Study Guide Questions Flashcards

Question 1

Q

What is the purpose of network analysis?

Answer

A

Identify performance problems, locate security breaches, analyze application behavior, and perform capacity planning

Question 2

Q

Name at least three troubleshooting tasks that can be performed using network analysis.

Answer

A

Locate faulty network devices
Identify device or software misconfigurations
Measure high delays along a path
Locate the point of packet loss
Identify network errors and service refusals
Graph queuing delays

Question 3

Q

Why is network analysis considered a security risk by some companies?

Answer

A

It involves tapping into network traffic and eavesdropping on communications potentially showing unencrypted communication.

Question 4

Q

What is the purpose of WinPcap?

Answer

A

Windows port of the libpcap interface. Provides low-level network access and the Windows version of the libpcap API.

Question 5

Q

What is the purpose of Wireshark’s dissectors?

Answer

A

Decode packets to display field contents and intepreted values, plugins provide special routines for dissection, display filters define which packets are displayed

Question 6

Q

What is the purpose of the Wiretap library?

Answer

A

Enables Wireshark to ready a variety of trace file formats.

Question 7

Q

If you connect a Wireshark host directly into a switch, what traffic can you expect to see by default?

Answer

A

By default, switches forward all broadcast packets, multicast packets (unless configured to block multicast forwarding), packets destined to the Wireshark host’s hardware address and packets destined to unknown hardware addresses.

Question 8

Q

What is the difference between monitor mode and promiscuous mode?

Answer

A

In monitor mode, the driver doesn’t make the adapter a member of any service set. In this mode, an adapter and driver pass all packets of all SSIDs from the currently selected channel up to Wireshark. Promiscuous mode enables a network card and driver to capture traffic that is addressed to other devices on the network, not just to the local hardware address.

Question 9

Q

What is the purpose of file sets?

Answer

A

File sets are contiguous files that can be individually opened and examined faster than single files.

Question 10

Q

What is the difference between capture filters and display filters?

Answer

A

Capture filters limit the packets captured when you are on a busy network or are focusing on a specific type of traffic. Display filters limit the packets displayed from a full capture.

Question 11

Q

What format is used by Wireshark’s capture filters?

Answer

A

Berkeley Packet Filtering (BPF)

Question 12

Q

What is the purpose of the following capture filters?
ether dst 08:3f:3d:03:32:03
gateway rtrmain01
host www.espn.com

Answer

A

Captures all traffic sent to that MAC address.
Captures all traffic to or from the MAC address of that hostname. Must be able to resolve the hostname.
Captures all traffic sent to or from the IP belonging to www.espn.com.

Question 13

Q

How does Wireshark’s network name resolution use DNS to associate an IP address with a host name?

Answer

A

Uses hosts file lookup or inverse DNS queries to resolve IPs to host names.

Question 14

Q

Why would you want to alter Wireshark’s preference settings?

Answer

A

To customize Wireshark for your network environment. These settings include the panes displayed in the main Wireshark window, capture settings, the name resolution processes, individual dissector behavior, etc.

Question 15

Q

What is the difference between a global preference and a personal preference setting?

Answer

A

Global preferences are system-wide preferences. Personal preferences define customized Wireshark behavior and override the global preferences.

Question 16

Q

What is the difference between marking packets and applying a coloring rule?

Answer

A

Packet marking is a temporary designation that is cleared when you reload the trace file, open the trace file again or toggle the packet marking off. Coloring rules are automatically applied to the traffic each time you open the trace file.

Question 17

Q

How do you share coloring rules with other Wireshark users?

Answer

A

Import/export out of the coloring rules window or copy the colorfilters file.

Question 18

Q

You have created a coloring rule for ICMP Type 3 traffic as shown in the figure below. How can you ensure that ICMP Type 3 packets are colored with this new rule?

Answer

A

Coloring rules follow a top down logic. Make sure your rule is not being overridden by a higher rule.

Question 19

Q

How can the time setting be used to identify the cause of network performance problems?

