 | | |
| Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems | 
| Author: Chris Sanders
Publisher: No Starch Press
Category: Book
List Price: $39.95
Buy New: $22.17
You Save: $17.78 (45%)
Buy New/Used from $21.05
Avg. Customer Rating:  (6 reviews)
Sales Rank: 147275
Format: Illustrated
Media: Paperback
Number Of Items: 1
Pages: 192
Shipping Weight (lbs): 0.8
Dimensions (in): 9.1 x 6.9 x 0.7
ISBN: 1593271492
Dewey Decimal Number: 004.66
EAN: 9781593271497
ASIN: 1593271492
Publication Date: May 23, 2007
Availability: Usually ships in 1-2 business days
|
| Editorial Reviews:
Product Description
It's easy enough to install Wireshark and begin capturing packets off the wire--or from the air. But how do you interpret those packets once you've captured them? And how can those packets help you to better understand what's going on under the hood of your network? Practical Packet Analysis shows how to use Wireshark to capture and then analyze packets as you take an indepth look at real-world packet analysis and network troubleshooting. The way the pros do it.
Wireshark (derived from the Ethereal project), has become the world's most popular network sniffing application. But while Wireshark comes with documentation, there's not a whole lot of information to show you how to use it in real-world scenarios. Practical Packet Analysis shows you how to: - Use packet analysis to tackle common network problems, such as loss of connectivity, slow networks, malware infections, and more
- Build customized capture and display filters
- Tap into live network communication
- Graph traffic patterns to visualize the data flowing across your network
- Use advanced Wireshark features to understand confusing packets
- Build statistics and reports to help you better explain technical network information to non-technical users
Because net-centric computing requires a deep understanding of network communication at the packet level, Practical Packet Analysis is a must have for any network technician, administrator, or engineer troubleshooting network problems of any kind.
|
| Customer Reviews: Read 1 more reviews...
 An excellent guide to true understanding of how a network works November 5, 2007
1 out of 6 found this review helpful
This is one of the best books, of hundreds, that I have ever put my hands on. I work as technical instructor for a Cisco Learning Parnter and I have been in IT for 15 years, teaching for the last 4. I encourage students of entry level networking classes to read this as well as students of my advanced firewall, intrusion detection and hacking classes. While I have read other books in the past that cover packet analysis or ethereal on it's own, this book is different because it can be easily digested on one weekend. The points are clear and concise and the books stays interesting.
 Packet traces don't match the text September 8, 2007
15 out of 18 found this review helpful
The conversational style of the book and the basic idea are very sound. Some of the information is well presented. So we'll start with 5 stars and see where we end up.
There are some typos and errors in the book (the Syn-Ack-Ack mentioned in two reviews is simply a typo in the diagram, the text on the same page correctly has it as Syn-Syn/Ack-Ack). Unfortunately, there are more serious errors than this, so there goes one star.
This is clearly a beginner's book, so some basic configuration explanations are needed to get Wireshark (and Cain and Able) set up properly. When the novice is presented with multiple network interfaces they can capture from, how do they decide which is the one to use? The author provides no help here, so the novice can do nothing but try each one in turn and see which one works. In my case, since I was using a notebook with a wireless connection, none of them worked in either program. Turning off promiscuous mode in Wireshark did the trick, but the author should have explained the need for that in the text. This book is about using these tools, so not explaining the basics is worth a star.
I downloaded the sample traces. The first one I tried: wrongdissector.dmp wasn't in the archive. An oversight perhaps? Let's try the next one in the text: suspectemployeechat.dmp. The content of this trace doesn't match the text all: the two individuals are chatting on a similar topic, perhaps, the contents of their conversation is complete different. There is no way to reconcile it with the text. Now we've moved from oversight to rubbish. Say goodbye to another star.
Final score: two stars out of five. If the publisher and/or their agents reads these reviews (they appear to have written some of them), please issue an errata and fix the download.
 Could be reviewed much better. July 3, 2007
6 out of 6 found this review helpful
I bought also "Computer Networks: Internet Protocols in Action
by Jeanna Matthews". Both as reference books. See also my review on that.
Let's start by saying it's very annoying if you have to read other material or have some doubt about your own knowledge concerning specific topics and then afterwards it proved to be your understanding and assumptions WHERE RIGHT and the book presented something wrong like the three way TCP way handshake is not SYN - ACK - SYN, Richard Bejtlich mentioned. These are crucial aspects of protocol understanding, the main reason you would buy a book like this. Nevertheless some faults can be made and maybe in the next version of the book this is reviewed and solved.
Rob Faber [CISSP, CEH, MCSE]
Security Consultant
The Netherlands
A disappointment -- this author does not understand basic networking, so newbies will be misguided June 23, 2007
111 out of 119 found this review helpful
To use "American Idol" lingo, you've already read reviews by Randy Jackson and Paula Abdul. It's time for the truth from Simon Cowell -- Practical Packet Analysis (PPA) is a disaster. I am not biased against books for beginners; see my five star review of Computer Networking by Jeanna Matthews. I am not biased against author Chris Sanders; he seems like a nice guy who is trying to write a helpful book. I am not a misguided newbie; I've written three books involving traffic analysis. I did not skim the book; I read all of it on a flight from San Jose to Washington Dulles. I do not dislike publisher No Starch; I just wrote a five star review for Designing BSD Rootkits by Joseph Kong.
