Wireshark Network Analysis
The Official Wireshark Certified Network Analyst (WCNA) Study Guide
Wireshark is the world's most popular network analyzer tool with over 1 million downloads per month. This book provides insider tips and tricks to spot performance issues fast - no more finger pointing because the packets never lie! From "Death by Database" to "Troubleshooting Time Syncing," 49 case studies offer insight into performance and security situations solved with Wireshark. Learn to customize Wireshark for faster and more accurate analysis of your network traffic. Build graphs to identify and expose issues such as packet loss, receiver congestion, slow server response, network queuing and more.
This book is the Official Study Guide for the WCNA Certification (formerly known as the Wireshark Certified Network Analyst certification). This Second Edition includes an introduction to IPv6, ICMPv6 and DHCPv6 analysis, updated Wireshark functionality and new trace files. Refer to the Preview Pages at right to view the index, table of contents and more.
View the What's Changed (PDF) document for a list of additions/changes in this Second Edition.
Who is this book for?
This book offers an ideal reference for information technologists responsible for key network tasks including:
- identifying poor network performance due to high path latency
- locating internetwork devices that drop packets
- validating optimal configuration of network hosts
- analyzing application functionality and dependencies
- optimizing application behavior for best performance
- knowing how TCP/IP networks function
- analyzing network capacity before application launch
- verifying application security during launch, log in and data transfer
- identifying unusual network traffic indicating potentially compromised hosts
- studying for the Wireshark Certified Network Analyst (WCNA) Exam - now called the "WCNA Certification Exam"
Book Supplements
Page Samples
Table of Contents/Index/Tips (Single Searchable PDF)
Looking at Link Aggregation Taps for Wireshark, Snort and Suricata traffic examination/capture
Using the new Filter Expression buttons to speed up troubleshooting and security analysis tasks
Creating a "butt-ugly" coloring rule to detect HTTP errors faster
Finding the most active conversations in a trace file
Examining a web browsing session startup on a dual-stack host (IPv4/IPv6)
Examining packet loss detected by a host sending data - RTO timeout
Detecting unusual packet formation that indicates Nmap is running against our host
Examining malicious traffic using a non-standard port number and forcing a decode on the traffic
Book Details
ISBN-10: 1-893939-94-4
ISBN-13: 978-1-893939-94-3
Paperback: 986 pages
Teaching Wireshark? Learn about the Student Manual version.
Go to Info for Educators.
Purchasing Options
This book is available through Amazon and any bookstore that orders through the Ingram Book Distribution system. New titles and editions may not be available through all global Amazon sites immediately.
Bulk purchases (over 50 books) can be ordered directly from Chappell University. For bulk purchases, please contact us.
Errata
As of Wireshark v3, you can now use dhcp as a display filter instead of bootp! Yay!
As of Wireshark v3, you can now use tls as a display filter instead of ssl. Both will work for a while, but if the traffic is TLS, use tls.
Last-minute changes to the Wireshark 1.8.0 (and later) File menu items: use File | Export Specified Packets and File | Export Packet Dissections in place of File | Save As. This change affects Figure 20, Figure 23, and pages 45, 188, 193, 316, 665, 692.
The File | Export options are now listed directly on the main File menu drop-down list. For example, rather than using File | Export | Objects | HTTP, you now use File | Export Objects | HTTP (one menu level was removed). This change affects pages 287, 289, 290, 311, 313, 320, 558, 574, 576, 860.
[Bug Fixed Now] Lab 10 and Wireshark Bug: In Lab 10 you are instructed to create File Sets. Unfortunately, we've found that the 32-bit version of Wireshark 1.10.x won't create more than a single file. You must use the 64-bit version of Wireshark 1.10.x or go back to 1.8.x. Unfortunately, this bug still shows up in the 32-bit version of Wireshark 1.11.3.
Legal Stuff
You agree to indemnify and hold Protocol Analysis Institute and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of your use of the included trace files, your violation of the TOS, or your violation of any rights of another.
NO COMMERCIAL REUSE
You may not reproduce, duplicate, copy, sell, trade, resell or exploit for any commercial purposes, any of the trace files available on this site.