Back to Academy

VCA-NET-101: Networks and Packet Analysis

Virtus Academy · Foundation Stream

Networks demystified by reading actual packets, not by memorizing an OSI poster. Students learn the layers (physical, data-link, network, transport, application), the common protocols a practitioner encounters daily (DHCP, DNS, HTTP, TLS), and how to build a packet from scratch in Python and watch it leave the wire in Wireshark. The course assumes FND-102 Python fluency and produces graduates prepared for every subsequent Virtus course that touches network traffic.

Total time: ~93 hours (curriculum aligned to course mission, 2026-04-26)
Lecture: ~13 hr
Practical / lab: ~28 hr
Independent practice: ~52 hr
Position: After FND-102
Prereq: VCA-FND-102
Equipment: Laptop-only; primary tooling delivered in-browser via the academy workbench (Wireshark/tshark Wasm port + pcap filter-learning visualizer = TIR-1, in engineering; academy network simulator on GNS3/Containerlab/Mininet/netlab open-source substrate = TIR-2, in engineering); standard CLI (tcpdump, nmap, nc, dig, curl) in the academy lab Linux environment; Cisco Packet Tracer external-install for students with NetAcad accounts (see hardware platform · we update this as the kit firms up)
Credential: VCA-NET-101 Certificate of Completion
Register interest. We're not taking enrollments yet. Email interested@virtuscyberacademy.org.
Curriculum aligned to course mission; weekly schedule and lab manifest below are firm. The course is laptop-only, every tool is free and open-source (Wireshark, tcpdump, tshark, dig, traceroute, Python socket module, Python scapy for packet crafting). Students need only a Linux or macOS environment (or WSL2 on Windows) and a network connection. Detailed week-by-week assessment rubric publishes before the first cohort runs.

Course Overview

VCA-NET-101 teaches networks by taking them apart. Rather than memorizing the OSI layers, students capture real traffic on a shared lab network, decode the frames, and reconstruct the application behavior from the wire. By the end of the semester a student can look at a packet capture and explain what the user on the other end was doing. The course also introduces the Python socket API so students can emit what they have learned to read, closing the loop between protocol knowledge and programming capability.

NET-101 sits between two industry-standard reference points and earns its hour budget against both. On one side is CompTIA Network+ exam prep (~120 hr by CompTIA's own benchmark), broader in certification scope but lighter on packet capture and without socket programming. On the other side is Stanford CS144 Introduction to Computer Networking (~150 hr), advanced-undergraduate, that asks students to implement TCP from scratch. NET-101 is an introductory conceptual course - it goes deeper than Network+ on Wireshark and Python sockets, but stops well short of CS144's full-transport-implementation ambition. The narrower scope is intentional: a student leaves NET-101 with the ability to read what is on the wire, which is the central skill every subsequent Virtus course that touches networks (PEN-101, WIR-101, SEC-101, RE-101, ADV-101) assumes.

What Belt-3 Networking Track Graduates Recognize

NET-101 reads paired anchors at foundational depth: Stevens and Fall's TCP/IP Illustrated, Volume 1 (2nd ed., 2011) supplies the bottom-up wire-protocol depth (tcpdump captures, byte-by-byte header diagrams, listings of actual traffic), and Kurose and Ross's Computer Networking: A Top-Down Approach (9th ed., 2021) supplies the top-down architectural narrative with current SDN, 4G/5G NR, 5G Core, and QUIC coverage. Beej's Guide to Network Programming and Sanders's Practical Packet Analysis supplement the Python-sockets and Wireshark labs. Graduates leave able to discuss the OSI 7-layer / TCP-IP 4-layer / hybrid 5-layer comparison, TCP versus UDP versus QUIC, IPv4 versus IPv6 versus dual-stack, the three-way handshake as the minimal correct exchange, and the named tool families (Wireshark, tshark, tcpdump, nmap, nc, dig, curl, ssh, traceroute, Cisco Packet Tracer, GNS3, Suricata, Zeek).

