Working with Protocol Analyzers and Related Certifications

Date: Aug 30, 2011 By Ed Tittel. Article is provided courtesy of Pearson IT Certification.
Ed Tittel, creator of the Exam Cram series, discusses the current network protocol analyzers that any real expert needs to know. Who exactly counts as an "expert"? Ed also sorts out which of the many available certifications are really useful in identifying true masters of protocol analysis.

Protocol analysis involves examining the traffic traversing some particular network medium (cable segment, broadcast domain, VLAN, and so forth) to determine exactly what kinds of packets are in motion at any given moment. The right tools—primarily software, though certain standalone devices also provide packet traces—enable informed users to characterize network traffic, perform security checks, capture attack signatures, and debug network communications. Still, you need to learn and know a lot about the protocols involved in network communication to make complete sense of what's happening, which is why protocol analysis is both a difficult subject to master and a valuable skill to possess. Read on to learn more about available tools and related IT certifications in this exciting technical specialty.

When I wrote the article "Understanding Protocol Analysis" in March 2003, the landscape of available tools and certifications was very different than it is today. The summary of the field in that article remains entirely relevant and accurate, though some of the pricing information has changed. There's still a strong emphasis on networking fundamentals, and an equally strong need to understand and master the packet formats and layouts for TCP/IP protocols from the data-link layer, such as point-to-point protocol (PPP) and point-to-point protocol over Ethernet (PPPoE), all the way up to the application layer (for example, for well-known services such as email, file transfer, name resolution, and so forth). And certainly it's essential to understand the key network and transport layer protocols—such as IP, TCP, and UDP—fully and completely. (For more information on the general background for this subject matter, refer to the opening section of that earlier story.)

Protocol Analysis Certifications Circa 2011

Table 1 lists the certifications that are specific to protocol analysis. (For a more general look at the certs that include protocol analysis in their coverage, see Table 1 in the earlier story.)

Table 1: Certifications Specific to Protocol Analysis

| Vendor or Organization | Title (Abbreviation) | Description |
|---|---|---|
| AirMagnet | AirMagnet WiFi Analyzer Certified Professional | Certified to use AirMagnet WiFi Analyzer to plan, troubleshoot, and maintain wireless networks |
| AirMagnet | AirMagnet Survey Certified Professional | Certified to use AirMagnet Survey (or the Professional version) to survey wireless network devices, security, and configurations |
| NetScout | nGenius Certified Analyst (nCA) | Current incarnation of the base-level Sniffer protocol analysis cert |
| NetScout | nGenius Certified Expert (nCE) | Advanced protocol analysis certification |
| NetScout | nGenius Certified Master (nCM) | SME-level certification for network and application troubleshooting |
| Wireshark University | Wireshark Certified Network Analyst | Base-level protocol analysis certification built around the freeware Wireshark Network Protocol Analyzer |

Please note that the landscape has altered significantly since 2003, including the departure of the NetAnalyst program (though its chief architect and developer indicates that NetAnalyst may be restarted by mid-2012) and the retirement of the various WildPackets credentials (AATech, PAS, and NAX, as documented in the earlier story). WildPackets still offers instructor-led and online versions of its product training classes, however. On the other hand, the AirMagnet entries in Table 1 are new additions to the protocol-analysis certification fold, with a particular focus on wireless network communications.

Protocol Analysis Certs, Revisited and Reimagined

The biggest change to the landscape has been the switchover from Ethereal, the former leading freeware protocol analyzer, to Wireshark, its current reigning replacement. Wireshark has an entirely creditable certification program, supported with classroom and online training.

Though the various nGenius successors to the Sniffer program are also great credentials, they require access to and knowledge of the NetScout products, whereas Wireshark will run on any Windows PC for which a suitable network driver is available. Some form of the Windows promiscuous-mode capture (WinPcap) driver is needed to enable Wireshark to do its packet-capture thing. NetScout is touting this new program as a replacement for and successor to the Sniffer Certified Professional (SCP) program, offering discounted upgrade paths to holders of Sniffer credentials, as well as entry-level training and certification and its own certification ladder for nGenius users who lack prior Sniffer credentials.

Finally, the AirMagnet certifications are likely to be of interest to anyone who uses those products for wireless network survey, analysis, and troubleshooting tasks. Interestingly, both Wireshark and the AirMagnet products use the AirPcap driver to capture protocol traces from wireless network traffic. With wireless communications occupying an increasingly important portion of general networking, familiarity with wireless protocols and related topics (survey, security, monitoring, and analysis) is likewise moving to center stage for those interested in protocol analysis work.

Lots of Tools, Lots of Choices

As a quick look at the Wikipedia article "Comparison of packet analyzers" will attest, many more protocol analysis tools exist than do certifications to support them. As of this writing, the table lists 26 tools, but only 14 of those are free and widely available to the general population. The granddaddy of them all, the venerable tcpdump, is still being maintained, and remains widely used worldwide. Six commercial products are listed, including some of the underlying NetScout products that support the nGenius certifications.

Outside the three toolsets that support protocol analysis certifications, lots of options are available for interested IT professionals to consider or try. Most of the commercial products (at least those that remain commercially available today) are also subjects for professional training courses—mostly in the classroom, but some in online or self-paced forms as well. You can look for books on some of these tools, both free and commercial, and find a surprising number of offerings available in the aftermarket as well.

Bottom Line: Protocol Analysis Is Good for Professional Development

It's inarguable that a working knowledge of protocol analysis extends the depth and reach of any IT professional's networking knowledge. It also provides a powerful and useful toolbox for troubleshooting network issues or difficulties, with the ability to gather evidence (protocol traces) to document errors, bugs, and a whole host of problems that can bedevil and occasionally even stymie network communications. Anybody who works with networks can benefit from some basic knowledge of this subject. Anyone who wants to be recognized as a bona fide networking expert must go beyond the basics of protocol analysis to take a deep dive into this topic. That's where the certifications covered in this article can be relevant, and they can add value and cachet to any serious networking professional's career development and job options. Be sure to check them out!

Ed Tittel is a long-time networking professional who's best known for creating the Exam Cram series of IT certification preparation books. He also blogs on enterprise Windows desktop and IT career development topics for TechTarget, and for PearsonITCertification.com. His upcoming revision to his college TCP/IP textbook (written with Laura Chappell) is also built around the Wireshark protocol analyzer.