PPA is written for beginners, or at least it should be intended for beginners givens its subject matter. It appears the author is also a beginner, or worse, someone who has not learned fundamental networking concepts. This situation results in a book that will mislead readers who are not equipped to recognize the numerous technical and conceptual problems in the text. This review will highlight several to make my point. These are not all of the problems in the book.
p 21: This is painfully wrong on multiple levels: "When one computer needs to send data to another, it sends an ARP request to the switch it is connected to. The switch then sends an ARP broadcast packet to all of the computers connected to it... The switch now has a route established to that destination computer... This newly obtained information is stored in the switch's ARP cache so that the switch does not have to send a new ARP broadcast every time it needs to send data to a computer." This misconception is aggravated on p 62 in the discussion of ARP.
p 65, Figure 6-5: The TCP three way handshake is not SYN - ACK - SYN.
p 78, Figure 7-3: The TCP three way handshake is not SYN - ACK - ACK.
p 79: Packet 5 is not "the packet that was lost and is now being retransmitted." Packet 2 is.
p 80: There is no "ICMP type 0, code 1 packet."
p 85: This boggles the mind: "Immediately after that ARP packet, we see a bunch of NetBIOS traffic... If that other IP address wasn't a sign that something is wrong, then all of this NetBIOS traffic definitely is. NetBIOS is an older protocol that is typically only used as a backup when TCP/IP isn't working. The appearance of NetBIOS traffic here means that since Beth's computer was unable to successfully connect to the Internet with TCP/IP, it reverted back to NetBIOS as an alternate means of communication -- but that also failed. (Anytime you see NetBIOS on your network, it is often a good sign that something is not quite right.)"
p 85: This "troubleshooting" example highlights the different default gateways for Barry and Beth as being the "biggest anomaly" causing Beth's computer to not work. The author ignores the fact that Barry and Beth have computers with the same MAC addresses.
p 89: Traces recorded at a client and server are compared. The author says "The two capture files look amazingly similar; in fact, the only difference between the two files is that the source and destination addresses on the SYN packets have been switched around." Good grief.
p 106: Another "troubleshooting" scenario wonders if a "slow network" problem is related to the fact that tracerouting out from a host fails to produce a response from the router. However, the traceroute continues past the router, so connectivity exists (missed by the author). He says "we know our problem lies with our network's internal router because we were never able to receive an ICMP response from it. Routers are very complicated devices, so we aren't going to delve into the semantics of exactly what is wrong with the router."
pp 107-8: Yet another "troubleshooting" issue wonders why seemingly "double packets" are seen while sniffing on a host. The author wonders if "misconfigured port mirroring" could be the problem, ignoring his statement that the trace was collected on the host in question. He doesn't notice that each "double packet" has a unique MAC address pairing, i.e., packet 1 involves 00:d0:59:aa:af:80 > 00:01:96:3c:3f:54 and packet 2 involves 00:01:96:3c:3f:a8 > 00:20:78:e1:5a:80. Assuming 00:d0:59:aa:af:80 is the only MAC address for the troubled host, there is no way this machine could see traffic "bouncing back" -- the destination MAC address for the dupe packet is 00:20:78:e1:5a:80.
p 110: Another "troubleshooting" example fails to recognize that packets 1-18 and 29 are part of one unique TCP session, and 19-28 are an entirely different session. Packet 29's RST ACK is not an "acknowledgement" of the RST in packet 28; besides not being an actual protocol mechanism, those packets are from different sessions anyway!
p 112: "More ominously, most of the traffic is being sent with the TCP PSH flag on, which forces a receiving computer to skip its buffer and push that traffic straight through, ahead of any other traffic. That is almost always a bad sign." It's a bad sign when you don't know what you're talking about, apparently.
p 129: "Display filters make it easy to search for traffic such as DCEPRC (sic), NetBIOS, or ICMP, which should not be seen under normal circumstances." I guess Windows networks never use at least DCERPC regularly?
This book should not have been published. The author should sit down with Interconnections, 2nd Ed by Radia Perlman, Troubleshooting Campus Networks by Priscilla Oppenheimer/Joseph Bardwell, and The Internet and its Protocols by Adrian Farrel, and learn how networks operate. Then he should have Gerald Combs REALLY provide a technical edit of PPA, since it's clear Mr Combs probably skimmed this book without catching the issues noted above.
The only positives I can say for PPA is that, like other No Starch books, it's form factor and readability is excellent. The diagrams are clear (albeit often misunderstood) and the obvious typos are few. As far as learning anything, the mention of "Expert Infos" on p 100 was nice.
A must have for packet analysis June 19, 2007
2 out of 11 found this review helpful
This book is well written and easy to read and understand. The author covers the basics of the WireShark protocol analyzer, and provides real-world examples of what could go wrong with your network, as well as examples of what a well running one look like.
|
|
|
Powered by: Dknc, inc. and Amazon.com | | 
For your safety and security, orders are processed through amazon.com
|
|
|
|