Certain network communication systems utilize network packets for network communications. When packets pass through a network device, such as a firewall device, there is a possibility that some packets will be blocked or added by the device, while other packets will be modified by the network device prior to being passed along as egress packets to other network devices. For example, NAT (network address translation), PAT (port address translation), TTL (time-to-live), tunneling, and/or other protocols applied by the network device can cause modifications to ingress packets prior to their being transmitted along as egress packets by the network device.
To assist in troubleshooting, it is desirable to determine which packets are being removed or modified by a network device and to determine if new packets are being generated by the device itself. Typically, this difference determination is accomplished by storing all packets entering a network device, storing all packets leaving a network device, and conducting a post-processing manual or automated comparison of all stored packets. While this technique can be used to determine removed, modified, or added packets, this post-processing technique is cumbersome, time consuming, and provides no real time information concerning the operations of the network device.