wsucertinfopk11Aug10[1]


  • 8/8/2019 wsucertinfopk11Aug10[1]


    Wireshark University

    Get Certified on the World's Foremost Network Protocol Analyzer

    8/11/2010

    Wireshark is ranked #1 in IT industry security tools in the SECTOOLS 2010 Top Tools Survey


    For more information visit www.wiresharktraining.com/certification 1[v100.1a 081110]

    Welcome to Wireshark University and the Wireshark Certified Network Analyst Program

    Wireshark (formerly Ethereal) has become the de facto industry standard open source product for network analysis, troubleshooting and security. Over 500,000 IT professionals worldwide download Wireshark each month. Wireshark has proven to be a necessary tool for locating the cause of network performance issues and identifying security breaches. In addition, Wireshark is used in worldwide multi-vendor training programs to visualize network communication processes.

    The Wireshark Certified Network Analyst Exam was designed to confirm individual competencies in using Wireshark to locate the cause of network problems (poor performance or security-related) and confirm your knowledge of TCP/IP network communications in general.

    The Exam is based on the thirty-three areas of study defined in the Exam Focus and Content section of this document. The four primary areas covered in this Exam are:

    Wireshark Functionality

    TCP/IP Network Communications

    Network Troubleshooting

    Network Security

    Register for the Wireshark Certified Network Analyst Exam at www.webassessor.com/pai.


    Contents

    Exam Overview
    Exam Pricing
    Pass/Fail Grading
    Question Formats
    Test Retake Procedure
    Exam Registration
    Taking Your Proctored Exam
    Acceptable Forms of Identification
    Closed Book Policy
    Cancellation/Rescheduling Details
    Cancellation/Rescheduling within 72 Hours of Your Exam Appointment
    In Case of Test Problems or Questions
    Certification Maintenance and Expiration

    Frequently Asked Questions (FAQ)
        Can I keep my belongings with me during the test session?
        May I bring food or drinks into the testing room?
        How do I register for the Wireshark Certified Network Analyst Exam?
        Can I take the Exam at the same time I register?
        How long does the Exam take?
        Is the Exam in English only?
        Where can I take the Exam?
        What do I get when I pass my Exam?
        How long is my certification valid?
        What are the Continuing Professional Education (CPE) requirements?
        How do I take the Practice Exam?
        How do I prepare for the certification exam?
        Should I register for the Exam before attending a Wireshark class?
        How does the Wireshark Certified Network Analyst designation compare to other IT industry certifications?
        Who created this Certification?
        Will this certification help my job prospects/career advancement?

    Exam Preparation
        Online Self-Paced Training
            Core 1: Analyzing TCP/IP Networks with Wireshark
            Core 2: Troubleshooting and Securing TCP/IP Networks with Wireshark
            All Access Pass Membership
        Instructor-Led Training Partners
        Books
        Customized Onsite and Online Training

    Wireshark Certified Network Analyst Exam Objectives (Test WCNA100.1)


    Exam Overview

    Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the knowledge required to capture network traffic, analyze the results and identify various anomalies related to performance or security issues.

    To earn the Wireshark Certified Network Analyst status, you must pass a single Exam, the WCNA-100x Exam, and obtain twenty (20) CPE credits each year of your certification.

    The Wireshark Certified Network Analyst Exam is available at hundreds of testing centers around the world. You can take your Exam at a KRYTERION High-stake Online Secure Testing (HOST) location. Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. [1]

    The Wireshark Certified Network Analyst Exam is a closed-book Exam consisting of 100 questions. The Exam time limit is 2 hours (120 minutes).

    Exam Pricing

    The Wireshark Certified Network Analyst Exam cost is USD 299. The Wireshark Certified Network Analyst Exam Practice Exam (online) cost is USD 29.

    Pass/Fail Grading

    The Wireshark Certified Network Analyst Exam is graded on a pass/fail basis. Passing scores are set by using statistical analysis. At the completion of the Exam, Candidates receive a score report along with a score breakout by Exam section.

    Question Formats

    There are two forms of questions in the Wireshark Certified Network Analyst Exam: true/false and multiple choice. Only one answer is correct for each multiple choice question. Many questions include images of Wireshark graphs or packet details.

