Wireshark-users: Re: [Wireshark-users] Recommended reading and training for Wireshark and Protoco

From: "Richard Bejtlich" <taosecurity@xxxxxxxxx>
Date: Tue, 31 Oct 2006 23:13:52 -0500
Kim wrote:

May I know from you all Wireshark & Protocol analysis experts your
recommended reading material or training for Wireshark and protocol
analysis? I would like to be able to take a Wireshark trace file and pinpoint
possible communication issues like slow network/server response time,
malware, fragmentation, and others.

Thanks.
Kim

Hi Kim,

When reading your post I just remembered addressing a similar issue in
my Amazon.com review of Charles Kozierok's "The TCP/IP Guide" (TTG):

-begin review excerpt-

For beginners, a better introduction is Jeanna Matthews' "Computer
Networking: Internet Protocols in Action." Matthews' book is shorter
(273 pages), more direct, and packet-example-based, meaning it ships
with a CD-ROM of traces that readers can analyze as they read
Matthews' commentary. The lack of examinations of packet traces is one
of my biggest problems with TTG. If TTG aims to be comprehensive, it
should have looked at real traffic using Ethereal/Wireshark instead of
staying at the specification level.

For intermediate readers, Eric Hall's "Internet Core Protocols: The
Definitive Guide" is a great look at the building blocks of
networking, albeit without IPv6 or application protocols. Hall's book
is also packet-oriented, with examples for each concept.

For expert readers, "Troubleshooting Campus Networks" by Priscilla
Oppenheimer and Joseph Bardwell is outstanding. J. Scott Haugdahl's
"Network Analysis and Troubleshooting" and Kevin Burns' "TCP/IP
Analysis and Troubleshooting Toolkit" are also excellent. All three
show packets.

Those with some networking experience looking for a thorough (but not
packet-example-based) examination should definitely read Adrian
Farrel's "The Internet and Its Protocols: A Comparative Approach."
Farrel demonstrates deep subject matter expertise by showing
similarities and differences between protocols. He also covers
protocols like MPLS and SCTP that are ignored by TTG.

-end review excerpt-

For training, I built my 4-day TCP/IP Weapons School class to teach
packet-level analysis of security events.  I taught the first two days
at USENIX in Vancouver and as a result USENIX invited me back.  :)

I've got a public offering scheduled in DC in December.  You can read
more about it on my Web site:

http://www.taosecurity.com/training.html

Thank you,

Richard