The teaching method uses paired textbook readings with twelve to fifteen short passages across the fourteen weeks (each cited at chapter-page level), a personal Tool Journal kept as a Markdown file in the course Git repo, and per-chapter architecture-comparison sidebars surfacing the road-not-taken. The per-chapter reading guide is published as a separate handout (handouts/cross-chapter-net-101-anchor-reading-guide.md). NET-101 owns the canonical first-introduces for the network-track tool corpus; PEN-101, RE-101, and ADV-101 reference rather than re-introduce. Graduates carry the wire-versus-architecture pairing, the embedded-networking lineage that culminates in the SB6141 cable-modem RE target, and the contract-between-layers reading discipline into NET-201, NET-301, and the rest of the academy ladder.

Learning Objectives

Listed in Bloom's-taxonomy order. Each is measurable against a specific lab or written deliverable.

  1. Remember. State the seven OSI layers and the four-layer TCP/IP model; name the standard ports (DNS 53, HTTP 80, HTTPS 443, SMTP 25, IMAP 143/993, SSH 22, DHCP 67/68); recite the common DNS record types (A, AAAA, MX, TXT, CNAME, NS, SOA, PTR). (Assessed: closed-book quiz; Lab 1 layer-identification worksheet.)
  2. Understand. Explain why ARP exists, why DHCP is broadcast-based, why DNS uses UDP for queries but falls back to TCP for large responses, and why TCP's three-way handshake is three rather than two or four. (Assessed: written reflection D2; Lab 2 capture-walk explanation.)
  3. Understand. Distinguish capture filters (BPF syntax, applied at the kernel) from display filters (Wireshark syntax, applied to a loaded pcap), and explain when each is appropriate. (Assessed: Lab 3 filter-discipline exercise.)
  4. Apply. Capture live traffic with Wireshark or tcpdump, save it as a pcap, apply a display filter that isolates a specific conversation, follow the TCP stream, and extract the application-layer payload (an HTTP request body, a DNS response, a TLS ClientHello). (Assessed: Labs 4 and 5.)
  5. Apply. Build a working TCP client and a UDP listener in Python using the socket module; build a minimal HTTP/1.1 request-and-response tool from scratch (no requests library); confirm with Wireshark that the bytes the program emits match the bytes the protocol specifies. (Assessed: Lab 6 socket-programming exercise.)
  6. Analyze. Given a pcap of unknown traffic, identify the protocol(s) in use, the client and server endpoints, the application-layer purpose (web browse, email send, DNS lookup, file download), and any anomalies (unexpected ports, malformed headers, repeated retransmissions). (Assessed: Lab 7 mystery-pcap exercise.)
  7. Analyze. Trace a complete DNS resolution end-to-end (recursive resolver → root → TLD → authoritative → client) using dig +trace, and explain how DNS caching at each layer affects subsequent queries. Identify, from a pcap, whether a given query was served from cache or required full resolution. (Assessed: Lab 8 DNS-trace walkthrough.)
  8. Create. Produce a documented map of a real network (the student's home network or a supplied lab network), with every device identified, every observed protocol catalogued, a 24-hour traffic-volume profile, and a written analysis of anything surprising. (Assessed: Lab 9, the capstone.)

Week-by-Week Topic Flow

Fourteen weeks following the layer-by-layer structure that maps cleanly onto Wireshark's own protocol-decode hierarchy. One 55-minute lecture plus one 2-hour lab per week; capstone in Week 14-15.