    Test Retake Procedure

    If you fail the Exam, you must wait five (5) business days before retaking the Exam. You must purchase another Test Taker Authorization Code at www.webassessor.com/pai. Only three (3) Exams with the same Exam identification number may be taken per calendar year.

    [1] PAI represents the Protocol Analysis Institute, the parent company of Wireshark University and Chappell University.


    Exam Registration

    Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai. Step-by-step Exam Registration instructions are available at www.wiresharktraining.com/certification.

    Taking Your Proctored Exam

    Once your registration and scheduling are complete, you will receive an email confirmation which includes the details of your registration including your Test Taker Authorization Code. The email also includes the HOST location address and the date and time of your test session. This email is the only receipt you will receive from Kryterion.

    You are required to bring two forms of identification with you to the HOST location, which your proctor verifies and records. In addition, you must bring your Test Taker Authorization Code which you received in your registration confirmation email.

    The proctor will hand you a document to read in the waiting room while they load your Exam in the testing area. The testing center document prepares you for your Exam session.

    Once your Exam has loaded, your proctor will show you where the restrooms are, store your personal belongings in a secure compartment and answer any Exam session questions you may have. You may then begin your Exam. The Exam engine provides you with detailed instructions on how to take the Exam and guides you through each step of the Exam process.

    You have two hours (120 minutes) to complete the Wireshark Certified Network Analyst Exam. You may review your answers before submitting your Exam. Unanswered questions are graded as incorrect. When finished, you are prompted to notify your proctor that you have completed the Exam. The proctor will then close your Exam session. You will receive your pass/fail notification upon completion of the Exam.

    Acceptable Forms of Identification

    Acceptable forms of photo ID include: government-issued driver's license or ID card, passport, military identification, an employee identification card or a student picture ID from an accredited college or university. The following forms of non-photo ID are acceptable: credit card, check cashing card or a bank debit card. A social security card is not an acceptable form of identification.

    Closed Book Policy

    The Wireshark Certified Network Analyst Exam is closed book format. No Internet access or open computer (other than the Exam system) is allowed during the Exam. Candidates may not access any printed materials or electronic devices such as extra computers or USB flash drives.

    Cancellation/Rescheduling Details

    If you need to reschedule your Exam appointment, you may do so more than 72 hours before your Exam appointment. Log into your KRYTERION account at www.webassessor.com/pai and click on View Schedule Details and the Reschedule button. IMPORTANT: Read the next section regarding cancellation and rescheduling within 72 hours of your Exam appointment.


    Cancellation/Rescheduling within 72 Hours of Your Exam Appointment

    If you wish to cancel or reschedule your Exam within 72 hours of your appointment, please call the PAI Customer Support line at +1 408-378-7841. Do not attempt to contact Kryterion or the testing center directly. You will be charged a $175 seating fee if you reschedule or cancel your Exam appointment within 72 hours of your Exam appointment or do not show for your Exam appointment.

    In Case of Test Problems or Questions

    Please first review the FAQ section of this document. If you have additional questions regarding the certification process, your certification status or the Kryterion testing engine, contact Wireshark University at [email protected] or call +1 408-378-7841.

    Certification Maintenance and Expiration

    Your Wireshark Certified Network Analyst status is valid for three (3) years from the date of successful Exam completion. Twenty (20) Continuing Professional Education (CPE) credits are required yearly to maintain your certification in good standing. CPE credits must be obtained in the area of (a) network communications, (b) troubleshooting, (c) network testing/optimization or (d) network security. For more information on obtaining and reporting CPE credits, refer to www.wiresharktraining.com/certification.


    Frequently Asked Questions (FAQ)

    Can I keep my belongings with me during the test session?

    Your personal items may not be accessed during the test session. Personal items include: bags, wallets, purses, briefcases, watches, books, beepers, cell phones, electronic organizers and calculators. You should, however, keep your identification with you at all times.

    May I bring food or drinks into the testing room?

    No. Tobacco products, food, drink and chewing gum are not allowed in the testing area.

    How do I register for the Wireshark Certified Network Analyst Exam?

    Step-by-step Exam Registration instructions are available at www.wiresharktraining.com/certification.

    Can I take the Exam at the same time I register?

    Not the proctored Exam: the earliest you can schedule your Exam is 72 hours before your desired Exam date/time. Registrants can take the unproctored Practice Exam immediately following registration.

    How long does the Exam take?

