Wireshark Network Analysis
The Official Wireshark Certified Network Analyst Study Guide

Wireshark is the world's most popular network analyzer tool with over 500,000 downloads per month. This book provides insider tips and tricks to spot performance issues fast - no more finger pointing because the packets never lie! From "Death by Database" to "Troubleshooting Time Syncing," 49 case studies offer insight into performance and security situations solved with Wireshark. Learn to customize Wireshark for faster and more accurate analysis of your network traffic. Build graphs to identify and expose issues such as packet loss, receiver congestion, slow server response, network queuing and more.

This book is the Official Study Guide for the Wireshark Certified Network Analyst program. This Second Edition includes an introduction to IPv6, ICMPv6 and DHCPv6 analysis, updated Wireshark functionality and new trace files. Refer to the Preview Pages at right to view the index, table of contents and more.

Download the What's Changed (PDF) document for a list of additions/changes in this Second Edition.

Who is this Book For?

This book offers an ideal reference for information technologists responsible for key network tasks including:

- identify poor network performance due to high path latency
- locate internetwork devices that drop packets
- validate optimal configuration of network hosts
- analyze application functionality and dependencies
- optimize application behavior for best performance
- learn how TCP/IP networks function
- analyze network capacity before application launch
- verify application security during launch, log in and data transfer
- identify unusual network traffic indicating potentially compromised hosts
- study for the Wireshark Certified Network Analyst Exam

Book Details

Author: Laura Chappell, Founder of Wireshark University
Foreword: Gerald Combs, Creator of Wireshark
Contributors: Numerous
Cover Art: Scott Spicer, Nyetitall
Paperback: 986 pages
Publisher: Protocol Analysis Institute, dba “Chappell University”
Language: English
ISBN-10: 1-893939-94-4
ISBN-13: 978-1-893939-94-3
Product Dimensions: 7.44 x 9.69 inches
Shipping Weight: 4.0 pounds
Contact: info@wiresharkbook.com or +1 408-378-7841
Book/Exam Version: Version 2 (WCNA-102x Exam - available July 2012)
Exam Information: www.wiresharktraining.com/certification.html

Purchasing Options

Available on Amazon and any book seller that uses the Ingram Book Distribution System.

Bulk purchases (over 50 books) can be ordered directly from Chappell University. Email your bulk purchase quantity request to info@chappellU.com.


Last-minute changes to Wireshark 1.8.0 (and later) File menu item: use File | Export Specified Packets and File | Export Packet Dissections in place of File | Save As. This change affects Figure 20, Figure 23, and pages 45, 188, 193, 316, 665, 692.

The File | Export options are listed directly on the main File Menu drop down list. For example, rather than using File | Export | Objects | HTTP, you now use File | Export Objects | HTTP (one level was removed). This change affects pages 287, 289, 290, 311, 313, 320, 558, 574, 576, 860.

Lab 10 and Wireshark Bug: In Lab 10 you are instructed to create File Sets. Unfortunately, we've found that the 32-bit version Wireshark 1.10.x won't create more than a single file. You must use the 64-bit version of Wireshark 1.10.x or regress back to 1.8.x. Unfortunately, this bug still shows up in the 32-bit version of Wireshark 1.11.3.

Legal Stuff

You agree to indemnify and hold Protocol Analysis Institute and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of your use of the included trace files, your violation of the TOS, or your violation of any rights of another.


You may not reproduce, duplicate, copy, sell, trade, resell or exploit for any commercial purposes, any of the trace files available on this site.

Study Guide Cover

All Access Pass (AAP)

Purchase a one-year subscription for online, on-demand training. You may access courses as many times as you like anytime, anywhere with an Internet connection. Train online on your own schedule.

All Access Pass members are invited to join Laura Chappell for special live online events, as well. These events highlight new products, tools and techniques in network analysis.

The AAP Portal offers a tracking and CPE credit system to indicate where you are in a course and the number of CPE credits achieved.

Purchase an AAP Subscription

Price: $699 single-seat license. For quantity discount pricing, visit Chappell University's Pricing Page (Online Option) or contact us.


Preview Pages

Table of Contents


Table of Contents/Index/Tips (Single Searchable PDF)
(Misc. Pages)

Looking at Link Aggregation Taps for Wireshark, Snort and Suricata traffic examination/capture
(Page 112)

Using the new Filter Expression buttons to speed up troubleshooting and security analysis tasks
(Page 170)

Creating a "butt-ugly" coloring rule to detect HTTP errors faster
(Page 185)

Finding the most active conversations in a trace file
(Page 226)

Finding network problems quickly using the properly defined tcp.analysis.flags Filter Expression button
(Page 326)

Examining a web browsing session startup on a dual-stack host (IPv4/IPv6)
(Page 348)

Examining packet loss detected by a host sending data - RTO timeout
(Page 467)

Detecting unusual packet formation that indicates Nmap is running against our host
(Page 729)

Examining malicious traffic using a non-standard port number and forcing a decode on the traffic
(Page 779)