Thank you @jsirota for the explanation. I think I got the first part comfortably. However, the second part is still fuzzy to me, where we narrow down to certain data to export out to PCAP format in order to view it in Wireshark.
I was looking for a Metron meetup around the NOVA/MD area, but couldn't find any. There is so much with Metron I would like to learn and understand better. I started to tap into our company network interface instead of the tap0 switch we created, and I started to run into more issues with services being down.