Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems (Paperback)

by Chris Sanders (Author)
3.8 out of 5 stars (10 customer reviews)

List Price: $39.95
Price: $26.37 (ships free with Super Saver Shipping)
You Save: $13.58 (34%)
In Stock. Ships from and sold by Amazon.com.
Frequently Bought Together

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems + Wireshark & Ethereal Network Protocol Analyzer Toolkit (Jay Beale's Open Source Security) + Network Warrior
Price For All Three: $89.03

Customers Who Bought This Item Also Bought

  • Network Warrior by Gary A. Donahue, 4.7 out of 5 stars (37), $29.69
  • The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference by Charles Kozierok, 4.8 out of 5 stars (27), $56.67
  • Network Analysis and Troubleshooting by J. Scott Haugdahl, 4.5 out of 5 stars (10), $39.99
  • Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon, 4.9 out of 5 stars (14), $32.97
  • Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network by Michael Gregg, 3.2 out of 5 stars (5), $36.68

Editorial Reviews

Product Description

It's easy enough to install Wireshark and begin capturing packets off the wire or from the air. But how do you interpret those packets once you've captured them? And how can those packets help you better understand what's going on under the hood of your network? Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an in-depth look at real-world packet analysis and network troubleshooting, the way the pros do it.

Wireshark (derived from the Ethereal project) has become the world's most popular network sniffing application. But while Wireshark comes with documentation, there's not a whole lot of information to show you how to use it in real-world scenarios. Practical Packet Analysis shows you how to:

  • Use packet analysis to tackle common network problems, such as loss of connectivity, slow networks, malware infections, and more
  • Build customized capture and display filters
  • Tap into live network communication
  • Graph traffic patterns to visualize the data flowing across your network
  • Use advanced Wireshark features to understand confusing packets
  • Build statistics and reports to help you better explain technical network information to non-technical users

Because net-centric computing requires a deep understanding of network communication at the packet level, Practical Packet Analysis is a must-have for any network technician, administrator, or engineer troubleshooting network problems of any kind.

Technical review by Gerald Combs, creator of Wireshark.

About the Author

Chris Sanders is the network administrator for the Graves County Schools in Kentucky, where he manages more than 1,800 workstations, 20 servers, and a user base of nearly 5,000. His website, ChrisSanders.org, offers tutorials, guides, and technical commentary, including the very popular Packet School 101. He is also a staff writer for WindowsNetworking.com and WindowsDevCenter.com. He uses Wireshark for packet analysis almost daily.


Product Details

  • Paperback: 192 pages
  • Publisher: No Starch Press; illustrated edition (May 23, 2007)
  • Language: English
  • ISBN-10: 1593271492
  • ISBN-13: 978-1593271497
  • Product Dimensions: 9.1 x 6.9 x 0.7 inches
  • Shipping Weight: 12.6 ounces
  • Amazon.com Sales Rank: #54,852 in Books

    Popular in these categories:

    #93 in Books > Computers & Internet > Networking > Network Security
    #95 in Books > Computers & Internet > Networking > Networks, Protocols & APIs > Networks

Customer Reviews

10 Reviews
5 star: (4)
4 star: (2)
3 star: (2)
2 star: (2)
1 star: (0)
 
 
 
 
 
Most Helpful Customer Reviews

 
125 of 132 people found the following review helpful:
2.0 out of 5 stars A disappointment -- this author does not understand basic networking, so newbies will be misguided, June 23, 2007
To use "American Idol" lingo, you've already read reviews by Randy Jackson and Paula Abdul. It's time for the truth from Simon Cowell -- Practical Packet Analysis (PPA) is a disaster. I am not biased against books for beginners; see my five star review of Computer Networking by Jeanna Matthews. I am not biased against author Chris Sanders; he seems like a nice guy who is trying to write a helpful book. I am not a misguided newbie; I've written three books involving traffic analysis. I did not skim the book; I read all of it on a flight from San Jose to Washington Dulles. I do not dislike publisher No Starch; I just wrote a five star review for Designing BSD Rootkits by Joseph Kong.

PPA is written for beginners, or at least it should be intended for beginners given its subject matter. It appears the author is also a beginner, or worse, someone who has not learned fundamental networking concepts. This situation results in a book that will mislead readers who are not equipped to recognize the numerous technical and conceptual problems in the text. This review will highlight several to make my point. These are not all of the problems in the book.

p 21: This is painfully wrong on multiple levels: "When one computer needs to send data to another, it sends an ARP request to the switch it is connected to. The switch then sends an ARP broadcast packet to all of the computers connected to it... The switch now has a route established to that destination computer... This newly obtained information is stored in the switch's ARP cache so that the switch does not have to send a new ARP broadcast every time it needs to send data to a computer." This misconception is aggravated on p 62 in the discussion of ARP.

p 65, Figure 6-5: The TCP three way handshake is not SYN - ACK - SYN.

p 78, Figure 7-3: The TCP three way handshake is not SYN - ACK - ACK.

p 79: Packet 5 is not "the packet that was lost and is now being retransmitted." Packet 2 is.

p 80: There is no "ICMP type 0, code 1 packet."

p 85: This boggles the mind: "Immediately after that ARP packet, we see a bunch of NetBIOS traffic... If that other IP address wasn't a sign that something is wrong, then all of this NetBIOS traffic definitely is. NetBIOS is an older protocol that is typically only used as a backup when TCP/IP isn't working. The appearance of NetBIOS traffic here means that since Beth's computer was unable to successfully connect to the Internet with TCP/IP, it reverted back to NetBIOS as an alternate means of communication -- but that also failed. (Anytime you see NetBIOS on your network, it is often a good sign that something is not quite right.)"

p 85: This "troubleshooting" example highlights the different default gateways for Barry and Beth as being the "biggest anomaly" causing Beth's computer to not work. The author ignores the fact that Barry and Beth have computers with the same MAC addresses.

p 89: Traces recorded at a client and server are compared. The author says "The two capture files look amazingly similar; in fact, the only difference between the two files is that the source and destination addresses on the SYN packets have been switched around." Good grief.

p 106: Another "troubleshooting" scenario wonders if a "slow network" problem is related to the fact that tracerouting out from a host fails to produce a response from the router. However, the traceroute continues past the router, so connectivity exists (missed by the author). He says "we know our problem lies with our network's internal router because we were never able to receive an ICMP response from it. Routers are very complicated devices, so we aren't going to delve into the semantics of exactly what is wrong with the router."

pp 107-8: Yet another "troubleshooting" issue wonders why seemingly "double packets" are seen while sniffing on a host. The author wonders if "misconfigured port mirroring" could be the problem, ignoring his statement that the trace was collected on the host in question. He doesn't notice that each "double packet" has a unique MAC address pairing, i.e., packet 1 involves 00:d0:59:aa:af:80 > 00:01:96:3c:3f:54 and packet 2 involves 00:01:96:3c:3f:a8 > 00:20:78:e1:5a:80. Assuming 00:d0:59:aa:af:80 is the only MAC address for the troubled host, there is no way this machine could see traffic "bouncing back" -- the destination MAC address for the dupe packet is 00:20:78:e1:5a:80.

p 110: Another "troubleshooting" example fails to recognize that packets 1-18 and 29 are part of one unique TCP session, and 19-28 are an entirely different session. Packet 29's RST ACK is not an "acknowledgement" of the RST in packet 28; besides not being an actual protocol mechanism, those packets are from different sessions anyway!

p 112: "More ominously, most of the traffic is being sent with the TCP PSH flag on, which forces a receiving computer to skip its buffer and push that traffic straight through, ahead of any other traffic. That is almost always a bad sign." It's a bad sign when you don't know what you're talking about, apparently.

p 129: "Display filters make it easy to search for traffic such as DCEPRC (sic), NetBIOS, or ICMP, which should not be seen under normal circumstances." I guess Windows networks never use at least DCERPC regularly?

This book should not have been published. The author should sit down with Interconnections, 2nd Ed by Radia Perlman, Troubleshooting Campus Networks by Priscilla Oppenheimer/Joseph Bardwell, and The Internet and its Protocols by Adrian Farrel, and learn how networks operate. Then he should have Gerald Combs REALLY provide a technical edit of PPA, since it's clear Mr Combs probably skimmed this book without catching the issues noted above.

The only positives I can say for PPA are that, like other No Starch books, its form factor and readability are excellent. The diagrams are clear (albeit often misunderstood) and the obvious typos are few. As far as learning anything, the mention of "Expert Infos" on p 100 was nice.
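
The handshake and retransmission points in the review above can be checked mechanically rather than argued from a figure. The following Python script is an added example for this page, not code from the book, its author, or any reviewer. It writes a small constructed pcap (RFC 5737 documentation addresses, made-up MAC addresses and initial sequence numbers) containing a correct SYN, SYN/ACK, ACK exchange followed by a 100-byte data segment sent twice, reads it back with a minimal Ethernet/IPv4/TCP decoder, verifies the handshake order and the ISN+1 acknowledgements, and renders each packet with Wireshark-style relative sequence numbers, tagging the repeated segment as a retransmission. A second constructed trace in the SYN, ACK, SYN order of the disputed figure fails the same check. IP and TCP checksums are left at zero, so Wireshark would mark them bad if the file were opened with checksum validation on; flags and sequence numbers are unaffected.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
MASK32 = 0xFFFFFFFF

def flag_string(flags):
    """Render flags the way Wireshark's Info column does, e.g. '[SYN, ACK]'."""
    return "[" + ", ".join(n for b, n in FLAG_NAMES.items() if flags & b) + "]"

def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP between (mac, ip, port) endpoints; checksums stay zero."""
    eth = bytes.fromhex(dst[0].replace(":", "")) + bytes.fromhex(src[0].replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src[2], dst[2], seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src[1].split("."))), bytes(map(int, dst[1].split("."))))
    return eth + ip + tcp + payload

def write_pcap(frames):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 0, n, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Raw frames of a little-endian pcap file, as Wireshark would load them."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    frames, off = [], 24
    while off < len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

def decode(frame):
    """Addresses, ports, seq/ack, flags and payload length of an IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    sport, dport, seq, ack, off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "plen": total_len - ihl - (off >> 4) * 4}

def check_handshake(pkts):
    """SYN, then the peer's SYN/ACK acknowledging client ISN+1, then ACK of server ISN+1."""
    if len(pkts) < 3:
        return False, "fewer than three packets"
    a, b, c = pkts[:3]
    shown = " ".join(flag_string(p["flags"]) for p in (a, b, c))
    a1, b1 = (a["seq"] + 1) & MASK32, (b["seq"] + 1) & MASK32
    if a["flags"] != SYN:
        return False, shown + ": first packet is not a bare [SYN]"
    if b["flags"] != SYN | ACK or (b["src"], b["sport"]) != (a["dst"], a["dport"]) or b["ack"] != a1:
        return False, shown + ": second packet is not the server's [SYN, ACK] of client ISN+1"
    if c["flags"] != ACK or c["seq"] != a1 or c["ack"] != b1:
        return False, shown + ": third packet is not the client's [ACK] of server ISN+1"
    return True, shown

def annotate(pkts):
    """Wireshark-style rows: relative Seq/Ack per direction, [TCP Retransmission] on re-sent data."""
    isn, next_seq, rows = {}, {}, []
    for n, p in enumerate(pkts, 1):
        d = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = d[2:] + d[:2]
        rel_seq = (p["seq"] - isn.setdefault(d, p["seq"])) & MASK32
        rel_ack = (p["ack"] - isn[rev]) & MASK32 if p["flags"] & ACK and rev in isn else 0
        note = " [TCP Retransmission]" if p["plen"] and p["seq"] < next_seq.get(d, p["seq"]) else ""
        next_seq[d] = max(next_seq.get(d, 0), p["seq"] + p["plen"] + bool(p["flags"] & (SYN | FIN)))
        rows.append(f"{n} {d[0]}:{d[1]} -> {d[2]}:{d[3]} {flag_string(p['flags'])} "
                    f"Seq={rel_seq} Ack={rel_ack} Len={p['plen']}{note}")
    return rows

# Constructed endpoints (mac, ip, port): RFC 5737 documentation addresses, made-up MACs.
CLIENT = ("00:11:22:33:44:55", "192.0.2.10", 40000)
SERVER = ("66:77:88:99:aa:bb", "198.51.100.20", 80)

def sample_trace(ci=1000, si=5000):
    """Correct handshake, a 100-byte push, the same segment re-sent, then the server's ACK."""
    data = b"GET / HTTP/1.0\r\n".ljust(100)
    return write_pcap([build_frame(CLIENT, SERVER, ci, 0, SYN),
                       build_frame(SERVER, CLIENT, si, ci + 1, SYN | ACK),
                       build_frame(CLIENT, SERVER, ci + 1, si + 1, ACK),
                       build_frame(CLIENT, SERVER, ci + 1, si + 1, PSH | ACK, data),
                       build_frame(CLIENT, SERVER, ci + 1, si + 1, PSH | ACK, data),  # retransmitted
                       build_frame(SERVER, CLIENT, si + 1, ci + 101, ACK)])

def broken_trace(ci=1000, si=5000):
    """The SYN, ACK, SYN order of the disputed figure, for contrast."""
    return write_pcap([build_frame(CLIENT, SERVER, ci, 0, SYN), build_frame(SERVER, CLIENT, si, ci + 1, ACK),
                       build_frame(CLIENT, SERVER, ci + 1, si + 1, SYN)])

def analyse(pcap_bytes):
    pkts = [p for p in map(decode, read_pcap(pcap_bytes)) if p]
    return check_handshake(pkts), annotate(pkts)

if __name__ == "__main__":
    for (ok, why), rows in map(analyse, (sample_trace(), broken_trace())):
        print("handshake " + ("OK" if ok else "BAD") + ": " + why, *rows, sep="\n  ")
```

Running the script prints both traces with the verdict on each handshake. `sample_trace()` and `broken_trace()` return raw pcap bytes, so they can be written to a file and opened in Wireshark to compare its Info column and relative sequence numbers against the rows the script prints; the retransmission heuristic here (a data segment starting below the highest byte already sent in that direction) is a simplification of Wireshark's expert analysis and does not handle 32-bit sequence wraparound.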



 
20 of 24 people found the following review helpful:
2.0 out of 5 stars Packet traces don't match the text, September 8, 2007
By Early Adopter (Denver, CO USA)
The conversational style of the book and the basic idea are very sound. Some of the information is well presented. So we'll start with 5 stars and see where we end up.

There are some typos and errors in the book (the Syn-Ack-Ack mentioned in two reviews is simply a typo in the diagram, the text on the same page correctly has it as Syn-Syn/Ack-Ack). Unfortunately, there are more serious errors than this, so there goes one star.

This is clearly a beginner's book, so some basic configuration explanations are needed to get Wireshark (and Cain and Abel) set up properly. When the novice is presented with multiple network interfaces they can capture from, how do they decide which is the one to use? The author provides no help here, so the novice can do nothing but try each one in turn and see which one works. In my case, since I was using a notebook with a wireless connection, none of them worked in either program. Turning off promiscuous mode in Wireshark did the trick, but the author should have explained the need for that in the text. This book is about using these tools, so not explaining the basics is worth a star.

I downloaded the sample traces. The first one I tried, wrongdissector.dmp, wasn't in the archive. An oversight perhaps? Let's try the next one in the text: suspectemployeechat.dmp. The content of this trace doesn't match the text at all: the two individuals are chatting on a similar topic, perhaps, but the contents of their conversation are completely different. There is no way to reconcile it with the text. Now we've moved from oversight to rubbish. Say goodbye to another star.

Final score: two stars out of five. If the publisher and/or their agents read these reviews (they appear to have written some of them), please issue an errata and fix the download.



 
7 of 8 people found the following review helpful:
3.0 out of 5 stars Could be reviewed much better, July 3, 2007
I also bought "Computer Networks: Internet Protocols in Action" by Jeanna Matthews. Both as reference books. See also my review on that.

Let's start by saying it's very annoying if you have to read other material or have some doubt about your own knowledge concerning specific topics, and then afterwards it proves that your understanding and assumptions WERE RIGHT and the book presented something wrong, like the three-way TCP handshake is not SYN - ACK - SYN, as Richard Bejtlich mentioned. These are crucial aspects of protocol understanding, the main reason you would buy a book like this. Nevertheless some faults can be made and maybe in the next version of the book this is reviewed and solved.

Rob Faber [CISSP, CEH, MCSE]
Security Consultant
The Netherlands


 
 
 
Most Recent Customer Reviews

3.0 out of 5 stars Foot Wetter
This book would be great for a beginner or computer tech that is becoming a network tech. This book gets the idea of Wireshark and its possible uses across very well and is an...
Published 1 month ago by J. Sauro

4.0 out of 5 stars worth a look
As there aren't too many books out there on use of wireshark I found this book to be quite useful for people wanting to get their hands onto trying.
Published 4 months ago by Drake

5.0 out of 5 stars A must for Wireshark users
Lately I have been reading reviews after I buy books just to see how they stack up, and this is no exception.
Published 6 months ago by J. Cornell

4.0 out of 5 stars Limited recommendation
I am the kind of person who gets almost all of his information from books. This is because when I communicate, or attempt to communicate, to human beings, I get easily alienated...
Published 9 months ago by Alex Quebec

5.0 out of 5 stars An excellent guide to true understanding of how a network works
This is one of the best books, of hundreds, that I have ever put my hands on. I work as technical instructor for a Cisco Learning Partner and I have been in IT for 15 years,...
Published 20 months ago by R. Lindfield

5.0 out of 5 stars A must have for packet analysis
This book is well written and easy to read and understand. The author covers the basics of the WireShark protocol analyzer, and provides real-world examples of what could go wrong...
Published on June 19, 2007 by Thomas Stanley

5.0 out of 5 stars Great intro with an eye towards practical usage...
As an application developer, I don't spend a lot of time wondering about what goes down the wire (but perhaps I should).
Published on June 11, 2007 by Thomas Duff

Conditions of Use | Privacy Notice © 1996-2009, Amazon.com, Inc. or its affiliates