5a
tcpdump
- a non-GUI, strictly CLI-based packet capture program - widely available on Linux distributions but can also be run on Windows machines
Wireshark
- the de facto standard network protocol analyzer - a GUI-based packet capture program - can examine entire frames in addition to the packets encapsulated inside them
tshark
- a non-GUI, strictly CLI-based packet capture program - distributed alongside the GUI-based program Wireshark, of which it is the command-line counterpart
Software that falls under the umbrella of packet capture is
- designed to capture whole packets: the headers together with the data between the packet header and the packet trailer (footer), known as the payload - designed to do this for traffic addressed to nodes on the computer network other than itself
In Wireshark, the relative sequence number shown on the first segment of a stream (the SYN) is ___ by default; because the SYN consumes one sequence number, the first data byte and the acknowledgment in the handshake ACK are both numbered ___, and from there the numbers increase by the number of bytes carried, as you would expect
0; 1
By default, Wireshark ships with ____ separate coloring rules, each keyed on a display filter expression
20
When tcpdump is used as a packet capture tool, most of its default output describes layer ___ (IP addresses) with a little bit of layer ___ (ports, TCP flags)
3; 4
When a TCP conversation between two nodes begins, each side generates a random __-_____ (32-bit) initial sequence number (ISN) from which its bytes are counted
4-byte
Packet contents printed by tcpdump are not human-friendly and are highly technical in nature: payload bytes are dumped either as __________ (-A) or as ___________ (-x / -X) values
ASCII; hex
When using the above programs, ___ _______ can be supplied on the command line (or as a Wireshark capture filter) to narrow which packets are captured.
BPF syntax
By default, a node's NIC is programmed to accept and pass frames up to the _________ __________ only when the destination MAC address of the received frame matches either the...
Operating System (OS); MAC address of the receiving NIC or the broadcast address (FF:FF:FF:FF:FF:FF); multicast groups the host has joined are accepted as well
Often, network protocol analyzers are also referred to as __________ __________ programs
Packet Capture
By default, a node's NIC is programmed to accept and pass frames up to the Operating System (OS) only when the destination MAC address of the received frame matches either the MAC address of the receiving NIC or the broadcast address (FF:FF:FF:FF:FF:FF). This check can be circumvented by enabling what is known as _________ ________ on the NIC
Promiscuous Mode
In BPF syntax a primitive is an id (an address, port, network or protocol name) preceded by one or more of what are known as
Qualifiers (type: host, net, port; dir: src, dst; proto: ether, ip, ip6, tcp, udp)
Because raw initial sequence numbers are random, the analyzer also assigns each direction of a TCP conversation a ___________ ___________ ____________ and a __________ _____________ ____________ (both counted from the ISN, so the conversation starts near 0) to make the starting point of a conversation and its progress easy to read.
Relative Sequence Number; Relative Acknowledgment Number
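The relative numbering described on the sequence-number cards above, worked through in code. This is an added example, not material from the original card set: it builds a constructed TCP conversation (addresses, ports and ISNs are made up) and converts the absolute 32-bit sequence and acknowledgment numbers to relative ones the way Wireshark displays them, including the case where the absolute number wraps past 2^32.

```python
"""
Added example (not from the original cards): how an analyzer such as Wireshark
turns raw 32-bit TCP sequence/acknowledgment numbers into relative ones.
The conversation below is constructed; addresses, ports and ISNs are made up.
"""
import random

# A segment as it appears in a capture. seq and ack are the absolute 32-bit
# values on the wire; flags is a string such as "S", "SA", "A" or "PA".
# Tuple layout: (src, dst, flags, seq, ack, payload_len)
MOD = 2 ** 32


def relative_numbers(segments):
    """Return [(rel_seq, rel_ack), ...] for the segments of one conversation.

    Each direction has its own ISN, taken from that side's SYN. A sender's seq
    is shown relative to its own ISN, its ack relative to the peer's ISN, so
    the SYN reads Seq=0 and the handshake ACK reads Seq=1 Ack=1. Arithmetic
    is done mod 2**32 so a wrapped absolute number still gives the right offset.
    """
    isn = {}  # endpoint -> ISN announced in that endpoint's SYN
    result = []
    for src, dst, flags, seq, ack, _length in segments:
        if "S" in flags and src not in isn:
            isn[src] = seq
        rel_seq = (seq - isn[src]) % MOD
        rel_ack = (ack - isn[dst]) % MOD if "A" in flags and dst in isn else 0
        result.append((rel_seq, rel_ack))
    return result


def sample_conversation(client_isn=0xFFFFFFF0, server_isn=None):
    """Constructed three-way handshake, a 100-byte request and a 30-byte reply.

    client_isn defaults to a value 16 below 2**32 so that the client's
    absolute sequence number wraps around during the conversation.
    """
    if server_isn is None:
        server_isn = random.Random(7).getrandbits(32)  # reproducible "random" ISN
    c, s = "10.0.0.5:51000", "10.0.0.1:443"
    ci, si = client_isn, server_isn
    return [
        (c, s, "S",  ci % MOD,         0,                0),    # SYN
        (s, c, "SA", si % MOD,         (ci + 1) % MOD,   0),    # SYN-ACK
        (c, s, "A",  (ci + 1) % MOD,   (si + 1) % MOD,   0),    # ACK
        (c, s, "PA", (ci + 1) % MOD,   (si + 1) % MOD,   100),  # request
        (s, c, "A",  (si + 1) % MOD,   (ci + 101) % MOD, 0),    # ack of request
        (s, c, "PA", (si + 1) % MOD,   (ci + 101) % MOD, 30),   # reply
        (c, s, "A",  (ci + 101) % MOD, (si + 31) % MOD,  0),    # ack of reply
    ]


if __name__ == "__main__":
    segs = sample_conversation()
    for (src, dst, flags, seq, ack, length), (rs, ra) in zip(segs, relative_numbers(segs)):
        print(f"{src} -> {dst} [{flags}] seq={seq:#010x} ack={ack:#010x} "
              f"len={length}  relative: Seq={rs} Ack={ra}")
```

Run it and the last segment shows an absolute sequence number of 0x55 (the client's counter has wrapped) but a relative sequence number of 101, which is what the analyzer would print; the relative values are the same whichever ISNs are chosen.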
Additional levels of detail beyond the default can be requested; these are referred to as ___________ levels within the program (tcpdump -v, -vv, -vvv)
Verbose
In BPF syntax, a Primitive is a reference to
a value (address, network, port or protocol) that is matched against a header field at layer 2, 3 or 4 to help with filtering
conversations view
a Wireshark view (Statistics > Conversations) that lists every conversation between a source and destination node identified during a packet capture
protocol hierarchy view
a Wireshark view (Statistics > Protocol Hierarchy) that lists every protocol identified during a packet capture and the percentage of traffic each accounts for
Berkeley Packet Filter (BPF) Syntax
the filter-expression language (primitives joined with and, or, not) used by tcpdump, tshark and Wireshark capture filters to decide which packets are captured and presented to a human user
Stream
created when Wireshark identifies an individual conversation in a capture, organizes its packets and assigns them to a stream
BPFs interface directly with the ______ ______ ______ of the OSI reference model to _________ frames, and act as a filter that breaks up...
data link layer; capture; larger packet captures of network traffic into smaller, narrower results by filtering on a specific type of traffic
In promiscuous mode, once a frame has been passed up to the node's OS, packet capture software can...
decapsulate the frame and analyze and extract information from the PDU headers and the payload contained within.
When performing a packet capture, the packets belonging to one individual conversation will naturally be __________ and ___________ among everything else captured, because of the volume of traffic.
dispersed; disorganized
Wireshark introduces what is known as a ________ ________ (its own filter syntax, applied after capture) in addition to the BPF filter built into the GUI program, which is referred to as the ______ _______
display filter; capture filter
Qualifiers further
restrict what a primitive's id is matched against: its type (host, net, port), its direction (src, dst) and its protocol (for example: ip for IPv4 or ip6 for IPv6).
Wireshark can examine entire frames in addition to the packets encapsulated inside them. Because of this, this type of traffic analysis is sometimes referred to as a
frame capture
It is important to note that, before a packet capture occurs, simply because a NIC has been configured in promiscuous mode
frames addressed to other nodes will not automatically be sent to the machine performing the packet capture (a switch forwards a unicast frame only to the port where it learned the destination MAC address)
Wireshark does not simply provide details about packet traffic but also provides what, and why?
full protocol decodes of the captured traffic, because Wireshark has dissectors that understand most of the network protocols that can be observed on a computer network
A __________ ___________ __________ is used when performing more thorough and in-depth analysis of a computer network's traffic
network protocol analyzer
It is important to note that, before a packet capture occurs, simply because a NIC has been configured in promiscuous mode, frames addressed to other nodes will not automatically be sent to the machine performing the packet capture. An additional step, known as _________ ____________ (configured on the switch; SPAN on Cisco switches), must be performed, which will...
port mirroring; replicate the traffic crossing a specific link or port to the mirror port that the capturing machine is connected to
When tcpdump is used as a packet capture tool, most of its output contains information related to
primarily layer 3 (IP addresses) and a little bit of layer 4 (ports, TCP flags)
packet sniffing/packet capturing
the process of capturing data destined for another node on a computer network
a display filter is purely for
separating and categorizing data that has already been captured, as it is presented to the user during a Wireshark session; it does not change what was captured
You can specify either a ________ primitive or combine ___________ primitives (with and, or, not) when creating a filter with BPF.
single; multiple
A primitive in BPF syntax can be, for example, a ________ or ________ IP address (src host ... / dst host ...)
source; destination
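The NIC destination-MAC rule, promiscuous mode, frame decapsulation and BPF-style primitives from the cards above, combined into one runnable model. This is an added example and not code from the original card set or from tcpdump/libpcap: it builds a few constructed Ethernet/IPv4 frames (all MAC addresses, IP addresses, ports and payloads are made up), applies the NIC's accept rule with and without promiscuous mode, decapsulates what gets through, and evaluates a small subset of BPF primitives (host/port ids with src/dst direction qualifiers, plus the tcp/udp protocol qualifiers, joined with "and").

```python
"""
Added example (not from the original cards): the NIC's destination-MAC check,
what promiscuous mode changes, frame decapsulation, and a small evaluator for
BPF-style primitives (qualifiers + id, joined with "and"). Every frame, MAC,
IP address and port below is constructed for illustration.
"""
import struct
from dataclasses import dataclass

BROADCAST = bytes.fromhex("ffffffffffff")
NIC_MAC = bytes.fromhex("aa0000000005")    # the capturing node's own NIC (constructed)
OTHER_MAC = bytes.fromhex("bb0000000009")  # another node on the same segment (constructed)
GW_MAC = bytes.fromhex("cc0000000001")     # the gateway (constructed)


@dataclass
class Packet:
    dst_mac: bytes
    src_mac: bytes
    src_ip: str
    dst_ip: str
    proto: int      # IPv4 protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    payload: bytes


def nic_accepts(frame, nic_mac, promiscuous):
    """Default NIC rule: pass the frame up only if it is addressed to this NIC
    or to the broadcast address. Promiscuous mode disables the check."""
    return promiscuous or frame[:6] in (nic_mac, BROADCAST)


def decapsulate(frame):
    """Ethernet II -> IPv4 (no options) -> TCP/UDP header -> payload."""
    dst_mac, src_mac, _ethertype = struct.unpack("!6s6sH", frame[:14])  # 0x0800 assumed
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, UDP fixed 8
    return Packet(dst_mac, src_mac, src_ip, dst_ip, proto, src_port, dst_port, l4[hdr_len:])


def _fields(quals, src, dst):
    """Apply the dir qualifier: src only, dst only, or either when none given."""
    if "src" in quals:
        return [src]
    if "dst" in quals:
        return [dst]
    return [src, dst]


def matches(pkt, primitive):
    """One BPF-style primitive: [dir] type id, or a bare proto (tcp / udp)."""
    words = primitive.split()
    if words == ["tcp"]:
        return pkt.proto == 6
    if words == ["udp"]:
        return pkt.proto == 17
    *quals, value = words
    if "host" in quals:
        return value in _fields(quals, pkt.src_ip, pkt.dst_ip)
    if "port" in quals:
        return int(value) in _fields(quals, pkt.src_port, pkt.dst_port)
    raise ValueError(f"unsupported primitive: {primitive!r}")


def capture(frames, nic_mac, promiscuous, expression):
    """Model a capture: NIC accept check, decapsulation, then the filter
    (primitives joined by 'and'; or/not are left out to keep this short)."""
    prims = [p.strip() for p in expression.split(" and ")]
    accepted = (decapsulate(f) for f in frames if nic_accepts(f, nic_mac, promiscuous))
    return [p for p in accepted if all(matches(p, q) for q in prims)]


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed frame: Ethernet II + minimal IPv4 + TCP (20 B) or UDP (8 B)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip + l4


def sample_frames():
    """Four constructed frames: one to us, two to another node, one broadcast."""
    return [
        build_frame(NIC_MAC, GW_MAC, "10.0.0.1", "10.0.0.5", 6, 443, 51000, b"hello"),
        build_frame(OTHER_MAC, GW_MAC, "10.0.0.1", "10.0.0.9", 6, 80, 50001, b"GET /"),
        build_frame(BROADCAST, OTHER_MAC, "10.0.0.9", "255.255.255.255", 17, 68, 67, b"\x01"),
        build_frame(OTHER_MAC, GW_MAC, "10.0.0.1", "10.0.0.9", 17, 53, 40000, b"\x00"),
    ]
```

With promiscuous mode off, `capture(sample_frames(), NIC_MAC, False, "host 10.0.0.9 and tcp")` returns nothing, because the only frame that would match was addressed to OTHER_MAC and the NIC dropped it before any filter ran; with promiscuous mode on, the same call returns that one packet with payload `b"GET /"`. The broadcast frame is the one frame to another node's traffic that is seen either way, which is why the cards note that promiscuous mode alone is not enough on a switched network.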
Wireshark automatically performs the calculations necessary to determine the _______ and ________ of a conversation and assigns it to a __________ that can be followed within the program (Follow > TCP Stream).
start; finish; stream
The conversations view includes but is not limited to relevant information such as
the total number of packets transmitted in the conversation, the duration of the conversation, and the total number of bytes transmitted in the conversation
The protocol hierarchy view includes but is not limited to relevant information such as
the total number of packets that used a specific protocol and the total number of bytes transmitted in relation to that protocol
In contrast to tcpdump, tshark is much more granular in the level of detail that can be viewed because
tshark can be told to print specific fields from captured packets (-T fields -e <field name>) instead of the whole-packet summary that tcpdump prints.
Promiscuous Mode
forces a NIC to pass every received frame up to the node's OS regardless of the destination MAC address in the frame header.