  1. Week 1. Why the OSI and TCP/IP models exist. What "a packet" means physically. First Wireshark capture: ping a known host, identify the layers in the resulting frames. Lab 1. Layer identification worksheet.
  2. Week 2. Ethernet and the data-link layer. MAC addressing, frame format, collision domains, the switch-vs-hub distinction. ARP as the link between IP and MAC. Lab 2. Capture and explain ARP request-reply.
  3. Week 3. IPv4. Addressing, subnetting, CIDR, routing tables. NAT and why home networks have private addresses. A light touch of IPv6 (address format, why it exists, current adoption). Lab 3. Trace a packet through a NAT boundary; observe address rewriting.
  4. Week 4. ICMP. Ping, traceroute, the meaning of TTL. Why traceroute is built on TTL exhaustion rather than a dedicated protocol. Lab walk, traceroute to three different geographic regions; identify the path divergence.
  5. Week 5. UDP. The simplest transport. Datagram format. Why DNS uses UDP. Why broadcast and multicast are UDP-only. Lab 4. Capture DNS-over-UDP traffic; identify request and response.
  6. Week 6. TCP I, the three-way handshake. SYN, SYN-ACK, ACK. Sequence numbers and acknowledgement numbers. Connection establishment from the perspective of both endpoints. Lab 5. Capture a complete TCP conversation; annotate the handshake byte-by-byte.
  7. Week 7. TCP II. Flow control and congestion control. Window scaling, retransmission timers, fast retransmit, slow start (concepts only, no full implementation). What a degraded connection looks like in Wireshark. Lab walk. Force packet loss with tc netem; observe TCP's response in capture.
  8. Week 8. Python sockets. The socket module. TCP client, UDP listener, the byte-order primitives htonl/htons. Building from scratch what high-level libraries hide. Lab 6. Minimal HTTP/1.1 client without the requests library.
  9. Week 9. DNS deeply. Recursive vs. authoritative resolvers, caching, record types, TTLs. dig +trace as the diagnostic tool. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) as the modern privacy-preserving variants. Lab 8, DNS-trace walkthrough; identify cache hits.
  10. Week 10. DHCP. The Discover-Offer-Request-Acknowledge dance. Lease management. Why your laptop's IP changes when you switch networks. Lab walk. Capture DHCP at boot on a home or lab network.
  11. Week 11. HTTP/1.1 and HTTP/2. Request/response anatomy. Headers. Status codes. Why HTTP/2 is binary while HTTP/1.1 is text. The HTTP/3 (QUIC) forward-pointer. Lab walk. Manual HTTP request via nc; compare against browser capture.
  12. Week 12. TLS at an operational level. The ClientHello, the certificate exchange, why TLS is opaque to packet capture once the handshake completes. SNI and how it leaks the destination hostname even on encrypted traffic. Lab walk. Capture and identify a TLS handshake; observe SNI in cleartext.
  13. Week 13. SMTP / IMAP mail flow. Why email has so many protocols. Mystery-pcap exercise: a captured trace of unknown traffic; the student identifies what was happening. Lab 7. Mystery-pcap forensic exercise.
  14. Week 14. Capstone delivery: the home-network map. Lab 9 due.

Lab Manifest

Nine numbered labs across the course. Labs 1-8 are graded on correctness and lab-notebook quality; Lab 9 is the capstone, two-tier-graded against the rubric below. Several lab walks (instructor-led demos with student replication) supplement the graded labs without adding to the graded workload.

  • Lab 1. Layer identification. Given a captured ping, label every layer of the resulting frames; identify the source and destination at each layer.
  • Lab 2. ARP capture and explanation. Capture a fresh ARP exchange on a lab network; explain who is asking what of whom and why.
  • Lab 3. NAT-boundary trace. Capture from inside and outside a NAT; show that the inside-source-IP is rewritten to the NAT's external IP; identify the port-mapping table's effect.
  • Lab 4. DNS-over-UDP capture. A real DNS query; identify request, response, record types in the response, and the TTL on each record.
  • Lab 5. TCP three-way-handshake annotation. Capture a complete TCP conversation; annotate every byte of the handshake; explain the relationship between SEQ and ACK numbers across the three packets.
  • Lab 6. Minimal HTTP/1.1 client in Python. ~50 lines of code, no requests library; emit a GET, parse the response, confirm with Wireshark that the bytes-on-wire match RFC 7230.
  • Lab 7. Mystery-pcap forensic exercise. The instructor supplies a pcap of unknown traffic; the student identifies the protocol(s), the conversation participants, the application-layer purpose, and any anomalies. Written report.
  • Lab 8. DNS-trace walkthrough. Run dig +trace example.com; capture concurrently; explain what each step queries and why.
  • Lab 9, Capstone. Documented home-network map. See Capstone section below for full rubric.

