Final Review
The ephemeral port group is from ____________. A) 1024 through 65535 B) 1024 through 65536 C) 0 through 65536 D) 1023 through 65535
A) 1024 through 65535
Latency can be measured as only one-way (from a single source to a destination) and not as round-trip (from a source to a destination and back to the original source) A) True B) False
B) False
Packet analysis is not a very dynamic process: the methods used to analyze each scenario are always the same, and the only important thing is that the results of the analysis solve a problem. A) True B) False
B) False
Statistics are the bread and butter of analysis and one of the best ways to get a summary overview of a data set. A) True B) False
B) False
Displays a packet in its raw, unprocessed form as it travels across the wire. A) Packet List Pane B) Packet Details Pane C) TCP Port Pane D) Packet Bytes Pane
D) Packet Bytes Pane
Has columns containing the packet number, the relative time the packet was captured, the source and destination of the packet, the packet's protocol, and some general information found in the packet. A) Packet Port Pane B) Status Bar C) Packet Bytes Pane D) Packet List Pane
D) Packet List Pane
At the data link layer, an endpoint will have an IP address. A) True B) False
B) False
Wireshark's Endpoints window shows several helpful statistics for each endpoint including the following _______________________. (choose all that apply) A) bytes transmitted B) the address C) bytes dropped D) number of packets
A) bytes transmitted B) the address D) number of packets
The protocols at different layers of the OSI model pass data between each other with the aid of __________________. Each layer in the stack is responsible for adding the header or footer information that allows the layers to communicate the data being transferred. A) data encapsulation B) data compression C) data encryption D) data duplication
A) data encapsulation
The ability of a host to ____________ packets is one of TCP's most fundamental error-recovery features that is designed to combat packet loss. A) re-transmit B) forward C) assign port numbers to D) delay
A) re-transmit
Hubs are full-duplex devices that can send and receive data simultaneously. A) True B) False
B) False
When the client receives a packet with a window size of __________, it will halt any data transmission but will sometimes keep the connection to the server open with the transmission of keep-alive packets. A) 5 B) 0 C) 10 D) 32
B) 0
What are the minimum recommended system requirements to run Wireshark? (select all that apply) A) 128 MB of RAM B) 300MB of storage space C) A 32-bit x86 or 64-bit CPU D) A non-promiscuous NIC E) WinPcap/libpcap capture driver
B) 300MB of storage space C) A 32-bit x86 or 64-bit CPU E) WinPcap/libpcap capture driver
The maximum number of re-transmission attempts depends on the value configured in the transmitting operating system and by default, Windows hosts make a maximum of ____________ re-transmission attempts. A) 4 B) 5 C) 3 D) 7
B) 5
When creating capture filters you can use logical operators to combine primitives to create more advanced expressions, what are the three logical operators? A) Exor operator OR (|V|) B) Alternation operator OR (||) C) Concatenation operator AND (&&) D) Negation operator NOT (!)
B) Alternation operator OR (||) C) Concatenation operator AND (&&) D) Negation operator NOT (!)
When you subtract the Ethernet, IP, and TCP headers from an Ethernet frame, you are left with _______ bytes that can be used for the transmission of a layer 7 protocol header or for data. A) 2048 B) 1518 C) 1460 D) 1024
C) 1460
The response code of ____________ is a common means of redirection in the HTTP. A) 123 B) 404 C) 302 D) 201
C) 302
When you send a message, it is sent from your MUA to an MTA. If the email is addressed to another domain, the MTA must use __________ to find the address of the recipient's mail server and then transmit the message to it. A) POP3 B) NTP C) DNS D) HTTP
C) DNS
Packet analysis can help with the following:(choose all that apply) A) Restarting network transmissions B) Resolving URIs into MAC addresses C) Determining who or what is utilizing available bandwidth D) Identifying peak network usage times E) Identifying malicious activity F) Finding unsecured and bloated applications
C) Determining who or what is utilizing available bandwidth D) Identifying peak network usage times E) Identifying malicious activity F) Finding unsecured and bloated applications
To find packets that match a particular criteria use the _____________ bar by pressing CTRL-F. A) Display Filter B) Capture Filter C) Find Packet D) Search
C) Find Packet
The sequence number that is to be expected in the next packet from the other device taking part in the communication. A) Sequence B) IPv4 C) Port D) Acknowledgment
D) Acknowledgment
The ___________ field is used for identifying the type of TCP packet being transmitted. A) Options B) Sequence Number C) Checksum D) Flags
D) Flags
__________ is the delivery mechanism of the World Wide Web, allowing web browsers to connect to web servers to view web pages, and in most organizations represents the highest percentage of traffic seen going across the wire. A) FTP B) SNMP C) SMTP D) HTTP
D) HTTP
What feature can Wireshark employ when displaying packet data to make analysis easier? A) Capture filters B) Subnetting C) ASCII D) Name Resolution
D) Name Resolution
One of Wireshark's most useful analysis features is its ability to reassemble data from multiple packets into a consolidated, easily readable format known as a ____________. A) Protocol Hierarchy B) Packet measurement C) Packet Dissection D) Packet transcript
D) Packet transcript
When dealing with unfamiliar capture files, you'll sometimes need to determine the distribution of traffic, such as what percentage of a capture is TCP, IP, or DHCP. Which window would you use? A) Packet Statistics B) Conversations C) Endpoint Statistics D) Protocol Hierarchy Statistics
D) Protocol Hierarchy Statistics
____________ operate at layer 3 of the OSI model, where they are responsible for forwarding packets between two or more networks. A) Switches B) Firewalls C) Bridges D) Routers
D) Routers
___________ is considered a connection-oriented protocol because it establishes a formal connection before transmitting data, tracks packet delivery, and usually attempts to formally close communication channels when transmission is complete. A) IP B) UDP C) PPP D) TCP
D) TCP
Designed to work on Unix-based systems, ______________ is by far the most popular command line packet analysis application. A) Wireshark B) TShark C) Winpcap D) TCPDump
D) TCPDump
DNS relies on ___________ as its primary layer 4 protocol A) IP B) HDLC C) TCP D) UDP
D) UDP
When packets take a significant amount of time to travel between a source and destination, the communication is said to have _______________ A) low delay B) high throughput C) low reliability D) high latency
D) high latency
Which of the following expressions will result in a filter that displays only the ARP messages from the host at 192.168.1.10? A) dst host 192.168.1.10 && ether src host ff:ff:ff:ff:ff:ff && !udp && !tcp B) dst host 192.168.1.10 && ether dst host ff:ff:ff:ff:ff:ff && !udp && !tcp C) src host 192.168.1.10 || ether dst host ff:ff:ff:ff:ff:ff && !udp && !tcp D) src host 192.168.1.10 && ether dst host ff:ff:ff:ff:ff:ff && !udp && !tcp
D) src host 192.168.1.10 && ether dst host ff:ff:ff:ff:ff:ff && !udp && !tcp
When comparing packet data from multiple devices, you need be sure that the devices are synchronized with the same time source, especially when performing forensic analysis or troubleshooting. To ensure this, you can use _____________ to ensure network devices are synced. A) the Virtual LAN Trunking Protocol (VTP) B) the Real-Time Protocol (RTP) C) the Spanning Tree Protocol (STP) D) the Network Time Protocol (NTP)
D) the Network Time Protocol (NTP)
When all else fails, your network baseline can be one of the most crucial pieces of data you have when troubleshooting slowness on the network. A) True B) False
A) True
When analyzing a large number of packets in a capture, you can print packets for easy reference. A) True B) False
A) True
What are some situations in which a command line tool might be used instead of Wireshark? (choose all that apply) A) If you are dealing with a server and don't have access to a graphical tool B) You are analyzing a Wifi network C) You can limit displayed information to only pertinent data D) Filtering a packet capture file and providing the results directly to another tool using Unix pipes.
A) If you are dealing with a server and don't have access to a graphical tool C) You can limit displayed information to only pertinent data D) Filtering a packet capture file and providing the results directly to another tool using Unix pipes.
Sequence Number In + Bytes of Data Received = __________ Out A) Acknowledgment Number B) Segment Number C) Port Number D) Protocol Number
A) Acknowledgment Number
The _______________ window is similar to the Endpoints window, but it shows two addresses per line to represent communication between two endpoints, as well as the packets and bytes transmitted to and from each device. A) Conversations B) Packet Details C) Chats D) Protocols
A) Conversations
__________ servers store a database of resource records of IP address-to- name mappings. A) DNS B) FTP C) HTTP D) DHCP
A) DNS
The DHCP initialization process uses four types of DHCP packets, ___________, ___________, ____________, and ____________. (select all that apply) A) Discover B) Request C) Offer D) Reply E) Open F) Acknowledgment
A) Discover B) Request C) Offer F) Acknowledgment
You can export your Wireshark capture data into several formats for viewing in other media or for importing into other packet analysis tools. The formats include __________________. (select all that apply) A) Extensible Markup Language (XML) B) PostScript C) Hypertext Markup Language (HTML) D) Dotted Decimal E) Plaintext F) Comma-separated values (CSV)
A) Extensible Markup Language (XML) B) PostScript E) Plaintext F) Comma-separated values (CSV)
Given the following information, what would the link-local address be for this host using EUI-64? Prefix: FE80:0000:0000:0000; MAC address: 1C-66-DA-07-B2-92 A) FE80::1E66:DAFF:FE07:B292 B) FE80::1 C) FE8::1C66:DAFF:FE7:B292 D) FE80::1C66:DAFF:FE07:B292
A) FE80::1E66:DAFF:FE07:B292
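As an added worked example (not part of the original quiz and not Wireshark's own code), the following Python carries out the EUI-64 derivation from the question above: split the MAC in half, insert FFFE, and flip the universal/local bit (0x02) of the first octet, which is why 1C becomes 1E. The reverse function recovers a NIC's MAC from an EUI-64 based address seen in a capture, and returns None when the address is not EUI-64 derived (for example a privacy or manually assigned address). The MAC and prefix are the ones given in the question.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC address.

    Procedure (RFC 4291, Appendix A): split the MAC into its two 24-bit halves,
    insert 0xFFFE between them, and invert the universal/local bit (0x02 in the
    first octet). Accepts '-' or ':' separators in either case.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    first = octets[0] ^ 0x02                      # flip the U/L bit: 0x1C -> 0x1E
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str, prefix: str = "fe80::") -> str:
    """Append the modified EUI-64 identifier to a /64 prefix (fe80::/64 by default)."""
    iid = mac_to_modified_eui64(mac)
    prefix_bytes = ipaddress.IPv6Address(prefix).packed[:8]
    return str(ipaddress.IPv6Address(prefix_bytes + iid))


def mac_from_eui64_address(address: str) -> Optional[str]:
    """Reverse the derivation: recover the MAC embedded in an EUI-64 based IPv6
    address, or return None when the interface identifier lacks the 0xFFFE marker
    (privacy extensions or a manually assigned address)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    mac = "1C-66-DA-07-B2-92"              # the MAC from the question above
    addr = link_local_from_mac(mac)
    print(addr)                            # fe80::1e66:daff:fe07:b292
    print(mac_from_eui64_address(addr))    # 1C-66-DA-07-B2-92
```

The answer D in the question is the common mistake of skipping the bit flip; the function makes that step explicit.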
The Capture Interfaces dialog has been designed to give you more flexibility while capturing packets and is divided into three tabs. What are the tabs called? A) Input B) Options C) Output D) Advance
A) Input B) Options C) Output
______________ is the utility protocol of TCP/IP, responsible for providing information regarding the availability of devices, services, or routes on a TCP/IP network. A) Internet Control Message Protocol (ICMP) B) Telnet C) Secure Shell (SSH) D) Address Resolution Protocol (ARP)
A) Internet Control Message Protocol (ICMP)
The _______ is a 32-bit number that identifies which part of an IPv4 address belongs to the network portion and which part belongs to the host portion. Every bit set to 1 marks the part reserved for the network portion, while the remaining bits are set to 0 to identify the host portion. A) Netmask B) Layer 4 number C) EUI-32 D) MAC address
A) Netmask
DHCPv6 accomplishes the same goal as DHCP, but DHCPv6 replaces DORA with ___________. A) SARR B) BILL C) DAVE D) SAU
A) SARR
In a Gratuitous ARP, what fields will have the same bits set? A) Sender IP address and Target IP address B) Hardware type and Protocol type C) Sender hardware address and Sender IP address D) Target hardware address and Target IP address E) Sender hardware address and Target hardware address
A) Sender IP address and Target IP address
You need to consider a number of factors when selecting a packet sniffer, including the following:(choose 3 answers) A) Supported protocols B) Program size C) User friendliness D) Operating system support
A) Supported protocols C) User friendliness D) Operating system support
Several types of streams are available to follow within a Wireshark capture: (choose all that apply) A) TCP stream B) HTTP stream C) UDP stream D) ICMP stream
A) TCP stream B) HTTP stream C) UDP stream
What type of message would the following capture expression return, icmp[0:2] == 0x0b00 A) TTL exceeded in transit B) Subnet unreachable C) Echo reply D) Echo request
A) TTL exceeded in transit
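The capture expression in the question uses the BPF byte-offset syntax proto[offset:size]: icmp[0:2] reads the first two bytes of the ICMP header (the Type and Code fields) as one big-endian value, and 0x0b00 is type 11 (Time Exceeded) with code 0 (TTL exceeded in transit). As an added example (not from the quiz or from libpcap), the Python below builds ICMP messages with a valid checksum and evaluates that primitive the way the filter engine does, so the same function also answers one-byte tests such as icmp[0] == 8. The type/code name table is a constructed subset of RFC 792.

```python
import struct
from typing import Dict, Tuple

# Constructed lookup table for the type/code pairs this example names (subset of RFC 792).
ICMP_NAMES: Dict[Tuple[int, int], str] = {
    (0, 0): "Echo reply",
    (3, 0): "Destination unreachable (network unreachable)",
    (3, 1): "Destination unreachable (host unreachable)",
    (3, 3): "Destination unreachable (port unreachable)",
    (8, 0): "Echo request",
    (11, 0): "Time-to-live exceeded in transit",
    (11, 1): "Fragment reassembly time exceeded",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build an ICMP message: type, code, checksum, 4 'rest of header' bytes, then payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def byte_slice(packet: bytes, offset: int, size: int) -> int:
    """Evaluate the BPF primitive proto[offset:size]: `size` bytes at `offset`
    read as a big-endian integer. BPF only allows 1, 2 or 4 byte slices."""
    if size not in (1, 2, 4):
        raise ValueError("BPF slices are 1, 2 or 4 bytes wide")
    if offset + size > len(packet):
        raise ValueError("slice runs past the end of the packet")
    return int.from_bytes(packet[offset:offset + size], "big")


def matches(packet: bytes, offset: int, size: int, value: int) -> bool:
    """True when proto[offset:size] == value, e.g. matches(icmp, 0, 2, 0x0b00)."""
    return byte_slice(packet, offset, size) == value


def describe_icmp(packet: bytes) -> str:
    """Name the message from its Type and Code bytes."""
    icmp_type, code = packet[0], packet[1]
    return ICMP_NAMES.get((icmp_type, code), f"type {icmp_type} code {code}")


if __name__ == "__main__":
    # Constructed samples: a TTL-exceeded message of the kind a router emits during
    # traceroute (its payload carries the start of the original IP header), and an echo request.
    ttl_exceeded = build_icmp(11, 0, payload=b"\x45\x00" + b"\x00" * 26)
    echo_request = build_icmp(8, 0, rest=struct.pack("!HH", 0x1234, 1), payload=b"abcdefgh")
    for pkt in (ttl_exceeded, echo_request):
        print(f"icmp[0:2] == 0x0b00 -> {matches(pkt, 0, 2, 0x0b00)!s:5}  {describe_icmp(pkt)}")
```

The same slice logic underlies other common capture filters, such as tcp[13] for the TCP Flags byte; only the protocol base offset changes.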
A key decision for effective packet analysis is where to physically position a packet sniffer to appropriately capture the data. A) True B) False
A) True
A major difference between global and personal configuration directories is that any changes made to the global configuration files will affect every Wireshark user on a system unlike changes made to the personal configuration files which only affect a specific Wireshark user. A) True B) False
A) True
An IPv6 address has a network portion, often called a network prefix. A) True B) False
A) True
Endpoints are identified by multiple addresses, which are assigned at different layers of the OSI model. A) True B) False
A) True
Packet analysis is often referred to as packet sniffing or protocol analysis. A) True B) False
A) True
TCP's error-recovery features are our best tools for locating, diagnosing, and eventually repairing high latency on a network. A) True B) False
A) True
The DHCP Offer packet is a reply message type. A) True B) False
A) True
To avoid fragmentation, a device transmitting IPv6 packets is expected to perform a process called maximum transmission unit (MTU) discovery to determine the maximum size of packets it can send before actually sending them. A) True B) False
A) True
DHCP uses _________ ports ________ and ________ when employing a dynamic method to assign IP addressing information for IPv4. (select all that apply) A) UDP B) 53 C) 67 D) 69 E) 80 F) TCP G) 68 H) 161
A) UDP C) 67 G) 68
The primary mechanism for determining whether the re-transmission of a packet is necessary is the _____________ and is responsible for maintaining a value called the _________________. A) re-transmission timeout (RTO) B) packet tranmission timeout (PTO) C) re-transmission timer D) delay timer
A) re-transmission timeout (RTO) C) re-transmission timer
The _____________ is a value specified by the data recipient and stored in the TCP header (in bytes) that tells the transmitting device how much data the recipient is willing to store in its TCP buffer space. A) receive window B) reserved C) checksum D) urgent pointer
A) receive window
Which command will start the process of capturing packets from a network interface and dumping them on screen in your terminal window within TShark A) tshark B) tcpdump C) runtcp D) startcap
A) tshark
What are the types of messages/traffic supported by IPv6? (choose all that apply) A) Overcast B) Anycast C) Unicast D) Broadcast E) Multicast
B) Anycast C) Unicast E) Multicast
The DHCP initialization process is often referred to as the ______ process because it uses four types of DHCP packets. A) DANY B) DORA C) BILL D) DONA
B) DORA
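The questions above on the DORA packets, on the Offer being a reply, and on the DHCP ports all come down to two fields in the message: the BOOTP op byte (1 = BOOTREQUEST from the client, 2 = BOOTREPLY from the server) and option 53, the DHCP message type. As an added example (not from the quiz, Wireshark, or any DHCP implementation), the Python below builds a constructed DORA exchange and parses it back, walking the TLV option list and rejecting a message type carried in the wrong direction, the kind of inconsistency worth flagging when hunting for a rogue DHCP server on UDP 67/68. The transaction ID and addresses are made up.

```python
import struct
from typing import Dict

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
FIXED_LEN = 236  # BOOTP fields preceding the magic cookie

# Option 53 values from RFC 2132; DORA is types 1, 2, 3 and 5.
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline", 5: "ACK", 6: "NAK", 7: "Release"}
# Direction each type travels: clients send op=BOOTREQUEST, servers answer with op=BOOTREPLY.
EXPECTED_OP = {1: BOOTREQUEST, 2: BOOTREPLY, 3: BOOTREQUEST, 4: BOOTREQUEST,
               5: BOOTREPLY, 6: BOOTREPLY, 7: BOOTREQUEST}


def _ip(text: str) -> bytes:
    return bytes(int(p) for p in text.split("."))


def build_dhcp(op: int, xid: int, client_mac: bytes, message_type: int, yiaddr: str = "0.0.0.0") -> bytes:
    """Serialise a minimal DHCP message: fixed BOOTP header, magic cookie, option 53, end option."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,             # htype 1 = Ethernet, broadcast flag set
                        b"\x00" * 4, _ip(yiaddr), b"\x00" * 4, b"\x00" * 4,
                        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, message_type, OPT_END])


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list: pad (0) has no length byte, end (255) terminates the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def classify_dhcp(packet: bytes) -> Dict[str, object]:
    """Return the DORA step, whether op says request or reply, the transaction ID and the
    offered address. Raises ValueError for non-DHCP payloads and for a message type carried
    in the wrong direction (e.g. an Offer with op=BOOTREQUEST)."""
    if len(packet) < FIXED_LEN + 4 or packet[FIXED_LEN:FIXED_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = ".".join(str(b) for b in packet[16:20])       # 'your' address offered to the client
    opts = parse_options(packet[FIXED_LEN + 4:])
    if len(opts.get(OPT_MESSAGE_TYPE, b"")) != 1:
        raise ValueError("option 53 (DHCP message type) missing or malformed")
    mtype = opts[OPT_MESSAGE_TYPE][0]
    if mtype in EXPECTED_OP and EXPECTED_OP[mtype] != op:
        raise ValueError(f"{MESSAGE_TYPES[mtype]} carried with op={op}")
    return {"type": MESSAGE_TYPES.get(mtype, f"type {mtype}"),
            "op": "reply" if op == BOOTREPLY else "request", "xid": xid, "yiaddr": yiaddr}


if __name__ == "__main__":
    # Constructed DORA exchange; all four messages share the client's transaction ID.
    mac, xid = bytes.fromhex("1c66da07b292"), 0x3903F326
    exchange = [
        build_dhcp(BOOTREQUEST, xid, mac, 1),
        build_dhcp(BOOTREPLY, xid, mac, 2, yiaddr="192.168.1.50"),
        build_dhcp(BOOTREQUEST, xid, mac, 3),
        build_dhcp(BOOTREPLY, xid, mac, 5, yiaddr="192.168.1.50"),
    ]
    for pkt in exchange:
        print(classify_dhcp(pkt))
```

Matching the four messages by transaction ID is how you tie an Offer or ACK back to the Discover that triggered it when several clients are booting at once.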
A good portion of packet analysis will happen during traffic capture. A) True B) False
B) False
Filtering in TShark and tcpdump is very flexible, as TShark can use Wireshark BPF capture filters at capture time or while displaying already captured packets. A) True B) False
B) False
The TCP header is much smaller and simpler than the UDP header. A) True B) False
B) False
The display filter udp.dstport==53 || udp.dstport==67 will only display DNS queries or DHCP Request. A) True B) False
B) False
The physical address of a host on a network segment is also called an IPv4 or IPv6 address. A) True B) False
B) False
When a user complains of slow access to the Internet but no one else seems affected, the first place to begin a capture is at the router (default gateway). A) True B) False
B) False
When troubleshooting slowness on the network, analyzing UDP packets is better than TCP packets due to its reliability features (acknowledgements). A) True B) False
B) False
When the Type fields used in a DNS query or response has a value of 252, what does that indicate about the resource record type that the query or response is for A) Incremental zone transfer B) Full zone transfer C) Canonical name for an alias D) Authoritative Name server
B) Full zone transfer
_____________ is a common practice when comparing two data streams of the same traffic that were captured separately. A) Applying color rules to specific packets B) Merging captures C) Using capture filtering D) Printing captures
B) Merging captures
In place of ARP, what does IPv6 use to resolve local logical addresses to physical addresses? A) Traceroute B) Neighbor Solicitation C) Neighbor Advertisement D) Router Solicitation E) Router Advertisement
B) Neighbor Solicitation C) Neighbor Advertisement
There are four primary ways to capture traffic on a switched network: A) DNS poisoning B) bridging across C) port mirroring D) ARP cache poisoning E) network tapping F) hubbing out
C) port mirroring D) ARP cache poisoning E) network tapping F) hubbing out
In an ARP header, the _________ field is primarily responsible for identifying whether or not the ARP message is a reply or a request. A) Sender hardware B) Operation C) Hardware type D) Target hardware
B) Operation
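The Operation field question above and the earlier gratuitous ARP question both reduce to reading fixed offsets in the 28-byte Ethernet/IPv4 ARP message. As an added example (not from the quiz or from Wireshark), the Python below serialises and parses that message, classifies it from the Operation field (1 = request, 2 = reply), and flags gratuitous ARP by the test Wireshark uses: sender IP equal to target IP. Addresses in the samples are constructed.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_FORMAT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FORMAT)  # 28 bytes


@dataclass
class ArpMessage:
    hardware_type: int
    protocol_type: int
    operation: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def kind(self) -> str:
        """Classify from the Operation field: 1 = request, 2 = reply."""
        return {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(self.operation, f"opcode {self.operation}")

    @property
    def is_gratuitous(self) -> bool:
        """A gratuitous ARP carries the sender's own IP in the target IP field."""
        return self.sender_ip == self.target_ip


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _parse_mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _parse_ip(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def build_arp(operation: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Serialise an Ethernet/IPv4 ARP message (the 28 bytes following the Ethernet header)."""
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, operation,
                       _parse_mac(sender_mac), _parse_ip(sender_ip),
                       _parse_mac(target_mac), _parse_ip(target_ip))


def parse_arp(payload: bytes) -> ArpMessage:
    """Parse the ARP header; anything other than Ethernet/IPv4 ARP is rejected."""
    if len(payload) < ARP_LEN:
        raise ValueError(f"ARP message too short: {len(payload)} bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:ARP_LEN])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled by this parser")
    return ArpMessage(htype, ptype, op, _fmt_mac(sha), _fmt_ip(spa), _fmt_mac(tha), _fmt_ip(tpa))


if __name__ == "__main__":
    # Constructed samples: a normal request, its reply, and a gratuitous request
    # (sender IP == target IP) announcing 192.168.1.10 to the broadcast address.
    samples = [
        build_arp(ARP_REQUEST, "1c:66:da:07:b2:92", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1", "1c:66:da:07:b2:92", "192.168.1.10"),
        build_arp(ARP_REQUEST, "1c:66:da:07:b2:92", "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),
    ]
    for raw in samples:
        m = parse_arp(raw)
        print(f"{m.kind:8} {m.sender_ip:>13} ({m.sender_mac}) -> {m.target_ip:<13} gratuitous={m.is_gratuitous}")
```

Gratuitous ARP is legitimate on boot or failover, but an unsolicited stream of them claiming the gateway's IP from a new MAC is also what ARP cache poisoning looks like on the wire, so the is_gratuitous check is a natural first filter.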
DHCPv6 accomplishes the same goal as DHCP using the following messages ___________, ____________, ____________, and ___________. (select all that apply) A) Acknowledgment B) Request C) Discover D) Advertise E) Offer F) Reply G) Echo H) Solicit
B) Request D) Advertise F) Reply H) Solicit
____________ is the standard for sending email. A) POP3 B) SMTP C) Gmail D) IMAP
B) SMTP
What are the several configurable options related to time supplied by Wireshark for packet captures? (select four) A) Seconds since previous analysis B) Seconds since beginning of capture C) Date and time of day D) Mean time to failure E) PST date and time of day F) EST date and time of day G) UTC date and time of day H) Seconds since epoch
B) Seconds since beginning of capture C) Date and time of day G) UTC date and time of day H) Seconds since epoch
The ____________ for TCP isn't incredibly important and can be selected randomly. A) Sequence number B) Source port C) Acknowledgment number D) Destination port
B) Source port
In most situations, _____________ taps are preferred because they require less cabling and don't need two NICs on your sniffer computer. A) half-duplex B) aggregated C) non-aggregated
B) aggregated
Network traffic can be classified as one of three types:(choose all the apply) A) simulcast B) broadcast C) multicast D) unicast
B) broadcast C) multicast D) unicast
In an IPv4 packet header, if the More Fragments flag is set, the packet has been ___________. A) forwarded B) fragmented C) replied to D) dropped
B) fragmented
The display filter that shows HTTP requests retrieving a resource from a remote server is _______________ A) http.request.method == "POST" B) http.request.method == "GET" C) http.method == "POST" D) http.method == "GET"
B) http.request.method == "GET"
When a new TCP connection is established, one of the most important pieces of information exchanged during the handshake process is an ____________. A) acknowledgement number (ACKN). B) initial sequence number (ISN) C) window number (WIN). D) protocol number (PN).
B) initial sequence number (ISN)
You needed to capture continuous high-volumes of network traffic within an enterprise, which method would be best employed? A) ARP cache poisoning B) network tapping C) hubbing out D) port mirroring
B) network tapping
The best alternatives to hubs in production and high-density networks are _________. A) routers B) switches C) servers D) firewalls
B) switches
When the recipient receives an ___________, it assumes that a packet has been lost in transit. A) unexpected port number B) unexpected sequence number C) unexpected acknowledgement number D) unexpected ISN number
B) unexpected sequence number
What should the display filter !rip.version do? A) Display all the routing information protocol advertisements on a network. B) Display everything except the version of RIPng in use on a network. C) Display everything except the version of routing information protocol in use on a network. D) Display the RIPng advertisements on a network.
C) Display everything except the version of routing information protocol in use on a network.
The directory that contains all of the default settings for Wireshark and is where the default profile stores its settings. A) Personal configuration B) Basic configuration C) Global configuration D) Custom configuration
C) Global configuration
All TCP-based communication must begin with a ___________ between two hosts. A) ICMP Echo B) IP address C) Handshake D) Sequence number
C) Handshake
What 7 layer model is represented by the following diagram: A) TCP B) IP C) OSI D) IEEE
C) OSI
___________ defines the type of query contained in the DNS message. A) RCode B) DNS ID Number C) OpCode D) QR
C) OpCode
Allows you to quickly differentiate between various protocols and can be based on Wireshark filters. A) Berkeley Packet Filters B) Name Resolution C) Packet Color Coding D) Filter Expressions
C) Packet Color Coding
What will the following command line command do, tshark -r packets.pcap -Y "tcp.dstport == 80"? A) Start TShark and capture HTTPS traffic B) Start TShark and open a capture named packets and display only HTTPS traffic C) Start TShark and open a capture named packets and display only HTTP traffic D) Start TShark and capture HTTP traffic
C) Start TShark and open a capture named packets and display only HTTP traffic
To reduce the risk of clouding your packet file or of unwittingly communicating with an attacker, disable the ___________________________. A) Only use the profile "hosts" file B) Use an internal network name resolver option C) Use an external network name resolver option D) Use the ability to force name resolution on a temporary, on-demand basis.
C) Use an external network name resolver option
A _____________ is a TCP packet sent from a recipient when that recipient receives packets that are out of order. A) PSH B) duplicate RST C) duplicate ACK D) Re-Sequence
C) duplicate ACK
When a client with an IP address in-lease reboots, it must perform a truncated version of the DORA process in order to reclaim its IP address which is called ___________. A) end-of-lease renewal B) out-of-lease renewal C) in-lease renewal D) expired-lease renewal
C) in-lease renewal
When communication between devices is fast, and the amount of time it takes a packet to get from one point to another is low, the communication is said to have __________ A) high jitter B) high bandwidth C) low latency D) high reliability
C) low latency
If you suspect that you are the victim of __________ on the server side, consider attempting to capture traffic from the client (if possible) so that you can see whether re-transmission packets are present. A) packet delay B) a broadcast storm C) packet loss D) packet spoofing
C) packet loss
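Several questions above describe the same mechanics from different angles: the acknowledgment number is sequence number in plus bytes received, a receiver that sees an unexpected sequence number answers with duplicate ACKs, and the sender's retransmission timer eventually resends the missing segment, which is why a client-side capture is where retransmissions show up. As an added example (not from the quiz or from Wireshark), the Python below runs a deliberately simplified form of the retransmission and duplicate-ACK heuristics that Wireshark's expert analysis applies over a constructed capture; the one-second RTO in the sample is an assumed value, not a computed one, and Wireshark's real heuristics also consider window size and timing.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Segment:
    """One captured TCP segment, reduced to the fields the heuristics need."""
    time: float    # capture timestamp in seconds
    src: str       # "client" or "server" in the constructed sample below
    seq: int       # relative sequence number
    ack: int       # relative acknowledgment number
    length: int    # bytes of TCP payload


def expected_ack(seq: int, length: int) -> int:
    """Sequence number in + bytes of data received = acknowledgment number out."""
    return seq + length


def analyze(segments: List[Segment]) -> Dict[str, List[float]]:
    """Flag retransmissions and duplicate ACKs with simplified versions of the
    expert-analysis heuristics:
      * retransmission: a data-carrying segment whose seq lies below the highest
        seq + length already seen from the same sender (that data was sent before);
      * duplicate ACK: a payload-less segment repeating the sender's previous ack
        number instead of advancing it (the receiver hit a gap in sequence numbers).
    Returns the capture timestamps of each kind of event."""
    next_seq: Dict[str, int] = {}   # per sender: highest seq + length seen so far
    last_ack: Dict[str, int] = {}   # per sender: ack number carried by its previous segment
    events: Dict[str, List[float]] = {"retransmission": [], "duplicate_ack": []}
    for s in sorted(segments, key=lambda x: x.time):
        if s.length > 0:
            if s.src in next_seq and s.seq < next_seq[s.src]:
                events["retransmission"].append(s.time)
            next_seq[s.src] = max(next_seq.get(s.src, 0), s.seq + s.length)
        elif last_ack.get(s.src) == s.ack:
            events["duplicate_ack"].append(s.time)
        last_ack[s.src] = s.ack
    return events


# Constructed sample captured on the client: the client's second 100-byte segment
# (seq 101) is lost downstream of the capture point, the server answers the later
# data with duplicate ACKs for 101, and the client's retransmission timer fires
# about one second later (assumed RTO; the real value derives from measured RTTs).
SAMPLE = [
    Segment(0.000, "client", 1, 1, 100),
    Segment(0.010, "server", 1, 101, 0),
    Segment(0.020, "client", 101, 1, 100),   # lost after the capture point
    Segment(0.030, "client", 201, 1, 100),   # arrives out of order at the server
    Segment(0.040, "server", 1, 101, 0),     # duplicate ACK #1
    Segment(0.050, "client", 301, 1, 100),
    Segment(0.060, "server", 1, 101, 0),     # duplicate ACK #2
    Segment(1.020, "client", 101, 1, 100),   # retransmission once the RTO expires
    Segment(1.030, "server", 1, 401, 0),     # ack == expected_ack(301, 100)
]


if __name__ == "__main__":
    for kind, times in analyze(SAMPLE).items():
        print(f"{kind}: {len(times)} at {times}")
```

Run against a server-side capture of the same exchange, the retransmission at 1.020 would still appear but the original seq 101 segment at 0.020 would be absent; comparing the two vantage points is what localises the loss.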