Exam WCNA-102.x
2nd Edition (Version 2.1a)
Laura Chappell
Founder, Chappell University
Founder, Wireshark University
This book is intended to provide practice quiz questions based on the thirty-three areas of study defined for the Wireshark Certified Network Analyst Exam.
This Official Exam Prep Guide offers a companion to Wireshark Network
Analysis: The Official Wireshark Certified Network Analyst Study Guide
Second Edition (ISBN10: 1-893939-94-4; ISBN13: 978-1-893939-94-3;
www.wiresharkbook.com)
Available in hardcopy and digital format. Visit www.amazon.com for more
details.
Wireshark Certified Network Analyst
Official Exam Prep Guide
Second Edition
Copyright 2012, Protocol Analysis Institute, Inc., dba Chappell University. All rights reserved. No part of this book, or related
materials, including interior design, cover design or contents of the referenced book website, www.wiresharkbook.com, may be
reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without the prior written
permission of the publisher.
To arrange bulk purchase discounts for sales promotions, events, training courses, or other purposes, please contact Chappell University
at the address and email listed on the next page.
Distributed worldwide for Chappell University through Protocol Analysis Institute, Inc.
For general information on Chappell University or Protocol Analysis Institute, Inc., including information on corporate licenses, updates,
future titles or courses, contact the Protocol Analysis Institute, Inc. at 408/378 7841 or send email to info@chappellU.com.
For authorization to photocopy items for corporate, personal or educational use, contact Protocol Analysis Institute, Inc. at email to
info@chappellU.com.
Trademarks. All brand names and product names used in this book or mentioned in this book are trade names, service marks,
trademarks, or registered trademarks of their respective owners. Protocol Analysis Institute, Inc. is the exclusive developer for Chappell
University.
Limit of Liability/Disclaimer of Warranty. The author and publisher have used their best efforts in preparing this book and the related
materials used in this book. Protocol Analysis Institute, Inc., Chappell University and the author(s) make no representations or warranties
of merchantability or fitness for a particular purpose. Protocol Analysis Institute, Inc. and Chappell University assume no liability for any
damages caused by following instructions or using the techniques or tools listed in this book or related materials used in this book.
Protocol Analysis Institute, Inc., Chappell University and the author(s) make no representations or warranties that extend beyond the
descriptions contained in this paragraph. No warranty may be created or extended by sales representatives or written sales materials.
The accuracy or completeness of the information provided herein and the opinions stated herein are not guaranteed or warranted to
produce any particular result and the advice and strategies contained herein may not be suitable for every individual. Protocol Analysis
Institute, Inc., Chappell University and author(s) shall not be liable for any loss of profit or any other commercial damages, including
without limitation special, incidental, consequential, or other damages.
Always ensure you have proper authorization before you listen to and capture network traffic.
Copy Protection. In all cases, reselling or duplication of this book and related materials used in this book without explicit written
authorization is expressly forbidden. We will find you, ya know. So don't steal it, plagiarize or upload this book to the Internet.
Cover: Fractal image, Waves Envisioned during Late Nights at Work, by Scott Spicer - Created with Apophysis 2.09
Table of Contents
About This eBook
How Should You Use this eBook?
What's Online at www.wiresharkbook.com?
Which Version of the Exam Does This Book Match?
Wireshark Certified Network Analyst Exam Objectives
Wireshark Certified Network Analyst Program Overview
Why Should I Pursue the Wireshark Certified Network Analyst Certification?
How Do I Earn the Wireshark Certified Network Analyst Status?
Wireshark University and Wireshark University Training Partners
Schedule Customized Onsite/Web-Based Training
Part 1: Practice Question Set 1-100
Part 1 Answer Key
Part 1 Answer Explanations
Part 2: Practice Question Set 101-206
Part 2 Answer Key
Part 2 Answer Explanations
Part 3: Practice Question Set 207-304
Part 3 Answer Key
Part 3 Answer Explanations
About This eBook
This book is intended to provide practice quiz questions based on the thirty-three areas of study
defined for the Wireshark Certified Network Analyst Exam. This Official Exam Prep Guide offers a
companion to Wireshark Network Analysis: The Official Wireshark Certified Network Analyst
Study Guide Second Edition.
ISBN10: 1-893939-94-4
ISBN13: 978-1-893939-94-3
Paperback: 986 pages
Website: www.wiresharkbook.com
Wireshark Certified Network Analyst Official Exam Prep Guide - Second Edition provides you
with over 300 practice questions to prepare you for the Wireshark Certified Network Analyst Exam.
Print the Answer Sheets located at www.wiresharkbook.com/epg. There is one Answer Sheet for
each of the three parts of this book.
The Answer Sheets enable you to take the tests in the book multiple times without marking up the
book and seeing previous answer selections. Answer Sheets are formatted to match the Answer Keys
for fast grading.
How Should You Use this eBook?
This book is separated into three parts. The following provides a recommendation of how to use this
book to effectively prepare for the Wireshark Certified Network Analyst Exam.
Key Area: The icon marks key topics to study in preparation for the Exam.
Step 1: Review the Study Guide
Each chapter in the Study Guide and each part of this Official Exam Prep Guide lists the
objectives covered in the Wireshark Certified Network Analyst Exam, Second Edition. Ensure
you have the knowledge and skills to master the objectives listed.
Currently, Wireshark University courses are offered throughout the world in instructor-led, self-paced
and online formats through Chappell University (www.chappellU.com) and various Wireshark
University Certified Training Partners.
For more information on Wireshark University, visit www.wiresharktraining.com or send email to
info@wiresharktraining.com.
Schedule Customized Onsite/Web-Based Training
If you are interested in training a team in a fast, effective, hands-on course environment, contact us
directly. Customized courses can be developed and delivered by Laura Chappell. Customized
courses can be based on your network traffic or previously captured traffic from numerous global
networks. Course lengths can run from 2 days to 10 days and even include a web-based delivery
option to meet the training needs of geographically dispersed students.
Contact us at info@chappellU.com or visit www.chappellU.com for more information on scheduling
customized training for your organization.
Part 1: Practice Question Set 1-100
This practice question set covers sections 1-11 of the Wireshark Certified Network Analyst Exam
topic list.
