Network Monitoring, Analysis and Troubleshooting

Question 1

Typical network issues?

Answer 1

• physical connection
• connectivity
• configuration (ex. DNS)
• software
• traffic overload
• network IP

Question 2

When does the Destination Unreachable occur?

Answer 2

If datagram cannot be forwarded to its destination.

Question 3

When does the Time Exceeded occur?

Answer 3

When TTL expires/is decremented to 0

Question 4

Why could IP Parameter Problem occur?

Answer 4

Datagram could not be forwarded due to some type of error in the header.

Question 5

Is IP Parameter Problem messaged because of the destination host or network?

Answer 5

No, the cause is an error that prevents the datagram from being processed and delivered.

Question 6

What ICMP type isIP Parameter Problem

Answer 6

Type 12

Question 7

What is ICMP Type 3?

Answer 7

Destination unreachable

Question 8

What is ICMP Control Message?

Answer 8

• not a result of lost packet or error conditions
• informs hosts of conditions: network congestion, existence of better gateway

Question 9

What is ICMP Type 5?

Answer 9

Redirect

Question 10

What is one of the less obvious potential solution to network issues?

Answer 10

Change the Ethernet Adapter’s Duplex Settings.

Question 11

Different steps to troubleshoot physical connectivity issues

Answer 11

• Cable connectivity
• Faulty ports
• Traffic overload

Question 12

What tool can be used to troubleshoot routing problems?

Answer 12

traceroute

Question 13

How does traceroute works?

Answer 13

Sends sequential packets with incremental TTL, logs the routers along the way - helps determine faulty node.

Question 14

What nslookup is used for?

Answer 14

Lookup a specific IP address or multiple IP addresses associated with a domain name as a time.

Question 15

Which tool would you use to display both incoming and outgoing TCP/IP traffic?

Answer 15

netstat

Question 16

What tool would you use when traceroute doesn’t show any issues, and you suspect that one of the routers fails nondeterministic?

Answer 16

pathping

Question 17

What are hping2/hping3 used for?

Answer 17

Network scanning and packet crafting.

Question 18

What dig is used for?

Answer 18

(on -nix systems) query DNS servers and retrieve information about host addresses, name servers and mail exchanges.

Question 19

How to capture network traffic?

Answer 19

tcpdump

Question 20

ARP

Answer 20

Address Resolution Protocol

Question 21

What is network monitoring?

Answer 21

A Retrospective security approach that involves monitoring the network for abnormal activities.

Question 22

What is a network traffic signature?

Answer 22

Set of traffic characteristics such as IP address, ports, TCP flags, packet length, TTL and protocols

Question 23

Explain informational suspicious traffic signature.

Answer 23

Traffic behaves abnormally, but might not be malicious

Question 24

Explain reconnaissance suspicious traffic signature.

Answer 24

Traffic contains signatures that indicate an attempt to gain information

Question 25

What are different attack signature analysis techniques?

Answer 25

• Content-based (packet payload)
• Context-based (packet headers)
• Atomic-signature-based (single packet is sufficient to detect attack signature)
• Composite-signature-based (multiple)

Question 26

What are the important characteristics of logging that should be aimed for?

Answer 26

• timestamp synchronization of all sources
• prevent unauthorized access
• manageble and auditable

Question 27

What are the three primary event log types on Windows?

Answer 27

• Application
• Security
• System

Question 28

What are the available types of events on Windows?

Answer 28

• Error
• Warning
• Information
• Success Audit
• Failure Audit

Question 29

What is called the software that produces logs for the Linux system?

Answer 29

syslogd

Question 30

Where in Linux, by default, all logs are stored?

Answer 30

/var/log/

Question 31

What are the different severity levels of Linux logs?

Answer 31

Emergency, alert, critical, error, warning, notice, info and debug. Numbered from 0 to 7.

Question 32

What are the characteristics of syslog protocol?

Answer 32

• runs on UDP 514
• Windows has no native syslog tool