
Understanding Protocol Analysis

Protocol analysts know how to employ esoteric hardware and/or software tools to examine traffic in motion across a network. Furthermore, they know how to decode and understand the implications of what they see in that data stream, where network pathologies, outside or inside attacks, poorly designed applications, and strange network layouts, among many other causes, can make life interesting. Author and columnist Ed Tittel explains why such esoterica may not only be of interest, but also of great value to your career as he explores certifications available in this essential technical field.
Editor's Note: Content updated on April 28, 2003.

Also note Ed's more recent (2011) article, Working with Protocol Analyzers and Related Certifications.


Before I can wax too eloquent on the various certifications that relate to protocol analysis, it’s probably a good idea to explain and explore the subject matter for such credentials. To that end, let me offer the following definition: “Protocol analysis consists of employing proper software and/or hardware tools to capture, decode, interpret, and react to the contents of data packets as they transit a network’s media.”

A fundamental tool for protocol analysis is something called a protocol analyzer. As the preceding definition implies, such tools come in software-only and hardware/software flavors. Some of this software is Open Source, available to anyone who wants to download it at no charge; other software is commercial and can cost as much as several thousand dollars. Special hardware/software combinations can cost $10,000 or more. In fact, where interfaces to high-speed media like ATM or SONET place high demands on hardware processing capability, speed, buffering, and so forth, high-end, high-speed protocol analyzers can cost upwards of $25,000.

The bodies of knowledge relevant to protocol analysis span the ISO/OSI Reference Model from Layer 1 (hardware, connections, and so forth) all the way through Layer 7 (application interfaces). But the primary emphasis in this field—except when working with software developers to test or debug code—falls from layers 2 (Data Link) through 5 (Session). Nevertheless, a strong background in networking fundamentals is a must for would-be protocol analysts, especially in the layers most relevant to designing and implementing physical networks. The following topics are entirely germane to this kind of work (and thus, to related certifications):

  • Networking hardware. Cables, connectors, interfaces, hubs, bridges, routers, and other networking devices
  • Network topology and design. How to deploy and employ networking technologies from 10 Mbps up to 1 Gbps and beyond
  • Network addressing and routing. How to design, implement and troubleshoot common network addressing, subnetting and supernetting, and name resolution services
  • Common network protocol suites. Includes some or all of TCP/IP, IPX/SPX, NetBEUI, frame relay, ATM, X.25, and so forth
  • Common network services. Includes protocol-related request-reply sequences, traffic patterns, related packet formats, and so forth
  • Network attack and pathology signatures. Includes common attacks (Denial of Service, Distributed Denial of Service, Ping of Death, etc.) and misbehaviors (broadcast storms, excessive errors, etc.)

It’s not at all unreasonable to think of protocol analysis as a kind of cap to one’s career as a network professional. By extension, this makes a protocol analysis certification likely to fall later rather than earlier in one’s career, and to serve as a kind of capstone for other, less formidable certifications.

The Protocol Analysis Certification Landscape

As is true for so many other kinds of IT certifications, protocol analysis credentials come in both vendor-neutral and vendor-specific sorts. For the former, this means a more general, catholic approach to the tools used for analysis as well as to the protocol suites subject to analysis; for the latter, it means focusing on specific analytical tools, but also usually implies a rather more open view on protocol suites and related services. Table 1 provides a list of useful credentials that can serve as warm-ups to protocol analysis certifications; Table 2 covers the small number of “pure” protocol analysis certifications currently available.

