Objective 3.1 Flashcards
3.1 Given a scenario, use appropriate statistics and sensors to ensure network availability. (20 cards)
What are “Runts” in the context of Ethernet frames?
Runts are Ethernet frames that are smaller than the minimum required size of 64 bytes.
They are considered malformed or incomplete frames.
On the Job: Seeing runt errors on a switch port is a major clue. It almost always points to a Physical Layer (Layer 1) problem like a faulty Network Interface Card (NIC), a bad cable/connector, or collisions on a half-duplex link that cut a transmission short.
What are “Giants” in the context of Ethernet frames?
Giants are Ethernet frames that are larger than the maximum standard size of 1518 bytes (or 1522 bytes if it includes a VLAN tag).
On the Job: Giants are typically caused by a misconfigured device, like a server or switch with “jumbo frames” enabled when the rest of the network doesn’t support it, or a faulty NIC that is creating oversized frames.
What does a CRC (Cyclic Redundancy Check) error indicate?
A CRC error indicates that a frame was corrupted during transmission.
The receiving NIC recomputes the CRC over the frame it received and compares it with the Frame Check Sequence (FCS) carried in the frame's trailer; if the two differ, it counts a CRC error and discards the frame.
On the Job: This is a classic indicator of a Layer 1 problem. Investigate for bad cables, loose connections, or sources of electromagnetic interference (EMI) near the network cable.
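Added example (not part of the original flashcards): a small Python classifier that applies the three rules above to raw frame bytes. It builds test frames itself, including the padding and the CRC-32 FCS a sending NIC appends, then reports which counter (runt, giant, CRC error) a switch port would increment. The MAC addresses, payloads and VLAN ID are constructed; the length limits and the CRC-32 polynomial are the IEEE 802.3 values quoted on the cards.

```python
import struct
import zlib

MIN_FRAME = 64           # bytes, header + payload + 4-byte FCS
MAX_FRAME = 1518         # bytes, untagged Ethernet II frame
MAX_FRAME_TAGGED = 1522  # bytes, with one 802.1Q VLAN tag
ETHERTYPE_VLAN = 0x8100


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Assemble an Ethernet II frame with a correct FCS (constructed test data)."""
    header = dst + src
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100 followed by the tag control field (VLAN ID only here)
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    header += struct.pack("!H", ethertype)
    body = header + payload
    # Pad so that body + FCS reaches the 64-byte minimum, as a sending NIC would.
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    # The FCS is CRC-32 (IEEE 802.3), the same polynomial zlib uses,
    # and is transmitted least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def classify_frame(frame):
    """Return which error counter a switch port would increment for this frame.

    Length is checked before the FCS because a truncated frame has lost its
    trailer, so its CRC can never validate anyway.
    """
    n = len(frame)
    if n < MIN_FRAME:
        return "runt"
    tagged = struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN
    limit = MAX_FRAME_TAGGED if tagged else MAX_FRAME
    if n > limit:
        return "giant"
    body, received_fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != received_fcs:
        return "crc_error"
    return "ok"


if __name__ == "__main__":
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"   # constructed addresses
    good = build_frame(dst, src, 0x0800, b"hello")
    print("padded minimum frame:", classify_frame(good))                  # ok
    print("truncated frame:", classify_frame(good[:50]))                   # runt
    print("1600-byte payload:", classify_frame(build_frame(dst, src, 0x0800, b"A" * 1600)))            # giant
    print("1500-byte payload, tagged:", classify_frame(build_frame(dst, src, 0x0800, b"A" * 1500, 10)))  # ok
    damaged = bytearray(good)
    damaged[20] ^= 0xFF                                                    # flip one byte of padding
    print("bit-flipped frame:", classify_frame(bytes(damaged)))            # crc_error
```

The tagged case is the edge worth remembering: a 1500-byte payload with a VLAN tag is exactly 1522 bytes and is legal, while the same payload plus one byte on an untagged port is a giant.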
What is the difference between a local collision and a late collision?
- Local Collision: Occurs within the first 64 bytes of transmission. These are normal on old hub-based networks or in half-duplex communication.
- Late Collision: Occurs after the first 64 bytes of transmission. These are a serious problem and should never occur on a properly configured switched network.
On the Job: Late collisions are a smoking gun for a duplex mismatch (one device is full-duplex, the other is half-duplex) or a cable run that exceeds the 100-meter limit for twisted-pair Ethernet.
What are “discarded packets”?
Packets that a network device, like a router or switch, intentionally drops.
The device makes a decision to not forward the packet.
On the Job: Discards happen for a reason. Check the device’s configuration. Common causes include a full buffer (the device is too busy), a Quality of Service (QoS) policy dropping low-priority traffic, or an Access Control List (ACL) rule blocking the packet.
Define “Latency” and “Round-Trip Time (RTT)”.
- Latency: The time it takes for a single packet to travel from a source to a destination (one-way delay).
- RTT: The total time for a packet to travel from a source to a destination and for a response to return to the source (two-way delay). The ping command measures RTT.
What is “Jitter”?
Jitter is the variation in the latency of received packets.
It measures the inconsistency of packet arrival times.
On the Job: High jitter is devastating for real-time applications. It’s the reason VoIP calls sound choppy and video conferences freeze or stutter. Packets arriving out of order or with inconsistent delays are hard for these applications to process smoothly.
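Added example (not part of the original flashcards): two constructed series of RTT samples with the same average but very different jitter, summarised the way ping's min/avg/max/mdev line does, plus two jitter measures: the average change between consecutive samples, and the smoothed interarrival-jitter estimator from RFC 3550 section 6.4.1. Applying the RFC 3550 estimator to ping RTTs rather than RTP transit times is an assumption made for illustration.

```python
import math


def rtt_stats(samples_ms):
    """min/avg/max/mdev as in ping's summary line (mdev is the population std dev)."""
    n = len(samples_ms)
    avg = sum(samples_ms) / n
    mdev = math.sqrt(sum((s - avg) ** 2 for s in samples_ms) / n)
    return {"min": min(samples_ms), "avg": avg, "max": max(samples_ms), "mdev": mdev}


def mean_abs_jitter(samples_ms):
    """Average absolute change between consecutive delay samples."""
    if len(samples_ms) < 2:
        return 0.0
    diffs = [abs(b - a) for a, b in zip(samples_ms, samples_ms[1:])]
    return sum(diffs) / len(diffs)


def rfc3550_jitter(samples_ms):
    """Smoothed estimator from RFC 3550 section 6.4.1: J = J + (|D| - J) / 16,
    where D is the change in delay between consecutive packets. Used here on
    RTT samples (assumption: the ping context of these cards)."""
    j = 0.0
    for a, b in zip(samples_ms, samples_ms[1:]):
        j += (abs(b - a) - j) / 16
    return j


if __name__ == "__main__":
    steady = [20.0, 20.0, 20.0, 20.0]   # constructed samples, ms
    bursty = [10.0, 30.0, 10.0, 30.0]   # same average, very different jitter
    for name, s in (("steady", steady), ("bursty", bursty)):
        print(name, rtt_stats(s), "jitter", mean_abs_jitter(s),
              "rfc3550", round(rfc3550_jitter(s), 3))
```

Both series average 20 ms, so an average-only dashboard would call them identical; the jitter figures (0 versus 20 ms) are what explain why one VoIP call is clean and the other is choppy.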
Explain the relationship between Bandwidth, Throughput, and Utilization.
Bandwidth (Capacity): The maximum theoretical data rate of a link (e.g., 1 Gbps).
Throughput: The actual measured data rate over that link, which is almost always lower than the bandwidth.
Utilization: The percentage of the link’s bandwidth that is currently being used. (Utilization = Throughput / Bandwidth).
What is the formula for calculating network “Availability”?
Availability is the percentage of time a system is operational.
The formula is: Availability = (Total Uptime / (Total Uptime + Total Downtime)) * 100
What is the purpose of “Link Speeds and Feeds”?
“Speeds and Feeds” refers to the data rate (e.g., 100 Mbps, 1 Gbps) and duplex settings (half, full) of a network interface.
On the Job: Verifying these settings is a fundamental troubleshooting step. A speed or duplex mismatch between two connected devices (e.g., a laptop and a switch port) is a common cause of poor performance and errors like late collisions.
What is the function of SNMP?
SNMP is a protocol used by network administrators to monitor, manage, and gather data from network devices (like routers, switches, and servers) from a central location called an SNMP Manager.
On the Job: SNMPv1 and v2c authenticate with a plaintext community string, so prefer SNMPv3 with authentication and privacy enabled, and restrict which manager addresses may poll each agent.
What is a MIB (Management Information Base)?
A MIB is a hierarchical database that resides on an SNMP-managed device (agent).
Each managed object in the MIB (e.g., interface status, CPU usage, error counts) is identified by an Object Identifier (OID), a dotted numeric path such as 1.3.6.1.2.1.2.2.1.14 for the ifInErrors column, and the manager reads or writes values by OID.
Explain the SNMP operations: get, walk, and trap.
- get: A GetRequest from the SNMP Manager to an agent to retrieve the value of one specific OID.
- walk: Not a single protocol message but a tool behaviour (e.g., snmpwalk): the Manager issues a chain of GetNext requests (or GetBulk in SNMPv2c/v3), each starting where the previous reply ended, until the replies leave the requested MIB subtree.
- trap: An unsolicited, asynchronous message sent from the agent to the manager to report a significant event, like a link failure or device reboot.
What is the role of an API in network operations?
An API (Application Programming Interface) allows different software systems to communicate and exchange data programmatically.
In modern networking, APIs are essential for network automation, configuration management, and pulling monitoring data without manual logins.
Define REST and JSON in the context of network APIs.
- REST (Representational State Transfer): An architectural style for building APIs that uses standard HTTP methods (GET, POST, etc.). It’s popular because it’s stateless and flexible.
- JSON (JavaScript Object Notation): A lightweight, human-readable format for structuring and transporting data. It is the most common data format used by REST APIs.
What is YANG?
YANG (Yet Another Next Generation) is a data modeling language. Its purpose is to create a standardized, predictable way to model the configuration data and operational state of a network device. Protocols like NETCONF and RESTCONF use YANG models to define what can be read and written.
What is the purpose of LLDP (Link-Layer Discovery Protocol)?
LLDP is a vendor-neutral Layer 2 protocol that allows network devices to advertise their identity, capabilities, and port information to their directly connected neighbors.
On the Job: LLDP is incredibly useful for creating accurate network diagrams and for quickly identifying which switch port a server or other device is plugged into without having to trace cables physically.
What are Protocol Analyzers (e.g., Wireshark, tcpdump) used for?
They are tools used to capture, decode, and analyze network traffic in real-time.
They show you the individual packets and the contents of their headers.
On the Job: For a SOC Analyst, this is like a microscope for network traffic. It’s essential for deep-dive troubleshooting (e.g., “Why is this application failing?”) and for security forensics (e.g., “What data did this malware actually send?”).
What is Flow Data (e.g., NetFlow)?
Flow data is metadata about network conversations, not the full packet content. A "flow" is a sequence of packets that share the same 5-tuple (source IP, destination IP, source port, destination port, protocol) within a time window. The flow record carries those fields plus packet and byte counts and the start and end times.
On the Job: Flow data is perfect for getting a high-level view of “who is talking to whom” across the network. It’s less storage-intensive than full packet capture and is a primary data source for SIEMs to detect anomalies like data exfiltration or scanning activity.
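Added example (not part of the original flashcards): a Python sketch of what a flow exporter and a SIEM rule do with flow data. It collapses constructed packet records into 5-tuple flows, then runs two detections the card mentions: a source touching many distinct ports on one host (port scan) and the internal hosts sending the most bytes to external addresses (exfiltration triage). The addresses and packets are made up, and treating "10." as the internal prefix is an assumption for the example.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst proto sport dport size")

# Constructed packet records (what a flow exporter sees on the wire), not real traffic.
PACKETS = [
    # A normal HTTPS session from a workstation to an internal server.
    Packet(1.0, "10.0.0.7", "10.0.0.20", "tcp", 50211, 443, 120),
    Packet(1.1, "10.0.0.20", "10.0.0.7", "tcp", 443, 50211, 1400),
    Packet(1.2, "10.0.0.7", "10.0.0.20", "tcp", 50211, 443, 80),
    # One host probing many ports on the same server: a vertical port scan.
    *[Packet(2.0 + i * 0.01, "10.0.0.5", "10.0.0.20", "tcp", 40000 + i, port, 60)
      for i, port in enumerate([21, 22, 23, 25, 80, 139, 443, 445, 3389, 8080])],
    # A large outbound transfer to an external address.
    *[Packet(3.0 + i * 0.1, "10.0.0.9", "203.0.113.10", "tcp", 51000, 443, 1400)
      for i in range(20)],
]


def aggregate_flows(packets):
    """Collapse packets into unidirectional flows keyed by the 5-tuple."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        f["packets"] += 1
        f["bytes"] += p.size
        f["last"] = max(f["last"], p.ts)
    return flows


def detect_port_scans(flows, min_ports=8):
    """Flag (src, dst) pairs where one source touches many distinct destination ports."""
    ports = defaultdict(set)
    for (src, dst, _proto, _sport, dport) in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def top_external_talkers(flows, internal_prefix="10.", n=3):
    """Rank bytes sent from internal hosts to external destinations (exfil triage).
    The internal prefix is a constructed assumption for this example."""
    totals = defaultdict(int)
    for (src, dst, *_), f in flows.items():
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[(src, dst)] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    print(len(PACKETS), "packets ->", len(flows), "flows")
    print("port scans:", detect_port_scans(flows))
    print("top external talkers:", top_external_talkers(flows))
```

Note how little the detections need: 33 packets become 13 records with no payload in them, yet the scan and the bulk outbound transfer are both visible from the tuple fields and byte counts alone.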
Explain the roles of Syslog and a SIEM.
- Syslog: A standard protocol for devices to send their log messages to a central server. Traditional syslog runs over UDP port 514 in cleartext with no authentication, so prefer TLS transport where the devices support it and keep the collector on a management network.
- SIEM (Security Information and Event Management): A system that acts as the “brain.” It collects logs from ALL sources (Syslog, NetFlow, firewalls, servers), correlates the data to find patterns, and generates alerts for potential security incidents.
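Added example (not part of the original flashcards): a Python parser for BSD-style (RFC 3164) syslog lines that decodes the PRI field into facility and severity, followed by the kind of correlation rule a SIEM runs on top: flag any source address with five or more failed SSH logins inside a sliding 60-second window. The log lines, hostnames and addresses are constructed; the sshd "Failed password" message format is the one OpenSSH emits.

```python
import re
from collections import deque
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 (BSD) syslog layout: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

# Constructed log lines; hosts and addresses are made up.
LINES = [
    "<38>Oct 11 22:14:15 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "<38>Oct 11 22:14:16 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "<78>Oct 11 22:14:17 bastion CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>Oct 11 22:14:18 bastion sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2",
    "<38>Oct 11 22:14:20 bastion sshd[2205]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
    "<38>Oct 11 22:14:21 bastion sshd[2206]: Failed password for root from 203.0.113.9 port 51244 ssh2",
    "<38>Oct 11 22:14:25 bastion sshd[2207]: Failed password for root from 203.0.113.9 port 51250 ssh2",
    "<38>Oct 11 22:14:30 bastion sshd[2208]: Failed password for root from 203.0.113.9 port 51255 ssh2",
    "<38>Oct 11 22:14:40 bastion sshd[2209]: Failed password for alice from 198.51.100.4 port 40012 ssh2",
]


def parse_syslog(line):
    """Split a BSD syslog line into fields, decoding PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m or int(m["pri"]) > 191:
        return None
    pri = int(m["pri"])
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        # RFC 3164 timestamps carry no year; the default (1900) is fine for relative windows.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "host": m["host"], "tag": m["tag"], "pid": m["pid"], "msg": m["msg"],
    }


def brute_force_sources(events, threshold=5, window_seconds=60):
    """SIEM-style correlation: sources with >= threshold failed logins in a sliding window."""
    failures = []
    for e in events:
        fm = FAILED_RE.search(e["msg"]) if e["tag"] == "sshd" else None
        if fm:
            failures.append((e["ts"], fm["ip"]))
    failures.sort()                       # events may arrive out of order
    recent, flagged = {}, set()
    for ts, ip in failures:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    events = [e for e in map(parse_syslog, LINES) if e]
    for e in events[:3]:
        print(e["facility"], e["severity"], e["host"], e["tag"], e["msg"][:40])
    print("brute-force sources:", brute_force_sources(events))
```

The window matters as much as the count: the same six failures spread over an hour would not trip the rule, which is why a SIEM correlates on time as well as on source.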