100+ Free WCNA Practice Questions

Pass your Wireshark Certified Network Analyst (WCNA) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

Which of the following best describes the primary purpose of network analysis with Wireshark?

Replacing network management systems for production monitoring

Capturing and decoding network traffic to troubleshoot, baseline, and investigate communications

Encrypting traffic between hosts to prevent eavesdropping

Configuring routers and switches over the network

to track

2026 Statistics

Key Facts: WCNA Exam

100

Exam Questions

120 minutes

$299

Exam Fee

Per sitting

80-120 hrs

Study Time

Recommended

Pass/fail

Grading

Statistically set

3 years

Certification Valid

Chappell University

DoD 8570

U.S. Army Approved

Since 2009

WCNA is a vendor-neutral packet analysis certification from Chappell University that validates expertise with Wireshark and TCP/IP troubleshooting. The closed-book exam has 100 multiple-choice and true/false questions in 120 minutes for $299 USD. It covers capture configuration, display filters, TCP/IP, application protocols, wireless and VoIP, performance baselining, forensics, and CLI tools (tshark, dumpcap, editcap). The WCNA has been DoD 8570 certified by the U.S. Army since 2009 and is held by analysts in 90+ countries. Recertification is required every three years.

Sample WCNA Practice Questions

Try these sample questions to test your WCNA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which of the following best describes the primary purpose of network analysis with Wireshark?

A.Replacing network management systems for production monitoring

B.Capturing and decoding network traffic to troubleshoot, baseline, and investigate communications

C.Encrypting traffic between hosts to prevent eavesdropping

D.Configuring routers and switches over the network

Explanation: Wireshark is a passive protocol analyzer used to capture and decode traffic for troubleshooting performance, baselining normal behavior, and performing security or forensic investigations. It does not encrypt traffic or configure devices, and it complements rather than replaces production monitoring systems.

2Where should you place the analyzer to capture traffic between two hosts on a switched Ethernet network when neither host is the analyzer?

A.Anywhere on the same VLAN, since switches flood all traffic

B.On a SPAN/mirror port, network TAP, or hub between the hosts

C.On a dedicated routing interface

D.On any random switch access port

Explanation: Modern switches forward unicast traffic only to the destination port, so a passive analyzer plugged into an arbitrary access port will not see traffic between two other hosts. Capturing between two hosts requires a SPAN/mirror port, a network TAP inline with the link, or (rarely) a hub.

3Which file format is the modern, default capture file format used by Wireshark?

A.pcap (libpcap)

B.pcapng

C.cap (Microsoft Network Monitor)

D.snoop

Explanation: Wireshark's default save format is pcapng (PCAP Next Generation), which supports multiple interfaces, per-packet comments, name resolution blocks, and richer metadata than legacy pcap. Wireshark can still read and write classic pcap as well.

4Which Wireshark display filter shows only traffic to or from IP address 10.1.1.5?

A.host 10.1.1.5

B.ip.addr == 10.1.1.5

C.ip.address = 10.1.1.5

D.tcp.host == 10.1.1.5

Explanation: Wireshark display filters use field names with == as the equality operator. The correct expression is ip.addr == 10.1.1.5, which matches packets where either the source or destination IPv4 address equals that value. 'host 10.1.1.5' is BPF capture-filter syntax, not display-filter syntax.

5Which of the following is a valid Wireshark BPF capture filter?

A.ip.addr == 192.168.1.1

B.host 192.168.1.1

C.tcp.port eq 80

D.frame.len > 100

Explanation: Capture filters use Berkeley Packet Filter (BPF) syntax with primitives such as host, net, port, and tcp/udp. 'host 192.168.1.1' is a valid BPF expression. The other options are Wireshark display-filter expressions, which use field names like ip.addr, tcp.port, and frame.len with == or eq operators and cannot be used as capture filters.

6On a switched network, what does enabling promiscuous mode on the analyzer's NIC accomplish?

A.It causes switches to flood all traffic to the analyzer

B.It tells the NIC to hand all received frames up to the OS, even those not addressed to it

C.It encrypts the captured traffic

D.It puts the wireless adapter into monitor mode

Explanation: Promiscuous mode instructs the NIC to pass every frame it sees up to the operating system rather than discarding frames whose destination MAC does not match the local NIC. It does not change switch forwarding behavior, so on a switched network you still need a SPAN port or TAP to see other hosts' traffic.

7Which display filter shows only TCP SYN packets (not SYN-ACK)?

A.tcp.flags == 0x02

B.tcp.flags.syn == 1 and tcp.flags.ack == 1

C.tcp.syn == 1

D.tcp.flags.ack == 1

Explanation: A pure SYN segment has only the SYN flag set, which is binary 0x02 in the TCP flags byte. The display filter tcp.flags == 0x02 matches segments whose entire flags field equals SYN-only. Filtering on tcp.flags.syn == 1 alone would also match SYN-ACKs, which have both SYN and ACK set.

8In Wireshark's Statistics menu, which feature lets you see a hierarchical breakdown of how much traffic each protocol contributes to the capture?

A.Conversations

B.Endpoints

C.Protocol Hierarchy

D.IO Graphs

Explanation: Statistics > Protocol Hierarchy displays a tree of every protocol detected in the trace along with packet and byte counts and percentages. Conversations and Endpoints show talker pairs and individual hosts, and IO Graphs visualize traffic over time but do not break down protocols hierarchically.

9Which three messages, in order, make up the standard TCP three-way handshake?

