What are the primary indicators of compromise you would look for when analyzing raw network packet captures?