The trick is to do packet capturing prior to the need for forensics. Most people want to find out what happened to their systems after the fact, but they didn't do any logging or any other type of tracking. Packet capturing can take a lot of resources such as storage space, but can be invaluable when combined with syslog, IDS alerts, ACL logs, etc.
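As an added illustration of the point above (example code, not from the original post), the helper below takes an IDS or syslog alert timestamp and picks out which files of a pre-existing ring-buffer packet capture cover the minutes around it. It assumes a capturer that rotates into fixed-interval files whose names encode the start time (for example `tcpdump -G 600 -w 'cap-%Y%m%d-%H%M%S.pcap'`); the file names and alert time are constructed.

```python
"""Locate the rotated capture files that cover an alert's time window.

Assumptions (not from the original post): a ring-buffer capturer writes
one file per fixed rotation interval and encodes each file's start time
in its name. Sample file names and the alert time are constructed.
"""
import re
from datetime import datetime, timedelta

ROTATION = timedelta(seconds=600)  # assumed rotation interval (tcpdump -G 600)
NAME_RE = re.compile(r"^cap-(\d{8}-\d{6})\.pcap$")


def parse_start(name):
    """Return the capture start time encoded in a file name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")


def files_for_window(names, start, end, rotation=ROTATION):
    """Return files whose span [file_start, file_start + rotation) overlaps [start, end]."""
    hits = []
    for name in names:
        fstart = parse_start(name)
        if fstart is None:
            continue  # ignore anything that is not a rotated capture
        if fstart <= end and fstart + rotation > start:
            hits.append(name)
    return sorted(hits)


def files_for_alert(names, alert_ts, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Given an IDS/syslog alert time, pick the captures covering a window around it."""
    return files_for_window(names, alert_ts - before, alert_ts + after)


# Constructed directory listing from a ring buffer of 10-minute files.
SAMPLE_FILES = [
    "cap-20240301-120000.pcap",
    "cap-20240301-121000.pcap",
    "cap-20240301-122000.pcap",
    "cap-20240301-123000.pcap",
    "notes.txt",
]

if __name__ == "__main__":
    alert = datetime(2024, 3, 1, 12, 19, 30)  # constructed alert timestamp
    print(files_for_alert(SAMPLE_FILES, alert))
```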