Section 1: Network Analysis Overview
Section 2: Introduction to Wireshark
Section 3: Capture Traffic
Section 4: Create and Apply Capture Filters
Section 5: Define Global and Personal Preferences
Section 6: Colorize Traffic
Section 7: Define Time Values and Interpret Summaries
Section 8: Interpret Basic Trace File Statistics
Section 9: Create and Apply Display Filters
Section 10: Follow Streams and Reassemble Data
Section 11: Customize Wireshark Profiles
Key Area: The icon marks key topics to study in preparation for the Exam.
Section 1: Network Analysis Overview
Wireshark Certified Network Analyst Exam Objectives:
Define the Purpose of Network Analysis
List Troubleshooting Tasks for the Network Analyst
List Security Tasks for the Network Analyst
List Optimization Tasks for the Network Analyst
List Application Analysis Tasks for the Network Analyst
Define Legal Issues of Listening to Network Traffic
Overcome the "Needle in the Haystack" Issue
Understand General Network Traffic Flows
Review a Checklist of Analysis Tasks
Section 2: Introduction to Wireshark
Wireshark Certified Network Analyst Exam Objectives:
Describe Wireshark's Purpose
Know How to Obtain the Latest Version of Wireshark
Compare Wireshark Release and Development Versions
Report a Wireshark Bug or Submit an Enhancement
Capture Packets on Wired or Wireless Networks
Open Various Trace File Types
Describe How Wireshark Processes Packets
Define the Elements of the Start Page
Identify the Nine GUI Elements
Navigate Wireshark's Main Menu
Use the Main Toolbar for Efficiency
Focus Faster with the Filter Toolbar
Make the Wireless Toolbar Visible
Access Options through Right-Click Functionality
Define the Functions of the Menus and Toolbars
Section 3: Capture Traffic
Wireshark Certified Network Analyst Exam Objectives:
Know Where to Tap Into the Network
Know When to Run Wireshark Locally
Capture Traffic on Switched Networks
Use a Test Access Port (TAP) on Full-Duplex Networks
Define When to Set up Port Spanning/Port Mirroring on a Switch
Analyze Routed Networks
Analyze Wireless Networks
Define Options for Capturing at Two Locations Simultaneously (Dual Captures)
Identify the Most Appropriate Capture Interface
Capture on Multiple Adapters Simultaneously
Capture Traffic Remotely
Automatically Save Packets to One or More Files
Optimize Wireshark to Avoid Dropping Packets
Conserve Memory with Command-Line Capture
Section 4: Create and Apply Capture Filters
Wireshark Certified Network Analyst Exam Objectives:
Describe the Purpose of Capture Filters
Build and Apply a Capture Filter to an Interface
Filter by a Protocol
Create MAC/IP Address or Host Name Capture Filters
Capture One Application's Traffic Only
Use Operators to Combine Capture Filters
Create Capture Filters to Look for Byte Values
Manually Edit the Capture Filters File
Share Capture Filters with Others
Section 5: Define Global and Personal Preferences
Wireshark Certified Network Analyst Exam Objectives:
Find Your Configuration Folders
Set Global and Personal Configurations
Customize Your User Interface Settings
Define Your Capture Preferences
Define How Wireshark Automatically Resolves IP and MAC Names
Plot IP Addresses on a World Map with GeoIP
Resolve Port Numbers (Transport Name Resolution)
Resolve SNMP Information
Configure Filter Expressions [NEW]
Configure Statistics Settings
Define ARP, TCP, HTTP/HTTPS and Other Protocol Settings
Configure Protocol Settings with Right-Click
Section 6: Colorize Traffic
Wireshark Certified Network Analyst Exam Objectives:
Use Colors to Differentiate Traffic
Disable One or More Coloring Rules
Share and Manage Coloring Rules
Identify Why a Packet is a Certain Color
Create a Butt Ugly Coloring Rule for HTTP Errors
Color Conversations to Distinguish Them
Temporarily Mark Packets of Interest
Section 7: Define Time Values and Interpret Summaries
Wireshark Certified Network Analyst Exam Objectives:
Use Time to Identify Network Problems
Understand How Wireshark Measures Packet Time
Choose the Ideal Time Display Format
Identify Delays with Time Values
Create Additional Time Columns
Measure Packet Arrival Times with a Time Reference
Identify Client, Server and Path Delays
Calculate End-to-End Path Delays
Locate Slow Server Responses
Spot Overloaded Clients
View a Summary of Traffic Rates, Packet Sizes and Overall Bytes Transferred
Section 8: Interpret Basic Trace File Statistics
Wireshark Certified Network Analyst Exam Objectives:
Launch Wireshark Statistics
Identify Network Protocols and Applications
Identify the Most Active Conversations
List Endpoints and Map Them on the Earth
Spot Suspicious Targets with GeoIP
List Conversations or Endpoints for Specific Traffic Types
Evaluate Packet Lengths
List All IPv4/IPv6 Addresses in the Traffic
List All Destinations in the Traffic
List UDP and TCP Usage
Analyze UDP Multicast Streams
Graph the Flow of Traffic
Gather Your HTTP Statistics
Examine All WLAN Statistics
Section 9: Create and Apply Display Filters
Wireshark Certified Network Analyst Exam Objectives:
Understand the Purpose of Display Filters
Create Display Filters Using Auto-Complete
Apply Saved Display Filters
Use Expressions for Filter Assistance
Make Display Filters Quickly Using Right-Click Filtering
Filter on Conversations and Endpoints
Understand Display Filter Syntax
Combine Display Filters with Comparison Operators
Alter Display Filter Meaning with Parentheses
Filter on the Existence of a Field
Filter on Specific Bytes in a Packet
Find Key Words in Upper or Lower Case
Use Display Filter Macros for Complex Filtering
Avoid Common Display Filter Mistakes
Manually Edit the dfilters File
Section 10: Follow Streams and Reassemble Data
Wireshark Certified Network Analyst Exam Objectives:
Follow and Reassemble UDP Conversations
Follow and Reassemble TCP Conversations
Follow and Reassemble SSL Conversations
Identify Common File Types
Section 11: Customize Wireshark Profiles
Wireshark Certified Network Analyst Exam Objectives:
Customize Wireshark with Profiles
Create a New Profile
Share Profiles
Create a Troubleshooting Profile
Create a Corporate Profile
Create a WLAN Profile
Create a VoIP Profile
Create a Security Profile
Q-1. Which format is used by capture filters?
A. editcap format
B. libpcap format
C. color filter format
D. Berkeley Packet Filtering (BPF) format
*This is a good choice if you are using the Answer Sheet available from
www.wiresharkbook.com/epg.
Q-2. You can use Wireshark's Expressions to build display filters.
True
False
Q-3. Which packet type may be transmitted by Wireshark when you enable network name
resolution?
A. DHCP requests
B. UDP multicasts
C. ping broadcasts
D. inverse DNS queries
Q-4. The location of Wireshark personal preference files is listed under Help | About Wireshark
| Folders.
True
False
Q-5. You can edit Wireshark's services file to change Wireshark's OUI display value from one
manufacturer name to another.
True
False
Q-6. Which statement about the settings shown in the Preferences window above is correct?
A. No interface is available.
B. The Protocol Hierarchy window will launch when the capture is started.
C. Wireshark will use inverse name queries to resolve local host addresses to IP addresses.
D. Wireshark will only capture traffic to the local adapter, broadcast or multicast addresses.
Q-7. The cfilters file can be shared with other Wireshark users by copying the file into another
host's personal preferences folder.
True
False
Q-8. Which feature is only available with promiscuous mode operation?
A. enables an interface to capture gratuitous ARP request packets
B. enables a WLAN adapter to capture packets regardless of the SSID value
C. enables an interface to capture packets that are sent to any MAC address
D. enables an interface to capture packets addressed to broadcast and multicast addresses
Q-9. AirPcap adapters can be used to expand Wireshark's ability to capture wireless network
traffic in a Microsoft Windows environment.
True
False
Q-10. Which statement about the Preferences setting shown above is correct?
A. Wireshark may generate DNS PTR queries to resolve host names.
B. Wireshark may generate port queries to ietf.org to resolve transport names.
C. Wireshark may generate OUI queries to ieee.org to resolve MAC addresses.
D. Wireshark may generate mDNS queries to resolve 500 host names simultaneously.
Q-11. Wireshark's Status Bar indicates the number of packets shown after a display filter is
applied.
True
False
Q-12. Custom columns can be added to and rearranged in the Packet List pane.
True
False
Q-13. Wireshark contains several pre-defined columns that can be quickly added to the Packet
List pane by right-clicking on a field in the Packet Details pane.
True
False
Q-14. Columns can be right, center or left aligned by right clicking on their heading in the
Packet List pane.
True
False
Q-15. Wireshark's pcap-ng format enables meta data to be saved with a trace file.
True
False
Q-16. What is the purpose of creating Wireshark profiles?
A. dynamically create a hosts file based on saved trace files
B. create a manageable database of packets for use in third-party programs
C. discover and test WEP/WPA keys and pass phrases for traffic decryption
D. customize Wireshark for more efficient analysis in specific environments
Q-17. What is the default name of the capture filter file?
A. cfilters
B. cformat
C. capture.txt
D. capturefilters.txt
Q-18. Which statement about the TCP stream shown above is correct?
A. The HTTP client will load the page from cache.
B. The HTTP server refused the client's TCP connection attempt.
C. The HTTP server redirected the client's request to another server.
D. The HTTP client sent an HTTP GET request for the default page.
Q-19. The MAC name resolution process resolves the first 3 bytes of the MAC address to the
OUI value contained in Wireshark's manuf file.
True
False
Q-20. Aggregating taps capture bi-directional full-duplex traffic and forward the traffic to
separate outbound ports.
True
False
Q-21. Wireshark's services file contains a list of port numbers and application/protocol names.
True
False
Q-22. Which link layer interface is used to capture wired network traffic when Wireshark is
running on a Linux host?
A. libpcap
B. WinPcap
C. AirPcap
D. dumpcap
Q-23. Wireshark can playback encrypted VoIP conversations.
True
False
Q-24. Which display filter shows all the TCP Expert Infos warnings and notes?
A. expert.all
B. tcp.errors
C. tcp.analysis.flags
D. expert.info.composite
Q-25. Any display filters created and saved while viewing the trace file shown above will be
saved in the "Default" profile directory.
True
False
Q-26. Wireshark's network name resolution process references Wireshark's hosts file before
generating inverse DNS queries to resolve IP addresses to host names.
True
False
Q-27. Which statement about the Capture Options window shown above is correct?
A. Wireshark will resolve IP addresses to host names.
B. Wireshark will scroll to display the most recent packet captured.
C. Wireshark will attempt to resolve OUI values for all MAC addresses.
D. Wireshark will automatically stop capturing packets after two files have been saved.
Q-28. Display filters applied to a trace file before opening the Protocol Hierarchy Statistics
window are automatically applied to the Protocol Hierarchy results displayed.
True
False
Q-29. Which statement about the highlighted capture filter shown above is correct?
A. This filter is illogical.
B. DNS PTR queries will not be captured.
C. Only UDP packets will be captured using this filter.
D. ARP packets to or from the DNS server will not be captured.
Q-30. Which statement about the Coloring Rules configuration shown above is correct?
A. All the coloring rules listed are based on capture filters.
B. The Clear button will restore the coloring rules to the default set.
C. HTTP packets with the reset bit set on will be colored based on the HTTP coloring rule.
D. UDP packets containing checksum errors will be displayed based on the UDP coloring rule.
Q-31. Port numbers set in the HTTP Preferences window for HTTP or HTTPS traffic are
temporary settings.
True
False
Q-32. Display filters and capture filters can be interchanged because they use the same syntax.
True
False
Q-33. By default, Wireshark uses the Type of Service interpretation in the IP header instead of
the DiffServ (Differentiated Services) interpretation.
True
False
Q-34. The Frame section of a packet always indicates which coloring rule has been applied to
the packet.
True
False
Q-35. Which display filter is used to view all DHCPv4 traffic?
A. bootp
B. dhcpv4
C. tcp.port==68
D. ip.addr==[address_of_dhcp_server]
Q-36. Which filter can be used as a coloring rule?
A. ip.ttl < 20
B. udp port 161
C. portrange 21-25
D. tcp port 25
Q-37. Conversations colored using the right-click coloring method will remain colored when the
trace file is opened on another Wireshark system.
True
False
Q-38. Which statement about marked packets is true?
A. Marked packets are only temporarily marked.
B. Marked packets can be used to generate display filters.
C. Marked packets can be created using coloring rule settings.
D. Marked packets are automatically saved in a temporary file.
Q-39. Display filter macros can be shared by copying the dfilters file from one Wireshark
system to another.
