Study Guide Questions Flashcards
(158 cards)
1
Q
What is the purpose of network analysis?
A
Identify performance problems, locate security breaches, analyze application behavior, and perform capacity planning
2
Q
Name at least three troubleshooting tasks that can be performed using network analysis.
A
- Locate faulty network devices
- Identify device or software misconfigurations
- Measure high delays along a path
- Locate the point of packet loss
- Identify network errors and service refusals
- Graph queuing delays
3
Q
Why is network analysis considered a security risk by some companies?
A
It involves tapping into network traffic and eavesdropping on communications potentially showing unencrypted communication.
4
Q
What is the purpose of WinPcap?
A
Windows port of the libpcap interface. Provides low-level network access and the Windows version of the libpcap API.
5
Q
What is the purpose of Wireshark’s dissectors?
A
Decode packets to display field contents and intepreted values, plugins provide special routines for dissection, display filters define which packets are displayed
6
Q
What is the purpose of the Wiretap library?
A
Enables Wireshark to ready a variety of trace file formats.
7
Q
If you connect a Wireshark host directly into a switch, what traffic can you expect to see by default?
A
By default, switches forward all broadcast packets, multicast packets (unless configured to block multicast forwarding), packets destined to the Wireshark host’s hardware address and packets destined to unknown hardware addresses.
8
Q
What is the difference between monitor mode and promiscuous mode?
A
In monitor mode, the driver doesn’t make the adapter a member of any service set. In this mode, an adapter and driver pass all packets of all SSIDs from the currently selected channel up to Wireshark. Promiscuous mode enables a network card and driver to capture traffic that is addressed to other devices on the network, not just to the local hardware address.
9
Q
What is the purpose of file sets?
A
File sets are contiguous files that can be individually opened and examined faster than single files.
10
Q
What is the difference between capture filters and display filters?
A
Capture filters limit the packets captured when you are on a busy network or are focusing on a specific type of traffic. Display filters limit the packets displayed from a full capture.
11
Q
What format is used by Wireshark’s capture filters?
A
Berkeley Packet Filtering (BPF)
12
Q
What is the purpose of the following capture filters?
ether dst 08:3f:3d:03:32:03
gateway rtrmain01
host www.espn.com
A
Captures all traffic sent to that MAC address.
Captures all traffic to or from the MAC address of that hostname. Must be able to resolve the hostname.
Captures all traffic sent to or from the IP belonging to www.espn.com.
13
Q
How does Wireshark’s network name resolution use DNS to associate an IP address with a host name?
A
Uses hosts file lookup or inverse DNS queries to resolve IPs to host names.
14
Q
Why would you want to alter Wireshark’s preference settings?
A
To customize Wireshark for your network environment. These settings include the panes displayed in the main Wireshark window, capture settings, the name resolution processes, individual dissector behavior, etc.
15
Q
What is the difference between a global preference and a personal preference setting?
A
Global preferences are system-wide preferences. Personal preferences define customized Wireshark behavior and override the global preferences.
16
Q
What is the difference between marking packets and applying a coloring rule?
A
Packet marking is a temporary designation that is cleared when you reload the trace file, open the trace file again or toggle the packet marking off. Coloring rules are automatically applied to the traffic each time you open the trace file.
17
Q
How do you share coloring rules with other Wireshark users?
A
Import/export out of the coloring rules window or copy the colorfilters file.
18
Q
You have created a coloring rule for ICMP Type 3 traffic as shown in the figure below. How can you ensure that ICMP Type 3 packets are colored with this new rule?
A
Coloring rules follow a top down logic. Make sure your rule is not being overridden by a higher rule.
19
Q
How can the time setting be used to identify the cause of network performance problems?
A
Set the Time column to Seconds since Previously Displayed Packet and look for large gaps in time in a conversation during what should be an automated streaming process.
20
Q
You have opened a trace file sent to you from another company. The timestamp only shows millisecond resolution. Why? Can you improve the timestamp resolution of the trace file?
A
The analyzer used to capture the trace file could not provide more precise timestamps. You cannot alter the timestamp resolution of captured trace files.
21
Q
You have opened a trace file that contains 5 separate conversations. How can Time Reference be used to measure the time elapsed in one of the conversations?
A
Set a Time Reference on the first packet of the conversation you are interested in and scroll to the end of the conversation. The Time column will indicate the time elapsed from the Time Reference packet and the last packet of the conversation.
