Network Monitoring, Analysis and Troubleshooting Flashcards
Typical network issues?
- physical connection (cabling, ports)
- connectivity
- configuration (e.g. DNS)
- software
- traffic overload
- IP addressing (e.g. wrong, duplicate or missing address)
When does Destination Unreachable occur?
When a datagram cannot be forwarded to its destination (ICMP type 3; the code field says why, e.g. network, host or port unreachable).
When does Time Exceeded occur?
When a router decrements the TTL to 0 (ICMP type 11, code 0), or when fragment reassembly times out at the receiver (code 1).
Why could IP Parameter Problem occur?
The datagram could not be processed because of an error in its header (e.g. a bad option or field value); the message's pointer field identifies the offending byte.
Is the IP Parameter Problem message caused by the destination host or network being unreachable?
No, the cause is a header error that prevents the datagram from being processed and delivered, not the reachability of the destination.
What ICMP type is IP Parameter Problem?
Type 12
What is ICMP Type 3?
Destination unreachable
What is an ICMP control message?
- not the result of a lost packet or an error condition
- informs hosts of conditions such as network congestion (Source Quench, type 4, now deprecated) or the existence of a better gateway (Redirect, type 5)
What is ICMP Type 5?
Redirect
What is one of the less obvious potential solutions to network issues?
Change the Ethernet adapter's duplex setting: a duplex mismatch causes late collisions and CRC errors, and throughput collapses under load.
What are the steps to troubleshoot physical connectivity issues?
- check cable connectivity
- check for faulty ports
- check for traffic overload
What tool can be used to troubleshoot routing problems?
traceroute
How does traceroute work?
It sends probes with TTL 1, 2, 3, ...; each router that decrements the TTL to 0 returns ICMP Time Exceeded, which reveals its address, so the path is logged hop by hop and the hop where replies stop points to the faulty node. A hop that shows only "*" may simply be filtering ICMP, so check whether later hops still answer before blaming it.
What is nslookup used for?
Querying DNS: looking up the IP address (or addresses) associated with a domain name, or the name associated with an IP address (reverse lookup).
Which tool would you use to display both incoming and outgoing TCP/IP connections?
netstat (shows active connections, listening sockets and per-protocol statistics).
What tool would you use when traceroute doesn't show any issues, but you suspect that one of the routers fails intermittently?
pathping (Windows): it combines traceroute and ping, sending many probes to every hop over a period of time and reporting per-hop packet loss, which a single traceroute run cannot reveal.
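The two cards above describe the mechanism (incrementing TTL) and the reason pathping exists (intermittent loss). The following Python simulation is an added example, not part of the flashcards: it models a constructed four-hop path (addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), runs the classic traceroute algorithm over it, then re-probes every hop pathping-style to compute per-hop loss. The path deliberately contains one router that filters ICMP (shows as "*" but is healthy) and one that drops every third packet (the real fault), and the diagnosis step tells the two apart. Hop, send_probe, traceroute, pathping and diagnose are names chosen for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    """One router on the constructed path (addresses from documentation ranges)."""
    addr: str
    answers_icmp: bool = True   # False: filters ICMP Time Exceeded, so traceroute prints '*'
    drop_every: int = 0         # N > 0: silently drops every Nth packet that transits it
    seen: int = 0               # packets that have transited this hop so far


def send_probe(path: list[Hop], ttl: int) -> tuple[Optional[str], bool]:
    """Forward one probe with the given TTL along the path.
    Returns (address that replied or None, True if the destination itself answered)."""
    for i, hop in enumerate(path):
        hop.seen += 1
        if hop.drop_every and hop.seen % hop.drop_every == 0:
            return None, False                       # lost at a flaky hop
        if i == len(path) - 1:
            return hop.addr, True                    # destination answers (e.g. ICMP Port Unreachable)
        ttl -= 1
        if ttl == 0:                                 # router decremented TTL to 0: ICMP Time Exceeded (type 11)
            return (hop.addr if hop.answers_icmp else None), False
    return None, False


def traceroute(path: list[Hop], max_ttl: int = 30, probes: int = 3) -> list[tuple[int, Optional[str], int]]:
    """Classic algorithm: TTL 1, 2, 3, ... until the destination answers.
    Each entry is (ttl, replying address or None, probes lost)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, ttl) for _ in range(probes)]
        addrs = [a for a, _ in replies if a is not None]
        hops.append((ttl, addrs[0] if addrs else None, probes - len(addrs)))
        if any(reached for _, reached in replies):
            break
    return hops


def pathping(path: list[Hop], trace, rounds: int = 30) -> dict[int, tuple[Optional[str], float]]:
    """Re-probe every hop of the trace many times and compute per-hop loss.
    This is what pathping adds over a single traceroute run."""
    loss = {}
    for ttl, addr, _ in trace:
        lost = sum(1 for _ in range(rounds) if send_probe(path, ttl)[0] is None)
        loss[ttl] = (addr, lost / rounds)
    return loss


def diagnose(loss, tolerance: float = 0.05) -> list[tuple[int, str]]:
    """Read the loss table the way an analyst would:
    - a hop with 100% loss while later hops answer is only filtering ICMP, not failing;
    - the first hop where loss rises above the upstream level is the suspect."""
    findings, baseline = [], 0.0
    ttls = sorted(loss)
    for ttl in ttls:
        _, rate = loss[ttl]
        downstream = [loss[t][1] for t in ttls if t > ttl]
        if rate == 1.0 and downstream and min(downstream) < 1.0:
            findings.append((ttl, "filtered"))
        elif rate > baseline + tolerance:
            findings.append((ttl, "loss_starts"))
            baseline = rate
    return findings


def build_path() -> list[Hop]:
    """Constructed path: gateway, an ICMP-filtering router, a flaky router, the destination."""
    return [
        Hop("192.0.2.1"),
        Hop("198.51.100.7", answers_icmp=False),
        Hop("198.51.100.9", drop_every=3),
        Hop("203.0.113.10"),
    ]


def run_demo():
    path = build_path()
    trace = traceroute(path)
    loss = pathping(path, trace)
    return trace, loss, diagnose(loss)


if __name__ == "__main__":
    trace, loss, findings = run_demo()
    for ttl, addr, lost in trace:
        print(f"{ttl:2d}  {addr or '*':15}  probes lost: {lost}")
    for ttl, (addr, rate) in loss.items():
        print(f"{ttl:2d}  {addr or '*':15}  loss: {rate:.0%}")
    print(findings)
```

Running it shows hop 2 as "* * *" in the trace and at 100% loss, yet hops 3 and 4 answer, so it is reported as filtered rather than faulty; hop 3 is where loss first appears (about 33%) and hop 4 merely inherits it, which is exactly the pattern to look for in real pathping output.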
What are hping2/hping3 used for?
Network scanning and packet crafting (building custom TCP, UDP and ICMP packets, e.g. to test firewall rules or probe hosts that ignore normal ping).
What is dig used for?
(On *nix systems) querying DNS servers and retrieving information about host addresses, name servers and mail exchangers.
How do you capture network traffic?
tcpdump (captures packets on an interface, optionally restricted by a filter expression and written to a pcap file for later analysis).
ARP?
Address Resolution Protocol: maps an IP address to the MAC address of a host on the local network segment.
What is network monitoring?
A retrospective security approach that involves monitoring the network for abnormal activities.
What is a network traffic signature?
Set of traffic characteristics such as IP address, ports, TCP flags, packet length, TTL and protocols
Explain an informational suspicious traffic signature.
Traffic behaves abnormally but is not necessarily malicious.
Explain a reconnaissance suspicious traffic signature.
Traffic contains signatures that indicate an attempt to gain information about the network or its hosts (e.g. scans).
What are the different attack signature analysis techniques?
- Content-based (inspects the packet payload)
- Context-based (inspects the packet headers)
- Atomic-signature-based (a single packet is sufficient to detect the attack)
- Composite-signature-based (multiple packets or events must be correlated to detect the attack)
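The cards above list the signature fields (addresses, ports, TCP flags, length, TTL, protocol) and the four analysis techniques. The following Python block is an added example, not from the flashcards: it parses raw Ethernet/IPv4/TCP frames into those signature fields and then runs one check of each kind over a small constructed capture. The frames are built inline with zeroed checksums (a real run would read them from a tcpdump pcap); the function names, the port-scan threshold and the choice of "../" as a content pattern are assumptions made for this example.

```python
from __future__ import annotations
import struct
from collections import defaultdict

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src, dst, sport, dport, flags, payload=b"", ttl=64) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left as zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                                    # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def signature(frame: bytes):
    """Extract the signature fields: addresses, ports, TCP flags, length, TTL, protocol, payload."""
    if frame[12:14] != b"\x08\x00":
        return None                                                     # not IPv4, ignore
    ihl = (frame[14] & 0x0F) * 4
    sig = {
        "src": ip_str(frame[26:30]), "dst": ip_str(frame[30:34]),
        "proto": frame[23], "ttl": frame[22],
        "length": struct.unpack("!H", frame[16:18])[0],
        "sport": None, "dport": None, "flags": set(), "payload": b"",
    }
    if sig["proto"] == 6:                                               # TCP
        off = 14 + ihl
        sig["sport"], sig["dport"] = struct.unpack("!HH", frame[off:off + 4])
        data_off = (frame[off + 12] >> 4) * 4
        bits = frame[off + 13]
        sig["flags"] = {name for bit, name in TCP_FLAGS.items() if bits & bit}
        sig["payload"] = frame[off + data_off:]
    return sig


def atomic_checks(sig) -> list[str]:
    """Atomic signatures: one packet is enough. Context-based ones look at headers,
    content-based ones at the payload."""
    alerts = []
    f = sig["flags"]
    if sig["proto"] == 6:
        if not f:
            alerts.append("context: NULL scan (no TCP flags)")
        if {"SYN", "FIN"} <= f:
            alerts.append("context: SYN+FIN set (illegal combination)")
        if {"FIN", "PSH", "URG"} <= f:
            alerts.append("context: Xmas scan")
    if b"../" in sig["payload"]:
        alerts.append("content: directory traversal string in payload")
    return alerts


def composite_port_scan(sigs, threshold: int = 5) -> list[tuple[str, str, int]]:
    """Composite signature: no single SYN is suspicious, but one source sending SYN-only
    probes to many ports of one host is reconnaissance."""
    targets = defaultdict(set)
    for s in sigs:
        if s and s["proto"] == 6 and s["flags"] == {"SYN"}:
            targets[(s["src"], s["dst"])].add(s["dport"])
    return [(src, dst, len(p)) for (src, dst), p in targets.items() if len(p) >= threshold]


def analyze(frames: list[bytes]):
    sigs = [signature(f) for f in frames]
    atomic = [(i, a) for i, s in enumerate(sigs) if s for a in atomic_checks(s)]
    return atomic, composite_port_scan(sigs)


# Constructed capture: a SYN sweep of six ports, a NULL-scan probe, an HTTP request
# carrying a traversal string, and one ordinary ACK.
CAPTURE = [build_frame("203.0.113.5", "192.0.2.10", 40000 + p, p, 0x02) for p in (21, 22, 23, 25, 80, 443)]
CAPTURE.append(build_frame("203.0.113.5", "192.0.2.10", 40100, 80, 0x00))
CAPTURE.append(build_frame("198.51.100.4", "192.0.2.10", 51000, 80, 0x18,
                           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"))
CAPTURE.append(build_frame("198.51.100.9", "192.0.2.10", 51001, 443, 0x10))

if __name__ == "__main__":
    atomic, scans = analyze(CAPTURE)
    for i, alert in atomic:
        print(f"frame {i}: {alert}")
    for src, dst, n in scans:
        print(f"composite: {src} probed {n} ports on {dst}")
```

The NULL-scan frame and the traversal request each trigger an atomic alert on their own; none of the six SYN frames does, and only correlating them by source and destination (the composite check) exposes the scan.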
What are the important characteristics of logging that should be aimed for?
- timestamp synchronization across all sources (e.g. via NTP)
- prevention of unauthorized access to and tampering with the logs
- manageable and auditable
What are the three primary event log types on Windows?
- Application
- Security
- System
What are the available types of events on Windows?
- Error
- Warning
- Information
- Success Audit
- Failure Audit
What is the software that produces logs on a Linux system called?
syslogd (or a successor such as rsyslog or syslog-ng; on systemd-based systems journald collects logs as well).
Where are all logs stored on Linux by default?
/var/log/
What are the different severity levels of Linux logs?
Emergency (0), alert (1), critical (2), error (3), warning (4), notice (5), informational (6) and debug (7); the lower the number, the more severe.
What are the characteristics of the syslog protocol?
- traditionally runs on UDP port 514 (TCP 514 and syslog over TLS on port 6514 are also used; plain UDP syslog is unauthenticated and the sender address is easy to spoof)
- Windows has no native syslog client or server; a third-party agent is needed to forward event logs
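The last two cards give the severity numbering and the UDP 514 transport. The following Python block is an added example, not part of the flashcards: it encodes and decodes the syslog PRI field (facility * 8 + severity), filters messages by severity the way a syslog selector does, and shows the bare UDP send. The sample lines are constructed except for the first, which is the example message from RFC 3164; the function names and the severity/facility name tables (the latter with generic names for facilities 12 to 15) are this example's own.

```python
import re
import socket
from datetime import datetime

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]   # 0..7
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]  # 0..23
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; the one numeric field a relay needs to route a message."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def encode(facility: int, severity: int, host: str, tag: str, msg: str, ts: datetime = None) -> str:
    """BSD (RFC 3164) style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space-padded)."""
    ts = ts or datetime.now()
    return f"<{pri(facility, severity)}>{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S} {host} {tag}: {msg}"


def parse(line: str):
    """Decode PRI back into facility/severity names; None for lines without a valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    p = int(m.group(1))
    return {"facility": FACILITIES[p // 8], "severity": SEVERITIES[p % 8],
            "severity_num": p % 8, "body": m.group(2)}


def at_least(lines, max_severity: int):
    """Keep messages at or above a severity, as a selector such as auth.crit does.
    Lower numbers are more severe, so 'critical or worse' means severity_num <= 2."""
    kept = []
    for line in lines:
        rec = parse(line)
        if rec and rec["severity_num"] <= max_severity:
            kept.append(rec)
    return kept


def send_udp(line: str, host: str = "127.0.0.1", port: int = 514) -> None:
    """Ship one message the classic way: a single UDP datagram to port 514.
    Caveat: no authentication, integrity or confidentiality, and the source address is
    trivially spoofed; use TCP or TLS (RFC 5425, port 6514) for logs that matter."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


# Constructed sample; the first line is the example message from RFC 3164.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",   # auth.crit
    "<13>Oct 11 22:14:16 mymachine logger: routine message",                          # user.notice
    encode(10, 6, "mymachine", "sshd[4711]", "Accepted publickey for alice",
           datetime(2024, 1, 1, 0, 0, 0)),                                              # authpriv.info
    "<0>Oct 11 22:14:17 mymachine kernel: panic",                                       # kern.emerg
    "a line with no PRI at all",
]

if __name__ == "__main__":
    for rec in at_least(SAMPLE, 3):            # err and worse
        print(rec["facility"], rec["severity"], rec["body"])
    send_udp(SAMPLE[0])                         # only visible if something listens on 127.0.0.1:514
```

Filtering on severity_num <= 3 keeps the auth.crit and kern.emerg lines and drops the notice, the info and the malformed line, which is the behaviour an analyst relies on when routing only serious events to a SIEM.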