True
False
Q-40. Wireshark's Epoch time display format is based on the time since January 1 00:00:00 of
2000.
True
False
Q-41. Which traffic type may be seen when you connect Wireshark directly to a switch without
configuring port spanning or port mirroring?
A. broadcast traffic
B. noise and interference
C. DNS queries from all hosts
D. frames that contain CRC errors
Q-42. Wireshark's HTTP packet counter lists the HTTP request types such as EHLO and
RETR.
True
False
Q-43. Changing the Filter display max. list entries value in Wireshark's Preferences window
enables you to alter the number of recently created display filters that Wireshark shows in the
drop-down list.
True
False
Q-44. A trace file that is captured on a Wireshark system in Sydney, Australia and emailed to a
Wireshark system in London, England will appear with the same Date/Time of Day value to
both analysts if both Wireshark systems have correct local time zone settings.
True
False
Q-45. How do you quickly spot large gaps in time between packets in a trace file containing
10,000 packets?
A. Open and examine the Notes section of Wireshark's Expert Infos window.
B. Set the Time column to Seconds Since Epoch and scroll through the trace file.
C. Set the Time column to Seconds Since Previously Displayed Packet and sort the Time
column.
D. Sort the packets based on the Time Since Reference or First Frame in the frame details
section.
Q-46. You can sort the Time column to identify packets that have a large delay between them
when you have set the Time column to Seconds Since Epoch.
True
False
Q-47. Wireshark supports both capture filter macros and display filter macros.
True
False
Q-48. Which statement about the highlighted capture filter shown above is correct?
A. The filter will only capture local broadcast traffic.
B. The filter is using Wireshark's display filter syntax.
C. The filter will capture all traffic to and from D4:85:64:A7:BF:A3.
D. The filter is based on the Berkeley Packet Filter (BPF) format.
Q-49. Based on the image shown above, Wireshark's time display format is set to Seconds Since
Beginning of Capture.
True
False
Q-50. The Protocol Hierarchies window lists all the protocols and applications dissected by
Wireshark even if those protocols or applications were not seen in a trace file.
True
False
Q-51. In the trace file shown above, Wireshark's time display format is set to Seconds Since
Beginning of Capture. Which statement about this trace file is correct?
A. The Time column has been sorted.
B. Packet 5 arrived 0.034876 seconds before Packet 6.
C. The timestamps of Packet 1 through Packet 5 are invalid.
D. Packet 11 arrived 0.053866 seconds later than Packet 6.
Q-52. Time Reference packets are permanently set to a timestamp of 00:00:00 in a trace file.
True
False
Q-53. The first two packets of a single TCP handshake process can be used to determine the
long term average round trip latency time between hosts.
True
False
Q-54. The Conversations window shown above includes 239.255.255.250 as an endpoint.
True
False
Q-55. Packet timestamps are saved inside pcap and pcap-ng files so the packet timestamps can
be displayed when the file is opened again.
True
False
Q-56. Multicasts and broadcasts are not listed in the Endpoints window because they cannot be
assigned to a host.
True
False
Q-57. If you want to view decrypted SSL/TLS traffic, a valid RSA key setting is required prior
to using Follow SSL Stream.
True
False
Q-58. Your traffic contains many TCP retransmissions during an HTTP communication. Which
of the coloring rules shown above would these packets match?
A. HTTP
B. Bad TCP
C. TCP RST
D. WLAN Retries
Q-59. What is the most efficient method for saving non-contiguous packets in a trace file?
A. Mark the packets and choose to save the marked packets.
B. Apply a capture filter for each packet and save all colored packets.
C. Open each packet in a new window and save them under the same file name.
D. Right click and copy the packets individually to a new instance of Wireshark.
Q-60. Which address type can be mapped with Wireshark's GeoIP mapping services?
A. public IP addresses
B. MAC and IP addresses
C. broadcast and multicast addresses
D. private IP addresses
Q-61. Which of these filters can be used as either a capture filter or a display filter?
A. dns
B. udp
C. dhcp
D. broadcast
Q-62. Wireshark's default set of display filters are saved in a file called dfilters in the global
configuration directory.
True
False
Q-63. Which capture filter would capture traffic to and from TCP ports 20 through 25?
A. tcp port 20-25
B. tcp portrange 20-25
C. tcp.port > 19 && tcp.port < 26
D. tcp port gt 19 and tcp port lt 26
Q-64. The Conversations window shown above indicates that there are two unique IP endpoints
running over three Ethernet addresses.
True
False
Q-65. UDP, TCP and ARP packets are counted in the IP Protocol Types statistic.
True
False
Q-66. The Protocol Hierarchy Statistics window shown above indicates that 10.53% of the IP
traffic is ARP.
True
False
Q-67. Which traffic characteristic is commonly seen when analyzing database record transfers?
A. multicast responses
B. small packet sizes
C. large delays between transmissions
D. separate connections for each record
Q-68. ICMP Type 3/Code 4 packets (Destination Unreachable/Fragmentation Needed, but
Don't Fragment Bit was Set) may indicate that a router along a path cannot forward a packet.
True
False
Q-69. Which communication can be used by a host to dynamically join a multicast group?
A. Multicast DNS (mDNS)
B. Open Shortest Path First (OSPF)
C. Protocol Independent Multicast (PIM)
D. Internet Group Management Protocol (IGMP)
Q-70. When you select Prepare a filter, the filter is immediately applied to the traffic.
True
False
Q-71. When you disable the TCP protocol decoding process, applications that use TCP (such as
HTTP and FTP) will not be decoded.
True
False
Q-72. What does Wireshark's UDP Multicast Streams burst measurement interval depict?
A. total time length of a burst set of multicasts
B. timing between separate multicast burst sets
C. number of multicast packets within a specific number of milliseconds
D. number of different multicasts groups seen within a specific number of milliseconds
Q-73. How can you quickly identify all WLAN BSSIDs seen in a trace file?
A. Open Statistics | WLAN Traffic
B. Sort on the MAC header type field value
C. Open Statistics | Summary
D. Apply a wlan display filter
Q-74. Wireshark's display filter syntax can be used for capture filters as well.
True
False
Q-75. The filter shown above will display all ARP packets as well as all TCP packets seen by
Wireshark.
True
False
Q-76. Display filters can be created based on the contents of fields that do not actually exist in a
packet such as the Time Since Referenced or First Packet field.
