This course is in active development.
GCIA
The GCIA certification program teaches advanced TCP/IP, packet analysis, network traffic inspection, IDS operation, application-layer protocols, and evasion techniques, enabling professionals to detect, dissect, and respond to sophisticated intrusions.
Who Should Take This
Security analysts, incident responders, and network engineers with three to five years of hands-on experience in network security pursue the GCIA to validate their deep protocol knowledge and packet-analysis skills. They aim to enhance their ability to identify covert threats, fine-tune IDS configurations, and lead advanced intrusion investigations.
What's Covered
- Domain 1: TCP/IP Protocols and Packet Analysis
- Domain 2: Network Traffic Analysis
- Domain 3: Intrusion Detection Systems
- Domain 4: Application Layer Protocols
- Domain 5: Fragmentation and Evasion
- Domain 6: Network Forensics Fundamentals
Course Outline
61 learning goals
Domain 1: TCP/IP Protocols and Packet Analysis (4 topics)
IP Protocol Analysis
- Identify all IPv4 header fields including version, IHL, DSCP, total length, identification, flags, fragment offset, TTL, protocol, and checksum and describe each field's role in packet processing.
- Analyze IPv4 packet headers in hex dump format to extract source and destination addresses, protocol type, TTL values, and identify anomalies such as invalid header lengths.
- Describe IPv6 header structure including flow label, traffic class, hop limit, and extension headers and identify security implications of IPv6 transition mechanisms.
- Apply IP protocol number identification to determine the encapsulated protocol including TCP (6), UDP (17), ICMP (1), GRE (47), and ESP (50) from packet captures.
TCP Protocol Analysis
- Describe TCP header fields including source and destination ports, sequence and acknowledgment numbers, data offset, flags, window size, urgent pointer, and options.
- Analyze TCP three-way handshake sequences and connection teardown processes to identify normal connection establishment and detect anomalous patterns such as half-open connections.
- Apply TCP sequence number analysis to reconstruct data streams, detect retransmissions, and identify out-of-order packet delivery in network captures.
- Evaluate TCP flag combinations to identify scan types including SYN scan, FIN scan, XMAS scan, NULL scan, and ACK scan and determine the scanning tool's likely objective.
UDP and ICMP Protocol Analysis
- Describe UDP header structure and connectionless communication characteristics and identify security-relevant UDP services including DNS, DHCP, SNMP, TFTP, and NTP.
- Analyze ICMP message types and codes including echo request/reply, destination unreachable, time exceeded, and redirect to identify reconnaissance and tunneling activity.
- Apply UDP traffic analysis to detect amplification attacks, DNS exfiltration, and covert channel communication using non-standard port and payload patterns.
Packet Capture Tools and Techniques
- Apply Berkeley Packet Filter syntax to construct targeted capture filters for tcpdump and Wireshark that isolate specific hosts, ports, protocols, and flag combinations.
- Configure Wireshark display filters, protocol dissectors, and follow-stream features to reconstruct application-layer conversations and extract transferred files.
- Describe packet capture architecture including network TAPs, SPAN ports, inline capture, and full packet capture storage considerations for enterprise-scale monitoring.
Domain 2: Network Traffic Analysis (3 topics)
Traffic Pattern Analysis
- Apply network baseline analysis to establish normal traffic patterns including protocol distribution, top talkers, connection rates, and bandwidth utilization for anomaly detection.
- Analyze NetFlow and IPFIX records to identify suspicious traffic patterns including unusual port usage, high-volume data transfers, and connections to known malicious infrastructure.
- Describe statistical traffic analysis methods including entropy calculation, frequency analysis, and periodicity detection for identifying beaconing and covert channels.
Encrypted Traffic Analysis
- Describe TLS handshake analysis techniques including ClientHello fingerprinting using JA3 hashes, certificate inspection, and cipher suite negotiation patterns.
- Analyze encrypted traffic metadata including connection timing, packet sizes, server name indication values, and certificate properties to detect malicious communications.
- Identify TLS interception and decryption techniques including SSL/TLS proxy deployment, key logging via SSLKEYLOGFILE, and the security implications of breaking encryption for inspection.
