Reasoning Capabilities of Large Language Models in Network Traffic Mining: A Comparative Evaluation of Zero-Shot and Few-Shot Prompting
Abstract
This study investigates the reasoning capabilities of Large Language Models (LLMs) in network traffic mining by comparing zero-shot and few-shot prompting strategies for anomaly identification. The analysis was conducted using a publicly available network traffic dataset obtained from Kaggle, where structured flow summaries were used as input for model-based reasoning. In the experimental design, the complete dataset consisting of 25,192 network flow records was analyzed under both zero-shot and few-shot prompting configurations. While the zero-shot setup performed classification without prior examples, the few-shot configuration incorporated labeled flow samples within the prompt to guide the reasoning process. The results demonstrate that the inclusion of limited contextual examples significantly improves classification stability and interpretability when analyzing ambiguous traffic patterns. The comparative evaluation of different large language models further reveals notable differences in reasoning behavior and detection performance across models. Overall, the findings highlight the potential of prompt-based LLM reasoning as a complementary analytical tool for network traffic mining, offering an interpretable and lightweight alternative to conventional machine learning-based detection approaches.
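The two prompting configurations contrasted in the abstract can be sketched as follows. This is an added example, not code from the preprint: the flow field names, the instruction wording, the label strings and the sample records are all assumptions constructed for illustration. It keeps the target flow out of its own few-shot examples and rejects ambiguous model replies.

```python
import random
import re

# Constructed sample flows; field names and values are assumptions,
# not the schema of the dataset used in the study.
FLOWS = [
    {"id": 1, "proto": "tcp", "service": "http", "duration": 0, "src_bytes": 232, "dst_bytes": 8153, "label": "normal"},
    {"id": 2, "proto": "tcp", "service": "private", "duration": 0, "src_bytes": 0, "dst_bytes": 0, "label": "anomaly"},
    {"id": 3, "proto": "udp", "service": "domain_u", "duration": 0, "src_bytes": 44, "dst_bytes": 133, "label": "normal"},
    {"id": 4, "proto": "icmp", "service": "ecr_i", "duration": 0, "src_bytes": 1032, "dst_bytes": 0, "label": "anomaly"},
]
LABELS = ("normal", "anomaly")
FIELDS = ("proto", "service", "duration", "src_bytes", "dst_bytes")
INSTRUCTION = "Classify the network flow as 'normal' or 'anomaly'. Answer with one word."

def summarize(flow):
    """Render a flow as a structured summary; the label is never included."""
    return ", ".join(f"{k}={flow[k]}" for k in FIELDS)

def pick_shots(pool, target, per_class, seed=0):
    """Choose a class-balanced set of labeled examples, excluding the target
    flow so its ground-truth label cannot leak into the prompt."""
    rng = random.Random(seed)
    shots = []
    for label in LABELS:
        cands = [f for f in pool if f["label"] == label and f["id"] != target["id"]]
        shots += rng.sample(cands, min(per_class, len(cands)))
    rng.shuffle(shots)  # avoid a fixed label order the model could latch onto
    return shots

def build_prompt(target, shots=()):
    """Zero-shot when shots is empty, few-shot otherwise."""
    parts = [INSTRUCTION]
    parts += [f"Flow: {summarize(s)}\nLabel: {s['label']}" for s in shots]
    parts.append(f"Flow: {summarize(target)}\nLabel:")
    return "\n\n".join(parts)

def parse_label(reply):
    """Map a free-text reply to one label; None if zero or both labels appear."""
    hits = set(re.findall(r"[a-z]+", reply.lower())) & set(LABELS)
    return hits.pop() if len(hits) == 1 else None

if __name__ == "__main__":
    target = FLOWS[0]
    print(build_prompt(target))
    print("-----")
    print(build_prompt(target, pick_shots(FLOWS, target, per_class=1)))
```

Replies that `parse_label` maps to `None` should be counted separately from wrong answers when comparing the two configurations, since an unparseable reply is a different failure from a misclassification.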