    Candidates are provided two hours (120 minutes) to complete the Exam. An Exam timer indicates the remaining Exam time. A question counter indicates the number of questions answered and total number of questions in the Exam. A Review Test option allows you to mark questions for review and revisit all questions and answers in the Exam. You may skip questions during the Exam, but it is recommended you complete each question before submitting your Exam for grading. Unanswered questions are marked incorrect. The Practice Exam also includes a two hour (120 minutes) time limit.

    Is the Exam in English only?

    Currently the Exam and Practice Exam are only available in English.

    Where can I take the Exam?

    The Wireshark Certified Network Analyst Exam is delivered by Kryterion, Inc. Kryterion has hundreds of testing centers around the world. Visit www.kryteriononline.com/host_locations/ to locate a Kryterion High-stake Online Secure Testing (HOST) location near you.

    What do I get when I pass my Exam?

    Within fifteen (15) business days of successful completion of the Exam, Wireshark University will send your Wireshark Certified Network Analyst Welcome Kit. The Welcome Kit includes your Certificate, Certification ID Number, valid certification date details and additional information regarding your certification maintenance, CPE credits and information regarding access to and usage of the Wireshark Certified Network Analyst logo.


    How long is my certification valid?

    Wireshark Certified Network Analyst status is valid for three (3) years from the date of successful Exam completion. During that three (3) year period, you must retain your Wireshark Certified Network Analyst certification in good standing by obtaining twenty (20) CPE credits yearly.

    What are the Continuing Professional Education (CPE) requirements?

    Twenty (20) CPE credits will be required to maintain your certification in good standing by ensuring you are staying current with network analysis practices and technologies. CPE credits must be obtained in the areas of:

    (a) network communications
    (b) network troubleshooting
    (c) network testing/optimization
    (d) network security

    CPE credit information must be submitted to Wireshark University on an annual basis. For further information on acceptable CPE options and to submit your CPE information, visit www.wiresharktraining.com/cpe.

    How do I take the Practice Exam?

    Register for the Practice Exam just as you register for the final Exam. Your Practice Exam is available for you to take as soon as you have completed the registration process at www.webassessor.com/pai. Locate the Launch button for your Exam on your Webassessor home page. If you need to stop your Practice Exam for some reason, you may do so simply by closing the Practice Exam window. Any questions you have already answered have been saved for you. If the Practice Exam was interrupted due to technical issues, you may re-launch the Practice Exam by logging into your Webassessor home page and clicking the Launch button. The Practice Exam will resume at the first unanswered question. You have two hours (120 minutes) of active time to complete the Practice Exam.

    How do I prepare for the certification exam?

    You can prepare for the Wireshark Certified Network Analyst Exam using self-paced, instructor-led or on-the-job study. Refer to Exam Preparation on page 9 for more details.

    Should I register for the Exam before attending a Wireshark class?

    Most students wait until after taking their Wireshark training courses to register for the Exam. You should only schedule your Exam after you feel comfortable with the subject material.


    How does the Wireshark Certified Network Analyst designation compare to other IT industry certifications?

    The Wireshark Certified Network Analyst designation is focused on not only Wireshark, but also key TCP/IP communications areas that can be investigated when troubleshooting or securing a network. The Wireshark Certified Network Analyst designation will identify you as an IT professional who is keeping up with current techniques and the world's most popular network analyzer tool. The Wireshark Certified Network Analyst designation is an ideal complement to the CISSP, CCIE, CNP, Network+ and Security+ certifications.

    Who created this Certification?

    Wireshark University was co-founded by Gerald Combs (creator of Wireshark) and Laura Chappell, world-renowned network analyst, in 2007. One element of Wireshark University is the Wireshark Certified Network Analyst designation. Topics included in the Exam come from the thirty-three areas of study for network analysts (see Wireshark Certified Network Analyst Exam Objectives on page 11).

    Will this certification help my job prospects/career advancement?

    If you want to attain a competitive edge and help improve employability and earning potential, obtaining your Wireshark Certified Network Analyst designation can help position you in the job market. Wireshark's increasing popularity (with over 500,000 downloads per month) and leading role as the in-house de facto tool for troubleshooting and security increases the value of this certification immensely.


    Exam Preparation

    The Wireshark Certified Network Analyst Exam focuses on TCP/IP communications analysis, methods for using Wireshark to identify the cause of network problems, and the evidence that a network is under reconnaissance or a host has been breached. Consider the following options for Exam preparation.