Network Scanning and Enumeration Detection
- Describe network scan detection signatures including sequential port access, high connection rates from single sources, and response patterns indicating open, closed, and filtered ports.
- Analyze packet captures to differentiate between Nmap scan types including SYN, connect, UDP, and version detection scans based on traffic patterns and flag combinations.
- Apply service enumeration detection techniques to identify banner grabbing, protocol probing, and authentication brute force attempts in network traffic logs.
Domain 3: Intrusion Detection Systems (3 topics)
Snort and Suricata Rule Development
- Describe Snort rule syntax including rule header fields (action, protocol, addresses, ports, direction) and rule options (content, pcre, flow, sid, rev, classtype).
- Create Snort rules using content matching, byte_test, byte_jump, and regular expressions to detect specific attack payloads, protocol anomalies, and malicious patterns.
- Apply Suricata-specific features including multi-threading configuration, EVE JSON logging, file extraction capabilities, and protocol-aware keyword matching.
- Evaluate IDS rule effectiveness by analyzing detection rates, false positive ratios, and performance impact and recommend rule optimizations for improved accuracy.
Zeek Network Security Monitor
- Describe Zeek architecture including the event engine, policy script layer, log framework, and connection-oriented logging model for HTTP, DNS, SSL, and file analysis.
- Apply Zeek log analysis using conn.log, dns.log, http.log, ssl.log, and files.log to investigate network activity and identify indicators of compromise.
- Analyze Zeek notice and intelligence framework outputs to correlate network observations with threat intelligence feeds and prioritize investigation actions.
IDS Deployment and Operations
- Describe IDS sensor placement strategies including inline, passive, and hybrid deployments and identify optimal positions for maximum network visibility at chokepoints.
- Configure IDS performance tuning including rule set management, preprocessor configuration, memory allocation, and packet processing optimization for high-throughput environments.
- Evaluate IDS alert output to distinguish between true positive detections and false positives and assess the operational impact of alert volume on analyst workload.
Domain 4: Application Layer Protocols (4 topics)
HTTP and Web Protocol Analysis
- Describe HTTP request and response structure including methods, status codes, headers, and body content and identify security-relevant headers such as Content-Security-Policy and HSTS.
- Analyze HTTP traffic to identify web application attacks including SQL injection attempts, cross-site scripting payloads, command injection, and directory traversal in request parameters.
- Apply HTTP traffic reconstruction to extract requested URLs, submitted form data, uploaded files, and response content from packet captures for forensic analysis.
DNS Protocol Analysis
- Describe DNS protocol structure including query and response formats, record types (A, AAAA, CNAME, MX, TXT, NS, SOA), and the recursive resolution process.
- Analyze DNS traffic to detect tunneling activity including abnormal query lengths, high TXT record query volumes, and entropy analysis of subdomain labels.
- Apply DNS traffic inspection to identify cache poisoning attempts, fast flux domain usage, domain generation algorithm patterns, and unauthorized zone transfers.
Email and SMTP Protocol Analysis
- Describe SMTP protocol commands and responses including HELO, MAIL FROM, RCPT TO, DATA, and authentication extensions and identify email header fields for source tracing.
- Analyze email headers and SMTP session captures to trace message routing, identify spoofed sender information, and validate SPF, DKIM, and DMARC authentication results.
- Apply SMTP traffic analysis to identify spam relay abuse, open relay exploitation, and unauthorized bulk email originating from compromised internal hosts.
SMB and NetBIOS Analysis
- Describe SMB protocol versions including SMBv1, SMBv2, and SMBv3 and identify security vulnerabilities including EternalBlue, relay attacks, and null session enumeration.
- Analyze SMB traffic captures to identify lateral movement activity including remote file access, service creation, named pipe connections, and NTLM authentication exchanges.
- Describe Kerberos protocol network traffic patterns including AS-REQ, AS-REP, TGS-REQ, and TGS-REP exchanges and identify Kerberoasting indicators in packet captures.
