
Wireshark is downloaded over 500,000 times per month on average

Wireshark University

Get Certified on the World's Foremost Network Protocol Analyzer


Exam Version 100.1 [Wireshark version 1.4.x] 05/09/2011

Welcome to Wireshark University and the Wireshark Certified Network Analyst Program
Wireshark (formerly Ethereal) has become the de facto industry standard open source product for network analysis, troubleshooting and security. Over 500,000 IT professionals worldwide download Wireshark each month. Wireshark has proven to be a necessary tool for locating the cause of network performance issues and identifying security breaches. In addition, Wireshark is used in worldwide multi-vendor training programs to visualize network communication processes.

The Wireshark Certified Network Analyst Exam was designed to confirm individual competencies in using Wireshark to locate the cause of network problems (poor performance or security-related) and confirm your knowledge of TCP/IP network communications in general. The Wireshark Certified Network Analyst Exam was DoD 8570 certified by the U.S. Army in 2009. The Exam is based on the thirty-three areas of study defined in the Exam Focus and Content section of this document. The four primary areas covered in this Exam are:

  Wireshark Functionality
  TCP/IP Network Communications
  Network Troubleshooting
  Network Security

Register for the Wireshark Certified Network Analyst Exam at www.webassessor.com/pai.

For more information visit www.wiresharktraining.com/certification


[v100.1b 05092011]

Contents

Exam Overview
  Online Proctored Exam Version
  Exam Time Limit/Question Count
  Exam Pricing
  Pass/Fail Grading
  Question Formats
  Test Retake Procedure
  Exam Registration
  Taking Your Proctored Exam
  Acceptable Forms of Identification
  Closed Book Policy
  Cancellation/Rescheduling Details
  Cancellation/Rescheduling within 72 Hours of Your Exam Appointment
  Certification Maintenance and Expiration
  Wireshark Certified Network Analyst Online Portal
  In Case of Test Problems or Questions

Frequently Asked Questions (FAQ)
  Can I keep my belongings with me during the test session?
  May I bring food or drinks into the testing room?
  How do I register for the Wireshark Certified Network Analyst Exam?
  Can I take the Exam at the same time I register?
  How long does the Exam take?
  Is the Exam in English only?
  Where can I take the Exam?
  What do I get when I pass my Exam?
  How long is my certification valid?
  What are the Continuing Professional Education (CPE) requirements?
  Do CPE Credits from other certification programs count towards my Wireshark Certified Network Analyst certification requirements?
  How do I take the Practice Exam?
  How do I prepare for the certification exam?
  Should I register for the Exam before attending a Wireshark class?
  How does the Wireshark Certified Network Analyst designation compare to other IT industry certifications?
  Who created this Certification?
  Will this certification help my job prospects/career advancement?
  Will there be additional levels added to the certification program later?
  What's the WCNA Examination passing score?
  Are there different versions of the Exam for each country?
  Which version of Wireshark is the Exam based on?

Exam Preparation
  Online Self-Paced Training
    Core 1: Analyzing TCP/IP Networks with Wireshark
    Core 2: Troubleshooting and Securing TCP/IP Networks with Wireshark
    All Access Pass Membership
  Instructor-Led Training Partners
  Books
  Customized Onsite and Online Training

Wireshark Certified Network Analyst Exam Objectives (Test WCNA100.1)


Exam Overview
Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the knowledge required to capture network traffic, analyze the results and identify various anomalies related to performance or security issues. To earn the Wireshark Certified Network Analyst status, you must pass a single Exam (the WCNA-100x Exam) and obtain twenty (20) CPE credits each year of your certification. The Wireshark Certified Network Analyst Exam is available at hundreds of testing centers around the world. You can take your Exam at a KRYTERION High-stake Online Secure Testing (HOST) location. Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. [1]

Online Proctored Exam Version


The Exam is also available in an Online Proctored (OLP) format which allows you to schedule to take the test at your home or office. Biometric authentication steps are required (photo and keyboard analytics) in order to register for an OLP Exam. OLP Exams are proctored via webcam following the requirements defined by Kryterion, Inc. To view a tutorial on the OLP option, register for a free test taker account at www.webassessor.com/pai and log in to your Home page. Click the Launch Tutorial button next to Prepare Yourself Try an Online Secured Assessment Now. Visit www.kryteriononline.com/delivery_options/online_proctoring/ for more information on OLP technology.

