Wireshark Certified Network Analyst (WCNA)

docrice Member Posts: 1,706
There's not a whole lot of discussion here about this certification so I thought I might drop my few cents around. I passed this exam today after ordering the official study guide a couple of months back as well as the prep guide last month. Both were quite helpful. I hadn't actually given serious thought to pursuing the certification until this month. I've been using Ethereal / Wireshark for some years now so it's not like I went into studying for the WCNA cold, but I definitely did pick up some extra juicy nuggets of info here and there. I've also been conducting training sessions at work on this same topic so the reinforcement helped.

In short, if you know your protocol basics (IP, TCP, UDP, ICMP, and common ones like DNS, DHCP, ARP, HTTP, etc.) you should have a good majority of the exam covered. You don't need to be able to recite the RFCs, but in addition to knowing Wireshark as a tool you'll need a solid understanding of how everyday protocols work at a general level. The two books are very useful and if you're relatively new to protocol analysis, I highly recommend them, especially for the WCNA exam.

(Note that the official Wireshark study guide has a few errors here and there, so if you're reading through it be sure to check the errata:
http://www.wiresharkbook.com/updates.html)

Now that said, I didn't ace the exam. I did manage to pass it in 30 minutes, but it's not like I easily knocked down every bowling pin down the alley. I think the exam was pretty fair and you need to be detail-oriented (after all, it's protocol analysis) because when reviewing a network trace, one flipped bit in a field can make all the difference.

In general, it's my belief that being able to read and analyze network traffic is an extremely valuable skill. Sure, a lot of people can get by without it, but even if you're doing desktop support, I think it provides immediate evidence of something not behaving the way it should and you most likely will be able to point the finger directly to the offending host / router / user / application rather than making vague assessments like, "Seems to work after rebooting." This is especially true for the folks on the networking track (CCNA, etc.). While the CCNA may introduce you to subnetting, addressing, switching, routing, etc., it does not get into the protocols themselves that much. If you're serious about being a good network engineer, you should at least be able to comb through a trace file pretty competently. It'll put things in perspective that much better as you develop your career.

I didn't really pursue the WCNA for its marketing qualities in general. While it adds another four letters to my resume, practically no one knows what a WCNA is (yet, at least). Someone will probably guess that I misspelled CWNA. If you're going the security route, consider this cert as an opportunity to develop your ProtocolAnalysis-Fu because interpreting bits on the wire is an important part of the job.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • jimmy6067 Registered Users Posts: 9
    Thanks for the post. I did not know such a cert existed for Wireshark. I definitely agree it is a great tool for networking and the security route. BTW I like that wireless offensive security cert you have; I definitely want to get one of those certs after I graduate...gotta love BT.

    Oh btw congrats on the WCNA cert!
  • wastedtime Member Posts: 586
    Great review, I have considered this certification as a good foundation of information.
  • jovan88 Member Posts: 393
    congrats, I think this is something a lot of us will want to achieve
  • Devilsbane Member Posts: 4,214
    There was a thread all about this a couple months ago, I wonder if I can find it for you.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    docrice wrote: »
    In general, it's my belief that being able to read and analyze network traffic is an extremely valuable skill. Sure, a lot of people can get by without it, but even if you're doing desktop support, I think it provides immediate evidence of something not behaving the way it should and you most likely will be able to point the finger directly to the offending host / router / user / application rather than making vague assessments like, "Seems to work after rebooting." This is especially true for the folks on the networking track (CCNA, etc.). While the CCNA may introduce you to subnetting, addressing, switching, routing, etc., it does not get into the protocols themselves that much. If you're serious about being a good network engineer, you should at least be able to comb through a trace file pretty competently. It'll put things in perspective that much better as you develop your career.
    ...

    Someone will probably guess that I misspelled CWNA. If you're going the security route, consider this cert as an opportunity to develop your ProtocolAnalysis-Fu because interpreting bits on the wire is an important part of the job.

    From the database/developer side I would argue the same is true. It is a very important, undervalued skill. I will not be working on the cert, but I may look into the study material.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    wastedtime wrote: »
    Great review, I have considered this certification as a good foundation of information.

    I second this. I think your write up was great. Do you feel like you learned to be a better analyst by going through the material or was it all review for someone at your career/experience level? I am seriously thinking about giving this one a go. It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

    Edit: I was thinking of using this cert as a good intro cert to the GCIA.
  • RobertKaucher Member Posts: 4,299
    It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

    I agree about questioning the value of the cert. But I think for someone trying to break into the info sec area it might have some value as well as for those trying to break into networking as it might set them apart from the typical Net+/CCNA types.

    If I were looking for an entry level Windows admin and I got someone's resume with this and say a Net+ and MCTS or MCP I would likely want to interview them as this shows some real initiative and indicates a likelihood of depth of knowledge.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I agree about questioning the value of the cert. But I think for someone trying to break into the info sec area it might have some value as well as for those trying to break into networking as it might set them apart from the typical Net+/CCNA types.

    If I were looking for an entry level Windows admin and I got someone's resume with this and say a Net+ and MCTS or MCP I would likely want to interview them as this shows some real initiative and indicates a likelihood of depth of knowledge.

    That's interesting - especially coming from you since you were just hiring someone (correct?).

    If the IT/hiring/recruiting manager was also a techie or at least savvy, the words Wireshark and "network analyst" should help move the resume up a bit. The cost of the material seems kind of high. I have to look over the CPE aspect of the cert but I think it was relatively straightforward. I think someone going for it should also study other packet capture methods (tcpdump/windump etc). I believe in the other thread(s) about this cert someone said it was more "network analyst" than "Wireshark".
  • docrice Member Posts: 1,706
    Do you feel like you learned to be a better analyst by going through the material or was it all review for someone at your career/experience level? I am seriously thinking about giving this one a go. It looks interesting and the information seems valuable. I am wondering about the value of the cert however.

    Edit: I was thinking of using this cert as a good intro cert to the GCIA.

    The bulk of the material was review for me, but it did fill in a number of knowledge gaps here and there and it definitely improved my understanding of the tool in areas / features which I don't normally use. I think it's for sure a good introductory course for packet analysis. If you've already got experience looking at traffic and are pretty solid with TCP/IP, then I don't think it's necessary for the GCIA. There's a short assessment quiz for the GCIA to see if you have the foundation for it:

    http://www.sans.org/security-training/tcpip_quiz.php

    A good portion of the book covers Wireshark itself, but it all folds together in approaching the job as a network analyst. While you have to understand the traffic flow, you also have to know your tools to dissect it efficiently. Tcpdump / windump shares much in common with Wireshark / Tshark / etc. as they both use the same capture filtering syntax (BPF). Stuff like byte offset filtering, etc., are part of the picture.

    While the cost of the exam is a bit on the high side compared to your associate-level Cisco exam, the subject material is rather unique. I think a practical component of the test would help validate the WCNA further since multiple-question formats make it somewhat artificially easier.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
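The BPF byte-offset filtering mentioned in the post above, as an added example that is not part of the original thread: a small Python evaluator that builds a constructed IPv4/TCP packet and tests tcpdump/Wireshark capture-filter idioms such as `tcp[13] & 0x12 == 0x12` (SYN/ACK) against it. It assumes a raw IPv4 packet with no link-layer header; the packet values, helper names and the mini-parser are all constructed for illustration, not libpcap's real compiler.

```python
import re
import struct

# TCP flag bits in the byte at tcp[13] (tcpdump also spells it tcp[tcpflags]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(sport, dport, flags, ip_options=b""):
    """Constructed sample: IPv4 header (optionally with options) followed by a
    minimal 20-byte TCP header. Checksums stay zero; no filter here reads them."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4                # header length in 32-bit words
    total_len = ihl * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234,
                         0x4000,                  # flags/fragment offset: DF set
                         64, 6, 0,                # TTL, protocol 6 = TCP, checksum
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                          5 << 4, flags, 65535, 0, 0)   # data offset = 5 words
    return ip_hdr + ip_options + tcp_hdr


def proto_offset(pkt, proto):
    """Where proto-relative offsets start in a raw IPv4 packet (no link layer)."""
    if proto == "ip":
        return 0
    if proto == "tcp":
        if pkt[9] != 6:
            raise ValueError("not a TCP packet")
        return (pkt[0] & 0x0F) * 4                # follows IHL, so IP options are skipped
    raise ValueError("unsupported protocol: " + proto)


# Accepts exactly the byte-offset idiom:  proto[index] [& mask] (==|!=) value
FILTER_RE = re.compile(
    r"^\s*(\w+)\[(\d+)\]\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*(==|!=)\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def bpf_match(pkt, expr):
    """Evaluate one byte-offset filter with the semantics BPF gives it:
    read the single byte, apply the optional mask, compare."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: " + expr)
    proto, index, mask, op, value = m.groups()
    byte = pkt[proto_offset(pkt, proto) + int(index)]
    masked = (byte & int(mask, 0)) if mask else byte
    equal = masked == int(value, 0)
    return equal if op == "==" else not equal


if __name__ == "__main__":
    syn = build_ipv4_tcp(40000, 443, TCP_SYN)
    synack = build_ipv4_tcp(443, 40000, TCP_SYN | TCP_ACK)
    synack_opts = build_ipv4_tcp(443, 40000, TCP_SYN | TCP_ACK, bytes([1, 1, 1, 1]))
    for pkt_name, pkt in [("syn", syn), ("synack", synack), ("synack+ipopts", synack_opts)]:
        for f in ("tcp[13] & 0x12 == 0x12", "tcp[13] & 0x12 == 0x02", "ip[33] & 0x12 == 0x12"):
            print(f"{pkt_name:14} {f:26} -> {bpf_match(pkt, f)}")
```

The `ip[33]` case is the detail worth noticing: an absolute offset only lines up with the TCP flags while the IP header is exactly 20 bytes, so it silently stops matching once IP options appear, whereas `tcp[13]` follows IHL.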
  • chrisone Member Posts: 2,278
    Great job in passing the test and reviewing it here!

    By the way, what were your study habits for this exam? Hours per day? Labs?

    I guess the labs come with the book, OK, I probably answered my own question here.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • docrice Member Posts: 1,706
    I'd say maybe a couple of hours per day, no labs specifically for the exam since I look at the wire daily at my job anyway. The two books certainly helped though. I highly recommend them.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Chris:/* Member Posts: 658
    Thanks for the review good information as I eventually intend to pursue this certification in hopes of picking up new knowledge.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • mikej412 Member Posts: 10,086
    Congratulations on the Pass!!

    Nice Review
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    docrice wrote: »
    The bulk of the material was review for me, but it did fill in a number of knowledge gaps here and there and it definitely improved my understanding of the tool in areas / features which I don't normally use. I think it's for sure a good introductory course for packet analysis. If you've already got experience looking at traffic and are pretty solid with TCP/IP, then I don't think it's necessary for the GCIA. There's a short assessment quiz for the GCIA to see if you have the foundation for it:

    SANS Institute - Basic TCP/IP & Hex Knowledge Quizzes

    A good portion of the book covers Wireshark itself, but it all folds together in approaching the job as a network analyst. While you have to understand the traffic flow, you also have to know your tools to dissect it efficiently. Tcpdump / windump shares much in common with Wireshark / Tshark / etc. as they both use the same capture filtering syntax (BPF). Stuff like byte offset filtering, etc., are part of the picture.

    While the cost of the exam is a bit on the high side compared to your associate-level Cisco exam, the subject material is rather unique. I think a practical component of the test would help validate the WCNA further since multiple-question formats make it somewhat artificially easier.


    Thanks for the pointers. What's up next for you?
  • docrice Member Posts: 1,706
    Thanks for the pointers. What's up next for you?

    CCNA Wireless before moving on to the CCNP / CCSP since they're both going through revisions anyway. Maybe really finish up the 1DCPT final submission and finish the eCPPT course (although I might not go through the exam portion).

    Lots of work ahead before the year's over...
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    docrice wrote: »
    CCNA Wireless before moving on to the CCNP / CCSP since they're both going through revisions anyway. Maybe really finish up the 1DCPT final submission and finish the eCPPT course (although I might not go through the exam portion).

    Lots of work ahead before the year's over...

    Just curious, but what do you do? You seem to kill the certs.
  • docrice Member Posts: 1,706
    Just curious, but what do you do? You seem to kill the certs.

    I should probably clarify a bit - while I'm planning on sitting for the CCNA Wireless exam in one month, I don't intend to start on the CCNP track until next year. I might start on one or two of the CCSP exams in a couple of months, assuming the study material is available for the revised track.

    I already went through the 1DCPT course, but my final report (exam) is still in beta. The eCPPT I've dove into a bit, but I'm nowhere near complete. Getting certified in the eCPPT and the 1DCPT is not a "must" goal of mine (the knowledge is more important to me in this case).

    The certs I've been getting lately are the relatively easy ones, which explains why I've been pushing through them. I'm no packet ninja, but I use Wireshark almost daily to some degree which is why the WCNA exam wasn't all that difficult for me.

    My title at work is Sr. Systems Engineer. I'm still unsure what this means. I just know it deals with computers or something.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • bertieb Member Posts: 1,031
    I'll chime in with my thoughts - I agree with everyone else's feedback. That was a great review, thanks for posting.

    Oh yeah, and congrats on the pass.
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    docrice wrote: »
    I should probably clarify a bit - while I'm planning on sitting for the CCNA Wireless exam in one month, I don't intend to start on the CCNP track until next year. I might start on one or two of the CCSP exams in a couple of months, assuming the study material is available for the revised track.

    I already went through the 1DCPT course, but my final report (exam) is still in beta. The eCPPT I've dove into a bit, but I'm nowhere near complete. Getting certified in the eCPPT and the 1DCPT is not a "must" goal of mine (the knowledge is more important to me in this case).

    The certs I've been getting lately are the relatively easy ones, which explains why I've been pushing through them. I'm no packet ninja, but I use Wireshark almost daily to some degree which is why the WCNA exam wasn't all that difficult for me.

    My title at work is Sr. Systems Engineer. I'm still unsure what this means. I just know it deals with computers or something.

    I think you were pretty clear in your answer before. I was asking what you did because I have been reading some of your posts and I was curious.
  • veritas_libertas Member Posts: 5,746
    Nice review! Is the book enough to study for it if you have very little experience with Wireshark?
  • docrice Member Posts: 1,706
    I was asking what you did because I have been reading some of your posts and I was curious.

    I manage a relatively small (but complex) network environment with a lot of moving parts to simulate many use-case scenarios for my company's software and services. This means I cover Active Directory, Cisco, Linux, VPN appliances, AAA, and other miscellaneous stuff as needed. To echo another thread on the forum, skillset-wise I'm relatively wide and only somewhat deep. I have my hands in a lot of cookie jars (layers 1 through 7), but over time in my career I've noticed that there are some basics that I missed out on because I do "a little of a lot." This is one of the reasons I decided to pursue a formal certification route to help fill in those gaps.

    I think the WCNA was a good example. I'm pretty fluent with packet analysis basics, but actively going for the cert allowed me to pick up on small details that I totally missed out on before. I'm pretty sure we've all been there when we thought we were on top of our game on a piece of technology and then someone walks by and points out a setting that's been staring at us in the face for years that we never bothered to explore.

    So on an average day, I'll be looking through the firewall syslogs and EtherApe output to check for abnormal protocols running through the network, writing technical documentation, conducting training sessions (on protocol analysis, for example), setting up new test AD domains, working with other department teams to isolate connectivity / authentication / software issues, setting up new Linux boxes, re-configuring the various VPN appliances we test with, expanding the virtualization environment, taming the spaghetti monster (or at least that's what it's starting to look like), troubleshooting a customer escalation, and apparently spending some quality time on techexams.net. The term "computer handyman" comes to mind.
    Nice review! Is the book enough to study for it if you have very little experience with Wireshark?

    I think the official study guide is solid enough to hold its own for the exam, although I also do recommend getting the prep guide. Those two should be good enough to get an idea what the exam covers. That said, for anyone who doesn't have experience doing packet analysis, expect to spend a lot of time looking at traces. There's no substitute for doing the actual work. Even if you are good at book studying / cramming, you owe it to yourself to actually be able to do the work efficiently.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • L0gicB0mb508 Member Posts: 538
    I think I might do this one for funzies.
    I bring nothing useful to the table...
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Well, I ordered my Wireshark book today. It should be here in 2 days. I am still waiting on my LPIC in a Nutshell to arrive, so this might be something to kill some time.
  • RobertKaucher Member Posts: 4,299
    Well, I ordered my Wireshark book today. It should be here in 2 days. I am still waiting on my LPIC in a Nutshell to arrive, so this might be something to kill some time.

    You should let me borrow it when you are done.
  • Paul Boz Member Posts: 2,620
    Positive rep for a great review, thanks.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    I just got the book on my Kindle, so I'll start reading it here soon.
    I bring nothing useful to the table...
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I got my book yesterday. Signed and all lol.
  • Devilsbane Member Posts: 4,214
    I got my book yesterday. Signed and all lol.

    Very exciting. I don't think I own a single signed book.
    Decide what to be and go be it.
  • powerfool Member Posts: 1,666
    I just got the book on my Kindle, so I'll start reading it here soon.

    Is it available on the Kindle now? Last I checked it wasn't.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro