Wireshark Class
I recently had the opportunity to attend a Wireshark class and wanted to share some of my observations. I scheduled the course for myself (IT Manager/Planner) and one of my Information Assurance Marines. I’ve never been formally trained on protocol analysis before, but after teaching networking for the last three years I understand the theoretical side of protocol interaction. I’ve used Wireshark before to solve a couple of simple network problems and built it into a Voice over IP (VoIP) class to verify Quality of Service markings. I was looking to get two main things out of the course: be able to use Wireshark to troubleshoot more efficiently, and see actual protocol interaction with explanation on the how and why.
The class was instructor-led training and I attended in person. The course was taught using the Wireshark University curriculum. We were provided a course textbook (which was really just given as a reference manual), a lab manual, and a bunch of .pcapng files covering several scenarios for each chapter in the curriculum. We were required to bring our own laptops with Wireshark installed. The course included a certification voucher, but unlike many other courses I have taken, we did not test on the final day. I wasn’t sure how I would like this when the course started, but in the end I was happy we had the additional time to learn Wireshark.
The instructor, Betty DuBois, was very good. Her quirks and relevant “Wireshark stories” kept the material fresh and the class interested to continue to learn more. The instructor used PowerPoint (Keynote), but I think the maximum number of slides we ever made it through before going back to Wireshark was two. When I used to teach networking, I would lecture off of PowerPoint for a couple of hours (BGP took a whopping six hours just for the basics) before we would turn to labs. That worked for me and it worked for networking, but I was really concerned how Wireshark would translate to this style. Thankfully, we never had to worry about that. The instructor smartly chose to use the slides as a quick jumping off into demo using Wireshark. I really responded well to this style. There are so many buttons and unusual terms, if we were not going back and forth from the slides to Wireshark, I would have been completely lost. I would conservatively estimate 20% of the time on slides, 80% of the time either being shown the content of the slides using Wireshark or working through labs. The instructor also used a tactic I have almost never seen, which is openly admitting to not being concerned with the certification. Students were given a couple of recommendations to prepare themselves (which I will cover later), but the focus was knowing Wireshark.
The course material was top notch. Not because the material is super professional looking, but because the content was just so technically relevant. It is refreshing to see the decision be made to spend your time and energy making sure your content is accurate and relevant. Not only was the content relevant, but the course was engineered so that when you leave you have Wireshark profiles setup and ready for use. The lab exercises are .pcapng files designed to reenforce the material learned from the chapter and are all clearly well thought-out.
The instructor recommended that if we wanted to take the cert, to purchase “Wireshark Certified Network Analyst Exam Preparation Guide (Second Edition)”. I went through this guide once and made myself a couple of flash cards (using MentalCase which is a great study program). This was easily enough to prepare for the exam. To be honest, the book is probably not absolutely necessary because the course really is that good. Out of the 100 questions on the certification exam, I felt like less than 10 were material I did not see in the class (and that could be high given I tend to forget things and my attention drifts… ohhhh a squirrel)… The one caveat is networking knowledge. If you do not really understand layer 2, 3, and 4 protocols quite well, the certification will be very challenging. I don’t think it is the instructor’s job to explain how ARP (or any other protocol Wireshark observes) behaves, but you, as a potential test taker, need to understand that you need to know more than just where you would click in Wireshark.