Exam Time Limit/Question Count


The Wireshark Certified Network Analyst Exam is a closed-book Exam consisting of 100 questions. The Exam time limit is 2 hours (120 minutes).

Exam Pricing
The Wireshark Certified Network Analyst Exam cost is USD 299 for a single Exam sitting. The Wireshark Certified Network Analyst Exam Practice Exam (online) cost is USD 29 for a single Practice Exam session. Additional Exam sittings and Practice Exam sessions must be paid for separately at the full price. If you require more than one Practice Exam session, we recommend you purchase the Wireshark Certified Network Analyst Official Exam Prep Guide (see Books).

Pass/Fail Grading
The Wireshark Certified Network Analyst Exam is graded on a pass/fail basis. Passing scores are set by using statistical analysis. At the completion of the Exam, Candidates receive a score report along with a score breakout by Exam section.

[1] PAI represents the Protocol Analysis Institute, the parent company of Wireshark University and Chappell University.


Question Formats
There are two forms of questions in the Wireshark Certified Network Analyst Exam: true/false and multiple choice. Only one answer is correct for each multiple choice question. Many questions include images of Wireshark graphs or packet details.

Test Retake Procedure


If you fail the Exam, you must wait five (5) business days before retaking the Exam. You must purchase another Test Taker Authorization Code at www.webassessor.com/pai. Only three (3) Exams with the same Exam identification number may be taken per calendar year. You must purchase another Exam sitting at the full price if you require a retake.

Exam Registration
Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. Step-by-step Exam Registration instructions are available at www.wiresharktraining.com/certification.

Taking Your Proctored Exam


Once your registration and scheduling are complete, you will receive an email confirmation which includes the details of your registration including your Test Taker Authorization Code. The email also includes the HOST location address and the date and time of your test session. This email is the only receipt you will receive from Kryterion.

You are required to bring two forms of identification with you to the HOST location, which your proctor verifies and records. In addition, you must bring your Test Taker Authorization Code which you received in your registration confirmation email.

The proctor will hand you a document to read in the waiting room while they load your Exam in the testing area. The testing center document prepares you for your Exam session. Once your Exam has loaded, your proctor will show you where the restrooms are, store your personal belongings in a secure compartment and answer any Exam session questions you may have. You may then begin your Exam.

The Exam engine provides you with detailed instructions on how to take the Exam and guides you through each step of the Exam process. You have two hours (120 minutes) to complete the Wireshark Certified Network Analyst Exam. You may review your answers before submitting your Exam. Unanswered questions are graded as incorrect.

When finished, you are prompted to notify your proctor that you have completed the Exam. The proctor will then close your Exam session. You will receive your pass/fail notification upon completion of the Exam.

Acceptable Forms of Identification


Acceptable forms of photo ID include: government-issued driver's license or ID card, passport, military identification, an employee identification card or a student picture ID from an accredited college or university. The following forms of non-photo ID are acceptable: credit card, check cashing card or a bank debit card. A social security card is not an acceptable form of identification.


The OLP Exam requires a photo ID as well as a keyboard analytic process to verify the identity of the test taker and match the registrant with the test taker. For more information regarding the OLP process and security, visit www.kryteriononline.com/delivery_options/online_proctoring/.

Closed Book Policy


The Wireshark Certified Network Analyst Exam is in closed-book format. No Internet access or open computer (other than the Exam system) is allowed during the Exam. Candidates may not access any printed materials or electronic devices such as extra computers or USB flash drives.

