Friday, April 9, 2010

Wireshark Network Analysis

For the last week I've been reading Laura Chappell's new book, Wireshark Network Analysis. I pre-ordered the book and was looking forward to it eagerly.

Overall, it's a superb book. First and foremost, I appreciate the fact that the writing has some personality to it. I've really enjoyed the author's footnotes, anecdotes, and humor.

Second, I like the fact that it's exhaustively thorough with both features and examples. There are relatively few cases where Chappell simply describes a feature without offering an example of how it might be used in practice, and where she does, the use is obvious enough that an example would be unnecessary.

Particularly good are the examples of practical Wireshark tips and tricks in the protocol-specific sections. As an advanced Wireshark user with a thorough background in the internals of common network protocol operations, I was worried that this would be just another set of explanations of how various protocols work. Those explanations are there, but they are interspersed with many great tips and tricks about how to analyze the protocols more quickly and efficiently with Wireshark. I kept thinking, "why didn't I ever think of using that trick before?"

There is a lot here for both beginning and advanced Wireshark users.

I don't have a lot of criticisms to make: I thought the security sections were interesting, but a little dated. Exotic network and transport layer attacks just aren't all that common anymore; it would have been cool to have seen some analysis of a modern application-layer attack in action.

The other thing I would have liked is a discussion of the Lua scripting-language extensions to Wireshark. There is very little out there on the Internet about this so far, and most of what exists is oriented toward expert-level programmers. I was a bit disappointed to not even find Lua in the index. Still, the book is already huge, and adding a section on scripting might have made it unreasonably long. Maybe a volume 2?

Summary: if you use Wireshark, just buy it. This is an amazingly practical, hands-on book that will make you faster and more productive when analyzing network captures.

Blogging disclaimer: I paid full retail price for the book (and managed to somehow miss all the promo coupons) and am not being compensated in any way for this review.