Dataset consumer workflow

From generated PCAP to explainable detection review.

NetMetria-X datasets are meant to be inspected, tested, and explained. The PCAP is the packet evidence. The manifest, summary, and timeline provide the context needed to understand what the evidence represents.

Bundle contents

What reviewers receive

Dataset bundle

A bundle is organized so packet evidence and interpretation context travel together. The exact optional observation outputs depend on the scenario configuration.

dataset_bundle/
  ground_truth.pcap       # complete generated packet evidence
  manifest.db             # authoritative ground truth
  summary.json            # compact dataset inventory
  timeline.json           # ordered scenario and packet context
  README.md               # handoff notes
  observed/               # optional sensor-visible PCAPs
  observation/            # optional observation metadata

Review sequence

A practical workflow for detection engineers

01. Read the summary. Confirm technique scope, packet count, scenario name, and high-level dataset inventory before opening the PCAP.
02. Review the timeline. Understand the ordered scenario context so packet analysis is tied to declared evidence instead of timestamp guessing.
03. Inspect the PCAP. Use Wireshark, tshark, tcpdump, Zeek, Suricata, Snort, NDR tooling, SIEM pipelines, or custom workflows.
04. Compare detections. Check generated alerts, parser output, enrichment, dashboards, or analyst notes against the known scenario evidence.
05. Trace context. Use manifest context to explain packet, flow, technique, actor, and scenario relationships without inventing meaning.
06. Provide feedback. Evaluate realism, usefulness, labeling clarity, workflow fit, and missing evidence types for future Community refinement.
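The following script is an added example of steps 01, 02, 04 and 05 of that sequence, written for this page rather than taken from NetMetria-X itself. It builds a small constructed bundle (summary.json and timeline.json only; manifest.db is not modelled), checks that the timeline's declared techniques fall within the summary's scope, and then matches a detector's alerts against the timeline steps that should have fired. Every field name it uses (scenario, techniques, step, t_offset_s, technique, expect_alert, rule) is an assumption about the bundle format, not the project's documented schema, and the alerts are constructed sample output, not real Suricata or Zeek records.

```python
"""Compare detector output against the declared evidence in a NetMetria-X
style bundle.  Added example for this page; the summary.json and timeline.json
field names used here are assumptions, not the project's documented schema."""
import json
import os
import tempfile

# Constructed sample bundle content (field names assumed for illustration).
SAMPLE_SUMMARY = {
    "scenario": "lateral-movement-smb-demo",   # constructed scenario name
    "packet_count": 412,
    "techniques": ["T1021.002", "T1046"],
}
SAMPLE_TIMELINE = [
    # t_offset_s: seconds from the first packet; expect_alert: should a detector fire?
    {"step": 1, "t_offset_s": 0.0,  "technique": "T1046",     "label": "port sweep",    "expect_alert": True},
    {"step": 2, "t_offset_s": 12.5, "technique": "T1021.002", "label": "admin share",   "expect_alert": True},
    {"step": 3, "t_offset_s": 30.0, "technique": None,        "label": "benign backup", "expect_alert": False},
]


def write_sample_bundle(root):
    """Write the constructed summary and timeline into root so the review runs offline."""
    with open(os.path.join(root, "summary.json"), "w") as fh:
        json.dump(SAMPLE_SUMMARY, fh)
    with open(os.path.join(root, "timeline.json"), "w") as fh:
        json.dump(SAMPLE_TIMELINE, fh)
    return root


def load_bundle(root):
    """Steps 01-02: read summary and timeline, and check the timeline's techniques
    are within the scope the summary declares before any packets are opened."""
    with open(os.path.join(root, "summary.json")) as fh:
        summary = json.load(fh)
    with open(os.path.join(root, "timeline.json")) as fh:
        timeline = json.load(fh)
    declared = {e["technique"] for e in timeline if e["technique"]}
    out_of_scope = declared - set(summary["techniques"])
    if out_of_scope:
        raise ValueError(f"timeline techniques not in summary: {sorted(out_of_scope)}")
    return summary, timeline


def compare_detections(timeline, alerts, window_s=5.0):
    """Steps 04-05: match each alert to a timeline step by technique and a time
    window.  alerts: list of {"t_offset_s", "technique", "rule"} reduced from a
    detector's output.  Returns matched steps, missed steps, unmatched alerts
    and a coverage ratio over the steps that expected an alert."""
    matched, missed, used = [], [], set()
    for event in timeline:
        if not event["expect_alert"]:
            continue
        hit = None
        for i, alert in enumerate(alerts):
            if i in used:
                continue
            same_technique = alert["technique"] == event["technique"]
            in_window = abs(alert["t_offset_s"] - event["t_offset_s"]) <= window_s
            if same_technique and in_window:
                hit = i
                break
        if hit is None:
            missed.append(event["step"])
        else:
            used.add(hit)
            matched.append((event["step"], alerts[hit]["rule"]))
    unexpected = [a["rule"] for i, a in enumerate(alerts) if i not in used]
    expected = sum(1 for e in timeline if e["expect_alert"])
    return {"matched": matched, "missed": missed, "unexpected": unexpected,
            "coverage": len(matched) / expected if expected else 1.0}


def review_bundle(root, alerts):
    summary, timeline = load_bundle(root)
    result = compare_detections(timeline, alerts)
    result["scenario"] = summary["scenario"]
    return result


# Constructed detector output: one alert inside the port-sweep window, and one
# SMB alert 18.5 s after the admin-share step, i.e. outside the 5 s window.
SAMPLE_ALERTS = [
    {"t_offset_s": 1.2,  "technique": "T1046",     "rule": "ET SCAN example"},
    {"t_offset_s": 31.0, "technique": "T1021.002", "rule": "SMB admin share access"},
]


def run_sample_review():
    """Run the whole workflow against the constructed bundle and return the review."""
    root = write_sample_bundle(tempfile.mkdtemp())
    return review_bundle(root, SAMPLE_ALERTS)


if __name__ == "__main__":
    print(json.dumps(run_sample_review(), indent=2))
```

The point of the time window is step 05's "without inventing meaning": an alert with the right technique but the wrong timing is reported as unexpected rather than credited to the nearest step, so the review shows both the missed step and the stray alert instead of hiding them behind a single coverage number.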

Best use

Use NetMetria-X when known answers matter

Production captures remain valuable for understanding real networks. NetMetria-X serves a different purpose: controlled, repeatable, labeled packet evidence for validation and training.

Use the generated bundle to test whether a rule fires, whether a parser extracts what it should, whether an analyst can follow the evidence, and whether the dataset explanation is clear enough for repeatable review.

The important distinction is simple: the PCAP shows generated network evidence for a declared scenario. The supporting context explains why that evidence exists.

Early review

Evaluate the workflow against your detection process

Reviewer feedback should focus on whether the packet evidence, context, and workflow are useful for real validation work.