Book Reviews: Information Security Books and Product Reviews – Practical Packet Analysis

Book Title: Practical Packet Analysis

Subtitle: Using Wireshark to Solve Real-World Network Problems 2nd Edition

Author: Chris Sanders

Publisher: NO STARCH PRESS

Date of Publishing: 8 July 2011

ISBN(13): 9781593272661

Price (UK & US, full price, not discounted): £39.49, $49.95

URL of Publisher Site: No Starch

URL of Amazon UK web page: Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems 2nd Edition

URL of Amazon US web page: Amazon.com

I have to admit upfront, I’m a huge Wireshark fan and have been using it for a long time. In fact, it seems to have ruled my life over the last three years on a particular project I’m working on. Frequently, I am called in to fire up Wireshark to investigate some interoperability issues, or even to prove a particular connection is secure (or insecure). So, when I was asked to review this second edition I jumped at the chance.

The book is not large: 255 pages, consisting of 11 chapters. Chapter 1 sets the scene, defining some terms and basic networking as well as explaining why “packet sniffing” is so useful (and powerful). It also provides some selection criteria on how to choose a sniffer, although all the examples in the book are based on the freely available Wireshark. Chapter 2 examines the decisions to be made as to where to locate the network sniffer, whether in a hub, switched or routed environment. Chapter 3 introduces the reader to Wireshark, providing a brief history (including its predecessor, Ethereal). The chapter explains how to install Wireshark as well as some basics of setting the preferences.

Chapter 4 describes how to work with captured packets, such as saving and opening captures and setting capture options and filters. It provides some very useful explanations of capture and display filters, which in a real-world environment are essential. Chapter 5 goes on to describe some of the more advanced Wireshark features. These include viewing network conversations, protocol statistics, and following TCP streams. Chapter 6 provides the reader with a good overview of the “base” protocols any network investigator needs to understand, namely ARP, IP, TCP, UDP and ICMP. Chapter 7 then goes on to describe a number of upper-layer protocols that one would normally come across: DHCP, DNS and HTTP. As with the lower-level protocols, these should be understood by an investigator. For each protocol, the author describes the protocol in detail and then shows us exactly what it will look like in Wireshark, using decent-resolution screenshots.

Chapter 8 provides a number of real-world scenarios, including social networking and ESPN. Although I have to say most of my real-world situations, at least within an organization, seem to revolve around HTTP, SSL and LDAP. Chapter 9 describes the problem of a “slow network” when retransmissions become an issue. Chapter 10 considers the use of Wireshark for security purposes, including reconnaissance and exploitation. This includes using Wireshark to quickly look for SYN attacks as well as for open TCP ports. It also provides some information about being able to fingerprint target computers, although of course tools such as Nmap would normally be used for such an activity. There is also a very interesting section describing how a user of Wireshark can look for ARP cache poisoning attacks. The final chapter examines the world of wireless sniffing, looking at both the Windows and Linux worlds. Quite rightly, the book explains that for most Windows environments you will not be able to sniff wireless networks unless you purchase AirPcap.

Whilst the book did not teach me anything new, I did rather enjoy reading it. It is well written and an excellent introduction to the art of network sniffing and the use of Wireshark. Many of the examples it provides throughout the book can be downloaded as Wireshark capture files and viewed by the reader.
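The ARP cache poisoning check mentioned for Chapter 10 comes down to one question an analyst asks of a capture: has the same IP address been claimed by more than one MAC address in ARP replies? The following added example (my own illustration, not code from the book or from Wireshark) parses raw Ethernet/ARP frames with the standard library and reports such conflicts. All frames, addresses and the `build_arp_reply` helper are constructed here for the demonstration.

```python
"""Flag IP addresses claimed by more than one MAC in ARP replies.

Added example, not from the book. Frames are constructed inline so the
script runs offline; a real capture would be read from pcap instead.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType (14 bytes)
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Helper to construct one Ethernet/ARP reply frame for the sample data."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tha = bytes.fromhex(dst_mac.replace(":", ""))
    spa = bytes(int(o) for o in src_ip.split("."))
    tpa = bytes(int(o) for o in dst_ip.split("."))
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa
    )


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet-over-IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None                                  # truncated or non-ARP frame
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4 or op != ARP_REPLY:
        return None                                  # only Ethernet/IPv4 replies are of interest
    return fmt_mac(sha), fmt_ip(spa)


def find_ip_mac_conflicts(frames):
    """Map each sender IP to the MACs that claimed it; return the IPs claimed by more than one."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            sender_mac, sender_ip = parsed
            claims[sender_ip].add(sender_mac)
    return {addr: sorted(macs) for addr, macs in claims.items() if len(macs) > 1}


# Constructed sample: the gateway answers, a workstation answers, then a
# different MAC also claims the gateway's IP, which is the poisoning signature.
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
    build_arp_reply("00:11:22:33:44:10", "192.168.1.10", "00:11:22:33:44:01", "192.168.1.1"),
    build_arp_reply("00:11:22:33:44:99", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
    b"\x00" * 20,   # truncated junk frame, should be ignored
]

if __name__ == "__main__":
    for addr, macs in find_ip_mac_conflicts(SAMPLE_FRAMES).items():
        print(f"ALERT: {addr} claimed by {', '.join(macs)}")
```

The script reports `192.168.1.1` as claimed by two MACs. Wireshark performs the same comparison itself and exposes the result through its expert info, so in the GUI the equivalent shortcut is the display filter `arp.duplicate-address-detected`; the value of writing it out by hand is seeing that the detection is nothing more than tracking sender-IP to sender-MAC pairs across the capture.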

In the future, rather than giving my colleagues a quick training course of Wireshark, I think I will just point them to this book.

Practical Packet Analysis is an excellent introduction to the world of network sniffing. I would recommend it to anyone wishing to enter this world.  Not only is it a gentle introduction it also allows the reader to start the road of mastering the subject.

Marks: 5 out of 5

*****