Module 3 - Analyzing Network Traffic Flashcards

Network And Cloud Forensics, Module 3 - Analyzing Network Traffic (21 cards)
1
Q

WireShark Source

A

www.wireshark.org

2
Q

WireShark Installation Prerequisite

A

WinPcap (the Windows packet-capture driver; current Wireshark releases install Npcap instead, since WinPcap is no longer maintained. On Linux and macOS the equivalent is libpcap.)

3
Q

WireShark Filters and View Columns

A
  • IP addresses (Source and Destination)
  • Protocol (highest-layer protocol Wireshark decoded, e.g. HTTP rather than TCP)
  • Info (one-line summary; for HTTP this includes the request method and path, e.g. GET /index.html)
4
Q

Analyzing Streams in WireShark

A

“Follow TCP Stream” (right-click a packet, or Analyze > Follow > TCP Stream) reassembles both directions of one connection into readable application data and applies a `tcp.stream eq N` display filter.

5
Q

Exporting Files in WireShark

A

File > Export Objects > HTTP (lists files transferred over unencrypted HTTP and saves them from the reassembled streams; the same menu also offers DICOM, IMF, SMB and TFTP objects).

6
Q

WireShark Filters

A

Use the display filter box above the packet list, e.g. `ip.addr == 10.0.0.5 && http.request`.

“Expression” button shows the syntax and available fields (in newer versions: Analyze > Display Filter Expression).

Display filters are not the same syntax as capture filters; capture filters use BPF syntax (`host 10.0.0.5 and tcp port 80`), the same syntax tcpdump uses.

7
Q

WireShark Time Reference

A
  • Display format must be “Seconds Since Beginning of Capture” (View > Time Display Format) for the reference to take effect.
  • Edit > Set/Unset Time Reference (Ctrl+T); the marked packet shows *REF* and later packets show time relative to it.
  • Not saved when file is closed.
8
Q

Transmissions work due to __________

A

encapsulation: each layer wraps the layer above it in its own header, so an Ethernet frame carries an IP datagram, which carries a TCP/UDP segment, which carries application data.

9
Q

Ethernet Frame Characteristics

A
  • Size: up to 1526 bytes including the 8-byte preamble/SFD (64 to 1518 bytes as usually counted: 14-byte header, 46 to 1500 bytes of payload, 4-byte FCS)
  • Contain source and destination MAC addresses, followed by a 2-byte EtherType
  • Payload contains IP datagram when the EtherType is 0x0800 (IPv4) or 0x86DD (IPv6); 0x0806 is ARP
10
Q

IP Data gram contains __________

A

source and destination IP addresses (plus TTL, the protocol number of the transport segment it carries, e.g. 6 for TCP and 17 for UDP, and a header checksum)

11
Q

What is used to parse frames and datagrams?

A

Packet sniffers (they read raw frames from an interface in promiscuous mode and decode each encapsulated header in turn)
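
Added worked example (not part of the course deck): the encapsulation described in cards 8 to 11, shown by building one Ethernet II frame that carries an IPv4 datagram, a TCP segment and an HTTP GET, then parsing it the way a sniffer does. The MAC addresses, IP addresses, ports and request path are made up; the TCP checksum is left zero since the point is the layering, but the IPv4 header checksum is computed and verified. The `info` field mimics Wireshark's Info column from card 3.

```python
import socket
import struct

# Constructed sample values (not a real capture): Ethernet II -> IPv4 -> TCP -> HTTP GET.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the IPv4 header, as 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame() -> bytes:
    """Encapsulate an HTTP request in TCP, then IPv4, then Ethernet (innermost first)."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP header: sport, dport, seq, ack, data offset (5 words) in the high nibble,
    # flags PSH|ACK (0x18), window, checksum (0 for this illustration), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4 header: version/IHL 0x45, TOS, total length, ID, flags+fragment offset (DF),
    # TTL 64, protocol 6 (TCP), checksum placeholder, source and destination addresses.
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
              socket.inet_aton("192.168.1.10"), socket.inet_aton("93.184.216.34")]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(ip_hdr)              # fill in the real header checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    # Ethernet II header: dst MAC, src MAC, EtherType (no preamble or FCS; pcap files omit them too)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp


def fmt_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Peel the layers the way a sniffer does: Ethernet -> IPv4 -> TCP -> application data."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": fmt_mac(eth_dst), "src_mac": fmt_mac(eth_src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out                               # e.g. ARP (0x0806) or IPv6 (0x86DD): stop here
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes, 20 without options
    out.update(src_ip=socket.inet_ntoa(src), dst_ip=socket.inet_ntoa(dst), ttl=ttl,
               protocol=proto, ip_checksum_ok=(ip_checksum(ip[:ihl]) == 0))
    if proto != PROTO_TCP:
        return out
    tcp = ip[ihl:total_len]                      # use total_len, not frame length: drops Ethernet padding
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4                # TCP header length in bytes (options included)
    payload = tcp[data_off:]
    out.update(src_port=sport, dst_port=dport, tcp_flags=flags, payload=payload)
    # Wireshark-style "Info" column: the request/status line of an HTTP payload, if present
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"HTTP/")):
        out["info"] = first_line.decode("ascii", "replace")
    return out


if __name__ == "__main__":
    for key, value in parse_frame(build_frame()).items():
        print(f"{key:16} {value!r}")
```

The same `parse_frame` works on frames read from a pcap file (the 16-byte per-packet pcap record header precedes each frame), which is what tcpdump and Wireshark do before applying any filter. The checksum check is worth keeping: a header that fails it is either corrupted or, in a capture taken on the sending host, not yet checksummed because the NIC was going to do it (checksum offload), which Wireshark reports as a bad checksum unless validation is turned off.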

12
Q

Name a Packet Sniffer Tool

A

tcpdump

13
Q

Characteristics of tcpdump

A
  • open source packet sniffer built on libpcap
  • command line
  • recent version: 4.2.1 (01/2012)
  • www.tcpdump.org
  • tcpdump only captures (`tcpdump -i eth0 -w capture.pcap 'tcp port 80'`); replaying a saved capture onto a network requires a separate tool such as tcpreplay or TCPopera
14
Q

Solutions to capture traffic

A
  • Packet Sniffer (tcpdump) running on a host that can already see the traffic
  • Hubs
  • Network Tap
  • Port Mirroring
15
Q

Hubs for Capturing Traffic

A
  • No logic
  • Low Cost
  • Rebroadcast traffic to all connected ports
  • can be easily used to sniff traffic between computers on the same hub
    (usually a security concern: any host on the hub in promiscuous mode sees everyone else's traffic).
16
Q

What is a network tap?

A
  • hardware device that provides a way to access the data flowing across a computer network.
  • inserted inline, so it intercepts the data flowing through one cable
  • Has at least three ports - A port, B port, monitor port(s)
  • passes traffic between A and B unimpeded, but copies data to the monitor port
17
Q

What use-cases are network taps used for?

A
  • network intrusion detection systems
  • VoIP recording
  • network probes
  • RMON probes
  • packet sniffers
18
Q

Why are network taps used?

A
  • non-intrusive: does not alter the traffic it copies
  • not detectable from the network (the tap has no physical or logical address on the monitored link)
  • can deal with full duplex and non-shared (switched) networks, which a hub or a host sniffer cannot see
  • passive taps pass traffic even if the monitoring equipment stops working or the tap loses power; active (regenerating) taps need a fail-open bypass to do the same
19
Q

What is Port Mirroring?

A
  • Used on network switch
  • Sends a copy of all network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
  • Unlike a tap, the mirror port can drop copies when the switch or the monitor port's bandwidth is oversubscribed (two full-duplex directions copied onto one port).
20
Q

What use-case for Port Mirroring?

A
  • network appliances that require monitoring of network traffic, such as an IDS, without inserting hardware inline
21
Q

Names for Port Mirroring on common switches

A

Cisco Systems: Switched Port Analyzer (SPAN)

3Com: Roving Analysis Port (RAP)