22
Q
How can you use the Protocol Hierarchy window to identify a breached host?
A
After capturing traffic to and from the host, open the Protocol Hierarchy window to look for unusual applications such as TFTP, IRC, etc. You can apply a display filter for the conversation from inside the Protocol Hierarchy window and then follow the TCP or UDP stream to reassemble the communications and identify commands or information exchanged.
23
Q
Your trace file contains over 100 TCP connections. How can you identify the most active (bytes/second) TCP connections?
A
Open the Statistics | Conversations window and select the TCP tab. Sort the information by the Bytes column. You can now right-click and apply a filter based on the most active conversation for further analysis.
24
Q
What is the purpose of GeoIP?
A
GeoIP maps IP addresses in the Endpoints window to an OpenStreetMap view of the world.
25
What syntax type is used by Wireshark display filters?
Wireshark specific syntax
26
Why is the display filter arp && bootp incorrect?
You will never have packets that are both ARP and DHCP/BOOTP.
27
What is the difference between Prepare a Filter and Apply as Filter?
Prepare a Filter creates the filter and displays it in the Display Filter window. Apply as Filter applies the filter immediately.
28
What is the difference between the following filters?
(ip. src==192.168.0.1 and udp.port==53) or tcp.port==80
ip. src==192.168.0.1 and (udp.port==53 or tcp.port==80)
The first filter displays DNS/port 53 traffic from 192.168.0.105 plus all HTTP/port 80 traffic on the network. The second filter displays DNS/port 53 or HTTP/port 80 traffic from 192.168.0.105.
29
You have selected a packet in the Packet List pane, but Follow TCP Stream, Follow UDP Stream and Follow SSL Stream are not available. Why not?
The packet does not have a TCP/UDP header and is not SSL communication. ARP for example.
30
What is the syntax of the display filter created when you choose Follow TCP Stream?
tcp.stream eq
31
How can you determine the type of file transferred over an FTP connection when you use Follow TCP Stream?
You can look at the file name in the command channel or look for a file identifier inside the file itself.
32
Why would the Stream window be empty when you select Follow SSL Streams?
You did not apply decryption keys to the SSL stream.
33
What elements can you customize using Wireshark profiles?
You can customize your preferences (such as name resolution, columns, stream coloring and protocol dissection settings), capture filters, display filters, coloring rules, etc.
34
How can you move a custom profile to another Wireshark system?
You can copy the entire profile directory to the other Wireshark system's profiles directory.
35
Which file should you be cautious of sharing when copying a custom profile to another Wireshark system?
The preferences file may contain settings that are specific to the original Wireshark system. This file contains configurations such as the default directory setting for opening new trace files and the default capture device
36
How can you quickly view all the packet comments in a trace file?
Open the Expert Infos window and select the Packet Comments tab.
37
What save options are available when you only want to save a subset of packets contained in a trace file?
When you select File | Export Specified Packets, you can choose to save displayed packets, selected packets, marked packets, first to last marked packet or a packet range.
38
What export format could you use if you are going to import information from the Packet List pane into a spreadsheet program?
CSV
39
Which Wireshark feature should you use if you want to save a TCP header as a text file?
Expand the TCP header in a packet and choose File | Export Packet Dissections and choose as "Plain Text" file. Select Packet Details: As displayed in the Packet Format section.
40
What is the fastest way to launch the Expert Infos window?
Click on the Expert Info button on Wireshark’s Status Bar.
41
How can you make specific Expert Info elements stand out in the Packet List pane?
By default, Wireshark colors all Expert Info elements with a black background and red foreground. You can make Expert Info elements stand out by creating a coloring rule for the element (e.g., tcp.analysis.retransmission) and placing it above the Bad TCP coloring rule.
42
How can you filter on all packets that trigger TCP Expert notifications?
Apply a display filter for tcp.analysis.flags.
43
What file is referenced to determine the port to use in a communication when the application does not explicitly specify a port?
etc/services file
44
What can you assume when a client does not generate a DNS query to resolve a target’s IP address?
The client either has the target’s IP address in cache or the client has a hosts file.
45
What configuration fault might cause a host to ARP for a remote target?
The client might have a subnet mask that is too short.
46
What is the purpose of DNS?
Resolve hostnames to IP addresses.
47
When does DNS traffic use TCP as the transport?
Zone transfers and requests larger than 512 bytes.