Answer

A

Set the Time column to Seconds since Previously Displayed Packet and look for large gaps in time in a conversation during what should be an automated streaming process.

Question 20

Q

You have opened a trace file sent to you from another company. The timestamp only shows millisecond resolution. Why? Can you improve the timestamp resolution of the trace file?

Answer

A

The analyzer used to capture the trace file could not provide more precise timestamps. You cannot alter the timestamp resolution of captured trace files.

Question 21

Q

You have opened a trace file that contains 5 separate conversations. How can Time Reference be used to measure the time elapsed in one of the conversations?

Answer

A

Set a Time Reference on the first packet of the conversation you are interested in and scroll to the end of the conversation. The Time column will indicate the time elapsed from the Time Reference packet and the last packet of the conversation.

Question 22

Q

How can you use the Protocol Hierarchy window to identify a breached host?

Answer

A

After capturing traffic to and from the host, open the Protocol Hierarchy window to look for unusual applications such as TFTP, IRC, etc. You can apply a display filter for the conversation from inside the Protocol Hierarchy window and then follow the TCP or UDP stream to reassemble the communications and identify commands or information exchanged.

Question 23

Q

Your trace file contains over 100 TCP connections. How can you identify the most active (bytes/second) TCP connections?

Answer

A

Open the Statistics | Conversations window and select the TCP tab. Sort the information by the Bytes column. You can now right-click and apply a filter based on the most active conversation for further analysis.

Question 24

Q

What is the purpose of GeoIP?

Answer

A

GeoIP maps IP addresses in the Endpoints window to an OpenStreetMap view of the world.

Question 25

Q

What syntax type is used by Wireshark display filters?

Answer

A

Wireshark specific syntax

Question 26

Q

Why is the display filter arp && bootp incorrect?

Answer

A

You will never have packets that are both ARP and DHCP/BOOTP.

Question 27

Q

What is the difference between Prepare a Filter and Apply as Filter?

Answer

A

Prepare a Filter creates the filter and displays it in the Display Filter window. Apply as Filter applies the filter immediately.

Question 28

Q

What is the difference between the following filters?

(ip. src==192.168.0.1 and udp.port==53) or tcp.port==80
ip. src==192.168.0.1 and (udp.port==53 or tcp.port==80)

Answer

A

The first filter displays DNS/port 53 traffic from 192.168.0.105 plus all HTTP/port 80 traffic on the network. The second filter displays DNS/port 53 or HTTP/port 80 traffic from 192.168.0.105.

Question 29

Q

You have selected a packet in the Packet List pane, but Follow TCP Stream, Follow UDP Stream and Follow SSL Stream are not available. Why not?

Answer

A

The packet does not have a TCP/UDP header and is not SSL communication. ARP for example.

Question 30

Q

What is the syntax of the display filter created when you choose Follow TCP Stream?

Answer

A

tcp.stream eq

Question 31

Q

How can you determine the type of file transferred over an FTP connection when you use Follow TCP Stream?

Answer

A

You can look at the file name in the command channel or look for a file identifier inside the file itself.

Question 32

Q

Why would the Stream window be empty when you select Follow SSL Streams?

Answer

A

You did not apply decryption keys to the SSL stream.

Question 33

Q

What elements can you customize using Wireshark profiles?

Answer

A

You can customize your preferences (such as name resolution, columns, stream coloring and protocol dissection settings), capture filters, display filters, coloring rules, etc.

Question 34

Q

How can you move a custom profile to another Wireshark system?

Answer

A

You can copy the entire profile directory to the other Wireshark system’s profiles directory.

Question 35

Q

Which file should you be cautious of sharing when copying a custom profile to another Wireshark system?

Answer

A

The preferences file may contain settings that are specific to the original Wireshark system. This file contains configurations such as the default directory setting for opening new trace files and the default capture device

Question 36

Q

How can you quickly view all the packet comments in a trace file?

