Book Review - Practical Packet Analysis by Chris Sanders

By Lauren Malhoit

Takeaway: A new book by Chris Sanders makes reading about packet analysis interesting.

I’ve been looking for a good way to really dive into Wireshark for a while now.  There’s Wireshark University, plenty of blogs and webcasts, and great information on the Wireshark website.  However, I’ve never really been able to stay focused using these various types of media.  There’s almost too much information out there and without knowing where to start, it’s a little overwhelming (and packet analysis can be a little dry, there…I’ve said it).  Then I came across the book Practical Packet Analysis by Chris Sanders from No Starch Press and I honestly had trouble putting the book down.  It made reading about packet analysis interesting because it made it about things that I have to deal with at work every day.  It included several packet captures (if you go to the website and download them) along with pictures in the book.  The pictures were great, but the actual captures that could be manipulated and seen on my monitor provided an even better understanding of what I was looking at.

The book is set up in a very logical way.  You start reading about the very basics in Chapter One, such as how network devices differ (ex: a router vs. a switch and what they do with packets), the OSI model, and multicast vs. unicast vs. broadcast.  These are things every network administrator/engineer should probably already know, and the book even says you can feel free to skip ahead, but it’s not a bad little review and the rest of the chapters build on it.  In Chapter Two it gets a little more technical by describing various protocols and how they work, such as ARP, how ARP works with NICs in promiscuous mode and why this is important to packet sniffing.  It also talks about the best ways to sniff a network, which is something that completely makes sense once you do it or read about it, but you may not immediately know the answer to if you’ve never done it.

I found it particularly interesting in Chapter Four when it goes through setting up filters using the Berkeley Packet Filter Syntax.  I know I’ve fumbled around with Wireshark before and maybe entered an IP address or something in the filter area, but this actually goes through and explains the syntax used to get more complex filters and therefore more efficient filtering.  The book also explains how to use Wireshark’s built-in Filter Expression Dialog wizard to create filters if you don’t want to create them yourself.  This is also when Sanders starts really getting into the TCP protocol and explaining various parts using the .PCAP (capture) files included.  He literally goes through the examples packet by packet to explain what’s going on, each syn and ack accounted for.
From here, the next few chapters describe various tools in Wireshark that can be used to make the network administrator’s life a little easier.  Examples of these are the Conversations Tool, Protocol Hierarch Statistics, Following TCP streams, Flow Graphing and Exporting information into a composite capture.  Sanders explains things as if you were just having a beer together and sharing stories.  I’ve been reading more and more technical books that don’t require you to be an ubergeek to figure out what they’re talking about, and this book is definitely one of them.  I’m hoping it’s a fad that never dies out!
Later in the book it goes into real-world scenarios, such as sniffing Facebook and Twitter traffic.  I was surprised to find out how much information is not encrypted!  Of course, everyone has covered their bases on logins, but what about private messages, and private Twitter accounts?  I think a lot of people will be shocked to find some of these messages are NOT encrypted!  Other real-world scenarios included figuring out why your network is slow.  This, by far, was the most interesting information to me.  He gives a few examples on how to figure out whether there is wire latency, client latency, or server latency.  Though Wireshark may not solve all your problems for you, it can be a huge help narrowing down where the issues lie.

In the last two chapters, he goes through using Wireshark for security and for wireless networks.  He admits that these two chapters could be entire books unto themselves, but these chapters are there just to help you get your feet wet and I think they were important chapters to include.  In the security chapter, Sanders talks a lot about reconnaissance.  It’s interesting to know that an attacker can merely run a tool like Wireshark and fingerprint your entire network to know which Operating Systems you’re using just by the ports in use.  It also talks about how one can use their Intrusion Detection System (IDS) with Wireshark to narrow down security threats.  A real-world example using Snort is given in the book. The wireless chapter is also interesting (and could quite possibly be an add-on to the security chapter).  He again starts with an explanation of the NICs, various channels networks will be on and how it’s different in Windows and Linux.  He explains that you may need an AirPCAP USB if your wireless NICs aren’t compatible (or if you’re using a virtual machine — from my own experience).

There is a wealth of information covered in this 240 page book, including suggestions for more reading to build on your Wireshark/network knowledge.  The book is put together in a smart, yet very readable fashion and honestly made me excited to read about packet analysis.  Wireshark is a great tool with multiple uses and is something every network administrator/engineer should know about, especially in an SMB (read: it’s free).