WireShark WCNA - Anyone pursuing or got this?
SteveO86
Member Posts: 1,423
When I first heard about the Wireshark certificate I thought, why would I bother with it.. It's never mentioned anywhere, there is no demand for it at all (that I can find maybe I'm not looking hard enough?) and why would I want to be certified for a free packet sniffer I already use.
However after I read the exam topics I can see the usefulness of the knowledge, but not the usefulness of the certificate. (If that makes sense).
So I'm thinking of buying the WCNA Book for $80 just to read.. I think I should be able to get fairly useful knowledge out of it.
I was just wondering if anyone has pursued this certification how their experience was with it - Did you learn any new stuff, did the certificate help you at all with career, those types of things.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
Comments
-
powerfool Member Posts: 1,666
I do packet analysis for about 70% of my work and I have been reluctant to do it. Honestly, I don't think that there is much call for it; also, I don't use WireShark for my job, but I do have experience with it. That being said, I did purchase the study guide to use in developing some training for the product that we use. I may give it a tumble.
2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
-
docrice Member Posts: 1,706
I learned new stuff, and that's a good book. It helped me become aware of some features within the tool and ways of utilizing it which I wasn't previously aware of and also provided stronger reinforcement of traffic protocol knowledge.
Studying for the cert will at the very least help you become familiar with normal / abnormal traffic patterns if your packet-analysis-fu is relatively weak, but if you already have a lot of experience dealing with traces and finding blondes and brunettes within TCP streams, then the effort probably won't really help much.
The cert itself hasn't helped my career in terms of recognition, nor do I expect it to in the near future, but the skill gained from it definitely is without question. The exam is somewhat about Wireshark as a tool, but is very much more about how IP behavior works and strategies on finding the needle in the haystack. I got the certification because it was a somewhat low-hanging fruit. Once you're certified, you have to maintain it by obtaining CPEs and you can do that by going through additional free training on the WCNA portal (which you need to hold the cert to get access to).
An unexpected side benefit so far is that since it took them a while to bring that portal online after I got certified, they sent me a nice gift to make up for it - an AirPcap EX adapter (similar to the TX, but comes with an external antenna). I don't think CACE / Riverbed sells this anymore, but a year or two ago when they did, it wasn't cheap. If you have to use Windows to do your 802.11 captures, these AirPcap devices are hard to beat.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
I plan to take this exam. Sometime in June or say (after I finish the elearnsecurity course).
I think the exam will be "worth it" for a few reasons:
1: Almost every JR Network Engineer/Analyst and JR Networks Security Analyst/Engineer position in my area mentions "wireshark" AND "packet capture"
2: Many of them don't even list any certs BUT do mention that strong packet capture and analysis is required.
3: While I don't think the cert is very well known, most hiring managers will be able to put together that someone with a WCNA isn't aiming at helpdesk work (or the like) so for people who are still in the entry level stages of their career can help show their career direction with it.
4: At 300 dollars it is somewhat expensive but compared to the GCIA (which I also want, badly and plan to challenge at the end of the year) it is reasonable.
4a: I plan to use the WCNA to gauge my possible readiness for the GCIA (even though I know the GCIA will be much easier, I just want to see if I think it will be reasonable for me to try GCIA this year. My experience is lacking )
I think it will be kind of fun. I have been going through the labs and through the honeynet projects pcaps and I am truly interested in this kind of work. I don't know how much it will help my resume but it couldn't hurt. At least it could be a good conversation point for a technically oriented Hiring Manager. What's funny is I basically sat down with my wife and talked out my career goals. We were basically trying to figure out if I should go for the CISSP right now (which I decided not to, despite external pressures from recruiters to do it). Since I am not doing that and I can't miss class to do the SSCP. I was reading on another forum and a very well respected pentester basically said that WCNA and CCDA studies would be extremely helpful to security analysts and pentesters alike. I basically decided to do it because for the aforementioned reasons and the fact that I don't want to be a networking pro without understanding of packet level analysis (at least at the CCNA level). Which isn't to say that those without the cert don't understand but I can say that most CCNAs I talk to don't. Hell a lot of the CCNPs I know don't either. I don't want to be like that. If there was no cert and only the book I would just read the book but since there is a cert, I should go for it for the sake of positive reinforcement right? Lol.
Do you plan on taking it? If so, when? There aren't many folks on here who have mentioned it so I'd like to get a little group going (if you would like). -
docrice Member Posts: 1,706
Bl8ckr0uter wrote: »I plan to use the WCNA to gauge my possible readiness for the GCIA (even though I know the GCIA will be much easier, I just want to see if I think it will be reasonable for me to try GCIA this year. My experience is lacking )
As someone who is about to sit for the GCIA exam, I will say that I found taking the WCNA exam to be much easier. While preparing for the WCNA requires an attention to detail, for the GCIA you really need to be able to consider every field and bit value from layers 2 through 7, and many times by translating the hex output of tcpdump.
The WCNA does provide a very good foundation for the GCIA, however. The cert is cool, but the knowledge is priceless.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
docrice wrote: »As someone who is about to sit for the GCIA exam, I will say that I found taking the WCNA exam to be much easier. While preparing for the WCNA requires an attention to detail, for the GCIA you really need to be able to consider every field and bit value from layers 2 through 7, and many times by translating the hex output of tcpdump. The WCNA does provide a very good foundation for the GCIA, however. The cert is cool, but the knowledge is priceless.
Good my plan worked hehehe
(...that was to get you to reply since I know you are going for the GCIA and have the WCNA )
Don't get me wrong I don't think the WCNA knowledge will be enough or something. I just want a simple gauge. Especially since I have to challenge the GCIA exam (3k just isn't going to happen).
EDIT:
I am just curious (maybe I have asked you before, if so, sorry) but what would you say is the difference between the two (in terms of difficulty on a scale of 1 to 10)? I have heard some people say GCIA is impossible without the material. Others have said that it is doable if you are dedicated. I am pretty dedicated to being a security analyst and I have a stack of books, white papers plus more to purchase and compile. I finally have a decent lab machine (which is a moral victory). I think it is doable with the right amount of time. -
docrice Member Posts: 1,706
Bl8ckr0uter wrote: »Good my plan worked hehehe (...that was to get you to reply since I know you are going for the GCIA and have the WCNA )
Bl8ckr0uter wrote: »...what would you say is the difference between the two (in terms of difficulty on a scale of 1 to 10)? I have heard some people say GCIA is impossible without the material. Others have said that it is doable if you are dedicated. I am pretty dedicated to being a security analyst and I have a stack of books, white papers plus more to purchase and compile. I finally have a decent lab machine (which is a moral victory). I think it is doable with the right amount of time.
I think the GCIA is doable to challenge, but you need to be comfortable with tcpdump (both standard and hex outputs) and filtering syntax, know layer 3 and 4 fields very well (and their offsets), be able to translate hex to decimal, distinguish normal and evil protocol behavior, and know some Snort basics. There's more, but that's the bulk of it. The SEC-503 syllabus provides a good outline. Having the course material definitely helps, however, due to the amount of presented "battle-hardened" field-knowledge and personally I think if you're going to pay for a SANS course, this would be it. I kind of regret paying for the GSEC and GCFW (401 and 502), but I definitely got my money's worth here.
For me, the WCNA exam felt like, say, a 5, while the SEC-503 piled on more (and caused me a number of buffer overflows during my studies) so I'd say maybe 8. I just finished one of my GCIA practice exams and while I did reference printed materials a few times, if you aren't careful and your packet interpretation is off by even one hex value or byte offset, you're screwed. Sure, you can reference a packet header chart during the test, but better to just know it off the top of your head.
The WCNA naturally has some overlap with the GCIA, but more in terms of fundamental protocol knowledge. Personally, studying for the former did give me a good leg up for the 503 course. Otherwise, it would have felt more overwhelming as parts of 503 go by pretty fast and if you aren't already familiar with IP, it's a lot to digest.
-
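The hex-and-offset reading described in the post above, as an added example (not part of the thread or any poster's code): it decodes a `tcpdump -x` style dump by byte offset and shows how assuming a fixed 20-byte IP header misreads the TCP ports when the IP header carries options. The packet bytes and the function names are constructed for illustration.

```python
import struct

# Constructed sample in `tcpdump -x` layout (not a real capture): an IPv4
# header carrying 4 bytes of options (IHL = 6), followed by a TCP SYN.
SAMPLE_DUMP = """\
        0x0000:  4600 002c 1c46 4000 4006 996c c0a8 0001
        0x0010:  c0a8 00c7 0101 0100 c350 0050 1234 5678
        0x0020:  0000 0000 5002 faf0 0000 0000
"""
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def dump_to_bytes(dump):
    """Drop the 0xNNNN: offset column and join the hex words into bytes."""
    words = [ln.split(":", 1)[1] for ln in dump.splitlines() if ":" in ln]
    return bytes.fromhex("".join(words))

def header_sum(data):
    """16-bit one's-complement sum; 0xFFFF over an IP header = checksum OK."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ports_at(pkt, offset):
    """Read two 16-bit ports at a byte offset the caller chooses."""
    return struct.unpack("!HH", pkt[offset:offset + 4])

def decode(pkt):
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    ip_len = ihl * 4  # IHL counts 32-bit words; layer 4 starts at this offset
    out = {
        "ip_header_len": ip_len,
        "total_len": struct.unpack("!H", pkt[2:4])[0],
        "ttl": pkt[8],
        "protocol": pkt[9],
        "checksum_ok": header_sum(pkt[:ip_len]) == 0xFFFF,
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
    }
    if pkt[9] == 6 and len(pkt) >= ip_len + 16:  # TCP, fixed fields present
        sport, dport, seq, ack, off_flags, window = struct.unpack(
            "!HHIIHH", pkt[ip_len:ip_len + 16])
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                   tcp_header_len=(off_flags >> 12) * 4,
                   flags=[f for i, f in enumerate(TCP_FLAGS) if off_flags >> i & 1])
    return out

if __name__ == "__main__":
    pkt = dump_to_bytes(SAMPLE_DUMP)
    print(decode(pkt))
    print("ports if a 20-byte IP header is assumed:", ports_at(pkt, 20))
```

Reading the ports at offset 20 lands on the option bytes instead of the TCP header, which is the one-offset mistake the post warns about.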
brownwrap Member Posts: 549
Bl8ckr0uter wrote: »I plan to take this exam. Sometime in June or say (after I finish the elearnsecurity course).
What do you think of the course, and how much is it? -
Bl8ckr0uter Inactive Imported Users Posts: 5,031
brownwrap wrote: »What do you think of the course, and how much is it?
300. I literally started the class today. So far it is pretty basic but I am sure it will get better. -
SteveO86 Member Posts: 1,423
powerfool wrote: »also, I don't use WireShark for my job, but I do have experience with it.
If not Wireshark what are you using for Packet Capturing/Analysis TCPDump? What is the reason you don't prefer Wireshark for packet capture/analysis?
docrice wrote: »I learned new stuff, and that's a good book. It helped me become aware of some features within the tool and ways of utilizing it which I wasn't previously aware of and also provided stronger reinforcement of traffic protocol knowledge.
That is what I am expecting to get from this book, just more in depth knowledge and if I get the cert I get to put a few more letters on my resume.
Bl8ckr0uter wrote: »I basically decided to do it because for the aforementioned reasons and the fact that I don't want to be a networking pro without understanding of packet level analysis (at least at the CCNA level). Which isn't to say that those without the cert don't understand but I can say that most CCNAs I talk to don't. Hell a lot of the CCNPs I know don't either. I don't want to be like that. If there was no cert and only the book I would just read the book but since there is a cert, I should go for it for the sake of positive reinforcement right? Lol.
I am in full agreement with you on this. Literally I was thinking that word for word. Plus I've come across a handful of issues I have been able to resolve by looking at the packets, I figure if I get a better grasp of wireshark filters and understanding traffic flows a bit better, it will make me more proficient at my job.
Bl8ckr0uter wrote: »Do you plan on taking it? If so, when? There aren't many folks on here who have mentioned it so I'd like to get a little group going (if you would like).
I am really looking for a cert that will set me apart from the "normal Cisco guy". While I am not expecting the WCNA to do that, I am expecting the knowledge from this book to give me an edge as a networking professional.
With that said and hearing the feedback from everyone in this thread, I will probably pursue this cert. However I have no deadline yet, I'll probably end up purchasing the book within the next week or two and start from there.
How far along are you with your studies for the WCNA? I'd gladly join in with you, it will probably make studying for this a lot easier since we will be able to bounce ideas off each other. Once I purchase the book and get it in my hand I could send you a PM and we can start coordinating from there.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031
SteveO86 wrote: »If not Wireshark what are you using for Packet Capturing/Analysis TCPDump? What is the reason you don't prefer Wireshark for packet capture/analysis?
Wireshark has some security issues. http://www.wireshark.org/security/
SteveO86 wrote: »I am really looking for a cert that will set me apart from the "normal Cisco guy". While I am not expecting the WCNA to do that, I am expecting the knowledge from this book to give me an edge as a networking professional.
I think this is the correct mindset for this type of certification.
SteveO86 wrote: »With that said and hearing the feedback from everyone in this thread, I will probably pursue this cert. However I have no deadline yet, I'll probably end up purchasing the book within the next week or two and start from there. How far along are you with your studies for the WCNA? I'd gladly join in with you, it will probably make studying for this a lot easier since we will be able to bounce ideas off each other. Once I purchase the book and get it in my hand I could send you a PM and we can start coordinating from there.
Not too far. Several major projects came up at work and basically sapped up all of my time for the last few months. Like I said I plan to do it in June (before the end of my current school quarter) so maybe in the middle or towards the end. Setting something up would be awesome. -
powerfool Member Posts: 1,666
SteveO86 wrote: »If not Wireshark what are you using for Packet Capturing/Analysis TCPDump? What is the reason you don't prefer Wireshark for packet capture/analysis?
I use Observer from Network Instruments. Honestly, after using Observer, I do prefer it to WireShark, but WireShark is my #2 tool. We use Observer because nobody wants to accept the risk of using WireShark.
-
SteveO86 Member Posts: 1,423
Bl8ckr0uter wrote: »Wireshark has some security issues. Wireshark Security Advisories
I see. Interesting I wonder if it's more so a bug or someone crafting the packets to maliciously crash any using Wireshark?
Bl8ckr0uter wrote: »Not too far. Several major projects came up at work and basically sapped up all of my time for the last few months. Like I said I plan to do it in June (before the end of my current school quarter) so maybe in the middle or towards the end. Setting something up would be awesome.
Ok, good the last thing I want to do is hold you back or slow you down in your studies. I'm really surprised the book is so expensive, it's almost twice as much as Cisco Press and CWNP books.. Might have my employer buy it but this might be one of those books I want to keep for myself. (for reference purposes in the future)
powerfool wrote: »I use Observer from Network Instruments. Honestly, after using Observer, I do prefer it to WireShark, but WireShark is my #2 tool. We use Observer because nobody wants to accept the risk of using WireShark.
That looks fairly expensive. I'd probably never get my employer to buy that. After looking through their website it looks like an awesome program.
-
zerglings Member Posts: 295
NetScout (Network General) and OPNET ACE Live/Analyst (AppResponse and AppTransaction) are the ones I've used so far for analyzing trace. They are expensive appliances and their license is not cheap either. I rarely use Wireshark for anything other than capturing my own laptop and then transfer it to Infinistream Console. We do use Wireshark for rebuilding audio of VoIP streams and/or capturing traces from the user's laptop/desktop itself. However, with ACE Analyst, you can deploy remote capture agents if you know the username and password for the workstation. Unfortunately, we don't have username and password for every single workstation in our company so we still need help from local techs and/or desktop support techs in our campus buildings.
I am not sure how many companies out there that actually use Wireshark as a solution for gathering packet captures, but I would assume that they'll buy something like a CACE appliance which is based on Wireshark technology. Then again, I still don't know how many companies out there actually buy them though. I've met some Network Analysts out there that use an appliance from NetScout or OPNET for their infrastructure and some are big and some are small companies.
Life+