Interview with Chris Sanders, Author of "Practical Packet Analysis"
by Mirko Zorz - Wednesday, 2 April 2008.
Chris Sanders is a Senior Support Engineer for KeeFORCE, a technology consulting firm. Chris writes and speaks on various topics including packet analysis, network security, Microsoft technologies, and general network administration.

What are, in your opinion, the best tools for packet analysis?

If I were to be asked what tool I couldn't live without then it would definitely be Wireshark. Analyzing things at "the packet level" is really where the meat of network analysis is, and to do that you have to have a proper packet sniffing application. There are quite a few of these out there, but Wireshark has always been my favorite for several reasons. First, it is one of the most widely used and accepted packet sniffers, so support is pretty readily available through its large community. Secondly, it has a nice GUI for those who fear the command line, but provides a command line alternative in the form of tshark. Along with these two things, it also uses the WinPCap capture driver which puts capture packets in a standardized format so that they can be exported to other applications if the need arises, allowing for great flexibility. Throw in the fact that it is freely distributed and it is really hard to beat.

Outweighing all of these is the fact that Wireshark is what I am comfortable with. I have found several people who are completely ineffective with Wireshark and will only use an application such as tcpdump, which is absolutely fine. Again, it's all about what tools you are most comfortable with using.

When it comes to managing a large network, how important is the ability to visualize the data flowing across a network?

Important is really understating it. I would say it is near critical. I often like to compare a network analyst working on a computer network to a doctor working on a human body. Regardless of whether you are seeing a cardiac, neurological, or orthopedic specialist, all of these doctors start with basic measurements of your overall well being. Where as a doctor might complete a blood culture, a network analyst will view a protocol hierarchy; where a doctor would complete a full medical history to get baseline of the patients overall health, a network analyst will perform a few packet captures to get a baseline of the networks overall health. The idea here is that you have to know what makes something tick before you can focus in on a specific problem. Visualizing a problem on a network isn't as easy as capturing a couple of packets and looking for the word "ERROR" in big bold print. You have to know what things look like when they are working properly to find the small subtleties that make the difference between a network in optimal health and one that creeps along at an alarming pace. The ONLY way to do this effectively is to be able to interpret the packets that are flowing across the wire.

Based on your experience, what advice would you give to users that are considering deploying wireless networks?

There are two big mistakes I see wireless network administrators make when they deploy a new wireless network.

The first of these is not planning for the future. The wireless administrator will deploy hundreds of access points and entirely blanket a company so that it's employees can have wireless access. This works fine for a while, but what happens when this is a public service entity, such as a hospital or government location, and management decides they want to offer a separate point of wireless connectivity (a hotspot) for non-employees to connect to? In lots of cases, the wireless administrator did not purchase his wireless equipment with this type of growth in mind, and therefore has to bare a lot of expense to upgrade his hardware.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th