Network Forensics

Question 1

What is Wireshark?

Answer 1

A Network Protocol Analyser.
Its Open Source.
Allows TCPDumps.

Question 2

Why use Wireshark?

Answer 2

Troubleshoot Network Issues.
Examine security problems.
Debug protocols

Question 3

Why use capture filters?

Answer 3

Capture filters allow you to capture traffic that matches the filter. This saves disk space and prevents packet loss.

Question 4

What types of filters are there?

Answer 4

Capture filters
Display filter

Question 5

What is the display filter for?

Answer 5

To tweak appearance and reduce information shown to the investigator.

Question 6

What will filter “ip.addr == 10.0.0.1” do?

Answer 6

Sets a filter for any packet with 10.0.0.1 as either the source or destination.

Question 7

What will filter “ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2” do?

Answer 7

Sets a conversation filter between the two defined IP addresses.

Question 8

What will filter “http or dns” do?

Answer 8

Sets a filter to display all http and dns.

Question 9

what will filter “tcp.port == 4000” do?

Answer 9

Sets a filter for any TCP packet with 4000 as a source or destination port.

Question 10

what will filter “tcp.flags.reset == 1” do?

Answer 10

Displays all TCP resets.

Question 11

What will filter “http.request” do?

Answer 11

Displays all HTTP GET requests.

Question 12

What will filter “tcp contains reviews” do?

Answer 12

Displays all TCP packets that contain the word “reviews”.

Question 13

What will filter “!(arp or icmp or dns)” do?

Answer 13

Masks out arp, icmp, dns or whatever other protocols may be background noise allowing to focus on traffic of interest.