Cancellation/Rescheduling Details
If you need to reschedule your Exam appointment, you may do so more than 72 hours before your Exam appointment. Log into your KRYTERION account at www.webassessor.com/pai and click on View Schedule Details and the Reschedule button. IMPORTANT: Read the next section regarding cancellation and rescheduling within 72 hours of your Exam appointment.

Cancellation/Rescheduling within 72 Hours of Your Exam Appointment


If you wish to cancel or reschedule your Exam within 72 hours of your appointment, please call the PAI Customer Support line at +1 408-378-7841. Do not attempt to contact Kryterion or the testing center directly. You will be charged a $175 seating fee if you reschedule or cancel your Exam appointment within 72 hours of your Exam appointment or do not show for your Exam appointment.

Certification Maintenance and Expiration


Your Wireshark Certified Network Analyst status is valid for three (3) years from the date of successful Exam completion. Twenty (20) Continuing Professional Education (CPE) credits are required yearly to maintain your certification in good standing. CPE credits must be obtained in the area of (a) network communications, (b) troubleshooting, (c) network testing/optimization or (d) network security. For more information on obtaining and reporting CPE credits, refer to www.wiresharktraining.com/certification.

Wireshark Certified Network Analyst Online Portal


After successful completion of the Wireshark Certified Network Analyst Exam, you will be provided access to the Wireshark Certified Network Analyst Online Portal. Your Online Portal contains at least 20 hours of online training/study/enhancement and is a key resource for easily maintaining your certification in good standing with the required number of CPE credits. The Online Portal also contains case studies of network analysis projects completed by other WCNAs. You do not need to submit Online Portal activities for CPE credit. Wireshark University periodically polls your transcript information from the Online Portal and credits your account accordingly. To determine how many credits you have earned from your Online Portal activity, click the Transcript button on the Online Portal menu.


If desired, you may submit content to the Online Portal for CPE credits. First you must email your request to submit content and provide an outline of same to info@wiresharktraining.com. Release forms must be signed prior to posting WCNA documents to the Online Portal.

In Case of Test Problems or Questions


Please first review the FAQ section of this document. If you have additional questions regarding the certification process, your certification status or the Kryterion testing engine, contact Wireshark University at certification@wiresharktraining.com or call +1 408-378-7841.


Frequently Asked Questions (FAQ)


Can I keep my belongings with me during the test session?
Your personal items may not be accessed during the test session. Personal items include: bags, wallets, purses, briefcases, watches, books, beepers, cell phones, electronic organizers and calculators. You should, however, keep your identification with you at all times.

May I bring food or drinks into the testing room?


No, tobacco products, food, drink, and chewing gum are not allowed in the testing area.

How do I register for the Wireshark Certified Network Analyst Exam?


Step-by-step Exam Registration instructions are available at www.wiresharktraining.com/certification.

Can I take the Exam at the same time I register?


Not the proctored Exam; the earliest you can schedule your Exam is 72 hours before your desired Exam date/time. Registrants can take the unproctored Practice Exam immediately following registration.

How long does the Exam take?


Candidates are provided two hours (120 minutes) to complete the Exam. An Exam timer indicates the remaining Exam time. A question counter indicates the number of questions answered and total number of questions in the Exam. A Review Test option allows you to mark questions for review and revisit all questions and answers in the Exam. You may skip questions during the Exam, but it is recommended you complete each question before submitting your Exam for grading. Unanswered questions are marked incorrect. The Practice Exam also includes a two-hour (120-minute) time limit.

Is the Exam in English only?


Currently the Exam and Practice Exam are only available in English.

Where can I take the Exam?


The Wireshark Certified Network Analyst Exam is delivered by Kryterion, Inc. Kryterion has hundreds of testing centers around the world. Visit www.kryteriononline.com/host_locations/ to locate a Kryterion High-stake Online Secure Testing (HOST) location near you.

What do I get when I pass my Exam?


