Wireshark Traffic Display Manipulation Quiz

Questions and Answers

PDF Questions PDF Answers

What does using the Decode As option in Wireshark allow you to do?

Modify the source IP address of the captured packets

Change the display language of Wireshark

Apply a certain protocol decode method to specific traffic (correct)

Filter out unwanted packets from the capture

What action should you take to specify that traffic to port 10002 should be decoded as HTTP in Wireshark?

Choose Destination (10002) in the TCP Port(s) field (correct)

Choose Source (10002) in the TCP Port(s) field

Click on the packet and select 'Decode As' without any further specification

Select the HTTP filter from the filter menu

What happens when you right-click on a packet in a stream and select 'Decode As' in Wireshark?

You permanently delete the packet from the capture

You initiate a live capture of the selected packet

You can specify the protocol decode method for specific traffic (correct)

You mark the packet as irrelevant and hide it from the display

What is the purpose of scrolling through the protocols listed on the right in Wireshark when using the Decode As option?

To find and select the appropriate protocol for decoding the traffic

What is the first task of recovery after an incident has been contained?

Assess the damage caused

When should evidence for legal proceedings be identified during the recovery process?

Before recovery commences

Why is it imperative for individuals performing recovery operations to be trained in handling evidence?

To ensure evidence is not violated in value

Study Notes

Wireshark Decode As

• Using the Decode As option in Wireshark allows you to override Wireshark's automatic protocol detection and specify a protocol to decode the traffic as.
• To specify that traffic to port 10002 should be decoded as HTTP, go to Analyze > Decode As, select the protocol (HTTP) and enter the port number (10002).

Packet Analysis

• Right-clicking on a packet in a stream and selecting 'Decode As' in Wireshark allows you to decode a specific packet or a range of packets as a different protocol.
• Scrolling through the protocols listed on the right in Wireshark when using the Decode As option helps to select the desired protocol.

Incident Response and Recovery

• The first task of recovery after an incident has been contained is to identify and collect evidence for legal proceedings.
• Evidence for legal proceedings should be identified during the initial stages of the recovery process.
• Individuals performing recovery operations must be trained in handling evidence to ensure its integrity and admissibility in court.

Description

Learn how to manipulate traffic display in Wireshark by using the "Decode As" feature. This quiz will guide you through the process of changing the protocol decode method for specific traffic to enhance your analysis capabilities.