Book Review: Practical Packet Analysis, 2nd Edition
Practical Packet Analysis, 2nd Edition. Copyright © 2011 by Chris Sanders. No Starch Press, Inc (255 pages).
Author Chris Sanders is a computer security consultant, currently working for the US Government. He is CISSP certified, & blogs at http://www.chrissanders.org/
The author admits “nothing beats real-world experience”, but argues “the closest you can come to that experience in a book is through practical examples of packet analysis with real-world scenarios”.
Chapters 1 to 3 (of 12) take the reader over the very basics of data communication & data networks. A chapter is devoted to how & where to take live packet traces, followed by one on installing & using Wireshark.
The majority of the book is “devoted entirely to practical cases that you could easily encounter in day-to-day network management.”
The book’s mid-section consists of examples of how to use Wireshark to analyse common protocol behaviours including ARP, IP, TCP & UDP, ICMP, DHCP, DNS & HTTP.
Chapter 8, entitled “Real World Scenarios” is superflous. It describes the use of Wireshark analysis to examine Twitter & Facebook login authentication, & analyses traffic generated by accessing ESPN.com.
The final 3 chapters return to the general theme of practical i.e. “real-world” trace analysis. TCP error-recovery & flow control is demonstrated. Troubleshooting high transaction latency is demonstrated. Security breaches such OS fingerprinting & SYN scanning & some examples of hacker exploits such as ARP Cache Poisoning are demonstrated.
The book closes with a chapter on Wireless packet tracing, including a brief overview of 802.11 packet structures & 802.11-specific filters.
This chapter is also useful in demonstrating WEP & WPA authentication processes.
As an experienced user, I found the final section, “Further Reading” most useful. It lists & describes various packet analysis tools & other related online resources.
All capture files used in the demonstrations are available at http://www.nostarch.com/packet2.htm
All author proceeds from the book go to the Rural Technology Fund http://www.ruraltechfund.org
The book is effectively a short-cut to acquiring expertise in Wireshark use. For an already-experienced user, the final chapter is probably of most use. Other material such as that on the Berkely Packet Filter syntax (which I’ve found under-documented by tcpdump man pages) & the brief description of protocol dissectors & how to get access to dissector source code, were highlights.
I would recommend a future enhancement to include more on Display Filters. The useful Analyze->Prepare a Filter or Analyze->Apply as Filter functionality deserves more attention.
The author does not specify which version of Wireshark with which he was working when producing the book, hence I can only assume this functionality was not supported at the time.
In summary I would recommend this book to beginners for the purposes of getting up to speed with Wireshark quickly.
Available from: http://oreilly.com/catalog/9781593272661/