At first glance, the ability to log packet data may seem like just another bell or whistle. However, as more IDSes are deployed, their use in criminal prosecution will increase. And while there are many complications surrounding the admissibility of electronic log data as evidence in U.S. courts, IDSes that don't perform packet logging won't help much when it comes to prosecution.

Packet dumps are also useful for reconstructing attack sessions. By reassembling sessions, you can sometimes determine how far an intruder got or trace the path of his or her movements.

Packet data helps in the investigation of false positives as well. Poorly written signatures, or signatures that are just too general, will often alert on benign traffic. By looking at the packets that cause the alert, IDS admins can take several actions to fix the problem. First, they can contact the vendor and explain what kind of packets are falsing; sometimes the vendor will provide an updated signature. Second, with some products -- Dragon and Snort, for example -- signatures can be updated by hand to make them more specific. Finally, in some cases administrators might simply want to disable the signature if most of the alerts aren't useful.