Assessment I
How can you quickly identify all WLAN BSSIDs seen in a trace file?
Open Statistics | WLAN Traffic
In the trace file shown above, Wireshark's time display format is set to Seconds Since Beginning of Capture. Which statement about this trace file is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc022-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
Packet 11 arrived 0.053866 seconds later than Packet 6.
Which statement about the Coloring Rules configuration shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc015-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
The Clear button will restore the coloring rules to the default set.
Which statement about the TCP stream shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc010-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
The HTTP client sent an HTTP GET request for the default page
Changing the Filter display max. list entries value in Wireshark's Preferences window enables you to alter the number of recently created display filters that Wireshark shows in the drop-down list.
True
Columns can be right or left aligned by right clicking on their heading in the Packet List pane
True
Comparison and logical operators enable you to combine multiple display filters to further define the traffic of interest
True
Custom columns can be added to and rearranged in the Packet List pane
True
Display filters applied to a trace file before opening the Protocol Hierarchy Statistics window are automatically applied to the Protocol Hierarchy results displayed.
True
Display filters can be created based on the contents of fields that do not actually exist in a packet such as the Time Since Referenced or First Packet field.
True
ICMP Type 3/Code 4 packets (Destination Unreachable/Fragmentation Needed, but Don't Fragment Bit was Set) may indicate that a router along a path cannot forward a packet.
True
If you want to view decrypted SSL/TLS traffic, a valid RSA key setting is required prior to using Follow SSL Stream.
True
Network analyzers may cause security concerns because they can be used maliciously to listen in on unencrypted network traffic.
True
Packet timestamps are saved inside pcap and pcap-ng files so the packet timestamps can be displayed when the file is opened again.
True
Several dissectors may be applied to a single packet.
True
The Conversations window shown above includes 239.255.255.250 as an endpoint. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf044-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
True
The Frame section of a packet always indicates which coloring rule has been applied to the packet
True
The MAC name resolution process resolves the first 3 bytes of the MAC address to the OUI value contained in Wireshark's manuf file.
True
The cfilters file can be shared with other WireShark users by copying the file into another host's personal preferences folder
True
The filter shown above will display all ARP packets as well as all TCP packets seen by Wireshark. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf056-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
True
The location of Wireshark personal preference files is listed under Help | About Wireshark | Folders.
True
When you disable the TCP protocol decoding process, applications that use TCP (such as HTTP and FTP) will not be decoded.
True
Wireshark contains several pre-defined columns that can be quickly added to the Packet List pane by right-clicking on a field in the Packet Details pane
True
Wireshark's .pcapng format enables meta data to be saved with a trace file.
True
Wireshark's Status Bar indicates the number of packets shown after a display filter is applied.
True
Wireshark's default set of display filters are saved in a file called dfilters in the global configuration directory.
True
Wireshark's network name resolution process references Wireshark's hosts file before generating inverse DNS queries to resolve IP addresses to host names.
True
Wireshark's pcapng format enables meta data to be saved with a trace file
True
Wireshark's services file contains a list of port numbers and application/protocol names.
True
You can reorder the filters contained in the dfilters file by manually editing the dfilters text file.
True
You can use Wireshark's Expressions to build display filters.
True
Multicasts and broadcasts are not listed in the Endpoints window because they cannot be assigned to a host.
False
NAT devices perform routing functions as well as name resolution functions.
False
Port numbers set in the HTTP Preferences window for HTTP or HTTPS traffic are temporary settings.
False
The Conversations window shown above indicates that there are two unique IP endpoints running over three Ethernet addresses. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf049-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
False
The Protocol Hierarchies window lists all the protocols and applications dissected by Wireshark even if those protocols or applications were not seen in a trace file.
False
The Protocol Hierarchy Statistics window shown above indicates that 10.53% of the IP traffic is ARP. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf051-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
False
The Time Reference setting is saved permanently with the trace file.
False
The first two packets of a single TCP handshake process can be used to determine the long term average round trip latency time between hosts.
False
The following capture filter will capture all FTP traffic on port 21 regardless of the destination or source host. host www.wiresharkbook.com and port 21
False
The ip.addr != 192.168.0.2 display filter shows all packets except ones that contain the address 192.168.0.2 in the source or destination IP address fields.
False
Time Reference packets are permanently set to a timestamp of 00:00:00 in a trace file.
False
UDP, TCP and ARP packets are counted in the IP Protocol Types statistic.
False
When you select Prepare a filter, the filter is immediately applied to the traffic.
False
Wireshark can playback encrypted VoIP conversations
False
Wireshark supports both capture filter macros and display filter macros
False
Wireshark's Epoch time display format is based on the time since January 1 00:00:00 of 2000.
False
Wireshark's HTTP packet counter lists the HTTP request types such as EHLO and RETR.
False
Wireshark's display filter syntax can be used for capture filters as well.
False
You can edit the services file to change Wireshark's OUI display value from one manufacturer name to another
False
You can sort the Time column to identify packets that have a large delay between them when you have set the Time column to Seconds Since Epoch.
