I picked up “Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems” by Chris Sanders recently. Overall, it’s a little fluffy for my taste; I should know better than buying non-ORA, AWP or Cisco Press books, but I’ve heard decent things about No Starch Press somewhere.
If you’ve done any intermediate networking, the first chapter should be a quick review for you. If you’ve done any network troubleshooting with tcpdump/Ethereal/Wireshark, the next few chapters should be review as well. The rest of the book is mostly examples of traffic and how to tell what’s going on. This is nice, but at least once I felt the screenshots weren’t in the right order (DHCP DORA). All in all, I was really hoping this book would be more advanced than it was, but when you head in that direction, the author tells you to read an RFC.
There wasn’t any talk about TCP checksum offloading that I saw, or the heavier stuff like Chimney that Microsoft is doing now, which I don’t know anything about. Since I picked up the book because I’m having weird TCP segment timeouts and getting different traffic out of Wireshark on the server and on my workstation, I was hoping for more information specific to this problem. Back to RFCs and Google, I guess.
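Editor's note, not from the book or the post's author: with transmit checksum offload enabled, the kernel hands each outgoing segment to the NIC with the TCP checksum field unfinished (Linux stores only the pseudo-header sum and lets the NIC compute the rest), and a capture on the sending host is taken before the NIC runs. Wireshark therefore reports "checksum incorrect" for every outbound segment on the sender while a capture on the receiver, or on a span port, shows the same segments as valid. That is one common reason the same flow looks different on a server and on a workstation, and it is what Wireshark's "Validate the TCP checksum if possible" preference is there to switch off. The example below is written for this note, not taken from the book: it computes the RFC 793 checksum over the IPv4 pseudo-header for a constructed segment and shows that the offload placeholder fails validation while the NIC-completed segment passes. The addresses, ports and payload are made up, and `offload_placeholder` is the editor's approximation of what Linux leaves in the field.

```python
import struct

# Constructed sample endpoints; not taken from any real capture.
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([10, 0, 0, 5])
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words with end-around carry, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is padded with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, TCP length (header+data)."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: one's complement of the sum over the pseudo-header plus the
    segment with its own checksum field (bytes 16-17) taken as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """The check Wireshark's TCP checksum validation performs, minus the IP layer."""
    (carried,) = struct.unpack("!H", segment[16:18])
    return carried == tcp_checksum(src_ip, dst_ip, segment)


def offload_placeholder(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> int:
    """Approximation (editor's assumption) of what Linux leaves in the checksum field
    when TX checksum offload is on: the uncomplemented pseudo-header sum, which the
    NIC completes over the rest of the segment after the capture point."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, checksum=None):
    """Minimal TCP segment: 20-byte header (no options) plus payload.
    checksum=None fills in the correct value (what the wire carries after the NIC
    has run); an explicit value is written as-is (what a sender-side capture sees)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def demo() -> dict:
    """The same segment as seen from three places: the sender with offload on, the
    wire (or the receiver), and a copy corrupted in transit. Returns the verdicts."""
    payload = b"GET / HTTP/1.0\r\n\r\n"          # constructed payload
    args = (SRC_IP, DST_IP, 40000, 80, 1000, 1, 0x18, payload)
    on_wire = build_segment(*args)
    at_sender = build_segment(*args, checksum=offload_placeholder(SRC_IP, DST_IP, len(on_wire)))
    # One's complement arithmetic: changing one word changes the sum, so this is caught.
    corrupted = on_wire.replace(b"GET", b"PUT")
    return {
        "sender_capture_ok": tcp_checksum_ok(SRC_IP, DST_IP, at_sender),
        "receiver_capture_ok": tcp_checksum_ok(SRC_IP, DST_IP, on_wire),
        "corrupted_ok": tcp_checksum_ok(SRC_IP, DST_IP, corrupted),
        "checksum": tcp_checksum(SRC_IP, DST_IP, on_wire),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints a failing verdict for the sender-side copy and a passing one for the on-wire copy, which is exactly the split between a capture on the server and a capture elsewhere on the path. Before chasing "bad checksum" warnings as a network fault, capture on a receiver or a span port, or disable offload on the capturing host with `ethtool -K <iface> tx off` on Linux, and see whether the warnings disappear.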
If you consider yourself a senior Linux systems administrator, most of this should be review for you. If you haven’t done much traffic analysis in the past, it’s worth picking up and reading. It’s a pretty light read; I didn’t skip any chapters but did skim a few, and it was only a few hours of reading.