Answer

A

Open the Expert Infos window and select the Packet Comments tab.

Question 37

Q

What save options are available when you only want to save a subset of packets contained in a trace file?

Answer

A

When you select File | Export Specified Packets, you can choose to save displayed packets, selected packets, marked packets, first to last marked packet or a packet range.

Question 38

Q

What export format could you use if you are going to import information from the Packet List pane into a spreadsheet program?

Question 39

Q

Which Wireshark feature should you use if you want to save a TCP header as a text file?

Answer

A

Expand the TCP header in a packet and choose File | Export Packet Dissections and choose as “Plain Text” file. Select Packet Details: As displayed in the Packet Format section.

Question 40

Q

What is the fastest way to launch the Expert Infos window?

Answer

A

Click on the Expert Info button on Wireshark’s Status Bar.

Question 41

Q

How can you make specific Expert Info elements stand out in the Packet List pane?

Answer

A

By default, Wireshark colors all Expert Info elements with a black background and red foreground. You can make Expert Info elements stand out by creating a coloring rule for the element (e.g., tcp.analysis.retransmission) and placing it above the BadTCP coloring rule.

Question 42

Q

How can you filter on all packets that trigger TCP Expert notifications?

Answer

A

Apply a display filter for tcp.analysis.flags.

Question 43

Q

What file is referenced to determine the port to use in a communication when the application does not explicitly specify a port?

Answer

A

etc/services file

Question 44

Q

What can you assume when a client does not generate a DNS query to resolve a target’s IP address?

Answer

A

The client either has the target’s IP address in cache or the client has a hosts file.

Question 45

Q

What configuration fault might cause a host to ARP for a remote target?

Answer

A

The client might have a subnet mask that is too short.

Question 46

Q

What is the purpose of DNS?

Answer

A

Resolve hostnames to IP addresses.

Question 47

Q

When does DNS traffic use TCP as the transport?

Answer

A

Zone transfers and requests larger than 512 bytes.

Question 48

Q

What is the difference between recursive and iterative DNS queries?

Answer

A

Recursive will allow the DNS server to query another DNS server if it does not have the record locally. Iterative only allows the DNS server to look at its local database.

Question 49

Q

What are the four sections of DNS queries and answers?

Answer

A

Questions
Answer Resource Records
Authority Resource Records
Additional Resource Records

Question 50

Q

What is the purpose of ARP?

Answer

A

Obtain the hardware address of a target host or gateway.

Question 51

Q

What configuration problem can cause a host to ARP for a remote host?

Answer

A

Subnet mask is too short.

Question 52

Q

Why can’t ARP packets cross routers?

Answer

A

No IP header

Question 53

Q

What is the syntax of capture and display filters for ARP traffic?

Question 54

Q

What is the purpose of IPv4/IPv6?

Answer

A

Provides datagram delivery services for networked system as well as fragmentation and reassembly for low MTU networks

Question 55

Q

Which three IPv4 header fields are used with IP fragmentation?

Answer

A

Don’t Fragment bit, the More Fragments bit and Fragment Offset field.

Question 56

Q

What should an IPv4 router do when a packet to be forwarded arrives with a TTL value of one?

Answer

A

Discard the packet

Question 57

Q

What is the purpose of the Differentiated Services field?

Answer

A

The Differentiated Services field can be used to prioritize traffic along a path.

Question 58

Q

What is the syntax for capture and display filters for IPv4 and IPv6 traffic?

Answer

A

Capture filter: ip or ip6

Display filter: ip or ipv6

Question 59

Q

What is the format of an IPv6 6to4 packet?

Answer

A

An IPv6 header is preceded by an IPv4 header. The IPv4 Protocol field is set to 41 (IPv6).

Question 60

Q

What is the purpose of ICMP?

Answer

A

ICMP is used as a messaging system for errors, alerts, and general notifications on an IP network.

Question 61

Q

What type of device might generate an ICMP Type 3, Code 13 (Destination Unreachable, Communication Administratively Prohibited) packet?

