Which of the following statements is true regarding how Wireshark works?
Finally, write a conclusion (or a summary) that ties it all together.
August 5, 2017Analyze international business strategy to identify human resource requirements and formulate supporting HRM plans that can improve productivity and contribute to the firm’s competitiveness.
August 5, 2017Question 1
- Which of the following statements is true regarding Wireshark?
| Wireshark is probably the most widely used packet capture and analysis software in the world. | ||
| The expense of Wireshark makes it cost-prohibitive for most organizations. | ||
| Compared to similar commercial products, Wireshark has the most sophisticated diagnostic tools. | ||
| Wireshark saves frame details in a format that is incompatible and unusable by other software tools. |
5 points
Question 2
- The main screen of Wireshark includes several shortcuts. Which shortcut category displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed?
| Capture Help | ||
| Capture | ||
| Files | ||
| Online |
5 points
Question 3
- Which of the following enables Wireshark to capture packets destined to any host on the same subnet or virtual LAN (VLAN)?
| Capture Help | ||
| Host mode | ||
| Subnet mode | ||
| Promiscuous mode |
5 points
Question 4
- The top pane of the Wireshark window, referred to as the __________, contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of the packet in a format close to English.
| byte summary | ||
| byte data | ||
| frame detail | ||
| frame summary |
5 points
Question 5
- The middle pane of the Wireshark window, referred to as the __________, is used to display the packet structure and contents of fields within the packet.
| byte summary | ||
| byte data | ||
| frame detail | ||
| frame summary |
5 points
Question 6
- The bottom pane of the Wireshark window, referred to as the __________, displays all of the information in the packet in hexadecimal and in decimalwhen possible.
| byte summary | ||
| byte data | ||
| frame detail | ||
| frame summary |
5 points
Question 7
- Wireshark can be used in a variety of ways, however the most common configuration for Wireshark, and the configuration that you ran in the lab, has the software running:
| in a peer-to-peer configuration. | ||
| from a probe or hub. | ||
| on a local area network. | ||
| on a local host. |
5 points
Question 8
- In the simplest terms, Wireshark is used to capture all packets:
| from a computer workstation to the Wireshark application window. | ||
| to and from a computer workstation and the Wireshark application window. | ||
| to and from a computer workstation and the server. | ||
| to and from the Wireshark Network Analyzer and the Capture section of the Wireshark application window. |
5 points
Question 9
- Which of the following statements is true regarding how Wireshark works?
| Where packets are captured and how they are captured does not have any impact on how the packets are analyzed. | ||
| By running the Wireshark software on the same computer that generates the packets, the capture is specific to that machine. | ||
| Wireshark has no impact on the operation of the machine itself or its applications. | ||
| No timing information is provided when using a network probe or hub device, or the capture port of a LAN switch. |
5 points
Question 10
- Which of the following statements is true regarding how Wireshark handles time?
| Clock time may or may not be the same as the system time of the device or devices used to run Wireshark and capture packets. | ||
| The timestamp used by Wireshark is the current local time in the time zone where the machine resides. | ||
| Any discrepancies regarding time are insignificant when capturing packets from high-speed interfaces. | ||
| In order to overcome time zone mismatches, a common best practice is to use the Eastern Time Zone. |
5 points
Question 11
- When examining a frame header, a difference between bytes on the wire and bytes captured can indicate that:
| all packets are being captured effectively. | ||
| partial or malformed packets might be captured. | ||
| the interface speed is low and the computer cannot keep up with Wireshark. | ||
| the computer is infected with some form of malware. |
5 points
Question 12
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was Intel Core hardware.
| frame type | ||
| source | ||
| destination | ||
| type of traffic carried in the next layer |
5 points
Question 13
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was Internet Protocol (IP).
| frame type | ||
| source | ||
| destination | ||
| type of traffic carried in the next layer |
5 points
Question 14
- In the lab, the Ethernet II detail of the provided packet capture file indicated that Wireshark had determined that the __________ was IPv4 multicast.
| frame type | ||
| source | ||
| destination | ||
| type of traffic carried in the next layer |
5 points
Question 15
- The __________ IP address is the IP address of the local IP host (workstation) from which Wireshark captures packets.
