Book Review: Practical Packet Analysis

By stretch | Thursday, July 28, 2011 at 1:38 a.m. UTC

I recently received a review copy of the second edition of Practical Packet Analysis by Chris Sanders, a No Starch Press book. No Starch has a tradition of providing excellent real-world explanations of topics that often stray from the beaten path, so I was eager to read a book on packet analysis under their label.

The book lives up to its title, with an emphasis on practical packet analysis. The author assumes no knowledge of packet analysis from page one, and explains some fundamentals of network operation, tapping into a live network, and exploring the Wireshark GUI. (Wireshark is the featured analysis application throughout the book, though the author does list supplementary tools in an appendix.) The rest of the book deals with the science of packet analysis itself and provides numerous true-to-life examples complete with corresponding packet captures (downloadable from No Starch) so readers can play along on their own.

Anyone who has been using Wireshark for years is unlikely to find anything surprising in this book, but it does provide an excellent jump-start for novices, especially those who aren't too familiar with Wireshark. It's also nice to have the steps of various packet analysis scenarios clearly illustrated, not only to serve as a reference for specific scenarios but to embed the common underlying deductive process in the reader's mind.

Chapter Six, Common Lower-Layer Protocols, has been made available for free by No Starch for your consideration. One other neat bit of trivia: Chris has decided to donate all his royalties from sales of the book to the Rural Technology Fund, a non-profit dedicated to furthering IT education for students in rural areas.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Reviews

Comments


John (guest)
July 28, 2011 at 4:13 a.m. UTC

Hi Stretch,

With due respect to all the very good articles you have written, and the good blog you are maintaining, this one seems like a paid review. Thanks.


stretch
July 28, 2011 at 4:21 a.m. UTC

@John: What gave you that impression? While I wouldn't recommend the book for anyone experienced with Wireshark, I think it's an excellent read for a novice. I'm not sure why that would strike you as an unbiased position.

For the record, I have never done and will never do a paid review. I sometimes get stuff for free (like this book), but I don't ask for or accept compensation otherwise. My reviews are generally positive simply because if I don't like something, I don't spend the time to write a review of it.


John (guest)
July 28, 2011 at 4:50 a.m. UTC

Hi Jeremy, I am really sorry if I was wrong... As soon as I see your tweet about a new article, I am the first one to read your articles, because I simply love them.

I don't know what gave me that impression, but it was missing the "Jeremy factor"... And I don't know why!... Well, thanks again for writing good articles. Please ignore my last comment :), and I am not able to find a way to delete it... It was my mistake to reach a conclusion and write it in a public forum.


dark
July 28, 2011 at 2:04 p.m. UTC

John: I had the same feeling. BUT... it didn't come across as a bad thing to me. Even if Jeremy got paid for this, I'm sure he's very selective about what he reviews instead of just raking in cash and reviewing anything and everything so this blog gets filled with crap. I don't believe that.

But if he got paid for this review, why not? It looks to me like he posted his own honest opinion. I have a lot of respect for Jeremy as he puts a lot of effort, time and money into all this candy that we get for free. So if he finds a way to compensate for that, then I support him.

On a side note, and I swear to God this is true: I was looking at the No Starch Press site yesterday because I'm interested in The Book of PF 2nd Ed, and I noticed this book there too and was wondering if it would benefit me. This is a complete coincidence. However, I'm happy to have a little more info now, given to me by a respected network engineer... not bad for a coincidence =)

edit: oh, and it seems he's donating it to a fund. So I see no issue at all ^^


ACKeepingThemHonest (guest)
July 28, 2011 at 9:10 p.m. UTC

"For the record, I have never done and will never do a paid review. I sometimes get stuff for free (like this book), but I don't ask for or accept compensation otherwise."

When your blog was in its infancy you mentioned your strict opposition to income via advertising. "I have a job, thanks" was your mantra, if I recall correctly. How did that work out for you?