Bridge to PEN-101 / WIR-101 / SEC-101 / RE-101: the Network-Analysis Skill Set

NET-101's deliberate forward-pointer is the cross-course position of network analysis as a central skill. By the end of NET-101 the student has read packets in cleartext, identified conversations from pcaps, and built a Python program that emits protocol-conformant bytes. Every subsequent Virtus course that touches networks pulls on those skills:

  • VCA-PEN-101 (penetration testing). The pentester reads pcaps as their primary diagnostic instrument: was the exploit's payload accepted? did the reverse shell connect back? what did the target echo? NET-101's Wireshark fluency becomes the table-stakes technique that makes pentest work tractable.
  • VCA-WIR-101 (wireless penetration testing). 802.11 frames, four-way-handshake captures, WPA2/WPA3 challenge-response analysis, all are Wireshark work at the data-link layer. NET-101 introduces the discipline; WIR-101 deepens it onto wireless silicon.
  • VCA-SEC-101 (cybersecurity principles). The picoCTF network-forensics challenges require exactly the protocol-identification-and-payload-extraction skill Lab 7 grades. NET-101 graduates land SEC-101 with the network track already familiar.
  • VCA-RE-101 (reverse engineering of embedded systems). The SB6141 cable modem's console UART, its DOCSIS upstream, its TR-069 management traffic, all are network protocols that RE-101 students inspect. Furthermore, RE-101's firmware-extraction phase often involves capturing TFTP or HTTP traffic from the modem during boot. NET-101's pcap-reading discipline is the substrate.
  • VCA-ADV-101 (adversarial techniques). CVE reproduction frequently involves capturing the proof-of-concept traffic, correlating it with the disclosed vulnerability, and building a payload that triggers the same condition in a controlled environment. The Wireshark-and-Python-sockets combination NET-101 builds is exactly the toolset.
  • The Part-II networking electives (vca-net-201 / vca-net-301). NET-201 deepens NET-101's protocol fluency at intermediate depth: routing (BGP / OSPF / IS-IS / RIP), switching (VLAN / STP / trunking), TLS / encryption (Rescorla anchor), DNS deep-dive (DNSSEC / DoH / DoT), NAT / IPv6 transition, SDN fundamentals (OpenFlow / P4), network monitoring (Wireshark deep-dive / Suricata / Zeek), performance tuning (bufferbloat / TCP variants / QUIC), cloud networking, and connections to the RE / PT / SB6141 lab-target work. NET-301 takes the carrier / WAN / datacenter / automation / network-forensics lineage (MPLS / Segment Routing / VXLAN-EVPN, eBPF/XDP, Suricata clustering, Zeek-script-as-pipeline, Wireless 802.11 deep-dive, modern protocols). NET-101 is the prerequisite for both.
  • The SB6141 embedded-networking lab-target pipeline. NET-201 + vca-arm-201 + vca-emb-201 together prepare students for the SB6141 cable-modem teardown that VCA-RE-101 capstones on (Findings §22). The DOCSIS / TR-069 / SNMP / DHCP traffic the SB6141 emits during boot is exactly the protocol family NET-101 introduces. Students who reach RE-101 having taken NET-101 + NET-201 + ARM-201 + EMB-201 can read the modem's wire behaviour as a witness to its architecture, not as a stream of mysterious bytes.

Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026). NET-101 references CVE-2026-5402 at the Week 8 TLS introduction as a 2026-currency anchor for "trusting wire-format length fields," and CVE-2026-5403 at the Week 11 RTP / VoIP introduction in passing. The capture-file-sandboxing discipline NET-101 introduces is exactly the practice the four CVEs reinforce: .pcapng files of unknown provenance go in a disposable container, never into the analyst's primary Wireshark workstation. The mini-module catalog page distils the vocabulary; the deep walkthrough lives in the companion handout.

The course's closing message: every subsequent Virtus course that mentions a network expects you to read what is on the wire. NET-101 builds that expectation into a daily-practice skill.

Tool Journal: NET-101 Originating Entries

The Tool Journal is a per-student Markdown file the student maintains in their course Git repository, with one paragraph per practitioner tool the first time it is met. NET-101's entries are the diary's networking-side roots; HW-101 originated the bench-electronics tools, FND-102 originated the Python and shell tools, and CSA-101 will originate the toolchain-build tools. Per the academy's first-introduce-track-ownership rule, the network-track tool corpus is canonically introduced here; subsequent courses reference rather than re-introduce these entries.