48
What is the difference between recursive and iterative DNS queries?
Recursive will allow the DNS server to query another DNS server if it does not have the record locally. Iterative only allows the DNS server to look at its local database.
49
What are the four sections of DNS queries and answers?
- Questions
- Answer Resource Records
- Authority Resource Records
- Additional Resource Records
50
What is the purpose of ARP?
Obtain the hardware address of a target host or gateway.
51
What configuration problem can cause a host to ARP for a remote host?
Subnet mask is too short.
52
Why can’t ARP packets cross routers?
No IP header
53
What is the syntax of capture and display filters for ARP traffic?
arp
| arp
54
What is the purpose of IPv4/IPv6?
Provides datagram delivery services for networked system as well as fragmentation and reassembly for low MTU networks
55
Which three IPv4 header fields are used with IP fragmentation?
Don’t Fragment bit, the More Fragments bit and Fragment Offset field.
56
What should an IPv4 router do when a packet to be forwarded arrives with a TTL value of one?
Discard the packet
57
What is the purpose of the Differentiated Services field?
The Differentiated Services field can be used to prioritize traffic along a path.
58
What is the syntax for capture and display filters for IPv4 and IPv6 traffic?
Capture filter: ip or ip6
| Display filter: ip or ipv6
59
What is the format of an IPv6 6to4 packet?
An IPv6 header is preceded by an IPv4 header. The IPv4 Protocol field is set to 41 (IPv6).
60
What is the purpose of ICMP?
ICMP is used as a messaging system for errors, alerts, and general notifications on an IP network.
61
What type of device might generate an ICMP Type 3, Code 13 (Destination Unreachable, Communication Administratively Prohibited) packet?
This packet might be generated by a verbose firewall. Many firewalls will silently discard blocked packets rather than send this packet.
62
You have captured only ICMP packets on your network. How can you determine what triggered the ICMP Type 3 (Destination Unreachable) packets on your network?
ICMP Type 3 packets contain the IP header and at least the next 8 bytes of the packet that triggered this response. Examine the IP header and bytes following the ICMP portion to determine why this packet was sent.
63
Which ICMPv4 and ICMPv6 packets are used for the standard ICMP-based ping process?
ICMP Type 8 (Echo Request) and ICMP Type 0 (Echo Reply) packets.
64
What should a host do when it receives an ICMP Type 5, Code 0 (Redirection, Redirect Datagram for the Network/Subnet) packet?
It should update its routing tables with the dateway address included in the ICMP packet.
65
What is the syntax for capture and display filters for ICMPv4 and ICMPv6 traffic?
Capture filter: icmp or icmp6
| Display filter: icmp or icmpv6
66
What ICMPv6 packet is used to check for duplicate IP address assignment?
ICMPv6 Neighbor Solicitation (ICMP Type 135)
67
What is the purpose of UDP?
Provides connectionless transport services
68
How does a UDP-based application recover from packet loss?
It doesn't
69
Why would a UDP packet contain a checksum value of 0x0000?
Checksum not used
70
What is the purpose of TCP?
TCP offers connection-oriented transport, data sequencing and acknowledgment and automatic recovery for lost packets.
71
What three packets establish a TCP connection?
SYN, SYN/ACK and ACK.
72
What is the purpose of the Sequence Number field? What is the purpose of the Acknowledgment Number field?
The Sequence Number field is used to uniquely track each TCP segment. The Sequence Number field value increments based on the number of data bytes sent. The Acknowledgment Number field indicates the next expected sequence number from the other TCP host on the connection.
73
How does a TCP host refuse a connection request?
TCP hosts set the Reset (RST) bit in a response to a TCP SYN packet
74
How does a TCP-based application recover from packet loss?
If the sender times out waiting for an acknowledgment, it generates a retransmission. If a receiver notices a missing segment, it sends duplicate acknowledgments to the TCP host it is connected to. Upon receipt of three identical acknowledgments the TCP sender generates a retransmission.
75
What is the maximum value that can be used in the TCP Window field?
65,535
76
How much of a packet is counted when plotting an IO Graph?
The entire packet including payload and headers is counted in IO Graphs.
77
What is the likely cause of an empty graph?
Most likely the graph is unidirectional and you have selected a packet traveling in the wrong traffic direction before building the graph.
78
How can you use an IO Graph to plot overall traffic compared to a single conversation?
