Traffic analysis
== In military intelligence ==
<!--[[File:GenCOM EOB snapshot.GIF|frame|An example of an electronic [[order of battle]] (EOB) geo-spectral analysis, automatically produced by Genesis EW's GenCOM EOB. It shows the geo-locations of different emitters and the connections between them. This illustrates the practical use of COMINT metadata/Traffic Analysis. By intercepting, processing and analyzing electromagnetic emission only, the locations of different army units and the connections between them can be seen, without the need to monitor, translate and process their communications.]] -->
In a military context, traffic analysis is a basic part of [[SIGINT|signals intelligence]], and can be a source of information about the intentions and actions of the target. Representative patterns include:
* Frequent communications – can denote planning
* Rapid, short communications – can denote negotiations
* A lack of communication – can indicate a lack of activity, or completion of a finalized plan
* Frequent communication to specific stations from a central station – can highlight the [[chain of command]]
* Who talks to whom – can indicate which stations are 'in charge' or the 'control station' of a particular network. This further implies something about the personnel associated with each station
* Who talks when – can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
* Who changes from station to station, or medium to medium – can indicate movement, fear of interception

There is a close relationship between traffic analysis and [[cryptanalysis]] (commonly called [[codebreaking]]). [[Callsign]]s and addresses are frequently [[encrypt]]ed, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts.
=== Traffic flow security ===
'''Traffic-flow security''' is the use of measures that conceal the presence and properties of valid messages on a network to prevent traffic analysis. This can be done by operational procedures or by the protection resulting from features inherent in some cryptographic equipment. Techniques used include:
* changing radio [[callsign]]s frequently
* encryption of a message's sending and receiving addresses ('''codress messages''')
* causing the circuit to appear busy at all times or much of the time by sending dummy [[traffic]]
* sending a continuous encrypted [[signal]], whether or not traffic is being transmitted. This is also called '''masking''' or '''link encryption'''.

Traffic-flow security is one aspect of [[communications security]].

=== COMINT metadata analysis ===
{{multiple issues|section=y|{{Tone|section|date=November 2011}} {{Unreferenced section|date=November 2011}}}}
'''Communications' Metadata Intelligence''', or '''COMINT metadata''', is a term in [[communications intelligence]] (COMINT) for the concept of producing intelligence by analyzing only the technical [[metadata]]; it is therefore a practical example of traffic analysis in intelligence.<ref>{{Cite web|date=12 April 2001|title=Dictionary of Military and Associated Terms|url=http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf|url-status=dead|website=Department of Defense|archive-url=https://web.archive.org/web/20091108082044/http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf|archive-date=2009-11-08}}</ref>

Whereas information gathering in COMINT is traditionally derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, metadata intelligence is based not on content but on technical communications data.

Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.
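
The dummy-traffic technique listed under traffic flow security, as an added example that is not part of the original article: it runs the "who talks to whom" and volume counts from the patterns above over a metadata-only log, then shows what an observer sees once every link is padded to a constant rate. The station names, the log and the rates are constructed assumptions.

```python
from collections import Counter, deque
from itertools import permutations

STATIONS = ["A", "B", "C", "D"]   # constructed callsigns
SLOTS = 10                        # constructed observation window

def constructed_log():
    """Constructed metadata-only intercepts: (slot, sender, receiver)."""
    log = [(3, "B", "A")]
    for slot in range(SLOTS):
        burst = 6 if slot in (6, 7) else 1      # busy period before an event
        for i in range(burst):
            log.append((slot, "A", STATIONS[1 + (slot + i) % 3]))
    return log

def sender_counts(log):
    """Frames originated per station ("who talks to whom", sender side)."""
    return dict(Counter(sender for _, sender, _ in log))

def volume_per_slot(log):
    """Total frames seen on the air in each time slot."""
    counts = Counter(slot for slot, _, _ in log)
    return [counts[s] for s in range(SLOTS)]

def pad_links(log, rate):
    """What an observer sees when every directed link carries exactly `rate`
    encrypted frames per slot: real frames first, dummy frames for the rest.
    Real frames above `rate` wait in a per-link queue (the latency cost).
    Returns (observed_log, real_frames_still_queued_at_end)."""
    queues = {link: deque() for link in permutations(STATIONS, 2)}
    observed = []
    for slot in range(SLOTS):
        for s, a, b in log:
            if s == slot:
                queues[(a, b)].append(s)
        for (a, b), q in queues.items():
            for _ in range(rate):
                if q:
                    q.popleft()                 # a real frame leaves the queue
                observed.append((slot, a, b))   # real or dummy: same on the wire
    return observed, sum(len(q) for q in queues.values())

if __name__ == "__main__":
    raw = constructed_log()
    print("unpadded:", sender_counts(raw), volume_per_slot(raw))
    padded, backlog = pad_links(raw, rate=2)
    print("padded:  ", sender_counts(padded), volume_per_slot(padded), backlog)
```

With the rate set below the burst size, the observed pattern stays flat but real frames are delayed, which is the trade-off a constant-rate link makes.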