NET-101 originates the following diary entries:

  • Wireshark. First met Week 1. The standard-issue protocol analyzer for every networking and security practitioner. Display filters, the protocol decode tree, the Follow-TCP-Stream view. Delivered in-browser via the academy workbench (TIR-1; tshark-Wasm + custom pcap filter-learning visualizer in engineering); referenced canonically here, reused in PEN-101, WIR-101, RE-101, ADV-101.
  • tcpdump. First met Week 2. The command-line capture engine; runs anywhere; the tool a remote-shell session uses when the student does not have a GUI. BPF capture-filter syntax.
  • tshark. First met Week 4. Wireshark's command-line cousin; reads pcaps and prints decoded fields. The tool of choice for scripted pcap processing. Same Wasm delivery as Wireshark above.
  • nmap. First met Week 5. Port-scan reconnaissance. Pedagogical scan-visualization variant runs in-browser via workbench (pcap-replay, no raw-socket); production CLI installs in the academy lab Linux env. Canonical introduction here per first-introduce-track rule; PT-track (PEN-101, ADV-101) references rather than re-introduces.
  • dig. First met Week 9. The DNS query tool; +trace, +short, +norecurse, @server, the four flags every DNS-curious practitioner memorizes.
  • traceroute. First met Week 4. Path discovery via TTL exhaustion. The tool that makes the routed Internet feel real.
  • ping. First met Week 1. The simplest reachability test. Surprisingly, also a diagnostic tool for path-MTU and packet-loss observation when used carefully.
  • nslookup. First met Week 9. The legacy DNS lookup tool. Mentioned for completeness; dig is preferred.
  • Python socket module. First met Week 8. The lowest-level network programming surface in the standard library. The same API every higher-level Python networking library is built on top of. Anchored in Beej's Guide to Network Programming (free; beej.us/guide/bgnet).
  • nc (netcat). First met Week 11. The Swiss-army knife: TCP/UDP client, listener, port scanner, banner grabber, file transfer. The tool every practitioner reaches for to test "does this port respond?"
  • curl. First met Week 11. HTTP from the command line. The tool that lets the student inspect HTTP responses without a browser's caching and rendering complications.
  • Cisco Packet Tracer. First met Week 3 (NetAcad-aligned topology lab). Network simulation environment bundled with Cisco NetAcad. External-install for students with NetAcad accounts; the academy network simulator (TIR-2; built on GNS3 / Containerlab / Mininet / netlab open-source substrate, in engineering) provides the equivalent in-browser delivery for students without NetAcad access.
  • GNS3. First met Week 6 (multi-router topology lab). Open-source network simulation; runs real Cisco IOS images for advanced topology work. Foundation of the academy network simulator (TIR-2). Continues into vca-net-201 for full multi-vendor labs.
  • Suricata / Zeek (NSM). First met Week 13 (mystery-pcap forensic exercise). Two complementary network-security-monitoring engines: Suricata for signature/anomaly intrusion detection; Zeek (formerly Bro) for protocol-aware logging and scripting. Anchored in Bejtlich's Practice of Network Security Monitoring (No Starch 2013). Re-introduced at depth in vca-net-301.

Approximately thirteen tool entries originate in NET-101. PEN-101 adds burpsuite, masscan, Metasploit; WIR-101 adds aircrack-ng, hcxdumptool, kismet; RE-101 adds scapy (for crafting custom packets) and mitmproxy. The diary is the personal reference document the student opens when an unfamiliar engagement requires a familiar tool.

Recommended Readings & Practitioner Training

The academy does not ship NET-101 with a required textbook. Lecture and lab material are self-contained. The following are the canonical references the chapter prose draws from; the academy library carries institutional copies, and the handouts/cross-chapter-net-101-anchor-reading-guide.md handout maps each weave to a specific chapter and page.

