Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems – 2nd Edition
By Chris Sanders
(No Starch Press, $49.95, paperback)
“A million different things can go wrong with a computer network on any given day – from a simple spyware infection to a complex router configuration error – and it’s impossible to solve every problem immediately,” notes the author of this well-written and nicely structured guidebook, Practical Packet Analysis.
“To better understand and solve network problems, we go to the packet level. Here, nothing is hidden from us — nothing is obscured by misleading menu structures, eye-catching graphics, or untrustworthy employees,” Chris Sanders writes.
His how-to manual for Wireshark is aimed not only at expert packet analysts but also newcomers to the process of using “packet sniffing” to solve common network problems such as malware infections, loss of connectivity, slow performance, printers running amok, and other issues.
This new second edition “contains almost all new content, with completely new capture files and scenarios,” the author states. Mastering the scenarios is particularly important, he adds, because the concepts they cover can apply to many real-world packet analysis situations.
The popular packet sniffing software known as Wireshark has its roots in Ethereal, which gives it a “rich history,” he points out. “Gerald Combs, a computer science graduate of the University of Missouri at Kansas City, originally developed it out of necessity. The very first version of Combs’ application, called Ethereal, was released in 1998 under the GNU Public License (GPL).”
Several years later, however, Combs was unable to obtain Ethereal’s trademark, so he spun off another product, Wireshark, which has “grown dramatically in popularity, and its development team now boasts over 500 contributors.”
The introduction and first two chapters of Practical Packet Analysis help the reader get up to speed on the basics of packet analysis. Routers, switches and hubs, the three main devices on a modern network, “each handle traffic differently, [so] you must be very aware of the physical setup of the network you are analyzing,” Chris Sanders cautions.
Indeed, he adds, “it is sometimes more difficult to place a packet sniffer on a network’s cabling system than it is to actually analyze the packets.” Fortunately, he presents some clear illustrations of where and how to position packet sniffers and how to use capabilities such as Address Resolution Protocol (ARP) cache poisoning (or “ARP spoofing”) to intercept traffic and get help from the popular security software package Cain & Abel.
An important goal in packet analysis, he contends, is the ability ”to see every packet sent across the wire so that we don’t risk missing some crucial piece of information.”
Practical Packet Analysis is 255 pages long and has the following structure:
Chapter 1: Packet Analysis and Network Basics
Chapter 2: Tapping into the Wire
Chapter 3: Introduction to Wireshark
Chapter 4: Working with Captured Packets
Chapter 5: Advanced Wireshark Features
Chapter 6: Common Lower-Layer Protocols
Chapter 7: Common Upper-Layer Protocols
Chapter 8: Basic Real-World Scenarios
Chapter 9: Fighting a Slow Network
Chapter 10: Packet Analysis for Security
Chapter 11: Wireless Packet Analysis
Appendix: Further Reading
Index (15 pages)
The appendix provides a brief introduction to a number of other packet analysis tools and resources.
The book’s index is expanded by 50% over the 1st edition and is nicely detailed by topic.
Along with packet analysis basics, some of the other major topics covered in the text are: (1) building customized capture and display filters; (2) monitoring and tapping into live network communications; (3) generating and using traffic pattern graphs to visualize network data flow; (4) creating reports and statistics that help non-technical users better understand a network’s technical information; and (5) using Wireshark’s advanced features to analyze confusing packet captures.
According to the author’s statements in the Introduction and on the back cover: “All of the author’s royalties from this book will be donated to the Rural Technology Fund (http://ruraltechfund.org).” The fund provides scholarships to “students living in rural communities who have a passion for computer technology and intend to pursue further education in that field.”
The author notes that Wireshark can be downloaded for free and used “for any purpose, whether personal or commercial.” The software “supports all major modern operating systems, including Windows, Mac OS X, and Linux-based platforms.”
Wireshark’s system requirements are: (1) a 400 MHz (or faster) processor; (2) at least 128 MB RAM; (3) at least 75 MB of available disk storage space; (4) a network interface card (NIC) that supports “promiscuous mode”; and (4) WinPcap capture driver. Promiscuous mode allows a network card to “listen for all network traffic on its particular network segment.”
The book’s author is a computer security consultant, author, and researcher. He writes regularly for WindowSecurity.com and his blog, ChrisSanders.org.
If you need or want to know what happens at the packet level in a computer network and how to identify and fix network problems, definitely consider getting this compact, thorough and well-illustrated how-to guide.
– Si Dunn