Module 3 - Analyzing Network Traffic

Question 1

WireShark Source

Answer 1

www.wireshark.org

Question 2

WireShark Installation Prerequisite

Answer 2

WinPcap

Question 3

WireShark Filters and View Columns

Answer 3

• IP addresses (Source and Destination)
• Protocols
• Info (includes GET commands and paths)

Question 4

Analyzing Streams in WireShark

Answer 4

“Follow TCP Stream”

Question 5

Exporting Files in WireShark

Answer 5

File - Export - Objects - HTTP

Question 6

WireShark Filters

Answer 6

Use Filters box

“Expression” button shows syntax.

Question 7

WireShark Time Reference

Answer 7

• Display format must be “Seconds Since Beginning of Capture”.
• Edit - Time Reference
• Not saved when file is closed.

Question 8

Transmissions work due to __________

Answer 8

encapsulation

Question 9

Ethernet Frame Characteristics

Answer 9

• Size: 1526 bytes
• Contain source and destination MAC addresses
• Payload contains IP datagram

Question 10

IP Data gram contains __________

Answer 10

source and destination IP addresses

Question 11

What is used to parse frames and datagrams?

Answer 11

Packet sniffers

Question 12

Name a Packet Sniffer Tool

Answer 12

tcpdump

Question 13

Characteristics of tcpdump

Answer 13

• open source packet sniffer
• command line
• recent version: 4.2.1 (01/2012)
• www.tcpdump.org
• Replaying requires “tcpreplay or tcpopera”

Question 14

Solutions to capture traffic

Answer 14

• Packet Sniffer (tcpdump)
• Hubs
• Network Tap
• Port Mirroring

Question 15

Hubs for Capturing Traffic

Answer 15

• No logic
• Low Cost
• Rebroadcast traffic to all connected ports
• can be easily used to sniff traffic between computers on the same hung
  (usually a security concern).

Question 16

What is a network tap?

Answer 16

• hardware device that provides a way to access the data flowing across a computer network.
• intercepts data flowing through a cable
• Has at least three ports - A port, B port, monitor port
• pass traffic through unimpeded, but copies data to the monitor port

Question 17

What use-cases are network taps used for?

Answer 17

• network intrusions systems
• VOIP recording
• network probes
• RMON probes
• packet sniffers

Question 18

Why are network taps used?

Answer 18

• non-obtrusive
• not detectable (no physical or logical address)
• can deal with full duplex and non-shared networks,
• pass traffic even if it stops working or loses power

Question 19

What is Port Mirroring?

Answer 19

• Used on network switch
• Sends copy of all network packets seenon one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

Question 20

What use-case for Port Mirroring?

Answer 20

• network appliances that require monitoring of network traffic, such as IDS

Question 21

Names for Port Mirroring on common switches

Answer 21

Cisco Systems: Switched Port Analyzer (SPAN)

3Com: Roving Port Analysis (RAP)