Passed SANS GCIA Exam - after failing both practice exams

0xFEEDBEEF Registered Users Posts: 1
Hello All, First time poster, long time lurker...

Some backstory:
I took the SANS GCIA live training in Las Vegas in Sept 2016. Mike Poor did an amazing job at teaching me these skills, while providing great anecdotes and analogies that allowed me to understand the core fundamentals as best I could.

I took my first practice test two weeks prior to my exam and scored 60%. For some odd reason, I did not reference my index or notes whatsoever. I also only used two of the allotted four hours. I thought this was a decent mark for not referencing any material. I continued my studies in the areas SANS gave me in my failing summary.

Come four days before my exam, I took practice test two. This time I used my index and 2.5 of the allotted four hours, and I still failed with a 65%. Now I was scared. I had no idea how I did so bad; I didn't reference as many answers as I liked, and I finished way ahead of schedule... Keep in mind, they give you the four hours for a reason... Use it.

Again, I took the output of my failing summary and began to meticulously scrub through each section I got under three stars in, re-writing my index for those subjects, while also reading the notes in the books. I started to use some packet **** because I was doing real bad on mapping headers / finding ports / protocols and checksums...

After re-reading the books (actually reading and highlighting) in the sections I didn't do well on, running through packet ****, familiarizing myself with concepts I was not comfortable with, re-indexing certain areas where I struggled, and being able to explain key concepts to my peers, I believe I was ready.

Exam day.
For some reason the testing centers in my city were unavailable to book the GCIA, so I had to take a four hour road trip. I had my partner drive me, and on the way to the exam I kept going over the concepts I was not familiar with (IPv6, Packet Crafting, DNS, Application Protocols).

Once I got to the testing center I had some issues with the proctor not allowing me to bring my books into the exam; good thing I printed off the SANS FAQ that states they're allowed. I was brought to my desk, and I began the exam... Without getting into too much detail, I ended up referencing most questions (unless I was 100% sure), and using most of my time (used 3.5/4 hrs). I passed the exam with a whopping 84%... 84%!!! - I had no idea I was going to get a mark like that after failing both practice exams... I believe that the shock of failing kicked in after failing both practice tests, and this booted my brain into some kind of overdrive...

To sum it up: as long as you understand the base concepts, and how the underlying technologies work, you should be able to pass this exam. Also the index and packet headers, these helped immensely.

Questions were not binary, most questions were situational...

Materials going into Exam:
1. I have my 40+ page index (sorted A-Z by Excel) (Followed this guide)
Example: (not sure if this falls under bad rules)


Fragmentation (DF Bit)

basic info
if flag set, packet will not be fragmented

Snort (Process Flow)

process flow

Packets > Decoder > Pre-processors > Snort Rules > Alerts / Logs


SHITTY, Low end, Half duplex, only understands layer 1 traffic

Silk (Flow)


Flow is unidirectional 5-tuple of:
- Source IP
- Dest IP
- Sport
- Dport
- Protocol

Flow terminates when a FIN/RST found, inactivity of 63 seconds/ Activity for 30m

2. Had all my packet headers, and other docs
- IPv4
- IPv6
- ICMP & ICMPv6 (w/ Message Codes)
- Ethernet Header
- IPv6 Extension Headers

3. A few 'breakdown' images I made, that really clarified the fixed position headers.

4. A 'Hex Math' sheet, so I could reference in case I forget something (although, extremely fundamental)

5. I practiced multiple packet hex ****, courtesy of

You can do it! Believe in yourself, but make sure you know your stuff!

Let me know if you have any questions!

