- Which of the following statements is true regarding Wireshark?
|Wireshark is probably the most widely used packet capture and analysis software in the world.|
|The expense of Wireshark makes it cost-prohibitive for most organizations.|
|Compared to similar commercial products, Wireshark has the most sophisticated diagnostic tools.|
|Wireshark saves frame details in a format that is incompatible and unusable by other software tools.|
- The main screen of Wireshark includes several shortcuts. Which shortcut category displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed?
- Which of the following enables Wireshark to capture packets destined to any host on the same subnet or virtual LAN (VLAN)?
- The top pane of the Wireshark window, referred to as the __________, contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of the packet in a format close to English.
- The middle pane of the Wireshark window, referred to as the __________, is used to display the packet structure and contents of fields within the packet.
- The bottom pane of the Wireshark window, referred to as the __________, displays all of the information in the packet in hexadecimal and, where the bytes are printable, as ASCII text.
- Wireshark can be used in a variety of ways; however, the most common configuration for Wireshark, and the configuration that you ran in the lab, has the software running:
|in a peer-to-peer configuration.|
|from a probe or hub.|
|on a local area network.|
|on a local host.|
- In the simplest terms, Wireshark is used to capture all packets:
|from a computer workstation to the Wireshark application window.|
|to and from a computer workstation and the Wireshark application window.|
|to and from a computer workstation and the server.|
|to and from the Wireshark Network Analyzer and the Capture section of the Wireshark application window.|
- Which of the following statements is true regarding how Wireshark works?
|Where packets are captured and how they are captured does not have any impact on how the packets are analyzed.|
|By running the Wireshark software on the same computer that generates the packets, the capture is specific to that machine.|
|Wireshark has no impact on the operation of the machine itself or its applications.|
|No timing information is provided when using a network probe or hub device, or the capture port of a LAN switch.|
- Which of the following statements is true regarding how Wireshark handles time?
|Clock time may or may not be the same as the system time of the device or devices used to run Wireshark and capture packets.|
|The timestamp used by Wireshark is the current local time in the time zone where the machine resides.|
|Any discrepancies regarding time are insignificant when capturing packets from high-speed interfaces.|
|In order to overcome time zone mismatches, a common best practice is to use the Eastern Time Zone.|
- When examining a frame header, a difference between bytes on the wire and bytes captured can indicate that:
|all packets are being captured effectively.|
|partial or malformed packets might be captured.|
|the interface speed is low and the computer cannot keep up with Wireshark.|
|the computer is infected with some form of malware.|
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was Intel Core hardware.
|type of traffic carried in the next layer|
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was Internet Protocol (IP).
|type of traffic carried in the next layer|
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was IPv4 multicast.
|type of traffic carried in the next layer|
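The Frame and Ethernet II details asked about above (bytes on wire versus bytes captured, arrival time versus epoch time, the EtherType that names the next layer, and an IPv4 multicast destination) all come straight out of the capture file. The following is an added example, not the lab's DemoCapture file or any Wireshark code: it writes a two-frame classic pcap (libpcap) file in memory with a 96-byte snaplen so the second frame is cut short, then reads it back and reports those fields. The MAC addresses, payloads and timestamps are constructed (the epoch value is the one quoted in this page); `PDT` is a fixed UTC-7 offset used only to show how the same epoch renders in a different zone.

```python
"""Minimal classic-pcap (libpcap) writer and reader, added as an example of what
Wireshark's Frame and Ethernet II details are derived from. Not the lab's
DemoCapture file: the frames, MAC addresses and timestamps are constructed, and
the 96-byte snaplen is chosen so that the second frame is truncated.
"""
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap; byte order tells the reader the endianness
PCAPNG_MAGIC = 0x0A0D0D0A     # first 4 bytes of a .pcapng file (Section Header Block), same in either order
LINKTYPE_ETHERNET = 1
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
PDT = timezone(timedelta(hours=-7))   # assumption: a fixed UTC-7 offset standing in for Pacific Daylight Time


def write_pcap(frames, snaplen=65535, first_ts=(1178922637, 41165)):
    """Serialise frames as little-endian pcap records; incl_len is capped at snaplen, orig_len is not."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    sec, usec = first_ts
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec + i, len(captured), len(frame)) + captured
    return out


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_record(ts_sec, ts_usec, incl_len, orig_len, data):
    """The Frame and Ethernet II detail fields for one pcap record."""
    etype = struct.unpack("!H", data[12:14])[0]
    return {
        "epoch": ts_sec + ts_usec / 1_000_000,      # pcap stores UTC epoch seconds, never local wall-clock time
        "arrival_utc": datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec),
        "frame_len": orig_len,                       # "bytes on wire"
        "capture_len": incl_len,                     # "bytes captured"
        "truncated": incl_len < orig_len,            # dissectors run out of data here: partial/malformed packet
        "dst": mac_str(data[:6]),
        "src": mac_str(data[6:12]),
        "dst_is_multicast": bool(data[0] & 0x01),    # I/G bit of the first octet; 01:00:5e:... is IPv4 multicast
        "ethertype": ETHERTYPE_NAMES.get(etype, f"0x{etype:04x}"),   # the type of traffic in the next layer
    }


def read_pcap(blob):
    """Parse a classic pcap file; a pcapng file (Wireshark's default save format) is rejected."""
    le, be = struct.unpack("<I", blob[:4])[0], struct.unpack(">I", blob[:4])[0]
    if le == PCAPNG_MAGIC:
        raise ValueError("pcapng input: save as pcap (libpcap) or use a pcapng reader")
    if le == PCAP_MAGIC:
        bo = "<"
    elif be == PCAP_MAGIC:
        bo = ">"
    else:
        raise ValueError(f"unknown magic 0x{le:08x}")
    _, _, _, _, _, _snaplen, linktype = struct.unpack(bo + "IHHiIII", blob[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", blob[off:off + 16])
        records.append(parse_record(ts_sec, ts_usec, incl_len, orig_len, blob[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records


def display_time(arrival_utc, tz):
    """Wireshark's Arrival Time is the stored epoch rendered in the analyst's zone, not the capturer's."""
    return arrival_utc.astimezone(tz).strftime("%b %d, %Y %H:%M:%S.%f")


# Constructed frames: an IPv4 multicast frame that fits the snaplen and a larger unicast frame that does not.
MCAST_FRAME = bytes.fromhex("01005e0000fb") + bytes.fromhex("020000000001") + b"\x08\x00" + b"\x00" * 50
BIG_FRAME = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00" + b"\x00" * 200
CAPTURE = write_pcap([MCAST_FRAME, BIG_FRAME], snaplen=96)

if __name__ == "__main__":
    for rec in read_pcap(CAPTURE):
        print(rec["frame_len"], rec["capture_len"], rec["truncated"], rec["dst"], rec["ethertype"],
              display_time(rec["arrival_utc"], PDT))
```

The point to take from the second record is that a capture length smaller than the frame length is a property of the capture (the snaplen), so any "malformed packet" Wireshark reports for it is an artifact of truncation, not evidence about the sender. Likewise, the stored timestamp is an epoch value; the Arrival Time you see depends on the time zone of the machine doing the analysis, which is why two analysts can quote different clock times for the same frame.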
- The __________ IP address is the IP address of the local IP host (workstation) from which Wireshark captures packets.
- Which of the following statements is true regarding filtering packets in Wireshark?
|Filters are not a particularly useful tool in Wireshark.|
|Filters allow a complex set of criteria to be applied to the captured packets and only the result is displayed.|
|Filter expressions must be built with the Filter Edit dialog window and cannot be typed directly into the Filter field.|
|Once packets have been filtered, they are lost and cannot be restored.|
- Selecting a TCP flow in the Flow Graph Analysis tool tells Wireshark that you want to see all of the elements in a TCP three-way handshake, which are:
|SYN, SYN-ACK, and ACK.|
|SYN, ACK-SYN, and PSH.|
|ACK, ACK-PSH, and PSH-ACK.|
|PSH-ACK, ACK, and PSH-ACK.|
- In the center pane of the __________, the direction of each arrow indicates the direction of the TCP traffic, and the length of the arrow indicates between which two addresses the interaction is taking place.
|Wireshark frame header|
|Flow Graph Analysis results|
|Frame Summary pane|
|Ethernet II frame detail|
- Within the frame detail pane, what does it mean when the DNS Flags detail specifies that recursion is desired?
|DNS will continue to query higher-level DNS servers until it is able to resolve the address.|
|DNS will continue to query lower-level DNS servers until it is able to resolve the address.|
|DNS will discontinue querying other DNS servers in attempts to resolve the address.|
|DNS is guaranteed to show the response “No such name.”|
- Within the frame detail pane, the DNS Flags detail response to the query for issaseries.org was “No such name,” indicating that the:
|issaseries.org domain never existed.|
|issaseries.org domain existed at one time but no longer exists.|
|issaseries.org is not known to any of the Domain Name Servers that were searched.|
|search was ineffective or unsuccessful.|
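The handshake and DNS questions above both come down to reading flag bits in the detail pane: the TCP flags that the Flow Graph draws as SYN, SYN-ACK and ACK, and the DNS Flags word whose RD bit means "recursion desired", RA bit "recursion available" and RCODE 3 is what Wireshark labels "No such name". The following is an added example, not code from the lab or from Wireshark: it builds a handful of Ethernet II / IPv4 frames in memory, parses them the way the detail pane presents them, and matches completed three-way handshakes on sequence numbers. All addresses, ports, MACs and transaction IDs are constructed; the query name is the one used in the lab question.

```python
"""Constructed Ethernet II / IPv4 frames parsed into the fields Wireshark's detail
pane shows: TCP flag names for Flow Graph handshake matching, and the DNS Flags
bits (QR, RD, RA, RCODE). Added example; every address and ID here is made up.
"""
import struct

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10)]
DNS_RCODE_NAMES = {0: "No error", 2: "Server failure", 3: "No such name"}
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # constructed, locally administered


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def eth_ipv4(src, dst, proto, l4):
    """Ethernet II (type 0x0800) plus a 20-byte IPv4 header; checksum left 0 as NIC offload captures often show."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + l4


def tcp(sport, dport, seq, ack, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def dns(sport, dport, txid, flags, qname):
    """UDP header plus a one-question DNS message (type A, class IN)."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + labels + b"\x00" + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", sport, dport, 8 + len(msg), 0) + msg


def flag_names(bits):
    return "-".join(name for name, bit in TCP_FLAG_BITS if bits & bit)


def parse_qname(buf):
    labels, off = [], 0
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def parse_frame(frame):
    """Return the detail-pane fields for an IPv4 TCP frame or a DNS-over-UDP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"proto": "non-IPv4"}
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    info = {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20])}
    l4 = ip[ihl:]
    if proto == 6:
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", l4[:14])
        info.update(proto="TCP", sport=sport, dport=dport, seq=seq, ack=ack, flags=flag_names(flags))
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        txid, dflags = struct.unpack("!HH", l4[8:12])
        info.update(proto="DNS", sport=sport, dport=dport, txid=txid,
                    response=bool(dflags & 0x8000),              # QR bit
                    recursion_desired=bool(dflags & 0x0100),     # RD bit, set by the stub resolver in its query
                    recursion_available=bool(dflags & 0x0080),   # RA bit, set by the server in its reply
                    rcode=DNS_RCODE_NAMES.get(dflags & 0x000F, dflags & 0x000F),
                    qname=parse_qname(l4[20:]))
    return info


def find_handshakes(frames):
    """(client, server) endpoints of every SYN / SYN-ACK / ACK triple, matched on sequence numbers."""
    pending, completed = {}, []
    for p in map(parse_frame, frames):
        if p.get("proto") != "TCP":
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if p["flags"] == "SYN":
            pending[(a, b)] = ("SYN", p["seq"])
        elif p["flags"] == "SYN-ACK" and pending.get((b, a), ("",))[0] == "SYN" and p["ack"] == pending[(b, a)][1] + 1:
            pending[(b, a)] = ("SYN-ACK", p["seq"])
        elif p["flags"] == "ACK" and pending.get((a, b), ("",))[0] == "SYN-ACK" and p["ack"] == pending[(a, b)][1] + 1:
            del pending[(a, b)]
            completed.append((a, b))
    return completed


CLIENT, WEB, RESOLVER = "192.168.1.10", "192.0.2.80", "192.0.2.53"   # constructed (RFC 5737 test range)
SAMPLE_FRAMES = [
    eth_ipv4(CLIENT, WEB, 6, tcp(49152, 80, 1000, 0, 0x02)),        # SYN
    eth_ipv4(WEB, CLIENT, 6, tcp(80, 49152, 5000, 1001, 0x12)),     # SYN-ACK
    eth_ipv4(CLIENT, WEB, 6, tcp(49152, 80, 1001, 5001, 0x10)),     # ACK: handshake complete
    eth_ipv4(CLIENT, WEB, 6, tcp(49152, 443, 2000, 0, 0x02)),       # SYN that is never answered
    eth_ipv4(CLIENT, RESOLVER, 17, dns(53000, 53, 0x1A2B, 0x0100, "issaseries.org")),   # query, RD set
    eth_ipv4(RESOLVER, CLIENT, 17, dns(53, 53000, 0x1A2B, 0x8183, "issaseries.org")),   # QR, RD, RA, RCODE 3
]

if __name__ == "__main__":
    print(find_handshakes(SAMPLE_FRAMES))
    print([parse_frame(f) for f in SAMPLE_FRAMES if parse_frame(f).get("proto") == "DNS"])
```

The unanswered SYN to port 443 is deliberately left in: a Flow Graph shows it as a single arrow with no reply, and `find_handshakes` ignores it because a handshake is only counted when the SYN-ACK acknowledges the client's sequence number plus one and the final ACK does the same for the server's. For the DNS pair, RD in the query says the client asked the resolver to chase referrals on its behalf; RA and RCODE 3 in the reply say the resolver did so and none of the servers it consulted knew the name.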
- Which of the following statements is true?
|The Wireshark protocol analyzer has limited capabilities and is not considered multi-faceted.|
|Wireshark is used to find anomalies in network traffic as well as to troubleshoot application performance issues.|
|Both Wireshark and NetWitness Investigator are expensive tools that are cost-prohibitive for most organizations.|
|NetWitness Investigator is available at no charge while Wireshark is a commercial product.|
- Wireshark capture files, like the DemoCapturepcap file found in this lab, have a __________ extension, which stands for packet capture, next generation.
- The Wireless Toolbar (View > Wireless Toolbar) is used only:
|when using a pre-captured file.|
|when capturing live traffic.|
|when reviewing wireless traffic.|
|in a virtual lab environment.|
- In the frame detail pane, which of the following was a field unique to wireless traffic, confirming that it is a wireless packet?
|The Encapsulation type: Per-Packet Information header|
|The Arrival time: May 11, 2007 15:30:37 041165000 Pacific Daylight Time|
|The Capture Length: 181 bytes|
|The Epoch Time: 1178922637.041165000 seconds|
- Which of the following tools provides information about the antennae signal strengths, noise ratios, and other antennae information during a captured transmission?
- Which of the following can be used to map who is able to communicate with whom, the measured strength of signals, and what frequencies are used, and can also be used for jamming certain frequencies and for determining which devices were likely used to set off remote bombs and Improvised Explosive Devices (IEDs)?
|MAC+PHY (MAC and Physical Layer)|
|Quality of Service information|
- In the IEEE 802.11 Quality of Service information and Flags fields, Wireshark displays information about the __________, which enables the network administrator to determine which Media Access Control (MAC) addresses match each of them.
|antennae and signal strength|
|transmitters and receivers of the data|
|payload and frame information|
|Domain System and Internet Protocol version|
- In the lab, Wireshark displayed the transmitter/receiver address in both full hexadecimal (00:14:a5:cd:74:7b) and a kind of shorthand, which was:
- Matching the __________ to their appropriate transmitter and receiver addresses can provide the needed forensic evidence of which devices are involved in a particular communication.
- Which of the following statements is true regarding the fields displayed in Wireshark?
|There are hundreds of fields of data available and there are many different ways to interpret them.|
|There are a few dozen fields of data available but there are many different ways to interpret them.|
|There are very few fields of data available and most administrators will interpret them in the same or a similar way.|
|Although there are very few fields of data available, most administrators will interpret them differently.|
- Which of the following is a packet capture add-on that is frequently installed with Wireshark that enables the capture of more wireless information?
- Regardless of whether the packet is sent through the air or on a wire, the ultimate payload in an investigation is:
|information regarding the transmitters and receivers of the data.|
|detail about the Internet Protocol version.|
|a Domain Name System query.|
|evidence of any suspicious activity.|
- In the lab, the DNS query indicated an IP address of __________ for www.polito.it.
- What is the actual Web host name to which www.polito.it is resolved?
- In order to use NetWitness Investigator to analyze the same packets that you analyzed with Wireshark, you first had to save the DemoCapturepcap.pcapng file in the older __________ format.
- Which of the following statements is true regarding NetWitness Investigator?
|NetWitness Investigator is available for free so it is only used for some initial analysis.|
|NetWitness Investigator is often used only by skilled analysts for specific types of analysis.|
|Investigators with little training typically can capture needed information using NetWitness Investigator.|
|Wireshark provides a more in-depth, security-focused analysis than NetWitness Investigator.|
- Which of the following statements is true regarding NetWitness Investigator reports?
|NetWitness reports contain only low-level wireless information, such as command and control.|
|NetWitness reports do not provide the kind of sophisticated analysis that is found within Wireshark.|
|NetWitness and Wireshark both provide the same information but the two tools differ in how that information is displayed.|
|NetWitness is unable to provide information about the geographic location of the transmitter and receiver.|
- Which of the following tools displays the MAC address and IP address information and enables them to be correlated for a given capture transmission?
|Both Wireshark and NetWitness Investigator|
- When you were using NetWitness Investigator in the lab, the Destination City report indicated that the Destination Organization of www.polito.it was recorded as:
|Politecnico de Tourino.|
|Republic of Italia.|
- Which of the following statements is true regarding the information in the Destination City report?
|The Top Level Domain (TLD) “.it” belongs to Italy.|
|The Top Level Domain (TLD) “.it” is proof that the Web site is physically located in Italy.|
|The Top Level Domain (TLD) was actually registered in the United States.|
|It indicates that it will be impossible to determine the actual physical location of the server.|