    Online Self-Paced Training

    Core 1: Analyzing TCP/IP Networks with Wireshark

    In this self-paced course, students discover effective Wireshark operations and packet-level TCP/IP communications by examining both properly-performing and poorly-performing networks as they prepare for the Wireshark Certified Network Analyst Exam. The Core 1 course is available online at www.chappellU.com and is included in the All Access Pass listed below. [25 sections, 46 labs, approximately 22 hours of online training]

    Core 2: Troubleshooting and Securing TCP/IP Networks with Wireshark

    In this self-paced course, students gain the skills required to effectively troubleshoot and secure a TCP/IP network by analyzing network traffic with Wireshark as they prepare for the Wireshark Certified Network Analyst Exam. Students learn techniques to analyze traffic on poorly performing TCP/IP networks and identify reconnaissance processes on the network as well as indicators that a host is compromised. The Core 2 course is available online at www.chappellU.com and is included in the All Access Pass listed below. [19 sections, 53 labs, approximately 25 hours of online training]

    All Access Pass Membership

    The All Access Pass (AAP) training membership provides access to Core 1, Core 2, Wireshark Certification Study Sessions, live online training events and additional online training in the areas of network analysis, troubleshooting, optimization and security. Visit www.chappellU.com to view the contents of the All Access Pass.

    Instructor-Led Training Partners

    For an updated list of Wireshark University Certified Training Partners, visit www.wiresharktraining.com/iltpartners.

    Global Knowledge - North America - www.globalknowledge.com
    Global Knowledge is the worldwide leader in IT and business training. Global Knowledge delivers training via training centers, private facilities, and the Internet, enabling customers to choose when, where, and how they want to receive training programs and learning services.

    SCOS Software bv - Europe - www.scos.nl
    Polarisavenue 53
    2132 JH Hoofddorp
    The Netherlands
    Email: [email protected]
    Phone: 0031 (0)23 568 5615
    Fax: 0031 (0)23 562 1072


    Procyon Networks bv - Europe - www.procyon.nl
    Anna Blamanstraat 8
    5803 AW Venray
    The Netherlands
    Phone: 0031 (0)478 568 568
    Fax: 0031 (0)478 568 553

    Books

    Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
    This comprehensive book covers all thirty-three areas of study for the Wireshark Certified Network Analyst Exam while providing numerous case studies, tips and tricks for using Wireshark efficiently to troubleshoot and secure networks.
    ISBN10: 1-893939-99-5
    ISBN13: 978-1-893939-99-8
    Paperback: 800 pages
    Book URL: www.wiresharkbook.com

    Wireshark Certified Network Analyst: Official Exam Prep Guide
    This book provides 300+ practice quiz questions based on the thirty-three areas of study defined for the Wireshark Certified Network Analyst Exam and includes timed and untimed quizzes on the accompanying CD. This Official Exam Prep Guide offers a companion to Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide.
    10-digit ISBN: 1-893939-98-7
    13-digit ISBN: 978-1-893939-98-1
    Paperback: 202 pages (includes CD)
    Book URL: www.wiresharkbook.com/epg

    Customized Onsite and Online Training

    Wireshark University
    www.wiresharktraining.com
    Wireshark University was founded in 2007 to provide training on Wireshark for troubleshooting, security and optimization. Customized onsite courses can be arranged to train multiple students at one time at your location or via the Internet for a geographically dispersed student base. Courses can be customized based on your network details and design. For more information on customized onsite courses, [email protected] or call +1 408-378-7841.


    Wireshark Certified Network Analyst Exam Objectives (Test WCNA100.1)

    The Wireshark Certified Network Analyst Exam is based on thirty-three areas of concentration.

