A network troubleshooting book to add to your collection
Rating: 4/5
As a network security monitoring analyst, I like to read network troubleshooting books. They help me understand protocols I see on the wire, usually using case studies that are far more exciting than reading dry Request For Comment (RFC) documents. "TCP/IP Analysis and Troubleshooting Toolkit" (TAATT) isn't a "tool" book like Wiley's "Network Performance Open Source Toolkit." Rather, TAATT tries to explain the operations of many popular protocols. It does a fairly good job, and deserves a look.
TAATT's best material appears in ch. 8, "Microsoft-Related Protocols." While it makes little sense to include DHCP in this chapter (DHCP isn't used exclusively by Microsoft), the explanations of NetBIOS and Server Message Block (SMB) are helpful. The author explains the right aspects of NetBIOS and SMB and leaves the rest to other sources. (Two new books merit mention -- "Implementing CIFS: The Common Internet File System" and "The Official Samba 3 How-To and Reference Guide.") I also enjoyed case studies on firewalls offering artificial MAC addresses in ch. 3 and descriptions of "hidden master" DNS servers in ch. 7.
On the down side, the book has a handful of typos, plus a major error in ch. 7 regarding active vs. passive FTP modes. Page 271 states "the PASV command allows you to use what is called a passive file transfer, whereby the client initiates the port 20 connection to the server... In Frame 23, you see the server responding with the port and IP address pair for the client to use in making its port 20 connection to the server." This is false; the traffic trace shows the passive data transfer comes from port 2392 TCP on the client to port 4293 on the server. This may not seem like a big deal, but this is a book explaining how protocols work!
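The reviewer's objection is about which endpoint opens the data connection and on which port. The following is an added example, not code from the book or its publisher's traces: it decodes the two control-channel lines that set up an FTP data connection (RFC 959's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and the "PORT h1,h2,h3,h4,p1,p2" command) and describes the connection that follows. The IP addresses and the sample lines are constructed; the port bytes were chosen so that they decode to the 4293 and 2392 the reviewer quotes from the trace. The address check mirrors what a hardened client or a stateful firewall does when it refuses a PASV reply that advertises an address other than the control connection's peer.

```python
import re

# Constructed sample lines (not from the book's tracefiles). 16*256+197 = 4293
# and 9*256+88 = 2392, the ports the reviewer cites from the trace.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,16,197)"
SAMPLE_PORT_CMD = "PORT 192,0,2,20,9,88"

_SIX_NUMS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX_NUMS + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX_NUMS + r"\s*$", re.IGNORECASE)


def _decode_hostport(groups):
    """Turn the six h1..h4,p1,p2 byte values into an (ip, port) pair."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("host/port byte out of range (each must be 0..255)")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def parse_pasv_reply(line):
    """Parse the server's 227 reply. The port is chosen by the server and
    is whatever it advertises; it is not port 20 (that port only appears
    as the server's *source* port in active mode)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.groups())


def parse_port_command(line):
    """Parse the client's PORT command (active mode): the client names the
    address and port it will listen on for the server's data connection."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.groups())


def describe_data_connection(line, client_ip, server_ip):
    """Describe the data connection that follows one control-channel line.

    client_ip / server_ip are the endpoints of the control connection
    (port 21). 'address_ok' is False when the advertised address differs
    from the control-channel peer, which a careful client or firewall treats
    as a reason not to open (or not to permit) the data connection."""
    stripped = line.strip()
    if stripped.upper().startswith("PORT"):
        ip, port = parse_port_command(stripped)
        return {
            "mode": "active",
            "initiator": "server",
            "src": (server_ip, 20),   # server connects *from* port 20
            "dst": (ip, port),        # to the port the client announced
            "address_ok": ip == client_ip,
        }
    ip, port = parse_pasv_reply(stripped)
    return {
        "mode": "passive",
        "initiator": "client",
        "src": (client_ip, None),     # ephemeral client port, not 20
        "dst": (ip, port),            # server-chosen port, not 20
        "address_ok": ip == server_ip,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PASV_REPLY, SAMPLE_PORT_CMD):
        print(sample, "->", describe_data_connection(sample, "192.0.2.20", "192.0.2.10"))
```

Running the block on the constructed PASV reply reports a passive transfer initiated by the client toward server port 4293, which is what the reviewer says the trace actually shows, and the PORT sample reports the server connecting from port 20 to client port 2392, the only case in which port 20 is involved at all.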
Overall, I liked TAATT. I found the Shockwave videos and tracefiles posted to the publisher's web site to be good references, although not all traces discussed in the book are reproduced on the Web. Along with Haugdahl's "Network Analysis and Troubleshooting" and Bardwell/Oppenheimer's "Troubleshooting Campus Networks," you should get a good sense of how many popular protocols operate. Note all three books tend to sidestep the use of port 445 TCP to offer SMB directly over TCP, concentrating on SMB over NetBIOS over port 139 TCP. Everyone still talks about primary and backup domain controllers, although Windows 2000 uses Active Directory with all domain controllers being "primaries." Windows 2000 prefers port 445 TCP, but no one shows traces of its activities. (Only Haugdahl has an excuse -- Addison Wesley published his book in 2000.)