False
What is the most efficient method for saving non-contiguous packets in a trace file?
Mark the packets and choose to save the marked packets.
Which statement about marked packets is true?
Marked packets are only temporarily marked.
Which feature is only available with promiscuous mode operation?
enables an interface to capture gratuitous ARP request packets
Which of the following methods can be used to avoid the "needle in a haystack issue" when analyzing network traffic?
place the analyzer appropriately
Which item can be saved with a Wireshark profile?
preference settings
Which of these filters can be used as either a capture filter or a display filter?
udp
Display filter macros can be shared by copying the dfilters file from one Wireshark system to another.
False
Display filters and capture filters can be interchanged because they use the same syntax.
False
Display filters cannot be applied during the capture process.
False
Your traffic contains many TCP retransmissions during an HTTP communication. Which of the coloring rules shown above would these packets match? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc023-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
Bad TCP
Which format is used by capture filters?
Berkeley Packet Filtering (BPF) format
How do you determine which Profile is in use while you are capturing traffic?
Examine the Profile column in the Status Bar
A trace file that is captured on a Wireshark system in Sydney, Australia and emailed to a Wireshark system in London, England will appear with the same Date/Time of Day value to both analysts if both Wireshark systems have correct local time zone settings.
False
Aggregating taps capture bi-directional full-duplex traffic and forward each direction of traffic to separate outbound ports.
False
All WLAN adapters supported by WinPcap can go into monitor mode
False
Any display filters created and saved while viewing the trace file shown above will be saved in the "Default" profile directory. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf025-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
False
Based on the image shown above, Wireshark's time display format is set to Seconds Since Beginning of Capture. [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/tf040-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
False
By default, Wireshark uses the Type of Service interpretation in the IP header instead of the DiffServ (Differentiated Services) interpretation.
False
Conversations colored using the right-click coloring method will remain colored when the trace file is opened on another Wireshark system.
False
Which communication can be used by a host to dynamically join a multicast group?
Internet Group Management Protocol (IGMP)
How do you quickly spot large gaps in time between packets in a trace file containing 10,000 packets?
Set the Time column to Seconds Since Previously Displayed Packet and sort the Time column
Which Wireshark feature provides an overview of saved or unsaved packets such as the time elapsed from the start to the end of the trace and total bytes in the trace file?
Summary Statistics
Which statement about the Coloring Rules configuration shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc039-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
The UDP coloring rule will be applied to all normal DHCP traffic
Which statement about the highlighted capture filter shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc021-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
The filter is based on the Berkeley Packet Filter (BPF) format.
AirPcap adapters can be used to expand Wireshark's ability to capture wireless network traffic in a Microsoft Windows environment.
True
By default, basic switches forward broadcasts and multicasts out all switch ports.
True
Which statement about the following display filter is true? eth.src[4:2] == 06:33
The number 2 indicates that Wireshark is looking for a two byte value.
Which statement about following TCP streams is correct?
This feature uses the TCP Stream Index value.
Which statement about the highlighted capture filter shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc014-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
This filter is illogical.
A switch will forward traffic out all ports if it does not have a MAC table entry for the target.
True
Which statement about capture filters is correct?
Wireshark includes a default set of capture filters.
Which statement about the Preferences setting shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc007-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
Wireshark may generate DNS PTR queries to resolve host names.
Which statement about the settings shown in the Preferences window above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc006-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
Wireshark will only capture traffic to the local adapter's broadcast or multicast addresses
Which statement about the Capture Options window shown above is correct? [https://century.learn.minnstate.edu/content/2020/4643127-20203001086/ppg/examview/Wireshark_101/00001_res/mc013-1.jpg?_&d2lSessionVal=uAyOnm9yUzWzB5YVx0kgrlu0Q]
Wireshark will scroll to display the most recent packet captured.
Which display filter is used to view all DHCPv4 traffic?
bootp
Which traffic type may be seen when you connect Wireshark directly to a switch without configuring port spanning or port mirroring?
broadcast traffic
What is the default name of the capture filter file?
cfilters
Which Wireshark element can be created using the display filter syntax?
coloring rules
What is the purpose of creating Wireshark profiles?
customize Wireshark for more efficient analysis in specific environments
What is the purpose of the gratuitous ARP process?
identify duplicate IP addresses on the network
Which packet type may be transmitted by Wireshark when you enable network name resolution?
inverse DNS queries
Which filter can be used as a coloring rule?
ip.ttl < 20
Which link layer interface is used to capture wired network traffic when Wireshark is running on a Linux host?
libcap
What does Wireshark's UDP Multicast Streams burst measurement interval depict?
number of multicast packets within a specific number of milliseconds
Which address type can be mapped with Wireshark's GeoIP mapping services?
public IP addresses
Which traffic characteristic is commonly seen when analyzing database record transfers?
small packet sizes
Which capture filter would capture traffic to and from TCP ports 20 through 25?
tcp portrange 20-25
Which display filter shows all the TCP Expert Infos warnings and notes?
tcp.analysis.flags
