Network investigations can be far more difficult than a typical computer examination, even for an experienced digital forensics examiner. There are many more events to assemble in order to understand the case, and the tools do far less of the work for the examiner than traditional computer forensics tools do. If an investigator is looking for chat logs, images, or e-mail messages, for example, most common computer forensics tools will specifically find those types of files. Examining live network traffic, however, requires that the examiner understand the underlying network communications protocol suite, be it TCP/IP or something else. A packet sniffer can capture the packets, and a protocol analyzer can reassemble and interpret the traffic, but it still takes a human to interpret the sequence of events.
From: The Case for Teaching Network Protocols to Computer Forensics Examiners: Part 1 by Gary C. Kessler and Matt Fasulo