True
False
Q-77. The following capture filter will capture all FTP traffic on port 21 regardless of the
destination or source host.
host www.wiresharkbook.com and port 21
True
False
Q-78. The Time Reference setting is saved permanently with the trace file.
True
False
Q-79. Which Wireshark feature provides an overview of saved or unsaved packets such as the
time elapsed from the start to the end of the trace and total bytes in the trace file?
A. IO Graphs
B. Flow Graphs
C. Summary Statistics
D. Expert Info Composite
Q-80. Network analyzers may cause security concerns because they can be used maliciously to
listen in on unencrypted network traffic.
True
False
Q-81. Which Wireshark element can be created using the display filter syntax?
A. ACL rules
B. capture filters
C. coloring rules
D. reference packets
Q-82. Comparison and logical operators enable you to combine multiple display filters to further
define the traffic of interest.
True
False
Q-83. Which statement about the following display filter is true?
eth.src[4:2] == 06:33
A. The number 2 indicates that Wireshark is looking for a two byte value.
B. The number 4 indicates that Wireshark is looking at the first four bytes of the Ethernet
header.
C. The value 06:33 indicates that Wireshark is looking for Ethernet source addresses starting
with 06:33.
D. The value 06:33 indicates that Wireshark is looking six bytes into the Ethernet header for
the value 33.
Q-84. Display filters cannot be applied during the capture process.
True
False
Q-85. The ip.addr != 192.168.0.2 display filter shows all packets except ones that
contain the address 192.168.0.2 in the source or destination IP address fields.
True
False
Q-86. You can reorder the filters contained in the dfilters file by manually editing the dfilters
text file.
True
False
Q-87. Coloring Rules are temporary settings maintained in the cfilters file.
True
False
Q-88. Only one TCP conversation in the trace file shown above can use the TCP Stream Index
value of 0.
True
False
Q-89. Which statement about following TCP streams is correct?
A. This feature uses the TCP Stream Index value.
B. An endpoint filter is created when you follow any stream.
C. You must filter on a TCP conversation before following the stream.
D. You must capture the TCP handshake process to follow a TCP stream.
Q-90. File identifiers indicate the application used to create or open a file.
True
False
Q-91. All WLAN adapters supported by WinPcap can go into monitor mode.
True
False
Q-92. How do you determine which Profile is in use while you are capturing traffic?
A. Examine the Wireshark Title Bar.
B. Open and examine Preferences | Interface.
C. Examine the Profile column in the Status Bar.
D. Expand and examine the Frame information.
Q-93. When using the or operator in an inclusion capture filter, a packet that matches one or more sides of the operator will pass through the filter and be captured.
True
False
Q-94. Which of the following methods can be used to avoid the "needle in a haystack issue"
when analyzing network traffic?
A. span all ports of a core switch
B. use Tshark to capture to file sets
C. place the analyzer appropriately
D. only capture traffic on wired networks
Q-95. Which item can be saved with a Wireshark profile?
A. services file
B. editcap scripts
C. preference settings
D. most recent IO Graph settings
Q-96. Which statement about the Coloring Rules configuration shown above is correct?
A. The HTTP coloring rule will identify HTTP and SSL/TLS traffic.
B. The UDP coloring rule will be applied to all normal DHCP traffic.
C. TCP packets with incorrect checksums will be colorized based on the Checksum Errors
coloring rule.
D. The TCP SYN/FIN coloring rule will identify packets that have both the SYN and FIN bits
set to 0 in a packet.
Q-97. Which statement about capture filters is correct?
A. Capture filters are used for coloring rules.
B. Wireshark includes a default set of capture filters.
C. Capture filters can be applied after the capture process begins.
D. Capture filters can be applied while you are opening a trace file.
Q-98. In the trace file shown above, the time display setting is defined as Seconds Since
Previously Displayed Packet. Packet 11 arrived .020238 seconds after packet 9.
True
False
Q-99. By default, Wireshark maintains your existing personal settings during the installation
process, but overrides the global settings such as the default manuf file.
True
False
Q-100. Disabling promiscuous mode limits your ability to capture local multicast traffic.
True
False
That's the end of Part 1. Jump to the answer or go to the next page to view the Part 1 Answer Key. Download the Answer Sheet from www.wiresharkbook.com/epg to fill out your answers on paper and grade with the matching Answer Key.
Part 1 Answer Key
A-1: D
A-2: True
A-3: D
A-4: True
A-5: False
A-6: D
A-7: True
A-8: C
A-9: True
A-10: A
A-11: True
A-12: True
A-13: True
A-14: True
A-15: False
A-16: D
A-17: A
A-18: D
A-19: True
A-20: False
A-21: True
A-22: A
A-23: False
A-24: C
A-25: False
A-26: True
A-27: B
A-28: True
A-29: A
A-30: B
A-31: False
A-32: False
A-33: False
A-34: True
A-35: A
A-36: A
A-37: False
A-38: A
A-39: False
A-40: False
A-41: A
A-42: False
A-43: True
A-44: False
A-45: C
A-46: False
A-47: False
A-48: D
A-49: False
A-50: False
A-51: D
A-52: False
A-53: False
A-54: True
A-55: True
A-56: False
A-57: True
A-58: B
A-59: A
A-60: A
A-61: B
A-62: True
A-63: B
A-64: False
A-65: False
A-66: False
A-67: B
A-68: True
A-69: D
A-70: False
A-71: True
A-72: C
A-73: A
A-74: False
A-75: True
A-76: True
A-77: False
A-78: False
A-79: C
A-80: True
A-81: C
A-82: True
A-83: A
A-84: False
A-85: False
A-86: True
A-87: False
A-88: True
A-89: A
A-90: True
A-91: False
A-92: C
A-93: True
A-94: C
A-95: C
A-96: B
A-97: B
A-98: True
A-99: True
A-100: False
Part 1 Answer Explanations
Indicates the related chapter in Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide (Second Edition)
A-1 Details: D
Capture filters use the Berkeley Packet Filter (BPF) format (also referred to as the tcpdump format). Because capture filters use this format and display filters use Wireshark's own filtering format, the two are not interchangeable. Some capture filters, such as ip, udp and tcp, just happen to use the same syntax as display filters, which sometimes leads people to believe mistakenly that the two formats are the same. Editcap is a command-line tool and libpcap is a link-layer interface; neither is involved in creating or applying any type of filter. Color filters use the display filter format.
Chapter 4: Create and Apply Capture Filters and Chapter 9: Create and Apply Display Filters
A-33 Details: False
By default, Wireshark uses the DiffServ (Differentiated Services) interpretation in the IP header
instead of the Type of Service interpretation. You can change this setting by disabling Decode IPv4
TOS field as DiffServ field in the IP preferences. For details on how the Differentiated Services
field works, refer to Chapter 17 of Wireshark Network Analysis-Second Edition.
Q-102. IP routers apply a new MAC header to packets before forwarding them on to the next
network.
True
False
Q-103. The TCP backoff algorithm is used to determine the number of retransmission attempts
before giving up on a TCP connection.
True
False
Q-104. The ARP packet shown above is a request to identify the MAC address of 10.64.0.164.
True
False
Q-105. TCP peers increment their sequence numbers by 1 during the handshake process even
though no data is contained in the SYN or SYN/ACK packets.
True
False
Q-106. Which statement about the TCP recovery process is true?
A. A single duplicate ACK can trigger a retransmission.
B. TCP hosts attempt two retransmissions before terminating the connection.
C. Retransmitted packets use the same sequence number as the original lost packet.
D. Packet loss recovery is always started by the TCP host who initiated the connection.
Q-107. A high number of Duplicate ACKs seen before a TCP retransmission may be a sign of
high latency along a path.
True
False
Q-108. Which Advanced IO Graph Calc function would be best for graphing the frequency of
tcp.analysis.retransmission packets?
A. MIN(*)
B. SUM(*)
C. LOAD(*)
D. COUNT(*)
Q-109. Why can't ARP packets be routed?
A. All ARP packets are IP broadcasts.
B. ARP packets do not have an IP header.
C. ARP packets have a Time to Live value of 0.
D. ARP packets are smaller than the minimum packet size allowed.
Q-110. The UDP header checksum calculation is required for all UDP-based communications.
True
False
Q-111. The IO Graph shown above compares all traffic to packets that trigger Wireshark's
TCP analysis flags.
True
False
Q-112. Which pattern would be seen during a failed TCP connection attempt?
A. SYN, RST/ACK
B. SYN, SYN/RST
C. SYN, ACK, RST
D. SYN, SYN/ACK, ACK, RST
Q-113. If a DHCP client's renewal and rebinding process fails, the DHCP client must release its IP address and send a DHCP Discover broadcast to locate a DHCP server or Relay Agent.
True
False
Q-114. Which condition could cause you to see ARP queries, but not ARP responses in a trace?
A. Wireshark is not capturing in .pcap-ng format.
B. You have applied a capture filter for UDP traffic.
C. You are connected to a switch port that is not spanned.
D. You must enable Update List of Packets in Real Time in Wireshark's capture preferences.
Q-115. You can enable Wireshark's duplicate IP address detection mechanism in the
ARP/RARP preferences configuration.
True
False
Q-116. IP provides the fragmentation and reassembly for low MTU (Maximum Transmission
Unit) network paths.
True
False
Q-117. Which statement about the IP header shown above is correct?
A. This packet cannot cross a router.
B. A TCP header will follow this IP header.
C. This packet is the last part of an IP fragment set.
D. This packet contains an invalid Identification field value.
Q-118. What term does Wireshark use to define TCP retransmissions that occur within
20 ms of a Duplicate ACK?
A. fast retransmissions
B. retransmissions
C. duplicate retransmissions
D. unsolicited retransmissions
Q-119. The purpose of the TCP SYN bit is to synchronize the Initial Sequence Number value of
the sender.
True
False
Q-120. ARP request packets and ARP reply packets use different formats.
True
False
Q-121. Which step is performed by a router before it forwards an IP packet?
A. The target IP address is examined to make routing decisions.
B. The source MAC address is verified against the IP routing table.
C. The destination MAC address is looked up in the forwarding tables.
D. The network name of the target is resolved using DNS.
Q-122. If an ICMP Destination Unreachable/Port Unreachable (Type 3/Code 3) is sent in
response to a DHCP Request packet, the DHCP server daemon may not be running on the
target.
True
False
Q-123. Which statement about the IP header shown above is correct?
A. The entire packet is 328 bytes long.
B. A UDP header will follow this IP header.
C. This packet is the second part of an IP fragment set.
D. This packet contains the minimum TTL value allowed.
Q-124. What is the maximum value that can be defined in the TCP Window Size field?
A. 16
B. 32
C. 1,024
D. 65,535
Q-125. The ICMP packet shown above will update the routing tables of the target.
True
False
Q-126. When packet loss and delays are not incurred, the TCP Time-Sequence Graph plot
points run from the lower left corner to the upper right corner in a diagonal line of I-bars.
True
False
Q-127. Which statement about DHCP communications is correct?
A. DHCP Request packets are sent to the IP multicast address.
B. DHCP servers ping DHCP clients after assigning IP addresses.
C. Relay Agents forward messages between DHCP clients and DHCP servers.
D. Three identical DHCP Discover packets will trigger a duplicate DHCP ACK.
Q-128. TCP/IP will not generate DNS host name queries if a sender defines a specific target IP
address.
True
False
Q-129. The IPv4 Total Length field includes the data link padding in the calculation.
True
False
Q-130. The display filter tcp.analysis.flags shows all packets that have the TCP Reset
bit set to 1.
True
False
Q-131. Which statement about the packet shown above is correct?
A. This packet should be routed.
B. This packet was sent from a DHCP/BOOTP client.
C. This packet should have been sent to the DHCP server IP address.
D. This packet was sent to determine if an IP address is already in use.
Q-132. ICMP redirects can be sent by servers to indicate a service is unavailable.
True
False
Q-133. Which statement about the ICMP packet shown above is correct?
A. This packet was sent from 10.0.0.99.
B. This is an ICMP echo request packet.
C. This type of packet contains two IP headers.
D. This packet does not meet the minimum packet size requirements.
Q-134. Which file contains the TCP Expert information?
A. services
B. libpcap
C. packet-tcp.c
D. coloringrules
Q-135. What type of device can alter IP header addressing?
A. a layer 2 switch
B. a firewall using Access Control Lists (ACLs)
C. a Network Address Translation (NAT) device
D. a router using Differentiated Services (DiffServ)
Q-136. The syntax for ICMP capture filters is icmp.
