
After the Wireshark Book?

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
I am almost done with the Wireshark book. For those of you that have read it, what was the next protocol analysis book you read? I have a few really good TCP/IP books coming my way (Stevens and the No Starch guide), but I was wondering if anyone had any suggestions for reading on packet analysis after the Wireshark book (and the Nmap book).

I guess also, for follow-up, any packet analysis sites, competitions or other sources of knowledge would be awesome as well. I know there was a really good site I was going to for a while, but I lost the bookmark. It had tons of pcaps and was very open with submissions. I think it might have been part of an IDS/IPS site. Man, I can't remember.

Comments

  • RobertKaucher (Member, Posts: 4,299)
    Sorry to hijack the thread, but was this book worth the $90? I mean, the normal retail price breaks down to nearly $0.15 per page...

    I end up working with Wireshark a lot. So reading the book might be worth my time, but I'm not convinced that the book is worth the coin...
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Sorry to hijack the thread, but was this book worth the $90? I mean, the normal retail price breaks down to nearly $0.15 per page...

    I end up working with Wireshark a lot. So reading the book might be worth my time, but I'm not convinced that the book is worth the coin...

    I'm taking the test at the end of the month so I'll let you know a full review then.


    As of right now, I have learned a few things. I don't feel like my money was wasted. That said, the fact that the book doesn't come with any testing engine (and said engine is a 30 dollar product) pisses me off. I also wish it came with some videos or something.

    You want to talk about coin, the test is $300. I am questioning (even now) whether $400 is too much to be certified on a piece of software. I have been thinking about this for a little while now. At the time when I first thought about taking this test, I thought it would be a good warmup for GCIA, but now that I know I won't get to that until next year, I am wondering about its cost. I mean, $400 would pay for all of the CCNP tests, or at least CWNA and CWSP, I think.

    I was also using the fact that Wireshark is popular on job boards as a justifier as well. I don't know. I do know that this will be my costliest cert in my career.
  • RobertKaucher (Member, Posts: 4,299)
    I was also using the fact that Wireshark is popular on job boards as a justifier as well. I don't know. I do know that this will be my costliest cert in my career.

    Well, this is the major reason that I have been stalled on certs since the start of 2010. I plan on being in my current position for the next three years or more, and I was getting certified as a way to break into the sort of position I am in currently. So spending a lot of my own money on certs is not a priority. But I think that I really need to know how to use Wireshark to get my skills to the next level. And I'm not sure that the book is of much use. Either I will pay a lot to have a book giving me too much info that will go beyond what I need, or it will just not be worth the cost as I have no plan on ever getting the Wireshark cert. I'm working on Practical Packet Analysis right now (going through it slowly) and I think that will have most of the info that I will really need.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Well, this is the major reason that I have been stalled on certs since the start of 2010. I plan on being in my current position for the next three years or more and I was getting certified as a way to break into the sort of position I am in currently. So spending a lot of my own money on certs is not a priority.

    That is exactly how I feel. Part of me is like, forget it, just pick up a few more Cisco certs and such. I have a network engineer job, which was a mini career goal of mine, so now it's just save money (and food and ammo) and just learn.

    Don't tell anyone, but when I found out this job would be pure networking devices and almost no Windows work, I was actually a little sad. In my mind I was like, awww man, no GPOs or workstation refreshes. But then it hit me: time to be a freaking specialist in Network and Network Security (and the lone Linux user lol).

    But I think that I really need to know how to use Wireshark to get my skills to the next level. And I'm not sure that the book is of much use. Either I will pay a lot to have a book giving me too much info that will go beyond what I need, or it will just not be worth the cost as I have no plan on ever getting the Wireshark cert. I'm working on Practical Packet Analysis right now (going through it slowly) and I think that will have most of the info that I will really need.

    This book probably won't be worth it for you. I mean, for me, my goal is close to that area. The funny thing is, part of the reason why I wanted this book was to help me learn analysis so it will be easier for me to learn tcpdump (which isn't as user friendly as Wireshark lol). I feel like I won't be a "real" network (security) engineer until I master at least 2-4. What was really odd was talking to some net engineers I know who just don't look at packets at all. I mean, period. It kind of boggled my mind. But to each his own.

    Back on topic, how do you like that book? I was thinking about picking it up as a post WCNA read and gearing up to the GCIA.

    This is probably better for what I am looking for: http://danielmiessler.com/study/tcpdump/ - I've gone through it before. It's pretty good.
  • docrice (Member, Posts: 1,706)
    As probably the only WCNA holder on this forum (that I'm aware of), I'll tell you straight up that I don't think the certification exam is worth paying for unless you're catering to an organization that recognizes it. Protocol analysis is a skill benefit first, and the certification badge of honor is a far, far distant second. I only got mine because it seemed kind of cool to have, and plus it was relatively easy for me to attain. The cost of the exam wasn't too steep for me either.

    A few hundred bucks can go a long way for a managed switch with SPAN capability, an AirPCap card (if you absolutely must do 802.11 captures on Windows), or other equipment you want to use in your lab to analyze network streams with.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    docrice wrote: »
    As probably the only WCNA holder on this forum (that I'm aware of), I'll tell you straight up that I don't think the certification exam is worth paying for unless you're catering to an organization that recognizes it. Protocol analysis is a skill benefit first, and the certification badge of honor is a far, far distant second. I only got mine because it seemed kind of cool to have, and plus it was relatively easy for me to attain. The cost of the exam wasn't too steep for me either.