    Section 1: Network Analysis Overview
        Define the Purpose of Network Analysis
        List Troubleshooting Tasks for the Network Analyst
        List Security Tasks for the Network Analyst
        List Optimization Tasks for the Network Analyst
        List Application Analysis Tasks for the Network Analyst
        Detail Security Issues Related to Network Analysis
        Define Legal Issues Related to Listening to Network Traffic
        Overcome the "Needle in a Haystack" Issue
        Review a Checklist of Analysis Tasks

    Section 2: Introduction to Wireshark
        Describe Wireshark's Purpose
        Know How to Obtain the Latest Version of Wireshark
        Compare Wireshark Release and Development Versions
        Report a Wireshark Bug or Submit an Enhancement
        Capture Packets on Wired or Wireless Networks
        Open Various Trace File Types
        Describe How Wireshark Processes Packets
        Define the Elements of the Start Page
        Identify the Nine GUI Elements
        Navigate Wireshark's Main Menu
        Use the Main Toolbar for Efficiency
        Focus Faster with the Filter Toolbar
        Make the Wireless Toolbar Visible
        Access Options through Right-Click Functionality
        Define the Functions of the Menus and Toolbars

    Section 3: Capture Traffic
        Know Where to Tap into the Network
        Know When to Run Wireshark Locally
        Capture Traffic on Switched Networks
        Use a Test Access Port (TAP) on Full-Duplex Networks
        Define When to Set up Port Spanning/Port Mirroring on a Switch
        Analyze Routed Networks
        Analyze Wireless Networks
        Define Options for Capturing at Two Locations Simultaneously
        Identify the Most Appropriate Capture Interface


        Capture Traffic Remotely
        Automatically Save Packets to One or More Files
        Optimize Wireshark to Avoid Dropping Packets
        Conserve Memory with Command-Line Capture

    Section 4: Create and Apply Capture Filters
        Describe the Purpose of Capture Filters
        Build Your Own Set of Capture Filters
        Filter by a Protocol
        Create MAC/IP Address or Host Name Capture Filters
        Capture One Application's Traffic Only
        Use Operators to Combine Capture Filters
        Create Capture Filters to Look for Byte Values
        Manually Edit the Capture Filters File
        Share Capture Filters with Others

    Section 5: Define Global and Personal Preferences
        Find Your Configuration Folders
        Set Global and Personal Configurations
        Customize Your User Interface Settings
        Define Your Capture Preferences
        Define How Wireshark Automatically Resolves IP/MAC Names
        Configure Statistics Settings
        Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
        Configure Protocol Settings with Right-Click

    Section 6: Colorize Traffic
        Use Colors to Separate Traffic
        Share and Manage Coloring Rules
        Identify Why a Packet is a Certain Color
        Color Conversations to Distinguish Them
        Temporarily Mark Packets of Interest
        Alter Stream Reassembly Coloring

    Section 7: Define Time Values and Interpret Summaries
        Use Time to Identify Network Problems
        Define How Wireshark Measures Packet Time
        Choose the Ideal Time Display Format
        Deal with Time Accuracy and Resolution Issues
        Identify Delays with Time Values
        Create Additional Time Columns
        Measure Packet Arrival Times Using a Time Reference
        Identify Client, Server and Path Issues
        View a Summary of Traffic Rates, Packet Sizes, and Bytes Transferred


    Section 8: Interpret Basic Trace File Statistics
        Launch Wireshark Statistics
        Identify Network Protocols and Applications
        Identify the Most Active Conversations
        List Endpoints and Map them on the Earth
        List Conversations or Endpoints for Specific Traffic Types
        Evaluate Packet Lengths
        List All IP Addresses in the Traffic
        List All Destinations in the Traffic
        List All UDP and TCP Ports Used
        Analyze UDP Multicast Streams
        Graphic Flow of Traffic
        Gather Your HTTP Statistics
        Examine All WLAN Statistics

    Section 9: Create and Apply Display Filters
        Define the Purpose of Display Filters
        Create Display Filters Using Auto-Complete
        Apply Saved Display Filters
        Use the Expressions Filter System
        Make Display Filters Quickly Using Right-Click Filtering
        Define Display Filter Syntax
        Combine Display Filters with Comparison Operators
        Alter Display Filter Meaning with Parentheses
        Filter on Specific Bytes in a Packet
        Use Display Filter Macros for Complex Filtering
        Avoid Common Display Filter Mistakes
        Manually Edit the dfilters File

    Section 10: Follow Streams and Reassemble Data
        Follow and Reassemble UDP Conversations
        Follow and Reassemble TCP Conversations
        Identify Common File Types
        Follow and Reassemble SSL Conversations

    Section 11: Customize Wireshark Profiles
        Define the Purpose of Wireshark Profiles
        Share Profiles
        Create a Corporate Profile
        Create a WLAN Profile
        Create a VoIP Profile
        Create a Security Profile


