Wireshark Certified Network Analyst (WCNA)

docrice

There's not a whole lot of discussion here about this certification so I thought I might drop my few cents around. I passed this exam today after ordering the official study guide a couple of months back as well as the prep guide last month. Both were quite helpful. I hadn't actually given serious thought to pursuing the certification until this month. I've been using Ethereal / Wireshark for some years now so it's not like I went into studying for the WCNA cold, but I definitely did pick up some extra juicy nuggets of info here and there. I've also been conducting training sessions at work on this same topic so the reinforcement helped.

In short, if you know your protocol basics (IP, TCP, UDP, ICMP, and common ones like DNS, DHCP, ARP, HTTP, etc.) you should have a good majority of the exam covered. You don't need to be able to recite the RFCs, but in addition to knowing Wireshark as a tool you'll need a solid understanding of how everyday protocols work at a general level. The two books are very useful and if you're relatively new to protocol analysis, I highly recommend them, especially for the WCNA exam.

(Note that the official Wireshark study guide has a few errors here and there, so if you're reading through it be sure to check the errata:
http://www.wiresharkbook.com/updates.html)

Now that said, I didn't ace the exam. I did manage to pass it in 30 minutes, but it's not like I easily knocked down every bowling pin down the alley. I think the exam was pretty fair and you need to be detail-oriented (after all, it's protocol analysis) because when reviewing a network trace, one flipped bit in a field can make all the difference.

In general, it's my belief that being able to read and analyze network traffic is an extremely valuable skill. Sure, a lot of people can get by without it, but even if you're doing desktop support, I think it provides immediate evidence of something not behaving the way it should and you most likely will be able to point the finger directly to the offending host / router / user / application rather than making vague assessments like, "Seems to work after rebooting." This is especially true for the folks on the networking track (CCNA, etc.). While the CCNA may introduce you to subnetting, addressing, switching, routing, etc., it does not get into the protocols themselves that much. If you're serious about being a good network engineer, you should at least be able to comb through a trace file pretty competently. It'll put things in perspective that much better as you develop your career.

I didn't really pursue the WCNA for its marketing qualities in general. While it adds another four letters to my resume, practically no one knows what a WCNA is (yet, at least). Someone will probably guess that I misspelled CWNA. If you're going the security route, consider this cert as an opportunity to develop your ProtocolAnalysis-Fu because interpreting bits on the wire is an important part of the job.

jimmy6067

Thanks for the post I did not know such a cert existed for Wireshark. I definitly agree it is a great tool for networking and the security route. BTW I like that wireless offensive security cert you have I definitely want to get one of those certs after I graduate...gotta love BT.

Oh btw congrats on the WCNA cert!

wastedtime

Great review, I have considered this certification as a good foundation of information.

jovan88

congrats, I think this is something a lot of us will want to achieve

Devilsbane

There was a thread all about this a couple months ago, I wonder if I can find it for you.

RobertKaucher

docrice wrote: »

In general, it's my belief that being able to read and analyze network traffic is an extremely valuable skill. Sure, a lot of people can get by without it, but even if you're doing desktop support, I think it provides immediate evidence of something not behaving the way it should and you most likely will be able to point the finger directly to the offending host / router / user / application rather than making vague assessments like, "Seems to work after rebooting." This is especially true for the folks on the networking track (CCNA, etc.). While the CCNA may introduce you to subnetting, addressing, switching, routing, etc., it does not get into the protocols themselves that much. If you're serious about being a good network engineer, you should at least be able to comb through a trace file pretty competently. It'll put things in perspective that much better as you develop your career.
...

Someone will probably guess that I misspelled CWNA. If you're going the security route, consider this cert as an opportunity to develop your ProtocolAnalysis-Fu because interpreting bits on the wire is an important part of the job.

From the database/developer side I would argue the same is true. It is a very important, undervalued skill. I will not be working on the cert, but I may look into the study material.

Bl8ckr0uter

wastedtime wrote: »

Great review, I have considered this certification as a good foundation of information.

I second this. I think your write up was great. Do you feel like you learned to be a better analyst by going through the material or was it all review for someone at your career/experience level? I am seriously thinking about giving this one a go. It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

Edit: I was thinking of using this cert as a good intro cert to the GCIA.

RobertKaucher

Bl8ckr0uter wrote: »

It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

I agree about questioning the value of the cert. But I think for someone trying to break into the info sec area it might have some value as well as for those trying to break into networking as it might set them apart from the typical Net+/CCNA types.

If I were looking for an entry level Windows admin and I got someone's resume with this and say a Net+ and MCTS or MCP I would likely want to interview them as this shows some real initiative and indicates a likelyhood of depth of knowledge.

Bl8ckr0uter

RobertKaucher wrote: »

I agree about questioning the value of the cert. But I think for someone trying to break into the info sec area it might have some value as well as for those trying to break into networking as it might set them apart from the typical Net+/CCNA types.