Domain 5: Fragmentation and Evasion (3 topics)
IP Fragmentation
- Describe IP fragmentation mechanics including fragment offset calculation, More Fragments flag, reassembly algorithms, and the relationship between MTU and fragmentation requirements.
- Analyze fragmented packet captures to manually reassemble fragments, detect overlapping fragment attacks, and identify tiny fragment evasion techniques.
- Describe fragment-based attacks including the Ping of Death, teardrop attack, and Rose attack and identify how modern operating systems and IDS handle overlapping fragments.
IDS Evasion Techniques
- Describe IDS evasion techniques including payload obfuscation, protocol-level evasion, TTL manipulation, TCP segmentation attacks, and polymorphic shellcode encoding.
- Apply evasion-resistant IDS rule writing techniques including normalized content matching, protocol-aware inspection, and proper flow and state tracking directives.
- Evaluate IDS configurations to identify evasion vulnerabilities including missing preprocessors, incomplete protocol normalization, and inadequate reassembly policies.
TCP Stream Reassembly Attacks
- Describe TCP stream reassembly attacks including overlapping segment injection, RST injection, and desynchronization techniques that exploit differences between IDS and endpoint processing.
- Analyze packet captures to identify TCP reassembly evasion attempts by examining sequence number manipulation, TTL discrepancies, and inconsistent segment overlap handling.
Domain 6: Network Forensics Fundamentals (3 topics)
Network Evidence Collection
- Describe network forensics evidence types including full packet captures, NetFlow records, IDS alerts, proxy logs, and firewall logs and their respective evidentiary value.
- Apply network evidence collection procedures including packet capture integrity verification, timestamp validation, and chain of custody documentation for forensic analysis.
- Configure continuous packet capture systems using tools such as Moloch/Arkime, Stenographer, or netsniff-ng for retrospective network analysis and incident investigation.
Session Reconstruction and Analysis
- Apply session reconstruction techniques to reassemble TCP streams, extract transferred files, and recover application-layer content from full packet capture archives.
- Analyze reconstructed network sessions to build an attack timeline including initial access, command execution, data staging, and exfiltration activities.
- Describe network-based artifact extraction including carved files, decoded payloads, credential material, and command sequences for malware and intrusion analysis.
Correlation and Reporting
- Apply multi-source correlation by combining IDS alerts, Zeek logs, packet captures, and NetFlow records to construct a comprehensive view of a network intrusion.
- Evaluate network forensic evidence to determine the scope of an intrusion including compromised hosts, data accessed, lateral movement paths, and persistence mechanisms observed in traffic.
Scope
Included Topics
- All domains in the GIAC Certified Intrusion Analyst (GCIA) certification aligned to SANS SEC503: TCP/IP Protocols and Packet Analysis, Network Traffic Analysis, Intrusion Detection Systems, Application Layer Protocols, Fragmentation and Evasion, and Network Forensics Fundamentals.
- Deep packet analysis skills including TCP/IP header inspection, protocol dissection, traffic pattern recognition, and artifact extraction using tools such as Wireshark, tcpdump, tshark, and NetworkMiner.
- Intrusion detection system configuration and tuning using Snort, Suricata, and Zeek including rule writing, alert analysis, threshold tuning, performance optimization, and detection logic development for custom threats.
- Network forensics including full packet capture analysis, session reconstruction, file extraction from network streams, timeline correlation, and evidence preservation for legal proceedings.
- Protocol-level attack detection including TCP session hijacking, IP fragmentation attacks, DNS abuse, HTTP smuggling, TLS interception, and covert channel identification.
Not Covered
- Host-based forensics including disk imaging, file system analysis, memory forensics, and registry analysis beyond network-visible artifacts.
- Exploit development, reverse engineering, and binary analysis beyond understanding network-level exploitation signatures.
- Enterprise SIEM deployment and configuration, security orchestration and automated response platforms, and SOC operations management.
- Wireless protocol analysis beyond 802.11 frame inspection relevant to network intrusion detection.
- Cloud-native network security monitoring, container network policies, and service mesh traffic analysis.
Official Exam Page: learn more at GIAC Certifications.