
distracted_boy | 1 year ago

I mean, it depends on what you are looking for. If you are afraid that someone is exfiltrating large amounts of data to unknown destinations, then looking at the amount of data being transferred is a good idea. But if someone hacks your phone or computer and the attacker is only looking for a PDF document, then the total size of the transfer will probably not help you. In this case, you want to monitor all destinations to make sure they are not malicious. But if you are really paranoid, you need to be able to view all HTTPS traffic so you can verify that certain documents are not being exfiltrated.

In addition to the above, there are lots of tricks for identifying certain traffic based on the attributes and metadata of the connection.
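The trade-off described in the comment above, as an added example that is not part of the original post: a volume threshold and a destination allowlist are run over the same flow records, and the single small upload is only reported by the destination check. The flow records, host names, allowlist and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (source host, destination, bytes sent)
FLOWS = [
    ("laptop-1", "backup.corp.example", 4_000_000_000),
    ("laptop-1", "files.unknown.example", 350_000),      # one PDF-sized upload
    ("laptop-2", "cdn.unknown.example", 2_000_000_000),  # bulk transfer split
    ("laptop-2", "cdn.unknown.example", 2_000_000_000),  # across several flows
    ("laptop-2", "cdn.unknown.example", 2_000_000_000),
    ("laptop-2", "mail.corp.example", 1_200_000),
]
KNOWN_DESTINATIONS = {"backup.corp.example", "mail.corp.example"}  # assumed allowlist
VOLUME_THRESHOLD = 5_000_000_000  # assumed alert threshold, bytes per host/destination pair


def bytes_per_pair(flows):
    """Sum outbound bytes for each (source, destination) pair."""
    totals = defaultdict(int)
    for src, dst, sent in flows:
        totals[(src, dst)] += sent
    return dict(totals)


def volume_alerts(flows, known, threshold):
    """Pairs sending more than `threshold` bytes to a destination not in `known`."""
    return sorted(pair for pair, total in bytes_per_pair(flows).items()
                  if pair[1] not in known and total > threshold)


def destination_alerts(flows, known):
    """Every pair whose destination is not in `known`, regardless of size."""
    return sorted({(src, dst) for src, dst, _ in flows if dst not in known})


def missed_by_volume(flows, known, threshold):
    """Unknown-destination pairs that the volume check alone never reports."""
    flagged = set(volume_alerts(flows, known, threshold))
    return [p for p in destination_alerts(flows, known) if p not in flagged]


if __name__ == "__main__":
    print("volume:", volume_alerts(FLOWS, KNOWN_DESTINATIONS, VOLUME_THRESHOLD))
    print("destination:", destination_alerts(FLOWS, KNOWN_DESTINATIONS))
    print("missed by volume:", missed_by_volume(FLOWS, KNOWN_DESTINATIONS, VOLUME_THRESHOLD))
```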