True
False
Q-137. The packet shown above is a DNS inverse query packet used to resolve an IP address to
a host name.
True
False
Q-138. Which transport layer protocol is used for multicast traffic?
A. ARP
B. TCP
C. UDP
D. ICMP
Q-139. Which statement about the packet shown above is correct?
A. This UDP header is 8 bytes long.
B. The UDP header checksum is too short.
C. This packet should use a TCP header instead of a UDP header.
D. The Time to Live field indicates that this packet cannot cross another router.
Q-140. Which statement about ICMP is true?
A. ICMP traffic uses window scaling.
B. All ICMP packets are the same length.
C. Port filtering firewalls can block ICMP Echo Requests.
D. ICMP packets do not contain a UDP or TCP header.
Q-141. When a DNS response is truncated, the DNS client may generate another DNS query
using TCP as the transport method.
True
False
Q-142. Which communication uses UDP as the transport-layer protocol?
A. ARP
B. ICMP
C. DHCP
D. RARP
Q-143. Which step is required when you want to export the TCP Calculated Window Size
information shown in the packet above for analysis in a CSV format file?
A. Select File | Save As on any packet that contains data bytes.
B. Right click on the TCP Calculated Window Size field and export this field independently.
C. Add the TCP Calculated Window Size column to the Packet List pane before exporting.
D. Enable field exporting in Preferences | Protocols | TCP and save all packets.
Q-144. The UDP header length field value includes data link padding if it exists.
True
False
Q-145. Which function provides host name-to-IP address resolution services?
A. DNS
B. ICMP
C. DHCP
D. SNMP
Q-146. The broadcast address can be used in the IP source address field.
True
False
Q-147. Which DNS function is used to enable a target DNS server to ask another server for an
answer on behalf of the DNS client?
A. multicasting
B. proxy resolution
C. iterative queries
D. recursive bit setting
Q-148. The display filter syntax for UDP-based traffic is udp.
True
False
Q-149. TCP offers a connection-oriented transport service that begins with a two-way
handshake between devices.
True
False
Q-150. ICMP Destination Unreachable messages sent in response to an FTP connection attempt
indicate the FTP port is likely firewalled.
True
False
Q-151. Which feature is supported by IO Graphs?
A. trend lines
B. capture filtering
C. forecasting/predictions
D. copying to CSV format
Q-152. TCP packets contain sequence and acknowledgment information to ensure delivery and
enable recovery for lost packets.
True
False
Q-153. Which Wireshark feature is used to make the process of following
TCP Sequence/Acknowledgment numbers easier to interpret?
A. predicted sequence numbers
B. relative sequence numbering
C. compressed sequence numbers
D. sequence number interpretations
Q-154. Which statement about TCP sequence and acknowledgment numbering is correct?
A. The starting acknowledgment number should be set to 65,535.
B. The sequence number increments by 1 for each data packet transmitted.
C. Both sides of a TCP connection begin with the Initial Sequence Number value of 1.
D. The acknowledgment number indicates the sequence number expected from the TCP peer.
Q-155. Which statement about the DNS packet shown above is correct?
A. This is an inverse DNS query.
B. This is a DNS response packet.
C. This DNS packet indicates that a domain name could not be resolved.
D. This is a request to resolve the IP address 2.26.64.24.
Q-156. A router that supports proxy ARP may answer an ARP broadcast on behalf of a server
located on another network.
True
False
Q-157. The display filter tcp.flags.syn==1 && tcp.flags.ack==1 and the display
filter tcp.flags==0x12 would display the packet shown above.
True
False
Q-158. DNS transaction ID numbers associate DNS queries with DNS responses.
True
False
Q-159. Filter Expression buttons are saved in the dfilters file.
True
False
Q-160. Which statement about the packet shown above is correct?
A. The TCP Sequence Number value is invalid.
B. This is the first packet of a TCP handshake process.
C. The TCP header is too long to be processed properly.
D. The TCP stream index indicates that this is a failed TCP connection attempt.
Q-161. TCP peers maintain a TCP Retransmission Timeout (RTO) value to determine how
many times they should attempt a TCP retransmission before giving up.
True
False
Q-162. What is the purpose of a DNS CNAME?
A. defines an alias name
B. offers inverse DNS information
C. generates a common name as a DNS host name
D. indicates multiple IP addresses are contained in a DNS response
Q-163. Network congestion can be caused by interconnecting devices that support low link
speeds such as 10 Mbps.
True
False
Q-164. Which feature offers Assured Forwarding and Expedited Forwarding in IPv4
implementations?
A. Full-duplex routing
B. Differentiated Services
C. Type of Service/Precedence
D. Explicit Congestion Notification
Q-165. The TCP receive window defines available TCP buffer space.
True
False
Q-166. A TCP window size of 1,024 may interrupt the data transfer process.
True
False
Q-167. The BOOTP-DHCP Statistics window lists the DHCP message types seen in a live
capture or saved trace file.
True
False
Q-168. IP fragmentation problems can arise when ICMP Type 3, Code 2 packets are blocked, preventing a host from learning why its packets did not make it to a destination.
True
False
Q-169. Which statement about TCP Selective Acknowledgments is correct?
A. Selective Acknowledgment byte ranges are displayed in the TCP options area.
B. Selective Acknowledgment capability can be set up after the first packet is lost.
C. Selective Acknowledgments can be used if only one side of a TCP connection supports it.
D. Selective Acknowledgment can be used with UDP communications if a TCP connection
fails.
Q-170. Window scaling is established during the TCP handshake process to enable hosts to use
window sizes greater than 65,535.
True
False
Q-171. The TCP Time-Sequence Graph can depict window zero conditions.
True
False
Q-172. Which TCP setting must be enabled in order to use the tcp.analysis.flags
display filter?
A. Try Heuristic Subdissectors First
B. Analyze TCP Sequence Numbers
C. Allow Subdissector to Reassemble TCP Streams
D. Window Scaling and Relative Sequence Numbers
Q-173. A Window Update packet contains no data, but indicates that the sender's TCP window
size field value has decreased.
True
False
Q-174. Which statement about the DHCP renewal time is true?
A. The renewal time cannot be shorter than the lease time.
B. The renewal time is calculated as 75% of the Lease Time.
C. The renewal time value is provided by the DHCP client to the DHCP server.
D. The renewal time defines when the DHCP client must contact the DHCP server.
Q-175. IO Graphs support display filters.
