Methods and systems for monitoring activity on a local area networks (LAN). In particular, embodiments described herein provide systems and methods for associating packets with the devices from which they were communicated, despite the obfuscatory behavior of any network address translators (NAT). A processor first receives packets that were collectively communicated, by a plurality of devices, via a NAT-serviced LAN. The processor aggregates the packets into multiple packet aggregations on a per device basis. Fields that are contained in the respective packet headers of the packets are used. The packet aggregations may be grouped. The embodiments use unencrypted lower-level information (including, for example, IPIDs and domain names), such that aggregation and grouping may be successfully performed even if information in the application layer is encrypted.