by-sector copies that forensic software applications make of disks: in both cases a snapshot of the data is obtained. Sniffers can also decode datagrams and display them in an easy-to-read format. For instance, Etherpeek (www.etherpeek.com) provides several views...
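As an added illustration (not from the handbook or any sniffer product it names) of the two layers the paragraph describes, the raw capture and its decoded view: a minimal classic libpcap reader that hashes the capture file as acquired and decodes the Ethernet/IPv4/TCP headers and payload of each record. The capture bytes, addresses, ports and typed text are constructed inside the script, not taken from a real case.

```python
import hashlib
import struct

def decode_frame(frame, ts):
    """Decode Ethernet/IPv4/TCP headers from one captured frame into a dict."""
    pkt = {"ts": ts, "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != 0x0800:          # only IPv4 is decoded here
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    pkt["src"] = ".".join(map(str, ip[12:16]))
    pkt["dst"] = ".".join(map(str, ip[16:20]))
    pkt["proto"] = ip[9]
    if ip[9] == 6:                          # TCP: pull ports and the payload
        tcp = ip[ihl:]
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
        pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]
    return pkt

def parse_pcap(data):
    """Return (sha256 of the capture file, list of decoded packets)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    packets, offset = [], 24                # skip the 24-byte global header
    while offset + 16 <= len(data):         # each record: 16-byte header + frame
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        packets.append(decode_frame(frame, ts_sec + ts_usec / 1e6))
        offset += 16 + incl_len
    return hashlib.sha256(data).hexdigest(), packets

def build_sample_pcap():
    """Constructed sample (not a real capture): one TCP segment carrying typed text."""
    payload = b"echo test\r\n"
    tcp = struct.pack("!HHIIBBHHH", 4455, 23, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 20])) + tcp
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    record = struct.pack("<IIII", 1_000_000_000, 0, len(eth), len(eth)) + eth
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + record

if __name__ == "__main__":
    digest, packets = parse_pcap(build_sample_pcap())
    print("capture sha256:", digest)
    for p in packets:
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["payload"])
```

Recording the digest at acquisition time, before any decoding tool touches the file, is what lets the decoded view later be tied back to the raw snapshot.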
