Practical Packet Analysis Using Wireshark

Sunday, July 24, 2011

J. Oquendo


Book Review: Practical Packet Analysis Using Wireshark

After hijacking a copy of "Practical Packet Analysis Using Wireshark to Solve Real World Problems" from one of my colleagues, I decided to submit a review for my peers. 

Before moving on though, I would like to give readers of this review a brief overview of my history: I have close to 30 years of computing experience.

Twenty of these years have been professional with over 14 or so years in security and networking specific roles. My day to day duties range as I work at a Telecommunications company which is also a Managed Services Provider.

Those services include: networking (design, administration, monitoring), VoIP (ITSP, trunking, design, configuration, deployment, management), security (SIEM, forensics, incident response, penetration testing, vulnerability assessments, application and code auditing).

My current position is Chief Security Architect at a company I disclose to trusted friends and peers. With this out of the way, I will now move on to the book.

Practical Packet Analysis is a decent book for readers who are relatively new to networking. It makes a great addition for someone in the one to three year range of their career.

Whether this career is security-centric, network administration, or hobbyist, Chris Sanders - the author - made great work of keeping things simple yet informative for his reader. While this is a plus for the entry person, it is also its minus.

Chapters 1 and 2 give an overview of the OSI layer, which I have found many in the IT industry skimp on. Whether you are in the security arena, networking, systems, or programming, understanding the interconnections of protocols and how they operate with one another across the layers should be the first and foremost knowledge one should memorize.

Because Chris took the time to bring this out at the forefront, it will be beneficial to the reader, which once again, I feel would be a junior administrator (one to three years experience).

In the second chapter, Chris gets briefly into mirroring, yet there was little mention about VLANs. In an advanced network - and by advanced I mean a network built by someone with experience - there are a lot of caveats that will frustrate a reader of this book because there is no mention of VLAN monitoring.

Port sniffing VLANs is a different beast with switches offering a variety of different options which will yield different output. For example, in my real world, I am not always concerned with Egress traffic.

Egress is not even a term used in the book. Nor was, say, port mirroring across switches, which in the Cisco world would be labeled: RSPAN, VSPAN, PSPAN. While not a big deal for the junior level professional, it makes a world of difference for the professional.

Chapters 3 and 4 will introduce or re-introduce a reader to Wireshark on a very basic level. This will include introducing the reader into basic filters, basic dissectors and a few of the windows available to the reader.

Chapter 5 is labeled "Advanced Wireshark Features" which is a bit deceptive. Deceptive in the sense that it could have just been included into Chapter 4. When I started this review, I included my background so please take note that I am basing my review on experience.

In no way, shape, form or fashion am I trying to write a scathing review. I have used Wireshark since it was created in 1998 when it was called Ethereal. I use both Wireshark and Omnipeek (which is mentioned in the book) every single day and have done so for well over a decade. I have also contacted Wireshark developers over the years and discovered a vulnerability a few years back [1,2].

Positioning of Chapters 6 and 7 seems a bit confusing. However, I will call this an obsessive compulsive point of view. The two chapters consist of upper and lower layer protocols; however, I believe the reader should have read these two chapters before seeing a chapter called "Advanced Wireshark Features."

While this is not that big of a deal, the author gives a junior reader some solid information into understanding DHCP, DNS, IP, TCP, UDP, ARP, etc. Some of this information should have probably come after chapters 1 and 2 before even getting into Wireshark; however, this is how the book flows. It will come in handy for the reader, don't get me wrong; however, this reader should likely not be a hardcore network engineer or security engineer.

Chapter 8 seems slightly misplaced because of the naming as well. As a reader, you will see "Advanced" followed by "Basic Real-World Scenarios." In this chapter, the "real world" problems seem to be problems one might see in a very small office of perhaps 10-15 users or on a home network. This is not necessarily a "bad thing" however, because of the name of the book "Practical Packet Analysis...", I was expecting a little more.

Chapter 9 will give a brief overview of troubleshooting latency issues but is focused almost exclusively on TCP. The chapter is informative for someone new to troubleshooting and will be very informative to an up-and-coming administrator.

However, following this chapter as any kind of de-facto would be a bit disastrous. In almost all networks I have had my hands in over the years, it pays to focus on all protocols when trying to determine the cause of latency and bottlenecks.

For example, at face value, a reader may interpret this chapter as: "focusing on TCP window sizes, re-transmissions and the like, will let me know why my network isn't slow." This is not always the case; in fact, even now I still see broadcast storms (a term also not even mentioned in the book) bring networks to a crawl. I have also seen UDP and RTSP streams make networks crawl as well.

When I got to Chapter 10, I had been hoping for some meatier security topics; however, I was disappointed. The exploitation section titled: "Operation Aurora" seemed based on the author perhaps configuring Metasploit using its "aurora exploit browser module." This, while giving the reader a briefer on "browser exploits", can also embed a false sense of relevant information, almost misleading.

Because most of us learn by the writings and explanations of others, the reality behind Aurora was, it tunneled data through HTTPS (port 443) and used its own substitution and encoding to avoid detection [3].

Personally, I believe the author misleads anyone trying to get into the security arena by throwing out the term: "Operation Aurora" as the writing has nothing more to do with a browser exploit.

With the vast majority of this book out of the way, to be honest, I decided to simply put the book down after Chapter 10. To be quite candid and fair, as I stated in the beginning, this book is for someone new to networking and/or security; however, there is a lot of information that this book lacks.

If you are planning on getting into serious network analysis and troubleshooting, then this book ranks in what I would say "a slight step up from the For Dummies" series - get it if you need to pass some time and need a quick and dirty intro into Wireshark.

However, if you plan on using and understanding Wireshark to its maximum capabilities and potential, throw in a few more bucks and get Laura Chappell's "Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide." [4]

[1] http://www.wireshark.org/docs/relnotes/wireshark-1.0.14.html
[2] http://secunia.com/advisories/40112
[3] http://www.powersourceonline.com/magazine/2010/12/operation-aurora-attacks
[4] http://www.amazon.com/Wireshark-Network-Analysis-Official-Certified/dp/1893939995/ref=sr_1_1?ie=UTF8&qid=1310915865&sr=8-1

Kerry LeBlanc Good review. I agree that this is a good beginner book. I have used this myself to introduce new people to Wireshark.
Does not compare at all with Laura's book, but overall, nice clean intro.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.