WireShark Exam Questions and Answers Graded A+

Status Bar - Bottom right corner displays how many packets have been captured and are displayed dfilters - File for custom used display filters Aggregation Taps - Aggregation/regeneration network TAPs are used to capture 100% full duplex network traffic; the traffic can then be sent to multiple monitoring appliances to analyze your network. Manuf file - Used to store the first 3 blocks of mac address for name resolution Services File - Contains list of all ports and services WinPcap - WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API. Promiscuous mode - Enables a network card and driver to capture traffic that is addressed to other devices on the network, not just to the local hardware address TCP Backoff Algorithm - Exponential backoff is an algorithm that uses feedback to multiplicatively decrease the rate of some process, in order to gradually find an acceptable rate. TCP Syn - SYN - (Synchronize) Initiates a connection IPv4 total length - This 16-bit field defines the entire packet size, including header and data, in bytes. The minimum-length packet is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535 bytes — the maximum value of a 16-bit word. All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets. Sometimes subnetworks impose further restrictions on the packet size, in which case datagrams must be fragmented. Fragmentation is handled in either the host or router in IPv4. IPv4 Data Link Padding - Proxy ARP - Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address as (ostensibly final) destination. TCP Retransmission Timeout - Retransmissions are the result of packet loss and are triggered when the sender's TCP retransmission timeout (RTO) timer expires or a receiver sends Duplicate Acknowledgments to request a missing segment Monitor Mode - In order to capture all traffic that the adapter can receive, the adapter must be put into "monitor mode", sometimes called "rfmon mode". In this mode, the driver doesn't make the adapter a member of any service set. TCP Stream Index - the Stream Index value in TCP conversations begins at 0 and counts up by 1 for each TCP conversation seen in the tra Routing Overview - Pg. 32 Initial Sequence Number - The SYN packets synchronize the sequence numbers to ensure both sides know each other's starting sequence numbers (the Initial Sequence Number, or ISN). This is how they will keep track of the sequence of data exchanged between them. - Packets have been flagged with TCP issues or notifications (will not work if Analyze TCP Sequence Numbers is disabled in the TCP preferences) Total Length Field - This field defines the length of the IP header and any valid data (this does not include any data link padding). In the example shown in Figure 203, the total length field value is 1500 bytes. The first 20 bytes of that is the IP header—this indicates that the remaining packet length (not including any data link padding) is 1480 bytes. Unusual IP addresses - The IP source address cannot be the loopback address (127.0.0.0/8), a multicast address or a broadcast address. Display BOOTP-DHCP Statistics - The BOOTP-DHCP statistics window summarizes the DHCPv4 message types in the trace file. As of Wireshark 1.7.2 this feature does not support DHCPv6. TCP window size field - When a host advertises a small size or zero, network performance can be severely impacted. TCP Throughput Graphs - are unidirectional—if you do not see anything plotted when you open a Throughput graph, you might be looking at the wrong side of the communication. Highlight a packet going in the reverse direction and load the graph again.