Chris Sanders (guest)
July 28, 2011 at 9:57 p.m. UTC

Thanks a ton for the review! I can attest to the fact that this was NOT a paid review. No Starch doesn't pay folks to review their books (beyond providing free review copies), and I certainly don't either. Jeremy hit the nail on the head, though... the book is definitely written exclusively for beginners (although I think intermediate-level folks can still garner a few good things from it). If you are looking for something with a bit more technical meat, I'd recommend Laura Chappell's book "Wireshark Network Analysis".


stretch
July 28, 2011 at 11:25 p.m. UTC

@AC: Who are you keeping honest? When I was working as a contractor in Iraq, I had no need for extra income. When I then became funemployed, I did. And now that I have a house and a wife, I definitely do.

At any rate, don't confuse an interest in legitimate advertising with a moral stance against paid reviews. I realize that wanting to turn even a meager profit from the hundreds of hours of work I put into providing free information and services for the community makes me a horrible person, but if you honestly can't stand an AdSense banner at the top of the page, just don't read the blog.


visibleivan (guest)
July 28, 2011 at 11:42 p.m. UTC

Thanks for the review. I enjoyed Network Flow Analysis from No Starch Press, and a colleague had a similar impression of the first edition of Practical Packet Analysis. Nice quick little reviews like this are welcome and totally reasonable to write up when you are receiving a review copy.


brooksa
July 28, 2011 at 11:44 p.m. UTC

Stretch, I didn't find this to be a biased vendor product review. People need to realize that the FREE community lab and cheat sheets you provide are done from your pocket with help from donations. I am sure donations are not enough to cover power, lab components, lab upgrades and your time, so I have no problem with advertising on the blog, as it helps out the COMMUNITY you have built.


Ben (guest)
July 29, 2011 at 12:41 a.m. UTC

I have been keeping track of web-based services that accept packet dumps for analysis. For checking out smaller packet captures online, there are a couple of tools available: pcapr.net and cloudshark.org. Both are pretty similar to a stripped-down Wireshark. For larger packet captures, the only place I know of is networktimeout.com. It's very different and comes in handy if you want to get an overview of traffic on your network.


Dayne (guest)
July 29, 2011 at 12:58 a.m. UTC

I trust Stretch enough to be honest in his opinions; he's never done anything that I consider worth questioning his integrity over. I recommend No Starch books all the time, and I'm certainly not being paid for it. I don't even get free review copies!

Unless you have a valid reason for distrusting Stretch, I'd take it at face value: a fellow network geek finding value in a product and sharing his opinion with a supposedly like-minded group of his peers.


Luis (guest)
July 29, 2011 at 1:41 a.m. UTC

I read the announcement on Sanders' blog and wanted this book as soon as I saw it. I really like his blog (even though he doesn't update that much), and this article http://chrissanders.org/2011/01/the-10-commandments-of-intrusion-analysis/ was one of the main things that made me get REALLY into security stuff. Definitely going to purchase this one. Big fan =D


Steve (guest)
July 29, 2011 at 2:04 a.m. UTC

Thanks for the review. I would actually like to see more reviews, if time permits. Maybe set up a section for recommended products/books, and maybe another for not recommended, where you really don't bother to write a whole review, just some bullet points as to your thoughts. There are a lot of books and products out there that look good on the cover, but once you start to read, it quickly becomes apparent that they are a dud! This would help me not waste my money, of which I have very little right now.


stretch
July 29, 2011 at 2:18 a.m. UTC

@Steve: Well, I did make this for books I own personally.


achilles
July 29, 2011 at 8:41 a.m. UTC

What is all the fuss about? It's his blog and he will do what he wants.

@Stretch: Maybe you should not respond to every comment you get!


JS (guest)
July 29, 2011 at 2:38 p.m. UTC

This was a very helpful review for me. I had this on my Amazon wish list, but as I'm a long-time Wireshark user, I won't be buying it for myself; I'll be recommending it to beginners instead.


Tony Murphy (guest)
July 29, 2011 at 9:40 p.m. UTC

This is a great little book that I have recommended to a number of telecoms colleagues. I just wish there was an in-between book between this and Laura "Wireshark" Chappell's huge and expensive tome!


alewis
July 30, 2011 at 2:35 a.m. UTC

Stretch, I have actually just found your site recently and appreciate everything you have done here. You put in a lot of time and effort, and so far I trust your opinion greatly. I think you have just totally turned me on to No Starch Press...


