wireshark

Ace your homework & exams now with Quizwiz!

Additional metadata stored in the capture file

Using the PCAPNG format when saving a trace file will have what benefit over the PCAP format?

pREFERENCES

Which setting can be stored in your profile, and is not common to all profiles?

Router

You are troubleshooting a problem with an application where clients cannot connect. In Wireshark you see several ICMP messages from IP 10.0.1.1 with Type:3 Destination Unreachable Code:4 Fragmentation Needed. Most likely, what kind of device is sending this message?

150 ms

You decide to capture an issue on the network infrastructure between the client and the server endpoints. In the TCP handshake, the SYN - SYN/ACK delta time is 100ms. The SYN/ACK - ACK delta time is 50 ms. From this information, what is the total network roundtrip time between the two endpoints?

The first file that was saved will be overwritten.

You enabled the "Ring Buffer" feature in the Capture Options and set it to 10 files. The "Start a new file automatically" setting is set to 100 MB. After starting a capture you notice that you quickly have 10 files in the folder where you are saving these files. What will happen when the 11th file is saved to this folder?

Enable TCP Window Scaling

You notice that there are several TCP Window Full flags in a packet trace on traffic from a server to a client. You check the TCP Handshake for enabled options and you see the following in both directions: MSS = 1460, SACK enabled, and TCP Timestamps. What step could you take to reduce or eliminate the number of Window Full events that you see?

The client needs to send SYN requests multiple times before a connection can be established.

You suspect that a server supporting a business-critical application is under-resourced for the client load. What is a symptom you could look for in the packet traces to determine if a server is busy?

The analyst who captured the trace file was slicing packets.

You would like to export an object such as a .jpg from a Wireshark trace. The protocol is HTTP so the image is not encrypted. You enabled reassembly so that Wireshark could assemble and export the complete image. However, the export objects feature does not show any objects that have been reassembled. You checked a few of the packets that are carrying the image data and you notice that Wireshark is displaying "1400 bytes on wire, 200 bytes captured". Why is reassembly and export not working?

Change "smb.response.time" to "smb2.time"

You would like to see the maximum response times for SMB2 replies in the I/O graph. You create a new line in the I/O graph with a display filter of "smb". You select MAX(Y Field) to be plotted as a line graph. You set "smb.response.time" for the Y Field, but nothing gets plotted. What did you do wrong?

The TCP Sequence number is used to identify each segment in a TCP stream of data in one direction.

How would you define a TCP Sequence number?

This allows the interface to capture every frame it sees, regardless of whether it is the source or destination.

. What is achieved by putting a capture interface in "Promiscuous" mode?

Right-Click. Decode As. Configure the port and HTTP

As you are scanning through a TCP packet trace, you notice in the Hex/Ascii view that there is a 200 OK message coming back from a server over port 7000. What is the fastest way to decode this traffic with the correct dissector?

The client side application is under-resourced and cant keep up with ingress data.

During a file transfer, the client is not able to keep up processing the ingress data, so its receive window buffer fills. The client advertises that its receive window is zero. After a few seconds, the client alerts the server that the receive buffer has cleared and data transfer can again resume. What can cause the client receive window to go to zero?

0X0800

What EtherType is used to indicate that the next layer header is IP?

Profiles

What allows you to use more than one set of preferences and configurations?

Discover, Offer, Request, Acknowledgement

What are the four steps of the standard DHCP process?

Some packets take a different network path and arrive out of sequence

What is a common cause of out-of-order packets?

Desired traffic may not meet the filter and be captured.

What is a downside of using capture filters?

Opening and analyzing very large trace files in Wireshark can take a long time.

What is an advantage of using a ring buffer and smaller capture files to catch a problem rather than collecting just one huge trace file?

The ability to embed packet capture comments in the trace file.

What is an advantage of using the PCAPNG format instead of PCAP?

Observe client-side dependencies such as Domain Name System (DNS).

What is one advantage of capturing a problem at the client end rather than the server end?

The increase of sequence numbers over time.

What is represented by the Stevens graph?

pcapng

What is the default capture file format for dumpcap command?

65535 Bytes

What is the maximum value of the receive window (without window scaling)?

To simplify sequence number analysis by starting the byte count at zero.

What is the purpose of relative sequence numbers?

It is used for adding notes about an entire capture.

What is true about the comment icon in the bottom left of the Wireshark interface when a capture file is open?

iOS

What operating system is not supported for Wireshark installation?

ARP request

What type of Address Resolution Protocol (ARP) is shown?

Traffic levels often exceed the capture capability.

When running security forensics on a network, what is one reason why a packet capture alone may not be enough data to thoroughly investigate a breach?

The capture device was not able to keep up with the ingress traffic, so packets were dropped at the interface.

When troubleshooting a performance problem in a data center, you notice that the trace file has several packets marked "Previous Packet Not Captured". Following these packets, you do not see any retransmissions, duplicate acknowledgements, or other indicators of true packet loss or TCP flags. What is a possible reason for these errors?

Enable Preferences | Name Resolution | Resolve network (IP) addresses

Where can you configure Wireshark to dynamically use Host/DNS names instead of IP addresses in the Source and Destination columns?

Npcap

Which display filter allows you to view standard HTTPS traffic in Wireshark?

tcp.port==443

Which display filter allows you to view standard HTTPS traffic in Wireshark?

tcp.analysis.flags

Which filter would you utilize in the I/O Graph to show when TCP events happen? (retransmissions, out-of-orders, duplicate acks)

Decode As

Which functionality allows you to temporarily divert specific protocol dissections?

Bits

Which of the following is a measurement setting for the Y axis in the I/O graph?

A packet was lost and retransmitted

You are analyzing a file transfer with the tcptrace graph. At one point, there is a gap in the line indicating the sequence numbers. A short time after this gap, you see an I-bar below and to the right of the sequence number line. You also notice red lines coming down from the sequence number line. What happened to cause this?

Overprovisioning the SPAN port

You are analyzing a slow application in a data center. The closest you can get to the virtual server environment for packet capture is on a core switch where the ESX hosts are connected. All connections in this environment are 10Gps. You want to capture as much as possible so you setup a SPAN to monitor the top 5 busiest ESX hosts. What problem are you likely to run into in capturing this traffic?

Wireshark has detected a duplicate selective acknowledgement in a TCP connection.

You are analyzing a trace file with the help of the Expert Information feature. You notice a Warning labeled "D-SACK Sequence". What does this warning mean?

Enable session key logging on the client

You are capturing traffic on a Windows client using a Chrome browser that is having performance problems with an HTTPs based application. The application is using TLS 1.2 for encryption. You have full access to the client machine. What is a simple way that you could decrypt the trace file from this vantage point?


Related study sets

Milady Chapter 19: Advanced topics and treatments

View Set

PHYSIO: chapter 7 practice questions

View Set