Primary anchor pair (down-to-earth narrative)

  • W. Richard Stevens and Kevin Fall, TCP/IP Illustrated, Volume 1: The Protocols, 2nd ed. Addison-Wesley, 2011 (ISBN 978-0-321-33631-6). Bottom-up byte-level wire-protocol depth. The household-name reference; the closest analogue the networking discipline has to Petzold's CODE. Library-acquire or paperback ~$80-90.
  • James Kurose and Keith Ross, Computer Networking: A Top-Down Approach, 9th ed. Pearson, 2021 (ISBN 978-0-13-592861-5). Top-down pedagogical narrative; current SDN, 4G/5G NR, 5G Core, and QUIC coverage (9e adds 5G RAN, 5G Core/UPF, 5G mobility, and 5G AKA over 8e). Widely-adopted internationally. Library-acquire or paperback ~$90-200.

Secondary anchors (supplementary)

  • Brian "Beej" Hall, Beej's Guide to Network Programming. Free PDF online (beej.us/guide/bgnet) or paperback ~$15. ~15-year canonical socket-programming intro; supplements Lab 6.
  • Chris Sanders, Practical Packet Analysis, 3rd ed. No Starch, 2017. Wireshark practitioner narrative; supplements Labs 4-7 and the capstone's capture-discipline section.
  • Richard Bejtlich, The Practice of Network Security Monitoring. No Starch, 2013 (ISBN 978-1-59327-509-9). Canonical NSM with Zeek and Suricata; primary anchor for the future vca-net-301.

Practitioner training (parallel credential pathway)

  • Cisco Networking Academy (NetAcad), CCNAv7. netacad.com. Multi-module structured-progression course (Networking Essentials → Network Fundamentals → CCNA Switching/Routing/Wireless); free for students with a NetAcad-instructor account, ~$200-300 self-paced. The industry-standard entry-level networking credential pathway. NET-101 covers the substantive Networking Essentials and Network Fundamentals territory at greater depth on Wireshark and Python sockets; students who complete NET-101 can sit CCNA with the additional Cisco-specific switching/routing modules.
  • Wireshark University / Laura Chappell training. chappell-university.com. The canonical Wireshark instructor; multiple generations of network engineers trained since the early 2000s. Lab-driven; ~$60-300 per course, with substantial free-tier sample-capture corpus. Pairs with NET-101's Wireshark labs as a deeper practitioner reference.
  • CompTIA Network+ (vendor-neutral alternative). Already named in the Certification Alignment section below.

Capstone: Documented Map of a Real Network

The course capstone. The student selects a real network they have authority to observe (their own home network is the canonical choice; a supplied lab network is offered as an alternative for students without a suitable home environment) and produces a complete documented map: every device identified, every protocol observed, a 24-hour traffic-volume profile, and a written analysis of anything surprising.

Required artifacts

  • A network diagram identifying every device on the network, with IP, MAC, and inferred role (router, laptop, phone, smart-TV, IoT thermostat, etc.).
  • A protocol catalogue listing every observed application-layer protocol (HTTP, HTTPS, DNS, mDNS, NTP, DHCP, IMAP, etc.) with a one-line description of what each protocol was doing on the network.
  • A 24-hour traffic-volume observation: bytes per protocol, peak-hour identification, idle-hour identification.
  • The pcap files (or summary statistics if the full pcaps are too large to commit) supporting every claim in the report.
  • A 4-6 page lab-notebook report covering: capture methodology, devices identified and how, surprising observations, one anomaly the student investigated and what they found, and an explicit privacy-and-ethics statement (the student observed only their own network or a supplied lab; no observation of third-party traffic).

Two-tier grading rubric

First, your project must work. The capstone covers a real network with at least 5 devices, at least 6 application-layer protocols identified, and at least 24 hours of capture. Reports below this threshold do not pass. No rubric scoring is performed on insufficient data.

Then we score the report on three dimensions. Once the capstone passes Tier 1, the report is scored on three dimensions:

  • Investigation discipline (40%). Did the student identify devices systematically (DHCP traffic, mDNS, manual discovery) rather than guessing? Are role inferences justified by observed traffic?
  • Analytic depth (30%). Is the "something surprising" section honest and substantive? A perfect-network report scores low on this dimension. Either the student found nothing interesting (implausible) or omitted what they found (a worse fault).
  • Privacy-and-ethics discipline (30%). Is the consent-and-authorization statement explicit? Did the student avoid any traffic that violated privacy norms (e.g., decrypting TLS, capturing visitors' traffic without consent)?

