


Grokking TCP/IP and other network protocols is hard. Richard Stevens' classic text, TCP/IP Illustrated Volume 1: The Protocols, is probably the clearest and easiest-to-understand reference you'll find on the topic. Concisely breaking down the protocols at the bit level, this is the place to go if you really want to get your hands dirty in the TCP/IP stack. If you want extra credit, you can even set up a few virtual machines and follow along using Wireshark as a packet sniffer. Once you've got your feet wet, you may also want to delve into these other beautifully rendered protocol diagrams.


Spending a good chunk of my day doing dissections of traces and other things, there are some essential things to know if you want to spend some happy fun time in packetland.

1) wireshark is your friend, but until you know the display filter language and the ins and outs of some of the protocol dissectors like http, you will only be getting about 5% of the functionality. Access to protocol RFCs can also help (e.g. http)

2) looking at individual sessions is fun. pulling apart hundreds of megs or gigs worth of traffic can be skull-crushingly hard to do when dealing with raw pcaps. look at Argus or SANCP for summarizing large traffic dumps.

3) tcpdump -nnqi can be more fun than tshark because it produces minimally decorated ascii output that can be piped through awk/sed/cut/sort stuff.

4) would like to do stuff like pull email attachments from smtp traces and files from ftp/http traces? chaosreader is pretty simple, and usually a pretty good bet. gets lost in some types of traffic, but generally works.

5) daemonlogger is wicked cool if you want to have a rotating ring buffer of network packet storage. As long as you've got access to disk that can keep up with your max burstable bitrates, it is extremely worthwhile to throw a few hundred gig at it to keep the past N days' history of network traffic for those "wtf was that" moments when you wish you could rewind time.

aw crap - forgot one of the most basic - 

6) know the pcap filter syntax also - it is documented in the tcpdump man page. wireshark uses it as a first level of capture filtering.
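As an added example (not part of this thread), here is the kind of awk/sort pipeline item 3 has in mind, run over a constructed sample approximating `tcpdump -nnq` output; the per-pair summary it produces is the small-scale version of what Argus or SANCP do for large dumps (item 2). The field positions assume the constructed line format shown.

```shell
#!/bin/sh
# Constructed lines approximating `tcpdump -nnq` output; not a real capture.
SAMPLE='12:00:00.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: tcp 0
12:00:00.000120 IP 203.0.113.10.443 > 10.0.0.5.51234: tcp 0
12:00:00.000300 IP 10.0.0.5.51234 > 203.0.113.10.443: tcp 517
12:00:01.000010 IP 10.0.0.5.40000 > 10.0.0.1.53: UDP, length 40
12:00:01.000200 IP 10.0.0.1.53 > 10.0.0.5.40000: UDP, length 120
12:00:02.000000 IP 10.0.0.7.22 > 10.0.0.5.50000: tcp 80
12:00:02.000500 IP 10.0.0.5.50000 > 10.0.0.7.22: tcp 0'

# Summarise stdin into one line per "srchost -> dsthost.port":
# packet count, payload bytes, key; busiest pair first.
# The source port (last dotted field) is dropped so ephemeral ports collapse.
talkers() {
    awk '$2 == "IP" {
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/:$/, "", dst)
            len = ($6 == "tcp") ? $7 : $8      # "tcp N" vs "UDP, length N"
            key = src " -> " dst
            pkts[key]++; bytes[key] += len
         }
         END { for (k in pkts) print pkts[k], bytes[k], k }' \
    | sort -k1,1nr -k2,2nr
}

# Wrapper that feeds the constructed sample through the pipeline.
summarise_sample() { printf '%s\n' "$SAMPLE" | talkers; }

summarise_sample
```

On a live box the same `talkers` function works on `tcpdump -nnqr capture.pcap | talkers`.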