
One more.
From an analysis of [Sampling Packet data], you can collect [Selected Raw Packet Data] by IP flow control.
Then do an analysis of the [Selected Raw Packet Data].
ex) If you found a packet [destination port 22 to unknown destination IP address], you would want to check all packets from the [unknown IP address] that my IP connected to over SSH (port 22).
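The two-step workflow above, as an added example that is not part of the original post: scan sampled flow records for port 22 traffic to destinations outside a known list, then build a capture filter that selects all raw packets for those addresses. The sample records, the `KNOWN_SSH_DESTS` list and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample: sampled flow records (src, dst, dst_port), as a flow
# sampler might summarise them. Not data from the original post.
SAMPLED = [
    ("10.0.0.5", "10.0.0.9", 22),
    ("10.0.0.5", "203.0.113.77", 22),
    ("10.0.0.6", "198.51.100.10", 443),
    ("10.0.0.7", "203.0.113.77", 22),
    ("10.0.0.5", "192.0.2.44", 22),
]

# Assumption: destinations SSH is expected to reach (internal range plus one
# known bastion). Anything else on port 22 counts as "unknown".
KNOWN_SSH_DESTS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.44/32")]

def is_known(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SSH_DESTS)

def unknown_ssh_destinations(flows, port=22):
    """Step 1: map each unknown destination seen on `port` to the local
    hosts that contacted it."""
    hits = {}
    for src, dst, dport in flows:
        if dport == port and not is_known(dst):
            hits.setdefault(dst, set()).add(src)
    return hits

def capture_filter(hits):
    """Step 2: build a BPF expression (tcpdump syntax) selecting every
    packet to or from the unknown addresses, not only port 22."""
    return " or ".join(f"host {ip}" for ip in sorted(hits))

if __name__ == "__main__":
    hits = unknown_ssh_destinations(SAMPLED)
    for ip, srcs in sorted(hits.items()):
        print(ip, "contacted by", sorted(srcs))
    print("filter:", capture_filter(hits))
```

The resulting expression can be passed to a full-packet capture tool so that only the selected traffic is recorded for the second analysis pass.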