    Section 12: Save, Export and Print Packets
        Save Filtered, Marked and Ranges of Packets
        Export Packet Contents for Use in Other Programs
        Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
        Export Packet Bytes

    Section 13: Use Wireshark's Expert System
        Launch Expert Info Quickly
        Colorize Expert Info Elements
        Filter on TCP Expert Information Elements
        Define TCP Expert Information

    Section 14: TCP/IP Analysis Overview
        Define Basic TCP/IP Functionality
        Define the Multistep Resolution Process
        Define Port Number Resolution
        Define Network Name Resolution
        Define Route Resolution for a Local Target
        Define Local MAC Address Resolution for a Target
        Define Route Resolution for a Remote Target
        Define Local MAC Address Resolution for a Gateway

    Section 15: Analyze Domain Name System (DNS) Traffic
        Define the Purpose of DNS
        Analyze Normal DNS Queries/Responses
        Analyze DNS Problems
        Dissect the DNS Packet Structure
        Filter on DNS Traffic

    Section 16: Analyze Address Resolution Protocol (ARP) Traffic
        Define the Purpose of ARP Traffic
        Analyze Normal ARP Requests/Responses
        Analyze Gratuitous ARP
        Analyze ARP Problems
        Dissect the ARP Packet Structure
        Filter on ARP Traffic

    Section 17: Analyze Internet Protocol (IPv4) Traffic
        Define the Purpose of IPv4
        Analyze Normal IPv4 Traffic
        Analyze IPv4 Problems
        Dissect the IPv4 Packet Structure
        Set Your IP Protocol Preferences
        Filter on IPv4 Traffic


