Transactions within a transmission stream are identified that are related to an activity. The transactions are classified utilizing characteristics that identify the activity. Packets of the transaction are extracted from the transmission stream that corresponds to the activity. The extracted packets are presented in a visualization that identifies the packets and source and sink devices of the packets. The packets may be identified from a network trace. Classifying transactions includes identifying patterns present in packets to identify related transactions and/or packets that are temporally correlated. The characteristics may include heuristics related to a communication protocol of the transactions, examining temporal relationships of the packets, and/or identifying DNS requests related to the packets. The extracted packets may be presented as a tier pair circle wherein related devices are presented around a circumference of the tier pair circle and packet traffic between devices is indicated by a joining line.