// Comparison

Linux Firewalls vs Practical Packet Analysis: Which Should You Read?

Two cybersecurity books on Networking, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52007

Linux Firewalls

Attack Detection and Response with iptables, psad, and fwsnort

Michael Rash

Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.

Beginner

4/52017

Practical Packet Analysis

Using Wireshark to Solve Real-World Network Problems

Chris Sanders

Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.

Read this if

Linux administrators and defensive practitioners who need to actually configure a firewall, not just understand the concept. Rash's iptables coverage remains the cleanest practical introduction; psad and fwsnort for the active-response side.

Anyone who needs to read pcaps fluently: SOC analysts, incident responders, network engineers, security students. Sanders teaches Wireshark at exactly the level that turns the tool from intimidating into a working extension of your hands.

Skip this if

Readers fully on nftables / firewalld / cloud-native security groups, or anyone wanting an architecture-level treatise. The book is hands-on iptables rules and analysis, not a strategic frame.

Readers wanting deep protocol theory, custom-protocol auditing, or attack-side network research. For depth beyond troubleshooting and IR, follow with Attacking Network Protocols (Forshaw) and Silence on the Wire (Zalewski).

Key takeaways

iptables remains the foundational mental model; even in nftables-or-eBPF environments, understanding match-and-target chains is required to read the rule sets the field still ships.
Active response is a real defensive option that's easy to overstate; the book's chapter on the trade-offs is appropriately cautious.
Port scanning detection (psad) and signature-based blocking (fwsnort) are still useful primitives that punch above their weight in budget-constrained environments.

Capture filters are how you avoid drowning in volume; display filters are how you find the needle. The book teaches both fluently in the first hundred pages.
Reading TCP behaviour at the packet level (handshakes, retransmits, resets) is the core skill that makes every later analysis question tractable.
Wireshark's profile, coloring rule, and decode-as features turn it from a tool into a workflow; the book's chapter on customisation pays back fast.

How they compare

Linux Firewalls and Practical Packet Analysis are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Linux Firewalls is pitched at intermediate level. Practical Packet Analysis is pitched at beginner level. Read the easier one first if you're not yet comfortable with the topic.

Linux Firewalls and Practical Packet Analysis both cover Networking, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading