An official training service of the State of the Kaharagians
SIG 220 Communications Security and Digital Discipline
Lesson 6 of 10 · SIG 220

Traffic Analysis: What the Pattern Reveals

Lesson Overview

Most people think of communications security as keeping the content of a message secret, so that an enemy who intercepts it cannot read it. That is real and important, but it misses a threat that is often more dangerous precisely because it does not need to read anything: traffic analysis, the art of learning from the pattern of communications, who talks to whom, when, how often, and how much, without ever understanding a single word. An enemy who cannot break your messages can still learn an astonishing amount from their pattern alone: your command structure, the location of your headquarters, which station matters most, and, most dangerously, that an operation is about to begin. Lessons 01 to 05 protected the message and the device; this lesson takes the threat that survives all of that, the information leaked by the pattern itself, and the discipline that closes it.

The reason traffic analysis matters so much, and matters more in the digital age, is that the pattern leaks even when the content is perfectly secure. You may use unbreakable encryption, or, on amateur radio where you may not encrypt at all, perfect brevity and authentication, and still give the whole game away by the shape of your traffic: a surge of messages before every operation, one station that everyone calls, a fixed daily routine an enemy can set a watch by. The content was never compromised; the pattern told the story anyway. And in an age where even encrypted digital communications leave a trail of metadata, who contacted whom, when, and how often, traffic analysis has become more powerful, not less. So the operator must learn to see their own traffic as an analyst would, and to deny that analyst the patterns they feed on.

This is the knowledge layer. It teaches you what traffic analysis is, what patterns reveal, why it works even against secure content, and the discipline that defeats it, so that you understand the threat the pattern carries and how to close it. The practised habit of disciplined, pattern-free communication is built by operating on real nets and exercises under qualified supervision and certified in person. Read this to know what the pattern reveals; the habit is built in the doing.

By the end you will be able to explain what traffic analysis is and why it works without breaking content, describe what communication patterns reveal to an analyst, explain why metadata makes the threat worse in the digital age, and apply the discipline that denies an analyst the patterns of life they exploit.

Key Terms

  • Traffic analysis: learning about a force from the pattern of its communications, who, when, how often, how much, rather than from the content of its messages.
  • Pattern of life: the regular, repeating habits of a station, net, or force, the routine an observer can learn and predict, which reveals structure and intentions.
  • Metadata: the data about a communication other than its content, the parties, the time, the frequency, the volume, the duration, which leaks even when the content is secure.
  • Traffic volume: the amount of communication on a net or from a station, whose level and changes reveal importance and imminent activity.
  • Net structure: the picture of who communicates with whom, from which an analyst reconstructs the command and organisational structure of a force.
  • Pre-activity surge: the rise in communications that typically precedes an operation, one of the clearest signals traffic analysis detects.
  • Steady state: a uniform, unchanging pattern of traffic maintained so that no change reveals anything, the chief countermeasure to the pre-activity surge.
  • Dummy traffic: deliberate, meaningless communication added to keep traffic uniform and hide real activity within a constant level.
  • Net uniformity: keeping all stations on a net similar in their traffic and manner, so that no single station stands out as more important.
  • Minimisation: sending as little as possible, so there is less pattern to analyse; the most secure message is the one not sent.

What traffic analysis is, and why it works

Traffic analysis is the extraction of intelligence from the pattern of communications rather than their content, and its power is that it needs no access to what is actually said. An analyst watching a force's communications records who transmits, who they transmit to, at what times, how often, for how long, and how much, and from this metadata alone reconstructs a great deal about the force, all without breaking a single message. This is not a lesser substitute for reading the content; it is a distinct and often sufficient source, and history shows forces giving away decisive information through traffic patterns while their actual messages remained perfectly secure.

The reason it works is that communication is activity, and activity has structure and rhythm that the communication reflects. Who talks to whom mirrors who commands whom and who works with whom; how much a station communicates mirrors how busy and important it is; when communication rises and falls mirrors the tempo of operations. These correspondences mean the pattern of the traffic is a shadow of the organisation and activity behind it, and an analyst reads the organisation and activity off the shadow. The content is the message; the pattern is also a message, an unintended one, broadcast by the mere act and shape of communicating, and it is sent whether or not the content is secure.

This is why traffic analysis is the threat that survives everything the earlier lessons taught. Emission control reduces it but does not eliminate it; authentication and brevity protect the content but not the pattern; encryption, where lawful, hides the words but not the metadata. The pattern leaks through all of these, and defeating it requires its own discipline, aimed not at hiding what is said but at denying the shape of the saying. The operator who has perfectly secured their content and ignored their pattern has locked the door and left the windows open.

What the pattern reveals

It is worth being concrete about what an analyst actually learns from traffic, because seeing it makes the discipline obvious. Several things are read straight off the pattern.

The command and organisational structure, from net structure, who communicates with whom. The station that many others report to is a headquarters; the stations that report to it are its subordinates; the links between stations map the organisation. An analyst who plots who-talks-to-whom over time draws the force's command chart without reading a word, and from that chart knows the shape of the force and where its nerve centres are.

The important stations and people, from traffic volume and centrality. The station that transmits most, or that everyone else calls, is doing the most and matters the most, which marks it as a priority, to watch, to locate, to target, or to imitate. One unmistakable station that always speaks for the commander tells the analyst exactly whose traffic to follow and whom to impersonate, as the authentication lesson warned.

The location of headquarters and key nodes, from the concentration and volume of traffic. Combined with direction-finding (the next lesson), the busiest stations can be physically located. A surge of traffic from one place marks it as important and worth finding.

Imminent activity, from the pre-activity surge, and this is the most dangerous revelation of all. Operations are preceded by communication, orders, coordination, reports, so traffic typically rises before an operation begins. An analyst who sees the traffic of a normally quiet force suddenly climb knows something is about to happen, often before any content could have told them, and sometimes in time to react. The pattern announces the operation that the messages were carefully encrypting.

   WHAT TRAFFIC ANALYSIS READS  (without breaking a single message)

   NET STRUCTURE        who talks to whom -> the COMMAND CHART and
   (who -> whom)        organisation, drawn without a word read
   TRAFFIC VOLUME       who transmits most / is most called -> the
   (how much)           IMPORTANT stations and people (to watch, locate,
                        or impersonate)
   CONCENTRATION        where traffic clusters -> the location of HQ and
                        key nodes (with DF, Lesson 07, physically found)
   THE PRE-ACTIVITY     traffic RISES before an operation -> "something is
   SURGE                about to happen", often before content could tell

   The content was secure. The PATTERN told the story anyway.
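
A self-audit of one's own net, as an added example that is not part of the original lesson: it runs the readings above over a constructed metadata log so the operator can see what the pattern already shows. The station names, the (hour, caller, called) log layout and the surge threshold are assumptions made for illustration.

```python
from collections import Counter
from statistics import median

STATIONS = ("BRAVO", "CHARLIE", "DELTA")  # constructed outstation names

def build_log():
    """Constructed sample: (hour, caller, called) records, no content at all."""
    log = [(h, STATIONS[h % 3], "ALPHA") for h in range(12)]  # routine check-ins
    for h in (9, 10, 11):                 # coordination before the activity
        for s in STATIONS:
            log += [(h, s, "ALPHA"), (h, "ALPHA", s)]
    return log

def links(log):
    """Net structure: the set of station pairs that ever exchange traffic."""
    return {frozenset((a, b)) for _, a, b in log}

def participation(log):
    """Share of all records each station takes part in, as caller or called."""
    seen = Counter()
    for _, a, b in log:
        seen.update({a, b})
    return {s: n / len(log) for s, n in seen.items()}

def surge_hours(log, baseline_hours=6, factor=3):
    """Hours whose volume is at least `factor` times the median of the first hours."""
    per_hour = Counter(h for h, _, _ in log)
    baseline = median(per_hour.get(h, 0) for h in range(baseline_hours))
    return sorted(h for h, n in per_hour.items() if n >= factor * max(baseline, 1))

def audit(log):
    """What the pattern alone shows: structure, the standout station, the surge."""
    share = participation(log)
    standout = max(share, key=share.get)
    return {
        "links": links(log),
        "standout": standout,
        "standout_share": share[standout],
        "surge_hours": surge_hours(log),
    }

if __name__ == "__main__":
    for key, value in audit(build_log()).items():
        print(key, "->", value)
```

On this sample every link runs through one station, that station takes part in every record, and the last three hours stand far above the routine level, which are the findings the steady-state and uniformity measures are meant to remove.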

Metadata and the digital age

Traffic analysis is older than radio, but the digital age has made it far more powerful, because modern communications generate enormous quantities of metadata, the data about a communication other than its content, and metadata is exactly what traffic analysis feeds on. Every digital message, even a perfectly encrypted one, typically reveals who sent it, who received it, when, how often, how large it was, and sometimes from where; the content is locked, but all of that surrounds it in the clear. So the comforting belief that encryption solves security is, against traffic analysis, false: encryption protects the content and leaves the metadata, which may be all an analyst needs.

This matters directly to the Royal Kaharagian Army, which operates in the digital world the comsec course has described, using connected devices, accounts, and its own digital systems. Each of these generates metadata, and a force that secures its content while ignoring its metadata is exposed to exactly the traffic analysis this lesson describes, now automated and at scale. Who contacts whom, how often, and when, drawn from device and account metadata, can reconstruct the same organisational picture and the same activity signals that radio traffic analysis reconstructs, and digital metadata is often more complete and easier to collect than radio traffic ever was. The pattern problem has grown, not shrunk, with the move to digital.

The lesson the operator takes is that securing content is not enough; the pattern and the metadata must be guarded too. This does not mean abandoning encryption or digital tools, which protect content that would otherwise be wholly exposed, but recognising their limit: they do not hide the pattern, and the pattern must be defended by its own discipline, on the radio and in the digital world alike. The member who understands metadata sees that the question is not only "could someone read this?" but "what does the mere fact, timing, and pattern of this communication reveal?", and disciplines accordingly.

Defeating traffic analysis: deny the pattern

The defence against traffic analysis is to deny the analyst the patterns they feed on, and it follows directly from what the pattern reveals. The measures are a discipline of how, when, and how much one communicates, aimed at keeping the traffic flat, uniform, and uninformative.

Minimise. The less traffic there is, the less pattern there is to analyse, so the first defence is the principle that runs through the whole course: send as little as possible, because the most secure message is the one not sent. Every unnecessary transmission adds to the pattern; ruthless economy starves it.

Maintain a steady state, and kill the surge. Because the pre-activity surge is the most dangerous signal, the countermeasure is to keep traffic at a steady, unchanging level so that an operation produces no visible rise. This may mean imposing radio silence or strict normalcy before an operation, so that nothing changes in the pattern, or, where traffic cannot simply stop, keeping it uniform so the real activity hides within a constant level. The goal is that an analyst watching the traffic sees the same picture the day of an operation as any other day.

Use dummy traffic and spread the load. Where a constant level must be maintained, dummy traffic, deliberate, meaningless communication, can fill the gaps so the level never drops and never surges, hiding the real within a steady hum. And spreading traffic across stations and times, rather than concentrating it, blurs the structure and the important nodes.

Keep the net uniform. Because the analyst picks out the important station by its prominence, net uniformity, keeping all stations similar in their traffic, manner, and prominence, denies the analyst the standout. No one station should be obviously the busiest, the one everyone calls, or the unmistakable voice of the commander; the more the stations resemble one another, the harder the structure is to read. This is the traffic-pattern side of the call-sign and pattern-of-life discipline the authentication lesson introduced.

Together these measures aim at one effect: a net whose pattern tells an analyst nothing, flat, uniform, minimal, and unchanging, so that the shadow the traffic casts reveals no organisation, no priorities, and above all no imminent activity. The operator's part is to communicate by these disciplines as a habit, seeing their own traffic as an analyst would and giving that analyst nothing to work with.

   DENY THE PATTERN  (defeat traffic analysis)

   MINIMISE          send as little as possible; less traffic, less pattern
   STEADY STATE,     keep the level UNCHANGING so an operation makes no
     KILL THE SURGE  visible rise (silence or strict normalcy before activity)
   DUMMY TRAFFIC +   fill gaps to hold a constant level; spread traffic
     SPREAD          across stations and times to blur structure
   NET UNIFORMITY    no station stands out as busiest / most-called /
                     the commander's voice; stations resemble one another

   THE AIM: a net whose pattern reveals nothing, flat and unchanging,
   so the same picture shows the day of an operation as any other day.
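
The steady-state and dummy-traffic measures, as an added example that is not part of the original lesson: every slot carries the same number of messages, real ones first and dummies filling the rest, and the result shows what each fixed level costs in dummies and in delay. The slot counts are constructed, and the code assumes dummy and real messages look alike to an observer.

```python
from collections import deque

REAL = [1] * 9 + [7] * 3   # constructed: quiet routine, then pre-activity coordination

def shape(real_per_slot, rate):
    """Constant-rate shaping: every slot carries exactly `rate` messages.

    Real messages wait in a FIFO queue and go first; dummies fill what is left.
    Returns the per-slot count an observer sees, the dummies sent per slot,
    and the worst delay (in slots) any real message suffered.
    """
    if rate < 1:
        raise ValueError("rate must be at least 1 message per slot")
    queue = deque()            # arrival slot of each waiting real message
    observed, dummies, worst_delay = [], [], 0
    slot = 0
    while slot < len(real_per_slot) or queue:   # keep going until the backlog clears
        if slot < len(real_per_slot):
            queue.extend([slot] * real_per_slot[slot])
        sent_real = min(rate, len(queue))
        for _ in range(sent_real):
            worst_delay = max(worst_delay, slot - queue.popleft())
        sent_dummy = rate - sent_real
        observed.append(sent_real + sent_dummy)
        dummies.append(sent_dummy)
        slot += 1
    return observed, dummies, worst_delay

def compare(real, rates):
    """Cost of each candidate level: total dummies and worst real-message delay."""
    out = {}
    for rate in rates:
        observed, dummies, delay = shape(real, rate)
        out[rate] = {
            "flat": len(set(observed)) == 1,   # no slot differs from any other
            "slots": len(observed),
            "dummies": sum(dummies),
            "worst_delay": delay,
        }
    return out

if __name__ == "__main__":
    for rate, cost in compare(REAL, [3, 7]).items():
        print("rate", rate, "->", cost)
```

Both levels hide the rise; the lower one sends fewer dummies but makes real messages wait, while the higher one delivers at once at the price of far more traffic, which is the tension between holding a steady state and minimising.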

In Practice: The Operation the Radio Announced

A signals NCO of the Royal Kaharagian Army reviews two exercises, and the contrast is the whole of this lesson. In both, the content of every message was perfectly secure, authenticated, brief, and, on the digital net, encrypted. In one, the operation was given away anyway; in the other, it was not. The difference was the pattern.

In the first, the net kept a quiet, predictable routine on ordinary days, and then, in the hours before the exercise activity, the traffic surged: orders, coordination, reports, a sudden rise from the usual hum, all concentrated through one busy headquarters station that every other station called. An analyst, the exercise's own assessors playing the part, needed not a word of content: the net structure drew them the command chart, the volume marked the headquarters and the key station, and above all the pre-activity surge told them an operation was imminent, in time to have reacted. The messages were secure; the pattern announced everything.

In the second, the NCO applied the discipline. The net kept a steady state: it did not surge before the activity, because a strict normalcy was imposed and what coordination was essential was kept within the constant level, padded where needed so the analyst saw no rise. Traffic was minimised and spread, and the net kept uniform, no single station standing out as the obvious headquarters or the commander's voice. The same assessors, watching the same kind of net, learned nothing: the pattern on the day of the operation looked exactly like any other day, the structure was blurred, and no surge betrayed the timing. The operation went in with surprise intact. Same secure content, opposite outcomes, because one net guarded only its messages and the other guarded its pattern too. That is traffic analysis, and the discipline that defeats it.

Check Your Understanding

  1. Explain what traffic analysis is and why it works without breaking the content of any message. Why is it "the threat that survives everything the earlier lessons taught," including encryption?
  2. Describe what an analyst reads from communication patterns, the net structure, the traffic volume, the concentration, and the pre-activity surge, and what each reveals. Why is the pre-activity surge the most dangerous revelation?
  3. Explain why metadata makes traffic analysis more powerful in the digital age, even against encrypted communications. Then set out the measures that defeat traffic analysis (minimise, steady state to kill the surge, dummy traffic and spreading, net uniformity) and the single effect they aim at.

Reflection (write a short paragraph): This lesson argues that a force can secure every message perfectly and still give away an operation through the shape of its traffic, and that the question is not only "could someone read this?" but "what does the mere pattern, timing, and volume reveal?" Think about your own digital life, the metadata of who you contact, when, and how often: what could an observer infer about you from the pattern alone, without reading anything? Then picture being the operator on a net before an operation: why is the discipline of keeping the traffic flat and unremarkable so hard to maintain when there is suddenly a great deal to coordinate, and what would help you hold it?

Summary

  • Traffic analysis learns about a force from the pattern of its communications, who, when, how often, how much, without reading any content. It works because communication reflects the structure and rhythm of the activity behind it, so the pattern is an unintended message broadcast by the act of communicating.
  • The pattern reveals the command and organisational structure (net structure, who talks to whom), the important stations and people (traffic volume and centrality), the location of headquarters (concentration, with direction-finding), and, most dangerously, imminent activity (the pre-activity surge), often before any content could.
  • It is the threat that survives content security: emission control reduces it, authentication and brevity protect content not pattern, and encryption hides words not metadata. The digital age, generating vast metadata even around encrypted traffic, makes traffic analysis more powerful, not less, so securing content is not enough.
  • Defeat it by denying the pattern: minimise (less traffic, less pattern), maintain a steady state to kill the pre-activity surge (silence or strict normalcy before activity), use dummy traffic and spread the load to hold a constant, blurred level, and keep net uniformity so no station stands out. The aim is a net whose pattern reveals nothing and looks the same on the day of an operation as any other.
  • This is the knowledge layer; the habit of disciplined, pattern-free communication is built on real nets and exercises under qualified supervision and certified in person. This lesson deepens the threat picture of Lesson 01 and the pattern-of-life discipline of Lesson 03, combines with direction-finding in Lesson 07, and feeds the operational security of Lesson 10.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 6 · Knowledge Check

Question 1 of 3

What does traffic analysis learn about a force from?