Network Administration
In the IP Header, the first four bits signify the IP version.
0100, 4, 0110, 6
Notice the six flags listed in the header, designated URG,ACK,PSH,RST,SYN,FIN. These represent Urgent, Acknowledge, Push, Reset, Synchronize and Finish. There are also two reserved bits in that byte, which are normally 0. What would be the value, in hex, associated with a SYN (only)?
0x02 . Correct. The bits (including the reserved) would be 0000 0010.
Notice the six flags listed in the header, designated URG,ACK,PSH,RST,SYN,FIN. These represent Urgent, Acknowledge, Push, Reset, Synchronize and Finish. There are also two reserved bits in that byte, which are normally 0. What would be the value, in hex, associated with a SYN-ACK?
0x12 .Correct. The bits (including the reserved) would be 0001 0010.
While doing an analysis in Wireshark, you come across these three packets. You recognize this as a TCP 3-way handshake (ask yourself how you would know that from this image). Which machine initiated the handshake?
10.0.2.6 The Source and Destination columns are the IP Addresses involved. 49468 -> 80 are the ports involved (source -> destination). All connections between two machines use a Source Address-Source Port and a Destination Address-Destination Port combination. This combination is called a Socket (covered in more detail later). This packet capture represents the initial packets establishing an HTTP connection (Port 80) to a server.
Which of the following could represent 1 Byte?
1010 0101 Remember that we use Hex characters because there is a direct relationship between 4 bits of binary and 1 hex character. This means that a single Byte, which is 8 bits, can be represented by 2 Hex characters. Thus 1010 0101 in binary is 0xA5 in Hex (0x at the beginning indicates Hex characters)
What is 0xFF in binary?
1111 1111
The loopback address is a very important address for computer communications. Which of the following is a loopback address?
127.0.0.1
A Class A network has the following format: network.host.host.host. That is, the network is the first octet. The host portion of the IP address is the last three octets and has the values 0-255.0-255.0-255. How many hosts are possible on a Class A network?
16,777,216 [256*256*256 = 16,777,216]
How many bits is 20 Bytes?
160 Bits ( 20 Bytes x 8 Bits/Byte = 160 Bits)
Which of the following is a valid IPv4 address?
192.168.10.50
How large is a TCP Segment Header?
20 Bytes
What port is typically used for SSH?
22
How many twisted pairs are in a typical Cat 5/6 cable?
4 pairs (8 wires)
The Hex digit immediately following the IP Version is the header size. What size is this header?
5 * 4 bytes = 20 bytes Remember that the first byte (2 hex characters) is the IP Version and the IHL (Internet Header Length). In this case, the first byte is 0x45. The 4 means it is IPv4 and has nothing directly to do with the header length. The 5 means that the header is 5 four byte groups. That is, it is 5 * 4 bytes = 20 bytes (160 bits).
How big is a MAC address? Hint: In HEX a MAC address might look like: 08:00:27:AC:64:0A
6 Bytes (48 Bits)
The Source Port and Destination Port are each 16 bits long. What is the largest port number in decimal?
65535. With 16 bits and 2 possibilities per bit (1 or 0), that means there are: 216=65,536 However, that is the total number of possibilities and they go from 0 - 65,535.
How large is a UDP Datagram Header?
8 Bytes
What is the IEEE standard that describes WiFi?
802.11
What is a VLAN?
A broadcast domain
What is a pcap file?
A saved Packet CAPture file that can be analyzed offline
In the following Frame header, the TCP flags have been highlighted. What type of TCP packet is this?
ACK
What is Trunking?
Allows switches to route traffic between VLANs
What does a bridge device do in networking?
Allows traffic from one network segment to be sent to another network segment
As a Cybersecurity tool, what does Wireshark allow us to do? Select the best answer!
Analyze data packets on the network
OSI model Layer 7
Application Layer
What is the decimal 192 in Hex?
C0
OSI model Layer 2
Data Link Layer
What is encapsulation?