Answer

A

This packet might be generated by a verbose firewall. Many firewalls will silently discard blocked packets rather than send this packet.

Question 62

Q

You have captured only ICMP packets on your network. How can you determine what triggered the ICMP Type 3 (Destination Unreachable) packets on your network?

Answer

A

ICMP Type 3 packets contain the IP header and at least the next 8 bytes of the packet that triggered this response. Examine the IP header and bytes following the ICMP portion to determine why this packet was sent.

Question 63

Q

Which ICMPv4 and ICMPv6 packets are used for the standard ICMP-based ping process?

Answer

A

ICMP Type 8 (Echo Request) and ICMP Type 0 (Echo Reply) packets.

Question 64

Q

What should a host do when it receives an ICMP Type 5, Code 0 (Redirection, Redirect Datagram for the Network/Subnet) packet?

Answer

A

It should update its routing tables with the dateway address included in the ICMP packet.

Answer 63

A

Capture filter: icmp or icmp6

Display filter: icmp or icmpv6

Answer 64

A

ICMPv6 Neighbor Solicitation (ICMP Type 135)

Answer 65

A

Provides connectionless transport services

Answer 66

A

It doesn’t

Answer 67

A

Checksum not used

Answer 68

A

TCP offers connection-oriented transport, data sequencing and acknowledgment and automatic recovery for lost packets.

Answer 69

A

SYN, SYN/ACK and ACK.

Answer 70

A

The Sequence Number field is used to uniquely track each TCP segment. The Sequence Number field value increments based on the number of data bytes sent. The Acknowledgment Number field indicates the next expected sequence number from the other TCP host on the connection.

Answer 71

A

TCP hosts set the Reset (RST) bit in a response to a TCP SYN packet

Answer 72

A

If the sender times out waiting for an acknowledgment, it generates a retransmission. If a receiver notices a missing segment, it sends duplicate acknowledgments to the TCP host it is connected to. Upon receipt of three identical acknowledgments the TCP sender generates a retransmission.

Answer 73

A

The entire packet including payload and headers is counted in IO Graphs.

Answer 74

A

Most likely the graph is unidirectional and you have selected a packet traveling in the wrong traffic direction before building the graph.

Answer 75

A

Apply a conversation filter on a second graph line.

Answer 76

A

This calculation counts up the value of a field or characteristic (such as tcp.len) for the tick interval defined and plots the value on the graph.

Answer 77

A

Wireshark calculates and plots the time between a data packet and the corresponding ACK packet.

Answer 78

A

The ideal TCP Time-Sequence graph pattern is a steep slope from the lower left corner to the upper right corner.

Answer 79

A

DHCP enables clients to obtain their IP addresses and configuration information in a dynamic manner.

Answer 80

A

Discover—Offer—Request—Acknowledge.

Answer 81

A

This DHCP packet is sent from a DHCP client to DHCP server to indicate that the offered network address is already in use.

Answer 82

A

A DHCP client enters the rebinding phase when the renewal process is unsuccessful.

Answer 83

A

DHCPv4 capture filter: port 67 or port 68
DHCPv4 Display filter: bootp
DHCPv6 capture filter: port 546 or port 547
DHCPv6 Display filter: dhcpv6

Answer 84

A

IPv6 Solicit packets are sent to ff02::1:2 which is the multicast address for All_DHCP_Relay_Agents_and_Servers.

Answer 85

A

This response is categorized as a client error.

Answer 86

A

Look for the If-Modified-Since request modifier from the client or a response code 304 Not Modified.

Answer 87

A

The http display filter will not display the TCP handshake or the TCP ACKs during the session. Consider using tcp.port==80 to view the entire HTTP conversation.

Answer 88

A

HTTP clients use POST to send data up to an HTTP server.

Answer 89

A

Capture filter: tcp port http

Display filter: http.

Answer 90

A

To add port 444 as an SSL/TLS port, select Edit | Preferences | Protocols | HTTP and add port 444 in the SSL/TLS ports section.

