I was reading Ivan’s blog as I often do when I came across this post about why certifications suck.

The author, Robert Graham, had a sample question from the GIAC Penetration Tester (GPEN) exam. The question looked like this:

By default, which protocol do Linux systems use to transmit packets for tracing a network path?

a) UDP
b) TCP
d) TTL

Obviously, being a networking expert, I have my networking glasses on, but I have to respectfully disagree with these gentlemen: I don’t think this is such a bad question at all. Trust me, I’ve seen much worse.

So traceroute works differently on different operating systems. If you work with penetration testing I would argue that you need to have a good understanding of different operating systems. You should know how they behave, what their characteristics are and how you can fingerprint them. The correct answer here is UDP. Linux systems and Cisco devices normally use UDP to send packets for a traceroute, while Windows systems use ICMP when doing a traceroute. TCP is not the right answer since it’s not used by default, but as my edit below shows it’s possible to use it. ICMP is really the only other viable answer, so if you pick between UDP and ICMP you have a 50/50 shot. The TTL is a field in the IP header and not a protocol, although Robert argues about the semantics of what a protocol is. I don’t agree with his conclusion there. Echo is probably in there because people recognize echo since we use it when pinging, but it should say echo request or echo reply in that case.

Edit: As Carlos pointed out in the comments, it’s definitely possible to do traceroute with TCP packets. As long as we have an IP header, the payload that we carry isn’t that important. By using TCP it is possible to do traceroute even for devices that filter ICMP. We don’t actually need to complete a three-way handshake. We can just wait for the SYN/ACK to come back and ignore it, or wait for a RST to come back. There are also other useful tools like MTR.

I don’t consider this knowledge to be trivia. In fact, when I interview a person, asking them about traceroute is a very good gauge of their overall networking knowledge. When asking that question I’m not looking for a binary answer. I’m checking to see if they know that traceroute can use both UDP and ICMP depending on the operating system. Are they familiar with the TTL? Do they know that the TTL is incremented for each hop? What kind of packet is sent back by the destination IP we are tracing? Do they know that ICMP packets could be filtered? Do they know that packets coming back may take another path than packets going there (asymmetry)? Asking a simple question like this can really open up a much bigger discussion.
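To make those interview questions concrete, here is an added example (my own code, not from the original post) that builds Linux-style UDP probes with the TTL set to the hop number, constructs the ICMP replies a router (Time Exceeded) and the destination (Port Unreachable) would send, and parses them the way traceroute does to recover which hop answered. The addresses, the one-probe-per-hop destination port scheme and the 32-byte payload are assumptions of the example; no packets are sent.

```python
import socket
import struct

BASE_PORT = 33434  # first UDP destination port used by Linux traceroute


def ipv4_header(src, dst, ttl, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; nothing is transmitted)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_probe(src, dst, hop):
    """Probe for one hop: IP TTL == hop, UDP dport = BASE_PORT + hop - 1.
    One probe per hop is an assumption here; real traceroute sends three."""
    udp = struct.pack("!HHHH", 40000, BASE_PORT + hop - 1, 8 + 32, 0) + b"\x00" * 32
    return ipv4_header(src, dst, hop, socket.IPPROTO_UDP, 20 + len(udp)) + udp


def icmp_reply(responder, src, icmp_type, code, probe):
    """Reply a router (type 11/0) or the destination (type 3/3) sends back: ICMP
    header plus the probe's IP header and first 8 payload bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + probe[:20 + 8]
    return ipv4_header(responder, src, 64, socket.IPPROTO_ICMP, 20 + len(icmp)) + icmp


def parse_reply(pkt):
    """Return (responder_ip, hop, done) for an ICMP reply to a UDP probe, else None.
    The hop is recovered from the quoted UDP destination port, as traceroute does."""
    if len(pkt) < 28 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    responder = socket.inet_ntoa(pkt[12:16])  # reply source = the router that answered
    icmp_type, code, quoted = pkt[20], pkt[21], pkt[28:]
    if len(quoted) < 28 or quoted[9] != socket.IPPROTO_UDP:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    dport = struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]
    hop = dport - BASE_PORT + 1
    if icmp_type == 11 and code == 0:   # TTL expired at an intermediate router
        return responder, hop, False
    if icmp_type == 3 and code == 3:    # destination reached: UDP port unreachable
        return responder, hop, True
    return None


def trace(path, src="192.0.2.10"):
    """Simulate the whole exchange over a constructed path whose last entry is the target."""
    dst, hops = path[-1], []
    for hop, router in enumerate(path, start=1):
        done = router == dst
        reply = icmp_reply(router, src, 3 if done else 11, 3 if done else 0, udp_probe(src, dst, hop))
        hops.append(parse_reply(reply))
    return hops
```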

I would therefore argue that this question is not irrelevant and a person that gets this question correct is likely to have a pretty good general networking knowledge in my opinion.

I’ve taken my fair share of tests over the years and for example the CCIE RS written has been less than stellar lately. So what is the problem with certifications and why aren’t they better?


An exam like the CCNA is taken by likely thousands of people every day. While most of us agree that an interview process is more accurate and likely to stop cheaters this just doesn’t scale to the number of people taking the test. Not to mention that the vendor would need a massive force of proctors all around the world. At the scale of an exam like the CCNA there’s pretty much only one way of doing a test unfortunately and that is the format we use today.

Large pool of questions

Every exam gets dumped. It’s a fact of life. There are always people willing to take shortcuts. It would be much easier to have a pool of 200 really good quality questions for a test consisting of 60-70 questions. In reality the tests must have pools consisting of probably thousands of questions, which dilutes the quality. It’s really difficult to write this many questions and still keep the quality high.

Writing content is hard

Have you ever written a test for someone else to take? How was it? Was it easy? Now try writing 200 questions instead of 20. Not so easy any longer? Writing quality content is very, very difficult, especially at scale. You want to ask a question that is relevant and then offer some options. The difficult part is writing the options. One answer should be correct, obviously, but the other ones should be feasible so that it isn’t obvious which one is correct without having the actual knowledge. It’s often easy to come up with a 2nd option which is almost correct, but coming up with 1 or 2 more is a lot more difficult.


We all have a bias. The test takers have a bias. The content development team has a bias. By this I mean that we all work on different technologies in our jobs. Depending on what we work with, this becomes our reality. Anyone else having another reality is seen as having the wrong reality. “Why are they asking me about technology X?!” “No one uses technology X!” Trust me. I had the same feeling when I took the CCIE lab but ended up working with some of those technologies later. We have to accept that the test takers come from a large geographical area where everyone has a different reality.

Refresh cycles

Most exams are refreshed every 2-3 years. This was fine earlier when technology was not moving at such a rapid pace. A technology from 3 years ago may be almost obsolete today, which is why people react when they see what they consider to be old or outdated technologies. I know that this is being acknowledged within vendors and we will start to see more rapid refresh cycles soon, where minor updates come out every few months instead of a major refresh every 2-3 years.

We can make them better

A lot of people openly complain about exams, but how many of us are willing to get involved in making the exam better? There are often subject matter expert (SME) programs where people that are certified can get involved in creating exam content. There are also advisory boards where you can help form the future of the certification. What technologies should be added? What technologies should be removed? When people have complained about an exam in the past I have asked why they don’t join an SME program. The response has usually been something like “I don’t work for free for for-profit organizations”. While I can fully understand why someone would feel like this, if we all took that stance then exams would never get better.

Certification exams aren’t great, but writing a good test is very difficult. It takes a lot of time and effort. Always give feedback about a test and, if you are really serious about making a test better, join an SME program. Good luck in your studies!

General – Why Are Certification Exams Not Higher Quality?

6 thoughts on “General – Why Are Certification Exams Not Higher Quality?”

  • October 26, 2016 at 11:52 am

    You can also add that even being a CCIE, you might not have a clear idea of such a seemingly simple topic. Case in point, TCP is used to do traceroutes (look for the tcptraceroute command) and is quite useful because it does work even if the “security” admin decides to filter icmp/udp echo.
    (You don’t do the 3 way, just wait for the SYN/ACK or more in point, for the unreachable that you get along the way).

    In any case, certification exams are a pain.

    • October 26, 2016 at 12:19 pm

      I forgot about the tcptraceroute. That’s true. As long as we have an IP header we don’t really care if it’s UDP, TCP or ICMP.

      There are also other useful tools like MTR.

  • October 26, 2016 at 3:54 pm

    “Do they know that the TTL is incremented for each hop?” Hmm, interesting… I always thought it was reduced by one at each hop (decremented).

    • October 26, 2016 at 3:56 pm

      What I meant was that for the traceroute to reach a step further it must increase the TTL. The TTL is decremented on the router receiving the packet. The TTL is set so that it becomes 0 and the router sends ICMP unreachable back to the source.

  • December 18, 2016 at 9:48 pm

    A really good interview question is how traceroute works in an MPLS environment.
    Regarding UDP/ICMP/TCP traceroutes, if there is some type of overlay implemented on top of the network, for instance WAN accelerators (tunneling) with traffic redirected to them via WCCP, it’s common that ICMP is not being redirected to the WAN accelerators, hence an ICMP traceroute will display the underlay path, compared to the overlay path shown by UDP/TCP traceroute output.

