Metadata is often described as data that describes other data: it summarizes basic facts about a piece of data, such as a file's name or a website address. On a network it is the footprint users leave behind when they connect to servers and services.
Metadata analysis bridges the gap between conventional monitoring tools and raw packet capture. Tools that use SNMP or flow data (such as NetFlow) as their source typically lack the detail you need when troubleshooting a problem or investigating a security incident. Raw packet capture gives an incredible level of detail, but it needs a lot of storage, and most people only turn to it after an event has occurred.
| Protocol | Metadata available |
|---|---|
| SMB (file shares) | File names, folder names and actions |
| SMTP (email) | Sender, recipient, subject, date and time |
| HTTP (web) | URL, URI, browser type (User-Agent), operating system |
| IP with TCP/UDP (network and transport) | Source address, destination address, source port, destination port, bytes transferred |
As an example I captured around 20 seconds of packets going to and from my laptop using Wireshark. The result was a 12.7MB file which is a treasure trove of data if you know what you are looking for.
See below for some of the metadata that was contained within it. Some of it was sensitive, such as the MAC addresses which are unique to my network, so I blacked it out. From the metadata I can see IP addresses, MAC addresses, file names, browser types, website addresses and protocol types.
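To show concretely what "metadata" means at the packet level, here is a small extractor that walks an Ethernet frame through the IPv4 and TCP/UDP headers and, for HTTP, the request line and headers, pulling out exactly the fields listed in the table above (MAC addresses, IP addresses, ports, protocol, URL and browser type) without keeping the payload. This is an added example and not code from the original post or from Wireshark; the two frames it parses are constructed inline (one HTTP GET, one SMB-port connection with a binary payload) rather than taken from the author's 20-second capture, and the `build_packet` helper, field names and sample addresses are my own choices.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_packet(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, proto=PROTO_TCP):
    """Constructed sample frame: Ethernet + IPv4 + TCP/UDP + payload.
    Checksums are left as zero because the extractor only reads headers."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0, src_ip, dst_ip)
    return eth + ip + l4 + payload


def parse_http_request(payload: bytes):
    """Return HTTP request metadata (method, URI, URL, User-Agent) or None if not HTTP."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    out = {"protocol": "HTTP", "method": method, "uri": uri}
    if "host" in headers:
        out["url"] = f"http://{headers['host']}{uri}"
    if "user-agent" in headers:
        out["user_agent"] = headers["user-agent"]   # browser type / OS hints
    return out


def extract_metadata(frame: bytes) -> dict:
    """Layer-by-layer metadata extraction; the payload itself is never stored."""
    md = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    md["src_mac"], md["dst_mac"] = mac_str(src_mac), mac_str(dst_mac)
    if ethertype != ETHERTYPE_IPV4:
        md["protocol"] = f"ethertype 0x{ethertype:04x}"
        return md
    vihl, _, total_len, _, _, _, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    md["src_ip"], md["dst_ip"] = ip_str(src_ip), ip_str(dst_ip)
    l4 = frame[14 + ihl:14 + total_len]
    if proto == PROTO_TCP:
        sport, dport, _, _, offset = struct.unpack("!HHIIB", l4[:13])
        payload = l4[(offset >> 4) * 4:]
        md["protocol"] = "TCP"
    elif proto == PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
        md["protocol"] = "UDP"
    else:
        md["protocol"] = f"ip proto {proto}"
        return md
    md["src_port"], md["dst_port"] = sport, dport
    md["bytes"] = len(payload)                 # volume, not content
    http = parse_http_request(payload)
    if http:
        md.update(http)
    return md


# Constructed sample frames (not real capture data).
LAPTOP_MAC = bytes.fromhex("aabbccddeeff")
GATEWAY_MAC = bytes.fromhex("001122334455")
HTTP_FRAME = build_packet(
    LAPTOP_MAC, GATEWAY_MAC, bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]), 51234, 80,
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n")
SMB_FRAME = build_packet(
    LAPTOP_MAC, GATEWAY_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]), 49152, 445,
    b"\xfeSMB" + b"\x00" * 60)   # SMB2 header magic followed by filler

if __name__ == "__main__":
    for frame in (HTTP_FRAME, SMB_FRAME):
        print(extract_metadata(frame))
```

The SMB frame yields only layer-2 to layer-4 metadata (addresses, port 445, byte count) because this example has no SMB parser; a real metadata tool would add dissectors for SMB, SMTP and the other protocols in the table in exactly the same way, one layer at a time, and discard the payload once the fields are recorded.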