Apply a conversation filter on a second graph line.
79
What is the purpose of the SUM(*) calculation in an advanced IO Graph?
This calculation counts up the value of a field or characteristic (such as tcp.len) for the tick interval defined and plots the value on the graph.
80
On what data is the Round Trip Time graph based?
Wireshark calculates and plots the time between a data packet and the corresponding ACK packet.
81
What is an ideal pattern to see in a TCP Time-Sequence graph?
The ideal TCP Time-Sequence graph pattern is a steep slope from the lower left corner to the upper right corner.
82
What is the purpose of DHCP?
DHCP enables clients to obtain their IP addresses and configuration information in a dynamic manner.
83
What is the DHCP traffic sequence when a DHCP client boots up outside of its lease time?
Discover—Offer—Request—Acknowledge.
84
What is the purpose of a DHCP Decline packet?
This DHCP packet is sent from a DHCP client to DHCP server to indicate that the offered network address is already in use.
85
Why would a DHCP client enter the rebinding phase?
A DHCP client enters the rebinding phase when the renewal process is unsuccessful.
86
What is the syntax for capture and display filters for IP traffic?
DHCPv4 capture filter: port 67 or port 68
DHCPv4 Display filter: bootp
DHCPv6 capture filter: port 546 or port 547
DHCPv6 Display filter: dhcpv6
87
What is the IPv6 destination address used for DHCPv6 Solicit messages?
IPv6 Solicit packets are sent to ff02::1:2 which is the multicast address for All_DHCP_Relay_Agents_and_Servers.
88
You are analyzing an HTTP session as a user browses a new website. What HTTP response code indicates the page was found locally?
200
89
How is an HTTP 404 Not Found categorized?
This response is categorized as a client error.
90
How can you determine that a client is loading web pages out of cache?
Look for the If-Modified-Since request modifier from the client or a response code 304 Not Modified.
91
What display filter should you avoid if you want to view the TCP handshake and TCP ACKs during a web browsing session?
The http display filter will not display the TCP handshake or the TCP ACKs during the session. Consider using tcp.port==80 to view the entire HTTP conversation.
92
What is the HTTP request method used to send data up to an HTTP server?
HTTP clients use POST to send data up to an HTTP server.
93
What is the syntax for capture and display filters for HTTP traffic running over port 80?
Capture filter: tcp port http
| Display filter: http.
94
How can you configure Wireshark to always recognize port 444 as an SSL/TLS port?
To add port 444 as an SSL/TLS port, select Edit | Preferences | Protocols | HTTP and add port 444 in the SSL/TLS ports section.
95
What steps are required to decrypt HTTPS traffic with Wireshark?
You must obtain the decryption key and copy it to your Wireshark system. Next you must configure Wireshark’s SSL preferences RSA Key List setting with the proper syntax.
96
Which side of an HTTPS communication offers a list of acceptable cipher suites and which side of the HTTPS communication selects the desired cipher suite to use?
The HTTPS client offers a list of acceptable cipher suites and the HTTPS server selects the cipher suite to use for the communication.
97
What is the purpose of FTP?
Used to transfer files over TCP
98
What are the two connections used for in FTP communications?
FTP communications use one connection as a command channel and a second connection as a data channel.
99
What is the purpose of the FTP PORT command?
The PORT command is used by the client to establish an active mode FTP connection.
100
What is the purpose of the FTP PASV command?
The PASV command is used by the client to establish a passive mode FTP connection.
101
How secure is FTP traffic?
Its not. All cleartext
102
What is the syntax for capture and display filters for FTP command traffic running over port 21?
Capture filter: tcp port 21
| Display filter: ftp
103
What is the purpose of POP? What is the purpose of SMTP?
POP is an application used to retrieve email. SMTP is used to send email.
104
What command is used by a POP client to request that the POP server download emails to the client?
The POP client issues an RETR command to the POP server to request emails.
105
What are the two POP response codes?
The two POP response codes are +OK and –ERR.
106
What is the difference between an SMTP EHLO and HELO message?
A HELO initiates a standard SMTP session, whereas EHLO indicates the client supports SMTP with mail service extensions.
107
What is the syntax for capture and display filters for POP communications?
Capture filter: tcp port 110
| Display filter: pop
108
What is the syntax for capture and display filters for SMTP communications?
Capture filter: tcp port 25
| Display filter: smtp
109
What does an Access Point do with the 802.11 header when it forwards a packet onto an Ethernet network?
The access point strips off the 802.11 header and applies an Ethernet header before forwarding the packet on.
110
What tool can be used to identify RF interference and RF energy?
A spectrum analyzer, such as Wi-Spy and Chanalyzer Pro, offer an insight into RF interference and RF energy.
111
What is monitor mode?
In monitor mode, an adapter does not associate with any SSID—all packets from all SSIDs on the selected channel are captured.
112
What are your capture limitations if the WLAN adapter does not support promiscuous mode?
If an adapter does not support promiscuous mode, you will not be able to listen to traffic destined to other hardware addresses. You must capture traffic directly on the host in which you are interested.
113
What graph can you create to verify access point availability?
To verify access point availability you can create an IO Graph and add a filter for beacon frames.
114
What is the advantage of prepending a Radiotap header to your 802.11 traffic?
The Radiotap header contains the radiotap.channel.freq field. Prepending this header on the packets enables you to filter on the WLAN channel.
115
What are the three WLAN traffic types used to transport data, establish MAC-layer connectivity and enable delivery of frames?
The three WLAN traffic types are data, management and control.
116
What is the purpose of Association frames on a WLAN?
Association request and response frames are sent by stations to synchronize with the access point and exchange capability information.
117
What is the default interval of WLAN beacon frames?
100ms
118
What is the purpose of SIP?
signaling protocol used for call setup and teardown.
119
What is the purpose of RTP?
Carries the voice call itself.
120
What configuration change can you make if Wireshark does not see the SIP traffic and can’t identify a VoIP call?
Try to Decode RTP Outside of Conversations in Edit | Preferences | Protocols | RTP.
121
What is jitter?
Jitter is a variance in the packet rate.
122
What causes a wrong sequence number indication in Wireshark’s RTP Stream Analysis window?
Packet loss or packets that are out of order will trigger the wrong sequence number indication in the RTP Stream Analysis window.
123
What is the default port used by SIP traffic? Where is the RTP port number defined?
By default, SIP uses port 5060 (over UDP or TCP). The SIP packet media attribute section indicates the port number that the RTP stream should run over.
124
What types of packets are displayed using the filter sip.Status-Code > 399?
If you use this filter you would capture all SIP client errors, server errors and global failures.
125
What is a useful column to add to the Packet List pane when looking for QoS issues in handling VoIP traffic?
To identify possible QoS issues, add a DSCP column to examine the priority settings of VoIP call setup and call data traffic.
126
What capture filter can be used to capture all SIP traffic?
You can use the capture filter udp port 5060 to capture all SIP traffic running over UDP. If your VoIP solution uses SIP over TCP, use the capture filter tcp port 5060 to capture all SIP traffic running over TCP.
127
What is the purpose of a baseline?
Baselining is the process of creating a set of trace files that depict "normal" communications on the network. Compare unusual traffic patterns to your baseline to identify anomalies.
128
How can you obtain a baseline of a boot up sequence?
You cannot obtain a boot up baseline on the actual host you are analyzing. You must tap into an existing network connection (as close as possible to the client preferably), start capturing and then boot up the baseline host.
129
Why should you baseline traffic during idle times?
Watching the traffic flowing to and from a host during idle time (when no one is using the host) helps identity background traffic that automatically occurs.
130
How can you quickly spot large gaps in time between packets of a conversation?
To spot large gaps in time between packets of a conversation set the Time column to Seconds since Previous Displayed Packet, filter on a single conversation and then sort the Time column so the largest values are at the top.
131
What are the steps involved in finding the source of packet loss during a TCP-based file transfer process?
Move the analyzer along the path to determine the point when you see the original packet and the retransmission—packet loss has not occurred yet—the device that is dropping packets is downstream (closer to the receiver) than you are located.
132
Which graph can you create to display small packet sizes during a file transfer process?
Graph the AVG(*)tcp.len value in an Advanced IO Graph.
133
What condition occurs when a TCP receiver has no buffer space available?
When a TCP receiver runs out of buffer space, it advertises a window zero condition.
134
When analyzing a trace file of a file transfer process you notice over 100 error responses during the file location process. Can you assume this will always cause a delay that is noticeable by the client?
No. You must analyze the total amount of delay incurred by the errors before stating that they are causing a noticeable effect.
135
What is the purpose of network forensics?