| origination | ||
| destination | ||
| host | ||
| source |
5 points
Question 16
- Which of the following statements is true regarding filtering packets in Wireshark?
| Filters are not a particularly useful tool in Wireshark. | ||
| Filters allow a complex set of criteria to be applied to the captured packets and only the result is displayed. | ||
| Filter expressions must be built with the Filter Edit dialog window and cannot be typed directly into the Filter field. | ||
| Once packets have been filtered, they are lost and cannot be restored. |
5 points
Question 17
- Selecting a TCP flow in the Flow Graph Analysis tool tells Wireshark that you wanted to see all of the elements in a TCP three-way handshake, which are:
| SYN, SYN-ACK, and ACK. | ||
| SYN, ACK-SYN, and PSH. | ||
| ACK, ACK-PSH, and PSH-ACK. | ||
| PSH-ACK, ACK, and PSH-ACK. |
5 points
Question 18
- In the center pane of the __________, the direction of each arrow indicates the direction of the TCP traffic, and the length of the arrow indicates between which two addresses the interaction is taking place.
| Wireshark frame header | ||
| Flow Graph Analysis results | ||
| Frame Summary pane | ||
| Ethernet II frame detail |
5 points
Question 19
- Within the frame detail pane, what does it mean when the DNS Flags detail specifies that recursion is desired?
| DNS will continue to query higher level DNSs until it is able to resolve the address. | ||
| DNS will continue to query lower level DNSs until it is able to resolve the address. | ||
| DNS will discontinue querying other DNSs in attempts to resolve the address. | ||
| DNS will be guaranteed show the response “No such name.” |
5 points
Question 20
- Within the frame detail pane, the DNS Flags detail response to the query for issaseries.org was “No such name,” indicating that the:
| issaseries.org domain never existed. | ||
| issaseries.org domain existed at one time but no longer exists. | ||
| issaseries.org is not known to any of the Domain Name Servers that were searched. | ||
| search was ineffective or unsuccessful. |
Question 1
- Which of the following statements is true?
| The Wireshark protocol analyzer has limited capabilities and is not considered multi-faceted. | ||
| Wireshark is used to find anomalies in network traffic as well as to troubleshoot application performance issues. | ||
| Both Wireshark and NetWitness Investigator are expensive tools that are cost-prohibitive for most organizations. | ||
| NetWitness Investigator is available at no charge while Wireshark is a commercial product. |
5 points
Question 2
- Wireshark capture files, like the DemoCapturepcap file found in this lab, have a __________ extension, which stands for packet capture, next generation.
| .packcng | ||
| .paccapnextg | ||
| .pcnextgen | ||
| .pcapng |
5 points
Question 3
- The Wireless Toolbar (View > Wireless Toolbar) is used only:
| when using a pre-captured file. | ||
| when capturing live traffic. | ||
| when reviewing wireless traffic. | ||
| in a virtual lab environment. |
5 points
Question 4
- In the frame detail pane, which of the following was a field unique to wireless traffic, confirming that it is a wireless packet?
| The Encapsulation type: Per-Packet Information header | ||
| The Arrival time: May 11, 2007 15:30:37 041165000 Pacific Daylight Time | ||
| The Capture Length: 181 bytes | ||
| The Epoch Time: 1178922637.041165000 seconds |
5 points
Question 5
- Which of the following tools provides information about the antennae signal strengths, noise ratios, and other antennae information during a captured transmission?
| Windows Explorer | ||
| DemoCapture | ||
| Wireshark | ||
| NetWitness |
5 points
Question 6
- Which of the following can be used to map who is able to communicate with whom, the measured strength of signals, and what frequencies are used, as well as be used for jamming certain frequencies and for determining which devices were likely used to set off remote bombs and Improvised Explosive Devices (IEDs)?
| MAC+PHY (MAC and Physical Layer) | ||
| IEEE Layer | ||
| Flags fields | ||
| Quality of Service information |
5 points
Question 7
- In the IEEE 802.11 Quality of Service information and Flags fields, Wireshark displays information about the __________, which enables the network administrator to determine which Media Access Control (MAC) addresses match each of them.
