Practical Packet Analysis, 2nd Edition

Using Wireshark to Solve Real-World Network Problems
Chris Sanders
July 2011, 280 pp.

All of the royalties from Practical Packet Analysis are donated. Check out where your dollars are going!

It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network?

With an expanded discussion of network protocols and 45 completely new scenarios, this extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data. You'll find new sections on troubleshooting slow networks and packet analysis for security to help you better understand how modern exploits and malware behave at the packet level. Add to this a thorough introduction to the TCP/IP network stack and you're on your way to packet analysis proficiency.

Learn how to:

  • Use packet analysis to identify and resolve common network problems like loss of connectivity, DNS issues, sluggish speeds, and malware infections
  • Build customized capture and display filters
  • Monitor your network in real-time and tap live network communications
  • Graph traffic patterns to visualize the data flowing across your network
  • Use advanced Wireshark features to understand confusing captures
  • Build statistics and reports to help you better explain technical network information to non-techies

Practical Packet Analysis is a must for any network technician, administrator, or engineer. Stop guessing and start troubleshooting the problems on your network.

Author Bio

Chris Sanders is a computer security consultant, author, and researcher. A SANS Mentor who holds several industry certifications, including CISSP, GCIA, GCIH, and GREM, he writes regularly for and his blog. Sanders uses Wireshark daily for packet analysis. He lives in Charleston, South Carolina, where he works as a government defense contractor.

Table of contents

Chapter 1: Packet Analysis and Network Basics
Chapter 2: Tapping into the Wire
Chapter 3: Introduction to Wireshark
Chapter 4: Working with Captured Packets
Chapter 5: Advanced Wireshark Features
Chapter 6: Common Lower-Layer Protocols
Chapter 7: Common Upper-Layer Protocols
Chapter 8: Basic Case Scenarios
Chapter 9: Fighting a Slow Network
Chapter 10: Packet Analysis for Security
Chapter 11: Wireless Packet Analysis
Appendix A: Further Reading

Reviews

"The book is put together in a smart, yet very readable fashion and honestly made me excited to read about packet analysis. Wireshark is a great tool and something every network administrator or engineer should know about."
Lauren Malhoit, TechRepublic

"I'd recommend this book to junior network analysts, software developers, and the newly minted CSE/CISSP/etc.—folks that just need to roll up their sleeves and get started troubleshooting network (and security) problems."
Gunter Ollmann, Chief Technical Officer of IOActive

"The next time I investigate a slow network, I'll turn to Practical Packet Analysis, chapter 9. And that's perhaps the best praise I can offer on any technical book."
Michael W. Lucas, author of Absolute FreeBSD and Network Flow Analysis

"An essential book if you are responsible for network administration on any level."
James Pyles, Linux Pro Magazine

"I really enjoyed this book. Any book that talks about how a protocol works, ties it to real life troubleshooting and security scenarios, and then seals the deal with using a tool is a winner in my book."
Jacob Uecker, Packet Pushers

"I recommend this book to folks that aren’t Wireshark experts. (Even those who have plenty of Wireshark experience may pick up a new trick or two.)"
Jim Clausing, SANS Internet Storm Center Diary

"An excellent jump-start for novices."
Jeremy Stretch

"Where this book really scores is in the step-by-step analysis of typical networking problems and how you need to interpret the captured packets."
Network Security Newsletter

"It makes a great addition for someone in the one-to-three year range of their career. Whether this career is security-centric, network administration, or simply as a hobbyist, Chris Sanders made great work of keeping things simple yet informative for his readers."
J. Oquendo, The Ethical Hacker Network

"Stands out as a book that's a very useful learning resource, and one that makes the learning process a lot of fun."
Peter N.M. Hansteen, author of The Book of PF

"A great way to start learning the tools to understand what is going on under the hood of networks."
Jayson Wylie, Infosec Island

"Very informative. It does a great job of giving readers what they need to know to do packet analysis and then jumps right in with vivid real life examples of what to do with Wireshark."
Daniel Boland

"Are there unknown hosts chatting away with each other? Is my machine talking to strangers? You need a packet sniffer to really find the answers to these questions. Wireshark is one of the best tools to do this job and this book is one of the best ways to learn about that tool."
Brian Turner, Free Software Magazine

"Perfect for the beginner to intermediate."
Daemon News

Errata

Page 10
In the second paragraph below Figure 1-4, "Hub sends those packets to ports 1, 2, 3, and 4" should read "Hub sends those packets to ports 2, 3, and 4".

Page 11
In the caption underneath Figure 1-6, "24-port" should read "48-port".

Page 13
In the caption underneath Figure 1-8, "Cisco" should read "Enterasys".

Page 50
In Table 4-1, the second line in the Examples column reads:
ip addr==

It should instead read:

Page 58
In the paragraph under Figure 4-11, "Given the components of an expression, a qualifier of src and an ID of" should read "Given the components of an expression, a qualifier of dst and an ID of".

Page 110
In the caption underneath Figure 6-34, "TLL" should read "TTL".

Page 115
In Figure 7-1, in the column headed "Bit Offset" the second to last box should read "192" instead of "196" and the last box should read "224+" instead of "228+".

Page 174
In Figure 9-14, the third box underneath Buffer Space Available should read "1000 Bytes" instead of "5000 Bytes".

Page 216
In the middle of the first paragraph underneath the Sniffing One Channel at a Time heading, "the wireless communication medium is the airspace client's share" should read "the wireless communication medium is the airspace clients share".

Page 231
In the second to last paragraph, "the wireless client (00:14:6c:7e:40:80) sends a probe request for the WAP (00:0f:b5:88:ac:82)" should read "the wireless client (00:0f:b5:88:ac:82) sends a probe request for the WAP (00:14:6c:7e:40:80)".