    An organization that recognizes the skill or the certification? Also, what do you suggest for post-WCNA?
  • docrice (Member, Posts: 1,706)
    The certification. I think any (decent) organization can definitely respect the skill, but I doubt 99% of IT professionals are even aware that a Wireshark certification exists. And if they do, most will assume it's an exam that just reviews the tool, not the process of analysis.

    I wasn't aware of Practical Packet Analysis, so I'm going to look into that. But after reading the Wireshark book, I'd say do the work. Capture traffic in different conditions: when your system is idle, when you're running certain apps. Read the RFCs, see how operating systems differ in their implementations, try to find out what a network-centric application is doing or if it's phoning home, etc.

    Do it every day. Offer to baseline applications at work for future reference. See the packet. Be the packet. Feel the packet.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • RobertKaucher (Member, Posts: 4,299)
    docrice wrote: »
    The certification. I think any (decent) organization can definitely respect the skill, but I doubt 99% of IT professionals are even aware that a Wireshark certification exists. And if they do, most will assume it's an exam that just reviews the tool, not the process of analysis.

    I wasn't aware of Practical Packet Analysis, so I'm going to look into that. But after reading the Wireshark book, I'd say do the work. Capture traffic in different conditions: when your system is idle, when you're running certain apps. Read the RFCs, see how operating systems differ in their implementations, try to find out what a network-centric application is doing or if it's phoning home, etc.

    Do it every day. Offer to baseline applications at work for future reference. See the packet. Be the packet. Feel the packet.

    This has now been integrated into my theoretical study, development, and practical deployment of systems. Very good, simple advice. Cannot imagine why this did not occur to me.
  • L0gicB0mb508 (Member, Posts: 538)
    docrice wrote: »
    See the packet. Be the packet. Feel the packet.

    I feel inspired. Excuse me while I go watch some packets.
    You are the Mr. Miyagi of packet analysis.
    I bring nothing useful to the table...
  • docrice (Member, Posts: 1,706)
    I feel inspired. Excuse me while I go watch some packets.
    You are the Mr. Miyagi of packet analysis.

    That's actually a quote from Mike Poor in his SANS 503 class.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • L0gicB0mb508 (Member, Posts: 538)
    docrice wrote: »
    That's actually a quote from Mike Poor in his SANS 503 class.

    Haha, actually I do remember him saying that, now that you mention it.
    I bring nothing useful to the table...
  • powerfool (Member, Posts: 1,666)
    The videos and training are on the Wireshark University website. As far as books, I think that is probably about the pinnacle of packet analysis books. I have read others and they are typically junk. You may want to look at the Offensive Security pen testing curriculum and then the stuff from SANS. That is probably about it.

    I got the book to try and use and translate over the Network Instruments Observer, and while the basic tenets are similar, the products don't translate very well. There are features of Wireshark that I really like, and for the money it is fantastic... but I think Observer is better in many aspects... it is just $3k for a license...
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • powerfool (Member, Posts: 1,666)
    docrice wrote: »
    I wasn't aware of Practical Packet Analysis, so I'm going to look into that.

    Yeah, don't bother... that book is the biggest piece of garbage I have ever read. It is technically inaccurate and useless.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    powerfool wrote: »
    Yeah, don't bother... that book is the biggest piece of garbage I have ever read. It is technically inaccurate and useless.

    I think many of those problems were solved in the 2nd edition.
    docrice wrote: »
    The certification. I think any (decent) organization can definitely respect the skill, but I doubt 99% of IT professionals are even aware that a Wireshark certification exists. And if they do, most will assume it's an exam that just reviews the tool, not the process of analysis.

    I wasn't aware of Practical Packet Analysis, so I'm going to look into that. But after reading the Wireshark book, I'd say do the work. Capture traffic in different conditions: when your system is idle, when you're running certain apps. Read the RFCs, see how operating systems differ in their implementations, try to find out what a network-centric application is doing or if it's phoning home, etc.

    Do it every day. Offer to baseline applications at work for future reference. See the packet. Be the packet. Feel the packet.

    Very sound advice. While I have been forcing myself to read RFCs, I most certainly need to do more. Thanks for the advice.
  • powerfool (Member, Posts: 1,666)
    I think many of those problems were solved in the 2nd edition.

    Oh, he finally released the update? I think he owes me a free copy...
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • RobertKaucher (Member, Posts: 4,299)
    powerfool wrote: »
    Yeah, don't bother... that book is the biggest piece of garbage I have ever read. It is technically inaccurate and useless.
    I have the second edition and I believe most of the technical issues were corrected. But I can say I am nearly 1/3 of the way through the book and have learned nothing. I am not very certain that my assessment of it will improve. My opinion from flipping through the rest of it is that it is just too basic. I may learn something to improve my technique, but I'm not expecting much from it. If you have more than a year's experience with Wireshark, then Practical Packet Analysis will be a total waste of money.
  • Everyone (Member, Posts: 1,661)
    docrice wrote: »
    The certification. I think any (decent) organization can definitely respect the skill, but I doubt 99% of IT professionals are even aware that a Wireshark certification exists. And if they do, most will assume it's an exam that just reviews the tool, not the process of analysis.

    I had no idea until I read this thread, and I've been using it since long before it was ever called "Wireshark". Remember Ethereal?