A.SYN, ACK, SYN-ACK

B.SYN, SYN-ACK, ACK

C.SYN, FIN, ACK

D.SYN, RST, ACK

Explanation: A TCP connection is established with SYN from the initiator, SYN-ACK from the responder, and ACK from the initiator. FIN is used during graceful close, and RST is used for abrupt teardown or to reject a segment, so neither belongs in normal connection setup.

10Which protocol resolves an IPv4 address to a MAC address on the local Ethernet segment?

A.DNS

B.ARP

C.ICMP

D.DHCP

Explanation: ARP (Address Resolution Protocol) maps an IPv4 address to a MAC address on the same broadcast domain. DNS resolves names to IP addresses, ICMP carries control and error messages, and DHCP assigns IP configuration. ARP runs directly over Ethernet (EtherType 0x0806) and is critical to investigate when local connectivity fails.

About the WCNA Exam

The WCNA is the industry-recognized certification for packet and protocol analysts. It validates skills in Wireshark capture and configuration, BPF capture filters, display filter syntax, TCP/IP and application protocol analysis, wireless and VoIP analysis, performance baselining, network forensics, and command-line tools (tshark, dumpcap, editcap). DoD 8570 certified by the U.S. Army since 2009.

Questions

100 scored questions

Time Limit

120 minutes

Passing Score

Pass/fail (statistically set)

Exam Fee

$299 (Chappell University / WCNA Certification)

WCNA Exam Content Outline

10%

Network Analysis & Wireshark Fundamentals

Analyzer placement, capture point selection, and defining analysis purpose

10%

Capture Configuration & Customization

BPF capture filters, global preferences, time display, and ring buffers

12%

Statistics & Display Filters

Wireshark display filter syntax, Expert Info, IO graphs, and conversations

10%

TCP/IP Protocol Analysis

IPv4/IPv6 headers, ICMP, ARP, fragmentation, and TTL

12%

Transport Layer Analysis

TCP handshake, retransmissions, RST/FIN, window scaling, SACK, and UDP

12%

Application Protocol Analysis

HTTP/HTTPS, DNS, DHCP, FTP/SMB, and TLS handshake

Wireless & VoIP Analysis

WLAN frame types, monitor mode, RTP/RTCP/SIP, jitter, and MOS

Performance Analysis & Baselining

Baselining normal traffic and identifying performance bottlenecks

10%

Network Forensics & Security

Port scans, SYN floods, Follow Stream, and byte/string searches

Command-Line Tools & Advanced Features

tshark, dumpcap, editcap, mergecap, capinfos, text2pcap, reordercap

How to Pass the WCNA Exam

What You Need to Know

Passing score: Pass/fail (statistically set)
Exam length: 100 questions
Time limit: 120 minutes
Exam fee: $299

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

WCNA Study Tips from Top Performers

1Memorize the difference between Wireshark display filter syntax (ip.addr == 10.0.0.1, tcp.flags.syn == 1) and BPF capture filter syntax (host 10.0.0.1, tcp[13] & 2 != 0)

2Practice the TCP three-way handshake byte-by-byte — know which flags are set, sequence number behavior, and what RST vs FIN look like

3Master the Expert Info dialog — recognize warnings like 'Previous segment not captured,' 'Duplicate ACK,' 'Retransmission,' and 'Fast retransmission'

4Get hands-on with tshark, dumpcap, editcap, mergecap, and capinfos — know which tool does what and the common flags (-r, -w, -Y, -f, -c)

5Use the official Chappell University Exam Prep Guide and analyze the included sample pcap files; reading questions is no substitute for opening real captures

6Use our AI tutor to walk through trace files and explain Expert Info findings line by line

Frequently Asked Questions

What is the WCNA exam?

The Wireshark Certified Network Analyst (WCNA) is a vendor-neutral certification from Chappell University that validates skills in packet capture, protocol analysis, network troubleshooting, performance baselining, and network forensics using Wireshark. The closed-book exam has 100 multiple-choice and true/false questions, runs 120 minutes, and costs $299 per sitting.

How hard is the WCNA exam?

WCNA is considered an intermediate-to-advanced exam. Candidates must distinguish Wireshark display filter syntax (uses == and &&) from BPF capture filter syntax (uses host, port, net) and decode TCP behavior at the byte level. Most candidates spend 80-120 hours studying, including extensive hands-on time analyzing real pcap files.

What jobs can I get with WCNA certification?

WCNA is recognized for roles including: Network Analyst ($75-110K), SOC Analyst ($70-100K), Network Forensics Investigator ($85-130K), Network Engineer with troubleshooting focus ($80-120K), and Performance Engineer ($85-115K). The WCNA is DoD 8570 approved by the U.S. Army, making it valuable for federal and defense contractor roles.

Is WCNA certification worth it in 2026?

Yes — packet analysis remains a foundational skill for network engineering, security operations, and forensics. Wireshark is the de facto industry-standard analyzer, and WCNA is the only widely recognized certification specifically for it. With increasing focus on encrypted traffic analysis and cloud network observability, deep protocol expertise continues to be in high demand.

How is WCNA different from CCNA or Network+?

CCNA and Network+ are broad networking certifications covering routing, switching, and infrastructure. WCNA goes deeper into a narrower domain: how packets actually look on the wire, how to filter and decode them, and how to identify anomalies. Many engineers earn CCNA or Network+ first for breadth, then add WCNA for protocol analysis depth.