CVF 1085 Assessment Questions


In the trace file shown above, Wireshark's time display format is set to Seconds Since Beginning of Capture. Which statement about this trace file is correct?
The Time column has been sorted.
Packet 5 arrived 0.034876 seconds before Packet 6.
The timestamps of Packet 1 through Packet 5 are invalid.
Packet 11 arrived 0.053866 seconds later than Packet 6.

Packet 11 arrived 0.053866 seconds later than Packet 6.

Which statement about the Coloring Rules configuration shown above is correct?
All the coloring rules listed are based on capture filters.
The Clear button will restore the coloring rules to the default set.
HTTP packets with the reset bit set on will be colored based on the HTTP coloring rule.
UDP packets containing checksum errors will be displayed based on the UDP coloring rule.

The Clear button will restore the coloring rules to the default set.

Comparison and logical operators enable you to combine multiple display filters to further define the traffic of interest.

True

Custom columns can be added to and rearranged in the Packet List pane.

True

Several dissectors may be applied to a single packet.

True

The Conversations window shown above includes 239.255.255.250 as an endpoint.

True

The MAC name resolution process resolves the first 3 bytes of the MAC address to the OUI value contained in Wireshark's manuf file.

True

You can use Wireshark's Expressions to build display filters.

True

NAT devices perform routing functions as well as name resolution functions.

False

Port numbers set in the HTTP Preferences window for HTTP or HTTPS traffic are temporary settings.

False

The UDP header checksum calculation is required for all UDP-based communications.

False

The first two packets of a single TCP handshake process can be used to determine the long term average round trip latency time between hosts.

False

The following capture filter will capture all FTP traffic on port 21 regardless of the destination or source host.
host www.wiresharkbook.com and port 21

False

When you select Prepare a filter, the filter is immediately applied to the traffic.

False

Wireshark supports both capture filter macros and display filter macros.

False

Which statement about marked packets is true?
Marked packets can be used to generate display filters.
Marked packets are automatically saved in a temporary file.
Marked packets are only temporarily marked.
Marked packets can be created using coloring rule settings.

Marked packets are only temporarily marked.

Which item can be saved with a Wireshark profile?
preference settings
most recent IO Graph settings
services file
editcap scripts

preference settings

Which of these filters can be used as either a capture filter or a display filter?
dns
udp
dhcp
broadcast

udp

Network analyzers may cause security concerns because they can be used maliciously to listen in on unencrypted network traffic.

True

Packet timestamps are saved inside pcap and pcap-ng files so the packet timestamps can be displayed when the file is opened again.

True

The Frame section of a packet always indicates which coloring rule has been applied to the packet.

True

The cfilters file can be shared with other Wireshark users by copying the file into another host's personal preferences folder.

True

The filter shown above will display all ARP packets as well as all TCP packets seen by Wireshark.

True

The location of Wireshark personal preference files is listed under Help | About Wireshark | Folders.

True

When you disable the TCP protocol decoding process, applications that use TCP (such as HTTP and FTP) will not be decoded.

True

Wireshark can play back encrypted VoIP conversations.

True

Wireshark contains several pre-defined columns that can be quickly added to the Packet List pane by right-clicking on a field in the Packet Details pane.

True

Wireshark's .pcapng format enables meta data to be saved with a trace file.

True

Wireshark's Status Bar indicates the number of packets shown after a display filter is applied.

True

Wireshark's default set of display filters are saved in a file called dfilters in the global configuration directory.

True

Wireshark's network name resolution process references Wireshark's hosts file before generating inverse DNS queries to resolve IP addresses to host names.

True

You can reorder the filters contained in the dfilters file by manually editing the dfilters text file.

True

Which capture filter would capture traffic to and from TCP ports 20 through 25?
tcp port 20-25
tcp.port > 19 && tcp.port < 26
tcp port gt 19 and tcp port lt 26
tcp portrange 20-25

tcp portrange 20-25

Which display filter shows all the TCP Expert Infos warnings and notes?
expert.all
tcp.errors
tcp.analysis.flags
expert.info.composite

tcp.analysis.flags

Display filters cannot be applied during the capture process.

False

Multicasts and broadcasts are not listed in the Endpoints window because they cannot be assigned to a host.

False

The Conversations window shown above indicates that there are two unique IP endpoints running over three Ethernet addresses.

False

The Protocol Hierarchies window lists all the protocols and applications dissected by Wireshark even if those protocols or applications were not seen in a trace file.

False

The Protocol Hierarchy Statistics window shown above indicates that 10.53% of the IP traffic is ARP.

False

The Time Reference setting is saved permanently with the trace file.

False

The ip.addr != 192.168.0.2 display filter shows all packets except ones that contain the address 192.168.0.2 in the source or destination IP address fields.

False

Time Reference packets are permanently set to a timestamp of 00:00:00 in a trace file.

False

UDP, TCP and ARP packets are counted in the IP Protocol Types statistic.

False

Wireshark's Epoch time display format is based on the time since January 1 00:00:00 of 2000.

False

Wireshark's HTTP packet counter lists the HTTP request types such as EHLO and RETR.

False

You can edit the services file to change Wireshark's OUI display value from one manufacturer name to another.

False

You can sort the Time column to identify packets that have a large delay between them when you have set the Time column to Seconds Since Epoch.

False

Display filters can be created based on the contents of fields that do not actually exist in a packet such as the Time Since Referenced or First Packet field.

True

ICMP Type 3/Code 4 packets (Destination Unreachable/Fragmentation Needed, but Don't Fragment Bit was Set) may indicate that a router along a path cannot forward a packet.

True

If you want to view decrypted SSL/TLS traffic, a valid RSA key setting is required prior to using Follow SSL Stream.

True

Which link layer interface is used to capture wired network traffic when Wireshark is running on a Linux host?
WinPcap
AirPcap
dumpcap
libcap

libcap

Your traffic contains many TCP retransmissions during an HTTP communication. Which of the coloring rules shown above would these packets match?
HTTP
Bad TCP
TCP RST
WLAN Retries

Bad TCP

Which format is used by capture filters?
Berkeley Packet Filtering (BPF) format
libpcap format
color filter format
editcap format

Berkeley Packet Filtering (BPF) format

How can you quickly identify all WLAN BSSIDs seen in a trace file?
Open Statistics | WLAN Traffic
Sort on the MAC header type field value
Open Statistics | Summary
Apply a wlan display filter

Open Statistics | WLAN Traffic

How do you determine which Profile is in use while you are capturing traffic?
Examine the Wireshark Title Bar.
Open and examine Preferences | Interface.
Examine the Profile column in the Status Bar.
Expand and examine the Frame information.

Examine the Profile column in the Status Bar

All WLAN adapters supported by WinPcap can go into monitor mode.

False

A trace file that is captured on a Wireshark system in Sydney, Australia and emailed to a Wireshark system in London, England will appear with the same Date/Time of Day value to both analysts if both Wireshark systems have correct local time zone settings.

False

Aggregating taps capture bi-directional full-duplex traffic and forward each direction of traffic to separate outbound ports.

False

Any display filters created and saved while viewing the trace file shown above will be saved in the "Default" profile directory.

False

Based on the image shown above, Wireshark's time display format is set to Seconds Since Beginning of Capture.

False

By default, Wireshark uses the Type of Service interpretation in the IP header instead of the DiffServ (Differentiated Services) interpretation.

False

Conversations colored using the right-click coloring method will remain colored when the trace file is opened on another Wireshark system.

False

Display filter macros can be shared by copying the dfilters file from one Wireshark system to another.

False

Display filters and capture filters can be interchanged because they use the same syntax.

False

Which communication can be used by a host to dynamically join a multicast group?
Multicast DNS (mDNS)
Open Shortest Path First (OSPF)
Internet Group Management Protocol (IGMP)
Protocol Independent Multicast (PIM)

Internet Group Management Protocol (IGMP)

What is the most efficient method for saving non-contiguous packets in a trace file?
Mark the packets and choose to save the marked packets.
Apply a capture filter for each packet and save all colored packets.
Right click and copy the packets individually to a new instance of Wireshark.
Open each packet in a new window and save them under the same file name.

Mark the packets and choose to save the marked packets.

How do you quickly spot large gaps in time between packets in a trace file containing 10,000 packets?
Sort the packets based on the Time Since Reference or First Frame in the frame details section.
Set the Time column to Seconds Since Epoch and scroll through the trace file.
Open and examine the Notes section of Wireshark Expert Infos window.
Set the Time column to Seconds Since Previously Displayed Packet and sort the Time column.

Set the Time column to Seconds Since Previously Displayed Packet and sort the Time column

Which Wireshark feature provides an overview of saved or unsaved packets such as the time elapsed from the start to the end of the trace and total bytes in the trace file?
IO Graphs
Flow Graphs
Summary Statistics
Expert Info Composite

Summary Statistics

Which statement about the TCP stream shown above is correct?
The HTTP client will load the page from cache.
The HTTP client sent an HTTP GET request for the default page.
The HTTP server refused the client's TCP connection attempt.
The HTTP server redirected the client's request to another server.

The HTTP client sent an HTTP GET request for the default page

Which statement about the Coloring Rules configuration shown above is correct?
The HTTP coloring rule will identify HTTP and SSL/TLS traffic.
The UDP coloring rule will be applied to all normal DHCP traffic.
TCP packets with incorrect checksums will be colorized based on the Checksum Errors coloring rule.
The TCP SYN/FIN coloring rule will identify packets that have both the SYN and FIN bits set to 0 in a packet.

The UDP coloring rule will be applied to all normal DHCP traffic

Which statement about the highlighted capture filter shown above is correct?
The filter will only capture local broadcast traffic.
The filter is based on the Berkeley Packet Filter (BPF) format.
The filter will capture all traffic to and from D4:85:64:A7:BF:A3.
The filter is using Wireshark's display filter syntax.

The filter is based on the Berkeley Packet Filter (BPF) format.

Which statement about the following display filter is true?
eth.src[4:2] == 06:33
The number 2 indicates that Wireshark is looking for a two byte value.
The number 4 indicates that Wireshark is looking at the first four bytes of the Ethernet header.
The value 06:33 indicates that Wireshark is looking for Ethernet source addresses starting with 06:33.
The value 06:33 indicates that Wireshark is looking six bytes into the Ethernet header for the value 33.

The number 2 indicates that Wireshark is looking for a two byte value.

Display filters applied to a trace file before opening the Protocol Hierarchy Statistics window are automatically applied to the Protocol Hierarchy results displayed.

True

Which statement about following TCP streams is correct?
You must filter on a TCP conversation before following the stream.
You must capture the TCP handshake process to follow a TCP stream.
An endpoint filter is created when you follow any stream.
This feature uses the TCP Stream Index value.

This feature uses the TCP Stream Index value.

Which statement about the highlighted capture filter shown above is correct?
This filter is illogical.
DNS PTR queries will not be captured.
Only UDP packets will be captured using this filter.
ARP packets to or from the DNS server will not be captured.

This filter is illogical.

A switch will forward traffic out all ports if it does not have a MAC table entry for the target.

True

AirPcap adapters can be used to expand Wireshark's ability to capture wireless network traffic in a Microsoft Windows environment.

True

By default, basic switches forward broadcasts and multicasts out all switch ports.

True

Changing the Filter display max. list entries value in Wireshark's Preferences window enables you to alter the number of recently created display filters that Wireshark shows in the drop-down list.

True

Columns can be right or left aligned by right-clicking on their heading in the Packet List pane.

True

Which statement about capture filters is correct?
Capture filters are used for coloring rules.
Wireshark includes a default set of capture filters.
Capture filters can be applied after the capture process begins.
Capture filters can be applied while you are opening a trace file.

Wireshark includes a default set of capture filters.

Which statement about the Preferences setting shown above is correct?
Wireshark may generate DNS PTR queries to resolve host names.
Wireshark may generate port queries to ietf.org to resolve transport names.
Wireshark may generate OUI queries to ieee.org to resolve MAC addresses.
Wireshark may generate mDNS queries to resolve 500 host names simultaneously.

Wireshark may generate DNS PTR queries to resolve host names.

Which statement about the settings shown in the Preferences window above is correct?
The Protocol Hierarchy window will launch when the capture is started.
Wireshark will only capture traffic to the local adapter's broadcast or multicast addresses.
Wireshark will use inverse name queries to resolve local host addresses to IP addresses.
No interface is available.

Wireshark will only capture traffic to the local adapter's broadcast or multicast addresses

Which statement about the Capture Options window shown above is correct?
Wireshark will resolve IP addresses to host names.
Wireshark will scroll to display the most recent packet captured.
Wireshark will attempt to resolve OUI values for all MAC addresses.
Wireshark will automatically stop capturing packets after two files have been saved.

Wireshark will scroll to display the most recent packet captured.

Which display filter is used to view all DHCPv4 traffic?
bootp
dhcpv4
tcp.port==68
ip.addr==[address_of_dhcp_server]

bootp

Which traffic type may be seen when you connect Wireshark directly to a switch without configuring port spanning or port mirroring?
noise and interference
broadcast traffic
frames that contain CRC errors
DNS queries from all hosts

broadcast traffic

What is the default name of the capture filter file?
capture.txt
capturefilters.txt
cfilters
cformat

cfilters

Which Wireshark element can be created using the display filter syntax?
ACL rules
capture filters
coloring rules
reference packets

coloring rules

What is the purpose of creating Wireshark profiles?
dynamically create a hosts file based on saved trace files
create a manageable database of packets for use in third-party programs
discover and test WEP/WPA keys and pass phrases for traffic decryption
customize Wireshark for more efficient analysis in specific environments

customize Wireshark for more efficient analysis in specific environments

Which feature is only available with promiscuous mode operation?
enables an interface to capture packets that are sent to any MAC address
enables an interface to capture packets addressed to broadcast and multicast addresses
enables a WLAN adapter to capture packets regardless of the SSID value
enables an interface to capture gratuitous ARP request packets

enables an interface to capture gratuitous ARP request packets

What is the purpose of the gratuitous ARP process?
perform connectivity tests at periodic intervals
offer multicast MAC address resolution services
broadcast the local MAC address to local routers
identify duplicate IP addresses on the network

identify duplicate IP addresses on the network

Which packet type may be transmitted by Wireshark when you enable network name resolution?
DHCP requests
UDP multicasts
ping broadcasts
inverse DNS queries

inverse DNS queries

Which filter can be used as a coloring rule?
tcp port 25
portrange 21-25
udp port 161
ip.ttl < 20

ip.ttl < 20

What does Wireshark's UDP Multicast Streams burst measurement interval depict?
total time length of a burst set of multicasts
timing between separate multicast burst sets
number of multicast packets within a specific number of milliseconds
number of different multicast groups seen within a specific number of milliseconds

number of multicast packets within a specific number of milliseconds

Which of the following methods can be used to avoid the "needle in a haystack" issue when analyzing network traffic?
span all ports of a core switch
use Tshark to capture to file sets
place the analyzer appropriately
only capture traffic on wired networks

place the analyzer appropriately

Which address type can be mapped with Wireshark's GeoIP mapping services?
public IP addresses
MAC and IP addresses
broadcast and multicast addresses
private IP addresses

public IP addresses

Which traffic characteristic is commonly seen when analyzing database record transfers?
multicast responses
small packet sizes
large delays between transmissions
separate connections for each record

small packet sizes
