Wireshark University
Welcome to Wireshark University and the Wireshark Certified Network Analyst Program
Wireshark (formerly Ethereal) has become the de facto industry standard open source product for network analysis, troubleshooting and security. Over 500,000 IT professionals worldwide download Wireshark each month. Wireshark has proven to be a necessary tool for locating the cause of network performance issues and identifying security breaches. In addition, Wireshark is used in worldwide multi-vendor training programs to visualize network communication processes.
The Wireshark Certified Network Analyst Exam was designed to confirm individual competencies in using Wireshark to locate the cause of network problems (poor performance or security-related) and to confirm your knowledge of TCP/IP network communications in general. The Wireshark Certified Network Analyst Exam was DoD 8570 certified by the U.S. Army in 2009. The Exam is based on the thirty-three areas of study defined in the Exam Focus and Content section of this document. The four primary areas covered in this Exam are Wireshark Functionality, TCP/IP Network Communications, Network Troubleshooting and Network Security.
Contents
Exam Overview .......... 3
Online Proctored Exam Version .......... 3
Exam Time Limit/Question Count .......... 3
Exam Pricing .......... 3
Pass/Fail Grading .......... 3
Question Formats .......... 4
Test Retake Procedure .......... 4
Exam Registration .......... 4
Taking Your Proctored Exam .......... 4
Acceptable Forms of Identification .......... 4
Closed Book Policy .......... 5
Cancellation/Rescheduling Details .......... 5
Cancellation/Rescheduling within 72 Hours of Your Exam Appointment .......... 5
Certification Maintenance and Expiration .......... 5
Wireshark Certified Network Analyst Online Portal .......... 5
In Case of Test Problems or Questions .......... 6
Exam Overview
Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the knowledge required to capture network traffic, analyze the results and identify various anomalies related to performance or security issues. To earn the Wireshark Certified Network Analyst status, you must pass a single Exam, the WCNA-100x Exam, and obtain twenty (20) CPE credits each year of your certification. The Wireshark Certified Network Analyst Exam is available at hundreds of testing centers around the world. You can take your Exam at a KRYTERION High-stake Online Secure Testing (HOST) location. Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai.
Exam Pricing
The Wireshark Certified Network Analyst Exam cost is USD 299 for a single Exam sitting. The Wireshark Certified Network Analyst Exam Practice Exam (online) cost is USD 29 for a single Practice Exam session. Additional Exam sittings and Practice Exam sessions must be paid for separately at the full price. If you require more than one Practice Exam session, we recommend you purchase the Wireshark Certified Network Analyst Official Exam Prep Guide (see Books on page 11).
Pass/Fail Grading
The Wireshark Certified Network Analyst Exam is graded on a pass/fail basis. Passing scores are set by using statistical analysis. At the completion of the Exam, Candidates receive a score report along with a score breakout by Exam section.
PAI represents the Protocol Analysis Institute, the parent company of Wireshark University and Chappell University.
Question Formats
There are two forms of questions in the Wireshark Certified Network Analyst Exam: true/false and multiple choice. Only one answer is correct for each multiple choice question. Many questions include images of Wireshark graphs or packet details.
Exam Registration
Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. Step-by-step Exam Registration instructions are available at www.wiresharktraining.com/certification.
The OLP Exam requires a photo ID as well as a keyboard analytics process to verify the identity of the test taker and match the registrant with the test taker. For more information regarding the OLP process and security, visit www.kryteriononline.com/delivery_options/online_proctoring/.
Cancellation/Rescheduling Details
If you need to reschedule your Exam appointment, you may do so more than 72 hours before your Exam appointment. Log into your KRYTERION account at www.webassessor.com/pai, click View Schedule Details and then click the Reschedule button. IMPORTANT: Read the next section regarding cancellation and rescheduling within 72 hours of your Exam appointment.
If desired, you may submit content to the Online Portal for CPE credits. First you must email your request to submit content and provide an outline of same to info@wiresharktraining.com. Release forms must be signed prior to posting WCNA documents to the Online Portal.
CPE credit information must be submitted to Wireshark University on an annual basis. If you participate in the training activities on the Online Portal, you do not need to submit your CPE information; it will be updated automatically in your Wireshark Certified Network Analyst account. For further information on CPE options and manually submitting your CPE information, visit www.wiresharktraining.com/cpe.