Within fifteen (15) business days of successful completion of the Exam, Wireshark University will send your Wireshark Certified Network Analyst Welcome Kit. The Welcome Kit includes your Certificate, Certification ID Number, valid certification date details and additional information regarding your certification maintenance, CPE credits and information regarding access to and usage of the Wireshark Certified Network Analyst logo.


How long is my certification valid?


Wireshark Certified Network Analyst status is valid for three (3) years from the date of successful Exam completion. During that three (3) year period, you must retain your Wireshark Certified Network Analyst certification in good standing by obtaining twenty (20) CPE credits yearly.

What are the Continuing Professional Education (CPE) requirements?


Twenty (20) CPE credits will be required to maintain your certification in good standing by ensuring you are staying current with network analysis practices and technologies. CPE credits must be obtained in the areas of:

  (a) network communications
  (b) network troubleshooting
  (c) network testing/optimization
  (d) network security

CPE credit information must be submitted to Wireshark University on an annual basis. If you participate in the training activities on the Online Portal, you do not need to submit your CPE information; your information will be automatically updated in your Wireshark Certified Network Analyst account. For further information on CPE options and manually submitting your CPE information, visit www.wiresharktraining.com/cpe.

Do CPE Credits from other certification programs count towards my Wireshark Certified Network Analyst certification requirements?
If your CPE activity falls in one of the four areas listed above, you may submit your activity at www.wiresharktraining.com/cpe.

How do I take the Practice Exam?


Register for the Practice Exam just as you register for the final Exam. Your Practice Exam is available for you to take as soon as you have completed the registration process at www.webassessor.com/pai. Locate the Launch button for your Exam on your Webassessor home page. If you need to stop your Practice Exam for some reason, you may do so simply by closing the Practice Exam window. Any questions you have already answered have been saved for you. If the Practice Exam was interrupted due to technical issues, you may re-launch the Practice Exam by logging into your Webassessor home page and clicking the Launch button. The Practice Exam will resume at the first unanswered question. You have two hours (120 minutes) of active time to complete the Practice Exam.

How do I prepare for the certification exam?


You can prepare for the Wireshark Certified Network Analyst Exam using self-paced, instructor-led or on-the-job study. We recommend the Exam Prep Guide which contains over 300 practice questions and timed/untimed practice exams on the accompanying CD. The Exam Prep Guide is available through Amazon. Refer to Exam Preparation for more details.

Should I register for the Exam before attending a Wireshark class?


Most students wait until after taking their Wireshark training courses to register for the Exam. You should only schedule your Exam after you feel comfortable with the subject material.


How does the Wireshark Certified Network Analyst designation compare to other IT industry certifications?
The Wireshark Certified Network Analyst designation is focused on not only Wireshark, but also key TCP/IP communications areas that can be investigated when troubleshooting or securing a network. The Wireshark Certified Network Analyst designation will identify you as an IT professional who is keeping up with current techniques and the world's most popular network analyzer tool. The Wireshark Certified Network Analyst designation is an ideal complement to the CISSP, CCIE, CNP, Network+ and Security+ certifications.

Who created this Certification?


Wireshark University was co-founded by Gerald Combs (creator of Wireshark) and Laura Chappell, world-renowned network analyst, in 2007. One element of Wireshark University is the Wireshark Certified Network Analyst designation. Topics included in the Exam come from the thirty-three areas of study for network analysts (see Wireshark Certified Network Analyst Exam Objectives).

Will this certification help my job prospects/career advancement?


If you want to attain a competitive edge and help improve employability and earning potential, obtaining your Wireshark Certified Network Analyst designation can help position you in the job market. Wireshark's increasing popularity (with over 500,000 downloads per month) and leading role as the in-house de facto tool for troubleshooting and security increase the value of this certification immensely.

Will there be additional levels added to the certification program later?


We have considered creating specializations, but at this time the only certification is the Wireshark Certified Network Analyst. If specialization certifications are created, the Wireshark Certified Network Analyst Exam must be completed successfully in order to achieve such specializations.

What's the WCNA Examination passing score?