Answer 91

A

You must obtain the decryption key and copy it to your Wireshark system. Next you must configure Wireshark’s SSL preferences RSA Key List setting with the proper syntax.

Answer 92

A

The HTTPS client offers a list of acceptable cipher suites and the HTTPS server selects the cipher suite to use for the communication.

Answer 93

A

Used to transfer files over TCP

Answer 94

A

FTP communications use one connection as a command channel and a second connection as a data channel.

Answer 95

A

The PORT command is used by the client to establish an active mode FTP connection.

Answer 96

A

The PASV command is used by the client to establish a passive mode FTP connection.

Answer 97

A

Its not. All cleartext

Answer 98

A

Capture filter: tcp port 21

Display filter: ftp

Answer 99

A

POP is an application used to retrieve email. SMTP is used to send email.

Answer 100

A

The POP client issues an RETR command to the POP server to request emails.

Answer 101

A

The two POP response codes are +OK and –ERR.

Answer 102

A

A HELO initiates a standard SMTP session, whereas EHLO indicates the client supports SMTP with mail service extensions.

Answer 103

A

Capture filter: tcp port 110

Display filter: pop

Answer 104

A

Capture filter: tcp port 25

Display filter: smtp

Answer 105

A

The access point strips off the 802.11 header and applies an Ethernet header before forwarding the packet on.

Answer 106

A

A spectrum analyzer, such as Wi-Spy and Chanalyzer Pro, offer an insight into RF interference and RF energy.

Answer 107

A

In monitor mode, an adapter does not associate with any SSID—all packets from all SSIDs on the selected channel are captured.

Answer 108

A

If an adapter does not support promiscuous mode, you will not be able to listen to traffic destined to other hardware addresses. You must capture traffic directly on the host in which you are interested.

Answer 109

A

To verify access point availability you can create an IO Graph and add a filter for beacon frames.

Answer 110

A

The Radiotap header contains the radiotap.channel.freq field. Prepending this header on the packets enables you to filter on the WLAN channel.

Answer 111

A

The three WLAN traffic types are data, management and control.

Answer 112

A

Association request and response frames are sent by stations to synchronize with the access point and exchange capability information.

Answer 113

A

signaling protocol used for call setup and teardown.

Answer 114

A

Carries the voice call itself.

Answer 115

A

Tryto Decode RTP Outside of Conversations in Edit | Preferences | Protocols | RTP.

Answer 116

A

Jitter is a variance in the packet rate.

Answer 117

A

Packet loss or packets that are out of order will trigger the wrong sequence number indication in the RTP Stream Analysis window.

Answer 118

A

By default, SIP uses port 5060 (over UDP or TCP). The SIP packet media attribute section indicates the port number that the RTP stream should run over.

Answer 119

A

If you use this filter you would capture all SIP client errors, server errors and global failures.

Answer 120

A

To identify possible QoS issues, add a DSCP column to examine the priority settings of VoIP call setup and call data traffic.

Answer 121

A

You can use the capture filter udp port 5060 to capture all SIP traffic running over UDP. If your VoIP solution uses SIP over TCP, use the capture filter tcp port 5060 to capture all SIP traffic running over TCP.

Answer 122

A

Baselining is the process of creating a set of trace files that depict “normal” communications on the network. Compare unusual traffic patterns to your baseline to identify anomalies.

Answer 123

A

You cannot obtain a boot up baseline on the actual host you are analyzing. You must tap into an existing network connection (as close as possible to the client preferably), start capturing and then boot up the baseline host.

Answer 124

A

Watching the traffic flowing to and from a host during idle time (when no one is using the host) helps identity background traffic that automatically occurs.

Answer 125

A

To spot large gaps in time between packets of a conversation set the Time column to Seconds since Previous Displayed Packet, filter on a single conversation and then sort the Time column so the largest values are at the top.