Embedding the layer above as the payload, so that the data can be handled by the current layer
What is a packet?
Encapsulated data sent on Layer 3.
Why is TCP better than UDP?
Ensures there are no errors in the transmission of data.
Which is the most dominant technology for wireless and wired networking?
Ethernet
A 10Mbps (Megabit per second) device cannot communicate with a 1Gbps (Gigabit per second) device
False
Using a pcap file can help us spot an adversary in real time.
False
Wireshark can be used to view network traffic on any network in the world.
False. Wireshark can only view traffic on a local NIC or from a saved pcap file. We cannot view traffic beyond our network.
While examining packets in Wireshark, you come across 4 packets that have the following IP addresses and flags set: What just happened?
IP1 initiated a TCP Shutdown
This is a Hex dump of an Ethernet Frame. The IP header is highlighted in blue. Is this IPv4 or IPv6?
IPv4
What does the OID (Organizational IDentifier) portion of a MAC address (Media Access Control) do?
Identifies the Vendor or Manufacturer. This is also referred to as the OUI (Organizationally Unique Identifier)
Why was IPv6 introduced?
Lack of available IPv4 addresses
What is a CRC (Cyclical Redundancy Check)?
Layer 1/2 detection of errors in a frame and drops the frame if an error occurs
Which Layer does Ethernet primarily work on?
Layer 2
Which layer of the OSI model is the end user mostly likely to be interact with directly?
Layer 7, Application
What does MAC stand for?
Media Access Control
What does NIC stand for?
Network Interface Card
OSI model Layer 3
Network Layer
TCP Model Layers to OSI Layers (Internet Layer)
Network Layer
Frame Method: Broadcast
One node communicating to all destinations on a broadcast domain
Frame Method: Unicast
One node communicating with one destination
Frame Method: Mulicast
One node communicating with one or more specific nodes on a network
OSI model Layer 1
Physical Layer
TCP Model Layers to OSI Layers (Network Access Layer)
Physical and Data Link Layers
OSI model Layer 6
Presentation Layer
Why is the Spanning Tree Protocol necessary?
Prevents loops on Layer 2
What is the connector typically used by Cat 5/6 cables?
RJ45
Which of the following would be a Layer 1 Physical medium?
RJ45
What is a TCP three way handshake?
SYN - SYN/ACK - ACK packets
OSI model Layer 5
Session Layer
TCP Model Layers to OSI Layers (Application Layer)
Session, Presentation and Application Layers
What does the command ip a do?
Shows the IP Addresses associated with all the NICs
What does a repeater do?
Strengthens weak signals to allow for a greater distance between nodes
OSI model Layer 4
Transport Layer
TCP Model Layers to OSI Layers (Transport Layer)
Transport Layer
Data gets encapsulated from Layer 7 in the OSI model down to Layer 1.
True
Ethernet speed can be affected by Layer 1 media
True
Cat 5, 5e, 6 and 6e are types of what kind of cable?
Twisted Pair
What does the ping command do?
Verifies connectivity between two systems using the ICMP protocol.
What does Wireshark allow us to do?
View the actual bits on the wire so we can analyze the frames, packets, etc.
When would UDP be better than TCP?
When you need a faster connection, but you're not worried about every packet arriving
You use the cat command on an /etc/hosts files and see the following entry: 127.0.0.1 google.com What will happen if you ping google.com?
You will get a successful ping result, but it will be coming from the local computer
Wireshark
a tool often used by Network Administrators, cybersecurity professionals and others needing to view the actual information on the wire.
The last eight bytes of the IP header contain the Source Address and Destination address (if there are no options or padding present). Remember that two hex characters is one byte. In the following header, there are no options or padding. What is the Source and Destination addresses (look only in the blue highlighted IP header)?
acd9020a or ac d9 02 0a ; c0a8005a or c0 a8 00 5a
Which of the following would give 1 ping only to the specified address?
ping -c 1 192.168.10.50