The Wireshark Certified Network Analyst Exam is a Pass/Fail exam. You are provided with topics of the questions answered incorrectly on each Exam upon completion of the Exam. The passing score for each examination is calculated by equating the scoring values associated with each question. Passing rates are estimated to be in the 70% to 80% range.

Are there different versions of the Exam for each country?


The same English language version is given throughout the world.

Which version of Wireshark is the Exam based on?


The current Exam is based on Wireshark version 1.4.x. The Study Guide and Exam Prep Guide are also based on Wireshark version 1.4.x.


Exam Preparation
The Wireshark Certified Network Analyst Exam focuses on TCP/IP communications analysis, methods for using Wireshark to identify the cause of network problems, and the evidence that a network is under reconnaissance or a host has been breached. Consider the following options for Exam preparation.

Online Self-Paced Training


All Access Pass Membership
The All Access Pass (AAP) training membership provides access to Core 1, Core 2, Wireshark Certification Study Sessions, live online training events and additional online training in the areas of network analysis, troubleshooting, optimization and security.

Core 1: Analyzing TCP/IP Networks with Wireshark


In this self-paced course, students discover effective Wireshark operations and packet-level TCP/IP communications by examining both properly-performing and poorly-performing networks as they prepare for the Wireshark Certified Network Analyst Exam. [25 sections, 46 labs, approximately 22 hours of online training]

Core 2: Troubleshooting and Securing TCP/IP Networks with Wireshark


In this self-paced course, students gain the skills required to effectively troubleshoot and secure a TCP/IP network by analyzing network traffic with Wireshark as they prepare for the Wireshark Certified Network Analyst Exam. Students learn techniques to analyze traffic on poorly performing TCP/IP networks and identify reconnaissance processes on the network as well as indicators that a host is compromised. [19 sections, 53 labs, approximately 25 hours of online training]

Visit www.chappellU.com to view the complete contents of the All Access Pass.

Instructor-Led Training Partners


For an updated list of Wireshark University Certified Training Partners, visit www.wiresharktraining.com/iltpartners.

Global Knowledge - North America - www.globalknowledge.com
Global Knowledge is the worldwide leader in IT and business training. Global Knowledge delivers training via training centers, private facilities, and the Internet, enabling customers to choose when, where, and how they want to receive training programs and learning services.

SCOS Software bv - Europe - www.scos.nl
Polarisavenue 53
2132 JH Hoofddorp
The Netherlands
Email: info@wiresharkeurope.eu
Phone: 0031 (0)23 568 5615
Fax: 0031 (0)23 562 1072


Books
Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
This comprehensive book covers all thirty-three areas of study for the Wireshark Certified Network Analyst Exam while providing numerous case studies, tips and tricks for using Wireshark efficiently to troubleshoot and secure networks.
ISBN10: 1-893939-99-5
ISBN13: 978-1-893939-99-8
Paperback: 800 pages
Book URL: www.wiresharkbook.com
Retail Price: $99.95

Wireshark Certified Network Analyst: Official Exam Prep Guide
This book provides 300+ practice quiz questions based on the thirty-three areas of study defined for the Wireshark Certified Network Analyst Exam and includes timed and untimed quizzes on the accompanying CD. This Official Exam Prep Guide offers a companion to Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide.
10-digit ISBN: 1-893939-98-7
13-digit ISBN: 978-1-893939-98-1
Paperback: 202 pages (includes CD)
Book URL: www.wiresharkbook.com/epg
Retail Price: $39.95

Customized Onsite and Online Training


Wireshark University
www.wiresharktraining.com

Wireshark University was founded in 2007 to provide training on Wireshark for troubleshooting, security and optimization. Customized onsite courses can be arranged to train multiple students at one time at your location or via the Internet for a geographically dispersed student base. Courses can be customized based on your network details and design. For more information on customized onsite courses, email info@wiresharktraining.com or call +1 408-378-7841.


Wireshark Certified Network Analyst Exam Objectives (Test WCNA100.1)


The Wireshark Certified Network Analyst Exam is based on thirty-three areas of concentration.

Section 1: Network Analysis Overview
  Define the Purpose of Network Analysis
  List Troubleshooting Tasks for the Network Analyst
  List Security Tasks for the Network Analyst
  List Optimization Tasks for the Network Analyst
  List Application Analysis Tasks for the Network Analyst
  Detail Security Issues Related to Network Analysis
  Define Legal Issues Related to Listening to Network Traffic
  Overcome the "Needle in a Haystack" Issue
  Review a Checklist of Analysis Tasks

Section 2: Introduction to Wireshark
  Describe Wireshark's Purpose
  Know How to Obtain the Latest Version of Wireshark
  Compare Wireshark Release and Development Versions
  Report a Wireshark Bug or Submit an Enhancement
  Capture Packets on Wired or Wireless Networks
  Open Various Trace File Types
  Describe How Wireshark Processes Packets
  Define the Elements of the Start Page
  Identify the Nine GUI Elements
  Navigate Wireshark's Main Menu
  Use the Main Toolbar for Efficiency
  Focus Faster with the Filter Toolbar
  Make the Wireless Toolbar Visible
  Access Options through Right-Click Functionality
  Define the Functions of the Menus and Toolbars

Section 3: Capture Traffic
  Know Where to Tap into the Network
  Know When to Run Wireshark Locally
  Capture Traffic on Switched Networks
  Use a Test Access Port (TAP) on Full-Duplex Networks
  Define When to Set Up Port Spanning/Port Mirroring on a Switch
  Analyze Routed Networks
  Analyze Wireless Networks
  Define Options for Capturing at Two Locations Simultaneously
  Identify the Most Appropriate Capture Interface
  Capture Traffic Remotely
  Automatically Save Packets to One or More Files
  Optimize Wireshark to Avoid Dropping Packets
  Conserve Memory with Command-Line Capture

Section 4: Create and Apply Capture Filters
  Describe the Purpose of Capture Filters
  Build Your Own Set of Capture Filters
  Filter by a Protocol
  Create MAC/IP Address or Host Name Capture Filters
  Capture One Application's Traffic Only
  Use Operators to Combine Capture Filters
  Create Capture Filters to Look for Byte Values
  Manually Edit the Capture Filters File
  Share Capture Filters with Others

Section 5: Define Global and Personal Preferences
  Find Your Configuration Folders
  Set Global and Personal Configurations
  Customize Your User Interface Settings
  Define Your Capture Preferences
  Define How Wireshark Automatically Resolves IP/MAC Names
  Configure Statistics Settings
  Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
  Configure Protocol Settings with Right-Click

Section6:ColorizeTraffic
UseColorstoSeparateTraffic ShareandManageColoringRules IdentifyWhyaPacketisaCertainColor ColorConversationstoDistinguishThem TemporarilyMarkPacketsofInterest AlterStreamReassemblyColoring

Section7:DefineTimeValuesandInterpretSummaries
UseTimetoIdentifyNetworkProblems DefineHowWiresharkMeasuresPacketTime ChoosetheIdealTimeDisplayFormat DealwithTimeAccuracyandResolutionIssues IdentifyDelayswithTimeValues CreateAdditionalTimeColumns MeasurePacketArrivalTimesUsingaTimeReference IdentifyClient,ServerandPathIssues ViewaSummaryofTrafficRates,PacketSizes,andBytesTransferred

Section 8: Interpret Basic Trace File Statistics
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map them on the Earth
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IP Addresses in the Traffic
List All Destinations in the Traffic
List All UDP and TCP Ports Used
Analyze UDP Multicast Streams
Graphic Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics

Section 9: Create and Apply Display Filters
Define the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use the Expressions Filter System
Make Display Filters Quickly Using Right-Click Filtering
Define Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on Specific Bytes in a Packet
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File

Section 10: Follow Streams and Reassemble Data
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Identify Common File Types
Follow and Reassemble SSL Conversations

Section 11: Customize Wireshark Profiles
Define the Purpose of Wireshark Profiles
Share Profiles
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile

Section 12: Save, Export and Print Packets
Save Filtered, Marked and Ranges of Packets
Export Packet Contents for Use in Other Programs
Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
Export Packet Bytes

Section 13: Use Wireshark's Expert System
Launch Expert Info Quickly
Colorize Expert Info Elements
Filter on TCP Expert Information Elements
Define TCP Expert Information

Section 14: TCP/IP Analysis Overview
Define Basic TCP/IP Functionality
Define the Multistep Resolution Process
Define Port Number Resolution
Define Network Name Resolution
Define Route Resolution for a Local Target
Define Local MAC Address Resolution for a Target
Define Route Resolution for a Remote Target
Define Local MAC Address Resolution for a Gateway

Section 15: Analyze Domain Name System (DNS) Traffic
Define the Purpose of DNS
Analyze Normal DNS Queries/Responses
Analyze DNS Problems
Dissect the DNS Packet Structure
Filter on DNS Traffic

Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Define the Purpose of ARP Traffic
Analyze Normal ARP Requests/Responses
Analyze Gratuitous ARP
Analyze ARP Problems
Dissect the ARP Packet Structure
Filter on ARP Traffic

Section 17: Analyze Internet Protocol (IPv4) Traffic
Define the Purpose of IPv4
Analyze Normal IPv4 Traffic
Analyze IPv4 Problems
Dissect the IPv4 Packet Structure
Set Your IP Protocol Preferences
Filter on IPv4 Traffic

Section 18: Analyze Internet Control Message Protocol (ICMP) Traffic
Define the Purpose of ICMP
Analyze Normal ICMP Traffic
Analyze ICMP Problems
Dissect the ICMP Packet Structure
Filter on ICMP Traffic

Section 19: Analyze User Datagram Protocol (UDP) Traffic
Define the Purpose of UDP
Analyze Normal UDP Traffic
Analyze UDP Problems
Dissect the UDP Packet Structure
Filter on UDP Traffic

Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Define the Purpose of TCP
Analyze Normal TCP Communications
Define the Establishment of TCP Connections
Define How TCP-based Services are Refused
Track TCP Packet Sequencing
Define TCP Flow Control
Define How TCP Recovers from Packet Loss
Improve Packet Loss Recovery with Selective Acknowledgments
Analyze TCP Problems
Dissect the TCP Packet Structure
Filter on TCP Traffic
Set TCP Protocol Parameters

Section 21: Graph IO Rates and TCP Trends
Use Graphs to View Trends
Generate Basic I/O Graphs
Filter I/O Graphs
Generate Advanced I/O Graphs
Compare Traffic Trends in I/O Graphs
Graph Round Trip Time
Graph Throughput Rates
Graph TCP Sequence Numbers over Time
Interpret TCP Window Size Issues
Interpret Packet Loss, Duplicate ACKs and Retransmissions

Section 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic
Define the Purpose of DHCP
Analyze Normal DHCP Traffic
Analyze DHCP Problems
Dissect the DHCP Packet Structure
Filter on DHCP Traffic
Display BOOTP-DHCP Statistics

Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Define the Purpose of HTTP
Analyze Normal HTTP Communications
Analyze HTTP Problems
Dissect HTTP Packet Structures
Filter on HTTP or HTTPS Traffic
Export HTTP Objects
Display HTTP Statistics
Graph HTTP Traffic Flows
Set HTTP Preferences
Analyze HTTPS Communications
Decrypt HTTPS Traffic

Section 24: Analyze File Transfer Protocol (FTP) Traffic
Define the Purpose of FTP
Analyze Normal FTP Communications
Analyze FTP Problems
Dissect the FTP Packet Structure
Filter on FTP Traffic
Reassemble FTP Traffic

Section 25: Analyze Email Traffic
Define the Purpose of POP
Analyze Normal POP Communications
Analyze POP Problems
Dissect the POP Packet Structure
Filter on POP Traffic
Define the Purpose of SMTP
Analyze Normal SMTP Communication
Analyze SMTP Problems
Dissect the SMTP Packet Structure
Filter on SMTP Traffic

