
Wireshark Certified Network Analyst

Official Exam Prep Guide


Second Edition

Exam WCNA-102.x
2nd Edition (Version 2.1a)

Laura Chappell
Founder, Chappell University
Founder, Wireshark University

This book is intended to provide practice quiz questions based on the thirty-
three areas of study defined for the Wireshark Certified Network Analyst Exam.
This Official Exam Prep Guide offers a companion to Wireshark Network
Analysis: The Official Wireshark Certified Network Analyst Study Guide
Second Edition (ISBN10: 1-893939-94-4; ISBN13: 978-1-893939-94-3;
www.wiresharkbook.com)
Available in hardcopy and digital format. Visit www.amazon.com for more
details.

Copyright 2012, Protocol Analysis Institute, Inc., dba Chappell University. All rights reserved. No part of this book, or related
materials, including interior design, cover design or contents of the referenced book website, www.wiresharkbook.com, may be
reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without the prior written
permission of the publisher.

To arrange bulk purchase discounts for sales promotions, events, training courses, or other purposes, please contact Chappell University
at the address and email listed on the next page.

Book URL: www.wiresharkbook.com


10-digit ISBN: 1-893939-90-1
13-digit ISBN: 978-1-893939-90-5

Distributed worldwide for Chappell University through Protocol Analysis Institute, Inc.

For general information on Chappell University or Protocol Analysis Institute, Inc., including information on corporate licenses, updates,
future titles or courses, contact the Protocol Analysis Institute, Inc. at 408/378 7841 or send email to info@chappellU.com.

For authorization to photocopy items for corporate, personal or educational use, contact Protocol Analysis Institute, Inc. at email to
info@chappellU.com.

Trademarks. All brand names and product names used in this book or mentioned in this book are trade names, service marks,
trademarks, or registered trademarks of their respective owners. Protocol Analysis Institute, Inc. is the exclusive developer for Chappell
University.

Limit of Liability/Disclaimer of Warranty. The author and publisher have used their best efforts in preparing this book and the related
materials used in this book. Protocol Analysis Institute, Inc., Chappell University and the author(s) make no representations or warranties
of merchantability or fitness for a particular purpose. Protocol Analysis Institute, Inc. and Chappell University assume no liability for any
damages caused by following instructions or using the techniques or tools listed in this book or related materials used in this book.
Protocol Analysis Institute, Inc., Chappell University and the author(s) make no representations or warranties that extend beyond the
descriptions contained in this paragraph. No warranty may be created or extended by sales representatives or written sales materials.
The accuracy or completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to
produce any particular result and the advice and strategies contained herein may not be suitable for every individual. Protocol Analysis
Institute, Inc., Chappell University and author(s) shall not be liable for any loss of profit or any other commercial damages, including
without limitation special, incidental, consequential, or other damages.

Always ensure you have proper authorization before you listen to and capture network traffic.

Copy Protection. In all cases, reselling or duplication of this book and related materials used in this book without explicit written
authorization is expressly forbidden. We will find you, ya know. So don't steal it, plagiarize or upload this book to the Internet.

Protocol Analysis Institute, Inc.


5339 Prospect Road, # 343
San Jose, CA 95129 USA
www.wiresharkbook.com

Also refer to Chappell University at the same address


info@chappellU.com
www.chappellU.com

Cover: Fractal image, Waves Envisioned during Late Nights at Work, by Scott Spicer - Created with Apophysis 2.09
Table of Contents
About This eBook
How Should You Use this eBook?
What's Online at www.wiresharkbook.com?
Which Version of the Exam Does This Book Match?
Wireshark Certified Network Analyst Exam Objectives
Wireshark Certified Network Analyst Program Overview
Why Should I Pursue the Wireshark Certified Network Analyst Certification?
How Do I Earn the Wireshark Certified Network Analyst Status?
Wireshark University and Wireshark University Training Partners
Schedule Customized Onsite/Web-Based Training
Part 1: Practice Question Set 1-100
Part 1 Answer Key
Part 1 Answer Explanations
Part 2: Practice Question Set 101-206
Part 2 Answer Key
Part 2 Answer Explanations
Part 3: Practice Question Set 207-304
Part 3 Answer Key
Part 3 Answer Explanations
About This eBook
This book is intended to provide practice quiz questions based on the thirty-three areas of study
defined for the Wireshark Certified Network Analyst Exam. This Official Exam Prep Guide offers a
companion to Wireshark Network Analysis: The Official Wireshark Certified Network Analyst
Study Guide Second Edition.
ISBN10: 1-893939-94-4
ISBN13: 978-1-893939-94-3
Paperback: 986 pages
Website: www.wiresharkbook.com
Wireshark Certified Network Analyst Official Exam Prep Guide - Second Edition provides you
with over 300 practice questions to prepare you for the Wireshark Certified Network Analyst Exam.
Print the Answer Sheets located at www.wiresharkbook.com/epg. There is one Answer Sheet for
each of the three parts of this book.
The Answer Sheets enable you to take the tests in the book multiple times without marking up the
book and seeing previous answer selections. Answer Sheets are formatted to match the Answer Keys
for fast grading.
How Should You Use this eBook?
This book is separated into three parts. The following provides a recommendation of how to use this
book to effectively prepare for the Wireshark Certified Network Analyst Exam.

Key Area: The icon marks key topics to study in preparation for the Exam.
Step 1: Review the Study Guide
Each chapter in the Study Guide and each part of this Official Exam Prep Guide lists the
objectives covered in the Wireshark Certified Network Analyst Exam, Second Edition. Ensure
you have the knowledge and skills to master the objectives listed.

Step 2: Print Out the Answer Sheets


As an alternative to writing your answers directly in this book, you can download Answer
Sheets from www.wiresharkbook.com/epg. This saves you from the headache of flipping pages
from the questions to the Answer Key. The Answer Sheets are formatted to match the Answer
Key for each part of the book enabling faster self-grading.

Step 3: Answer the Book Practice Questions in Three Parts


The book is divided into three separate sections of approximately 100 questions each. Part 1
covers Sections 1-11 of the Wireshark Certified Network Analyst Exam while Parts 2 and 3
cover Sections 12-22 and Sections 23-33, respectively. We recommend that you answer Part 1
questions first and grade those answers before moving on to Part 2 and Part 3. Part 1 covers
more of the basic concepts and skills of analysis and basic Wireshark functionality.

Step 4: Grade Your Answers


Each chapter ends with an Answer Key and Answer Explanation section. Use the Answer Key to
quickly grade your answers. Refer to the Answer Explanation for details on the correct/incorrect
answers posed by each question. The Answer Explanation defines the Study Guide chapters that
cover the question topic.
What's Online at www.wiresharkbook.com?
There are numerous references and resources related to this book and Wireshark Network Analysis:
The Official Wireshark Certified Network Analyst Study Guide, Second Edition, available at
www.wiresharkbook.com. These resources include:
Numerous trace files (.pcap/.pcapng files)
Chanalyzer recordings (.wsx files)
MaxMind GeoIP database files (.dat files)
PhoneFactor SSL/TLS vulnerabilities documents and trace files
Wireshark configurations
Practice Exam Blank Answer Sheets
Which Version of the Exam Does This Book Match?
This book and the practice questions and quizzes herein match the Wireshark Certified Network
Analyst Exam version 102.x.
Wireshark Certified Network Analyst Exam Objectives
Each part in this book provides a list of exam objectives for the Wireshark Certified Network Analyst
program. For additional information regarding exam preparation, visit
www.wiresharktraining.com/certification.
Wireshark Certified Network Analyst Program Overview
The Wireshark Certified Network Analyst Exam is a globally-available, proctored exam to meet the
secure and widely available delivery requirements desired by candidates.
Visit www.wiresharktraining.com/certification for additional information on the Wireshark Certified
Network Analyst program. Questions regarding your Wireshark Certified Network Analyst status may
be directed to info@wiresharktraining.com.
Why Should I Pursue the Wireshark Certified Network Analyst Certification?
Successful completion of the Wireshark Certified Network Analyst Exam indicates you have the
knowledge required to capture network traffic, analyze the results and identify various anomalies
related to performance or security issues.
How Do I Earn the Wireshark Certified Network Analyst Status?
To earn the Wireshark Certified Network Analyst status, you must pass a single exam: the WCNA-102.x exam.
Register for the proctored Wireshark Certified Network Analyst Exam online at
www.webassessor.com/pai. (PAI represents the Protocol Analysis Institute, the parent company of
Wireshark University and Chappell University). For more information on the Exam registration
process, visit www.wiresharktraining.com/certification.
Upon completion of the Wireshark Certified Network Analyst Exam, an individual will receive a
pass/fail score. Candidates who successfully pass the Wireshark Certified Network Analyst Exam
will receive their Wireshark Certified Network Analyst Confirmation package that contains the
candidate's certificate and details on maintaining Wireshark Certified Network Analyst status. For
more information on the Wireshark Certified Network Analyst program, visit
www.wiresharktraining.com/certification.
Questions regarding your Wireshark Certified Network Analyst status may be directed to
info@wiresharktraining.com.
Wireshark University and Wireshark University Training Partners
Wireshark University was launched in March 2007.
The goal of Wireshark University is to provide education on how to analyze, troubleshoot, secure and
optimize network communications using Wireshark, the world's most popular network analyzer
(www.wireshark.org).
Wireshark University is responsible for creating and maintaining the Wireshark Certified Network
Analyst Exam, the Wireshark Certified Network Analyst Members Program, Wireshark University
Certified Training Partner Program, Wireshark University Certified Instructor Program, and the
Wireshark University Certified Training Materials.

Currently, Wireshark University courses are offered throughout the world in instructor-led, self-paced
and online formats through Chappell University (www.chappellU.com) and various Wireshark
University Certified Training Partners.
For more information on Wireshark University, visit www.wiresharktraining.com or send email to
info@wiresharktraining.com.
Schedule Customized Onsite/Web-Based Training
If you are interested in training a team in a fast, effective, hands-on course environment, contact us
directly. Customized courses can be developed and delivered by Laura Chappell. Customized
courses can be based on your network traffic or previously captured traffic from numerous global
networks. Course lengths can run from 2 days to 10 days and even include a web-based delivery
option to meet the training needs of geographically dispersed students.
Contact us at info@chappellU.com or visit www.chappellU.com for more information on scheduling
customized training for your organization.
Part 1: Practice Question Set 1-100
This practice question set covers sections 1-11 of the Wireshark Certified Network Analyst Exam
topic list.
Section 1: Network Analysis Overview
Section 2: Introduction to Wireshark
Section 3: Capture Traffic
Section 4: Create and Apply Capture Filters
Section 5: Define Global and Personal Preferences
Section 6: Colorize Traffic
Section 7: Define Time Values and Interpret Summaries
Section 8: Interpret Basic Trace File Statistics
Section 9: Create and Apply Display Filters
Section 10: Follow Streams and Reassemble Data
Section 11: Customize Wireshark Profiles
Key Area: The icon marks key topics to study in preparation for the Exam.
Section 1: Network Analysis Overview
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of Network Analysis
List Troubleshooting Tasks for the Network Analyst
List Security Tasks for the Network Analyst
List Optimization Tasks for the Network Analyst
List Application Analysis Tasks for the Network Analyst
Define Legal Issues of Listening to Network Traffic
Overcome the "Needle in the Haystack" Issue
Understand General Network Traffic Flows
Review a Checklist of Analysis Tasks
Section 2: Introduction to Wireshark
Wireshark Certified Network Analyst Exam Objectives:
Describe Wireshark's Purpose
Know How to Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Describe How Wireshark Processes Packets
Define the Elements of the Start Page
Identify the Nine GUI Elements
Navigate Wireshark's Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Access Options through Right-Click Functionality
Define the Functions of the Menus and Toolbars
Section 3: Capture Traffic
Wireshark Certified Network Analyst Exam Objectives:
Know Where to Tap Into the Network
Know When to Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full-Duplex Networks
Define When to Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Define Options for Capturing at Two Locations Simultaneously (Dual Captures)
Identify the Most Appropriate Capture Interface
Capture on Multiple Adapters Simultaneously
Capture Traffic Remotely
Automatically Save Packets to One or More Files
Optimize Wireshark to Avoid Dropping Packets
Conserve Memory with Command-Line Capture
Section 4: Create and Apply Capture Filters
Wireshark Certified Network Analyst Exam Objectives:
Describe the Purpose of Capture Filters
Build and Apply a Capture Filter to an Interface
Filter by a Protocol
Create MAC/IP Address or Host Name Capture Filters
Capture One Application's Traffic Only
Use Operators to Combine Capture Filters
Create Capture Filters to Look for Byte Values
Manually Edit the Capture Filters File
Share Capture Filters with Others
Section 5: Define Global and Personal Preferences
Wireshark Certified Network Analyst Exam Objectives:
Find Your Configuration Folders
Set Global and Personal Configurations
Customize Your User Interface Settings
Define Your Capture Preferences
Define How Wireshark Automatically Resolves IP and MAC Names
Plot IP Addresses on a World Map with GeoIP
Resolve Port Numbers (Transport Name Resolution)
Resolve SNMP Information
Configure Filter Expressions [NEW]
Configure Statistics Settings
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
Configure Protocol Settings with Right-Click
Section 6: Colorize Traffic
Wireshark Certified Network Analyst Exam Objectives:
Use Colors to Differentiate Traffic
Disable One or More Coloring Rules
Share and Manage Coloring Rules
Identify Why a Packet is a Certain Color
Create a Butt Ugly Coloring Rule for HTTP Errors
Color Conversations to Distinguish Them
Temporarily Mark Packets of Interest
Section 7: Define Time Values and Interpret Summaries
Wireshark Certified Network Analyst Exam Objectives:
Use Time to Identify Network Problems
Understand How Wireshark Measures Packet Time
Choose the Ideal Time Display Format
Identify Delays with Time Values
Create Additional Time Columns
Measure Packet Arrival Times with a Time Reference
Identify Client, Server and Path Delays
Calculate End-to-End Path Delays
Locate Slow Server Responses
Spot Overloaded Clients
View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred
Section 8: Interpret Basic Trace File Statistics
Wireshark Certified Network Analyst Exam Objectives:
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map Them on the Earth
Spot Suspicious Targets with GeoIP
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IPv4/IPv6 Addresses in the Traffic
List All Destinations in the Traffic
List UDP and TCP Usage
Analyze UDP Multicast Streams
Graph the Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics
Section 9: Create and Apply Display Filters
Wireshark Certified Network Analyst Exam Objectives:
Understand the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use Expressions for Filter Assistance
Make Display Filters Quickly Using Right-Click Filtering
Filter on Conversations and Endpoints
Understand Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on the Existence of a Field
Filter on Specific Bytes in a Packet
Find Key Words in Upper or Lower Case
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File
Section 10: Follow Streams and Reassemble Data
Wireshark Certified Network Analyst Exam Objectives:
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Follow and Reassemble SSL Conversations
Identify Common File Types
Section 11: Customize Wireshark Profiles
Wireshark Certified Network Analyst Exam Objectives:
Customize Wireshark with Profiles
Create a New Profile
Share Profiles
Create a Troubleshooting Profile
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile
Q-1. Which format is used by capture filters?
A. editcap format
B. libpcap format
C. color filter format
D. Berkeley Packet Filtering (BPF) format

Jump to the answer


Go to the next question*

*This is a good choice if you are using the Answer Sheet available from
www.wiresharkbook.com/epg.
Q-2. You can use Wireshark's Expressions to build display filters.
True
False

Q-3. Which packet type may be transmitted by Wireshark when you enable network name
resolution?
A. DHCP requests
B. UDP multicasts
C. ping broadcasts
D. inverse DNS queries

Q-4. The location of Wireshark personal preference files is listed under Help | About Wireshark
| Folders.
True
False

Q-5. You can edit Wireshark's services file to change Wireshark's OUI display value from one
manufacturer name to another.
True
False

Q-6. Which statement about the settings shown in the Preferences window above is correct?
A. No interface is available.
B. The Protocol Hierarchy window will launch when the capture is started.
C. Wireshark will use inverse name queries to resolve local host addresses to IP addresses.
D. Wireshark will only capture traffic to the local adapter, broadcast or multicast addresses.

Q-7. The cfilters file can be shared with other Wireshark users by copying the file into another
host's personal preferences folder.
True
False

Q-8. Which feature is only available with promiscuous mode operation?
A. enables an interface to capture gratuitous ARP request packets
B. enables a WLAN adapter to capture packets regardless of the SSID value
C. enables an interface to capture packets that are sent to any MAC address
D. enables an interface to capture packets addressed to broadcast and multicast addresses

Q-9. AirPcap adapters can be used to expand Wireshark's ability to capture wireless network
traffic in a Microsoft Windows environment.
True
False

Q-10. Which statement about the Preferences setting shown above is correct?
A. Wireshark may generate DNS PTR queries to resolve host names.
B. Wireshark may generate port queries to ietf.org to resolve transport names.
C. Wireshark may generate OUI queries to ieee.org to resolve MAC addresses.
D. Wireshark may generate mDNS queries to resolve 500 host names simultaneously.

Q-11. Wireshark's Status Bar indicates the number of packets shown after a display filter is
applied.
True
False

Q-12. Custom columns can be added to and rearranged in the Packet List pane.
True
False

Q-13. Wireshark contains several pre-defined columns that can be quickly added to the Packet
List pane by right-clicking on a field in the Packet Details pane.
True
False

Q-14. Columns can be right, center or left aligned by right clicking on their heading in the
Packet List pane.
True
False

Q-15. Wireshark's pcap-ng format enables meta data to be saved with a trace file.
True
False

Q-16. What is the purpose of creating Wireshark profiles?
A. dynamically create a hosts file based on saved trace files
B. create a manageable database of packets for use in third-party programs
C. discover and test WEP/WPA keys and pass phrases for traffic decryption
D. customize Wireshark for more efficient analysis in specific environments

Q-17. What is the default name of the capture filter file?
A. cfilters
B. cformat
C. capture.txt
D. capturefilters.txt

Q-18. Which statement about the TCP stream shown above is correct?
A. The HTTP client will load the page from cache.
B. The HTTP server refused the client's TCP connection attempt.
C. The HTTP server redirected the client's request to another server.
D. The HTTP client sent an HTTP GET request for the default page.

Q-19. The MAC name resolution process resolves the first 3 bytes of the MAC address to the
OUI value contained in Wireshark's manuf file.
True
False

Q-20. Aggregating taps capture bi-directional full-duplex traffic and forward the traffic to
separate outbound ports.
True
False

Q-21. Wireshark's services file contains a list of port numbers and application/protocol names.
True
False

Q-22. Which link layer interface is used to capture wired network traffic when Wireshark is
running on a Linux host?
A. libpcap
B. WinPcap
C. AirPcap
D. dumpcap

Q-23. Wireshark can playback encrypted VoIP conversations.
True
False

Q-24. Which display filter shows all the TCP Expert Infos warnings and notes?
A. expert.all
B. tcp.errors
C. tcp.analysis.flags
D. expert.info.composite

Q-25. Any display filters created and saved while viewing the trace file shown above will be
saved in the "Default" profile directory.
True
False

Q-26. Wireshark's network name resolution process references Wireshark's hosts file before
generating inverse DNS queries to resolve IP addresses to host names.
True
False

Q-27. Which statement about the Capture Options window shown above is correct?
A. Wireshark will resolve IP addresses to host names.
B. Wireshark will scroll to display the most recent packet captured.
C. Wireshark will attempt to resolve OUI values for all MAC addresses.
D. Wireshark will automatically stop capturing packets after two files have been saved.

Q-28. Display filters applied to a trace file before opening the Protocol Hierarchy Statistics
window are automatically applied to the Protocol Hierarchy results displayed.
True
False

Q-29. Which statement about the highlighted capture filter shown above is correct?
A. This filter is illogical.
B. DNS PTR queries will not be captured.
C. Only UDP packets will be captured using this filter.
D. ARP packets to or from the DNS server will not be captured.

Q-30. Which statement about the Coloring Rules configuration shown above is correct?[1]
A. All the coloring rules listed are based on capture filters.
B. The Clear button will restore the coloring rules to the default set.
C. HTTP packets with the reset bit set on will be colored based on the HTTP coloring rule.
D. UDP packets containing checksum errors will be displayed based on the UDP coloring rule.

Q-31. Port numbers set in the HTTP Preferences window for HTTP or HTTPS traffic are
temporary settings.
True
False

Q-32. Display filters and capture filters can be interchanged because they use the same syntax.
True
False

Q-33. By default, Wireshark uses the Type of Service interpretation in the IP header instead of
the DiffServ (Differentiated Services) interpretation.
True
False

Q-34. The Frame section of a packet always indicates which coloring rule has been applied to
the packet.
True
False

Q-35. Which display filter is used to view all DHCPv4 traffic?
A. bootp
B. dhcpv4
C. tcp.port==68
D. ip.addr==[address_of_dhcp_server]

Q-36. Which filter can be used as a coloring rule?
A. ip.ttl < 20
B. udp port 161
C. portrange 21-25
D. tcp port 25

Q-37. Conversations colored using the right-click coloring method will remain colored when the
trace file is opened on another Wireshark system.
True
False

Q-38. Which statement about marked packets is true?
A. Marked packets are only temporarily marked.
B. Marked packets can be used to generate display filters.
C. Marked packets can be created using coloring rule settings.
D. Marked packets are automatically saved in a temporary file.

Q-39. Display filter macros can be shared by copying the dfilters file from one Wireshark
system to another.
True
False

Q-40. Wireshark's Epoch time display format is based on the time since January 1 00:00:00 of
2000.
True
False

Q-41. Which traffic type may be seen when you connect Wireshark directly to a switch without
configuring port spanning or port mirroring?
A. broadcast traffic
B. noise and interference
C. DNS queries from all hosts
D. frames that contain CRC errors

Q-42. Wireshark's HTTP packet counter lists the HTTP request types such as EHLO and
RETR.
True
False

Q-43. Changing the Filter display max. list entries value in Wireshark's Preferences window
enables you to alter the number of recently created display filters that Wireshark shows in the
drop-down list.
True
False

Q-44. A trace file that is captured on a Wireshark system in Sydney, Australia and emailed to a
Wireshark system in London, England will appear with the same Date/Time of Day value to
both analysts if both Wireshark systems have correct local time zone settings.
True
False

Q-45. How do you quickly spot large gaps in time between packets in a trace file containing
10,000 packets?
A. Open and examine the Notes section of Wireshark's Expert Infos window.
B. Set the Time column to Seconds Since Epoch and scroll through the trace file.
C. Set the Time column to Seconds Since Previously Displayed Packet and sort the Time
column.
D. Sort the packets based on the Time Since Reference or First Frame in the frame details
section.

Q-46. You can sort the Time column to identify packets that have a large delay between them
when you have set the Time column to Seconds Since Epoch.
True
False

Q-47. Wireshark supports both capture filter macros and display filter macros.
True
False

Q-48. Which statement about the highlighted capture filter shown above is correct?
A. The filter will only capture local broadcast traffic.
B. The filter is using Wireshark's display filter syntax.
C. The filter will capture all traffic to and from D4:85:64:A7:BF:A3.
D. The filter is based on the Berkeley Packet Filter (BPF) format.

Q-49. Based on the image shown above, Wireshark's time display format is set to Seconds Since
Beginning of Capture.
True
False

Q-50. The Protocol Hierarchies window lists all the protocols and applications dissected by
Wireshark even if those protocols or applications were not seen in a trace file.
True
False

Q-51. In the trace file shown above, Wireshark's time display format is set to Seconds Since
Beginning of Capture. Which statement about this trace file is correct?
A. The Time column has been sorted.
B. Packet 5 arrived 0.034876 seconds before Packet 6.
C. The timestamps of Packet 1 through Packet 5 are invalid.
D. Packet 11 arrived 0.053866 seconds later than Packet 6.

Q-52. Time Reference packets are permanently set to a timestamp of 00:00:00 in a trace file.
True
False

Q-53. The first two packets of a single TCP handshake process can be used to determine the
long term average round trip latency time between hosts.
True
False

Q-54. The Conversations window shown above includes 239.255.255.250 as an endpoint.
True
False

Q-55. Packet timestamps are saved inside pcap and pcap-ng files so the packet timestamps can
be displayed when the file is opened again.
True
False

Q-56. Multicasts and broadcasts are not listed in the Endpoints window because they cannot be
assigned to a host.
True
False

Q-57. If you want to view decrypted SSL/TLS traffic, a valid RSA key setting is required prior
to using Follow SSL Stream.
True
False

Q-58. Your traffic contains many TCP retransmissions during an HTTP communication. Which
of the coloring rules shown above would these packets match?
A. HTTP
B. Bad TCP
C. TCP RST
D. WLAN Retries

Q-59. What is the most efficient method for saving non-contiguous packets in a trace file?
A. Mark the packets and choose to save the marked packets.
B. Apply a capture filter for each packet and save all colored packets.
C. Open each packet in a new window and save them under the same file name.
D. Right click and copy the packets individually to a new instance of Wireshark.

Q-60. Which address type can be mapped with Wireshark's GeoIP mapping services?
A. public IP addresses
B. MAC and IP addresses
C. broadcast and multicast addresses
D. private IP addresses

Q-61. Which of these filters can be used as either a capture filter or a display filter?
A. dns
B. udp
C. dhcp
D. broadcast

Q-62. Wireshark's default set of display filters are saved in a file called dfilters in the global
configuration directory.
True
False

Q-63. Which capture filter would capture traffic to and from TCP ports 20 through 25?
A. tcp port 20-25
B. tcp portrange 20-25
C. tcp.port > 19 && tcp.port < 26
D. tcp port gt 19 and tcp port lt 26

Q-64. The Conversations window shown above indicates that there are two unique IP endpoints
running over three Ethernet addresses.
True
False

Q-65. UDP, TCP and ARP packets are counted in the IP Protocol Types statistic.
True
False

Q-66. The Protocol Hierarchy Statistics window shown above indicates that 10.53% of the IP
traffic is ARP.
True
False

Q-67. Which traffic characteristic is commonly seen when analyzing database record transfers?
A. multicast responses
B. small packet sizes
C. large delays between transmissions
D. separate connections for each record

Q-68. ICMP Type 3/Code 4 packets (Destination Unreachable/Fragmentation Needed, but
Don't Fragment Bit was Set) may indicate that a router along a path cannot forward a packet.
True
False

Q-69. Which communication can be used by a host to dynamically join a multicast group?
A. Multicast DNS (mDNS)
B. Open Shortest Path First (OSPF)
C. Protocol Independent Multicast (PIM)
D. Internet Group Management Protocol (IGMP)

Q-70. When you select Prepare a filter, the filter is immediately applied to the traffic.
True
False

Q-71. When you disable the TCP protocol decoding process, applications that use TCP (such as
HTTP and FTP) will not be decoded.
True
False

Q-72. What does Wireshark's UDP Multicast Streams burst measurement interval depict?
A. total time length of a burst set of multicasts
B. timing between separate multicast burst sets
C. number of multicast packets within a specific number of milliseconds
D. number of different multicasts groups seen within a specific number of milliseconds

Q-73. How can you quickly identify all WLAN BSSIDs seen in a trace file?
A. Open Statistics | WLAN Traffic
B. Sort on the MAC header type field value
C. Open Statistics | Summary
D. Apply a wlan display filter

Q-74. Wireshark's display filter syntax can be used for capture filters as well.
True
False

Q-75. The filter shown above will display all ARP packets as well as all TCP packets seen by
Wireshark.
True
False

Q-76. Display filters can be created based on the contents of fields that do not actually exist in a
packet such as the Time Since Referenced or First Packet field.
True
False

Q-77. The following capture filter will capture all FTP traffic on port 21 regardless of the
destination or source host.
host www.wiresharkbook.com and port 21
True
False

Q-78. The Time Reference setting is saved permanently with the trace file.
True
False

Q-79. Which Wireshark feature provides an overview of saved or unsaved packets such as the
time elapsed from the start to the end of the trace and total bytes in the trace file?
A. IO Graphs
B. Flow Graphs
C. Summary Statistics
D. Expert Info Composite

Q-80. Network analyzers may cause security concerns because they can be used maliciously to
listen in on unencrypted network traffic.
True
False

Q-81. Which Wireshark element can be created using the display filter syntax?
A. ACL rules
B. capture filters
C. coloring rules
D. reference packets

Q-82. Comparison and logical operators enable you to combine multiple display filters to further
define the traffic of interest.
True
False

Q-83. Which statement about the following display filter is true?
eth.src[4:2] == 06:33
A. The number 2 indicates that Wireshark is looking for a two byte value.
B. The number 4 indicates that Wireshark is looking at the first four bytes of the Ethernet
header.
C. The value 06:33 indicates that Wireshark is looking for Ethernet source addresses starting
with 06:33.
D. The value 06:33 indicates that Wireshark is looking six bytes into the Ethernet header for
the value 33.

Q-84. Display filters cannot be applied during the capture process.
True
False

Q-85. The ip.addr != 192.168.0.2 display filter shows all packets except ones that
contain the address 192.168.0.2 in the source or destination IP address fields.
True
False

Q-86. You can reorder the filters contained in the dfilters file by manually editing the dfilters
text file.
True
False

Q-87. Coloring Rules are temporary settings maintained in the cfilters file.
True
False

Q-88. Only one TCP conversation in the trace file shown above can use the TCP Stream Index
value of 0.
True
False

Q-89. Which statement about following TCP streams is correct?
A. This feature uses the TCP Stream Index value.
B. An endpoint filter is created when you follow any stream.
C. You must filter on a TCP conversation before following the stream.
D. You must capture the TCP handshake process to follow a TCP stream.

Q-90. File identifiers indicate the application used to create or open a file.
True
False

Q-91. All WLAN adapters supported by WinPcap can go into monitor mode.
True
False

Q-92. How do you determine which Profile is in use while you are capturing traffic?
A. Examine the Wireshark Title Bar.
B. Open and examine Preferences | Interface.
C. Examine the Profile column in the Status Bar.
D. Expand and examine the Frame information.

Q-93. When using the or operator in an inclusion capture filter, a packet that matches one or
more sides of the operator will pass through the filter and be captured.
True
False

Q-94. Which of the following methods can be used to avoid the "needle in a haystack issue"
when analyzing network traffic?
A. span all ports of a core switch
B. use Tshark to capture to file sets
C. place the analyzer appropriately
D. only capture traffic on wired networks

Q-95. Which item can be saved with a Wireshark profile?
A. services file
B. editcap scripts
C. preference settings
D. most recent IO Graph settings

Q-96. Which statement about the Coloring Rules configuration shown above is correct?
A. The HTTP coloring rule will identify HTTP and SSL/TLS traffic.
B. The UDP coloring rule will be applied to all normal DHCP traffic.
C. TCP packets with incorrect checksums will be colorized based on the Checksum Errors
coloring rule.
D. The TCP SYN/FIN coloring rule will identify packets that have both the SYN and FIN bits
set to 0 in a packet.

Q-97. Which statement about capture filters is correct?
A. Capture filters are used for coloring rules.
B. Wireshark includes a default set of capture filters.
C. Capture filters can be applied after the capture process begins.
D. Capture filters can be applied while you are opening a trace file.

Q-98. In the trace file shown above, the time display setting is defined as Seconds Since
Previously Displayed Packet. Packet 11 arrived .020238 seconds after packet 9.
True
False

Q-99. By default, Wireshark maintains your existing personal settings during the installation
process, but overrides the global settings such as the default manuf file.
True
False

Q-100. Disabling promiscuous mode limits your ability to capture local multicast traffic.
True
False
That's the end of Part 1.
Jump to the answer or go to the next page to view the Part 1 Answer Key. Download the Answer
Sheet from www.wiresharkbook.com/epg to fill out your answers on paper and grade with the
matching Answer Key.
Part 1 Answer Key
A-1: D
A-2: True
A-3: D
A-4: True
A-5: False
A-6: D
A-7: True
A-8: C
A-9: True
A-10: A
A-11: True
A-12: True
A-13: True
A-14: True
A-15: False
A-16: D
A-17: A
A-18: D
A-19: True
A-20: False
A-21: True
A-22: A
A-23: False
A-24: C
A-25: False
A-26: True
A-27: B
A-28: True
A-29: A
A-30: B
A-31: False
A-32: False
A-33: False
A-34: True
A-35: A
A-36: A
A-37: False
A-38: A
A-39: False
A-40: False
A-41: A
A-42: False
A-43: True
A-44: False
A-45: C
A-46: False
A-47: False
A-48: D
A-49: False
A-50: False
A-51: D
A-52: False
A-53: False
A-54: True
A-55: True
A-56: False
A-57: True
A-58: B
A-59: A
A-60: A
A-61: B
A-62: True
A-63: B
A-64: False
A-65: False
A-66: False
A-67: B
A-68: True
A-69: D
A-70: False
A-71: True
A-72: C
A-73: A
A-74: False
A-75: True
A-76: True
A-77: False
A-78: False
A-79: C
A-80: True
A-81: C
A-82: True
A-83: A
A-84: False
A-85: False
A-86: True
A-87: False
A-88: True
A-89: A
A-90: True
A-91: False
A-92: C
A-93: True
A-94: C
A-95: C
A-96: B
A-97: B
A-98: True
A-99: True
A-100: False
Part 1 Answer Explanations
The chapter line at the end of each explanation indicates the related chapter in Wireshark Network
Analysis: The Official Wireshark Certified Network Analyst Study Guide (Second Edition).
A-1 Details: D
Capture filters use the Berkeley Packet Filter (BPF) format (also referred to as the tcpdump
format). Because capture filters use this format and display filters use Wireshark's own filtering
format, the two are not interchangeable. Some capture filters, such as ip, udp and tcp, just happen to
use the same syntax as display filters, so people sometimes mistakenly believe the two formats are the
same. Editcap is a command-line tool and libpcap is a link-layer capture interface; neither is involved
in creating or applying any type of filter. Color filters use the display filter format.

Chapter 4: Create and Apply Capture Filters


Return to Q-1
Continue to Question Q-2
A-2 Details: True
You can use Wireshark's Expressions to build display filters. Expressions are available from the
button to the right of the display filter area and offer a great way to create display filters when you
don't know the syntax for a particular filter. For example, if you wanted to create a filter for Mobile
IP traffic, you could open the Expressions window and scroll down to Mobile IP. You can then
examine the field names and options listed for Mobile IP and apply operators. If you choose
"is present", Wireshark will simply create a display filter that looks for that protocol or application
without detailed field filtering.

Chapter 9: Create and Apply Display Filters


A-3 Details: D
Inverse DNS queries (also referred to as reverse DNS queries) may be transmitted by Wireshark
when you enable network name resolution. These queries are also referred to as Pointer (PTR)
queries and are used to obtain the host name for an IP address. Whereas the most common use of DNS
is to obtain an IP address for a host name, an inverse DNS query does the opposite. Wireshark uses
your local DNS server setting during the inverse DNS query process. This feature in Wireshark can
cause performance problems when the DNS server is slow to respond or is not on the local network.
This question states that Wireshark may transmit packets because the name may instead be found in
the hosts file in your Wireshark global configuration or personal configuration directory. Wireshark
does not generate DHCP requests, UDP multicasts or ping broadcasts to resolve network names.

Chapter 5: Define Global and Personal Preferences


A-4 Details: True
The location of Wireshark's personal preference files is listed under Help | About Wireshark |
Folders. The Folders listing also contains links that open the directories listed. Although we are
accustomed to avoiding the Help button (as it is typically not very helpful), Wireshark's Help lets us
quickly access the program file and configuration file folders. When you want to share configuration
files, such as color filters or hosts files, you can quickly locate and open the appropriate folder.

Chapter 5: Define Global and Personal Preferences


A-5 Details: False
You can edit the services file, but this is not the file that contains Wireshark's OUI list used when you
perform MAC address resolution. The manuf file (located in the Wireshark program file directory)
contains a list of OUI values (the first three bytes of a hardware address) and the manufacturers'
names. If you want to change Wireshark's OUI display value from one manufacturer name to another,
you will need to edit the manuf file. The services file contains a list of port numbers and
application/protocol names.

Chapter 2: Introduction to Wireshark


A-6 Details: D
Wireshark will only capture traffic to the local adapter, broadcast or multicast addresses because the
Capture Packets in Promiscuous Mode setting is disabled. You need to have this enabled in order
to capture traffic destined to other MAC addresses on the network. There is an interface available, as
shown in the image. The Protocol Hierarchy window will not launch when the capture is started; this
is not an option in the Capture preferences window. Based on the capture preferences shown, we
cannot tell if Wireshark will use inverse name queries to resolve IP addresses to host names; that
option is in the Name Resolution preferences area.

Chapter 3: Capture Traffic


A-7 Details: True
The cfilters file can be shared with other Wireshark users by simply copying the file into another
host's personal preferences folder. If you are sharing an entire profile that contains special capture
filters, simply copy the entire profiles directory to the other Wireshark system. (If you want the
details on how Wireshark creates files when you build profiles, see Chapter 11 of Wireshark
Network Analysis-Second Edition.) The cfilters file is just a simple text file and has no link to the
local system configuration so it can be moved about freely.

Chapter 3: Capture Traffic


A-8 Details: C
Promiscuous mode operation enables an interface to capture packets that are sent to any MAC
address. If promiscuous mode is disabled, you will only capture traffic that would normally be
picked up by the adapter and processed. This includes broadcast packets, multicast packets and
packets to your own MAC address. To be an effective analyst, you will want to keep this setting
enabled. If, however, you simply want to quickly capture all traffic to/from your own system without
setting up a capture filter, you can use this setting. Promiscuous mode does not enable a WLAN
adapter to capture packets regardless of the SSID value; that is monitor mode. Promiscuous mode
does not simply enable an interface to capture gratuitous ARP request and response packets; it does
much more. Promiscuous mode does not enable an interface to capture packets addressed to
broadcast and multicast addresses; you already have that capability without promiscuous mode
enabled.

Chapter 3: Capture Traffic


A-9 Details: True
AirPcap adapters can be used to expand Wireshark's ability to capture wireless network traffic in a
Windows environment. AirPcap adapters were created by CACE Technologies (which was
purchased by Riverbed). The AirPcap adapters can go into monitor mode (not join any SSID in order
to capture traffic on all WLANs seen) and the adapters will pass up the 802.11 management, control
and data frames. In addition, AirPcap adapters can place a Radiotap or PPI header in front of the
802.11 header. These additional headers provide channel and signal information at the moment the
packet was captured. You may be able to capture WLAN traffic using your native adapter, but there is
a good chance that your 802.11 header will be replaced with an Ethernet II header. The adapter strips
the 802.11 header off the packet and Wireshark puts in a fake Ethernet II header so you have some
addressing information to work with. Multiple AirPcaps can be connected to a Windows host
allowing capture on multiple channels simultaneously (with the use of the AirPcap aggregating
driver).

Chapter 3: Capture Traffic


A-10 Details: A
Wireshark may generate DNS PTR queries to resolve host names because the Enable network name
resolution preference is enabled. The DNS PTR queries are used to resolve a host name for a
provided IP address. In addition, Wireshark sends the queries concurrently, making the process
faster. Keep in mind, however, that a slow DNS server may negatively affect your performance.
Wireshark does not generate port queries to any place to resolve transport names; it uses the
Wireshark services file for that. Wireshark does not generate OUI queries to any place to resolve
MAC addresses; it references the manuf file for that. Wireshark does not use multicast DNS to
resolve 500 host names simultaneously; each DNS PTR query is sent to the local host's DNS
server's IP address.

Chapter 5: Define Global and Personal Preferences


A-11 Details: True
Wireshark's Status Bar indicates the number of packets shown after a display filter is applied. The
Status Bar also indicates the location and size of the temporary file being created during a live
capture process, the number of dropped packets, the load time (when opening saved trace files) and
the profile that is currently in use.

Chapter 2: Introduction to Wireshark


A-12 Details: True
There are two ways to create and rearrange custom columns: through Preferences | Columns, and
by right-clicking on a field in the Packet Detail pane and choosing Add As Column.

Chapter 5: Define Global and Personal Preferences


A-13 Details: True
Wireshark contains several pre-defined columns that can be added easily to the Packet List pane
using the Preferences | Columns setting. Many pre-defined columns are available from a
drop-down list. This is the old way of adding columns; sometimes, however, you have to use this
method if you don't have a packet that contains the field you want to add as a column.

Chapter 5: Define Global and Personal Preferences


A-14 Details: True
Columns can be right, left or center aligned by right clicking on their heading in the Packet List pane.
You can also rename columns and alter column preferences by right clicking on a column heading.

Chapter 2: Introduction to Wireshark


A-15 Details: True
Pcap-ng format is the default trace file format as of Wireshark 1.8 as long as Capture packets in
pcap-ng format is enabled. Pcap-ng format offers extended timestamp information, capture statistics,
name resolution information and more. For more details on pcap-ng, visit
wiki.wireshark.org/Development/PcapNg.

Chapter 5: Define Global and Personal Preferences


A-16 Details: D
Wireshark profiles enable you to customize Wireshark settings for more efficient analysis in specific
environments such as VoIP or WLAN environments. Chapter 11 of Wireshark Network Analysis-
Second Edition includes a list of items you may want to include in various profile configurations.
Wireshark profiles do not create a hosts file dynamically based on saved trace files or create a
manageable database of packets for use in third-party programs. In addition, Wireshark profiles do
not discover and test WEP/WPA keys and pass phrases for traffic decryption; their primary purpose
is to set up a customized Wireshark environment.

Chapter 11: Customize Wireshark Profiles


A-17 Details: A
The default name of the capture filter file is cfilters. A default version of the cfilters file is located in
the global preferences directory. Additional copies may be found in the personal preferences folder
or various profile directories.

Chapter 4: Create and Apply Capture Filters


Return to Q-17
Continue to Question Q-18
A-18 Details: D
The HTTP client sent an HTTP GET request to the HTTP server. The first line of this reassembled
web browsing session shows the GET request (which is only sent out from HTTP clients, not HTTP
servers; HTTP servers respond with numerical codes). The HTTP client requested the default page
/, but did not include IF-MODIFIED-SINCE that would indicate the client has the information in
cache. The server did not respond with a NOT MODIFIED indication, so the page will not be loaded
from cache. The HTTP server did not refuse the client's TCP connection attempt; it sent a 200 OK
response code.

Chapter 10: Follow Streams and Reassemble Data


Return to Q-18
Continue to Question Q-19
A-19 Details: True
The MAC name resolution process resolves the first 3 bytes of the MAC address to the OUI value
contained in Wireshark's manuf file. When you install Wireshark, a default copy of this file is placed
in the global preferences folder. You can edit this simple text file to change the OUI value associated
with the beginning of a MAC address.

Chapter 2: Introduction to Wireshark


Return to Q-19
Continue to Question Q-20
A-20 Details: False
Aggregating taps capture bi-directional full-duplex traffic and forward the traffic out to a single port.
Non-aggregating taps send traffic out separate outbound ports and require multiple analyzers or
multiple adapters to capture the traffic. Reassembly needs to be done outside the tap.

Chapter 3: Capture Traffic


Return to Q-20
Continue to Question Q-21
A-21 Details: True
Wireshark's global services file contains a list of port numbers and application/protocol names. Your
host contains a separate services file used by the TCP/IP stack. Wireshark's services file is a text file
that can be edited to display a different application/protocol name. This doesn't change Wireshark's
dissection process, however.

Chapter 2: Introduction to Wireshark


Return to Q-21
Continue to Question Q-22
A-22 Details: A
The libpcap link layer interface is used to capture wired network traffic when Wireshark is running
on a Linux host. WinPcap is used on Windows hosts. AirPcap extends the capabilities for wireless
capture on Windows hosts. Dumpcap is a command-line packet capture tool.

Chapter 2: Introduction to Wireshark


Return to Q-22
Continue to Question Q-23
A-23 Details: False
Wireshark cannot playback encrypted VoIP conversations. There is no capability to decrypt VoIP
traffic at this time. If you are troubleshooting encrypted VoIP traffic and you need to play back traffic,
you would need to disable encryption before capturing the traffic.

Chapter 2: Introduction to Wireshark


Return to Q-23
Continue to Question Q-24
A-24 Details: C
The display filter tcp.analysis.flags shows all the TCP Expert Infos warnings and notes. In
order to use this filter, Analyze TCP Sequence Numbers must be enabled. The other filters listed in
this question are invalid. This is an important display filter to understand for troubleshooting
purposes.

Chapter 9: Create and Apply Display Filters


Return to Q-24
Continue to Question Q-25
A-25 Details: False
Any display filters created and saved while viewing this trace file will be saved in the
"Troubleshooting" profile directory. The current profile in use is listed in the bottom right corner of
the Wireshark window (the third column of the Status Bar). Besides display filters, any capture
filters, coloring rules, columns or preferences that you set while working in this profile will also be
saved in the Troubleshooting profile directory.

Chapter 11: Customize Wireshark Profiles


Return to Q-25
Continue to Question Q-26
A-26 Details: True
Wireshark's network name resolution process references Wiresharks hosts file before generating
inverse DNS queries to resolve IP addresses to host names. A TCP/IP host running with Wireshark
might have a separate hosts file used by other applications such as web browsers. The hosts file kept
in the Wireshark global or personal preferences directory is referenced first before Wireshark
performs network name resolution (if Wireshark is configured to perform network name resolution).

Chapter 5: Define Global and Personal Preferences


Return to Q-26
Continue to Question Q-27
A-27 Details: B
Based on the Capture Options window shown, Wireshark will scroll to display the most recent
packet captured. This may be surprisingly useless on very busy networks as packets fly by too quickly
to watch. This feature is better suited to a capture on a low packet rate network or when you are using
a capture filter to reduce the number of packets captured or a display filter to reduce the number of
packets shown. In the Capture Options window shown, Wireshark is not configured to resolve IP
addresses to host names ("Enable network name resolution" is disabled) or resolve OUI values for
all MAC addresses ("Enable MAC name resolution" is disabled). The configuration shown does not
indicate Wireshark is set to automatically stop capturing packets after two files have been saved
("Stop capture after" is not defined).

Chapter 3: Capture Traffic


Return to Q-27
Continue to Question Q-28
A-28 Details: True
Display filters applied to a trace file before opening the Protocol Hierarchy Statistics window are
automatically applied to the results displayed. This is a handy feature if you are focusing on the
various protocols/applications transmitted to or from a particular host; you can apply an ip.addr
display filter before opening the Protocol Hierarchies window.

Chapter 2: Introduction to Wireshark


Return to Q-28
Continue to Question Q-29
A-29 Details: A
The capture filter highlighted in the image is illogical as the title indicates the purpose is to filter out
ARP and DNS packets. The filter is configured with the or operator, however. Packets only need to
match one side of the or operator; both ARP and DNS packets would be displayed. For example, if
this capture filter is applied to a DNS packet it would be displayed because that packet is not an ARP
packet. In general, this capture filter won't have any effect on the network traffic. The correct filter
would be not arp and not dns. Wireshark includes a number of sample capture filters that
show how to filter out various types of traffic.

Chapter 4: Create and Apply Capture Filters


Return to Q-29
Continue to Question Q-30
A-30 Details: B
The clear button will restore the coloring rules to the default set. You can also edit or delete rules in
the Coloring Rules window. This question has a footnote that addresses the issue of color in the
Wireshark Certified Network Analyst Exam. The Exam displays full color graphics, but the Exam
does not ask about colors other than black and white. This addresses issues that color blind
candidates may face. Coloring rules are based on display filters, not capture filters. HTTP packets
with the reset bit set on will be colored based on the TCP RST rule because it is listed before the
HTTP coloring rule; coloring rules are processed in order as stated at the top of the Coloring Rules
window. UDP packets containing checksum errors will be displayed based on Checksum Errors
coloring rule because the UDP coloring rule is listed below the Checksum Errors coloring rule.

Chapter 6: Colorize Traffic


Return to Q-30
Continue to Question Q-31
A-31 Details: False
Port numbers set in the HTTP Preferences window for HTTP or HTTPS traffic are permanent settings
and will be used again when you restart Wireshark. All settings in the Preferences window are
permanent settings. If you want a temporary setting consider creating a separate profile and switch
between the profiles to use different settings.

Chapter 5: Define Global and Personal Preferences


Return to Q-31
Continue to Question Q-32
A-32 Details: False
Display filters and capture filters cannot be interchanged because they use a different syntax with very
few exceptions. If you make a mistake creating a display filter, Wireshark's display filter error
checking mechanism will, in most cases, alert you to this fact by applying a red background to the
display filter area or yellow to indicate possible problems.

Chapter 4: Create and Apply Capture Filters and Chapter 9: Create and Apply Display Filters
Return to Q-32
Continue to Question Q-33
A-33 Details: False
By default, Wireshark uses the DiffServ (Differentiated Services) interpretation in the IP header
instead of the Type of Service interpretation. You can change this setting by disabling "Decode IPv4
TOS field as DiffServ field" in the IP preferences. For details on how the Differentiated Services
field works, refer to Chapter 17 of Wireshark Network Analysis-Second Edition.

Chapter 5: Define Global and Personal Preferences


Return to Q-33
Continue to Question Q-34
A-34 Details: True
The Frame section of a packet always indicates which coloring rule has been applied to the packet in
the Coloring Rule Name and Coloring Rule String sections. You can right click on this field and
select Apply as Filter to view all packets that match the coloring rule.

Chapter 6: Colorize Traffic


Return to Q-34
Continue to Question Q-35
A-35 Details: A
The correct Wireshark display filter to display all DHCP traffic is bootp although many people try
dhcp. DHCP is based on BOOTP. When you analyze DHCP traffic you will notice that a BOOTP
section follows the UDP header. The filter tcp.port==68 won't work because DHCP does not
use TCP. The filter ip.addr==[address_of_dhcp_server] won't work because DHCP
traffic from DHCP clients may be sent to the broadcast address.
Chapter 9: Create and Apply Display Filters
Return to Q-35
Continue to Question Q-36
A-36 Details: A
The filter ip.ttl < 20 can be used as a coloring rule. Remember, coloring rules use the syntax of
display filters; the other filters shown (udp port 161, portrange 21-25 and tcp port
25) are capture filters.

Chapter 9: Create and Apply Display Filters


Return to Q-36
Continue to Question Q-37
A-37 Details: False
Conversations colored using the right-click coloring method are temporary; they will not be
maintained when the trace file is opened on another Wireshark system. If you are interested in
creating permanent conversation coloring, create a coloring rule based on the IP addresses and port
numbers or MAC addresses of the conversation and add that coloring rule to the other Wireshark
system.

Chapter 6: Colorize Traffic


Return to Q-37
Continue to Question Q-38
A-38 Details: A
Marked packets are only temporarily marked. When you click the reload button or reopen the trace
file the packet marking will be gone. Marked packets cannot be used to generate display filters and
they cannot be created using coloring rule settings. Marked packets are not saved in a temporary file
either. If you want to filter on all marked packets, use the display filter frame.marked==1. If you
want to change the default color of marked packets, select Preferences | Colors.

Chapter 2: Introduction to Wireshark


Return to Q-38
Continue to Question Q-39
A-39 Details: False
Copying the dfilters file won't copy your display filter macros. Display filter macros are saved in the
dfilter_macros file, not the dfilters file. The dfilter_macros file can be easily shared by copying the
file from one Wireshark system to another.

Chapter 9: Create and Apply Display Filters


Return to Q-39
Continue to Question Q-40
A-40 Details: False
Epoch time is based on the time since January 1 00:00:00 of 1970, not 2000. Epoch time is also
referred to as UNIX time.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-40
Continue to Question Q-41
A-41 Details: A
Broadcast traffic can be seen when you connect Wireshark directly to a switch without configuring
port spanning or port mirroring. In addition, you can see multicast traffic (if the switch is set to
forward multicasts), traffic to unknown MAC addresses (which the switch will forward to all ports in
hopes of discovering where a host is located) and traffic to the MAC address of the host on that
switch port. Noise and interference (which are not actual packets and reside in the WLAN
environment) are not forwarded by switches. DNS queries from all other hosts won't be forwarded
down the unspanned/unmirrored switch port as the switch is forwarding based on the destination
MAC address and the local host is not the DNS server. Frames that contain CRC errors are not
forwarded by switches; keeping invalid packets off the network is a key role of switches.

Chapter 3: Capture Traffic


Return to Q-41
Continue to Question Q-42
A-42 Details: False
Wireshark's HTTP packet counter lists the HTTP request types such as GET and POST. EHLO and
RETR are not HTTP requests.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-42
Continue to Question Q-43
A-43 Details: True
Changing the "Filter display max. list entries" value in Wireshark's Preferences window enables you
to alter the number of recently-created display filters that Wireshark lists. This seems like a really
easy question with the answer placed directly in the stem, doesn't it?
Chapter 5: Define Global and Personal Preferences
Return to Q-43
Continue to Question Q-44
A-44 Details: False
A trace file that is captured on a Wireshark system in Sydney, Australia and emailed to a Wireshark
system in London, England will appear with different Date/Time of Day values to each analyst if both
Wireshark systems have correct local time zone settings. In Chapter 7 of Wireshark Network
Analysis-Second Edition, Figure 115 shows the timestamp difference of a trace file captured in the
Pacific Time zone and opened in London, England. This issue with timezones is often not an issue as
most troubleshooting is based on time between packets or the total time in the trace file regardless of
the actual time/date stamp of the packets.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-44
Continue to Question Q-45
A-45 Details: C
Setting the Time column to Seconds Since Previously Displayed Packet and sorting the Time
column will enable you to quickly identify large gaps in time between packets in a trace file
containing 10,000 packets. You really don't want to be scrolling through 10,000 packets to look for
big gaps in time with a Seconds Since Epoch setting; this method enables you to sort the Time
column from high deltas to low deltas. The Notes section of Wireshark's Expert Infos window does
not have any information regarding large gaps in time between packets. Sorting the packets based on
the Time Since Reference or First Frame in the frame details section won't help you here; again
you are going to have to manually determine the time between packets.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-45
Continue to Question Q-46
A-46 Details: False
If you sort the Time column that is set to Seconds Since Epoch you will see the same type of information
shown by default when the Time column is set to Seconds Since Beginning of Capture except the
time reference will be different.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-46
Continue to Question Q-47
A-47 Details: False
Wireshark only supports display filter macros; Wireshark does not support capture filter macros.
Display filter macros are used to simplify very complex filters. Chapter 9 of Wireshark Network
Analysis-Second Edition shows a display filter macro used to examine traffic sent to a variety of non-
contiguous ports: tcp.dstport == $1 or tcp.dstport == $2 or tcp.dstport
== $3 or tcp.dstport == $4 or tcp.dstport == $5 where $1 represents
destination port 5600, $2 represents destination port 5603, $3 represents destination port 6400, $4
represents destination port 6500 and $5 represents destination port 6700.

Chapter 9: Create and Apply Display Filters


Return to Q-47
Continue to Question Q-48
A-48 Details: D
The filter shown is a capture filter which is based on the Berkeley Packet Filter (BPF) format. The
filter will capture all traffic except traffic to or from the MAC address D4:85:64:A7:BF:A3.

Chapter 4: Create and Apply Capture Filters


Return to Q-48
Continue to Question Q-49
A-49 Details: False
The time setting cannot be Seconds Since Beginning of Capture in the image shown because the
packet number is increasing while the time values are often decreasing.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-49
Continue to Question Q-50
A-50 Details: False
The Protocol Hierarchies window lists only the protocols and applications actually seen in a trace
file or during a live capture; it does not show all protocols and applications dissected by Wireshark
(there are way too many to list and be useful).

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-50
Continue to Question Q-51
A-51 Details: D
In the trace file shown, Packet 11 arrived 0.053866 seconds later than Packet 6. As the question
states, Wiresharks time display format is set to Seconds Since Beginning of Capture. This should
be obvious as Wireshark will change the time setting to this when you create a time reference. Packet
6 is a time reference packet and the times shown for packets 7-11 are relative to the arrival time of
packet 6. The Time column has not been sorted as you can tell by the values in that field. The time
between Packet 5 and Packet 6 cannot be determined using the Time column because Packet 6 is set
as a time reference packet. The timestamps of Packet 1 through Packet 5 are valid and based on the
difference between the arrival time of Packet 1 and each of the following four packets.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-51
Continue to Question Q-52
A-52 Details: False
Time Reference packets are temporarily set to a timestamp of 00:00:00 in a trace file. When you
toggle off the time reference setting, the original timestamp value is restored. When you reopen the
trace file the original timestamp value is restored as well.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-52
Continue to Question Q-53
A-53 Details: False
The first two packets (SYN, SYN/ACK) of a single TCP handshake process can only be used to
determine a snapshot of the round trip latency time between hosts. The next handshake may have
significantly different roundtrip times as network conditions change. If the roundtrip latency time
during a handshake is high, you should watch for continued latency issues.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-53
Continue to Question Q-54
A-54 Details: True
The Conversations window shown in the image includes 239.255.255.250 as an endpoint. Although
multicasts and subnet/network broadcast addresses cannot be assigned to hosts, these addresses can
be listed as the endpoint of conversations. Even IP address 0.0.0.0 (seen during DHCP address
assignment processes) shows up as an endpoint.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-54
Continue to Question Q-55
A-55 Details: True
Packet timestamps are saved inside pcap and pcap-ng files so the packet timestamps can be displayed
when the file is opened again. Every trace file contains timestamp information in a record header for
each packet. The record header defines the difference between the packet arrival time and epoch
time.

Chapter 7: Define Time Values and Interpret Summaries
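The record header mentioned in A-55 stores each packet's arrival time as seconds and microseconds since epoch. The following added example (not Wireshark or libpcap code) builds a constructed classic pcap capture in memory, reads those record headers back and derives the Time column values discussed in A-45, A-51 and A-52; pcap-ng uses a different block layout and is not modelled here.

```python
"""Read the per-packet record headers of a classic pcap file and derive the Time column
values this guide discusses.

Added example for this study guide, not Wireshark or libpcap code. The capture is
constructed in memory; it models the classic pcap layout (24-byte global header, then a
16-byte record header before each frame), not pcap-ng."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution pcap, written here little-endian
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"        # ts_sec, ts_usec, incl_len, orig_len

# Constructed arrival times as (seconds since 1970-01-01 00:00:00 UTC, microseconds).
SAMPLE_ARRIVALS = [
    (1330000000, 0),
    (1330000000, 120000),
    (1330000000, 125500),
    (1330000002, 125500),   # a 2-second gap before this packet
    (1330000002, 200000),
    (1330000002, 250000),
    (1330000002, 303866),
    (1330000002, 500000),
]


def build_pcap(arrivals, frame=b"\x00" * 60):
    """Serialize a pcap file whose records carry the given (ts_sec, ts_usec) stamps."""
    out = bytearray(struct.pack(GLOBAL_HEADER, PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for ts_sec, ts_usec in arrivals:
        out += struct.pack(RECORD_HEADER, ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_records(data):
    """Yield (ts_sec, ts_usec, incl_len) from every record header. The arrival time lives
    only here, outside the frame bytes, which is why it survives a save and reopen (A-55)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset = struct.calcsize(GLOBAL_HEADER)
    while offset + struct.calcsize(RECORD_HEADER) <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HEADER, data, offset)
        yield ts_sec, ts_usec, incl_len
        offset += struct.calcsize(RECORD_HEADER) + incl_len   # skip the frame bytes


def epoch_micros(data):
    """Seconds Since Epoch for each packet, kept as whole microseconds to avoid float error."""
    return [s * 1_000_000 + u for s, u, _ in read_records(data)]


def time_column(arrivals_us, time_reference=None):
    """Seconds Since Beginning of Capture (in microseconds) with an optional time reference
    given as a 1-based packet number. Packets before the reference stay relative to packet 1,
    the reference itself shows 0 and later packets are relative to it (A-51). The input is
    not modified, so clearing the reference simply means calling this again without it (A-52)."""
    base = arrivals_us[0]
    column = []
    for number, t in enumerate(arrivals_us, start=1):
        if number == time_reference:
            base = t
        column.append(t - base)
    return column


def delta_displayed(arrivals_us):
    """Seconds Since Previously Displayed Packet (in microseconds); the first packet shows 0."""
    return [0] + [later - earlier for earlier, later in zip(arrivals_us, arrivals_us[1:])]


def largest_gaps(arrivals_us, top=3):
    """Sort the delta column high to low, as A-45 recommends, and return
    (packet_number, gap_us) for the biggest gaps."""
    deltas = delta_displayed(arrivals_us)
    ranked = sorted(range(1, len(deltas) + 1), key=lambda n: deltas[n - 1], reverse=True)
    return [(n, deltas[n - 1]) for n in ranked[:top]]


if __name__ == "__main__":
    arrivals = epoch_micros(build_pcap(SAMPLE_ARRIVALS))
    for number, (rel, ref6) in enumerate(zip(time_column(arrivals),
                                             time_column(arrivals, time_reference=6)), 1):
        print(f"{number:>2}  {rel / 1e6:12.6f}  {ref6 / 1e6:12.6f}")
    print("largest gaps:", [(n, f"{g / 1e6:.6f}") for n, g in largest_gaps(arrivals)])
```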


Return to Q-55
Continue to Question Q-56
A-56 Details: False
Multicasts and broadcasts can be listed as endpoints in Wireshark even though they cannot be
assigned to a host.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-56
Continue to Question Q-57
A-57 Details: True
If you want to view decrypted SSL/TLS traffic, you will need to define an RSA key in the SSL
preferences setting prior to using Follow SSL Stream. If the SSL stream is not decrypted, Follow SSL
Stream will not be available.

Chapter 10: Follow Streams and Reassemble Data


Return to Q-57
Continue to Question Q-58
A-58 Details: B
Based on the Coloring Rules window shown, HTTP retransmissions will be colorized by the Bad
TCP coloring rule. This rule is located above the HTTP rule and coloring rules are processed in
order. Even if the retransmissions have the TCP reset bit set, they will be colorized by Bad TCP
because of the order of the coloring rules. WLAN retries are different from HTTP retransmissions so
the WLAN Retries coloring rule will not affect them.

Chapter 6: Colorize Traffic


Return to Q-58
Continue to Question Q-59
A-59 Details: A
Based on the answer options provided, the most efficient method for saving non-contiguous packets in
a trace file is to mark the packets and choose to save the marked packets. The trick is dealing with
non-contiguous packets. A display filter would have been a good option if the packets have a common
trait, but it was not listed.

Chapter 6: Colorize Traffic


Return to Q-59
Continue to Question Q-60
A-60 Details: A
Public IP addresses are mapped with Wireshark's GeoIP mapping services. This question may seem
obvious as the answer is listed in the stem. If you aren't familiar with the purpose of GeoIP mapping,
however, you might think it can do something with MAC addresses (it can't) or private IP addresses
(it won't). Broadcasts and multicasts cannot be mapped to a target location.

Chapter 2: Introduction to Wireshark


Return to Q-60
Continue to Question Q-61
A-61 Details: B
The udp filter can be used as either a capture filter or a display filter. Interestingly this filter happens
to use the same syntax for both capture and display filters. The dns filter can only be used as a display
filter whereas the dhcp and broadcast filters offered are invalid.

Chapter 9: Create and Apply Display Filters


Return to Q-61
Continue to Question Q-62
A-62 Details: True
Wireshark's default set of display filters are saved in a file called dfilters in the global configuration
directory. When you create new display filters using the default profile, a new dfilters file is saved in
the personal configuration folder. When you create new display filters using another profile, a new
dfilters file is saved in the profiles folder.

Chapter 9: Create and Apply Display Filters


Return to Q-62
Continue to Question Q-63
A-63 Details: B
The capture filter tcp portrange 20-25 would capture traffic to and from TCP ports 20
through 25. Each of the other filter options is an invalid capture filter.

Chapter 3: Capture Traffic


Return to Q-63
Continue to Question Q-64
A-64 Details: False
The Conversations window shown indicates that there are two unique IP conversations (not
endpoints) running over three Ethernet addresses. To determine the number of unique endpoints, you
can open the IP Conversations window and count them or open the Endpoints window.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-64
Continue to Question Q-65
A-65 Details: False
UDP and TCP packets are counted in the IP Protocol Types statistic because they both contain an IP
header. ARP statistics are not counted in the IP Protocol Types statistic because they do not have an
IP header; ARP packets consist of a data link header followed by the ARP fields. The data link
header contains the value 0x0806 to indicate the packet is an ARP packet.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-65
Continue to Question Q-66
A-66 Details: False
The Protocol Hierarchy Statistics window shown indicates that 10.53% of the Ethernet traffic is
ARP. ARP is not IP-based traffic even if it is used to resolve local MAC addresses for IP hosts.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-66
Continue to Question Q-67
A-67 Details: B
Small packets are a common characteristic of database record transfers. Unlike full file transfers,
database communications often transfer smaller pieces of information, hence the small packet sizes.
Multicast responses are quite unusual on a network (multicast requests are not, however) and large
delays do not affect packet sizes. Separate connections would add very little small packet overhead
with just some additional TCP handshakes and ACKs (if TCP is used).

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-67
Continue to Question Q-68
A-68 Details: True
ICMP Type 3/Code 4 packets (Destination Unreachable/Fragmentation Needed, but Don't Fragment
Bit was Set) may indicate that a router along a path cannot forward a packet. When a packet arrives
that is too large to be forwarded to the next link, a router will respond with this ICMP packet. The
packet defines the allowed MTU size so smaller packets can be generated by the originator.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-68
Continue to Question Q-69
A-69 Details: D
Internet Group Management Protocol (IGMP) can be used by a host to dynamically join or leave a
multicast group. Multicast DNS (mDNS) is used in zero-configuration networks and has no relation to
multicasts on the network. Open Shortest Path First (OSPF) is a link state routing protocol. Protocol
Independent Multicast (PIM) is used to manage multicast communication (not memberships) on a
network.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-69
Continue to Question Q-70
A-70 Details: False
When you select Prepare a filter, the filter is shown in the display filter area, but it is not applied to
the traffic until you click Apply. This allows you to examine the filter and, if desired, alter or add to
the filter before applying it.

Chapter 9: Create and Apply Display Filters


Return to Q-70
Continue to Question Q-71
A-71 Details: True
Any time you disable the decoding process for a protocol, the higher layer applications and protocols
will not be decoded either. In this case, disabling the TCP protocol decoding process will also
disable HTTP and FTP decoding.

Chapter 5: Define Global and Personal Preferences


Return to Q-71
Continue to Question Q-72
A-72 Details: C
Wireshark's UDP Multicast Streams burst measurement interval depicts the number of multicast
packets within a specific number of milliseconds. The default burst measurement interval is 100 ms.
This interval is used as the time measurement for the burst alarm threshold.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-72
Continue to Question Q-73
A-73 Details: A
Opening Statistics | WLAN Traffic enables you to quickly identify all WLAN BSSIDs seen in a
trace file. The WLAN Traffic Statistics window also indicates the BSSID, channel, SSID and a
breakdown of the traffic in percentage and WLAN packet type such as beacons, data packets, probe
requests, probe responses, authorization and deauthorization packets, etc. Applying a WLAN display
filter is useful when you capture on both wired and wireless adapters simultaneously.

Chapter 8: Interpret Basic Trace File Statistics


Return to Q-73
Continue to Question Q-74
A-74 Details: False
Wireshark's display filter syntax cannot be used for capture filters as each filter type supports a
different syntax. Wireshark display filters use a Wireshark-specific syntax while capture filters use
the Berkeley Packet Filtering (BPF) syntax.

Chapter 9: Create and Apply Display Filters


Return to Q-74
Continue to Question Q-75
A-75 Details: True
The filter shown will display all ARP packets seen by Wireshark as well as all TCP packets seen by
Wireshark. Although the filter name is All ARP and All TCP, the filter string must use the || (or)
operator. If you create a display filter arp && tcp, no packets would match the filter as it is
impossible for a packet to be both ARP and TCP.

Chapter 9: Create and Apply Display Filters


Return to Q-75
Continue to Question Q-76
A-76 Details: True
Display filters can be created based on the contents of fields that do not actually exist in a packet such
as the Time Since Referenced or First Packet field. There are numerous frame fields displayed that
are not actually contained in the true packet. For example, if you open up the Frame section of a
packet you will see fields for the time values, packet marking and coloring. Right clicking on any of
these fields enables you to apply or prepare display filters on these values.

Chapter 9: Create and Apply Display Filters


Return to Q-76
Continue to Question Q-77
A-77 Details: False
The capture filter host www.wiresharkbook.com and port 21 will not capture all FTP
traffic on port 21 regardless of the destination or source host. Since the and operator was used, a
packet must match the criteria on both sides of the operator in order to be captured. A packet sent to
ftp.wireshark.org on port 21 would not be captured because it does not match the host portion in
this filter.

Chapter 4: Create and Apply Capture Filters


Return to Q-77
Continue to Question Q-78
A-78 Details: False
The Time Reference setting is only a temporary setting; it is not saved permanently with the trace
file.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-78
Continue to Question Q-79
A-79 Details: C
The Summary Statistics window provides an overview of saved or unsaved packets such as the time
elapsed from the start to the end of the trace and total bytes in the trace file. IO Graphs, Flow Graphs
and the Expert Infos window do not provide these details. If you apply a display filter to your traffic
and mark certain packets, the Summary window compares all the packets to the displayed packets and
the marked packets.

Chapter 7: Define Time Values and Interpret Summaries


Return to Q-79
Continue to Question Q-80
A-80 Details: True
Network analyzers may cause security concerns because they can be used maliciously to listen in on
unencrypted network traffic. Some companies may restrict the use of network analyzers for fear some
unencrypted traffic may be captured. This is a naïve method of securing the network; the company
should know which traffic is unencrypted and, if the content is confidential, set up an encryption plan
to protect against eavesdropping by untrusted parties.

Chapter 1: Network Analysis Overview


Return to Q-80
Continue to Question Q-81
A-81 Details: C
Coloring rules can be created using the display filter syntax. ACL rules and capture filters use
entirely different formats. Reference packets are temporarily marked in a trace file; there is no
discernable format used on those packets.

Chapter 6: Colorize Traffic


Return to Q-81
Continue to Question Q-82
A-82 Details: True
Comparison and logical operators enable you to combine multiple display filters to further define the
traffic of interest. The most commonly used operators are the and and or operators. If the and
operator is used, packets must match criteria on BOTH sides of the operator. If the or operator is
used, packets must match criteria on EITHER side of the operator.

Chapter 9: Create and Apply Display Filters


Return to Q-82
Continue to Question Q-83
A-83 Details: A
In the display filter eth.src[4:2] == 06:33, the number 2 indicates that Wireshark is looking
for a two byte value. This offset filter indicates that Wireshark is looking at the Ethernet Source
Address field (MAC address). Wireshark will look over at the fifth byte (start counting at 0) for a 2-
byte value of 06:33. These are the last two bytes of the Ethernet Source Address field.

Chapter 9: Create and Apply Display Filters


Return to Q-83
Continue to Question Q-84
A-84 Details: False
Display filters can be applied during or after the capture process. Capture filters, on the other hand,
cannot be applied after you begin the capture process.

Chapter 9: Create and Apply Display Filters


Return to Q-84
Continue to Question Q-85
A-85 Details: False
The ip.addr != 192.168.0.2 display filter contains one of the most common display filter
mistakes. There are two IP address fields that will be examined. The condition must be met for both
fields in order to remove these packets from view. This filter will have no effect on the trace file. The
correct filter would be !ip.addr == 192.168.0.2.

Chapter 9: Create and Apply Display Filters


A-86 Details: True
You can reorder the filters contained in the dfilters file by manually editing the dfilters text file. After
you manually edit the file you will need to restart Wireshark to use the new version of the file.
Remember to include a line feed after the last filter in the text file or the last display filter will not
appear in your display filter window.

Chapter 9: Create and Apply Display Filters


A-87 Details: False
Coloring Rules are maintained in the colorfilters file. They are not temporary settings; they will be
in use anytime you enable packet coloring.

Chapter 6: Colorize Traffic


A-88 Details: True
Every TCP conversation will have a unique TCP Stream Index value. This value is used when you
follow a TCP stream. In addition, you can filter on this value.

Chapter 10: Follow Streams and Reassemble Data


A-89 Details: A
Following TCP streams uses the TCP Stream Index value. When you follow a TCP stream, you will
see a display filter tcp.stream eq x applied to the traffic where x indicates the stream number.
Endpoint filters are not created when you follow a stream as you want to see both sides of a
conversation. You do not need to filter on a conversation before following a stream; following a
stream will create and apply that filter for you. Wireshark does not need to capture the TCP
handshake process to follow a TCP stream; streams (and the stream indexes) are based on
source/destination IP address/port pairs.

Chapter 10: Follow Streams and Reassemble Data
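The stream-index behaviour described in A-88 and A-89, shown as an added Python example (this is not code from the Exam Prep Guide or from the Wireshark source). It assigns a tcp.stream value from the unordered pair of IP address/port endpoints alone, so a conversation captured mid-stream with no handshake still gets an index, and it reproduces what the tcp.stream eq x filter applied by Follow TCP Stream selects. The packet tuples are constructed sample data.

```python
"""
Added example, not from the Exam Prep Guide or from Wireshark itself: how a
TCP Stream Index (tcp.stream) can be derived from address/port pairs, as
A-88 and A-89 describe, with no dependence on seeing the TCP handshake.
"""


def assign_stream_indexes(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port) tuples in capture order.
    Returns one stream index per packet.  Both directions of a conversation
    share an index because the key is the unordered pair of endpoints, and
    indexes are handed out in order of first appearance, starting at 0."""
    streams = {}          # endpoint pair -> stream index
    result = []
    for src_ip, src_port, dst_ip, dst_port in packets:
        key = frozenset([(src_ip, src_port), (dst_ip, dst_port)])
        if key not in streams:
            streams[key] = len(streams)
        result.append(streams[key])
    return result


def follow_stream(packets, index):
    """Equivalent of the 'tcp.stream eq index' filter that Follow TCP Stream
    applies: the capture-order positions of every packet in that conversation,
    in both directions."""
    return [i for i, s in enumerate(assign_stream_indexes(packets)) if s == index]


# Constructed sample (hypothetical addresses): two conversations, the second
# one captured mid-stream so no SYN for it is ever seen.
SAMPLE_STREAMS = [
    ("10.1.1.5", 51000, "10.1.1.9", 80),    # 0: stream 0, client -> server
    ("10.1.1.9", 80, "10.1.1.5", 51000),    # 1: stream 0, server -> client
    ("10.1.1.7", 40222, "10.1.1.9", 443),   # 2: stream 1, no handshake captured
    ("10.1.1.5", 51000, "10.1.1.9", 80),    # 3: stream 0
    ("10.1.1.9", 443, "10.1.1.7", 40222),   # 4: stream 1
]

if __name__ == "__main__":
    print("tcp.stream per packet:", assign_stream_indexes(SAMPLE_STREAMS))
    print("tcp.stream eq 1      :", follow_stream(SAMPLE_STREAMS, 1))
```

The model deliberately stops at the endpoint pair; Wireshark's TCP dissector additionally starts a new stream when it sees a port pair being reused for a new connection, which this example does not attempt to reproduce.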


A-90 Details: True
File identifiers are typically contained near the beginning of a file to indicate the application used to
create or open a file. Wireshark Network Analysis-Second Edition provides numerous examples of
file identifiers in Chapter 10.

Chapter 10: Follow Streams and Reassemble Data


A-91 Details: False
Unfortunately, not all WLAN adapters supported by WinPcap can go into monitor mode. Monitor
mode enables an adapter to refrain from being a member of any particular SSID thereby allowing it to
capture traffic from any WLAN.

Chapter 3: Capture Traffic


A-92 Details: C
Examine the Profile column in the Status Bar to determine which Profile is in use while you are
capturing traffic. You can also click on the Profile listed in use to switch profiles. The profile
information is not contained in the Title Bar or in the Preferences | Interface area. Profile
information is not linked to a packet so there is no profile information in the Frame information of a
packet.

Chapter 11: Customize Wireshark Profiles


A-93 Details: True
When using the or operator in inclusion capture filters, a packet that matches one or more sides of
the operator will pass through the filter and be captured. When using the and operator in inclusion
capture filters, each packet must match both sides of the operator to pass through the filter and be
captured.

Chapter 4: Create and Apply Capture Filters


A-94 Details: C
Placing the analyzer appropriately can help avoid the "needle in a haystack issue" when analyzing
network traffic. Rather than placing the analyzer off a spanned port of a core switch and being
overwhelmed with traffic rates, consider placing the analyzer close to a client system. Capturing to
Tshark file sets will not reduce the traffic you are capturing, but it will separate the packets into a set
of files for faster navigation. Capturing only wired network traffic does not address the needle in a
haystack issue at all.

Chapter 3: Capture Traffic


A-95 Details: C
Preference settings can be saved with a Wireshark profile. The services file is a global preference
used by all profiles. Editcap scripts or other scripts you write can be saved in any directory, but that
does not associate them with a particular profile. You cannot save IO Graph settings.

Chapter 5: Define Global and Personal Preferences


A-96 Details: B
In the image shown, the UDP coloring rule would be applied to all normal DHCP traffic which
always uses UDP as the transport protocol. The HTTP coloring rule will only identify HTTP traffic,
not SSL/TLS traffic. TCP packets with incorrect checksums will not be colorized based on the
Checksum Errors coloring rule because that rule is disabled. The TCP SYN/FIN coloring rule will
not identify packets that have both the SYN and FIN bits set to 0 in a single packet; it is looking for
either the SYN bit set to 1 (and no other flags set to 1) or any packets with the FIN bit set to 1.

Chapter 6: Colorize Traffic
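The filter semantics explained in A-82, A-83 and A-85 above, together with the SYN/FIN rule logic in A-96, modelled as an added Python example (this is not code from the Exam Prep Guide or from the Wireshark project). It shows why the classic ip.addr != 192.168.0.2 hides nothing while !ip.addr == 192.168.0.2 does, how eth.src[4:2] == 06:33 reads two bytes at offset 4, how the and/or operators combine field tests, and how the SYN/FIN rule tests the TCP Flags byte. The packets and addresses are constructed sample data.

```python
"""
Added example (not code from the Exam Prep Guide or from Wireshark): a small
model of how Wireshark display filters match packets that carry a field more
than once (A-82, A-85), how a byte-slice filter reads a field (A-83), and how
the SYN/FIN coloring rule described in A-96 tests the TCP Flags byte.
Every packet below is constructed sample data, not a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the fields the filters in this section refer to."""
    eth_src: bytes   # 6-byte Ethernet source address
    ip_src: str
    ip_dst: str
    tcp_flags: int   # raw TCP Flags byte: 0x01 FIN, 0x02 SYN, 0x08 PSH, 0x10 ACK


# Constructed sample packets (hypothetical addresses; 192.168.0.2 is the host
# used in A-85).  The last two bytes of eth_src are what A-83's filter reads.
SAMPLE = [
    Packet(bytes.fromhex("001b21a00633"), "192.168.0.2", "10.0.0.5", 0x02),  # 0: SYN
    Packet(bytes.fromhex("001b21a00634"), "10.0.0.5", "192.168.0.2", 0x12),  # 1: SYN/ACK
    Packet(bytes.fromhex("001b21a00633"), "10.0.0.5", "10.0.0.9", 0x18),     # 2: PSH/ACK
    Packet(bytes.fromhex("001b21a00634"), "10.0.0.9", "10.0.0.5", 0x11),     # 3: FIN/ACK
]


def field_values(pkt, name):
    """Every occurrence of a filter field in the packet.  ip.addr is the classic
    multi-occurrence field: it stands for ip.src AND ip.dst, so it yields two values."""
    return {
        "ip.src": [pkt.ip_src],
        "ip.dst": [pkt.ip_dst],
        "ip.addr": [pkt.ip_src, pkt.ip_dst],
        "eth.src": [pkt.eth_src],
    }[name]


def eq(pkt, name, value):
    """'field == value': true when ANY occurrence of the field equals value."""
    return any(v == value for v in field_values(pkt, name))


def ne_classic(pkt, name, value):
    """Classic 'field != value' as A-85 describes it: true when ANY occurrence
    differs from value.  With ip.addr both addresses are examined, so a packet
    is hidden only if BOTH addresses equal value, which is why
    'ip.addr != 192.168.0.2' leaves the host's traffic on screen."""
    return any(v != value for v in field_values(pkt, name))


def not_eq(pkt, name, value):
    """'!field == value' (the filter A-85 recommends): true only when NO
    occurrence equals value, so every packet touching the host is hidden."""
    return not eq(pkt, name, value)


def slice_eq(pkt, name, offset, length, value):
    """'field[offset:length] == value': compare `length` bytes starting at the
    zero-based `offset`.  A-83's eth.src[4:2] == 06:33 reads bytes 4 and 5."""
    return any(v[offset:offset + length] == value for v in field_values(pkt, name))


def syn_fin_rule(pkt):
    """The SYN/FIN coloring-rule logic A-96 describes: SYN set with no other
    flag set, OR FIN set (with any other flags).  A SYN/ACK therefore does
    not match, while a FIN/ACK does."""
    FIN, SYN = 0x01, 0x02
    return pkt.tcp_flags == SYN or bool(pkt.tcp_flags & FIN)


def apply_filter(filter_fn, packets=SAMPLE):
    """Indexes of the packets a filter leaves visible, like the Packet List pane."""
    return [i for i, p in enumerate(packets) if filter_fn(p)]


if __name__ == "__main__":
    host = "192.168.0.2"
    print("ip.addr != host     ->", apply_filter(lambda p: ne_classic(p, "ip.addr", host)))
    print("!ip.addr == host    ->", apply_filter(lambda p: not_eq(p, "ip.addr", host)))
    print("eth.src[4:2]==06:33 ->", apply_filter(lambda p: slice_eq(p, "eth.src", 4, 2, b"\x06\x33")))
    print("ip.src==10.0.0.5 and ip.dst==host ->",
          apply_filter(lambda p: eq(p, "ip.src", "10.0.0.5") and eq(p, "ip.dst", host)))
    print("SYN/FIN rule        ->", apply_filter(syn_fin_rule))
```

ne_classic models the behaviour the book describes for the Wireshark versions of its time; Wireshark 3.6 and later changed the != operator so that ip.addr != x now behaves like !(ip.addr == x), but the underlying lesson (a repeated field is matched per occurrence) still decides how any_eq/all_ne style operators read.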


A-97 Details: B
Wireshark includes a default set of capture filters. In addition, Wireshark also includes a default set
of display filters. Both filter files are located in the Wireshark global preferences folder. Display
filters are used for coloring rules. Capture filters must be applied before the capture start and cannot
be applied to saved trace files.

Chapter 3: Capture Traffic


A-98 Details: True
Considering that the time display setting is defined as Seconds Since Previously Displayed Packet,
it is true that Packet 11 arrived 0.020238 seconds after Packet 9. Adding the time listed for Packet 10
and Packet 11 gives you the time between the arrival of Packet 9 and Packet 11
(0.000911 + 0.019327 = 0.020238).

Chapter 7: Define Time Values and Interpret Summaries

A-99 Details: True
By default, Wireshark maintains your personal settings during the installation process, but overrides
the global settings such as the default manuf file. Wireshark allows you to override your personal
settings and keep global settings during the installation process, if desired.

Chapter 2: Introduction to Wireshark


A-100 Details: False
Disabling promiscuous mode does not limit your ability to capture local multicast traffic. You don't
need promiscuous mode enabled to capture broadcasts or multicasts on a network.

Chapter 3: Capture Traffic


Part 2: Practice Question Set 101-206
This practice question set covers sections 12-22 of the Wireshark Certified Network Analyst Exam
topic list.
Section 12: Annotate, Save, Export and Print Packets
Section 13: Use Wireshark's Expert System
Section 14: TCP/IP Analysis Overview
Section 15: Analyze Domain Name System (DNS) Traffic
Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic
Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic
Section 19: Analyze User Datagram Protocol (UDP) Traffic
Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Section 21: Graph IO Rates and TCP Trends
Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic
Key Area: The icon marks key topics to study in preparation for the Exam.
Section 12: Annotate, Save, Export and Print Packets
Wireshark Certified Network Analyst Exam Objectives:
Annotate a Packet or an Entire Trace File
Save Filtered, Marked and Ranges of Packets
Export Packet Contents for Use in Other Programs
Export SSL Keys
Save Conversations, Endpoints, I/O Graphs and Flow Graph Information
Export Packet Bytes
Section 13: Use Wireshark's Expert System
Wireshark Certified Network Analyst Exam Objectives:
Launch Expert Info Quickly
Colorize Expert Info Elements
Filter on TCP Expert Information Elements
Define TCP Expert Information
Section 14: TCP/IP Analysis Overview
Wireshark Certified Network Analyst Exam Objectives:
Define Basic TCP/IP Functionality
Follow the Multistep Resolution Process
Define Port Number Resolution
Define Network Name Resolution
Define Route Resolution for a Local Target
Define Local MAC Address Resolution for a Target
Define Route Resolution for a Remote Target
Define Local MAC Address Resolution for a Gateway
Section 15: Analyze Domain Name System (DNS) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of DNS
Analyze Normal DNS Queries/Responses
Analyze DNS Problems
Dissect the DNS Packet Structure
Filter on the DNS/MDNS Traffic
Section 16: Analyze Address Resolution Protocol (ARP) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of ARP Traffic
Analyze Normal ARP Requests/Responses
Analyze Gratuitous ARP
Analyze ARP Problems
Dissect the ARP Packet Structure
Filter on ARP Traffic
Section 17: Analyze Internet Protocol (IPv4/IPv6) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of IP
Analyze Normal IPv4 Traffic
Analyze IPv4 Problems
Dissect the IPv4 Packet Structure
Filter on IPv4/IPv6 Traffic
Sanitize IPv4 Addresses in a Trace File
Set Your IP Protocol Preferences
Section 18: Analyze Internet Control Message Protocol (ICMPv4/ICMPv6) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of ICMP
Analyze Normal ICMP Traffic
Analyze ICMP Problems
Dissect the ICMP Packet Structure
Filter on ICMP and ICMPv6 Traffic
Section 19: Analyze User Datagram Protocol (UDP) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of UDP
Analyze Normal UDP Traffic
Analyze UDP Problems
Dissect the UDP Packet Structure
Filter on UDP Traffic
Section 20: Analyze Transmission Control Protocol (TCP) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of TCP
Analyze Normal TCP Communications
Define the Establishment of TCP Connections
Define How TCP-based Services Are Refused
Define How TCP Connections are Terminated
Track TCP Packet Sequencing
Define How TCP Recovers from Packet Loss
Improve Packet Loss Recovery with Selective Acknowledgments
Define TCP Flow Control
Analyze TCP Problems
Dissect the TCP Packet Structure
Filter on TCP Traffic
Set TCP Protocol Parameters
Section 21: Graph IO Rates and TCP Trends
Wireshark Certified Network Analyst Exam Objectives:
Use Graphs to View Trends
Generate Basic I/O Graphs
Filter I/O Graphs
Generate Advanced I/O Graphs
Compare Traffic Trends in I/O Graphs
Graph Round Trip Time
Graph Throughput Rates
Graph TCP Sequence Numbers over Time
Interpret TCP Window Size Issues
Interpret Packet Loss, Duplicate ACKs and Retransmissions
Section 22: Analyze Dynamic Host Configuration Protocol (DHCPv4/DHCPv6) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of DHCP
Analyze Normal DHCP Traffic
Analyze DHCP Problems
Dissect the DHCP Packet Structure
Filter on DHCPv4/DHCPv6 Traffic
Display BOOTP-DHCP Statistics
Q-101. What is the purpose of the gratuitous ARP process?
A. perform connectivity tests at periodic intervals
B. identify duplicate IP addresses on the network
C. offer multicast MAC address resolution services
D. broadcast the local MAC address to local routers

Jump to the answer


Go to the next question*

*This is a good choice if you are using the Answer Sheet available from
www.wiresharkbook.com/epg.
Q-102. IP routers apply a new MAC header to packets before forwarding them on to the next
network.
True
False

Q-103. The TCP backoff algorithm is used to determine the number of retransmission attempts
before giving up on a TCP connection.
True
False

Q-104. The ARP packet shown above is a request to identify the MAC address of 10.64.0.164.
True
False

Q-105. TCP peers increment their sequence numbers by 1 during the handshake process even
though no data is contained in the SYN or SYN/ACK packets.
True
False

Q-106. Which statement about the TCP recovery process is true?
A. A single duplicate ACK can trigger a retransmission.
B. TCP hosts attempt two retransmissions before terminating the connection.
C. Retransmitted packets use the same sequence number as the original lost packet.
D. Packet loss recovery is always started by the TCP host who initiated the connection.

Q-107. A high number of Duplicate ACKs seen before a TCP retransmission may be a sign of
high latency along a path.
True
False

Q-108. Which Advanced IO Graph Calc function would be best for graphing the frequency of
tcp.analysis.retransmission packets?
A. MIN(*)
B. SUM(*)
C. LOAD(*)
D. COUNT(*)

Q-109. Why can't ARP packets be routed?
A. All ARP packets are IP broadcasts.
B. ARP packets do not have an IP header.
C. ARP packets have a Time to Live value of 0.
D. ARP packets are smaller than the minimum packet size allowed.

Q-110. The UDP header checksum calculation is required for all UDP-based communications.
True
False

Q-111. The IO Graph shown above compares all traffic to packets that trigger Wireshark's
TCP analysis flags.
True
False

Q-112. Which pattern would be seen during a failed TCP connection attempt?
A. SYN, RST/ACK
B. SYN, SYN/RST
C. SYN, ACK, RST
D. SYN, SYN/ACK, ACK, RST

Q-113. If a DHCP client's renewal and rebinding process fails, the DHCP client must release its
IP address and send a DHCP Discover broadcast to locate a DHCP server or Relay Agent.
True
False

Q-114. Which condition could cause you to see ARP queries, but not ARP responses in a trace?
A. Wireshark is not capturing in .pcap-ng format.
B. You have applied a capture filter for UDP traffic.
C. You are connected to a switch port that is not spanned.
D. You must enable Update List of Packets in Real Time in Wireshark's capture
preferences.

Q-115. You can enable Wireshark's duplicate IP address detection mechanism in the
ARP/RARP preferences configuration.
True
False

Q-116. IP provides the fragmentation and reassembly for low MTU (Maximum Transmission
Unit) network paths.
True
False

Q-117. Which statement about the IP header shown above is correct?
A. This packet cannot cross a router.
B. A TCP header will follow this IP header.
C. This packet is the last part of an IP fragment set.
D. This packet contains an invalid Identification field value.

Q-118. What term does Wireshark use to define TCP retransmissions that occur within
20 ms of a Duplicate ACK?
A. fast retransmissions
B. retransmissions
C. duplicate retransmissions
D. unsolicited retransmissions

Q-119. The purpose of the TCP SYN bit is to synchronize the Initial Sequence Number value of
the sender.
True
False

Q-120. ARP request packets and ARP reply packets use different formats.
True
False

Q-121. Which step is performed by a router before it forwards an IP packet?
A. The target IP address is examined to make routing decisions.
B. The source MAC address is verified against the IP routing table.
C. The destination MAC address is looked up in the forwarding tables.
D. The network name of the target is resolved using DNS.

Q-122. If an ICMP Destination Unreachable/Port Unreachable (Type 3/Code 3) is sent in
response to a DHCP Request packet, the DHCP server daemon may not be running on the
target.
True
False

Q-123. Which statement about the IP header shown above is correct?
A. The entire packet is 328 bytes long.
B. A UDP header will follow this IP header.
C. This packet is the second part of an IP fragment set.
D. This packet contains the minimum TTL value allowed.

Q-124. What is the maximum value that can be defined in the TCP Window Size field?
A. 16
B. 32
C. 1,024
D. 65,535

Q-125. The ICMP packet shown above will update the routing tables of the target.
True
False

Q-126. When packet loss and delays are not incurred, the TCP Time-Sequence Graph plot
points run from the lower left corner to the upper right corner in a diagonal line of I-bars.
True
False

Q-127. Which statement about DHCP communications is correct?
A. DHCP Request packets are sent to the IP multicast address.
B. DHCP servers ping DHCP clients after assigning IP addresses.
C. Relay Agents forward messages between DHCP clients and DHCP servers.
D. Three identical DHCP Discover packets will trigger a duplicate DHCP ACK.

Q-128. TCP/IP will not generate DNS host name queries if a sender defines a specific target IP
address.
True
False

Q-129. The IPv4 Total Length field includes the data link padding in the calculation.
True
False

Q-130. The display filter tcp.analysis.flags shows all packets that have the TCP Reset
bit set to 1.
True
False

Q-131. Which statement about the packet shown above is correct?
A. This packet should be routed.
B. This packet was sent from a DHCP/BOOTP client.
C. This packet should have been sent to the DHCP server IP address.
D. This packet was sent to determine if an IP address is already in use.

Q-132. ICMP redirects can be sent by servers to indicate a service is unavailable.
True
False

Q-133. Which statement about the ICMP packet shown above is correct?
A. This packet was sent from 10.0.0.99.
B. This is an ICMP echo request packet.
C. This type of packet contains two IP headers.
D. This packet does not meet the minimum packet size requirements.

Q-134. Which file contains the TCP Expert information?
A. services
B. libpcap
C. packet-tcp.c
D. coloringrules

Q-135. What type of device can alter IP header addressing?
A. a layer 2 switch
B. a firewall using Access Control Lists (ACLs)
C. a Network Address Translation (NAT) device
D. a router using Differentiated Services (DiffServ)

Q-136. The syntax for ICMP capture filters is icmp.
True
False

Q-137. The packet shown above is a DNS inverse query packet used to resolve an IP address to
a host name.
True
False

Q-138. Which transport layer protocol is used for multicast traffic?
A. ARP
B. TCP
C. UDP
D. ICMP

Q-139. Which statement about the packet shown above is correct?
A. This UDP header is 8 bytes long.
B. The UDP header checksum is too short.
C. This packet should use a TCP header instead of a UDP header.
D. The Time to Live field indicates that this packet cannot cross another router.

Q-140. Which statement about ICMP is true?
A. ICMP traffic uses window scaling.
B. All ICMP packets are the same length.
C. Port filtering firewalls can block ICMP Echo Requests.
D. ICMP packets do not contain a UDP or TCP header.

Q-141. When a DNS response is truncated, the DNS client may generate another DNS query
using TCP as the transport method.
True
False

Q-142. Which communication uses UDP as the transport-layer protocol?
A. ARP
B. ICMP
C. DHCP
D. RARP

Q-143. Which step is required when you want to export the TCP Calculated Window Size
information shown in the packet above for analysis in a CSV format file?
A. Select File | Save As on any packet that contains data bytes.
B. Right click on the TCP Calculated Window Size field and export this field independently.
C. Add the TCP Calculated Window Size column to the Packet List pane before exporting.
D. Enable field exporting in Preferences | Protocols | TCP and save all packets.

Q-144. The UDP header length field value includes data link padding if it exists.
True
False

Q-145. Which function provides host name-to-IP address resolution services?
A. DNS
B. ICMP
C. DHCP
D. SNMP

Q-146. The broadcast address can be used in the IP source address field.
True
False

Q-147. Which DNS function is used to enable a target DNS server to ask another server for an
answer on behalf of the DNS client?
A. multicasting
B. proxy resolution
C. iterative queries
D. recursive bit setting

Q-148. The display filter syntax for UDP-based traffic is udp.
True
False

Q-149. TCP offers a connection-oriented transport service that begins with a two-way
handshake between devices.
True
False

Q-150. ICMP Destination Unreachable messages sent in response to an FTP connection attempt
indicate the FTP port is likely firewalled.
True
False

Q-151. Which feature is supported by IO Graphs?
A. trend lines
B. capture filtering
C. forecasting/predictions
D. copying to CSV format

Q-152. TCP packets contain sequence and acknowledgment information to ensure delivery and
enable recovery for lost packets.
True
False

Q-153. Which Wireshark feature is used to make the process of following
TCP Sequence/Acknowledgment numbers easier to interpret?
A. predicted sequence numbers
B. relative sequence numbering
C. compressed sequence numbers
D. sequence number interpretations

Q-154. Which statement about TCP sequence and acknowledgment numbering is correct?
A. The starting acknowledgment number should be set to 65,535.
B. The sequence number increments by 1 for each data packet transmitted.
C. Both sides of a TCP connection begin with the Initial Sequence Number value of 1.
D. The acknowledgment number indicates the sequence number expected from the TCP peer.

Q-155. Which statement about the DNS packet shown above is correct?
A. This is an inverse DNS query.
B. This is a DNS response packet.
C. This DNS packet indicates that a domain name could not be resolved.
D. This is a request to resolve the IP address 2.26.64.24.

Q-156. A router that supports proxy ARP may answer an ARP broadcast on behalf of a server
located on another network.
True
False

Q-157. The display filter tcp.flags.syn==1 && tcp.flags.ack==1 and the display
filter tcp.flags==0x12 would display the packet shown above.
True
False

Q-158. DNS transaction ID numbers associate DNS queries with DNS responses.
True
False

Q-159. Filter Expression buttons are saved in the dfilters file.
True
False

Q-160. Which statement about the packet shown above is correct?
A. The TCP Sequence Number value is invalid.
B. This is the first packet of a TCP handshake process.
C. The TCP header is too long to be processed properly.
D. The TCP stream index indicates that this is a failed TCP connection attempt.

Q-161. TCP peers maintain a TCP Retransmission Timeout (RTO) value to determine how
many times they should attempt a TCP retransmission before giving up.
True
False

Q-162. What is the purpose of a DNS CNAME?
A. defines an alias name
B. offers inverse DNS information
C. generates a common name as a DNS host name
D. indicates multiple IP addresses are contained in a DNS response

Q-163. Network congestion can be caused by interconnecting devices that support low link
speeds such as 10 Mbps.
True
False

Q-164. Which feature offers Assured Forwarding and Expedited Forwarding in IPv4
implementations?
A. Full-duplex routing
B. Differentiated Services
C. Type of Service/Precedence
D. Explicit Congestion Notification

Q-165. The TCP receive window defines available TCP buffer space.
True
False

Q-166. A TCP window size of 1,024 may interrupt the data transfer process.
True
False

Q-167. The BOOTP-DHCP Statistics window lists the DHCP message types seen in a live
capture or saved trace file.
True
False

Q-168. IP fragmentation problems can arise when ICMP Type 3, Code 2 packets are blocked
preventing a host from learning why its packets did not make it to a destination.
True
False

Q-169. Which statement about TCP Selective Acknowledgments is correct?
A. Selective Acknowledgment byte ranges are displayed in the TCP options area.
B. Selective Acknowledgment capability can be set up after the first packet is lost.
C. Selective Acknowledgments can be used if only one side of a TCP connection supports it.
D. Selective Acknowledgment can be used with UDP communications if a TCP connection
fails.

Q-170. Window scaling is established during the TCP handshake process to enable hosts to use
window sizes greater than 65,535.
True
False

Q-171. The TCP Time-Sequence Graph can depict window zero conditions.
True
False

Q-172. Which TCP setting must be enabled in order to use the tcp.analysis.flags
display filter?
A. Try Heuristic Subdissectors First
B. Analyze TCP Sequence Numbers
C. Allow Subdissector to Reassemble TCP Streams
D. Window Scaling and Relative Sequence Numbers

Q-173. A Window Update packet contains no data, but indicates that the sender's TCP window
size field value has decreased.
True
False

Q-174. Which statement about the DHCP renewal time is true?
A. The renewal time cannot be shorter than the lease time.
B. The renewal time is calculated as 75% of the Lease Time.
C. The renewal time value is provided by the DHCP client to the DHCP server.
D. The renewal time defines when the DHCP client must contact the DHCP server.

Q-175. IO Graphs support display filters.
True
False

Q-176. If you do not see anything plotted when you open a TCP Round Trip Time Graph, you
might be plotting a UDP conversation.
True
False

Q-177. Which statement about the IO Graph shown above is correct?
A. This IO Graph is being displayed during a live capture.
B. This IO Graph shows the bytes per second rate of an HTTP session.
C. This IO Graph indicates there is a 30-second drop in packet throughput.
D. This IO Graph shows the packets per second rate of TCP and UDP payload only.

Q-178. TCP Throughput Graphs are bi-directional and plot the results for the entire trace file.
True
False

Q-179. UDP headers have a static length.
True
False

Q-180. Which statement about the packet shown above is correct?
A. This packet is 1460 bytes in length.
B. This is the second packet of the TCP handshake process.
C. The Stream Index value indicates the TCP connection failed.
D. This packet contains an invalid Acknowledgement Number field value.

Q-181. Which statement about the packet shown above is correct?
A. This packet is being sent from an HTTP server.
B. This packet is establishing a Selective ACK connection.
C. Sequence Number 1787370 is the next expected sequence number from 61.8.0.17.
D. The sender has not received packets using Sequence Numbers 1835550-1847230 or
1829710-1834090.

Q-182. DHCP Releases are sent from a DHCP client to a DHCP server to relinquish a
network address.
True
False

Q-183. The capture filter syntax for TCP communications is tcp.
True
False

Q-184. Which Calc value is best suited to graph the IO rate using tcp.len?
A. SUM(*)
B. MIN(*)
C. LOAD(*)
D. MAX(*)

Q-185. The capture and display filter syntax for ARP requests and replies is arp.
True
False

Q-186. Advanced IO Graphs can be used to compare round trip latency times of various
applications.
True
False

Q-187. Which statement about this Advanced IO Graph setting shown above is true?
A. This graph would isolate UDP and ICMP performance problems.
B. This graph would help spot QoS problems between applications.
C. This graph will define the maximum RTT value for traffic on ports 21, 80 and 8080.
D. Graphs 2, 3 and 4 will show identical information if the same number of packets are seen in
the trace file.

Q-188. Both sides of a TCP connection must negotiate a common TCP window size value
during the handshake process.
True
False

Q-189. TCP Round Trip Time Graphs depict the maximum latency times flowing bi-
directionally in a conversation.
True
False

Q-190. Which filter would capture all DHCP traffic?
A. bootp
B. dhcp
C. udp port 67
D. tcp port == 68

Q-191. What value should be placed in the target hardware address field in an ARP request?
A. FF:FF:FF:FF:FF:FF
B. 01:FF:FF:FF:FF:FF
C. 00:00:00:00:00:00
D. the subnet multicast address

Q-192. The color of the Expert Infos button on the Status Bar indicates the highest level
classification of Expert Information detected in a live capture or saved trace file.
True
False

Q-193. Which protocol is used to locate the hardware address of a local target?
A. IP
B. ARP
C. DNS
D. DHCP

Q-194. Which statement about TCP is correct?
A. TCP supports sliding windows.
B. TCP has 20% less overhead than UDP.
C. TCP packets use a static header length.
D. TCP connections begin with a four-part handshake.

Q-195. The TCP Time-Sequence Graph can depict packet loss, duplicate ACKs and
retransmissions.
True
False

Q-196. The TCP Round Trip Time Graph shown above indicates the highest round trip latency
time seen in this trace file is 19 seconds.
True
False

Q-197. Which statement about the packet shown above is correct?
A. This packet is establishing window scaling between the two TCP hosts.
B. The Window Size field value indicates that no additional data can be received by
10.0.52.164.
C. Based on a MSS value of 1460, the sender has enough receive buffer space for two full-
sized TCP segments.
D. The Sequence Number field value is too low to allow additional data segments to be
received by 10.0.52.164.

Q-198. The default ports for DHCP communications are port 68 (server daemon) and port 67
(client process).
True
False

Q-199. A host that increases the TCP Acknowledgment Number field value in outbound TCP
packets is receiving data from a TCP peer.
True
False

Q-200. This Expert Infos Chats window shown above indicates that receiver congestion has
caused a network disconnection.
True
False

Q-201. Which Advanced IO Graph Calc function would be best for graphing the frequency of
tcp.analysis.duplicate_ack packets?
A. MIN(*)
B. SUM(*)
C. LOAD(*)
D. COUNT(*)

Q-202. The TCP handshake process is SYN, SYN/ACK, ACK.
True
False

Q-203. Which statement about the packet shown above is correct?
A. The IP address offered is invalid.
B. The DHCP client is using a DHCP Relay Agent.
C. The Subnet Mask value is incorrect for this DHCP client.
D. The DHCP client and DHCP server are on the same network.

Q-204. Which statement about the DHCP Discover process is correct?
A. DHCP Discover packets are sent after DHCP Request packets.
B. The DHCP Discover process runs every 10 seconds during the IP address lease time.
C. DHCP Discover packets are sent by DHCP servers to identify assigned IP addresses.
D. The DHCP Discover process is used to locate a DHCP server or a DHCP Relay Agent.

Q-205. The capture filter tcp.port 67 would capture all DHCP traffic seen by Wireshark.
True
False

Q-206. DNS query packets are dynamic length packets.
True
False

Go to the next page to view the Part 2 Answer Key, or download the Answer Sheet from
www.wiresharkbook.com/epg to fill out your answers on paper and grade them with the matching
Answer Key.
Part 2 Answer Key
A-101: B
A-102: True
A-103: False
A-104: False
A-105: True
A-106: C
A-107: True
A-108: D
A-109: B
A-110: False
A-111: True
A-112: A
A-113: True
A-114: C
A-115: True
A-116: True
A-117: A
A-118: A
A-119: True
A-120: False
A-121: A
A-122: True
A-123: B
A-124: D
A-125: False
A-126: True
A-127: C
A-128: True
A-129: False
A-130: False
A-131: B
A-132: False
A-133: C
A-134: C
A-135: C
A-136: True
A-137: False
A-138: C
A-139: A
A-140: D
A-141: True
A-142: C
A-143: C
A-144: False
A-145: A
A-146: False
A-147: D
A-148: True
A-149: False
A-150: True
A-151: D
A-152: True
A-153: B
A-154: D
A-155: A
A-156: True
A-157: False
A-158: True
A-159: False
A-160: B
A-161: False
A-162: A
A-163: True
A-164: B
A-165: True
A-166: True
A-167: True
A-168: False
A-169: A
A-170: True
A-171: True
A-172: B
A-173: False
A-174: D
A-175: True
A-176: False
A-177: C
A-178: False
A-179: True
A-180: B
A-181: C
A-182: True
A-183: True
A-184: A
A-185: True
A-186: True
A-187: B
A-188: False
A-189: False
A-190: C
A-191: C
A-192: True
A-193: B
A-194: A
A-195: True
A-196: False
A-197: C
A-198: False
A-199: True
A-200: False
A-201: D
A-202: True
A-203: D
A-204: D
A-205: False
A-206: True
Part 2 Answer Explanations
The chapter line beneath each explanation indicates the related chapter in Wireshark Network
Analysis: The Official Wireshark Certified Network Analyst Study Guide (Second Edition)
A-101 Details: B
The purpose of the gratuitous ARP process is to identify duplicate IP addresses on the network. This
process must run before a host uses an IP address regardless of whether the address was statically or
dynamically assigned. Gratuitous ARP does not run periodically for connectivity tests, use
multicasting or inform routers of local MAC addresses.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-102 Details: True
IP routers apply a new MAC header onto packets before forwarding them onto the next network. As
packets are routed through a network, routers strip off the data link header (including the MAC
address) of incoming packets, examine the destination IP address, decrement the Time to Live value
by 1 and apply a new MAC header on the packet before forwarding it.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-103 Details: False
The TCP backoff algorithm is not used to determine the number of retransmission attempts before
giving up on a TCP connection. The TCP backoff algorithm is used to exponentially increase the wait
time between retransmissions.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-104 Details: False
The ARP packet shown is a request to identify the MAC address of 10.64.0.1, not 10.64.0.164 as
shown in the Target IP address field. 10.64.0.164 is the address of the host performing the lookup.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-105 Details: True
TCP peers increment their sequence numbers by 1 during the handshake process even though no data
is contained in the SYN or SYN/ACK packets. This is often referred to as the phantom byte in the
handshake process. When Relative Sequence and Window Scaling is enabled in Wireshark's TCP
preferences, every SYN packet has sequence number 0, every SYN/ACK has sequence number
0/acknowledgment number 1 and every ACK finishing the 3-way TCP handshake has sequence
number 1/acknowledgment number 1.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-106 Details: C
Retransmitted packets always use the same sequence number as the original lost packet. The receiver
identifies the retransmitted missing packet by that sequence number. Three identical ACKs trigger a
retransmission. TCP hosts use a retransmission timeout counter to define how many retransmissions
to send before terminating the connection. Packet loss recovery can be started by either the TCP
receiver (who notices a missing sequence number) or the TCP sender (who notices a missing ACK).

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-107 Details: True
A high number of duplicate ACKs seen before a TCP retransmission may be a sign of a high latency
path. Duplicate ACKs will continue to be sent until the missing packet is retransmitted.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-108 Details: D
The COUNT(*) Advanced IO Graph Calc function would be best for graphing the frequency of
tcp.analysis.retransmission packets as this is a packet condition. This graph will count
up the number of packets tagged as retransmissions and plot them. You might consider adding
tcp.analysis.fast_retransmission as they are both signs of packet loss.

Chapter 21: Graph IO Rates and TCP Trends


A-109 Details: B
ARP packets cannot be routed because they do not have an IP header. Not all ARP packets are
broadcasts (ARP responses are unicast) and ARP packets do not have a Time to Live field (they do
not have an IP header at all). ARP packets should all be minimum size packets.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-110 Details: False
The UDP header checksum calculation is not required for all UDP-based communications. You may
see UDP packets with a UDP header checksum of 0x0000 which indicates that the receiver should not
try to calculate a UDP header checksum as it is not used. TCP header checksums are not optional,
however.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


A-111 Details: True
The IO Graph shown compares all traffic to packets that trigger Wireshark's TCP analysis flags
(tcp.analysis.flags). All packets are shown by a graph line (Graph 1) while TCP analysis
flags are shown in an FBar format (Graph 2).

Chapter 21: Graph IO Rates and TCP Trends


A-112 Details: A
A SYN, RST/ACK pattern would be seen during a failed TCP connection attempt. None of the other
packet patterns would match a failed TCP connection attempt.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


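The phantom byte described in A-105 and the SYN, RST/ACK failure pattern in A-112 can be worked through by converting absolute sequence numbers into the relative numbers Wireshark displays. This is an added example, not code from the study guide; the hosts, ports and initial sequence numbers are constructed, and the client ISN is placed just below 2^32 so the arithmetic also shows sequence number wraparound.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF   # TCP sequence space wraps at 2**32


@dataclass
class Segment:
    src: str        # "ip:port" of the sender
    dst: str
    flags: str      # TCP flag names joined by "/", e.g. "SYN/ACK"
    seq: int        # absolute Sequence Number as seen on the wire
    ack: int        # absolute Acknowledgment Number (0 when the ACK bit is clear)
    payload: int    # TCP payload length in bytes

    def has(self, flag: str) -> bool:
        return flag in self.flags.split("/")


def expected_ack(seg: Segment) -> int:
    """Sequence number the peer should acknowledge next. SYN and FIN each consume one
    sequence number even though they carry no data: the so-called phantom byte."""
    consumed = seg.payload + int(seg.has("SYN")) + int(seg.has("FIN"))
    return (seg.seq + consumed) & MASK32


def relative_numbers(segments: List[Segment]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Mimic Wireshark's Relative Sequence Numbers preference: the ISN carried in each
    direction's SYN becomes 0 and ACK values are shown relative to the peer's ISN.
    Returns (flags, relative seq, relative ack) per segment; None where no ISN is known."""
    isn = {}   # (src, dst) -> initial sequence number seen in that direction's SYN
    result = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.has("SYN") and fwd not in isn:
            isn[fwd] = s.seq
        rel_seq = (s.seq - isn[fwd]) & MASK32 if fwd in isn else None
        rel_ack = (s.ack - isn[rev]) & MASK32 if s.has("ACK") and rev in isn else None
        result.append((s.flags, rel_seq, rel_ack))
    return result


def classify_handshake(segments: List[Segment]) -> str:
    """'complete' for SYN, SYN/ACK, ACK; 'refused' for a SYN answered with RST/ACK;
    'incomplete' for anything else (for example a SYN that was never answered)."""
    flags = [s.flags for s in segments[:3]]
    if flags == ["SYN", "SYN/ACK", "ACK"]:
        return "complete"
    if flags[:2] == ["SYN", "RST/ACK"]:
        return "refused"
    return "incomplete"


# Constructed sample streams (hypothetical hosts, not taken from a real trace file).
C, S = "10.0.0.5:50000", "10.0.0.80:80"
C_ISN, S_ISN = 0xFFFFFFF0, 0x2A3B4C5D
HANDSHAKE = [
    Segment(C, S, "SYN", C_ISN, 0, 0),
    Segment(S, C, "SYN/ACK", S_ISN, (C_ISN + 1) & MASK32, 0),
    Segment(C, S, "ACK", (C_ISN + 1) & MASK32, (S_ISN + 1) & MASK32, 0),
    Segment(C, S, "PSH/ACK", (C_ISN + 1) & MASK32, (S_ISN + 1) & MASK32, 100),
    Segment(S, C, "ACK", (S_ISN + 1) & MASK32, (C_ISN + 101) & MASK32, 0),
]
REFUSED = [
    Segment(C, S, "SYN", C_ISN, 0, 0),
    Segment(S, C, "RST/ACK", 0, (C_ISN + 1) & MASK32, 0),
]

if __name__ == "__main__":
    for flags, rseq, rack in relative_numbers(HANDSHAKE):
        print(f"{flags:8} seq={rseq} ack={rack}")
    print("handshake:", classify_handshake(HANDSHAKE), "/", classify_handshake(REFUSED))
```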
A-113 Details: True
If a DHCP client's renewal and rebinding process fails, the DHCP client must release its IP address
and send a DHCP Discover broadcast to locate a DHCP server or Relay Agent. If the client's
Discovery process fails, it cannot use DHCP to get an IP address.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


A-114 Details: C
If you are connected to a switch port that is not spanned, you might see ARP queries, but not ARP
responses in a trace. ARP queries are typically sent to the broadcast address and forwarded out all
switch ports, even with spanning and mirroring disabled. ARP responses, on the other hand, are sent
to unicast addresses. The pcap-ng format does not affect what is captured, only how trace files are
created. ARP traffic is not UDP-based, so UDP capture filters have no effect on the traffic. Updating
the list of packets in real time will not affect what you capture.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-115 Details: True
You can enable Wireshark's duplicate IP address detection mechanism in the ARP/RARP preferences
configuration. In addition, you can set up ARP storm detection in this preferences area.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-116 Details: True
IP provides the fragmentation and reassembly for low MTU (Maximum Transmission Unit) network
paths. Packets are not reassembled until they reach the target host.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-117 Details: A
The packet shown cannot cross a router because the Time to Live field value is 1. Routers cannot
decrement this value to 0 and forward the packet on. A router may respond to the sender with an
ICMP Time Exceeded in Transit message. The Protocol field indicates ICMP will follow the IP
header and the Fragment offset of 0 indicates that this cannot be the last fragment of a set. The
identification field is valid as far as we can tell.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-118 Details: A
Wireshark uses the term Fast Retransmission to define TCP retransmissions that occur within 20
ms of a Duplicate ACK. Standard Retransmissions occur after at least 20 ms have passed from a
Duplicate ACK.

Chapter 13: Use Wireshark's Expert System


A-119 Details: True
The purpose of the TCP SYN bit is to synchronize the Initial Sequence Number value of the sender.
The receiver notes the value and will continue to track the incoming Sequence Numbers to note when
packets are lost.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-120 Details: False
ARP request packets and ARP reply packets use the same format. Only the source/target fields and
the opcode field change value.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


A-121 Details: A
The target IP address is examined by a router in order to make routing decisions before forwarding an
IP packet. The source MAC address is not used for routing decisions. The destination MAC address
of the incoming packet is the IP router's MAC address. The router does not perform name resolution
before routing packets.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-122 Details: True
If an ICMP Destination Unreachable/Port Unreachable (Type 3/Code 3) is in response to a DHCP
Request packet, the DHCP server daemon may not be running on the target. DHCP is a UDP-based
service; UDP service refusals use ICMP Type 3/Code 3 packets.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-123 Details: B
A UDP header will follow this IP header in the packet shown. The Protocol field contains the value
17, which indicates that a UDP header comes next. The entire packet is longer than 328 bytes (the IP
header and valid data are 328 bytes long, but there must be a data link header on the packet as well).
The Fragment Offset field value of 0 indicates that this cannot be the second part of an IP fragment
set. The Time to Live value is not the minimum TTL value allowed (which would be 1).

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-124 Details: D
65,535 is the maximum value that can be defined in the TCP Window Size field. This limitation
(caused by a fixed two byte field length) drove the development of window scaling.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


A-125 Details: False
The ICMP packet shown in the image is an ICMP ping packet; it will not update the routing tables of
the target. An ICMP redirect packet would update the routing tables of a target and include a gateway
IP address.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-126 Details: True
When packet loss and delays are not incurred, the TCP Time-Sequence Graph plot points run from the
lower left corner to the upper right corner in a diagonal line of I-bars. Packet loss appears as gaps in
the I-bars and delays may appear as flat lines in the graph.

Chapter 21: Graph IO Rates and TCP Trends


A-127 Details: C
Relay Agents forward messages between DHCP clients and DHCP servers. Since DHCP Discover
packets are sent to the broadcast address, they will not be routed. Local DHCP relay agents act as a
proxy for the DHCP clients to ensure DHCP requests can reach the DHCP server. DHCP Request
packets are not sent to the IP multicast address; they are sent to the broadcast address. DHCP
servers typically do not ping DHCP clients after assigning IP addresses. Three identical DHCP
Discover packets do not trigger a duplicate DHCP ACK.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


A-128 Details: True
TCP/IP will not generate DNS host name queries if a host defines a specific target IP address. There
is no need to resolve a name to an IP address if the IP address is already available. For example,
when a user enters http://10.2.4.2 as the URL in a browser window, TCP/IP does not need to
perform DNS resolution since it already has the IP address.

Chapter 15: Analyze Domain Name System (DNS) Traffic


A-129 Details: False
The IPv4 Total Length field includes the IP header and valid data; the data link padding is not
included in this value.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-130 Details: False
The display filter tcp.analysis.flags shows many packets that have triggered Wireshark's
Expert Infos notifications. For example, retransmissions, fast retransmissions, duplicate ACKs,
window update and window zero packets all match the tcp.analysis.flags display filter. The
Analyze TCP Sequence Numbers preference must be enabled to use this feature.

Chapter 13: Use Wireshark's Expert System


A-131 Details: B
The packet shown in the image was sent from a DHCP/BOOTP client on port 68 to the
DHCP/BOOTPS server port on port 67. The packet should not be routed (the target is the broadcast
address). DHCP traffic is often sent to the broadcast address, not the DHCP IP server address. This
is not a packet to determine if an IP address is already in use.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


A-132 Details: False
ICMP redirects are used to provide another gateway (router) to use, not to indicate a service is
unavailable. ICMP Destination Unreachable/Port Unreachable packets are used to indicate a service
is not available.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-133 Details: C
All ICMP Destination Unreachable messages contain two IP headers. One IP header is the routing
header that gets the packet through the network and the other IP header is the restatement of the IP
header in the packet that triggered the ICMP response. In the image shown, an IGMP packet triggered
the ICMP Destination Unreachable response. The IGMP packet, not the ICMP packet, was sent from
10.0.0.99.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-134 Details: C
The TCP Expert information is contained in the packet-tcp.c file. This file is available at
www.wireshark.org (Develop | Browse the Code | trunk | epan | dissectors | packet-tcp.c).

Chapter 13: Use Wireshark's Expert System


A-135 Details: C
A Network Address Translation (NAT) device can alter IP header addressing. Layer 2 switches
simply forward packets based on the MAC layer addressing. A firewall using Access Control Lists
(ACLs) can only block or forward packets based on the contents of the IP header, MAC header
and/or transport header values. Routers using Differentiated Services (DiffServ) prioritize traffic
based on the DiffServ field value.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


A-136 Details: True
The syntax for ICMP capture filters is icmp. This is also the syntax used for display filters.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-137 Details: False
The packet shown in the image is a DNS standard query packet used to resolve an IP host name
(www.msnbc.com) to an IP address. The Type field indicates that this DNS query is resolving an A
record, not a PTR record (used by an inverse query).

Chapter 15: Analyze Domain Name System (DNS) Traffic


A-138 Details: C
UDP is the transport layer protocol used for multicast traffic. TCP is never sent to the multicast
address. ARP and ICMP are not transport protocols.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


A-139 Details: A
The UDP header shown is 8 bytes long; in fact, all UDP headers are exactly 8 bytes long. The UDP
checksum field is the correct length, 2 bytes. The DNS packet does not need to use a TCP header
instead of a UDP header, and the IP TTL field indicates the packet can cross numerous additional
routers.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


A-140 Details: D
ICMP Echo Request packets do not contain a UDP or TCP header. This is why port filtering firewalls
cannot block ICMP traffic. ICMP packets are variable length (compare a Ping packet to an ICMP
Redirect packet).

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


A-141 Details: True
When a DNS response is truncated, the DNS client may generate another DNS query using TCP as the
transport method. This is due to a traditional limitation on DNS-over-UDP packet lengths.

Chapter 15: Analyze Domain Name System (DNS) Traffic


A-142 Details: C
DHCP uses UDP as the transport-layer protocol whereas each other protocol listed (ARP, ICMP and
RARP) does not use UDP at all.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


A-143 Details: C
You must add the Calculated Window Size column to the Packet List pane before exporting the
advertised window size information for analysis in a CSV format file. Any column you add to the
Packet List pane can be exported using File | Export Packet Dissections.

Chapter 12: Annotate, Save, Export and Print Packets


A-144 Details: False
The UDP header is a static 8 bytes long, always. Therefore, there is no need for a UDP header length
field. TCP headers, on the other hand, are variable length and include a header length field.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic
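The fixed 8-byte UDP header discussed in A-139 and A-144 is easy to dissect by hand. The following is an added example (not code from the book or from Wireshark) that builds and parses a UDP datagram with the Python standard library and verifies the RFC 768 pseudo-header checksum the way Wireshark does when UDP checksum validation is enabled. The addresses and the DNS query payload are constructed sample data.

```python
import struct

def ip_to_bytes(ip):
    """Dotted-quad IPv4 string to 4 packed bytes."""
    return bytes(int(octet) for octet in ip.split("."))

def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP family checksums (RFC 1071)."""
    if len(data) % 2:
        data = data + b"\x00"                      # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                             # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip, dst_ip, datagram):
    """RFC 768 checksum over pseudo-header + UDP header + payload, checksum field zeroed."""
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 17, len(datagram))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    # A computed value of 0 is transmitted as 0xFFFF, because 0 on the wire means "no checksum".
    return csum if csum else 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """8-byte header (Source Port, Destination Port, Length, Checksum) followed by the payload.
    The Length field counts the header AND the payload; there is no separate header-length field."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

def parse_udp(src_ip, dst_ip, datagram):
    """Dissect a UDP datagram and validate its checksum. Raises ValueError on malformed input."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP Length field %d inconsistent with %d captured bytes" % (length, len(datagram)))
    if csum == 0:
        checksum_ok = None                         # sender chose not to checksum (allowed over IPv4)
    else:
        checksum_ok = udp_checksum(src_ip, dst_ip, datagram[:length]) == csum
    return {"sport": sport, "dport": dport, "length": length, "header_len": 8,
            "payload": datagram[8:length], "checksum_ok": checksum_ok}

# Constructed sample: a DNS A query for www.example.com (transaction ID 0x1234, RD bit set),
# sent between two TEST-NET-1 addresses.
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.53"

if __name__ == "__main__":
    dgram = build_udp(SRC_IP, DST_IP, 49152, 53, SAMPLE_DNS_QUERY)
    print(parse_udp(SRC_IP, DST_IP, dgram))
```

Note that a Length field larger than the captured bytes is rejected rather than trusted; a dissector that reads past the buffer on that field is a classic crash bug, and Wireshark flags the same inconsistency as a malformed packet.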


Return to Q-144
Continue to Question Q-145
A-145 Details: A
DNS provides host name-to-IP address resolution services. DNS can provide other resolution
information as well. SNMP, ICMP and DHCP do not provide name resolution services.

Chapter 15: Analyze Domain Name System (DNS) Traffic


Return to Q-145
Continue to Question Q-146
A-146 Details: False
The broadcast address can never be used in the IP source address field. Any packet that has the
broadcast address in the IP source address field should be inspected further.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


Return to Q-146
Continue to Question Q-147
A-147 Details: D
The Recursion Desired (RD) bit in a DNS query indicates that the DNS client will allow the target
DNS server to ask other servers for an answer on behalf of the client. If the RD bit is not set, the
query is iterative: the server answers from its own data or refers the client to another server.

Chapter 15: Analyze Domain Name System (DNS) Traffic


Return to Q-147
Continue to Question Q-148
A-148 Details: True
The display filter syntax for UDP-based traffic is udp. This just happens to be the same syntax used
for capture filters.

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


Return to Q-148
Continue to Question Q-149
A-149 Details: False
TCP offers a connection-oriented transport service that begins with a three-way not a two-way
handshake between devices. The three-way handshake is SYN, SYN/ACK, ACK.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-149
Continue to Question Q-150
A-150 Details: True
ICMP Destination Unreachable messages sent in response to an FTP connection attempt indicate that
the FTP port is likely firewalled. In fact, an ICMP response to any TCP connection attempt is a strong
indication of a firewalled port. Normally, a TCP RST should be sent if a port is closed or a
SYN/ACK is sent if the port is open.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic


Return to Q-150
Continue to Question Q-151
A-151 Details: D
Copying to CSV format is a feature supported by IO Graphs (click the Copy button). The individual
plot points are exported, but no X or Y axis labels are exported. If you have added Graph lines,
additional plot points are exported for these graph lines. IO Graphs do not support trend lines,
capture filtering or forecasting/predictions.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-151
Continue to Question Q-152
A-152 Details: True
TCP packets contain sequence and acknowledgment information to provide reliable delivery and
enable recovery from lost packets. Each side of a TCP connection keeps track of the sequence
numbers received from its TCP peer.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-152
Continue to Question Q-153
A-153 Details: B
Relative sequence numbering is a Wireshark feature that is used to make the process of following
TCP Sequence/Acknowledgment numbers easier to interpret. Rather than work with 4-byte numbers
(such as 49868270), relative sequence numbers begin with 0 and increment based on the amount of
data transferred.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-153
Continue to Question Q-154
A-154 Details: D
The Acknowledgment Number indicates the next Sequence Number expected from the TCP peer. In
the first packet of the handshake (SYN) the Acknowledgment Number field is 0 because the ACK flag
is not yet set. The Sequence Number increments by the number of data bytes in each packet
transmitted (SYN and FIN each consume one sequence number as well). With relative sequence
numbering, Wireshark shows both sides of a TCP connection starting at an Initial Sequence Number of
0. Otherwise the Initial Sequence Number shown is the actual 4-byte value sent by the TCP host.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-154
Continue to Question Q-155
A-155 Details: A
The DNS packet shown in the image is an inverse DNS query sent from a client as defined in the
query type field (PTR). The IP address being resolved to a name is 24.64.26.2 (read the address
backwards).

Chapter 15: Analyze Domain Name System (DNS) Traffic


Return to Q-155
Continue to Question Q-156
A-156 Details: True
A router that supports proxy ARP may answer an ARP broadcast on behalf of a server located on
another network. A proxy ARP router may also answer on behalf of clients located on another
network. Proxy ARP is easy to detect by capturing the packets. A client will ARP for a host that is
remote. A local router will respond with its own MAC address and the remote host's IP address.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


Return to Q-156
Continue to Question Q-157
A-157 Details: False
The display filter tcp.flags.syn==1 && tcp.flags.ack==1 and the display filter
tcp.flags==0x12 would not display the packet shown in the image. Both of these display filters
would only show packets that have BOTH the SYN and ACK bits set. The packet shown only has the
SYN bit set.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-157
Continue to Question Q-158
A-158 Details: True
DNS transaction ID numbers are used to associate DNS queries with DNS responses.

Chapter 15: Analyze Domain Name System (DNS) Traffic


Return to Q-158
Continue to Question Q-159
A-159 Details: False
The Filter Expression button settings are saved in the current profile's preferences file.

Chapter 12: Annotate, Save, Export and Print Packets


Return to Q-159
Continue to Question Q-160
A-160 Details: B
The packet shown is the first packet of a TCP handshake process, which has only the TCP SYN
bit set to 1. The TCP Sequence Number value is set to 0 because relative sequence numbering is
enabled. The TCP header is an acceptable length for a TCP SYN packet: 24 bytes (including
options). The TCP stream index will not identify a failed connection attempt.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-160
Continue to Question Q-161
A-161 Details: False
TCP peers maintain a TCP Retransmission Timeout (RTO) value to determine how long to wait
before retransmitting a packet, not to determine how many times they should attempt a TCP
retransmission before giving up.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-161
Continue to Question Q-162
A-162 Details: A
A DNS CNAME defines an alias name. For example, if you perform a DNS query for
video.google.com, the response will contain a CNAME value of video.l.google.com along with the
IP address (or addresses) associated with that name.

Chapter 15: Analyze Domain Name System (DNS) Traffic
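Several of the DNS answers above (A-141 on truncation and the TCP retry, A-147 on the RD bit, A-155 on the reversed PTR name, A-158 on transaction IDs, A-162 on CNAME answers) describe fields that are easy to see in a hand-built message. The following is an added example (not code from the book) that builds a query, parses a response including compressed names, and pairs the two the way a resolver does. The names, addresses and TTLs are constructed sample data; build_response is a helper for the example, not a real server.

```python
import struct

QTYPES = {"A": 1, "CNAME": 5, "PTR": 12}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

def reverse_name(ip):
    """PTR query name for an IPv4 address: octets reversed, under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def encode_name(name):
    """Length-prefixed labels terminated by a zero byte; names are variable length."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid, rd=True):
    """12-byte header plus one question. RD (0x0100) asks the server to recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def decode_name(msg, off):
    """Decode a possibly compressed name. Returns (name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")   # malformed or hostile message
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_message(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
           "rd": bool(flags & 0x0100), "rcode": flags & 0x0F, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                    # QTYPE + QCLASS
        out["questions"].append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (5, 12):                      # CNAME and PTR carry a (possibly compressed) name
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        out["answers"].append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return out

def match_response(query, response):
    """Pair a response with its query as a resolver (and Wireshark) does: transaction ID + question."""
    q, r = parse_message(query), parse_message(response)
    if not r["qr"] or r["txid"] != q["txid"] or r["questions"] != q["questions"]:
        return None                                 # unsolicited or mismatched (a spoofed reply lands here)
    if r["tc"]:
        r["retry_over_tcp"] = True                  # truncated: resend the same question over TCP port 53
    return r

def build_response(query, records, tc=False):
    """Constructed reply: echoes the question, then RRs. An owner of None is a pointer (0xC00C)
    back to the question name; records are (owner, type, ttl, rdata bytes)."""
    txid, flags = struct.unpack("!HH", query[:4])
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | (0x0200 if tc else 0)   # QR, RD echoed, RA, TC
    body = query[12:]
    for owner, rtype, ttl, rdata in records:
        body += (b"\xc0\x0c" if owner is None else encode_name(owner))
        body += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, rflags, 1, len(records), 0, 0) + body

if __name__ == "__main__":
    q = build_query("video.google.com", "A", 0x1234)
    r = build_response(q, [(None, 5, 300, encode_name("video.l.google.com")),
                           ("video.l.google.com", 1, 60, bytes([203, 0, 113, 5]))])
    print(match_response(q, r))
    print(build_query(reverse_name("24.64.26.2"), "PTR", 0x4242))
```

The pointer-hop limit in decode_name is the check a practitioner wants: a response with a pointer that refers to itself would otherwise loop forever, and the transaction-ID-plus-question match in match_response is the same rule that makes a forged response with the wrong ID fall on the floor.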


Return to Q-162
Continue to Question Q-163
A-163 Details: True
Network congestion can be caused by interconnecting devices that support low link speeds such as 10
Mbps. As more high-bandwidth applications begin to strain an internetwork, low link speed segments
can affect congestion as packets are either dropped or queued up at bordering routers.

Chapter 14: TCP/IP Analysis Overview


Return to Q-163
Continue to Question Q-164
A-164 Details: B
Differentiated Services (DiffServ) offers Assured Forwarding and Expedited Forwarding in IPv4
implementations. By default, Wireshark dissects the IP header bits to interpret DiffServ values. You
can alter the IPv4 protocol preferences (not the TCP preferences) to display the field as Type of
Service/Precedence, if desired.

Chapter 17: Analyze Internet Protocol (IPv4) Traffic


Return to Q-164
Continue to Question Q-165
A-165 Details: True
The TCP Window Size field advertises the available receive buffer space of the host that sends the
packet. If that buffer space shrinks to a value too low to accept a full TCP segment, or reaches zero,
the sender of the packet is indicating that it cannot receive any more data. Wireshark denotes an
increase in the advertised window size as a Window Update packet.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-165
Continue to Question Q-166
A-166 Details: True
A TCP window size of 1,024 may interrupt the data transfer process if the other side of a TCP
connection has more data than 1,024 bytes buffered to send.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-166
Continue to Question Q-167
A-167 Details: True
The BOOTP-DHCP Statistics window lists the DHCP message types seen in a live capture or saved
trace file. These DHCP message types include Discover, Offer, Request, Acknowledgment, Decline
and Release, etc.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-167
Continue to Question Q-168
A-168 Details: False
IP fragmentation problems can arise when ICMP Type 3, Code 4 (not Code 2) packets are blocked,
preventing a host from learning why its packets did not make it to a destination. ICMP Type 3, Code 4
packets are Destination Unreachable/Fragmentation Needed and Don't Fragment Bit Set messages
whereas ICMP Type 3, Code 2 packets are Destination Unreachable/Protocol Unreachable messages.

Chapter 18: Analyze Internet Control Message Protocol (ICMP) Traffic
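The ICMP answers above (A-140 on ICMP having no transport header, A-150 on ICMP replies to connection attempts, A-168 on Type 3 Code 4) all rely on one detail: a Destination Unreachable message quotes the IP header and first 8 bytes of the datagram that provoked it, which is enough to recover the original ports. The following is an added example (not code from the book) that builds such errors, extracts the quoted datagram, reads the next-hop MTU from a Fragmentation Needed message, and uses Port Unreachable versus the administratively-prohibited codes to classify a UDP scan. Addresses and ports are constructed sample data.

```python
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set",
                 9: "net administratively prohibited", 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}
FILTERED_CODES = {1, 2, 9, 10, 13}      # a UDP probe answered with these is "filtered", not "closed"

def checksum(data):
    """RFC 1071 one's complement checksum; returns 0 when run over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return 0xFFFF ^ s

def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def b2ip(b):
    return ".".join(str(x) for x in b)

def ipv4_udp_probe(src, dst, sport, dport, payload_len=0, df=False):
    """Constructed IPv4 header + UDP header of a probe; the payload bytes are not needed here."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000 if df else 0,
                     64, 17, 0, ip2b(src), ip2b(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def icmp_unreachable(code, original, mtu=0):
    """Type 3 error as a router or host emits it: type, code, checksum, 4-byte rest-of-header
    (next-hop MTU for code 4), then the original IP header plus 8 bytes (RFC 792 / RFC 1191)."""
    rest = struct.pack("!HH", 0, mtu) if code == 4 else b"\x00\x00\x00\x00"
    ihl = (original[0] & 0x0F) * 4
    msg = struct.pack("!BBH", 3, code, 0) + rest + original[:ihl + 8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def parse_icmp_error(icmp):
    """Return what a Destination Unreachable says about the ORIGINAL datagram, or None for other types."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("short or corrupt ICMP message")
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header missing")
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("quoted datagram shorter than IP header + 8 bytes")
    proto, src, dst = inner[9], b2ip(inner[12:16]), b2ip(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # ports sit in those first 8 bytes
    return {"code": code, "reason": UNREACH_CODES.get(code, "code %d" % code),
            "mtu": struct.unpack("!H", icmp[6:8])[0] if code == 4 else None,
            "orig_src": src, "orig_dst": dst, "orig_proto": proto,
            "orig_sport": sport, "orig_dport": dport}

def classify_udp_scan(probes, icmp_replies):
    """probes: (src, dst, sport, dport) tuples we sent. Map each target port to an nmap-style state."""
    state = {dport: "open|filtered" for (_s, _d, _sp, dport) in probes}
    sent = set(probes)
    for reply in icmp_replies:
        err = parse_icmp_error(reply)
        if err is None:
            continue
        key = (err["orig_src"], err["orig_dst"], err["orig_sport"], err["orig_dport"])
        if err["orig_proto"] != 17 or key not in sent:
            continue                        # quotes a datagram we never sent: ignore it
        if err["code"] == 3:
            state[key[3]] = "closed"
        elif err["code"] in FILTERED_CODES:
            state[key[3]] = "filtered"
    return state

if __name__ == "__main__":
    scanner, target = "192.0.2.10", "192.0.2.20"
    probes = [(scanner, target, 40000, p) for p in (53, 161, 500)]
    replies = [icmp_unreachable(3, ipv4_udp_probe(scanner, target, 40000, 161)),
               icmp_unreachable(13, ipv4_udp_probe(scanner, target, 40000, 500))]
    print(classify_udp_scan(probes, replies))
```

Matching the quoted datagram back to a probe we actually sent is the step that matters for forensics: an ICMP error that quotes ports or addresses you never used is either backscatter from someone spoofing your address or a deliberately crafted message, and it should not update any port state.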


Return to Q-168
Continue to Question Q-169
A-169 Details: A
Selective Acknowledgment byte ranges are displayed in the TCP options area using a Left Edge/Right
Edge format to define the bytes that have been received. Selective Acknowledgment capability will
be established during the TCP handshake if both sides of a TCP connection support the feature.
Selective Acknowledgments can only be used with TCP communications.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-169
Continue to Question Q-170
A-170 Details: True
Window scaling is established during the TCP handshake process to enable hosts to use window
sizes greater than 65,535 bytes. If one side of a TCP connection does not support window scaling, then
neither side can use this feature.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-170
Continue to Question Q-171
A-171 Details: True
The TCP Time-Sequence Graph can depict window zero conditions as a sudden flat line in an active
transfer process. This graph can also depict packet loss, duplicate ACKs and retransmissions.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-171
Continue to Question Q-172
A-172 Details: B
The Analyze TCP Sequence Numbers preference setting must be enabled in order to use the
tcp.analysis.flags display filter. Packets that would match this filter include TCP
retransmissions, fast retransmissions, duplicate ACKs, window updates and out-of-order packets.

Chapter 13: Use Wireshark's Expert System


Return to Q-172
Continue to Question Q-173
A-173 Details: False
A Window Update packet contains no data, but indicates that the sender's TCP window size field
value has increased not decreased. Interestingly, Wireshark does not have an expert notification for
decreasing receive window sizes.

Chapter 13: Use Wireshark's Expert System


Return to Q-173
Continue to Question Q-174
A-174 Details: D
The DHCP renewal time defines when the DHCP client must contact the DHCP server. This time is
typically 50% of the DHCP lease time. The client can calculate the DHCP renewal time based on the
lease time or a DHCP server can provide an explicit renewal time value.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-174
Continue to Question Q-175
A-175 Details: True
Basic and Advanced IO Graphs support display filters and expressions. In addition, you can click on
the Display button to examine and apply saved display filters to one of the five graph sections.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-175
Continue to Question Q-176
A-176 Details: False
You cannot create a TCP Round Trip Time Graph after clicking on a UDP packet; it is, after all, a TCP
Round Trip Time Graph, not a UDP Round Trip Time Graph.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-176
Continue to Question Q-177
A-177 Details: C
The IO Graph shown indicates there is a 30-second drop in packet throughput that begins around 5
seconds into the trace file and continues until approximately 35 seconds into the trace file (which is
listed in the title bar). The IO Graph shown is set to display the packets per second rate of all traffic
including headers and payload.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-177
Continue to Question Q-178
A-178 Details: False
TCP Throughput Graphs are uni-directional and plot the results for the entire trace file. If your TCP
Throughput Graph is blank, consider selecting a packet that contains data before launching the graph
again.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-178
Continue to Question Q-179
A-179 Details: True
UDP headers have a static length; they are always exactly 8 bytes long. TCP headers, however, are
variable length (hence the need for the TCP header length field).

Chapter 19: Analyze User Datagram Protocol (UDP) Traffic


Return to Q-179
Continue to Question Q-180
A-180 Details: B
The image shown is the second packet of the TCP handshake process. This is evident by the TCP
Flags setting of 0x12 (SYN/ACK). TCP handshake packets carry no data, so they are minimum-sized
frames apart from their TCP options. The packet shown has valid Stream Index and Acknowledgment
Number field values.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic
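The flag and option questions above (A-157 on tcp.flags==0x12 versus the per-bit filters, A-160 and A-180 on SYN and SYN/ACK header lengths, A-169 on SACK Left Edge/Right Edge blocks, A-170 on window scaling) all come down to reading the 20-byte fixed header, the Data Offset field and the option list. The following is an added example (not code from the book) that builds and dissects TCP segments with the Python standard library and reproduces the two filter semantics. The ports, window sizes and option values are constructed sample data.

```python
import struct

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}
FIN, SYN, RST, ACK, ECE = 0x01, 0x02, 0x04, 0x10, 0x40

def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Build a TCP segment. Data Offset counts 32-bit words, so options are padded to a multiple of 4."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)      # End-of-Option-List padding
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)   # checksum left 0 in this example
    return header + options + payload

def parse_options(raw):
    """Walk the option list as (kind, length, value) triples; NOP and EOL carry no length byte."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # EOL: the rest is padding
            break
        if kind == 1:                                # NOP: one-byte alignment filler
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)   # a classic dissector crash site
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts["wscale"] = body[0]                 # shift count: real window = Window Size << wscale
        elif kind == 4:
            opts["sack_permitted"] = True            # only meaningful in SYN and SYN/ACK
        elif kind == 5:                              # SACK blocks: Left Edge / Right Edge pairs
            opts["sack"] = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body) - 7, 8)]
        i += length
    return opts

def parse_tcp(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad Data Offset: %d bytes" % header_len)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "flag_names": [n for n, b in FLAG_BITS.items() if flags & b],
            "window": window, "header_len": header_len,
            "options": parse_options(segment[20:header_len]), "payload": segment[header_len:]}

def matches_flags_exact(seg, value):
    """Semantics of the display filter tcp.flags==<value>: the whole field must match, no extra bits."""
    return seg["flags"] == value

def syn_and_ack_set(seg):
    """Semantics of tcp.flags.syn==1 && tcp.flags.ack==1: other bits (such as ECE) are ignored."""
    return seg["flags"] & (SYN | ACK) == (SYN | ACK)

def handshake_step(seg):
    """Name the handshake packet a segment could be. A pure ACK later in the stream looks exactly
    like packet 3, so only its position in the stream settles that case."""
    f = seg["flags"]
    if f & (SYN | ACK) == SYN:
        return "SYN"
    if syn_and_ack_set(seg):
        return "SYN/ACK"
    if f & (SYN | ACK | FIN | RST) == ACK and not seg["payload"]:
        return "ACK"
    return None

# Constructed samples: a client SYN (MSS 1460, NOP, window scale 7, SACK permitted) and a
# server SYN/ACK that also sets ECE, as happens when ECN is negotiated (RFC 3168).
SYN_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07" + b"\x04\x02"
CLIENT_SYN = build_tcp(49152, 80, 0, 0, SYN, 8192, SYN_OPTIONS)
SERVER_SYNACK_ECN = build_tcp(80, 49152, 0, 1, SYN | ACK | ECE, 65535, SYN_OPTIONS)

if __name__ == "__main__":
    for seg in (CLIENT_SYN, SERVER_SYNACK_ECN):
        p = parse_tcp(seg)
        print(handshake_step(p), p["flag_names"], p["header_len"], p["options"])
```

The SYN/ACK with ECE set is the caveat behind A-157: it matches tcp.flags.syn==1 && tcp.flags.ack==1 but not tcp.flags==0x12, so a coloring rule written with the exact-value form silently misses handshakes on ECN-enabled hosts.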


Return to Q-180
Continue to Question Q-181
A-181 Details: C
In the packet shown, sequence number 1787370 is the next expected Sequence Number as defined in
the Acknowledgment Number field. This packet cannot be used to establish SACK as that is only
done in SYN and SYN/ACK packets. The packet is being sent to port 80 (likely an HTTP server) and
it is not part of the handshake process to establish a Selective ACK.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-181
Continue to Question Q-182
A-182 Details: True
DHCP Releases are sent from a DHCP client to a DHCP server to relinquish their network address.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-182
Continue to Question Q-183
A-183 Details: True
The capture filter syntax for TCP communications is tcp. This coincidentally is also the display
filter syntax.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-183
Continue to Question Q-184
A-184 Details: A
The SUM(*) Calc value is best suited to graphing the IO rate using tcp.len. This calc value adds
up and plots the total number of TCP payload bytes (excluding the TCP header) for the time period
defined by the X axis setting. MIN(*) and MAX(*) would only plot the minimum or maximum value
seen comparing all packets during the time period. LOAD(*) is best suited for graphing time values.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-184
Continue to Question Q-185
A-185 Details: True
The capture and display filter syntax for ARP requests and replies is arp. Although capture and
display filters use different formats, there are a few instances where both filter types use the same
syntax.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


Return to Q-185
Continue to Question Q-186
A-186 Details: True
Advanced IO Graphs can be used to compare round trip latency times of various applications. Setting
the graphs to compare traffic to/from different ports and defining the Calc AVG(*) as
tcp.analysis.ack_rtt provides this information.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-186
Continue to Question Q-187
A-187 Details: B
The graph shown would help spot QoS problems between applications by comparing the average (not
the maximum) TCP ACK roundtrip time for traffic to and from ports 21, 80 and 8080. The graph is
not focused on UDP or ICMP traffic. The number of packets shown in graphs 2, 3 and 4 are based on
the results of the filter, not on the total number of packets in the trace file.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-187
Continue to Question Q-188
A-188 Details: False
Both sides of a TCP connection state their individual TCP window size values during the handshake
process. There is no negotiation of a common TCP receive window size value.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-188
Continue to Question Q-189
A-189 Details: False
TCP Round Trip Time Graphs plot the round trip (ACK) latency of data flowing in a single direction
in a conversation, so the highest plotted point is the maximum latency seen in that direction. If you
see a blank RTT Graph, select a packet going in the opposite direction (one that carries data) and
launch the graph again.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-189
Continue to Question Q-190
A-190 Details: C
The filter udp port 67 would capture all DHCP traffic. The dhcp filter and bootp filters are
invalid as capture filters. The tcp port==68 filter would not work because DHCP runs over UDP
and the syntax is incorrect.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-190
Continue to Question Q-191
A-191 Details: C
The value 00:00:00:00:00:00 should be placed in the target hardware address field in an ARP
request; the field is essentially filled with null because that information is not known.

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic
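A-156 and A-191 describe what a normal ARP request and a proxy ARP reply look like on the wire, and A-193 the role of ARP. The following is an added example (not code from the book) that dissects 28-byte Ethernet/IPv4 ARP bodies and walks a capture in order to flag the three things a baseline should not contain: a reply for an address nobody asked about, an address that changes MAC, and a MAC that answers for addresses outside the local subnet. The MAC addresses, IP addresses and the subnet are constructed sample data.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def _mac(b):
    return ":".join("%02x" % x for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def _mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """28-byte Ethernet/IPv4 ARP body: htype 1, ptype 0x0800, hlen 6, plen 4, opcode, addresses."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa))

def parse_arp(body):
    if len(body) < 28:
        raise ValueError("truncated ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": _mac(body[8:14]), "spa": _ip(body[14:18]),
            "tha": _mac(body[18:24]), "tpa": _ip(body[24:28])}

def audit_arp(bodies, local_net):
    """Walk ARP bodies in capture order. Returns the learned IP->MAC table and (packet no, finding) pairs."""
    net = ipaddress.ip_network(local_net)
    table, pending, findings = {}, set(), []
    for n, body in enumerate(bodies, 1):
        a = parse_arp(body)
        if a["op"] == ARP_REQUEST:
            if a["tha"] != ZERO_MAC:
                findings.append((n, "request carries non-zero target MAC %s" % a["tha"]))
            pending.add(a["tpa"])                   # someone is waiting for an answer about tpa
        elif a["op"] == ARP_REPLY:
            if a["spa"] not in pending:
                findings.append((n, "unsolicited reply for %s" % a["spa"]))
            pending.discard(a["spa"])
            old = table.get(a["spa"])
            if old and old != a["sha"]:
                findings.append((n, "%s moved from %s to %s (possible ARP poisoning)"
                                 % (a["spa"], old, a["sha"])))
            table[a["spa"]] = a["sha"]
            if ipaddress.ip_address(a["spa"]) not in net:
                findings.append((n, "%s answered for off-subnet %s (proxy ARP)" % (a["sha"], a["spa"])))
    return table, findings

# Constructed capture: a normal lookup of the gateway, a proxy ARP answer by the router for a
# remote host, then an unsolicited reply from a third MAC claiming the gateway address.
ROUTER, HOST_A, ATTACKER = "00:11:22:33:44:fe", "00:11:22:33:44:01", "de:ad:be:ef:00:01"
SAMPLE_ARP = [
    build_arp(ARP_REQUEST, HOST_A, "192.168.1.10", ZERO_MAC, "192.168.1.1"),
    build_arp(ARP_REPLY, ROUTER, "192.168.1.1", HOST_A, "192.168.1.10"),
    build_arp(ARP_REQUEST, HOST_A, "192.168.1.10", ZERO_MAC, "10.0.0.5"),
    build_arp(ARP_REPLY, ROUTER, "10.0.0.5", HOST_A, "192.168.1.10"),
    build_arp(ARP_REPLY, ATTACKER, "192.168.1.1", HOST_A, "192.168.1.10"),
]

if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP, "192.168.1.0/24")[1]:
        print(finding)
```

Proxy ARP and poisoning look alike at the packet level (one MAC answering for an address it does not own); the difference is whether the address is off-subnet and the reply was solicited, which is why the audit tracks outstanding requests instead of only the address table.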


Return to Q-191
Continue to Question Q-192
A-192 Details: True
The color of the Expert Infos button on the Status Bar indicates the highest level classification of
Expert Information detected in a live capture or saved trace file. For example a red Expert Infos
button indicates the highest level of classification detected is an Error whereas a cyan Expert Infos
button indicates the highest level of classification detected is a Note.

Chapter 13: Use Wireshark's Expert System


Return to Q-192
Continue to Question Q-193
A-193 Details: B
ARP is used to locate the hardware address of a local target. IP is used to route a packet through the
network. DNS is used for name resolution. DHCP is used for dynamic configuration (most commonly
for IP address assignment).

Chapter 16: Analyze Address Resolution Protocol (ARP) Traffic


Return to Q-193
Continue to Question Q-194
A-194 Details: A
TCP supports sliding windows, a mechanism for in-order data transmission that allows for throughput
adjustment based on received acknowledgments. TCP has more overhead than UDP with a three-way
handshake process, dynamic-length, larger header and acknowledgment requirements.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-194
Continue to Question Q-195
A-195 Details: True
The TCP Time-Sequence Graph can depict packet loss, duplicate ACKs and retransmissions. Packet
loss appears as a missing I-bar, duplicate ACKs appear as hanging notches and retransmissions
appear as I-bars that are out of time-sequence order.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-195
Continue to Question Q-196
A-196 Details: False
The TCP Round Trip Time Graph shown indicates the highest round trip latency time is
approximately .19 seconds or 190 milliseconds, not 19 seconds. The Y axis label indicates that the
time is measured in seconds ([s]) and the top plot point appears around the .19 mark.

Chapter 21: Graph IO Rates and TCP Trends


Return to Q-196
Continue to Question Q-197
A-197 Details: C
In the image shown, based on a MSS value of 1460, the sender has enough receive buffer space
(2,920) for two full-sized TCP segments (1,460 x 2 = 2,920). The packet is not used to establish
window scaling between the two TCP hosts (this is not one of the first two packets of the TCP
handshake) and the Sequence Number field value does not define the number of data segments that a
host can receive (that is not the purpose of the Window Size field).

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-197
Continue to Question Q-198
A-198 Details: False
The default ports for DHCP communications are port 67 (server daemon) and port 68 (client
process).

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-198
Continue to Question Q-199
A-199 Details: True
A host that increases the TCP Acknowledgment Number field value in outbound TCP packets is
receiving data from a TCP peer. As data is received by a TCP host, it will continually increase the
TCP Acknowledgment Number field value in outbound packets to indicate the next Sequence Number
expected from its TCP peer.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-199
Continue to Question Q-200
A-200 Details: False
The Expert Infos Chats window shown indicates that a TCP host is increasing its Window Size field
value, not that receiver congestion has caused a network disconnection. A Window Zero Warning
would indicate a problem with receiver congestion.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic
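The sequence-number answers above (A-153 and A-154 on relative numbering, A-172 on tcp.analysis.flags, A-173 and A-200 on Window Update versus Window Zero, A-199 on the Acknowledgment Number advancing) describe checks that can be reproduced from a list of segments. The following is an added example (not code from the book, and a much reduced version of what Wireshark's TCP analysis does) that computes relative sequence and acknowledgment numbers per direction and flags retransmissions, duplicate ACKs, zero windows and window updates. The conversation it runs on is constructed sample data with absolute sequence numbers.

```python
SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10

class TcpStreamAnalyzer:
    """A cut-down tcp.analysis for one conversation: relative sequence numbers plus retransmission,
    duplicate ACK, zero window and window update checks. Sequence-number wraparound is ignored."""

    def __init__(self):
        self.side = {}

    def _state(self, who):
        return self.side.setdefault(who, {"isn": None, "next_seq": None,
                                          "last_ack": None, "last_win": None, "dup_acks": 0})

    def analyze(self, pkt):
        me, peer = self._state(pkt["src"]), self._state(pkt["dst"])
        flags, notes = pkt["flags"], []
        seglen = pkt["length"] + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)
        if me["isn"] is None:                                  # first segment seen from this side
            me["isn"] = me["next_seq"] = pkt["seq"]
        rel_seq = pkt["seq"] - me["isn"]
        rel_ack = pkt["ack"] - peer["isn"] if (flags & ACK and peer["isn"] is not None) else None
        if seglen:
            if pkt["seq"] + seglen <= me["next_seq"]:
                notes.append("retransmission")                 # every byte was already covered
            elif pkt["seq"] > me["next_seq"]:
                notes.append("previous segment not captured")  # a gap: loss upstream of the capture
            me["next_seq"] = max(me["next_seq"], pkt["seq"] + seglen)
        elif flags & ACK and not flags & (SYN | FIN | RST) and me["last_ack"] is not None:
            if pkt["ack"] == me["last_ack"] and pkt["win"] == me["last_win"]:
                me["dup_acks"] += 1
                notes.append("duplicate ACK #%d" % me["dup_acks"])
            elif pkt["ack"] == me["last_ack"] and pkt["win"] > me["last_win"]:
                notes.append("window update")                  # no data, same ACK, larger window
        if pkt["win"] == 0 and not flags & RST:
            notes.append("zero window")
        if flags & ACK:
            if pkt["ack"] != me["last_ack"]:
                me["dup_acks"] = 0
            me["last_ack"], me["last_win"] = pkt["ack"], pkt["win"]
        return {"rel_seq": rel_seq, "rel_ack": rel_ack,
                "next_seq_rel": me["next_seq"] - me["isn"], "notes": notes}

def analyze_stream(packets):
    analyzer = TcpStreamAnalyzer()
    return [analyzer.analyze(p) for p in packets]

def pkt(src, dst, seq, ack, flags, win, length=0):
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags, "win": win, "length": length}

# Constructed conversation, C = client and S = server, absolute sequence numbers.
SAMPLE_STREAM = [
    pkt("C", "S", 1000, 0, SYN, 8192),                 # 1  handshake
    pkt("S", "C", 5000, 1001, SYN | ACK, 65535),       # 2
    pkt("C", "S", 1001, 5001, ACK, 8192),              # 3
    pkt("C", "S", 1001, 5001, ACK, 8192, 100),         # 4  100 data bytes, relative seq 1
    pkt("S", "C", 5001, 1101, ACK, 65535),             # 5  server acknowledges them
    pkt("C", "S", 1101, 5001, ACK, 8192, 100),         # 6  next 100 bytes, relative seq 101
    pkt("C", "S", 1101, 5001, ACK, 8192, 100),         # 7  same bytes again: retransmission
    pkt("S", "C", 5001, 1201, ACK, 65535),             # 8
    pkt("S", "C", 5001, 1201, ACK, 65535),             # 9  identical ACK: duplicate ACK
    pkt("S", "C", 5001, 1201, ACK, 0),                 # 10 receiver full: zero window
    pkt("S", "C", 5001, 1201, ACK, 65535),             # 11 buffer freed: window update
]

if __name__ == "__main__":
    for n, r in enumerate(analyze_stream(SAMPLE_STREAM), 1):
        print(n, r)
```

Relative numbering is purely a display convenience, as A-153 says: the analyzer keeps the real Initial Sequence Number per side and subtracts it on output, and the analysis checks themselves work on the absolute values.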


Return to Q-200
Continue to Question Q-201
A-201 Details: D
The Advanced IO Graph Calc function COUNT(*) would be best for graphing the frequency of
tcp.analysis.duplicate_ack packets as this function counts the number of times this
characteristic is seen.

Chapter 13: Use Wiresharks Expert System
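A-184, A-186 and A-201 together explain how the Advanced IO Graph Calc functions behave: SUM(*) of tcp.len gives payload bytes per interval, AVG(*) of tcp.analysis.ack_rtt gives latency, and COUNT(*) of an analysis flag gives how often it occurred. The following is an added example (not code from the book) that emulates that bucketing on a list of packets described as dictionaries of Wireshark field names, and adds the flat-line detection behind A-177. The packets, timestamps and field values are constructed sample data.

```python
from collections import defaultdict

CALCS = {"SUM": sum, "COUNT": len, "MAX": max, "MIN": min, "AVG": lambda v: sum(v) / len(v)}

def io_graph(packets, field, calc, tick=1.0):
    """Emulate one Advanced IO Graph line: bucket packets by tick, then apply Calc to the field.
    Packets that lack the field are skipped (a non-duplicate ACK has no tcp.analysis.duplicate_ack),
    which is why COUNT(*) of an analysis flag counts occurrences, and why AVG is over the packets
    that carry the field rather than over every packet in the tick. Empty ticks plot as 0."""
    buckets, last = defaultdict(list), 0
    for p in packets:
        b = int(p["time"] // tick)
        last = max(last, b)
        if p.get(field) is not None:
            buckets[b].append(p[field])
    return [CALCS[calc](buckets[b]) if buckets[b] else 0 for b in range(last + 1)]

def find_gaps(series, min_ticks):
    """Return (first_tick, last_tick) runs of zero-valued ticks at least min_ticks long: the
    flat line a throughput drop leaves in an IO Graph."""
    gaps, start = [], None
    for i, v in enumerate(series + [None]):        # sentinel closes a trailing run
        if v == 0 and start is None:
            start = i
        elif v != 0 and start is not None:
            if i - start >= min_ticks:
                gaps.append((start, i - 1))
            start = None
    return gaps

# Constructed packets: two data segments, three duplicate ACKs, a 4-second stall, then recovery.
SAMPLE_PACKETS = [
    {"time": 0.1, "tcp.len": 1460, "tcp.analysis.ack_rtt": 0.020},
    {"time": 0.4, "tcp.len": 1460},
    {"time": 0.9, "tcp.len": 0, "tcp.analysis.duplicate_ack": True, "tcp.analysis.ack_rtt": 0.040},
    {"time": 1.2, "tcp.len": 0, "tcp.analysis.duplicate_ack": True},
    {"time": 1.5, "tcp.len": 0, "tcp.analysis.duplicate_ack": True, "tcp.analysis.ack_rtt": 0.180},
    {"time": 5.3, "tcp.len": 1460, "tcp.analysis.ack_rtt": 0.030},
]

if __name__ == "__main__":
    throughput = io_graph(SAMPLE_PACKETS, "tcp.len", "SUM")
    print("SUM(tcp.len) per second:", throughput)
    print("COUNT(duplicate_ack):", io_graph(SAMPLE_PACKETS, "tcp.analysis.duplicate_ack", "COUNT"))
    print("AVG(ack_rtt):", io_graph(SAMPLE_PACKETS, "tcp.analysis.ack_rtt", "AVG"))
    print("stalls of 3s or more:", find_gaps(throughput, 3))
```

Picking the Calc is the whole point: SUM of tcp.analysis.ack_rtt is meaningless, MAX hides the typical case that A-187 cares about, and COUNT of tcp.len would count segments rather than bytes.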


Return to Q-201
Continue to Question Q-202
A-202 Details: True
The three-way TCP handshake process is SYN, SYN/ACK, ACK.

Chapter 20: Analyze Transmission Control Protocol (TCP) Traffic


Return to Q-202
Continue to Question Q-203
A-203 Details: D
The packet shown indicates that the DHCP client and DHCP server are on the same network
network 192.168.0. The packet contains the client IP address, the DHCP server IP address (DHCP
Server Identifier) and the subnet mask (255.255.255.0). The IP address offered appears valid and the
client is not using a DHCP Relay Agent (no Relay Agent IP Address field value defined).

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-203
Continue to Question Q-204
A-204 Details: D
The DHCP Discover process is used to locate a DHCP server or a DHCP Relay Agent. DHCP
Discover packets are broadcast; they should not be forwarded by routers. Local DHCP Relay
Agents act as a proxy, unicasting the client's DHCP messages to a DHCP server on another network.
In the initial lease process (Discover, Offer, Request, Acknowledgment) the Discover is always sent
before the Request; a client renewing an existing lease sends a Request without a preceding Discover.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-204
Continue to Question Q-205
A-205 Details: False
The capture filter tcp.port 67 would not capture all DHCP traffic seen by Wireshark because
this is not a valid capture filter and DHCP runs over UDP.

Chapter 22: Analyze Dynamic Host Configuration Protocol (DHCP) Traffic


Return to Q-205
Continue to Question Q-206
A-206 Details: True
DNS query packets are dynamic length packets allowing for variable-length host names to be
included in the packets.

Chapter 15: Analyze Domain Name System (DNS) Traffic


Return to Q-206
Continue to Question Q-207
Part 3: Practice Question Set 207-304
This practice question set covers sections 23-33 of the Wireshark Certified Network Analyst Exam
topic list.
Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Section 24: Analyze File Transfer Protocol (FTP) Traffic
Section 25: Analyze Email Traffic
Section 26: Introduction to 802.11 (WLAN) Analysis
Section 27: Voice over IP (VoIP) Analysis Fundamentals
Section 28: Baseline Normal Traffic Patterns
Section 29: Find the Top Causes of Performance Problems
Section 30: Network Forensics Overview
Section 31: Detect Scanning and Discovery Processes
Section 32: Analyze Suspect Traffic
Section 33: Effective Use of Command-Line Tools
Key Area: The icon marks key topics to study in preparation for the Exam.
Section 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of HTTP
Analyze Normal HTTP Communications
Analyze HTTP Problems
Dissect HTTP Packet Structures
Filter on HTTP or HTTPS Traffic
Export HTTP Objects
Display HTTP Statistics
Graph HTTP Traffic Flows
Set HTTP Preferences
Analyze HTTPS Communications
Analyze SSL/TLS Handshake
Analyze TLS Encrypted Alerts
Decrypt HTTPS Traffic
Export SSL Keys
Section 24: Analyze File Transfer Protocol (FTP) Traffic
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of FTP
Analyze Normal FTP Communications
Analyze Passive Mode Connections
Analyze Active Mode Connections
Analyze FTP Problems
Dissect the FTP Packet Structure
Filter on FTP Traffic
Reassemble FTP Traffic
Section 25: Analyze Email Traffic
Wireshark Certified Network Analyst Exam Objectives:
Analyze Normal POP Communications
Analyze POP Problems
Dissect the POP Packet Structure
Filter on POP Traffic
Analyze Normal SMTP Communication
Analyze SMTP Problems
Dissect the SMTP Packet Structure
Filter on SMTP Traffic
Section 26: Introduction to 802.11 (WLAN) Analysis
Wireshark Certified Network Analyst Exam Objectives:
Analyze Signal Strength and Interference
Capture WLAN Traffic
Compare Monitor Mode and Promiscuous Mode
Set up WLAN Decryption
Prepend a Radiotap or PPI Header
Compare Signal Strength and Signal-to-Noise Ratios
Describe 802.11 Traffic Basics
Analyze Normal 802.11 Communications
Dissect Basic 802.11 Frame Elements
Filter on WLAN Traffic
Analyze Frame Control Types and Subtypes
Customize Wireshark for WLAN Analysis
Section 27: Voice over IP (VoIP) Analysis Fundamentals
Wireshark Certified Network Analyst Exam Objectives:
Define VoIP Traffic Flows
Analyze Session Bandwidth and RTP Port Definition
Analyze VoIP Problems
Examine SIP Traffic
Examine RTP Traffic
Play Back VoIP Conversations
Decipher RTP Player Marker Definitions
Create a VoIP Profile
Filter on VoIP Traffic
Section 28: Baseline Normal Traffic Patterns
Wireshark Certified Network Analyst Exam Objectives:
Define the Importance of Baselining
Baseline Broadcast and Multicast Types and Rates
Baseline Protocols and Applications
Baseline Boot up Sequences
Baseline Login/Logout Sequences
Baseline Traffic during Idle Time
Baseline Application Launch Sequences and Key Tasks
Baseline Web Browsing Sessions
Baseline Name Resolution Sessions
Baseline Throughput Tests
Baseline Wireless Connectivity
Baseline VoIP Communications
Section 29: Find the Top Causes of Performance Problems
Wireshark Certified Network Analyst Exam Objectives:
Troubleshoot Performance Problems
Identify High Latency Times
Point to Slow Processing Times
Find the Location of Packet Loss
Watch Signs of Misconfigurations
Analyze Traffic Redirections
Watch for Small Payload Sizes
Look for Congestion
Identify Application Faults
Note Any Name Resolution Faults
Section 30: Network Forensics Overview
Wireshark Certified Network Analyst Exam Objectives:
Compare Host to Network Forensics
Gather Evidence
Avoid Detection
Handle Evidence Properly
Recognize Unusual Traffic Patterns
Color Unusual Traffic Patterns
Section 31: Detect Scanning and Discovery Processes
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of Discovery and Reconnaissance
Detect ARP Scans (aka ARP Sweeps)
Detect ICMP Ping Sweeps
Detect Various Types of TCP Port Scans
Detect UDP Port Scans
Detect IP Protocol Scans
Define Idle Scans
Know Your ICMP Types and Codes
Analyze Traceroute Path Discovery
Detect Dynamic Router Discovery
Define Application Mapping Processes
Use Wireshark for Passive OS Fingerprinting
Detect Active OS Fingerprinting
Identify Spoofed Addresses and Scans
Section 32: Analyze Suspect Traffic
Wireshark Certified Network Analyst Exam Objectives:
Identify Vulnerabilities in the TCP/IP Resolution Processes
Find Maliciously Malformed Packets
Identify Invalid or Dark Destination Addresses
Differentiate between Flooding or Standard Denial of Service Traffic
Find Clear Text Passwords and Data
Identify Phone Home Behavior
Catch Unusual Protocols and Applications
Locate Route Redirection Using ICMP
Catch ARP Poisoning
Catch IP Fragmentation and Overwriting
Spot TCP Splicing
Watch Other Unusual TCP Traffic
Identify Password Cracking Attempts
Build Filters and Coloring Rules from IDS Rules
Section 33: Effective Use of Command-Line Tools
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of Command-Line Tools
Use Wireshark.exe (Command-Line Launch)
Capture Traffic with Tshark
List Trace File Details with Capinfos
Edit Trace Files with Editcap
Merge Trace Files with Mergecap
Convert Text with Text2pcap
Capture Traffic with Dumpcap
Define Rawshark
Q-207. Baselines of basic VoIP traffic patterns should include analysis of the call setup process.
True
False

Jump to the answer


Go to the next question*

*This is a good choice if you are using the Answer Sheet available from
www.wiresharkbook.com/epg.
Q-208. In monitor mode, an 802.11 adapter only captures packets of the first SSID seen by the
adapter.
True
False

Jump to the answer


Go to the next question*

Q-209. In order to capture all WLAN management and control traffic, your Wireshark system
adapter must support promiscuous mode. Monitor mode is not required.
True
False

Jump to the answer


Go to the next question*

Q-210. Wireshark can only decrypt WPA and WPA2 traffic with the proper RSA decryption
keys.
True
False

Jump to the answer


Go to the next question*

Q-211. If no response is received when a TCP FIN scan is performed, the target port is likely
either open or filtered.
True
False

Jump to the answer


Go to the next question*

Q-212. FTP data is only transferred over port 21.
True
False

Jump to the answer


Go to the next question*

Q-213. You can create custom columns based on the individual fields contained in a WLAN
Radiotap or PPI header.
True
False

Jump to the answer


Go to the next question*

Q-214. There are three modes of FTP data transfer - passive mode, active mode and proxy
mode.
True
False

Jump to the answer


Go to the next question*

Q-215. ARP ping can be used to discover all remote devices even if those devices are running
local firewalls.
True
False

Jump to the answer


Go to the next question*

Q-216. Which type of WLAN frame is a Disassociation Request frame?
A. Data
B. Control
C. Connection
D. Management

Jump to the answer


Go to the next question*

Q-217. TCP full scans appear as TCP three-way handshakes.
True
False

Jump to the answer


Go to the next question*

Q-218. The display filter retries==1 can be used to view WLAN retransmission packets.
True
False

Jump to the answer


Go to the next question*

Q-219. Which statement about the FTP packet shown above is correct?
A. This packet was sent from an FTP server.
B. The sender will open port 52904 for an FTP data connection.
C. The window size value indicates only files smaller than 7,970 bytes can be sent.
D. The packet is a request for the FTP server to open port 52904 for a new TCP connection.

Jump to the answer


Go to the next question*

Q-220. Which statement about the packet shown above is correct?
A. This is a WLAN retransmission packet.
B. The packet is too short for a wireless network.
C. The PPI header was applied by the receiver.
D. The sender has not associated with an access point yet.

Q-221. Baselining is the process of creating trace files of normal communications on the
network.
True
False

Q-222. Which statement about the WLAN packet shown above is correct?
A. This is an 802.11 retransmission.
B. This is a WLAN Management frame.
C. This is the second fragment in a fragment set.
D. This packet will occur every 1,000 ms by default.

Q-223. The display filter syntax for all FTP command and data channel traffic is
tcp.port==21.
True
False

Q-224. In an active mode FTP data transfer, the client provides its IP address and listening port
number to the FTP server.
True
False

Q-225. During a UDP scan, which response indicates that the service is not available on the
target?
A. any response with the RST bit set
B. any response with the SYN bit set
C. ICMP Destination Unreachable/Port Unreachable
D. ICMP Destination Unreachable/Protocol Unreachable

Q-226. The capture filter syntax for POP traffic is tcp port 110.
True
False

Q-227. HTTP packets are static length packets.
True
False

Q-228. Session Initiation Protocol (SIP) is a protocol that can be used to set up a VoIP call.
True
False

Q-229. Which statement about the traffic shown above is correct?
A. This is a TCP port scan.
B. The SYN packets are sent from multiple source port numbers.
C. The responses to the SYN packets should only have the RST bit set.
D. A TCP connection has been established to the sybaseanywhere port.

Q-230. Try to decode RTP outside of conversations should be set if Wireshark cannot identify
the RTP traffic in a trace file.
True
False

Q-231. You are working with a VoIP trace file that depicts packet loss due to jitter issues.
Lowering Wireshark's jitter buffer value from 100 ms to 25 ms before playback will cause more
packets to be dropped during the playback.
True
False

Q-232. You can apply a display filter to a Flow Graph.
True
False

Q-233. Baselines should be created as soon as the network appears to have throughput
problems.
True
False

Q-234. Excessive RF noise can cause connectivity problems on WLANs.
True
False

Q-235. You cannot load Wireshark on a host and capture that same host's bootup baseline
information.
True
False

Q-236. Which WLAN frames are used by stations to discover an access point that does not
broadcast an SSID?
A. beacons
B. probe requests
C. reassociation requests
D. authentication requests

Q-237. To decrypt SSL communications, you must configure the SSL preferences to recognize
the traffic that you want to decrypt and point to a directory that contains your RSA key.
True
False

Q-238. Which statement about the HTTP packet shown above is correct?
A. This packet was sent from an HTTP server.
B. This packet contains an invalid HTTP URI.
C. The packet is sending a cookie to an HTTP client.
D. This packet is from an HTTP client that is browsing webcast.aph.gov.au.

Q-239. You can use display filters with saved files and Tshark.
True
False

Q-240. Watching the traffic flow to and from a host when no one is using the host can identify
unattended background traffic.
True
False

Q-241. Baselines of WLAN environments should include analysis of RF noise rates.
True
False

Q-242. One of the easiest ways to identify delays in a trace file is to set the Time column to
Seconds Since Beginning of Capture.
True
False

Q-243. Which statement about packet timestamps is correct?
A. Packet timestamps are provided by WinPcap, libpcap, or AirPcap.
B. Packet timestamps for pcap files can denote time to the nanosecond level.
C. You can use Editcap to alter packet timestamps of separate packets in a trace file.
D. Sorting on the packet timestamp column alters the packet numbers in the trace file.

Q-244. The frame.time_relative == 0 display filter shows packets marked with a Time
Reference as well as the first packet in the trace file.
True
False

Q-245. In a UDP-based application, the retransmission timeout value is defined by the IP
timeout setting.
True
False

Q-246. WLAN stations can either wait for a beacon frame from the access point or the stations
can send an association request to discover the access point.
True
False

Q-247. ICMP redirection packets may be an indication that a path is not optimal.
True
False

Q-248. Which network problem may cause throttling of possible throughput maximums?
A. congestion along a network path
B. an overloaded TCP connection table
C. minimal packet sizes
D. receive window size set at 65,535

Q-249. Baselines of broadcast and multicast traffic can help identify new hosts on the network
in a passive discovery manner.
True
False

Q-250. When you are analyzing network performance related to slow responses, the Time
column can help spot delays between requests and replies.
True
False

Q-251. The packet shown above did not receive a response. Which issue could cause such a
condition?
A. The TCP port at the target is closed.
B. There is packet loss along the path.
C. The target has a window zero condition.
D. Selective Acknowledgment is not enabled.

Q-252. Network forensics and host forensics provide the same type of evidence of breaches.
True
False

Q-253. Analysis of hard drive contents is not part of the network forensics process.
True
False

Q-254. Your web server runs the HTTP daemon on port 92. How can you configure Wireshark
to permanently dissect this traffic as HTTP?
A. Add port 92 in the HTTP Preferences area.
B. Create a User Specified Decode for port 92 traffic.
C. Select Decode As and replace port 80 with port 92.
D. Change the name listed for port 92 in Wireshark's services file.

Q-255. Network forensic evidence may be gathered for either proactive or reactive analysis.
True
False

Q-256. RTP provides transport functions for real-time data such as audio over multicast or
unicast network services.
True
False

Q-257. Wireshark may transmit data on the network if you have enabled network name
resolution and/or launch a GeoIP map from the endpoints window.
True
False

Q-258. The traffic pattern of a TCP scan is difficult to identify.
True
False

Q-259. Coloring rules can be created to spot traffic of various scanning and malicious tools.
True
False

Q-260. Capturing your traffic when you run discovery or testing tools can help you identify the
signatures of those tools.
True
False

Q-261. Which command-line tool can be used to create file sets out of a single trace file?
A. tcpdump
B. Capinfos
C. Editcap
D. Mergecap

Q-262. Which network condition can cause excessive jitter on a VoIP network?
A. SIP errors
B. packet retransmissions
C. TCP Window Scaling usage
D. Quality of Service configurations

Q-263. You can use Follow TCP Stream after selecting an HTTPS packet, but the data traffic
will be encrypted unless an RSA key is set.
True
False

Q-264. An FTP passive mode connection may not work if a server firewall blocks incoming
connections on the passive mode port number.
True
False

Q-265. You can use ARP to scan the local network for active hosts.
True
False

Q-266. Which VoIP element can be used to carry the call setup commands?
A. Session Initiation Protocol (SIP)
B. Realtime Transport Protocol (RTP)
C. Transmission Control Protocol (TCP)
D. Realtime Transport Control Protocol (RTCP)

Q-267. Null scans use illegal TCP flag settings.
True
False

Q-268. UDP scans can be used to perform quick connectivity tests.
True
False

Q-269. An unusually high number of TCP SYNs and RSTs without any transfer of data is a
possible indication that a TCP scan is underway.
True
False

Q-270. What is the approximate interval of WLAN beacon frames?
A. 1 ms
B. 100 ms
C. 1,000 ms
D. 100,000 ms

Q-271. Which statement about the packet shown above is correct?
A. This packet contains 946 bytes of VoIP call data.
B. The RTP communication will use UDP port 5060.
C. This SDP information is contained in a SIP packet.
D. This packet will not be processed because the Owner/Creator information is required.

Q-272. Which statement about the packet shown above is correct?
A. This is a TCP retransmission.
B. The packet contains email data.
C. The sender supports Enhanced SMTP.
D. This packet is sent from the "accelenet" application.

Q-273. Throughput baselining may require the use of a data transmission tool to generate
traffic.
True
False

Q-274. TCP ACK scans are not used to identify open ports.
True
False

Q-275. What type of TCP scan would this filter display?
(tcp.flags.urg==1) && (tcp.flags.push==1) && (tcp.flags.fin==1)
A. IP scan
B. Xmas scan
C. stealth scan
D. half-connect scan

Q-276. What may be the purpose of the traffic shown in the image above?
A. scan to identify active hosts on a network
B. scan to determine open UDP ports on a target
C. scan to discover IP-based protocols on a target
D. scan to determine if a host is active on the network

Q-277. Creating a baseline of normal protocols and applications on the network can help you
identify breached hosts based on unusual traffic patterns.
True
False

Q-278. Suspect traffic may simply be caused by poorly performing applications.
True
False

Q-279. TCP/IP port resolution relies on the integrity of the local host's services file (used by the
TCP/IP stack) and the application that is requesting to use a specific port number.
True
False

Q-280. If a malicious user program has altered the content of Wireshark's services file, the OUI
name resolution process may be affected.
True
False

Q-281. If desired, you can force Wireshark to temporarily dissect traffic to and from port 2600
as FTP traffic using the Decode As function.
True
False

Q-282. You can enable key discovery in Wireshark's WLAN Preferences to dynamically
discover WLAN decryption keys.
True
False

Q-283. Which statement about HTTP analysis is correct?
A. You should export HTTP objects to find TCP transport errors.
B. You should reassemble TCP streams to identify HTTP round trip delays.
C. You should use the display filter http to view all HTTP requests, replies and ACKs.
D. You should check for the If-Modified-Since request modifier to determine if web pages are
being loaded from cache.

Q-284. You can edit the Wireshark services file if you want Wireshark to permanently dissect
port 80 traffic as IRC.
True
False

Q-285. To view all packets related to a POP communication, including the TCP handshake used
to set up a POP connection, use the display filter udp.port==110.
True
False

Q-286. If a malicious application has altered the client's hosts file, the client may resolve a
network name to the IP address of a malicious site.
True
False

Q-287. TCP splicing is used to poison the hosts file at a target.
True
False

Q-288. Wireshark can only display clear text communications if a dissector for the application
traffic has been loaded.
True
False

Q-289. Which type of scan can locate a device that supports Enhanced Interior Gateway
Routing Protocol (EIGRP)?
A. null scan
B. Xmas scan
C. IP protocol scan
D. half-connect scan

Q-290. "Phone home" traffic is seen when an application periodically connects to a remote host
without user intervention. This traffic may be malicious or part of a normal application update
process.
True
False

Q-291. The Protocol Hierarchy Statistics window helps identify unusual protocols and
applications during a live capture or in a saved trace file.
True
False

Q-292. Fragmentation override occurs when a malicious host hides data from decryption in out-
of-order fragment packets.
True
False

Q-293. Following the TCP stream when analyzing an HTTP web browsing session reveals a
site's HTML tags.
True
False

Q-294. You have captured traffic to and from a compromised host. Which statement about the
Protocol Hierarchy Statistics window shown above is correct?
A. The HTTP traffic listed is running over UDP and should be investigated further.
B. The SMB traffic should be listed directly under TCP and should be investigated further.
C. There are an insufficient number of DNS packets to support the various communications
shown.
D. The Internet Relay Chat traffic may be used by a bot to communicate with a Command and
Control server.

Q-295. Which problem could cause the condition illustrated in the packet shown above?
A. packet loss
B. minimal packet sizes
C. excessive retransmissions
D. slow or non-responsive application

Q-296. Having baselines that were created before network problems occur can speed up the
process of identifying the cause of those problems.
True
False

Q-297. By default, Mergecap combines trace files based on the timestamps in those trace files.
True
False

Q-298. You are performing a TCP scan on a target while capturing your traffic with Wireshark.
Which statement about the analysis is correct?
A. If you receive UDP responses, the target does not support TCP.
B. If you receive TCP RST responses, the target is not currently on.
C. If you receive ICMP responses, the target port is likely firewalled.
D. If you receive TCP Zero Window responses, the target port is blocked.

Q-299. Which display filter shows FTP user names in a trace file?
A. ftp.request == USER
B. ftp contains "user"
C. ftp.request.command == user
D. ftp.request.command == "USER"

Q-300. Which command-line tool can be used to alter trace file timestamps?
A. tcpdump
B. Capinfos
C. Editcap
D. Mergecap

Q-301. Which type of traffic signature defines malicious traffic based on the proximity, order or
grouping of specific packets?
A. sequence signatures
B. encrypted signatures
C. fragmentation override signatures
D. splicing signatures

Q-302. Which statement about the packet shown above is correct?
A. This is a fast retransmission packet.
B. This packet depicts an FTP command.
C. The sender, 64.251.30.69, is using port 20 to transfer data.
D. The sender's receive buffer space is too low to accept additional data.

Q-303. SIP response codes lower than 399 indicate errors or failures.
True
False

Q-304. The WLAN association process takes place after a station has completed the MAC-
layer authentication process.
True
False

Part 3 Answer Key
A-207: True
A-208: False
A-209: False
A-210: False
A-211: True
A-212: False
A-213: True
A-214: False
A-215: False
A-216: D
A-217: True
A-218: False
A-219: B
A-220: C
A-221: True
A-222: A
A-223: False
A-224: True
A-225: C
A-226: True
A-227: False
A-228: True
A-229: A
A-230: True
A-231: True
A-232: True
A-233: False
A-234: True
A-235: True
A-236: B
A-237: True
A-238: D
A-239: True
A-240: True
A-241: True
A-242: False
A-243: A
A-244: True
A-245: False
A-246: False
A-247: True
A-248: A
A-249: True
A-250: True
A-251: B
A-252: False
A-253: True
A-254: A
A-255: True
A-256: True
A-257: True
A-258: False
A-259: True
A-260: True
A-261: C
A-262: D
A-263: True
A-264: True
A-265: True
A-266: A
A-267: True
A-268: True
A-269: True
A-270: B
A-271: C
A-272: C
A-273: True
A-274: True
A-275: B
A-276: C
A-277: True
A-278: True
A-279: True
A-280: False
A-281: True
A-282: False
A-283: D
A-284: False
A-285: False
A-286: True
A-287: False
A-288: False
A-289: C
A-290: True
A-291: True
A-292: False
A-293: True
A-294: D
A-295: D
A-296: True
A-297: True
A-298: C
A-299: D
A-300: C
A-301: A
A-302: C
A-303: False
A-304: True
Part 3 Answer Explanations
Indicates the related chapter in Wireshark Network Analysis: The Official Wireshark Certified
Network Analyst Study Guide (Second Edition)
A-207 Details: True
Baselines of basic VoIP traffic patterns should include analysis of the call setup process. Baselines of
VoIP traffic should also include analysis of actual calls. Baselines are extremely important for
comparative analysis of good communications with problem communications.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-207
Continue to Question Q-208
A-208 Details: False
In monitor mode, an 802.11 adapter does not join a particular SSID, allowing it to capture packets on
various WLANs. An adapter that does not support monitor mode can only capture packets on the
SSID with which it has associated.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-209 Details: False
Promiscuous mode allows you to capture traffic addressed to other MAC addresses than your own.
The adapter must go into monitor mode to capture all packets from all SSIDs on the currently selected
channel.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-210 Details: False
RSA keys are used to decrypt SSL communications and are configured in Wireshark's SSL protocol
preferences area. Wireshark can decrypt WPA and WPA2 traffic with the proper WPA/WPA2 keys.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-211 Details: True
If no response is received when a TCP FIN scan is performed, the target port is likely either open or
filtered. A TCP Reset response indicates the port is closed. An ICMP Destination Unreachable (Type
3) response with a Code 1, 2, 3, 9, 10 or 13 indicates that the port is probably firewalled.

Chapter 31: Detect Scanning and Discovery Processes


A-212 Details: False
FTP data can be transferred over any port number. Typically, TCP port 21 is used for the FTP
command channel (although an FTP server can be configured to use any port).

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


A-213 Details: True
You can create custom columns based on the individual fields contained in a WLAN Radiotap or PPI
header. These headers are prepended by the local adapter at the time of capture.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-214 Details: False
There are only two modes for FTP data transfer: passive mode and active mode. In passive mode,
the client asks the server to open a listening port for an inbound data channel connection. In active
mode, the FTP client defines a listening port and the FTP server initiates the data channel connection.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


A-215 Details: False
ARP packets cannot be routed and therefore cannot be used to discover remote devices (regardless of
whether the remote devices are running local firewalls or not).

Chapter 31: Detect Scanning and Discovery Processes


A-216 Details: D
WLAN Disassociation Request frames are Management frames. All WLAN frames are categorized as
Management, Control or Data frames.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-217 Details: True
TCP full scans appear as full TCP three-way handshakes and complete a full connection with the
target. Half-connect TCP scans (aka stealth scans) do not finish the three-way handshake; they
consist only of the SYN and SYN/ACK packets.

Chapter 31: Detect Scanning and Discovery Processes


A-218 Details: False
The display filter wlan.fc.retry==1 (not retries==1) is the correct display filter syntax to
view WLAN retransmission packets. This is an important display filter (that can also be created as a
coloring rule) to highlight WLAN connectivity problems.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


A-219 Details: B
In the packet shown, an FTP client will open port 52904 for an FTP data connection, as defined in the
Active Port field. This PORT command was sent by the FTP client to the FTP server on port
21. The receive window size changes as data is received and processed, so file sizes are not
limited to 7,970 bytes.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-219
Continue to Question Q-220
A-220 Details: C
In the packet shown, the PPI header was prepended by the receiver. Radiotap headers are also
prepended by the receiving adapter; these two headers are not on the packets as they travel along the
WLAN. The retry bit is not set (no R in the IEEE 802.11 Data, Flags summary line) and the packet
is not too short for a wireless network. In order for the sender to transmit this data packet it must have
associated with an access point already.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-220
Continue to Question Q-221
A-221 Details: True
Baselining is the process of creating trace files of normal communications on the network. Baselines
should be taken when network and application performance is considered acceptable. These
baselines can be compared to trace files taken when performance is unacceptable.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-221
Continue to Question Q-222
A-222 Details: A
The image shows an 802.11 retransmission as shown in the IEEE 802.11 Data, Flags section (the R
indication); the Retry bit is set to 1. The Frame Control Type field indicates this is a Data frame (not
a Management frame).

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-222
Continue to Question Q-223
A-223 Details: False
The display filter syntax for FTP command channel traffic is tcp.port==21 if that is the port the
FTP server is configured to use. The data channel uses a separate port, which is defined during the
active or passive mode data connection setup process.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-223
Continue to Question Q-224
A-224 Details: True
In an active mode FTP data transfer, the client provides its IP address and listening port number to the
FTP server using the PORT command. The FTP server will initiate a data channel connection to the
client.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-224
Continue to Question Q-225
A-225 Details: C
During a UDP scan, an ICMP Destination Unreachable/Port Unreachable response indicates that the
service is not available on the target. RST and SYN bits are used in TCP communications, not UDP
communications. An ICMP Destination Unreachable/Protocol Unreachable may be seen in response
to an IP scan.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-225
Continue to Question Q-226
A-226 Details: True
The capture filter syntax for POP traffic running over the default port is tcp port 110. Wireshark
does not recognize just pop as the capture filter.

Chapter 25: Analyze Email Traffic


Return to Q-226
Continue to Question Q-227
A-227 Details: False
HTTP packets are variable length. Analyze any web browsing session and you will see shorter
packets used for the HTTP client requests (such as GET requests) and longer packets used to transfer
web pages or images.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-227
Continue to Question Q-228
A-228 Details: True
Session Initiation Protocol (SIP) is a protocol that can be used to set up a VoIP call. SIP is not
defined to work only with VoIP call setup. SIP is a general signaling protocol that can also be used to
support video and other applications.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-228
Continue to Question Q-229
A-229 Details: A
The image shown depicts a TCP port scan (all scans seen have been sent from the same source port
number, 42542). The scanner sends a series of TCP handshake packets (SYN) in hopes of
discovering an open port. The RST/ACK responses indicate that these ports are closed.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-229
Continue to Question Q-230
A-230 Details: True
Try to decode RTP outside of conversations should be set if Wireshark cannot identify the RTP traffic
in a trace file. This setting uses a heuristic dissector, a dissector that looks into the first few bytes of
the packets to identify common patterns of a specific protocol or application. Heuristic dissectors
may be used when conventional dissectors cannot identify a protocol or application.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-230
Continue to Question Q-231
A-231 Details: True
You are working with a VoIP trace file that depicts packet loss due to jitter issues. Lowering
Wireshark's jitter buffer value from 100 ms to 25 ms before playback will cause more packets to be
dropped during the playback. Wireshark's jitter buffer emulates the jitter buffer in place while the
VoIP traffic was captured. Jitter buffers temporarily store packets in order to minimize delay
variations (an elastic buffer). By reducing the jitter buffer value, you reduce the elasticity of this
buffer therefore causing more packets to be dropped by the emulated jitter buffer.
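The elastic-buffer reasoning above can be emulated in a few lines. The following is an added example, not code from the Prep Guide or from Wireshark: it plays a constructed list of RTP arrival times through a fixed jitter buffer, counts the packets that arrive after their playout slot is due, and shows that shrinking the buffer from 100 ms to 25 ms drops packets that the larger buffer would have played. The 20 ms packetization interval and the arrival times are assumptions made for the example.

```python
"""Jitter-buffer playout emulation: an added example, not the Prep Guide's
code. Each RTP packet i is due at i * PTIME_MS on the playout clock, which
starts buffer_ms after the first packet arrives. A packet that has not
arrived when its slot is due is dropped, which is what happens when the
buffer value is lowered. The arrival times are constructed, not captured."""

PTIME_MS = 20  # assumed packetization interval: 20 ms of audio per RTP packet

# Constructed arrival times (ms, in sequence order) with three delayed bursts
ARRIVALS_MS = [0, 21, 39, 62, 78, 104, 152, 143, 160, 229,
               201, 222, 240, 299, 280, 300]


def playout(arrivals_ms, buffer_ms, ptime_ms=PTIME_MS):
    """Return (played, dropped) for a fixed jitter buffer of buffer_ms.
    Playout starts buffer_ms after the first arrival; packet i must have
    arrived by start + i*ptime or it is discarded as late."""
    start = arrivals_ms[0] + buffer_ms
    played = dropped = 0
    for i, arrival in enumerate(arrivals_ms):
        if arrival <= start + i * ptime_ms:
            played += 1
        else:
            dropped += 1
    return played, dropped


def min_buffer_for_no_loss(arrivals_ms, ptime_ms=PTIME_MS):
    """Smallest buffer (ms) that plays every packet: the largest lateness
    of any packet relative to its nominal slot."""
    base = arrivals_ms[0]
    return max(arr - base - i * ptime_ms for i, arr in enumerate(arrivals_ms))


def rfc3550_jitter(arrivals_ms, ptime_ms=PTIME_MS):
    """Interarrival jitter estimate as defined in RFC 3550 section 6.4.1 (the
    figure Wireshark's RTP stream analysis reports): D is the change in
    transit time between consecutive packets, J += (|D| - J) / 16."""
    j = 0.0
    for prev, cur in zip(arrivals_ms, arrivals_ms[1:]):
        d = (cur - prev) - ptime_ms
        j += (abs(d) - j) / 16
    return j


def compare_buffers(arrivals_ms, buffers_ms=(100, 50, 25)):
    """Dropped-packet count per candidate buffer size, as in the A-231 scenario."""
    return {b: playout(arrivals_ms, b)[1] for b in buffers_ms}


if __name__ == "__main__":
    print(compare_buffers(ARRIVALS_MS))
    print("min buffer without loss:", min_buffer_for_no_loss(ARRIVALS_MS))
    print("RFC 3550 jitter: %.1f ms" % rfc3550_jitter(ARRIVALS_MS))
```

With these arrivals the 100 ms and 50 ms buffers play every packet, while the 25 ms buffer drops the three packets that arrive more than 25 ms late; the smallest loss-free buffer equals the largest lateness seen, which is the figure to compare against the jitter the RTP analysis reports.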

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-231
Continue to Question Q-232
A-232 Details: True
You can apply a display filter to a Flow Graph. During the Flow Graph process, you are prompted to
create the Flow Graph using displayed packets only (thereby applying a display filter to the traffic).

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-232
Continue to Question Q-233
A-233 Details: False
Baselines should be created before the network appears to have throughput problems as they are used
for comparative analysis when network problems occur.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-233
Continue to Question Q-234
A-234 Details: True
Excessive RF noise can cause connectivity problems on WLANs. This may seem like a very simple
question; isn't it nice to have a simple question every once in a while?

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-234
Continue to Question Q-235
A-235 Details: True
You cannot load Wireshark on a host and capture that same host's bootup baseline information. To
capture the bootup sequence of a host you must run Wireshark on another machine that will be able to
see traffic to and from the machine that is booting up.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-235
Continue to Question Q-236
A-236 Details: B
Probe requests are used by WLAN stations to discover an access point that does not broadcast an
SSID. Setting an access point not to broadcast an SSID does not provide any security for the WLAN
environment.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-236
Continue to Question Q-237
A-237 Details: True
To decrypt SSL communications, you must configure the SSL preferences to recognize the
conversation you want to decrypt and point to a directory that contains your keys. The syntax of the
key setting often trips up analysts so be very careful to test out this feature before you are in a high
pressure situation to use it.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-237
Continue to Question Q-238
A-238 Details: D
In the packet shown, the HTTP client (67.161.32.69) is browsing webcast.aph.gov.au as seen in the
Host field of the client's HTTP GET request. The cookie is being sent from the client to the HTTP
server. We cannot tell if this URI is invalid unless we see the response.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-238
Continue to Question Q-239
A-239 Details: True
You can use display filters with saved files and Tshark. You can load a saved trace file using the -r
parameter (-r trace.pcapng) and define a display filter using the -R parameter (-R
wlan.fc.retry==1). Finally you can output the filtered set of packets using the -w parameter
(-w newtrace.pcapng).

Chapter 33: Effective Use of Command-Line Tools


Return to Q-239
Continue to Question Q-240
A-240 Details: True
Watching the traffic flow to and from a host when no one is using the host can identify unattended
background traffic. This traffic might include virus update communications or phone home behavior
of applications.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-240
Continue to Question Q-241
A-241 Details: True
Baselines of WLAN environments should include analysis of RF noise rates. You should know what
the noise floor is so you can validate an increase in the noise level later if users complain of
performance.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-241
Continue to Question Q-242
A-242 Details: False
One of the easiest ways to identify delays in a trace file is to set the Time column to Seconds Since
Previous Displayed packet, not Seconds Since Beginning of Capture. Once you set the column
properly you can sort it to list the larger delay times at the top of the Packet List pane; now you can
identify what occurred at the time of the higher delays.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-242
Continue to Question Q-243
A-243 Details: A
Packet timestamps are provided by WinPcap, libpcap, or AirPcap. These link layer interfaces get the
timestamp from the capture mechanism they use. Packet timestamps for pcap files can denote time to
the microsecond level, whereas timestamps for .pcap-ng files can go to the nanosecond level. You
can use Editcap to alter packet timestamps of all packets in a trace file (not individual packets). No
matter which column you sort on, the packet number remains linked to its respective packet.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-243
Continue to Question Q-244
A-244 Details: True
The frame.time_relative == 0 display filter shows packets marked with a Time Reference
as well as the first packet in the trace file.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-244
Continue to Question Q-245
A-245 Details: False
In a UDP-based application, the retransmission timeout value is defined by the application's timeout
setting. IP doesn't have a timeout setting and is essentially a connectionless protocol.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-245
Continue to Question Q-246
A-246 Details: False
WLAN stations can either wait for a beacon frame from the access point or the stations can send a
Probe Request to discover an access point. Other WLAN management frames cannot be sent until the
access point has been located.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-246
Continue to Question Q-247
A-247 Details: True
ICMP redirection packets may be an indication that a path is not optimal. When Router A receives a
packet destined to another network, but Router A knows that Router B has a better path to the target
network, Router A sends an ICMP redirection packet to inform the original packet sender of the better
Router to use (Router B). The client will update its routing table at this time.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-247
Continue to Question Q-248
A-248 Details: A
Congestion along a network path may cause throttling of possible throughput maximums. This
congestion may cause queuing at a router or even packet loss. An overloaded TCP connection table
may cause service refusals (TCP RSTs). Minimal packet sizes likely would not cause congestion
(they are just not the most efficient method of sending data). Data can still be transferred efficiently
when the window receive size is set to 65,535.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-248
Continue to Question Q-249
A-249 Details: True
Baselines of broadcast and multicast traffic can help identify new hosts on the network in a passive
discovery manner. Simply connect your analyzer to a switch (no port spanning or port mirroring is
required). The broadcasts and multicasts will be forwarded out all ports and you can easily discover
network devices.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-249
Continue to Question Q-250
A-250 Details: True
When you are analyzing network performance related to slow responses, the Time column can help
spot delays between requests and replies. This is especially true if you set the Time column to
Seconds Since Previous Displayed packet.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-250
Continue to Question Q-251
A-251 Details: B
If the packet shown did not receive a response, most likely there is packet loss along the path. The
target should respond with either a SYN/ACK (target port is open) or a RST (target port is closed)
if the SYN arrived and if the response could be returned. The target should not advertise a window
zero condition in response to a SYN packet.

Chapter 29: Find the Top Causes of Performance Problems


Return to Q-251
Continue to Question Q-252
A-252 Details: False
Network forensics and host forensics do not provide the same type of evidence of breaches. Host
forensics deals with the digital storage media (and even system memory) whereas network forensics
focuses on the traffic on the network. Combining both skills offers a more thorough investigation
process.

Chapter 30: Network Forensics Overview


Return to Q-252
Continue to Question Q-253
A-253 Details: True
Analysis of hard drive contents is not part of the network forensics process. Analysis of hard drive
contents is part of host forensics.

Chapter 30: Network Forensics Overview


Return to Q-253
Continue to Question Q-254
A-254 Details: A
Your web server runs the HTTP daemon on port 92. To configure Wireshark to permanently dissect
this traffic as HTTP, simply add port 92 in the HTTP Preferences area. You do not need to create any
special decodes and you cannot use Decode As to replace one port with another. Changing the name
listed for port 92 in Wireshark's services file will not apply the HTTP dissector to the traffic; it will
only use that new name in the port field.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-254
Continue to Question Q-255
A-255 Details: True
Network forensic evidence may be gathered for either proactive or reactive analysis. Proactive
analysis includes the process of baselining and investigating hosts on a network. Reactive analysis
includes the process of detecting anomalies and malicious signatures in the traffic.

Chapter 30: Network Forensics Overview


Return to Q-255
Continue to Question Q-256
A-256 Details: True
RTP provides transport functions for real-time data such as audio over multicast or unicast network
services. It's not just for VoIP, but that is what most people associate RTP with.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-256
Continue to Question Q-257
A-257 Details: True
Wireshark will transmit data on the network if you have enabled network name resolution and/or
launch a GeoIP map from the endpoints window. Network name resolution will generate DNS PTR
queries and accessing the GeoIP map launches a browser and accesses OpenStreetMap's site.

Chapter 30: Network Forensics Overview


Return to Q-257
Continue to Question Q-258
A-258 Details: False
The traffic pattern of a TCP scan is easy to identify: a high number of TCP SYN packets with a high
number of TCP RST packets and no data transfers across any open connections.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-258
Continue to Question Q-259
A-259 Details: True
Coloring rules can be created to spot traffic of various scanning and malicious tools. Although
Wireshark includes many default coloring rules, you should consider adding to this list when you find
the signature of suspicious traffic.

Chapter 32: Analyze Suspect Traffic


Return to Q-259
Continue to Question Q-260
A-260 Details: True
Capturing your traffic when you run discovery or testing tools can help you identify the signatures of
those tools. When you know their signatures you can spot those tools in use on your network at a later
date.

Chapter 32: Analyze Suspect Traffic


Return to Q-260
Continue to Question Q-261
A-261 Details: C
Editcap is a command-line tool that can be used to create file sets out of a single trace file. Use the
syntax editcap -c 1000 bigtrace.pcapng smallertrace.pcapng to split a file
into smaller 1,000 packet files. Alternately, you can use the -i parameter to define the number of
seconds in each of the subset files.

Chapter 33: Effective Use of Command-Line Tools


Return to Q-261
Continue to Question Q-262
A-262 Details: D
Quality of Service configurations can cause excessive jitter on a VoIP network because traffic
prioritization may alter the timing of traffic flows.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-262
Continue to Question Q-263
A-263 Details: True
You can follow the TCP stream of HTTPS communications, but the data traffic will be encrypted and
somewhat useless. You must apply an RSA key to the SSL Preferences area in order to decrypt
HTTPS traffic. Then you can select Follow SSL Stream.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-263
Continue to Question Q-264
A-264 Details: True
An FTP passive mode connection may not work if a server firewall blocks incoming connections on
the passive mode port number. Passive mode connections establish the data channel based on the port
number in the response to a PASV command. A firewall would need to know this port number to
block it; many companies do not support passive mode FTP because of the dynamic nature of this
port assignment.
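The port negotiation described in A-219, A-224 and here is easy to read off the command channel once you know the encoding. The following is an added example, not code from the Prep Guide or from Wireshark: it parses a constructed FTP control-channel transcript, decodes each PORT command and 227 reply into the listening address and port, records which side will open the data connection, and produces the display filter that isolates that transfer. The addresses, file names and the transcript itself are made up for the example; only the PORT value was chosen so that it decodes to 52904, the port the A-219 packet shows.

```python
"""FTP data-channel negotiation parser: an added example, not code from the
Prep Guide. It reads a constructed FTP control-channel transcript (port 21)
and works out, for each PORT command or PASV reply, which side will listen,
which side will connect, and the display filter that isolates that transfer.
The IP addresses and file names below are made up for the example."""
import re

# Six comma-separated decimal numbers: four address octets, then the port
# encoded as two bytes (port = p1 * 256 + p2).
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$")
PASV_REPLY = re.compile(r"^227\s.*?\(" + HOSTPORT + r"\)")


def decode_hostport(groups):
    """Convert the six regex groups into (ip, port); reject out-of-range values."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError(f"FTP host/port field out of range: {vals}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_channels(control, client_ip, server_ip):
    """Walk (sender, line) pairs from the control channel and return one
    record per negotiated data connection.
    Active mode (PORT): the client listens; the server connects, normally from port 20.
    Passive mode (227): the server listens; the client connects to the advertised port."""
    channels = []
    for sender, line in control:
        m = PORT_CMD.match(line) if sender == "client" else PASV_REPLY.match(line)
        if not m:
            continue
        ip, port = decode_hostport(m.groups())
        if sender == "client":
            mode, initiator, expected_ip = "active", server_ip, client_ip
        else:
            mode, initiator, expected_ip = "passive", client_ip, server_ip
        channels.append({
            "mode": mode,
            "listener": (ip, port),
            "initiator": initiator,
            # a firewall in front of the listener must allow inbound connections to this port
            "display_filter": f"tcp.port=={port}",
            # the advertised address is normally the peer's own control-channel address
            "address_matches_peer": ip == expected_ip,
        })
    return channels


# Constructed control-channel exchange between client 10.1.1.20 and server 10.1.1.80.
# The PORT value 206,168 decodes to 52904, the listening port the A-219 packet shows.
CONTROL = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@example.invalid"),
    ("server", "230 Login successful."),
    ("client", "PORT 10,1,1,20,206,168"),
    ("server", "200 PORT command successful."),
    ("client", "RETR file1.bin"),
    ("server", "150 Opening BINARY mode data connection."),
    ("server", "226 Transfer complete."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,1,1,80,39,16)."),
    ("client", "RETR file2.bin"),
]

if __name__ == "__main__":
    for channel in expected_data_channels(CONTROL, "10.1.1.20", "10.1.1.80"):
        print(channel)
```

For the first transfer the record shows the client listening on 52904 with the server as initiator (active mode); for the second it shows the server listening on 10000 with the client as initiator (passive mode), which is the port a server-side firewall would have to permit for that transfer to succeed.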

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-264
Continue to Question Q-265
A-265 Details: True
You can use ARP to scan the local network for active hosts. Even a host that has a firewall loaded on
it cannot hide from a local ARP scan; doing so would break the entire TCP/IP communication
structure. ARP scans can only be run on the local network as they have no IP header for routing.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-265
Continue to Question Q-266
A-266 Details: A
Session Initiation Protocol (SIP) can be used to carry the call setup commands. RTCP and RTP are
used for the actual call process and TCP is not a VoIP element.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-266
Continue to Question Q-267
A-267 Details: True
Null scans have no TCP flags set which is an illegal setting. No response to a null scan indicates that
the port is either open or filtered. A TCP Reset response indicates the port is closed. An ICMP
Destination Unreachable (Type 3) response with a Code 1, 2, 3, 9, 10 or 13 indicates that the port is
probably firewalled. Pay attention to the footnote regarding Microsoft clients' responses to null scans
in Chapter 31: Detect Scanning and Discovery Processes of Wireshark Network Analysis, Second
Edition.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-267
Continue to Question Q-268
A-268 Details: True
UDP scans can be used to perform quick connectivity tests. An unusually high number of ICMP
Destination Unreachable/Port Unreachable packets or a high number of unanswered UDP packets are
strong indications that a UDP scan is underway.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-268
Continue to Question Q-269
A-269 Details: True
An unusually high number of TCP SYNs and RSTs without any transfer of data is a possible
indication that a TCP scan is underway. It is logical to expect that a TCP connection was established
for the purpose of data transfer. To see no data transfer across an established connection before it is
torn down is suspect.
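The signature described here (many SYNs, many RSTs, no data on any connection), together with the UDP-scan indicators in A-225 and A-268 and the reading of responses in A-251 and A-267, can be written down as a small detection pass. The following is an added example, not code from the Prep Guide or from Wireshark: it runs over hand-built packet summaries shaped like the fields tshark would export (ip.src, tcp.flags, icmp.type and icmp.code), flags the source whose connections carry no payload, classifies each probed TCP port from the reply it drew, and counts UDP probes against the ICMP Port Unreachable replies they produced. Addresses, ports and the thresholds are assumptions made for the example.

```python
"""Scan-pattern heuristics over packet summaries: an added example, not code
from the Prep Guide. The records below are hand-built to mimic the fields you
would pull from a trace with tshark (ip.src, tcp.flags, icmp.type/code); no
traffic is captured or sent. Addresses and ports are constructed."""
from collections import defaultdict

# ICMP Type 3 codes the guide lists as "probably firewalled" (A-267, A-275)
FIREWALL_CODES = {1, 2, 3, 9, 10, 13}

# Constructed traffic: 10.0.0.5 probes 10.0.0.9 from one source port (as in
# the A-229 image); 10.0.0.7 is an ordinary client that transfers data.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 42542, "dport": 22, "flags": {"SYN"}, "payload": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 22, "dport": 42542, "flags": {"SYN", "ACK"}, "payload": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 42542, "dport": 22, "flags": {"RST"}, "payload": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 42542, "dport": 23, "flags": {"SYN"}, "payload": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 23, "dport": 42542, "flags": {"RST", "ACK"}, "payload": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 42542, "dport": 25, "flags": {"SYN"}, "payload": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "icmp", "type": 3, "code": 13, "probe_dport": 25},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 42542, "dport": 80, "flags": {"SYN"}, "payload": 0},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 80, "flags": {"SYN"}, "payload": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.7", "proto": "tcp", "sport": 80, "dport": 51000, "flags": {"SYN", "ACK"}, "payload": 0},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 80, "flags": {"ACK", "PSH"}, "payload": 312},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 40000, "dport": 161, "payload": 8},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "icmp", "type": 3, "code": 3, "probe_dport": 161},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 40000, "dport": 53, "payload": 8},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 40000, "dport": 123, "payload": 8},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "icmp", "type": 3, "code": 3, "probe_dport": 123},
]


def tcp_scan_sources(packets, min_syns=3):
    """Return {src: stats} for sources matching the A-269 pattern: at least
    min_syns connection attempts, at least half of them ended by a RST (from
    either side), and no payload carried on any of their connections."""
    conns = {}  # (src, sport, dst, dport) of each SYN -> initiating host
    stats = defaultdict(lambda: {"syn": 0, "rst": 0, "payload": 0})
    for p in packets:
        if p["proto"] != "tcp":
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == {"SYN"}:
            conns[fwd] = p["src"]
            stats[p["src"]]["syn"] += 1
            continue
        owner = conns.get(fwd) or conns.get(rev)  # charge replies to the initiator
        if owner is None:
            continue
        if "RST" in p["flags"]:
            stats[owner]["rst"] += 1
        stats[owner]["payload"] += p["payload"]
    return {ip: s for ip, s in stats.items()
            if s["syn"] >= min_syns and s["rst"] >= s["syn"] // 2 and s["payload"] == 0}


def tcp_port_states(packets, scanner, target):
    """Classify each port the scanner SYN-probed on the target from the reply
    seen: SYN/ACK = open, RST = closed, ICMP type 3 with a firewall code =
    filtered, nothing at all = no response (A-251: possibly packet loss)."""
    states = {}
    for p in packets:
        if (p["proto"] == "tcp" and p["src"] == scanner and p["dst"] == target
                and p["flags"] == {"SYN"}):
            states.setdefault(p["dport"], "no response (possible packet loss)")
    for p in packets:
        if p["src"] != target or p["dst"] != scanner:
            continue
        if p["proto"] == "tcp" and p["sport"] in states:
            if p["flags"] == {"SYN", "ACK"}:
                states[p["sport"]] = "open"
            elif "RST" in p["flags"]:
                states[p["sport"]] = "closed"
        elif p["proto"] == "icmp" and p["type"] == 3 and p["code"] in FIREWALL_CODES:
            if p.get("probe_dport") in states:
                states[p["probe_dport"]] = "filtered (ICMP type 3 code %d)" % p["code"]
    return states


def udp_scan_summary(packets):
    """Per source: UDP probes sent, ICMP Port Unreachable (type 3 code 3)
    replies drawn, and probes left unanswered (open or filtered ports)."""
    probes = defaultdict(set)   # src -> {(dst, dport)}
    unreach = defaultdict(set)  # probing host -> {(replier, probed port)}
    for p in packets:
        if p["proto"] == "udp":
            probes[p["src"]].add((p["dst"], p["dport"]))
        elif p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 3:
            unreach[p["dst"]].add((p["src"], p["probe_dport"]))
    summary = {}
    for src, sent in probes.items():
        answered = sent & unreach[src]
        summary[src] = {"probes": len(sent), "port_unreachable": len(answered),
                        "unanswered": len(sent - answered)}
    return summary


if __name__ == "__main__":
    print(tcp_scan_sources(SAMPLE))
    print(tcp_port_states(SAMPLE, "10.0.0.5", "10.0.0.9"))
    print(udp_scan_summary(SAMPLE))
```

On the constructed sample only 10.0.0.5 is reported: four SYNs, two RSTs and no payload, whereas 10.0.0.7 completes a handshake and sends data. The per-port view reads 22 as open, 23 as closed, 25 as filtered (ICMP code 13) and 80 as unanswered, and the UDP view shows two Port Unreachable replies for three probes; the same counts are what a coloring rule or a Protocol Hierarchy check would have to approximate by eye.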

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-269
Continue to Question Q-270
A-270 Details: B
WLAN beacon frames occur approximately every 100 ms on a WLAN. If they don't, you have a
serious problem with an access point.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-270
Continue to Question Q-271
A-271 Details: C
The SDP information shown is contained in a SIP packet. Wireshark indicates which SIP packets
have SDP inside in the Protocol field of the Packet List pane (SIP/SDP). This packet does not contain
any bytes of VoIP call data; it is a call setup packet. The SDP portion of the packet indicates that
RTP communication will use UDP port 8000 (the m record). The Owner/Creator information is
optional.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-271
Continue to Question Q-272
A-272 Details: C
The sender of the packet shown, vid01, supports Enhanced SMTP as noted by the EHLO command.
This is not a TCP retransmission (the Expert Infos did not denote a retransmission in the Packet List
pane) and the EHLO packet does not contain email data. This packet is sent by an SMTP client
application, not from the "accelenet" application (which is shown simply because Wireshark's
services file lists port 1182 as registered to accelenet).

Chapter 25: Analyze Email Traffic


Return to Q-272
Continue to Question Q-273
A-273 Details: True
Throughput baselining may require the use of a data transmission tool to generate traffic. Wireshark
can't generate traffic so you need another tool, such as iPerf (sourceforge.net/projects/iperf/) to send
traffic for the throughput tests.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-273
Continue to Question Q-274
A-274 Details: True
TCP ACK scans are not used to identify open ports; they are used to determine whether there may be
an unfiltered path to a target system. When an ACK scan receives a TCP RST response, this indicates
that this outbound port value is not filtered at a firewall or router.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-274
Continue to Question Q-275
A-275 Details: B
The filter shown, (tcp.flags.urg==1) && (tcp.flags.push==1) && (tcp.flags.fin==1),
would identify an Xmas scan, which has the TCP URG, PUSH and FIN bits set in a single packet.
No response to an Xmas scan indicates that the port is either open or filtered. A TCP Reset response
indicates the port is closed. An ICMP Destination Unreachable (Type 3) response with a Code 1, 2,
3, 9, 10 or 13 indicates that the port is probably firewalled.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-275
Continue to Question Q-276
A-276 Details: C
The traffic shown is a scan to discover IP-based protocols on a target. This is an IP scan. Note that
Wireshark's Protocol column indicates that IPv4 is the highest layer protocol dissected. In the image
shown, 192.168.1.118 is performing an IP scan against 192.168.1.117.

Chapter 31: Detect Scanning and Discovery Processes


Return to Q-276
Continue to Question Q-277
A-277 Details: True
Creating a baseline of normal protocols and applications on the network can help you identify
breached hosts based on unusual traffic patterns. This is the process of comparative analysis. You
may not need to understand every packet in the two trace files to compare them and spot higher packet
rates, greater latency or service refusals.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-277
Continue to Question Q-278
A-278 Details: True
Suspect traffic may simply be caused by poorly performing applications. Creating an unnecessary
number of connections, transferring data in unencrypted format and conversations between unusual
pairs are all application performance symptoms that may be suspect on the network.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-278
Continue to Question Q-279
A-279 Details: True
TCP/IP port resolution relies on the integrity of the local host's services file and the application that
is requesting to use a specific port number. This question references the TCP/IP services file, not
Wireshark's services file.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-279
Continue to Question Q-280
A-280 Details: False
If a malicious user program has altered the content of Wireshark's manuf file (not the services file),
the OUI name resolution process may be affected. Wireshark uses the manuf file to resolve the first
three bytes of the MAC address to a manufacturer name.

Chapter 32: Analyze Suspect Traffic


Return to Q-280
Continue to Question Q-281
A-281 Details: True
If desired, you can force Wireshark to temporarily dissect traffic to and from port 2600 as FTP traffic
using the Decode As function.

Chapter 32: Analyze Suspect Traffic


Return to Q-281
Continue to Question Q-282
A-282 Details: False
Wireshark does not discover WLAN decryption keys; you must enter the keys in either the IEEE
802.11 preferences or in the Decryption Keys section of the Wireless Toolbar.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-282
Continue to Question Q-283
A-283 Details: D
You should check for the If-Modified-Since request modifier to determine if web pages are being
loaded from cache. This indicates that the client has already browsed to the target site and will now
load the page from cache. You won't see the true across-the-network HTTP load process in this case.
Clear the browser cache before capturing HTTP traffic.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-283
Continue to Question Q-284
A-284 Details: False
Editing Wireshark's services file does not change the dissecting process; this only changes the
name listed for a port.

Chapter 32: Analyze Suspect Traffic


Return to Q-284
Continue to Question Q-285
A-285 Details: False
To view all packets related to a POP communication, including the TCP handshake used to set up a
POP connection, use the display filter tcp.port==110 as POP traffic runs over TCP.

Chapter 25: Analyze Email Traffic


Return to Q-285
Continue to Question Q-286
A-286 Details: True
If a malicious application has altered the client's hosts file, the client may resolve a network name to
the IP addresses of a malicious site. For example, if the hosts file indicates that
www.wiresharkbook.com is located at a spammer site IP address, then browsing to
www.wiresharkbook.com will cause a TCP SYN packet to be sent to the spammer's IP address.

Chapter 32: Analyze Suspect Traffic


Return to Q-286
Continue to Question Q-287
A-287 Details: False
TCP splicing is used to obscure the actual TCP data to be processed at the peer by splitting TCP
segments over multiple packets.

Chapter 32: Analyze Suspect Traffic


Return to Q-287
Continue to Question Q-288
A-288 Details: False
Wireshark can display clear text communications regardless of whether Wireshark has a dissector for
the application traffic. You can see the clear text traffic by simply following a UDP or TCP stream of
the traffic.

Chapter 32: Analyze Suspect Traffic


Return to Q-288
Continue to Question Q-289
A-289 Details: C
An IP protocol scan can locate a device that supports Enhanced Interior Gateway Routing Protocol
(EIGRP). An IP protocol scan is intended to identify applications or services that reside directly after
the IP header (such as EIGRP).

Chapter 32: Analyze Suspect Traffic


Return to Q-289
Continue to Question Q-290
A-290 Details: True
"Phone home" traffic is seen when an application periodically connects to a remote host without user
intervention. This traffic may be malicious or part of a normal application update process. You
should have a baseline of your traffic during idle time to identify any phone home traffic.

Chapter 32: Analyze Suspect Traffic


Return to Q-290
Continue to Question Q-291
A-291 Details: True
The Protocol Hierarchy Statistics window helps identify unusual protocols and applications during
live capture or in a saved trace file. For example, if you see IRC traffic on a network that does not
usually support IRC, this is considered suspect. You can right click on any protocol or application
listed to apply a filter to see that traffic only.

Chapter 32: Analyze Suspect Traffic


Return to Q-291
Continue to Question Q-292
A-292 Details: False
Fragmentation override occurs when data arriving later in a fragmented set overrides previous data
based on its Fragmentation Offset field value when the data is reassembled.

Chapter 32: Analyze Suspect Traffic


Return to Q-292
Continue to Question Q-293
A-293 Details: True
Following the TCP stream when analyzing an HTTP web browsing session reveals a site's HTML
tags. These tags are shown in clear text in HTTP communications. HTTPS traffic, by contrast, is not
in clear text.

Chapter 23: Analyze Hypertext Transfer Protocol (HTTP) Traffic


Return to Q-293
Continue to Question Q-294
A-294 Details: D
The Internet Relay Chat traffic shown in the Protocol Hierarchy window may be used by a bot to
communicate with a Command & Control server. The HTTP traffic listed is running over TCP which
is the expected transport. The SMB traffic is correctly listed below NetBIOS Session Service. There
is no way to determine if there is a problem with the number of DNS packets by examining the
Protocol Hierarchy window.

Chapter 32: Analyze Suspect Traffic


Return to Q-294
Continue to Question Q-295
A-295 Details: D
The condition illustrated in the packet shown can be caused by a slow or non-responsive application.
When the application is slow to pick up traffic from the receive buffer, that buffer fills and may
eventually reach a window zero condition.

Chapter 32: Analyze Suspect Traffic


Return to Q-295
Continue to Question Q-296
A-296 Details: True
Having baselines that were created before network problems occur can speed up the process of
identifying the cause of those problems. So finish up this Prep Guide and get your network baselines
soon.

Chapter 28: Baseline Normal Traffic Patterns


Return to Q-296
Continue to Question Q-297
A-297 Details: True
By default, Mergecap combines trace files based on the timestamps of the files. Use the -a parameter
to cause packets to be merged in the order they are listed rather than merge traffic based on the packet
timestamps.

Chapter 33: Effective Use of Command-Line Tools


Return to Q-297
Continue to Question Q-298
A-298 Details: C
If you receive ICMP responses while performing a TCP scan on a target, the target port is likely
firewalled. If the port is open, a SYN/ACK is expected. If the port is closed, a RST or RST/ACK is
expected.

Chapter 32: Analyze Suspect Traffic


Return to Q-298
Continue to Question Q-299
A-299 Details: D
The display filter ftp.request.command == "USER" shows FTP user names in a trace file.
The command USER is always in all capital letters in FTP communications and this area is case
sensitive. The field name is ftp.request.command.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-299
Continue to Question Q-300
A-300 Details: C
Editcap can be used to alter trace file timestamps using the -t parameter. For example, to add one-
half second to every packet in a trace file called latertrace.pcapng, use the command editcap
-t 0.5 latertrace.pcapng shifted.pcapng (the output file name, shifted.pcapng here, is your
choice). As of Wireshark 1.8 you can also right click on a packet and
use the Time Shift feature to alter the timestamp of all packets in a trace file.

Chapter 33: Effective Use of Command-Line Tools


Return to Q-300
Continue to Question Q-301
A-301 Details: A
Sequence signatures define malicious traffic based on the proximity, order or grouping of specific
packets. An example of this would be OS fingerprinting that uses ICMP Types 13, 15 and 17 in close
proximity.

Chapter 32: Analyze Suspect Traffic


Return to Q-301
Continue to Question Q-302
A-302 Details: C
The sender, 64.251.30.69, is using port 20 to transfer data. The sender is sending the data from port
20 to port 52904 in the image shown. This is not a fast retransmission packet (Wireshark's expert has
not designated it as a fast retransmission) and this packet is not an FTP command such as RETR,
STOR, or CWD. We cannot determine the sender's receive buffer space unless we expand the TCP
header.

Chapter 24: Analyze File Transfer Protocol (FTP) Traffic


Return to Q-302
Continue to Question Q-303
A-303 Details: False
SIP response codes higher than (not lower than) 399 indicate errors or failures. SIP client errors
begin at 400; server errors begin at 500; global errors begin at 600.

Chapter 27: Voice over IP (VoIP) Analysis Fundamentals


Return to Q-303
Continue to Question Q-304
A-304 Details: True
The WLAN association process takes place after a station has completed the MAC-layer
authentication process. Before each of these processes, the WLAN client must locate the access point
using beacons or probe requests.

Chapter 26: Introduction to 802.11 (WLAN) Analysis


Return to Q-304
[1] The Wireshark Certified Network Analyst Exam displays full color graphics although, due to
color blind issues, questions regarding actual colors (other than black and white) were discarded in
the Exam review process.
