Without unnecessarily belaboring the point, the events described in this chapter have demonstrated the added value of having TCPdump or Shadow running at a site to capture the background traffic. The first incident of a non-intrusion showed how TCPdump can be invaluable because its purpose is not exclusively to show alerts of events of interest, but to capture all traffic. It can provide an audit trail of activity that occurred, or more descriptively in this case, of activity that did not occur.
In addition, TCPdump was used in the scan incident to assess the reaction of hosts on the monitored network to the scan. Scans can be harmless distractions when there is no response by the scanned hosts, or in this case, they can be a reason for concern. Although most NIDS will inform you of scans, none will automatically alert you of responding hosts.
In the third and final events, TCPdump was used to get very specific information about the fragments or packets in order to make more accurate evaluations of the nature of the attack. You can even begin to do forensic investigation about the type of hosts that are conducting the hostile activity. You will see a more thorough discussion of passive analysis of hostile traffic in the next chapter.