Section 26: Introduction to 802.11 (WLAN) Analysis
Analyze Signal Strength and Interference
Capture WLAN Traffic
Compare Monitor Mode and Promiscuous Mode
Set Up WLAN Decryption
Apply a Radiotap or PPI Header
Compare Signal Strength and Signal-to-Noise Ratios
Describe 802.11 Traffic Basics
Analyze Normal 802.11 Communications
Filter on WLAN Traffic
Analyze Frame Control Types and Subtypes

Section 27: Voice over IP (VoIP) Analysis Fundamentals
Define VoIP Traffic Flows
Analyze VoIP Problems
Analyze SIP and RTP Traffic
Play Back VoIP Calls
Create a VoIP Profile
Filter on VoIP Traffic

Section 28: Baseline Normal Traffic Patterns
Define the Importance of Baselining
Baseline Broadcast and Multicast Types and Rates
Baseline Bootup Sequences
Baseline Login/Logout Sequences
Baseline Traffic During Idle Time
Baseline Application Launch Sequences and Key Tasks
Baseline Web Browsing Sessions
Baseline Name Resolution Sessions
Baseline Throughput Tests
Baseline Wireless Connectivity
Baseline VoIP Communications

Section 29: Find the Top Causes of Performance Problems
Troubleshoot Performance Problems
Identify High Latency Times
Point to Slow Processing Times
Find the Location of Packet Loss
Identify Signs of Misconfigurations
Analyze Traffic Redirections
Identify Small Payload Sizes
Identify Congestion
Identify Application Faults
Identify Name Resolution Faults

Section 30: Network Forensics Overview
Compare Host Forensics to Network Forensics
Gather Evidence
Avoid Detection
Handle Evidence
Recognize Unusual Traffic Patterns
Color Unusual Traffic Patterns
Identify Complementary Forensic Tools

Section 31: Detect Scanning and Discovery Processes
Define the Purpose of Discovery and Reconnaissance
Detect ARP Scans (aka ARP Sweeps)
Detect ICMP Ping Sweeps
Detect Various Types of TCP Port Scans
Detect UDP Port Scans
Detect IP Protocol Scans
Define Idle Scans
Identify ICMP Types and Codes
Analyze Traceroute Path Discovery
Detect Dynamic Router Discovery
Define Application Mapping Processes
Use Wireshark for Passive OS Fingerprinting
Detect Active OS Fingerprinting
Identify Spoofed Addresses and Scans

Section 32: Analyze Suspect Traffic
Describe Suspect Traffic
Identify Vulnerabilities in the TCP/IP Resolution Processes
Identify Unacceptable Traffic
Find Maliciously Malformed Packets
Identify Invalid or Dark Destination Addresses
Differentiate between Flooding or Standard Denial of Service Traffic
Find Clear Text Passwords and Data
Identify Phone Home Behavior
Catch Unusual Protocols and Applications
Locate Route Redirection that Uses ICMP
Catch ARP Poisoning
Catch IP Fragmentation and Overwriting
Identify TCP Splicing
Watch Other Unusual TCP Traffic
Identify Password Cracking Attempts
Know Where to Look: Signature Locations

Section 33: Effective Use of Command-Line Tools
Define the Purpose of Command-Line Tools
Use Wireshark.exe (Command-Line Launch)
Capture Traffic with Tshark
List Trace File Details with Capinfos
Edit Trace Files with Editcap
Merge Trace Files with Mergecap
Convert Text with Text2pcap
Capture Traffic with Dumpcap
Define Rawshark

For more information on the Wireshark Certified Network Analyst Exam, please visit www.wiresharktraining.com/certification or contact us directly.

Wireshark University
info@wiresharktraining.com
5339 Prospect Road, #343
San Jose, CA 95129 USA
Phone: +1 408-378-7841
Fax: +1 408-387-7891