Network forensics is the process of examining network traffic for evidence of unusual or unacceptable traffic. This traffic may include reconnaissance (discovery) processes, phone-home behavior, denial of service attacks, man-in-the-middle poisoning, bot commands, etc.
136
What is one of the traffic patterns that can make a Wireshark system visible to others?
If network name resolution is enabled, Wireshark may generate a large number of DNS PTR queries to resolve IP addresses to host names.
137
Why should you capture your own traffic when doing research with reconnaissance and attack tools?
Capture your own traffic when doing research with these tools to identify the signatures in their traffic and create defense mechanisms to block these tools from being used successfully on your network.
138
How can you make unusual traffic easier to locate in Wireshark?
Consider creating coloring rules for unusual packets so you can identify them faster in the Packet List pane.
139
What is the purpose of discovery and reconnaissance processes?
Discovery and reconnaissance processes are used to identify hosts on the network, locate network services, learn operating system versions running on hosts and any other information on network devices.
140
What is the limitation of ARP scanning?
Because ARP is a non-routable protocol, ARP scanning can only find local devices. The advantage of ARP scanning is that the process can locate devices that block ICMP pings through firewall use.
141
What are the two reasons someone may run a TCP port scan?
TCP port scans can be used to identify TCP-based services running on a target or they can be used simply to determine which hosts are running on a network.
142
How can you differentiate between a TCP full connect scan and a TCP half-open scan?
A TCP full connect scan completes the three-way TCP handshake when an open port is found. The packet sequence is SYN, SYN/ACK, ACK. A TCP half-open scan does not complete the three-way TCP handshake. The packet sequence is SYN, SYN/ACK.
143
What type of device may send an ICMP Destination Unreachable response to a TCP connection attempt?
If a TCP connection attempt receives an ICMP Destination Unreachable response you can assume the target is behind a local or network firewall that is generating the ICMP response.
144
What process can be detected by an unusual number of IP packets that contain a low TTL value?
A traceroute process generates a high number of packets that have a low TTL value.
145
What are the two distinct functions of application mapping?
Application mapping relies on two distinct functions –probing and matching. Probes are proactively sent to a target to generate responses. Responses are matched to predefined responses to identify the service discovered.
146
What is the advantage of performing passive OS fingerprinting with Wireshark?
Passive OS fingerprinting relies on silently listening to network traffic and does not generate any traffic and cannot be detected by IDS devices. Active OS fingerprinting generates packets to trigger responses that allows identification of the target.
147
What is "suspect traffic?"
Suspect traffic is traffic that is considered unusual on the network.
148
How can name resolution vulnerabilities affect network security?
If the name resolution process is breached, an attacker can redirect hosts to communicate with systems other than the intended ones.
149
What is a maliciously malformed packet?
A maliciously malformed packet is a packet that is intentionally created to take advantage of protocol or application vulnerabilities.
150
What is a ‘Dark’ destination address?
A ‘dark’ destination address is an address that falls within the network address range in use but is not currently assigned to a host.
151
What is a key signature of a packet that is looping a switched network?
A packet that is looping on a switched network will contain the same IP ID value.
152
Which Wireshark feature can help you spot unusual protocols and applications on the network?
Wireshark’s Protocol Hierarchy window helps identify unusual protocols and applications.
153
What are two redirection processes that can facilitate man-in-the-middle attacks?
ARP poisoning and ICMP redirection are two redirection processes that can facilitate man-in-the-middle attacks.
154
How can you determine the complete payload of TCP splicing traffic?
Use TCP reassembly to view the reconstructed TCP payload when the traffic has been spliced.
155
What is the primary purpose of Tshark?
Tshark’s primary purpose is to offer command line packet capture. Tshark is preferred over the GUI capture because it requires fewer resources than the GUI Wireshark.exe.
156
Which command line tool can be used to change the packet timestamps on a trace file?
Editcap can be used to change packet timestamps using the –t parameter.
157
Which command line tool can be used to display the capture file type, the number of packets and the capture duration of a trace file?
Capinfos can be used to display numerous statistics about a trace file, but not information about protocols and applications contained in the trace file. For information about the protocols and applications in a trace file, use Tshark with the –z parameter.
158
You are working on a system that is low on memory and a network that is saturated with packets. Would you rather use tcpdump or Tshark to capture traffic?
Between tcpdump and Tshark, tcpdump uses fewer system resources but does not offer as many capture configuration options.