Do CPE Credits from other certification programs count towards my Wireshark Certified Network Analyst certification requirements?
If your CPE activity falls in one of the four areas listed above, you may submit your activity at www.wiresharktraining.com/cpe.
How does the Wireshark Certified Network Analyst designation compare to other IT industry certifications?
The Wireshark Certified Network Analyst designation is focused not only on Wireshark, but also on key TCP/IP communications areas that can be investigated when troubleshooting or securing a network. The Wireshark Certified Network Analyst designation will identify you as an IT professional who is keeping up with current techniques and the world's most popular network analyzer tool. The Wireshark Certified Network Analyst designation is an ideal complement to the CISSP, CCIE, CNP, Network+ and Security+ certifications.
Exam Preparation
The Wireshark Certified Network Analyst Exam focuses on TCP/IP communications analysis, methods for using Wireshark to identify the cause of network problems, and the evidence that a network is under reconnaissance or a host has been breached. Consider the following options for Exam preparation.
Visit www.chappellU.com to view the complete contents of the All Access Pass.
Books
Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
This comprehensive book covers all thirty-three areas of study for the Wireshark Certified Network Analyst Exam while providing numerous case studies, tips and tricks for using Wireshark efficiently to troubleshoot and secure networks.
ISBN-10: 1-893939-99-5
ISBN-13: 978-1-893939-99-8
Paperback: 800 pages
Book URL: www.wiresharkbook.com
Retail Price: $99.95

Wireshark Certified Network Analyst: Official Exam Prep Guide
This book provides 300+ practice quiz questions based on the thirty-three areas of study defined for the Wireshark Certified Network Analyst Exam and includes timed and untimed quizzes on the accompanying CD. This Official Exam Prep Guide is a companion to Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide.
ISBN-10: 1-893939-98-7
ISBN-13: 978-1-893939-98-1
Paperback: 202 pages (includes CD)
Book URL: www.wiresharkbook.com/epg
Retail Price: $39.95
Section 1: Network Analysis Overview
Define the Purpose of Network Analysis
List Troubleshooting Tasks for the Network Analyst
List Security Tasks for the Network Analyst
List Optimization Tasks for the Network Analyst
List Application Analysis Tasks for the Network Analyst
Detail Security Issues Related to Network Analysis
Define Legal Issues Related to Listening to Network Traffic
Overcome the "Needle in a Haystack" Issue
Review a Checklist of Analysis Tasks
Section 2: Introduction to Wireshark
Describe Wireshark's Purpose
Know How to Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Describe How Wireshark Processes Packets
Define the Elements of the Start Page
Identify the Nine GUI Elements
Navigate Wireshark's Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Access Options through Right Click Functionality
Define the Functions of the Menus and Toolbars
Section 3: Capture Traffic
Know Where to Tap into the Network
Know When to Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full Duplex Networks
Define When to Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Define Options for Capturing at Two Locations Simultaneously
Identify the Most Appropriate Capture Interface
Section 4: Create and Apply Capture Filters
Describe the Purpose of Capture Filters
Build Your Own Set of Capture Filters
Filter by a Protocol
Create MAC/IP Address or Host Name Capture Filters
Capture One Application's Traffic Only
Use Operators to Combine Capture Filters
Create Capture Filters to Look for Byte Values
Manually Edit the Capture Filters File
Share Capture Filters with Others
Section 5: Define Global and Personal Preferences
Find Your Configuration Folders
Set Global and Personal Configurations
Customize Your User Interface Settings
Define Your Capture Preferences
Define How Wireshark Automatically Resolves IP/MAC Names
Configure Statistics Settings
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
Configure Protocol Settings with Right Click
Section 6: Colorize Traffic
Use Colors to Separate Traffic
Share and Manage Coloring Rules
Identify Why a Packet is a Certain Color