If I were looking for an entry level Windows admin and I got someone's resume with this and say a Net+ and MCTS or MCP I would likely want to interview them as this shows some real initiative and indicates a likelyhood of depth of knowledge.

That's interesting - especially coming from you since you were just in a hiring someone (correct?).

If the IT/hiring/recruiting manager was also a techie or at least savvy, the words wireshark and "network analyst" should help move the resume up a bit. The cost of the material seems kind of high. I have to look over the cpe aspect of the cert but I think it was relatively straight forward. I think someone going for it should also study other packet capture methods (tcpdump/windump etc). I believe in the other thread(s) about this cert someone said it was more "network analyst" than "wireshark".

docrice

Bl8ckr0uter wrote: »

Do you feel like you learned to be a better analyst by going through the material or was it all review for someone at your career/experience level? I am seriously thinking about giving this one a go. It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

Edit: I was thinking of using this cert as a good intro cert to the GCIA.

The bulk of the material was review for me, but it did fill in a number of knowledge gaps here and there and it definitely improved my understanding of the tool in areas / features which I don't normally use. I think it's for sure a good introductory course for packet analysis. If you've already got experiencing look at traffic and pretty solid with TCP/IP, then I don't think it's necessary for the GCIA. There's a short assessment quiz for the GCIA to see if you have the foundation for it:

http://www.sans.org/security-training/tcpip_quiz.php

A good portion of the book covers Wireshark itself, but it all folds together in approaching the job as a network analyst. While you have to understand the traffic flow, you also have to know your tools to dissect it efficiently. Tcpdump / windump shares much in common with Wireshark / Tshark / etc. as they both use the same capture filtering syntax (BPF). Stuff like byte offset filtering, etc., are part of the picture.

While the cost of the exam is a bit on the high side compared to your associate-level Cisco exam, the subject material is rather unique. I think a practical component of the test would help validate the WCNA further since multiple-question formats make it somewhat artificially easier.

chrisone

Great job in passing the test and reviewing it here!

by the way what were your study habits for this exam? hours per day? labs?

i guess the labs come with the book, ok i probably answered my own question here

docrice

I'd say maybe a couple of hours per day, no labs specifically for the exam since I look at the wire daily at my job anyway. The two books certainly helped though. I highly recommend them.

Chris:/*

Thanks for the review good information as I eventually intend to pursue this certification in hopes of picking up new knowledge.

mikej412

Congratulations on the Pass!!

Nice Review

Bl8ckr0uter

docrice wrote: »

The bulk of the material was review for me, but it did fill in a number of knowledge gaps here and there and it definitely improved my understanding of the tool in areas / features which I don't normally use. I think it's for sure a good introductory course for packet analysis. If you've already got experiencing look at traffic and pretty solid with TCP/IP, then I don't think it's necessary for the GCIA. There's a short assessment quiz for the GCIA to see if you have the foundation for it:

SANS Institute - Basic TCP/IP & Hex Knowledge Quizzes

A good portion of the book covers Wireshark itself, but it all folds together in approaching the job as a network analyst. While you have to understand the traffic flow, you also have to know your tools to dissect it efficiently. Tcpdump / windump shares much in common with Wireshark / Tshark / etc. as they both use the same capture filtering syntax (BPF). Stuff like byte offset filtering, etc., are part of the picture.

While the cost of the exam is a bit on the high side compared to your associate-level Cisco exam, the subject material is rather unique. I think a practical component of the test would help validate the WCNA further since multiple-question formats make it somewhat artificially easier.

Thanks for the pointers. What's up next for you?

docrice

Bl8ckr0uter wrote: »

Thanks for the pointers. What's up next for you?

CCNA Wireless before moving onto the CCNP / CCSP since they're both going through revisions anyway. Maybe really finish up the 1DCPT final submission and finish the eCPPT course (although I might not go through the exam portion).

Lots of work ahead before the year's over...

Devilsbane

Here is the other thread about this exam.

http://www.techexams.net/forums/general-certification/56348-wireshark-cert-net-analyst-official-exam-prep-guide.html

Bl8ckr0uter

docrice wrote: »

CCNA Wireless before moving onto the CCNP / CCSP since they're both going through revisions anyway. Maybe really finish up the 1DCPT final submission and finish the eCPPT course (although I might not go through the exam portion).

Lots of work ahead before the year's over...

Just curious but what do you do? You seems to kill the certs.

docrice

Bl8ckr0uter wrote: »

Just curious but what do you do? You seems to kill the certs.

I should probably clarify a bit - while I'm planning on sitting for the CCNA Wireless exam in one month, I don't intend to start on the CCNP track until next year. I might start on one or two of the CCSP exams in a couple of months, assuming the study material is available for the revised track.