| antennae and signal strength | ||
| transmitters and receivers of the data | ||
| payload and frame information | ||
| Domain System and Internet Protocol version |
5 points
Question 8
- In the lab, Wireshark displayed the transmitter/receiver address in both full hexadecimal (00:14:a5:cd:74:7b) and a kind of shorthand, which was:
| IEEE 802.11. | ||
| GemtekTe_IEEE. | ||
| GemtekTe_00:14:a5. | ||
| GemtekTe_cd:74:7b. |
5 points
Question 9
- Matching the __________ to their appropriate transmitter and receiver addresses can provide the needed forensic evidence of which devices are involved in a particular communication.
| MAC addresses | ||
| IP addresses | ||
| brand names | ||
| IEEE numbers |
5 points
Question 10
- Which of the following statements is true regarding the fields displayed in Wireshark?
| There are hundreds of fields of data available and there are many different ways to interpret them. | ||
| There are a few dozen fields of data available but there are many different ways to interpret them. | ||
| There are very few fields of data available and most administrators will interpret them in the same or a similar way. | ||
| Although there are very few fields of data available, most administrators will interpret them differently. |
5 points
Question 11
- Which of the following is a packet capture add-on that is frequently installed with Wireshark that enables the capture of more wireless information?
| 3Com | ||
| QoS | ||
| GemtekTE | ||
| AirPcap |
5 points
Question 12
- Regardless of whether the packet is sent through the air or on a wire, the ultimate payload in an investigation is:
| information regarding the transmitters and receivers of the data. | ||
| detail about the Internet Protocol version. | ||
| a Domain Name System query. | ||
| evidence of any suspicious activity. |
5 points
Question 13
- In the lab, the DNS query indicated an IP address of __________ for www.polito.it.
| 172.30.0.100 | ||
| 130.192.73.1 | ||
| 177.390.13.6 | ||
| 172.30.121.1 |
5 points
Question 14
- What is the actual Web host name to which www.polito.it is resolved?
| web01.polito.gov | ||
| web01.polito.it | ||
| web01.polito.com | ||
| www.polito.com |
5 points
Question 15
- In order to use NetWitness Investigator to analyze the same packets that you analyzed with Wireshark, you first had to save the DemoCapturepcap.pcapng file in the older __________ format.
| .libpcap | ||
| .tcpdump-libcap | ||
| .pcapng | ||
| .pcap |
5 points
Question 16
- Which of the following statements is true regarding NetWitness Investigator?
| NetWitness Investigator is available for free so it is only used for some initial analysis. | ||
| NetWitness Investigator is often used only by skilled analysts for specific types of analysis. | ||
| Investigators with little training typically can capture needed information using NetWitness Investigator. | ||
| Wireshark provides a more in-depth, security-focused analysis than NetWitness Investigator. |
5 points
Question 17
- Which of the following statements is true regarding NetWitness Investigator reports?
| NetWitness reports contain only low-level wireless information, such as command and control. | ||
| NetWitness reports do not provide the kind of sophisticated analysis that is found within Wireshark. | ||
| NetWitness and Wireshark both provide the same information but the two tools differ in how that information is displayed. | ||
| NetWitness is unable to provide information about the geographic location of the transmitter and receiver. |
5 points
Question 18
- Which of the following tools displays the MAC address and IP address information and enables them to be correlated for a given capture transmission?
| DemoCapture | ||
| Wireshark | ||
| NetWitness Investigator | ||
| Both Wireshark and NetWitness Investigator |
5 points
Question 19
- When you were using NetWitness Investigator in the lab, the Destination City report indicated that the Destination Organization of www.polito.it was recorded as:
| Turin Polytechnic. | ||
| Politecnico de Tourino. | ||
| Republic of Italia. | ||
| Turin, Italy. |
5 points
Question 20
- Which of the following statements is true regarding the information in the Destination City report?
| The Top Level Domain (TLD) “.it” belongs to Italy. | ||
| The Top Level Domain (TLD) “.it” is proofthat the Web site is physically located in Italy. | ||
| The Top Level Domain (TLD) was actually registered in the United States. |
