Network Traffic Baselines and TCP Packet Signatures

Questions and Answers

What is the purpose of the Filter Toolbar in network traffic monitoring?

To allow administrators to quickly edit and apply display filters.

How is the Packet List Panel useful in network traffic analysis?

It provides a list of packets in the capture file, colors them based on the protocol, and shows details like timestamp, source, destination, protocol, and additional information.

What information is displayed in the default columns of the Packet List Panel?

The number of packets, timestamp, source address, destination address, protocol name, and additional information about the packet content.

How does the Packet Details Panel present information about a selected packet?

It displays the details of the selected packet by showing the different protocols making up the layers of data in a tree format that can be expanded and collapsed.

Which layers of data are typically included in the Packet Details Panel?

Frame, Ethernet, IP, TCP, UDP, ICMP, and application protocols such as HTTP.

Why is it important to obtain prior written permission from IBM to reproduce course materials?

To comply with copyright regulations and intellectual property rights.

What is the purpose of using a sniffer in network management?

To monitor and analyze network traffic.

How do network administrators use packet sniffers?

To analyze the behavior of applications or devices causing network problems.

What is the significance of the information running through a network?

It is a valuable source of evidence to counter intrusions or anomalous connections.

What is Wireshark?

An open-source cross-platform packet capture and analysis tool.

What operating systems is Wireshark available for?

Windows and Linux.

How does Wireshark assist in network troubleshooting?

By providing a detailed breakdown of the network protocol stack for each packet.

What are the three bits used in a three-way handshake to establish a TCP connection?

SYN, SYN ACK, ACK

When is the ACK bit set in a TCP packet?

In every packet, except for the initial packet where the SYN bit is set.

What are the two bits used in terminating a TCP connection?

FIN ACK, ACK

What does a suspicious TCP packet contain?

One or more of the following: SYN, FIN, PSH, RST

Why is a packet with only a FIN flag considered illegal?

FIN can be used in network mapping, port scanning, and other stealth activities.

What are packets with all six flags unset known as?

NULL flag packets

What is a brute-force attack, and how do attackers implement it on a network?

A brute-force attack is a lengthy process where attackers use various tools to try different combinations of usernames and passwords to gain unauthorized access to a system or network.

Explain the concept of a dictionary attack and how it relates to SSH services.

A dictionary attack is a type of brute-force attack where the attacker uses a limited set of common words or phrases as potential passwords. With SSH services running on a network, it becomes easier for attackers to perform a dictionary attack by trying these common passwords.

How can an administrator detect a dictionary attack on their network?

An administrator can detect a dictionary attack by monitoring the number of login attempts made from the same IP address or username.

Describe the file transfer protocol (FTP) and its role in transmitting files over the Internet.

FTP is a standard protocol used to transmit files between systems over the Internet using the TCP/IP suite. It is a client-server protocol with two communication channels: one for managing conversations and the other for actual content transmission.

What is the process of initiating an FTP session, and what information is required?

To initiate an FTP session, a client sends a download request to the server, which responds with the requested file. An FTP session requires the user to log in to the FTP server with their username and password.

How can an attacker attempt to crack FTP passwords, and what is the potential impact?

An attacker can attempt to crack FTP passwords through a brute-force or dictionary attack, trying different combinations of usernames and passwords to gain unauthorized access to the FTP server and potentially compromise sensitive data or systems.

What does the ShaPlus Bandwidth Meter software display?

The ShaPlus Bandwidth Meter software displays the bandwidth usage in the current session, day, and month.

What is the purpose of the ShaPlus Bandwidth Meter software?

The purpose of the ShaPlus Bandwidth Meter software is to monitor and track Internet bandwidth usage.

Based on the graph shown, at what time of day does Internet usage appear to be highest?

Based on the graph, Internet usage appears to be highest in the evening hours.

What does the graph in the image represent?

The graph in the image represents how Internet usage varies at different times of the day.

Why is it important to obtain prior written permission from IBM to reproduce course materials?

It is important to obtain prior written permission from IBM to reproduce course materials because the course materials are subject to copyright protection.

What type of information is typically included in the Packet Details Panel in network traffic analysis?

The Packet Details Panel typically includes detailed information about the layers of data within a selected packet.