VCA-NET-101: Networks and Packet Analysis, Course Outline (v0.1)

Network-track entry course. Prerequisite: FND-101 (or equivalent shell and hex-literacy). ~132 hours total across 12 weeks. Audience: FND-101 graduates, career changers, adults with computing foundations.


Course mission

You start NET-101 able to ping a host and run curl. You end it able to open a packet capture, read every layer of every frame, write display filters that isolate the traffic you care about, and explain precisely what happened on the wire during a DNS lookup, a TCP connection, an HTTP exchange, and a TLS handshake. This is the skill that separates a practitioner who "knows networking" from one who can see networking.

The north star: "A student who finishes NET-101 can open an unfamiliar packet capture, identify the protocols present, trace a specific conversation from handshake to teardown, and explain what each layer contributed to the exchange. Not by guessing, and not by reading field names. By model."


Who this course is for

  • FND-101 graduates who want to understand the network layer beneath the applications they use
  • Career changers and adults targeting network, security, or infrastructure roles
  • Anyone who can navigate a Linux or macOS shell, read a hex dump, and use Git to commit files
  • Students who have basic computer literacy but have not yet worked inside a packet capture

You do NOT need prior networking experience. You need a laptop with a browser (for the academy pcap-tools workbench), a terminal (bash or zsh), and roughly 11 hours per week across 12 weeks.


Where NET-101 sits in the pipeline

Prerequisite for this course: FND-101 (Digital Foundations). Specifically: hex-dump literacy, Linux shell fluency, and basic familiarity with IP addresses and ports (covered in FND-101 week 11).

What NET-101 gates (take these next):

  • NET-201: Advanced Network Analysis (packet capture at scale; BGP; IPv6; advanced Wireshark scripting)
  • PEN-101: Penetration Testing Foundations (needs TCP/IP model + Wireshark fluency from NET-101)
  • SEC-101: Cybersecurity Principles (needs networking model + protocol familiarity from NET-101)
  • ADV-101: Adversarial Analysis (needs TLS + NSM from NET-101)

What you will know at the end

After completing NET-101, you will be able to:

Protocol model:

  • Explain the OSI and TCP/IP layering models and map real protocols to specific layers
  • Describe the role of each layer: how Ethernet frames carry IP packets, which carry TCP segments, which carry HTTP requests
  • Explain why "headers all the way down" is a literal description of how data travels on the wire

Ethernet and ARP:

  • Read an Ethernet frame header (destination MAC, source MAC, EtherType) from a packet capture
  • Explain the ARP request-reply pattern and why it exists
  • Recognize an ARP storm as an anomaly in a packet capture

IP:

  • Read the key IPv4 header fields (source, destination, TTL, protocol, flags, fragment offset) from a capture
  • Explain CIDR notation and subnet masks well enough to say whether two addresses are on the same subnet
  • Explain what TTL is, what decrements it, and what happens when it reaches zero

ICMP:

  • Explain ping and traceroute at the packet level: what ICMP type codes are sent and received for each
  • Trace a traceroute through its TTL-exhaustion mechanics, hop by hop

UDP:

  • Explain what UDP provides and does not provide versus TCP
  • Read a DNS query and response from a capture: transaction ID, flags, question section, answer section

TCP:

  • Trace the TCP three-way handshake from SYN to SYN-ACK to ACK using real sequence and acknowledgment numbers from a capture
  • Trace a TCP connection teardown (FIN/ACK sequence)
  • Explain what flow control and congestion control do at a conceptual level
  • Write a Wireshark display filter that isolates a specific TCP stream

DNS:

  • Explain the recursive-resolver + authoritative-nameserver architecture
  • Distinguish an A record, AAAA record, MX record, NS record, and CNAME from each other
  • Use dig to trace a DNS lookup step by step

HTTP:

  • Read an HTTP/1.1 GET request and a 200 OK response from a packet capture
  • Explain the status-code classes (2xx, 3xx, 4xx, 5xx) and what each means
  • Use curl to inspect HTTP request and response headers without a browser

TLS:

  • Explain the TLS handshake sequence: ClientHello, ServerHello, Certificate, key exchange, Finished
  • Identify the SNI field in a ClientHello in a packet capture
  • Explain why TLS application data is opaque to a passive observer without the session key
  • Describe what happened in the Wireshark RCE CVE quartet at the vocabulary level

Packet analysis:

  • Write and apply Wireshark display filters across protocol fields (ip.addr, tcp.port, dns.qry.name, http.request.method, tls.handshake.type)
  • Use the academy pcap-tools workbench to load, filter, and analyze packet captures in the browser
  • Read the academy Snort 3 and Suricata rule handouts and explain what each rule detects

Capstone:

  • Capture traffic from a controlled lab network, annotate it by protocol and conversation, identify at least one anomaly, and write a structured Network Snapshot report committed to Git

Course shape

| Week | Theme | Lab focus |
|---|---|---|
| 1 | What is a network? OSI + TCP/IP models | Layer identification worksheet on live capture |
| 2 | Ethernet and ARP | ARP request-reply + storm anomaly |
| 3 | IPv4 | Header field inspection in pcap-tools |
| 4 | ICMP: ping and traceroute | Trace TTL-exhaustion mechanics |
| 5 | UDP: DNS, DHCP, and datagram services | DHCP four-step + DNS query/response |
| 6 | TCP I: handshake, sequence numbers, ports | Three-way handshake trace; connection teardown |
| 7 | TCP II: flow control and congestion control | Window-size inspection in a real session |
| 8 | DNS deep-dive: resolvers, records, dig | Multi-capture DNS analysis |
| 9 | HTTP: request/response and the pcap-tools workbench | HTTP GET trace + full pcap-tools tour |
| 10 | TLS: handshake and the CVE quartet | TLS ClientHello trace; Wireshark CVE mini-module |
| 11 | NSM + Wireshark display filters | Write 5 filters; Snort/Suricata rule mapping |
| 12 | Capstone and bridge | Network Snapshot report; closing lecture |

Protocol-layer encapsulation onion. Four nested rectangles labelled from innermost out: Application layer (HTTP payload, amber-highlighted, Week 9); Transport layer (TCP segment, Weeks 5, 6, 7) with a dashed TCP header rectangle alongside; Internet layer (IPv4 packet, Week 3) with a dashed IPv4 header rectangle; Link layer (Ethernet frame, Week 2) with dashed Ethernet header and trailer rectangles. A caption note instructs the reader to read inside-out: each lower layer prepends a header and Ethernet appends a trailer, and the receiver strips them in reverse.

Figure 0.1. The picture every NET-101 week returns to. The amber inner payload is what your application wrote; every outer rectangle is a header (or, on the outside, a trailer) that the host's network stack prepended on the way out. Weeks 2-9 walk the rings outward-to-inward: Ethernet first (because the frame is what the NIC sees), then IP, then TCP, then HTTP. Each lab opens the next ring's header and asks what the fields mean.
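The rings of Figure 0.1 in code, as an added example that is not part of the course materials: build_frame wraps an HTTP request inside-out and peel strips the headers in receive order. The MAC addresses, the 192.0.2.x addresses, the ports and the host lab.example are constructed; the sketch assumes an untagged Ethernet II frame that still carries its 4-byte trailer, and it leaves the IP and TCP checksums at zero.

```python
import struct
import zlib

HTTP = b"GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n"  # constructed payload

def build_frame(payload: bytes) -> bytes:
    """Sender side, inside-out: each layer prepends its header (constructed values)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000,
                      5 << 4, 0x18, 64240, 0, 0) + payload  # PSH+ACK; checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])) + tcp  # checksum left 0
    eth = bytes.fromhex("02000000000b02000000000a") + struct.pack("!H", 0x0800) + ip
    return eth + struct.pack("<I", zlib.crc32(eth))  # trailer: frame check sequence

def peel(frame: bytes) -> dict:
    """Receiver side, outside-in: strip Ethernet, then IPv4, then TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType is not IPv4")
    packet = frame[14:-4]
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("IP protocol is not TCP")
    # Total Length bounds the packet; short frames carry Ethernet padding after it.
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "fcs_ok": struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4]),
        "src_ip": ".".join(map(str, packet[12:16])),
        "dst_ip": ".".join(map(str, packet[16:20])),
        "ttl": packet[8], "sport": sport, "dport": dport,
        "payload": segment[data_offset:],
    }

if __name__ == "__main__":
    for field, value in peel(build_frame(HTTP)).items():
        print(f"{field:8} {value}")
```

Most capture tools never see the trailer because the NIC strips it, so a frame read from a pcap usually ends at the last payload or padding byte.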


Per-week time budget

Each week runs approximately 11 hours total:

| Activity | Time per week |
|---|---|
| Lecture (2 x 55 min) | 1 hr 50 min |
| Lab (1 x 90 min, some weeks 2 labs) | 1 hr 30 min |
| Independent practice | ~7 hr |
| Reading | ~30-60 min |
| Reflection journaling | ~30 min |
| Total per week | ~11 hr |

12 weeks x 11 hr = 132 hr (close to the published ~135 hr; minor variation per cohort pace).


Anchor reading

Primary pair: Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley) and James Kurose + Keith Ross, Computer Networking: A Top-Down Approach (Pearson).

Stevens is the canonical reference at the protocol-byte level. Kurose-Ross is the narrative complement that explains why the protocols are shaped the way they are. Both are widely available at public libraries. The per-chapter reading guide is published as a separate handout (handouts/cross-chapter-net-101-anchor-reading-guide.md) with chapter-level reading assignments and page ranges.

Supplemental (all free online):

  • Julia Evans networking zines (https://jvns.ca/): plain English explanations of DNS, TCP, and packet analysis
  • Beej's Guide to Network Programming (https://beej.us/guide/bgnet/): referenced for the Python socket labs
  • The academy's pcap-tools workbench at /pcap-tools/: in-browser Wireshark + display-filter learning environment
  • The academy's cross-chapter pcap fundamentals walkthrough at handouts/cross-chapter-pcap-walkthrough-fundamentals.md
  • Wireshark CVE Quartet handout at handouts/cve-lab-wireshark-rce-quartet-2026-05.md
  • Snort 3 rules reference at handouts/cve-snort3-rules-reference-wireshark-quartet-2026-05.md
  • Suricata rules reference at handouts/cve-suricata-rules-reference-wireshark-quartet-2026-05.md

Capstone

The NET-101 capstone is a Network Snapshot report. You capture traffic from a controlled lab network (your home network or a class-provided lab environment, with permission), annotate the capture by protocol and conversation, identify at least one anomaly or unexpected pattern, and write a structured report committed to a Git repository.

Full specification in CAPSTONE.md.


Labs

Sixteen graded labs across 12 weeks, anchored on academy pcap fixtures from the curated catalog at /pcap-tools/.

| Lab | Title |
|---|---|
| 2-1 | Ethernet and ARP |
| 3-1 | IPv4 Header Fields |
| 4-1 | ICMP: Ping and Traceroute |
| 5-1 | DHCP Handshake |
| 5-2 | DNS Query and Response |
| 6-1 | TCP Three-Way Handshake |
| 6-2 | TCP Connection Teardown |
| 7-1 | TCP Window and Flow Control |
| 8-1 | DNS Deep-Dive |
| 9-1 | HTTP GET Trace |
| 9-2 | pcap-tools Workbench Tour |
| 10-1 | TLS Handshake |
| 10-2 | Wireshark CVE Mini-Module |
| 11-1 | Display Filters |
| 11-2 | Snort and Suricata Rules |
| 12-1 | Capstone Lab |

Setup before week 1

See SETUP.md for the full checklist. Requirements are minimal: a browser for pcap-tools and the academy workbench; a terminal with Wireshark or tshark optionally installed for live-capture labs. Windows students need WSL2 for the tcpdump labs.


Pedagogy

NET-101 teaches protocols from the wire up. Every concept is grounded in something visible in a packet capture: a specific byte offset, a specific field value, a specific display filter that matches the packet you care about and none of the others. You do not take the protocol stack on faith. You see it.

The academy pcap-tools workbench ships curated packet captures you can load and analyze in the browser without installing anything. The fundamentals captures (DNS, HTTP, TCP, ICMP, ARP, DHCP) are academy-original: every byte is intentional. The CVE quartet captures are also academy-original: crafted to show what a malformed protocol field looks like before and after a patch. Real anomalies look like deviations from the clean baseline; this course builds the baseline.


Course outline v0.1 prepared 2026-05-10. Iteration after first pilot cohort runs.