I wrote a page on how to visualise traffic volumes on Darknets using tcpdump and mrtg. A darknet is a section of network that is explicitly assigned to not be used. As such, any traffic heading into that network (or even worse, any traffic coming out of it) is suspicious traffic.

Monitoring the traffic flows to a Darknet is very useful as an early warning system for new network-based exploits, or for detecting attempted Denial of Service attacks. I operate one of those Darknets for UvT-CERT, and it has always provided us with very useful information about attempted abuse, but also about misconfigured systems on our own network.