There is no curve. There is no participation credit. This is the student's first long-form network-forensics deliverable, the structural precursor to the SEC-101 CVE explainer, the PEN-101 engagement report, and every subsequent reporting deliverable in the curriculum. The ethics-and-consent discipline established here is the same discipline every professional pentest engagement begins and ends with.

Prerequisite Map

What NET-101 depends on, and what depends on NET-101:

  • Depends on: VCA-FND-102 (Python and command-line fluency, the socket-programming labs assume the student can write a 50-line Python program comfortably; the Wireshark/tcpdump/dig/traceroute work assumes shell fluency).
  • Feeds into VCA-SEC-101: The picoCTF network-forensics challenges assume Wireshark fluency; the "what is on the wire" intuition is central for SEC-101's threat-modeling work.
  • Feeds into VCA-PEN-101: Pentest engagements are pcap-reading work; NET-101 graduates land PEN-101 with the diagnostic instrument already in hand.
  • Feeds into VCA-WIR-101: Wireless work is data-link-layer analysis on RF instead of Ethernet; NET-101's frame-decoding habits transfer.
  • Feeds into VCA-RE-101: Embedded-device reverse engineering frequently involves capturing the device's network traffic during boot, configuration, and operation; the SB6141 lab target's DOCSIS, TR-069, and SNMP traffic is read with NET-101 tooling.
  • Feeds into VCA-ADV-101: CVE reproduction is often network-protocol work; the Python-socket fluency NET-101 builds is the toolset.
  • Feeds into future vca-net-201 and vca-net-301: The two Part-II networking electives (per Findings §22.5) extend NET-101 in two directions. Net-201 deepens the protocol-and-tooling lineage; net-301 takes the wireless-and-RF lineage. NET-101 is the prerequisite for both.

Certification Alignment

CompTIA Network+ Cisco CCST Networking

Primary: CompTIA Network+, VCA-NET-101 covers the substantive domains at greater depth than the exam requires on Wireshark, packet capture, and Python sockets, and at comparable depth on the protocol catalogue. Students who want the credential should sit Network+ within three months of completion. The current N10-009 exam version (released 2024) is the relevant cycle.

Alternative: Cisco CCST Networking. A less-expensive ($125) entry-level credential appropriate for students who want an earlier cert milestone before Security+ or PenTest+. Adoption in industry is lower than Network+, but the credential is increasingly recognized for early-career hires at Cisco-aligned shops.

Forward-pointer: NET-101 is also the prerequisite-skill base for any subsequent networking-track certification, CCNA (~250 hr study) or CompTIA CySA+ (~120 hr study). Students who continue into the future vca-net-201 elective will be positioned for those credentials.

Format Prescriptions

Hour budget: ~13 lec hr + ~28 lab hr + ~52 indep hr (= ~93 hr total).

Live (standard cadence)

2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 14 weeks total. Best for college-elective + adult-learning + homeschool-co-op cadence.

Night class (working-adult cadence)

1-2 sessions/wk in evenings; spread over ~28 weeks. Best for community-college + vocational-tech students with day jobs.

Bootcamp

8 hr/day × 5 days/wk = 40 hr/wk; total ~3 weeks. Foundationals (≤ 80 hr) fit in 2 weeks; NET-101's 93 hr lands at ~2.5 weeks. Best for adults / age-irrelevant students with prereq comfort + dedicated learning time.

Async self-paced

Lecture hours via recorded video; lab hours via monthly-block billing with shared lab-network access; indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on.

High school / homeschool co-op

Adapted live cadence over a school year (~18 weeks at typical school cadence) OR semester (14 weeks at college cadence). Detailed per-syllabus planning available on request.

Classroom

Full course content (weekly modules, labs, capstone packet, instructor guide) lives in the Virtus Cyber Academy classroom, which is in active build. The public preview is on the way.

Open in classroom

Interested in VCA-NET-101?

Email interested@virtuscyberacademy.org with your background and interest.

Email interested@virtuscyberacademy.org

Virtus Academy is the educational arm of Virtus Cybersecurity, LLC. An SDVOSB. Virtus Academy is an independent program; no affiliation with any government academy or university is claimed or implied.