Color Conversations to Distinguish Them
Temporarily Mark Packets of Interest
Alter Stream Reassembly Coloring
Section 7: Define Time Values and Interpret Summaries
Use Time to Identify Network Problems
Define How Wireshark Measures Packet Time
Choose the Ideal Time Display Format
Deal with Time Accuracy and Resolution Issues
Identify Delays with Time Values
Create Additional Time Columns
Measure Packet Arrival Times Using a Time Reference
Identify Client, Server and Path Issues
View a Summary of Traffic Rates, Packet Sizes, and Bytes Transferred
Section 8: Interpret Basic Trace File Statistics
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map them on the Earth
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IP Addresses in the Traffic
List All Destinations in the Traffic
List All UDP and TCP Ports Used
Analyze UDP Multicast Streams
Graphic Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics
Section 9: Create and Apply Display Filters
Define the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use the Expressions Filter System
Make Display Filters Quickly Using Right Click Filtering
Define Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on Specific Bytes in a Packet
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File
Section 10: Follow Streams and Reassemble Data
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Identify Common File Types
Follow and Reassemble SSL Conversations
Section 11: Customize Wireshark Profiles
Define the Purpose of Wireshark Profiles
Share Profiles
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile
Section 12: Save, Export and Print Packets
Save Filtered, Marked and Ranges of Packets
Export Packet Contents for Use in Other Programs
Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
Export Packet Bytes
Section 13: Use Wireshark's Expert System
Launch Expert Info Quickly
Colorize Expert Info Elements
Filter on TCP Expert Information Elements
Define TCP Expert Information
Section 14: TCP/IP Analysis Overview
Define Basic TCP/IP Functionality
Define the Multistep Resolution Process
Define Port Number Resolution
Define Network Name Resolution
Define Route Resolution for a Local Target
Define Local MAC Address Resolution for a Target
Define Route Resolution for a Remote Target
Define Local MAC Address Resolution for a Gateway
Section 15: Analyze Domain Name System (DNS) Traffic
Define the Purpose of DNS
Analyze Normal DNS Queries/Responses
Analyze DNS Problems
Dissect the DNS Packet Structure
Filter on DNS Traffic
Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Define the Purpose of ARP Traffic
Analyze Normal ARP Requests/Responses
Analyze Gratuitous ARP
Analyze ARP Problems
Dissect the ARP Packet Structure
Filter on ARP Traffic
Section 17: Analyze Internet Protocol (IPv4) Traffic
Define the Purpose of IPv4
Analyze Normal IPv4 Traffic
Analyze IPv4 Problems
Dissect the IPv4 Packet Structure
Set Your IP Protocol Preferences
Filter on IPv4 Traffic
Section 18: Analyze Internet Control Message Protocol (ICMP) Traffic
Define the Purpose of ICMP
Analyze Normal ICMP Traffic
Analyze ICMP Problems
Dissect the ICMP Packet Structure
Filter on ICMP Traffic
Section 19: Analyze User Datagram Protocol (UDP) Traffic
Define the Purpose of UDP
Analyze Normal UDP Traffic
Analyze UDP Problems
Dissect the UDP Packet Structure
Filter on UDP Traffic
Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Define the Purpose of TCP
Analyze Normal TCP Communications
Define the Establishment of TCP Connections
Define How TCP-based Services are Refused
Track TCP Packet Sequencing
Define TCP Flow Control
Define How TCP Recovers from Packet Loss
Improve Packet Loss Recovery with Selective Acknowledgments
Analyze TCP Problems
Dissect the TCP Packet Structure
Filter on TCP Traffic
Set TCP Protocol Parameters
Section 21: Graph I/O Rates and TCP Trends
Use Graphs to View Trends
Generate Basic I/O Graphs
Filter I/O Graphs
Generate Advanced I/O Graphs
Compare Traffic Trends in I/O Graphs
Graph Round Trip Time
Graph Throughput Rates
Graph TCP Sequence Numbers over Time
Interpret TCP Window Size Issues
Interpret Packet Loss, Duplicate ACKs and Retransmissions
Section 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic
Define the Purpose of DHCP
Analyze Normal DHCP Traffic
Analyze DHCP Problems
