Network Analysis Tools Flashcards

(60 cards)

1
Q

purpose is to track usage, identify unusual traffic, and view the traffic in detail;
analyzes network traffic to understand a normal network baseline
decodes streams of bits flowing across a network & shows them in a structured format

A

Protocol analysis / protocol analyzers

2
Q

Analyzes streams of protocol data and displays bits in a structured format

A

protocol analyzer

3
Q

**5 distinct functions of a protocol analyzer/protocol analysis;
5 STEPS

A

1) Data capture - locally (requires an interface & NIC) or remotely (remote analyzers, capture agents, remote control)
2) Network Monitoring
3) Data display
4) Notification Logging
5) Packet Generation

4
Q

a mechanism that collects information about a network;
network info that gets monitored and comes from various sensors;
where you’re collecting from, such as a NIC card or ethernet

A

sensor

5
Q

network traffic must pass through this sensor, enabling it to stop attacks by blocking network traffic

A

in-line sensors

6
Q

monitors a copy of the actual traffic;
deployed to monitor the DMZ

A

passive sensors

7
Q

a device that monitors and collects data about network activity, which can then be used for analysis and decision-making;
Sensors should be placed at the right place within the network

A

sensor

8
Q

After your network is installed, you should turn on _________, so that your NIC can also learn about packets that are not destined/routed to your machine;
___________ operate in promiscuous mode, which means they are able to view all traffic on the local media. This characteristic allows them to provide a wide range of statistics about what is happening at each layer of the OSI model

A

promiscuous mode;
analyzers

9
Q

what is used to capture data outside of your network?

A

analyzers

10
Q

capture traffic on segments that you cannot physically access

A

remote analyzer

11
Q

software drivers running on a computer that allow you to capture packets to and from the LAN interfaces

A

capture agent

12
Q

analyzers running on a machine that is controlled by software allowing you to remote into that computer

A

Remote Control

13
Q

**what the normal performance standards are for a network so you know what it is capable of;
help you determine when something on the network is abnormal & if it can handle policies;
should be captured at normal peak running hours

A

network baseline

14
Q

What mode do analyzers operate in to view all traffic on the local media?

A

Promiscuous mode

15
Q

two methods of capturing data

A

locally and remotely

16
Q

**Approach that focuses on the needs and goals of the org;
starts at the top and works its way down through the design;
1. analyze requirements
2. design the topology from a logical standpoint
3. design the physical layout
4. test designs, run baselines, and determine improvements

A

top-to-bottom monitoring (starts with the Application layer flowing down to the Physical Layer 1)

17
Q

building a network and determining if the network infrastructure is there;
making sure you have enough servers, computers, etc.

A

top-to-bottom networking

18
Q

gathering log data to track resource use, bugs, availability, load balancing issues, monitoring, and more;
provide alerts to live anomaly events;
Through _________, it provides a way of seeing which events form a causal chain that led to alerts across multiple services;
helps network run smoothly

A

app monitoring;
distributed tracing

19
Q

All of the following are parts of Application monitoring:
1) ______: evaluates the user's experience; are tasks running as expected?
2) ______: traffic rates; how much info is being requested/sent?
3) ______: storage issues, excessive loads, hardware issues, etc.
4) ______: is one resource being used so heavily that it can lead to bottleneck issues?
5) ______: memory & storage capabilities
6) ______: is data being stored properly so that it is accessible?
7) ______: distributing data evenly across resources

A

*1) User experience
*2) App Traffic
*3) Physical & Virtual servers
4) App dependencies
5) Storage & resource capacity
6) Caching Layer Metrics
7) Load Balancing metrics

20
Q

the process of analyzing a packet;
it is done to gain insight into the devices and users sending data across a network;
3 tools used are Wireshark, OS Fingerprinting, & tcpdump(BPF filters);
1) plan 2) deploy 3) capture 4) analyze 5) refine
how is packet analysis conducted?

A

packet analysis;
packet capture (packet capture programs ‘capture’ the packets that go across a network)

21
Q

Wireshark is the most popular packet analysis tool; it allows you to monitor your network in real time, at a detailed level. Its 3 useful functions are:

A

1) Protocol Hierarchy
2) Conversations
3) Endpoints

22
Q

organizes protocols into layers based on the rules of communication

A

protocol hierarchy

23
Q

**two people involved in the conversation;
how many packets did I send to you, how many packets did I receive from you;
who was the most talkative?

