Passed: Wireshark Certified Network Analyst (WCNA)

Comments

  • Magic Johnson Member Posts: 414
    To be fair I'd never even heard of it until my boss recommended it instead of the SIP School cert.

    I remember a couple of months ago trying to deploy a phone system in a way that I'd never done before, and because of contradictory vendor documentation we had to use Wireshark to find out what was going on.

    Unfortunately, neither myself, the IT manager nor the IT partner knew how to use Wireshark successfully (to the extent we needed). Fine, I had my CCNA etc but those skills would have come in extremely handy, as Laura herself says 'The packets never lie'. Screw documentation and what 'should' happen.

    If recognition is the only reason you get when you ask yourself why, I wouldn't have the motivation to do it, but my word, I can guarantee this will make me a better engineer. I've also convinced my boss to get our first line support to go through the Wireshark 101 book too.

    Mike, I bought the Wireshark Network Analysis Second Edition (Study Guide) and the Exam Prep book. There are no discs etc, all the material (traces etc) are on a website to download.
  • docrice Member Posts: 1,706
    Yup, that's the classic example. Vendor documentation is often incorrect or based on incorrect assumptions. Never fully trust what the device is telling you. I've seen a phone claiming on the display that it was in the process of downloading an image from the phone server via TFTP. Actually looking at the packets proved that it was doing FTP instead. Makes a big difference in how you'd configure ACLs in that case.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Mike-Mike Member Posts: 1,860
    docrice wrote: »
    Not to downplay any enthusiasm, but almost no one recognizes the WCNA

    However, the exam is a bit pricy and so from a resume-alphabet ROI, it provides little in the short-term until the rest of the world starts recognizing it.

    I don't expect any potential employer to be looking for that cert. I find that I study better when a cert is involved. I need a goal, and getting a cert is a way for me to set a goal for my studying.

    As I said, I doubt any employer will care about the cert itself, but I do expect they all respect Wireshark skills, and this will be one way to validate that I have some level of experience with it
    Currently Working On

    CWTS, then WireShark
  • Mike-Mike Member Posts: 1,860
    Magic Johnson wrote: »
    Mike, I bought the Wireshark Network Analysis Second Edition (Study Guide) and the Exam Prep book. There are no discs etc, all the material (traces etc) are on a website to download.


    Thanks for the feedback, I'll definitely go the Kindle route. It will be the first time I've used Kindle for certification study, interested in seeing how it goes
  • beads Member Posts: 1,531
    Slowly building up some interest with a few of my analysts to go through and complete if not certify this course. For those who think it's just about Wireshark itself, consider broadening the viewpoint to include the term Network Forensics. In particular I recommend investigating ExtraHop and NetFort for your corporate networks.

    When you look at all the possibilities available via network forensics the basics of Wireshark look much more palatable as it provides insights otherwise not available. We are constantly finding new ways to use these tools in ways no one considered before. New custom tools like these rock on a number of fronts.

    - b/eads
  • Mike-Mike Member Posts: 1,860
    Launchpad wrote: »


    Stole my wife's Kindle and just bought this one, gonna see how I like studying on a Kindle
  • Kai123 Member Posts: 364
    The Chris Sanders book is vastly cheaper than Laura Chappell's. I study better with the framework of a certification and will definitely pick this up.

    One of our senior IP guys says the same thing, the CLI never lies! I think a deep understanding of Wireshark would be an amazing way to show off in any future interviews and anyone technical would appreciate it.
  • Mike-Mike Member Posts: 1,860
    Kai123 wrote: »
    The Chris Sanders book is vastly cheaper than Laura Chappell's.

    So far I really like his book
  • Magic Johnson Member Posts: 414
    Struggling with my notes here. There are no 'key topic' indicators so I'm not sure what I should be noting down. How 'deep' do I need to go? Overnoting is just as bad as undernoting.
  • dou2ble Member Posts: 160
    beads wrote: »
    Slowly building up some interest with a few of my analysts to go through and complete if not certify this course. For those who think it's just about Wireshark itself, consider broadening the viewpoint to include the term Network Forensics. In particular I recommend investigating ExtraHop and NetFort for your corporate networks.

    When you look at all the possibilities available via network forensics the basics of Wireshark look much more palatable as it provides insights otherwise not available. We are constantly finding new ways to use these tools in ways no one considered before. New custom tools like these rock on a number of fronts.

    - b/eads

    After taking the WCNA class I have better understanding of what you mean by Network Forensics and I'm fully on board. I can't believe I've been wasting my time with inferior products and sometimes just Google trying to identify unmarked open ports.
    2015 Goals: Masters in Cyber Security
  • beads Member Posts: 1,531
    dou2ble wrote: »
    After taking the WCNA class I have better understanding of what you mean by Network Forensics and I'm fully on board. I can't believe I've been wasting my time with inferior products and sometimes just Google trying to identify unmarked open ports.

    @dou2ble;

    I am telling you, when you look at some of the detail really available to you in say ExtraHop alone it's scary. In the past week my NOC guy and I have found two bad pieces of hardware and a hidden ICMP C2 channel used by an unknown piece of malware. Ummm... I doubt very much I could find things like that on a 16,000-device network armed strictly with Wireshark. Not that it isn't a great tool, but the size alone precludes us from being able to carve out much usable detail from such a flow.

    I rarely gush about products but in this case I will gush and gush hard.

    - b/eads
  • stryder144 Member Posts: 1,684
    @b/eads...ExtraHop sounds interesting. I was mucking about on their site and found that they have a Discovery Edition virtual appliance that you can get for free with a perpetual license. Very interesting.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • the_Grinch Member Posts: 4,165
    Here's a question, WCNA than CCNA or CCNA than WCNA?
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • NetworkNewb Member Posts: 3,298
    the_Grinch wrote: »
    Here's a question, WCNA than CCNA or CCNA than WCNA?

    then**!!!

    had to do it :) I'm going CCNA then WCNA though. After I get my CCNA next month (it's going to happen!) I was planning on getting my Sec+ then taking the GSEC course this fall, but it doesn't look like I'm going to be getting accepted into the work-study program so I'm going to need to use my time somewhere else... WCNA sounds interesting. Thinking with CCNA, Sec+, and WCNA I should be able to get a Security Analyst position.
  • beads Member Posts: 1,531
    Wireshark won't make you money but the skill set will certainly help any tech's career.

    Forgot about the community edition. Check out the forum as well. I could spend a couple of days reading how other people use the tool outside of security. For me it's an invaluable second opinion from the NBADs, MADs and SIEM tools.

    - b/eads
  • dou2ble Member Posts: 160
    beads wrote: »
    @dou2ble;

    I am telling you, when you look at some of the detail really available to you in say ExtraHop alone it's scary. In the past week my NOC guy and I have found two bad pieces of hardware and a hidden ICMP C2 channel used by an unknown piece of malware. Ummm... I doubt very much I could find things like that on a 16,000-device network armed strictly with Wireshark. Not that it isn't a great tool, but the size alone precludes us from being able to carve out much usable detail from such a flow.

    I rarely gush about products but in this case I will gush and gush hard.

    - b/eads

    Amazing! Have you used Steel Central Packet Analyzer? Corporate edition comes with 90 day free trial. It works together with Wireshark. I'm not an expert at either of these tools yet, but the best explanation I heard is that WS is for zooming in on a part of the football field and PA is for the whole 100 yards. It handles more data and bigger files. Within PA there is a 'send to wireshark' option for further analysis.
  • SteveO86 Member Posts: 1,423
    That tool used to be called Cascade Pilot, prior to Riverbed's massive recent re-branding. It's definitely quicker at the high level capture filtering but still has limits.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Magic Johnson Member Posts: 414
    the_Grinch wrote: »
    Here's a question, WCNA than CCNA or CCNA than WCNA?

    I did my CCNA first, though I'm not sure which would have been better first. They complement each other really and I'm not sure there would be any advantage in doing a specific one before the other.
  • beads Member Posts: 1,531
    We're using ExtraHop off an Arista SPAN so the only limitation is the number of machines we license to use versus the entire network - roughly a quarter. About to talk to folks about a site license if I dance and all that in, ironically, a few minutes.

    I'll check out the other products mentioned but suspect EH is going to win but open to any better tool. Have I mentioned I love building tools? When you want to call yourself an Engineer you better be building tools like these or others.

    - b/eads
  • Mike-Mike Member Posts: 1,860
    Magic Johnson wrote: »
    I did my CCNA first, though I'm not sure which would have been better first. They complement each other really and I'm not sure there would be any advantage in doing a specific one before the other.


    I also did my CCNA first, however these Wireshark books go into networking basics too, so it might be more helpful to do Wireshark first
  • mgmguy1 Member Posts: 485
    Mike-Mike wrote: »
    I don't expect any potential employer to be looking for that cert. I find that I study better when a cert is involved. I need a goal, and getting a cert is a way for me to set a goal for my studying.

    Last month, I was on two different job interviews and both places asked me directly if I was Wireshark certified or had any Wireshark experience.
    Both positions were for a tier 1 Telecommunications position. In my opinion I think more employers are needing this skill set.
    "A lot of fellows nowadays have a B.A., M.D., or Ph.D. Unfortunately, they don't have a J.O.B."

    Fats Domino
  • SteveO86 Member Posts: 1,423
    Interesting, the fact an employer wants in-depth protocol knowledge at the Tier 1 position just shows how little the industry knows about protocol analysis. Protocol analysis is usually very detailed and requires a good deal of attention to detail and patience, especially since the issue may not be at the network layer but more so higher up in the application stack.

    While the exam (WCNA) could use a bit more work IMO, the knowledge I gained and the time I spent thoroughly reading were beneficial (albeit at the basic level). Depending on the issue, protocol analysis is not my first resort when troubleshooting certain issues.
  • greg9891 Member Posts: 1,189
    Congrats
    Upcoming Certs: VCA-DCV 7.0, VCP-DCV 7.0, Oracle Database 1Z0-071, PMP, Server +, CCNP

    Proverbs 6:6-11Go to the ant, you sluggard! Consider her ways and be wise, Which, having no captain, Overseer or ruler, Provides her supplies in the summer, And gathers her food in the harvest. How long will you slumber, O sluggard?
    When will you rise from your sleep? A little sleep, a little slumber, A little folding of the hands to sleep, So shall your poverty come on you like a prowler And your need like an armed man.
  • UnixGuy Mod Posts: 4,564
    SteveO86 wrote: »
    Protocol Analysis is usually very detailed and requires a good of attention to detail and patience. Especially since the issue may not be at the network layer but more-so higher-up in the application stack.....



    Hey Steve, I'm interested in your opinion about protocol analysis. How much should we do? Where do you find this skill to be useful? I'm kind of lost, I don't know where to start and where to go in understanding protocols, and how much do I really need to know. I want to become an expert in technical infosec, and network security is important so that's what I want it for really..
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • --chris-- Member Posts: 1,518
    SteveO86 wrote: »
    Interesting, the fact an employer wants in-depth protocol knowledge at the Tier 1 position just shows how little the industry knows about protocol analysis. Protocol analysis is usually very detailed and requires a good deal of attention to detail and patience, especially since the issue may not be at the network layer but more so higher up in the application stack.

    While the exam (WCNA) could use a bit more work IMO, the knowledge I gained and the time I spent thoroughly reading were beneficial (albeit at the basic level). Depending on the issue, protocol analysis is not my first resort when troubleshooting certain issues.

    My first interview for an IT job was for a helpdesk at an MSP, $10/hour. The person interviewing me was the technical manager/team lead and posed this question to me:

    "Do you have experience with Wireshark and if so what have you used it for?"

    Since then its always been on my radar as a "must have" skill...probably for the wrong reason.
  • SteveO86 Member Posts: 1,423
    UnixGuy wrote: »
    Hey Steve, I'm interested in your opinion about protocol analysis. How much should we do? Where do u find this skill to be useful? I'm kind of lost, I don't know where to start and where to go in understanding protocols, and how much do I really need to know. I want to become an expert in technical infosec, and network security is important so that's what I want it for really..

    @UnixGuy - It's tough to say how much protocol analysis we should do. In my mind it all depends on the issue at hand; in my world I primarily focus on networks, so when certain issues are brought to me I approach it in the sense of "Is it the network?" and "If it is not the network, who should look at this next?"

    For me being a network engineer I find packet analysis to be very useful as a troubleshooting tool, in the InfoSec role packet analysis might be even more important depending on your role. (Attack mitigation/IPS Rule creation/etc)

    As far as how much you should know, that is a question that can definitely send you down the rabbit hole to wonderland. I've spent a fair amount of time in front of Wireshark and other protocol analyzers and depending on the issue I may find myself looking at a protocol that I have no idea how it is supposed to operate. That in turn usually sends me to Google to find out what I can about the protocol. However, I will say having a firm understanding of the base protocols TCP, UDP, IP, ARP, ICMP is the best place to start. Know why a protocol does something, and what effect certain field values have on communications. (For example, the IP Identifier field.)

    A few real life examples:

    At one company people experienced issues logging into servers using a Microsoft application; the application would return a generic 'network timeout' error, however attempting to log in a second time immediately after the failure was successful. After my initial troubleshooting I had passed the ticket to another team stating network communication existed and something else must be occurring at the application level; after an escalation or two the ticket eventually came back to me insisting it was a network related issue. At that point I started a packet capture on both ends of the conversation. After reviewing the capture all the packets were making it between the two endpoints, however the login process was being passed from the server to one of the Active Directory domain controllers and one of the domain controllers was returning a Kerberos authentication error. Needless to say it wasn't the network, like my initial conclusion :)

    Another time it was useful for a different company - there was a slow performing application, which passed data from one server to another. At first it was thought to be congestion on the network, however when the network was upgraded to 10Gb links and up the application still performed poorly. However network utilization was below 10% and the NIC on the server was running at 1% utilization so no one could blame the network anymore (even though they still did :) ). So we ran a packet capture on multiple endpoints to capture the traffic related to this issue; for giggles let's say this job transferred a total of 50Mb over the course of 4 hours on a 10Gb capable network. Once I had a chance to review the capture, I could see there was absolutely no packet loss during the transfer and there were no delays in packets; everything was being transferred with a round trip time of less than half a millisecond. The interesting thing that stood out was the fact the application was transferring the data one database entry/table at a time, meaning every packet was around 60 bytes total. (Extra credit: out of the 60 bytes transferred, how much of that is the overhead of TCP?) Once I discovered that, I realized it didn't matter if this application ran over a 10Mb network or a 10Gb network, the application was holding itself back. The network was transferring the data as quickly as it received the packets; it was the application choosing to send so little data at a time.

    Those are just two examples I've encountered in the last so many years. Basically it comes down to the finish line, when the network looks completely healthy and something is still wrong.. That's when I break out the heavy guns.

    As far as where to start with Protocol Analysis, I highly recommend the Wireshark WCNA book, it's a bit pricey but totally worth it. That book covers Wireshark as well the common underlying protocols.
    --chris-- wrote: »
    My first interview for an IT job was for a helpdesk at an MSP, $10/hour. The person interviewing me was the technical manager/team lead and posed this question to me:

    "Do you have experience with Wireshark and if so what have you used it for?"

    Since then its always been on my radar as a "must have" skill...probably for the wrong reason.

    @Chris There is never a wrong reason to learn! icon_smile.gif Wireshark/Protocol Analysis will definitely become a skill that pays off if you are in the right environment.
    NetworkNewb wrote: »
    Just caved in and bought the "Official Wireshark Certified Network Analyst Study Guide". I want to give this cert a shot.

    Just passed the Sec+ and watching CISSP videos right now... I feel these general security certs just don't go as deep in to the technical side as I want and think this should help. Maybe it will give me motivation to finish my CCNA too (passed the CCENT a couple months back). After I get my CISSP first though.

    @NetworkNewb That is definitely the best place to start in my opinion. The WCNA Study guide definitely takes you deeper than you need but the knowledge totally pays off. Your CCENT will also definitely be beneficial on this road.

    Good luck on the studies!!
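
Added example (editor's code, not from any poster in this thread and not part of Wireshark or the WCNA material): a small pure-Python pcap reader that does, on a capture file, the two checks docrice and SteveO86 describe above. It labels each flow by the transport and port the packets actually use (a "TFTP" download that is really an FTP control connection on TCP/21 changes which ACL you need), and it computes per flow how many bytes were Ethernet/IP/TCP header versus payload, which is how a job that ships one 6-byte record per 60-byte segment shows up as application-limited no matter how fast the link is. The capture it parses is constructed in sample_capture(); the addresses, ports and payloads there are made up, and only classic pcap with an Ethernet link type is handled.

```python
import struct
from collections import defaultdict, namedtuple

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
# Port-to-service hints; a hint only, never proof of what the payload actually is
SERVICE_BY_PORT = {21: "ftp", 69: "tftp", 80: "http", 88: "kerberos", 1433: "ms-sql", 5060: "sip"}

Packet = namedtuple("Packet", "proto src sport dst dport header_bytes payload tcp_flags")


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, proto, sport, dport, payload, tcp_flags=0x18):
    """Build an Ethernet/IPv4/{TCP,UDP} frame for the constructed sample capture.
    Checksums stay zero (the parser does not verify them) and MACs are placeholders."""
    if proto == 6:     # TCP: 20-byte header (data offset 5), flags default to PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, tcp_flags, 8192, 0, 0) + payload
    elif proto == 17:  # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) are supported")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + l4
    return bytes.fromhex("000000000002" "000000000001" "0800") + ip   # dst MAC, src MAC, IPv4


def build_pcap(frames):
    """Wrap raw frames in a classic pcap image: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def parse_frame(frame):
    """Decode one Ethernet frame; returns a Packet, or None for anything but IPv4 TCP/UDP."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]   # slice by IP total length, dropping any Ethernet padding
    sport, dport = struct.unpack_from("!HH", l4, 0)
    if proto == 6:
        doff = (l4[12] >> 4) * 4
        return Packet(proto, src, sport, dst, dport, 14 + ihl + doff, l4[doff:], l4[13])
    if proto == 17:
        return Packet(proto, src, sport, dst, dport, 14 + ihl + 8, l4[8:], None)
    return None


def parse_pcap(data):
    """Yield Packets from a classic pcap byte string (Ethernet link type only, not pcapng)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        offset += 16
        pkt = parse_frame(data[offset:offset + incl_len])
        offset += incl_len
        if pkt is not None:
            yield pkt


def summarize_flows(packets):
    """Group packets into unidirectional 5-tuple flows with header-vs-payload statistics."""
    flows = defaultdict(lambda: {"packets": 0, "header_bytes": 0, "payload_bytes": 0})
    for p in packets:
        f = flows[(p.proto, p.src, p.sport, p.dst, p.dport)]
        f["packets"] += 1
        f["header_bytes"] += p.header_bytes
        f["payload_bytes"] += len(p.payload)
    for (proto, _, sport, _, dport), f in flows.items():
        name = SERVICE_BY_PORT.get(dport, SERVICE_BY_PORT.get(sport, "unknown"))
        f["service"] = ("tcp/" if proto == 6 else "udp/") + name
        f["avg_payload"] = f["payload_bytes"] / f["packets"]
        f["overhead_ratio"] = f["header_bytes"] / (f["header_bytes"] + f["payload_bytes"])
    return dict(flows)


def application_limited(flows, max_avg_payload=64, min_packets=20):
    """Flows of many tiny segments: the sender, not the network, is the bottleneck."""
    return [k for k, f in flows.items()
            if f["packets"] >= min_packets and f["avg_payload"] <= max_avg_payload]


def sample_capture():
    # Constructed sample traffic (not a real capture; addresses, ports and payloads are made up):
    # a phone whose display claims TFTP but which actually sends FTP commands to TCP/21, and a
    # database job that sends one 6-byte record per segment, i.e. 60-byte frames on the wire.
    frames = [build_frame("10.0.0.5", "10.0.0.10", 6, 40000, 21, cmd)
              for cmd in (b"USER phone\r\n", b"PASS secret\r\n", b"RETR image.bin\r\n")]
    frames += [build_frame("10.0.1.20", "10.0.1.21", 6, 50000, 1433, struct.pack("!IH", i, 7))
               for i in range(50)]
    return build_pcap(frames)


if __name__ == "__main__":
    flows = summarize_flows(parse_pcap(sample_capture()))
    for key, f in flows.items():
        print(key, f["service"], "avg payload %.1f B, %.0f%% overhead" % (f["avg_payload"], 100 * f["overhead_ratio"]))
    print("application-limited flows:", application_limited(flows))
```

Run it directly to print the per-flow summary, or feed parse_pcap() the bytes of a real capture saved from Wireshark in classic pcap format. The port-to-service label is deliberately only a hint; the point of the exercise is that the packets, not the phone's display, decide whether the ACL needs UDP/69 or TCP/21, and that 54 bytes of Ethernet/IP/TCP header on a 60-byte frame is 90% overhead, which no link upgrade changes.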
  • UnixGuy Mod Posts: 4,564
    Excellent response Steve! Wish I could give you extra reputation points!

    I could see packet captures being very helpful in troubleshooting application issues like you said, and honestly that's all we use it for at work...as far as I know anyway. I'm coming from the server/OS side of things, so the networky things are a bit new to me but I'm catching up quickly (I think).

    Cheers for the detailed answer!
  • 21ctl Banned Posts: 93
    How useful is the Wireshark University bootcamp video for the WCNA exam?
  • sheiky Member Posts: 69
    Congrats on nailing the cert. I will look into those guides...Thanks.
  • SteveO86 Member Posts: 1,423
    21ctl wrote: »
    How useful is the Wireshark University bootcamp video for the WCNA exam?

    Honestly, I have no idea; I didn't even know there was a video series. I relied on the WCNA book (the big 1k+ page one), which goes into all the detail (and then a lot more than needed).