    Section18:AnalyzeInternetControlMessageProtocol(ICMP)Traffic

    DefinethePurposeofICMP

    AnalyzeNormalICMPTraffic

    AnalyzeICMPProblems

    DissecttheICMPPacketStructure

    Filteron

    ICMP

    Traffic

    Section19:AnalyzeUserDatagramProtocol(UDP)Traffic

    DefinethePurposeofUDP

    AnalyzeNormalUDPTraffic

    AnalyzeUDPProblems

    DissecttheUDPPacketStructure

    FilteronUDPTraffic

    Section 20: Analyze Transmission Control Protocol (TCP) Traffic

    Define the Purpose of TCP

    Analyze Normal TCP Communications

    Define the Establishment of TCP Connections

    Define How TCP-based Services are Refused

    Track TCP Packet Sequencing

    Define TCP Flow Control

    Define How TCP Recovers from Packet Loss

    Improve Packet Loss Recovery with Selective Acknowledgments

    Analyze TCP Problems

    Dissect the TCP Packet Structure

    Filter on TCP Traffic

    Set TCP Protocol Parameters

    Section 21: Graph IO Rates and TCP Trends

    Use Graphs to View Trends

    Generate Basic I/O Graphs

    Filter I/O Graphs

    Generate Advanced I/O Graphs

    Compare Traffic Trends in I/O Graphs

    Graph Round Trip Time

    Graph Throughput Rates

    Graph TCP Sequence Numbers over Time

    Interpret TCP Window Size Issues

    Interpret Packet Loss, Duplicate ACKs and Retransmissions

    Section 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic

    Define the Purpose of DHCP

    Analyze Normal DHCP Traffic

    Analyze DHCP Problems

    Dissect the DHCP Packet Structure

    Filter on DHCP Traffic

    Display BOOTP-DHCP Statistics

    Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic

    Define the Purpose of HTTP

    Analyze Normal HTTP Communications

    Analyze HTTP Problems

    Dissect HTTP Packet Structures

    Filter on HTTP or HTTPS Traffic

    Export HTTP Objects

    Display HTTP Statistics

    Graph HTTP Traffic Flows

    Set HTTP Preferences

    Analyze HTTPS Communications

    Decrypt HTTPS Traffic

    Section 24: Analyze File Transfer Protocol (FTP) Traffic

    Define the Purpose of FTP

    Analyze Normal FTP Communications

    Analyze FTP Problems

    Dissect the FTP Packet Structure

    Filter on FTP Traffic

    Reassemble FTP Traffic

    Section 25: Analyze Email Traffic

    Define the Purpose of POP

    Analyze Normal POP Communications

    Analyze POP Problems

    Dissect the POP Packet Structure

    Filter on POP Traffic

    Define the Purpose of SMTP

    Analyze Normal SMTP Communication

    Analyze SMTP Problems

    Dissect the SMTP Packet Structure

    Filter on SMTP Traffic

    Section 26: Introduction to 802.11 (WLAN) Analysis

    Analyze Signal Strength and Interference

    Capture WLAN Traffic

    Compare Monitor Mode and Promiscuous Mode

    Setup WLAN Decryption

    Apply a Radiotap or PPI Header

    Compare Signal Strength and Signal-to-Noise Ratios

    Describe 802.11 Traffic Basics

    Analyze Normal 802.11 Communications

    Filter on WLAN Traffic

    Analyze Frame Control Types and Subtypes

    Section 27: Voice over IP (VoIP) Analysis Fundamentals

    Define VoIP Traffic Flows

    Analyze VoIP Problems

    Analyze SIP and RTP Traffic

    Play Back VoIP Calls

    Create a VoIP Profile

    Filter on VoIP Traffic

    Section 28: Baseline Normal Traffic Patterns

    Define the Importance of Baselining

    Baseline Broadcast and Multicast Types and Rates

    Baseline Bootup Sequences

    Baseline Login/Logout Sequences

    Baseline Traffic During Idle Time

    Baseline Application Launch Sequences and Key Tasks

    Baseline Web Browsing Sessions

    Baseline Name Resolution Sessions

    Baseline Throughput Tests

    Baseline Wireless Connectivity

    Baseline VoIP Communications

    Section 29: Find the Top Causes of Performance Problems

    Troubleshoot Performance Problems

    Identify High Latency Times

    Point to Slow Processing Times

    Find the Location of Packet Loss

    Identify Signs of Misconfigurations

    Analyze Traffic Redirections

    Identify Small Payload Sizes

    Identify Congestion

    Identify Application Faults

    Identify Name Resolution Faults

    Section 30: Network Forensics Overview

    Compare Host Forensics to Network Forensics

    Gather Evidence

    Avoid Detection

    Handle Evidence

    Recognize Unusual Traffic Patterns

    Color Unusual Traffic Patterns

    Identify Complementary Forensic Tools

    Section 31: Detect Scanning and Discovery Processes

    Define the Purpose of Discovery and Reconnaissance

    Detect ARP Scans (aka ARP Sweeps)

    Detect ICMP Ping Sweeps

    Detect Various Types of TCP Port Scans

    Detect UDP Port Scans

    Detect IP Protocol Scans

    Define Idle Scans

    Identify ICMP Types and Codes

    Analyze Traceroute Path Discovery

    Detect Dynamic Router Discovery

    Define Application Mapping Processes

    Use Wireshark for Passive OS Fingerprinting

    Detect Active OS Fingerprinting

    Identify Spoofed Addresses and Scans

    Section 32: Analyze Suspect Traffic

    Describe Suspect Traffic

    Identify Vulnerabilities in the TCP/IP Resolution Processes

    Identify Unacceptable Traffic

    Find Maliciously Malformed Packets

    Identify Invalid or Dark Destination Addresses

    Differentiate between Flooding or Standard Denial of Service Traffic

    Find Clear Text Passwords and Data

    Identify Phone Home Behavior

    Catch Unusual Protocols and Applications

    Locate Route Redirection that Uses ICMP

    Catch ARP Poisoning

    Catch IP Fragmentation and Overwriting

    Identify TCP Splicing

    Watch Other Unusual TCP Traffic

    Identify Password Cracking Attempts

    Know Where to Look: Signature Locations

    Section 33: Effective Use of Command Line Tools

    Define the Purpose of Command Line Tools

    Use Wireshark.exe (Command Line Launch)

    Capture Traffic with Tshark

    List Trace File Details with Capinfos

    Edit Trace Files with Editcap

    Merge Trace Files with Mergecap

    Convert Text with Text2pcap

    Capture Traffic with Dumpcap

    Define Rawshark

    For more information on the Wireshark Certified Network Analyst Exam, please visit www.wiresharktraining.com/certification or contact us directly.

    Wireshark [email protected]

    5339 Prospect Road, #343
    San Jose, CA 95129
    USA

    Phone: +1 408-378-7841
    Fax: +1 408-387-7891