Wednesday, July 21, 2010

Wireshark Exam Prep Guide in Final Editing!

Yes - this blog has been quiet for a bit - I've been putting in an unreal amount of
time prepping the Wireshark Certified Network Analyst Exam and the new
Wireshark Certified Network Analyst Official Exam Prep Guide (shown above).

After writing the Wireshark Network Analysis: Official Wireshark Certified Network
Analyst Study Guide, we had talked about building a prep guide to provide a feel
for the questions on the Exam.

The result is a 202-page Exam Prep Guide that covers over 300 questions in the
book and over 300 questions in both timed and untimed exam format on the
accompanying CD.

The Exam is about ready to release - both the Exam and Exam Prep Guide
should be announced on the same day (get ready). Measure and validate your
analysis skills using the Exam Prep Guide and taking the Wireshark Certified
Network Analyst Exam!

Are you ready? Check out the Exam Prep questions below:

The MAC name resolution process resolves the first 3 bytes of the
MAC address to the OUI value contained in Wireshark’s manuf file.

__ True
__ False

The first two packets of a single TCP handshake process can be
used to determine the long term average round trip latency time
between hosts.

__ True
__ False

The display filter tcp.analysis.flags shows all packets that
have the TCP Reset bit set to 1.

__ True
__ False

ICMP Destination Unreachable messages sent in response to an
FTP connection attempt indicate the FTP port is likely firewalled.

__ True
__ False

Which TCP setting must be enabled in order to use the
tcp.analysis.flags display filter?

__ A. Try Heuristic Subdissectors First
__ B. Analyze TCP Sequence Numbers
__ C. Allow Subdissector to Reassemble TCP Streams
__ D. Window Scaling and Relative Sequence Numbers

Which Calc value is best suited to graphing the IO rate using
__ A. SUM(*)
__ B. MIN(*)
__ C. LOAD(*)
__ D. MAX(*)

Answers: True (that's the purpose of the manuf file), False (you need more than
just a single SYN, SYN/ACK to figure out the long-term average RTT), False (this
filter shows packets marked as retransmissions, window zero, checksum errors,
etc. - not TCP reset packets), True (if the port were open, we'd see a SYN/ACK, if it
were closed we'd see a RST - an ICMP response indicates a likely firewall
fantastic Wireshark display filter), A (you want to count up all the TCP data - not
just know the minimum or maximum values for the time period - the LOAD(*) is
used for time values).