Table 1—Protocol Analysis Certifications


|  | Title (Acronym) |  |
|---|---|---|
|  | IP Routing & Switching | General IP and routing concepts |
|  | Networking Monitoring | General network monitoring, management & protocols |
|  | LAN/WAN Communications | Covers LAN/WAN protocols & architectures (general) |
| Cisco Systems | Certified Internetwork Professional (CCIP) | For individuals who work in Cisco-intensive environments; concentrations in IP routing, IP multicast, cable, IP telephony, or DSL will lead nicely into protocol analysis. |
|  | Cisco Security Specialist | Focuses on Cisco systems and tools, but provides thorough training in protocol structures and attack signatures. |
|  | Certified Internetwork Expert (CCIE) | Cisco’s premier certification requires protocol knowledge and some analysis skills (mostly at Layers 2 and 3). |
| Global Knowledge | TCP/IP Network Analyst | To demonstrate IP management expertise, including IP internetworking, troubleshooting, and management. |
|  | Telecommunications Analyst | To demonstrate expertise in DSL, ATM, and Frame Relay; includes coverage of telecomm fundamentals I and II, plus converging voice and data networks. |
|  | VoIP Engineer | To demonstrate expertise on structure, components, and architecture of voice and data networks, including ATM, Frame Relay, plus explicit VoIP protocols and designs. |
| Learning Tree | Local Area Networks Certified Professional | To identify individuals qualified to work as network managers, systems analysts, engineers, planners, IS and IT professionals, or support technicians involved in day-to-day network planning, operations, and management. |
|  | TCP/IP Certified Professional | To identify individuals qualified to work as network or system administrators, network planners or support personnel, or system analysts in environments where TCP/IP protocols and services are in use. |
| Lucent Tech | Lucent Certified Technical Expert (LCTE) | Lucent offers associate and specialist credentials in ATM, Frame Relay, internetworking, DSL, VoIP, and VPNs that should all provide good preparation for protocol analysis. |
|  | Senior Network Specialist (NSNS) | Identifies advanced networking and telecom specialists with good knowledge of network design, protocols, services, and troubleshooting. |
|  | Telecom Technician Level 1/2 (NTT1, NTT2) | Identifies beginning (L2) and advanced (L1) expertise in servicing, troubleshooting, and repairing voice and data networks. |


Remember, the intent of including these warm-up certifications for protocol analysis is to identify programs where protocols and services receive enough attention and coverage to help individuals prepare for the items covered in Table 2. None of the credentials covered in Table 1 would qualify an individual who attained them as a “protocol analyst” (this is especially true of the CCIE which, despite its profound cachet and market value, does not mold truly well-rounded protocol analysts).

Table 2—"Pure" Protocol Analysis Certifications


|  | Title (Acronym) |  |
|---|---|---|
| Pine Mtn Group | Certified NetAnalyst-Cross Technology | Formerly the NetAnalyst Level I, this credential focuses on general protocol analysis and identifies those who seek to design, manage, and troubleshoot production networks, LANs, and WANs. |
|  | Certified NetAnalyst-Architect | Formerly the NetAnalyst Level II, this credential focuses on more advanced network analysis concepts, techniques, and technologies. |
| Sniffer Tech | Sniffer Certified Professional (SCP) | Identifies individuals with good working knowledge of Sniffer Pro Network analyzer to detect and troubleshoot common network problems. |
|  | Sniffer Certified Expert (SCE) | Identifies individuals who’ve obtained SCP credentials, and passed any two exams on topics and technologies that include RMON, Ethernet, WAN, ATM, Windows, TCP/IP, or wireless analysis and troubleshooting topics. |
|  | Sniffer Certified Master (SCM) | Identifies individuals who’ve obtained SCE credentials, and have passed three additional topic/technology exams. |
| WildPackets, Inc. | Applied Analysis Technician (AATech) | Identifies individuals with strong basic grounding in protocol analysis concepts and knowledge of related tools. |
|  | Protocol Analyzer Specialist (PAS) | Identifies individuals with advanced topics and expertise in capturing and interpreting protocol analysis trace files and performance statistics. |
|  | Network Analysis Expert (NAX) | Identifies individuals who’ve passed the PAS, then go on to take additional Data Link and Area of Specialty knowledge exams, plus write a technical white paper. Knowledge exams include Ethernet, Wireless, TCP/IP, and Apple Networking topics. |