A

conversation

24
Q

**machine with a MAC address that is the source of something

A

endpoint

25
Q

a file that contains packet captures

A

PCAP

26
Q

Header: info about the packet, such as source & destination IP addresses & protocol type
Payload: actual data being transmitted
Trailer: checksums for data integrity

A

packet

27
Q

search for specific patterns or keywords within a packet; filters by either 1, 2, or 4 bytes

A

BPF

28
Q

filters packets from kernel to userspace; 5 headers you can filter with

A

Berkeley Packet Filters (BPFs);
1) Ether
2) IP, IP6
3) ICMP
4) TCP
5) UDP

29
Q

What protocols can be used with BPF filters?

A

all but Application layer 7

30
Q

BPFs are only in ___, not Wireshark

A

tcpdump

31
Q

An Ethernet frame of Layer 2 is made of 3 sections

A

1) MAC Header - Destination MAC Address, Source MAC Address, EtherType; 14 bytes
2) Data - Payload; 46 bytes
3) CRC Checksum; 4 bytes

32
Q

analyzes data packets that originate from a network to later be used in attacks; determines the OS of devices; by knowing what OS devices are using, hackers can better determine known vulnerabilities to a system; Nmap is the most popular tool for this

A

OS Fingerprinting

33
Q

attackers send the victim a packet and wait for a response, then analyze the contents of the TCP packet

A

Active OS Fingerprinting

34
Q

the attacker acts more as a sniffer/sensor that takes no actions against the network; better, but takes longer

A

Passive OS fingerprinting

35
Q

**command that writes to a file called capture_file using the -w switch

A

tcpdump port 80 -w capture_file

36
Q

**command to read files using a switch

A

tcpdump -r capture_file

37
Q

sudo p0f -r ip_packet.pcap 'host 192.168.75.138'
(program; -r = read "filename"; 'which IP we're looking at to fingerprint')

A

OS Fingerprinting example

38
Q

To best perform OS Fingerprinting, look at _____ & _____ in the IP header of the first packet in a TCP session

A

TCP window size & Time to Live (TTL)

39
Q

What is the tcpdump syntax to filter by source IP 10.10.10.10?

A

tcpdump src 10.10.10.10

40
Q

a window into network history over a period that can retrieve, examine, archive, and analyze packets; the user is not at all involved with the debugging of a network issue; used to debug incidents even further

A

Continuous packet capture

41
Q

Tells you what the next layer is

A

EtherType

42
Q

A way to continuously monitor a network other than Wireshark?

A

dumpcap

43
Q

Where in Wireshark would you set up a continuous capture?

A

Capture > Options > Output

44
Q

protocol analyzer that analyzes data from the wire or a packet capture and allows you to view application layer headers

A

Wireshark

45
Q

command necessary to run to get results for a new pcap file

A

md5sum

46
Q

command that determines the OS of a device

A

sudo p0f -r ip_packet.pcap 'host 192.168.75.138'

47
Q

command to write BPF filters with tcpdump

A

tcpdump -r ip_packets.pcap 'ip[8]>64' | wc -l (TTL greater than 64)
tcpdump -r ip_packets.pcap 'ip[8]>=64' | wc -l (TTL of 64 or greater)

48
Q

arp.opcode==1

A

request

49
Q

arp.opcode==2

A

reply

50
Q

Capture everything on interface eth0

A

tcpdump -i eth0

51
Q

Capture all ICMP traffic
Capture all UDP traffic
Capture all IP traffic

A

tcpdump icmp
tcpdump udp
tcpdump ip

52
Q

Capture everything from a specific host

A

tcpdump host 1.1.1.1

53
Q

Capture traffic from a specific host
Capture traffic going to a specific host

A

tcpdump src 1.1.1.1
tcpdump dst 1.1.1.1

54
Q

Capture everything to a specific port
Capture everything from a specific port

A

tcpdump port 3829
tcpdump src port 3829

55
Q

what command do we use with tcpdump to determine how many packets are in a pcap file?

A

tcpdump -r ip_packet.pcap | wc -l

56
Q

tcpdump command to write to, or capture, a file
tcpdump command to write to, or capture, a file that has a port number of 80

A

tcpdump -w ip_packet.pcap
tcpdump port 80 -w ip_packet.pcap

57
Q

tcpdump command to read a file

A

tcpdump -r ip_packet.pcap

58
Q

OS Fingerprinting command (analyzes data packets originating from a network)

A

sudo p0f -r ip_packet.pcap 'host 192.168.17.7'

59
Q

tcpdump for continuous capture of traffic

A

tcpdump -s0 -W 20 -C 10 -w /tmp/capfile

60
Q

dumpcap command that outputs the interfaces on your system

A

dumpcap -D