SteveO86
July 30, 2011 at 6:52 p.m. UTC

Your review is much appreciated. I've used Wireshark for years and have been contemplating either getting this book or the official book from Wireshark. I was contemplating starting with this book as a starter/primer book, but after your review and your pointing out the free chapter, I will probably skip this.


ttl255
July 31, 2011 at 7:24 p.m. UTC

Stretch,
I really appreciate all your work. Keep it up, and keep us sharp! Thanks


Boo (guest)
August 1, 2011 at 10:51 a.m. UTC

@stretch,

You can't keep everyone happy.

Do not worry about a few people misunderstanding your genuine recommendation as being a paid review. Please do not stop posting your wonderful articles or anything you come across as interesting.


Sigmund C. Munster (guest)
August 3, 2011 at 9:26 p.m. UTC

I see that this is for the second edition. I read the first and was dumbfounded at the number of technical and typographical errors. I suppose you would have mentioned if you came across any, but you may have been influenced by the free Cessna jet you received for posting this review. Did you find many errors? I teach A+/Network+ and I tell people to avoid the first edition if they're interested in learning how to packet sniff.


jsicran (guest)
August 4, 2011 at 1:29 a.m. UTC

Having been a packet head since the ARCNET days, I can tell you this book is worth a look. There were a bunch of protocol analysis books that came out in the mid '90s to early '00s, but not much since. The official Wireshark book is excellent; usually a Laura Chappell or Priscilla Oppenheimer book is great.


jsicuran (guest)
August 4, 2011 at 2:46 p.m. UTC

Some other great protocol analysis books:

Troubleshooting Campus Networks, 2002, Bardwell and Oppenheimer.
Network Analysis and Troubleshooting, Haugdahl.
The Art of Testing Network Systems, Buchanan.

All oldies but goldies on the fundamentals, and you would be surprised what you learn in them. The Campus one is excellent.

Enjoy


omnibrain
August 10, 2011 at 2:26 p.m. UTC

@Sigmund C. Munster
According to the author, these errors were already fixed in a new printing of the first edition. I worked through it 1 or 2 years ago and did not find many flaws, so I assume the author told the truth.


thegreattriscuit (guest)
August 11, 2011 at 5:10 p.m. UTC

I only read about the first half of the comments on this page, so if this has already been said, I apologize...

About the suggestions that this is a paid review: I can see where that comes from, simply from the short and positive format. However, that seems to be more a function of his writing style than anything. Also, I read the book (not sure if this is a 2nd edition, or something) several years ago, and I found it informative and educational. The foundation of packet analysis it provides is just that. You're not going to walk into a site, flip open this book, and find the solution. But it gives a solid introduction to the fundamentals, which, for me, greatly increased my troubleshooting efficiency and allowed me to stop viewing my network as a "black box" (stuff goes in, stuff comes out, but I'm not sure if/when/how any changes are really made).

I've since grown a great deal as a technician, completed my CCNP and WCNA (Wireshark cert) as well as a few others, and agree that, at the stage I'm at now, the book wouldn't be of much use. However, when I read it, it was a great aid and I have recommended it several times since. Packet analysis is an often overlooked aspect of network troubleshooting, when, in fact, it is one of the most powerful and conclusive tools out there.

So I can understand why his review was positive.

As for the comments about Stretch taking advertising... Have you USED the internet lately? This is about the least intrusive form of advertising you can get, and for a guy who is producing a quality product and actively improving the state of our profession, I can't understand how looking for compensation in a manner that doesn't violate the integrity of the site is in any way immoral, wrong, or unjust.


jscott96
August 12, 2011 at 2:15 p.m. UTC

I am not a novice nor am I an expert, but this is a good book! I would and will recommend this to others.

Thanks for the honest review of it.


goofbox (guest)
November 24, 2011 at 8:33 p.m. UTC

Stretch,

I am humbled by your contribution to the community. You have put countless hours of work into sharing your knowledge with others, and I don't think anyone can thank you enough... I hope all is well with you and I really hope you continue to share.


Kamil (guest)
April 22, 2013 at 10:58 p.m. UTC

Hi,

I do not understand the arguments and fights in this discussion. The rule is very simple: respect and focus on the knowledge, and do not get involved in how people earn a living unless it impacts you or harms (I mean harms) others.

Thanks for the review.

Regards,