Dissect the DHCP Packet Structure
Filter on DHCP Traffic
Display BOOTP-DHCP Statistics
Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Define the Purpose of HTTP
Analyze Normal HTTP Communications
Analyze HTTP Problems
Dissect HTTP Packet Structures
Filter on HTTP or HTTPS Traffic
Export HTTP Objects
Display HTTP Statistics
Graph HTTP Traffic Flows
Set HTTP Preferences
Analyze HTTPS Communications
Decrypt HTTPS Traffic
Section 24: Analyze File Transfer Protocol (FTP) Traffic
Define the Purpose of FTP
Analyze Normal FTP Communications
Analyze FTP Problems
Dissect the FTP Packet Structure
Filter on FTP Traffic
Reassemble FTP Traffic
Section 25: Analyze Email Traffic
Define the Purpose of POP
Analyze Normal POP Communications
Analyze POP Problems
Dissect the POP Packet Structure
Filter on POP Traffic
Define the Purpose of SMTP
Analyze Normal SMTP Communication
Analyze SMTP Problems
Dissect the SMTP Packet Structure
Filter on SMTP Traffic
Section 26: Introduction to 802.11 (WLAN) Analysis
Analyze Signal Strength and Interference
Capture WLAN Traffic
Compare Monitor Mode and Promiscuous Mode
Set up WLAN Decryption
Apply a Radiotap or PPI Header
Compare Signal Strength and Signal-to-Noise Ratios
Describe 802.11 Traffic Basics
Analyze Normal 802.11 Communications
Filter on WLAN Traffic
Analyze Frame Control Types and Subtypes
Section 27: Voice over IP (VoIP) Analysis Fundamentals
Define VoIP Traffic Flows
Analyze VoIP Problems
Analyze SIP and RTP Traffic
Play Back VoIP Calls
Create a VoIP Profile
Filter on VoIP Traffic
Section 28: Baseline Normal Traffic Patterns
Define the Importance of Baselining
Baseline Broadcast and Multicast Types and Rates
Baseline Bootup Sequences
Baseline Login/Logout Sequences
Baseline Traffic During Idle Time
Baseline Application Launch Sequences and Key Tasks
Baseline Web Browsing Sessions
Baseline Name Resolution Sessions
Baseline Throughput Tests
Baseline Wireless Connectivity
Baseline VoIP Communications
Section 29: Find the Top Causes of Performance Problems
Troubleshoot Performance Problems
Identify High Latency Times
Point to Slow Processing Times
Find the Location of Packet Loss
Identify Signs of Misconfigurations
Analyze Traffic Redirections
Identify Small Payload Sizes
Identify Congestion
Identify Application Faults
Identify Name Resolution Faults
Section 30: Network Forensics Overview
Compare Host Forensics to Network Forensics
Gather Evidence
Avoid Detection
Handle Evidence
Recognize Unusual Traffic Patterns
Color Unusual Traffic Patterns
Identify Complementary Forensic Tools
Section 31: Detect Scanning and Discovery Processes
Define the Purpose of Discovery and Reconnaissance
Detect ARP Scans (aka ARP Sweeps)
Detect ICMP Ping Sweeps
Detect Various Types of TCP Port Scans
Detect UDP Port Scans
Detect IP Protocol Scans
Define Idle Scans
Identify ICMP Types and Codes
Analyze Traceroute Path Discovery
Detect Dynamic Router Discovery
Define Application Mapping Processes
Use Wireshark for Passive OS Fingerprinting
Detect Active OS Fingerprinting
Identify Spoofed Addresses and Scans
Section 32: Analyze Suspect Traffic
Describe Suspect Traffic
Identify Vulnerabilities in the TCP/IP Resolution Processes
Identify Unacceptable Traffic
Find Maliciously Malformed Packets
Identify Invalid or Dark Destination Addresses
Differentiate between Flooding or Standard Denial of Service Traffic
Find Clear Text Passwords and Data
Identify Phone Home Behavior
Catch Unusual Protocols and Applications
Locate Route Redirection that Uses ICMP
Catch ARP Poisoning
Catch IP Fragmentation and Overwriting
Identify TCP Splicing
Watch Other Unusual TCP Traffic
Identify Password Cracking Attempts
Know Where to Look: Signature Locations
Section 33: Effective Use of Command Line Tools
Define the Purpose of Command Line Tools
Use Wireshark.exe (Command Line Launch)
Capture Traffic with Tshark
List Trace File Details with Capinfos
Edit Trace Files with Editcap
Merge Trace Files with Mergecap
Convert Text with Text2pcap
Capture Traffic with Dumpcap
Define Rawshark
For more information on the Wireshark Certified Network Analyst Exam, please visit www.wiresharktraining.com/certification or contact us directly.
Wireshark University
info@wiresharktraining.com
5339 Prospect Road, #343
San Jose, CA 95129 USA
Phone: +1 408-378-7841
Fax: +1 408-387-7891