Here is a quick review of a book about the well-known network sniffer: Wireshark. This book is part of a new collection called “Instant” published by Packt Publishing. This is an interesting idea for people who don’t have the time to (or don’t want to) read a classic 200-page book, or who need to go straight to the minimum required to start using a tool. This book has 68 pages and is of course cheaper!
What about “Wireshark Starter”? The subtitle says “A quick and easy guide to getting started with network analysis using Wireshark”. It describes the book correctly, but I’d like to qualify it: don’t expect to be able to do network analysis after reading only this book! There is no coverage at all of TCP/IP or other protocol basics. But you will be able to use Wireshark the right way, that’s true!
The book is divided into a few chapters. After a classic brief introduction, the author starts with a first chapter about the installation of Wireshark. Nothing fancy: download the archive, installer or package and install it. Installation from the source tree is also covered. In my opinion, this was not required. Except for specific usages, who compiles tools like Wireshark today?
The second chapter dives directly into the core function of Wireshark: the first packet capture. How do you select the network interface? What are the core GUI components (capture panel, packet details panel and bytes panel)? And, more important, how do you work with filters to be sure to capture the right data? Good point: the author covers both filter types, capture filters and display filters! Another great feature covered in the book: the coloring scheme and how to customize it to your needs.
The next chapter describes the top-5 features you need to know about Wireshark. They are:
- Working with streams
- Decoding packets and exporting objects
- Getting statistics about the captured data
- Name resolution and packet reassembly
- Command line tools (tshark, rawshark, editcap, mergecap or text2pcap)
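As an added illustration of two of the features listed above, working with streams and packet reassembly, here is a small Python script (my own example, not code from the book or from the Wireshark project) that does by hand what Wireshark’s “Follow TCP Stream” does: it reads a minimal pcap file, groups TCP segments per connection, puts them back in sequence order and drops retransmitted bytes. The capture is constructed inline; the addresses, ports and HTTP request are assumptions.

```python
import struct
from collections import defaultdict

def _segment(seq: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame (assumed client 10.0.0.1:40000 -> 10.0.0.2:80)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

# Constructed sample capture: one HTTP request split over three segments, with
# the middle segment arriving last and the first one retransmitted.
FRAMES = [_segment(1000, b"GET /index.html"), _segment(1024, b"\r\n\r\n"),
          _segment(1000, b"GET /index.html"), _segment(1015, b" HTTP/1.0")]
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
for n, frame in enumerate(FRAMES):
    PCAP += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame

def follow_tcp_streams(pcap: bytes) -> dict:
    """Map (src, sport, dst, dport) -> payload bytes in sequence order,
    dropping retransmitted bytes, the way 'Follow TCP Stream' shows them."""
    segments, off = defaultdict(list), 24              # 24 = pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                # not IPv4
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                                 # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        doff = (tcp[12] >> 4) * 4
        key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
        segments[key].append((seq, tcp[doff:]))
    streams = {}
    for key, segs in segments.items():
        data, expected = b"", None
        for seq, payload in sorted(segs):              # reorder by sequence number
            end = seq + len(payload)
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]     # bytes already seen: retransmission
            data += payload
            expected = end if expected is None else max(expected, end)
        streams[key] = data
    return streams
```

Running `follow_tcp_streams(PCAP)` on the constructed capture yields the single request `GET /index.html HTTP/1.0` followed by the empty line, exactly once, despite the out-of-order and duplicated segments.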
The last chapter is a small exercise: the analysis of a pcap file (a malware analysis) is performed step by step using Wireshark (the URL of the pcap is given in the book). I found this a very good idea! Finally, some online references are listed: documentation, tutorials, forums, etc.
What to say about this book? Wireshark is a classic tool, used by many people from many different areas of IT: security analysts, system admins, network admins and more. If you have no experience with Wireshark, one day for sure it will help you. The book is definitely for beginners. It’s NOT a cookbook. As said before, it will not spare you from needing a knowledge of protocols!
A final remark: in the installation chapter, the author could have added a note about the importance of Wireshark patches! Wireshark is a tool that works exclusively with data grabbed from untrusted sources, and new security issues are regularly discovered in its protocol decoders (mainly buffer overflows). Keep your Wireshark always up to date!
The book is available online here (several versions available).