// Comparison

Practical Packet Analysis vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Networking, compared honestly: who each is for, what each does best, and which to read first.

Beginner

4/52017

Practical Packet Analysis

Using Wireshark to Solve Real-World Network Problems

Chris Sanders

Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Anyone who needs to read pcaps fluently: SOC analysts, incident responders, network engineers, security students. Sanders teaches Wireshark at exactly the level that turns the tool from intimidating into a working extension of your hands.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Readers wanting deep protocol theory, custom-protocol auditing, or attack-side network research. For depth beyond troubleshooting and IR, follow with Attacking Network Protocols (Forshaw) and Silence on the Wire (Zalewski).

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Capture filters are how you avoid drowning in volume; display filters are how you find the needle. The book teaches both fluently in the first hundred pages.
Reading TCP behaviour at the packet level (handshakes, retransmits, resets) is the core skill that makes every later analysis question tractable.
Wireshark's profile, coloring rule, and decode-as features turn it from a tool into a workflow; the book's chapter on customisation pays back fast.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Practical Packet Analysis). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Practical Packet Analysis is a useful follow-up.

Practical Packet Analysis is pitched at beginner level. The Practice of Network Security Monitoring is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.

Practical Packet Analysis and The Practice of Network Security Monitoring both cover Networking, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading