5a

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

tcpdump

- a non-GUI and strictly CLI based packet capture program - widely available on Linux OS distributions but can also be run on Windows OS machines

WireShark

- de facto standard for network protocol analyzers - GUI-based packet capture program - provides a functionality to examine entire frames in addition to the packets encapsulated inside of them

tshark

- non-GUI and strictly CLI based packet capture program - widely distributed alongside a GUI based program known as WireShark

Software that falls under the umbrella of being a packet capture is

- specifically designed to capture data between a packet header and packet footer known as the payload - designed to do this for traffic that is addressed to nodes on a computer network other than itself

The starting relative sequence number and acknowledge numbers are both ___ by default and increment in progression as you would expect

1

By default, there are ____ separate coloring rules for a display filter

20

When tcpdump is used as a packet capture, most of the output for the program will contain information that is related to primarily layer ___ and a little bit of layer ___

3; 4

when conversations between nodes using TCP initiate, they generate a random __-_____ initial sequence number to track it

4-byte

By default, most of the information from a tcpdump is presented in a non-human friendly manner and extremely technical in nature as either __________ or ___________ code values

ASCII; HEX

When utilizing the above programs, ___ _______ can be applied to the commands executed on the packet capture CLI to further specify results.

BPF syntax

By default, NICs on nodes for a computer network are programmed to only receive and forward frames up to the _________ __________ when the destination MAC address of the received frame matches either the...

Operating System (OS); MAC address of the receiving NIC or is a broadcast frame (FF:FF:FF:FF.FF:FF)

Often, network protocol analyzers are also referred to as __________ __________ programs

Packet Capture

By default, NICs on nodes for a computer network are programmed to only receive and forward frames up to the Operating System (OS) when the destination MAC address of the received frame matches either the MAC address of the receiving NIC or is a broadcast frame (FF:FF:FF:FF.FF:FF). However, this can be circumvented via enabling what is known as _________ ________ for an NIC

Promiscuous Mode

Primitives in BPF syntax are then followed by what are known as

Qualifiers

The random sequence numbers used in the TCP conversation are also assigned what is known as a ___________ ___________ ____________ and acknowledges a __________ _____________ ____________ to further assist in identifying the starting point of a conversation and how it progresses.

Relative Sequence Number; Relative Acknowledgment Number

There are additional levels of detail which can be increased beyond the default referred to as ___________ levels within the program

Verbose

A BPF syntax contains what is known as a Primitive which is a reference to

a field in a layer 3 PDU header to help with filtering

conversations view

a view option that allows viewing every conversation between a source and destination node that has been identified during a packet capture

protocol hierarchy view

a view option that allows viewing every protocol that has been identified during a packet capture and percentages related to their use

Berkley Packet Filter (BPF) Syntax

accomplishes packet capturing and presentation of the information to a human user

Stream

created when WireShark captures an individual conversation, organizes it, and assigns it (to a stream)

BPFs are meant to interface directly with the ______ ______ ______ of the OSI reference model to _________ frames and act as a filter to break up...

data link layer; capture; larger packet captures of traffic on a computer network into smaller more narrower results by filtering based on a specific type of traffic

in promiscuous mode, Once the node of an OS has been forwarded the frame, packet capture software can...

decapsulate the frame and analyze and extract information from the PDU headers and payload contained within.

When performing a packet capture, packets belonging to a specific individual conversation will naturally be __________ and ___________ due to the amount of traffic that is being captured.

dispersed; disorganized

WireShark introduces what is known as a ________ ________ in addition to the BPF that is built into the GUI program and referred to as the ______ _______

display filter; capture filter

Qualifiers help further

filter packet captures based on criteria such as protocols (for example: IPv4 or IPv6).

WireShark provides a functionality to examine entire frames in addition to the packets encapsulated inside of them. Because of this, this type of traffic analysis is sometimes referred to as a

frame capture

It is important to note that before a packet capture occurs and simply because a NIC has been configured in promiscuous mode

frames will not be automatically sent to the machine that is performing a packet capture

WireShark will not just simply provide details regarding packet traffic but will also provide what and why?

full protocol decodes that are being used in said traffic because WireShark is programmed to have a thorough understanding of most network related protocols that can be observed on a computer network

__________ ___________ __________ may be used when performing more thorough and in-depth analysis of a computer network's traffic

network protocol analyzer

It is important to note that before a packet capture occurs and simply because a NIC has been configured in promiscuous mode, frames will not be automatically sent to the machine that is performing a packet capture. An additional step that must be performed is known as _________ ____________ which will...

port mirroring; replicate traffic across a specific link to the Mirrored Port

When tcpdump is used as a packet capture, most of the output for the program will contain information that is related to

primarily layer 3 and a little bit of layer 4

packet sniffing/packet capturing

process of capturing data destined to another node on a computer network

display filter is purely for

separating and categorizing data that is presented to the user during a packet capture session (in WireShark)

You can specify either a ________ primitive or have ___________ primitives when creating a filter with BPF.

single, multiple

A primitive in the context of BPF syntax can be a ________ or ________ IP address for example

source; destination

WireShark will automatically perform the calculations necessary to determine the _______ and ________ of said conversation and assign it to a __________ that can be followed within the program.

start; finish; stream

The conversations view includes but is not limited to relevant information such as

total number of packets transmitted in the conversation, duration of the conversation, and total amount of bytes transmitted in the conversation

The protocol hierarchy view includes but is not limited to relevant information such as

total number of packets which utilized a specific protocol and total number of bytes transmitted in relation to said protocol

In contrast to tcpdump, tshark is much more granular in the level of detail which can be viewed because

tshark can be forced to print specific fields from captured packets versus an entire captured packet as observed in tcpdump.

Promiscuous Mode

will force a NIC on a node to forward all received frames regardless of the destination MAC address specified in the header of the frame up to the receiving node's OS.


Kaugnay na mga set ng pag-aaral

Chapter 38 - Disclosures & Stigmatized Properties

View Set

Study Guide: chapter 8: Lousiana from colony t territory to state

View Set

Chapter 20 - Seizures, Dizziness, and Fainting

View Set