Book Review: Practical Packet Analysis, 2nd Edition

Practical Packet Analysis, 2nd Edition. Copyright © 2011 by Chris Sanders. No Starch Press, Inc (255 pages).

Author Chris Sanders is a computer security consultant, currently working for the US Government. He is CISSP certified, & blogs at

The author admits “nothing beats real-world experience”, but argues “the closest you can come to that experience in a book is through practical examples of packet analysis with real-world scenarios”.


Chapters 1 to 3 (of 12) take the reader through the very basics of data communication & data networks. A chapter is devoted to how & where to take live packet traces, followed by one on installing & using Wireshark.

The majority of the book is “devoted entirely to practical cases that you could easily encounter in day-to-day network management.”

The book’s mid-section consists of examples of how to use Wireshark to analyse common protocol behaviours including ARP, IP, TCP & UDP, ICMP, DHCP, DNS & HTTP.

Chapter 8, entitled “Real World Scenarios”, is superfluous. It describes the use of Wireshark analysis to examine Twitter & Facebook login authentication, & analyses traffic generated by accessing

The final 3 chapters return to the general theme of practical, i.e. “real-world”, trace analysis. TCP error recovery & flow control are demonstrated, as is troubleshooting high transaction latency. Security breaches such as OS fingerprinting & SYN scanning, & some hacker exploits such as ARP cache poisoning, are also demonstrated.
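The SYN-scan signature that chapter shows in Wireshark (a bare SYN to port after port, each answered by RST/ACK for closed ports) can also be pulled out of a capture file programmatically. The following is an added example, not code from the book or from this review: a minimal libpcap reader using only the Python standard library, fed a capture constructed inline (the hosts 10.0.0.66, 10.0.0.5 and 10.0.0.7, the MAC addresses and the 10-port threshold are all made up for the demonstration). It applies the same test as the Wireshark display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` and counts distinct destination ports per source/target pair.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK, TCP_RST = 0x02, 0x10, 0x04


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP header with no payload. Checksums are left at zero
    because nothing here validates them; the MAC addresses are hypothetical."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian libpcap file (magic 0xa1b2c3d4, Ethernet link type)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        # Skip non-IPv4 frames, non-TCP packets and anything cut short by snaplen.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def find_syn_scanners(pcap, min_ports=10):
    """Return {(src, dst): distinct_ports} for sources that sent bare SYNs
    (SYN set, ACK clear) to at least min_ports distinct ports on one target."""
    ports = defaultdict(set)
    for src, dst, _sport, dport, flags in iter_tcp_segments(pcap):
        if flags & TCP_SYN and not flags & TCP_ACK:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample capture: one normal handshake plus a 20-port SYN scan.
SCANNER, TARGET, CLIENT = "10.0.0.66", "10.0.0.5", "10.0.0.7"
_frames = [build_ipv4_tcp(CLIENT, TARGET, 40000, 80, TCP_SYN),
           build_ipv4_tcp(TARGET, CLIENT, 80, 40000, TCP_SYN | TCP_ACK),
           build_ipv4_tcp(CLIENT, TARGET, 40000, 80, TCP_ACK)]
for _port in range(1, 21):
    _frames.append(build_ipv4_tcp(SCANNER, TARGET, 50000 + _port, _port, TCP_SYN))
    _frames.append(build_ipv4_tcp(TARGET, SCANNER, _port, 50000 + _port, TCP_RST | TCP_ACK))
SAMPLE_PCAP = build_pcap(_frames)

if __name__ == "__main__":
    for (src, dst), n in find_syn_scanners(SAMPLE_PCAP).items():
        print(f"{src} sent bare SYNs to {n} distinct ports on {dst}")
```

The legitimate client shows up with a single SYN and is dropped by the threshold; the scanner's 20 SYNs are flagged while the target's RST/ACK replies are ignored because ACK is set. The same selection at capture time is the tcpdump/BPF expression `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`; the Python reader only handles the classic microsecond pcap format, not pcapng.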

The book closes with a chapter on Wireless packet tracing, including a brief overview of 802.11 packet structures & 802.11-specific filters.

This chapter is also useful in demonstrating WEP & WPA authentication processes.

As an experienced user, I found the final section, “Further Reading”, most useful. It lists & describes various packet analysis tools & other related online resources.

All capture files used in the demonstrations are available at

All author proceeds from the book go to the Rural Technology Fund


The book is effectively a short-cut to acquiring expertise in Wireshark use. For an already-experienced user, the final chapter is probably of most use. Other material such as that on the Berkeley Packet Filter syntax (which I’ve found under-documented by tcpdump man pages) & the brief description of protocol dissectors & how to get access to dissector source code, were highlights.

I would recommend a future enhancement to include more on Display Filters. The useful Analyze->Prepare a Filter or Analyze->Apply as Filter functionality deserves more attention.

The author does not specify which version of Wireshark he was working with when producing the book, hence I can only assume this functionality was not supported at the time.

In summary, I would recommend this book to beginners for the purposes of getting up to speed with Wireshark quickly.

Available from:



  • I review for the O'Reilly Blogger Review Program