I already went through the 1DCPT course, but my final report (exam) is still in beta. The eCPPT I've dove into a bit, but I'm nowhere near complete. Getting certified in the eCPPT and the 1DCPT is not a "must" goal of mine (the knowledge is more important to me in this case).

The certs I've been getting lately are the relatively easy ones, which explains why I've been pushing through them. I'm no packet ninja, but I use Wireshark almost daily to some degree which is why the WCNA exam wasn't all that difficult for me.

My title at work is Sr. Systems Engineer. I'm still unsure what this means. I just know it deals with computers or something.

bertieb

I'll chime in with my thoughts - I agree with everyone else's feedback. That was a great review, thanks for posting.

Oh yeah, and congrats on the pass.

Bl8ckr0uter

docrice wrote: »

I should probably clarify a bit - while I'm planning on sitting for the CCNA Wireless exam in one month, I don't intend to start on the CCNP track until next year. I might start on one or two of the CCSP exams in a couple of months, assuming the study material is available for the revised track.

I already went through the 1DCPT course, but my final report (exam) is still in beta. The eCPPT I've dove into a bit, but I'm nowhere near complete. Getting certified in the eCPPT and the 1DCPT is not a "must" goal of mine (the knowledge is more important to me in this case).

The certs I've been getting lately are the relatively easy ones, which explains why I've been pushing through them. I'm no packet ninja, but I use Wireshark almost daily to some degree which is why the WCNA exam wasn't all that difficult for me.

My title at work is Sr. Systems Engineer. I'm still unsure what this means. I just know it deals with computers or something.

I think you were pretty clear in your answer before. I was asking what you did because I have been reading some of your post and I was curious.

veritas_libertas

Nice review! Is the book enough to study for it if you have very little experience with Wireshark?

docrice

Bl8ckr0uter wrote: »

I was asking what you did because I have been reading some of your post and I was curious.

I manage a relatively small (but complex) network environment with a lot of moving parts to simulate many use-case scenarios for my company's software and services. This means I cover Active Directory, Cisco, Linux, VPN appliances, AAA, and other miscellaneous stuff as needed. To echo another thread on the forum, skillset-wise I'm relatively wide and only somewhat deep. I have my hands in a lot of cookie jars (layers 1 through 7), but over time in my career I've noticed that there are some basics that I missed out on because I do "a little of a lot." This is one of the reasons I decided to pursue a formal certification route to help fill in those gaps.

I think the WCNA was a good example. I'm pretty fluent with packet analysis basics, but actively going for the cert allowed me to pick up on small details that I totally missed out on before. I'm pretty sure we've all been there when we thought we were on top of our game on a piece of technology and then someone walks by and points out a setting that's been staring at us in the face for years that we never bothered to explore.

So on an average day, I'll be looking through the firewall syslogs and EtherApe output to check for abnormal protocols running through the network, writing technical documentation, conducting training sessions (on protocol analysis, for example), setting up new test AD domains, working with other department teams to isolate connectivity / authentication / software issues, setting up new Linux boxes, re-configuring the various VPN appliances we test with, expanding the virtualization environment, taming the spaghetti monster (or at least that's what it's starting to look like), troubleshooting a customer escalation, and apparently spending some quality time on techexams.net. The term "computer handyman" comes to mind.

veritas_libertas wrote: »

Nice review! Is the book enough to study for it if you have very little experience with Wireshark?

I think the official study guide is solid enough to hold its own for the exam, although I also do recommend getting the prep guide. Those two should be good enough to get an idea what the exam covers. That said, for anyone who doesn't have experience doing packet analysis, expect to spend a lot of time looking at traces. There's no substitute for doing the actual work. Even if you are good at book studying / cramming, you owe it to yourself to actually be able to do the work efficiently.

L0gicB0mb508

I think I might do this one for funzies.

Bl8ckr0uter

Well I ordered my Wireshark book today. It should be here in 2 days. I am still waiting on my LPIC in a nutshell to arrive to this might be something to kill some time.

RobertKaucher

Bl8ckr0uter wrote: »

Well I ordered my Wireshark book today. It should be here in 2 days. I am still waiting on my LPIC in a nutshell to arrive to this might be something to kill some time.

You should let me borrow it when you are done.

Paul Boz

Positive rep for a great review, thanks.

L0gicB0mb508

I just got the book on my Kindle, so I'll start reading it here soon.

Bl8ckr0uter

I got my book yesterday. Signed and all lol.

Devilsbane

Bl8ckr0uter wrote: »

I got my book yesterday. Signed and all lol.

Very exciting. I don't think I own a single signed book.

powerfool

L0gicB0mb508 wrote: »

I just got the book on my Kindle, so I'll start reading it here soon.

Is it available on the Kindle now? Last I checked it wasn't.