Answer 126

A

Move the analyzer along the path to determine the point when you see the original packet and the retransmission—packet loss has not occurred yet—the device that is dropping packets is downstream (closer to the receiver) than you are located.

Answer 127

A

Graph the AVG(*)tcp.len value in an Advanced IO Graph.

Answer 128

A

When a TCP receiver runs out of buffer space, it advertises a window zero condition.

Answer 129

A

No. You must analyze the total amount of delay incurred by the errors before stating that they are causing a noticeable effect.

Answer 130

A

Network forensicsis the process of examining network traffic for evidence of unusual or unacceptable traffic. This traffic may include reconnaissance (discovery) processes, phone-home behavior, denial of service attacks, man-in-the-middle poisoning, bot commands, etc.

Answer 131

A

If network name resolution is enabled, Wireshark may generate a large number of DNS PTR queries to resolve IP addresses to host names.

Answer 132

A

Capture your own traffic when doing research with these tools to identify the signatures in their traffic and create defense mechanisms to block these tools from being used successfully on your network.

Answer 133

A

Consider creating coloring rules for unusual packets so you can identify them faster in the Packet List pane.

Answer 134

A

Discovery and reconnaissance processes are used to identify hosts on the network, locate network services, learn operating system versions running on hosts and any other information on network devices.

Answer 135

A

Because ARP is a non-routable protocol, ARP scanning can only find local devices. The advantage of ARP scanning is that the process can locate devices that block ICMP pings through firewall use.

Answer 136

A

TCP port scans can be used to identify TCP-based services running on a target or they can be used simply to determine which hosts are running on a network.

Answer 137

A

A TCP full connect scan completes the three-way TCP handshake when an open port is found. The packet sequence is SYN, SYN/ACK, ACK. A TCP half-open scan does not complete the three-way TCP handshake. The packet sequence is SYN, SYN/ACK.

Answer 138

A

If a TCP connection attempt receives an ICMP Destination Unreachable response you can assume the target is behind a local or network firewall that is generating the ICMP response.

Answer 139

A

A traceroute process generates a high number of packets that have a low TTL value.

Answer 140

A

Application mapping relies on two distinct functions –probing and matching. Probes are proactively sent to a target to generate responses. Responses are matched to predefined responses to identify the service discovered.

Answer 141

A

Passive OS fingerprinting relies on silently listening to network traffic and does not generate any traffic and cannot be detected by IDS devices. Active OS fingerprinting generates packets to trigger responses that allows identification of the target.

Answer 142

A

Suspect traffic is traffic that is considered unusual on the network.

Answer 143

A

If the name resolution process is breached, an attacker can redirect hosts to communicate with systems other than the intended ones.

Answer 144

A

A maliciously malformed packet is a packet that is intentionally created to take advantage of protocol or application vulnerabilities.

Answer 145

A

A ‘dark’ destination address is an address that falls within the network address range in use but is not currently assigned to a host.

Answer 146

A

A packet that is looping on a switched network will contain the same IP ID value.

Answer 147

A

Wireshark’s Protocol Hierarchy window helps identify unusual protocols and applications.

Answer 148

A

ARP poisoning and ICMP redirection are two redirection processes that can facilitate man-in-the-middle attacks.

Answer 149

A

Use TCP reassembly to view the reconstructed TCP payload when the traffic has been spliced.

Answer 150

A

Tshark’s primary purpose is to offer command line packet capture. Tshark is preferred over the GUI capture because it requires fewer resources than the GUI Wireshark.exe.

Answer 151

A

Editcap can be used to change packet timestamps using the –t parameter.

Answer 152

A

Capinfos can be used to display numerous statistics about a trace file, but not information about protocols and applications contained in the trace file. For information about the protocols and applications in a trace file, use Tshark with the –z parameter.

Answer 153

A

Between tcpdump and Tshark, tcpdump uses fewer system resources but does not offer as many capture configuration options.

Brainscape's Knowledge GenomeTM

Study Guide Questions Flashcards

Brainscape's Knowledge Genome^TM