True
False
Q-176. If you do not see anything plotted when you open a TCP Round Trip Time Graph, you
might be plotting a UDP conversation.
True
False
Q-177. Which statement about the IO Graph shown above is correct?
A. This IO Graph is being displayed during a live capture.
B. This IO Graph shows the bytes per second rate of an HTTP session.
C. This IO Graph indicates there is a 30-second drop in packet throughput.
D. This IO Graph shows the packets per second rate of TCP and UDP payload only.
Q-178. TCP Throughput Graphs are bi-directional and plot the results for the entire trace file.
True
False
Q-179. UDP headers have a static length.
True
False
Q-180. Which statement about the packet shown above is correct?
A. This packet is 1460 bytes in length.
B. This is the second packet of the TCP handshake process.
C. The Stream Index value indicates the TCP connection failed.
D. This packet contains an invalid Acknowledgment Number field value.
Q-181. Which statement about the packet shown above is correct?
A. This packet is being sent from an HTTP server.
B. This packet is establishing a Selective ACK connection.
C. Sequence Number 1787370 is the next expected sequence number from 61.8.0.17.
D. The sender has not received packets using Sequence Numbers 1835550-1847230 or
1829710-1834090.
Q-182. DHCP Releases are sent from a DHCP client to a DHCP server to relinquish a
network address.
True
False
Q-183. The capture filter syntax for TCP communications is tcp.
True
False
Q-184. Which Calc value is best suited to graph the IO rate using tcp.len?
A. SUM(*)
B. MIN(*)
C. LOAD(*)
D. MAX(*)
Q-185. The capture and display filter syntax for ARP requests and replies is arp.
True
False
Q-186. Advanced IO Graphs can be used to compare round trip latency times of various
applications.
True
False
Q-187. Which statement about this Advanced IO Graph setting shown above is true?
A. This graph would isolate UDP and ICMP performance problems.
B. This graph would help spot QoS problems between applications.
C. This graph will define the maximum RTT value for traffic on ports 21, 80 and 8080.
D. Graphs 2, 3 and 4 will show identical information if the same number of packets are seen in
the trace file.
Q-188. Both sides of a TCP connection must negotiate a common TCP window size value
during the handshake process.
True
False
Q-189. TCP Round Trip Time Graphs depict the maximum latency times flowing bi-directionally in a conversation.
True
False
Q-190. Which filter would capture all DHCP traffic?
A. bootp
B. dhcp
C. udp port 67
D. tcp port == 68
Q-191. What value should be placed in the target hardware address field in an ARP request?
A. FF:FF:FF:FF:FF:FF
B. 01:FF:FF:FF:FF:FF
C. 00:00:00:00:00:00
D. the subnet multicast address
Q-192. The color of the Expert Infos button on the Status Bar indicates the highest level
classification of Expert Information detected in a live capture or saved trace file.
True
False
Q-193. Which protocol is used to locate the hardware address of a local target?
A. IP
B. ARP
C. DNS
D. DHCP
Q-194. Which statement about TCP is correct?
A. TCP supports sliding windows.
B. TCP has 20% less overhead than UDP.
C. TCP packets use a static header length.
D. TCP connections begin with a four-part handshake.
Q-195. The TCP Time-Sequence Graph can depict packet loss, duplicate ACKs and
retransmissions.
True
False
Q-196. The TCP Round Trip Time Graph shown above indicates the highest round trip latency
time seen in this trace file is 19 seconds.
True
False
Q-197. Which statement about the packet shown above is correct?
A. This packet is establishing window scaling between the two TCP hosts.
B. The Window Size field value indicates that no additional data can be received by
10.0.52.164.
C. Based on an MSS value of 1460, the sender has enough receive buffer space for two full-sized TCP segments.
D. The Sequence Number field value is too low to allow additional data segments to be
received by 10.0.52.164.
Q-198. The default ports for DHCP communications are port 68 (server daemon) and port 67
(client process).
True
False
Q-199. A host that increases the TCP Acknowledgment Number field value in outbound TCP
packets is receiving data from a TCP peer.
True
False
Q-200. This Expert Infos Chats window shown above indicates that receiver congestion has
caused a network disconnection.
True
False
Q-201. Which Advanced IO Graph Calc function would be best for graphing the frequency of
tcp.analysis.duplicate_ack packets?
A. MIN(*)
B. SUM(*)
C. LOAD(*)
D. COUNT(*)
Q-202. The TCP handshake process is SYN, SYN/ACK, ACK.
True
False
Q-203. Which statement about the packet shown above is correct?
A. The IP address offered is invalid.
B. The DHCP client is using a DHCP Relay Agent.
C. The Subnet Mask value is incorrect for this DHCP client.
D. The DHCP client and DHCP server are on the same network.
Q-204. Which statement about the DHCP Discover process is correct?
A. DHCP Discover packets are sent after DHCP Request packets.
B. The DHCP Discover process runs every 10 seconds during the IP address lease time.
C. DHCP Discover packets are sent by DHCP servers to identify assigned IP addresses.
D. The DHCP Discover process is used to locate a DHCP server or a DHCP Relay Agent.
Q-205. The capture filter tcp.port 67 would capture all DHCP traffic seen by Wireshark.
True
False
Q-206. DNS query packets are dynamic length packets.
True
False
Q-208. In monitor mode, an 802.11 adapter only captures packets of the first SSID seen by the
adapter.
True
False
Q-209. In order to capture all WLAN management and control traffic, your Wireshark system
adapter must support promiscuous mode. Monitor mode is not required.
True
False
Q-210. Wireshark can only decrypt WPA and WPA2 traffic with the proper RSA decryption
keys.
True
False
Q-211. If no response is received when a TCP FIN scan is performed, the target port is likely
either open or filtered.
True
False
Q-212. FTP data is only transferred over port 21.
True
False
Q-213. You can create custom columns based on the individual fields contained in a WLAN
Radiotap or PPI header.
True
False
Q-214. There are three modes of FTP data transfer - passive mode, active mode and proxy
mode.
True
False
Q-215. ARP ping can be used to discover all remote devices even if those devices are running
local firewalls.
True
False
Q-216. Which type of WLAN frame is a Disassociation Request frame?
A. Data
B. Control
C. Connection
D. Management
Q-217. TCP full scans appear as TCP three-way handshakes.
True
False
Q-218. The display filter retries==1 can be used to view WLAN retransmission packets.
True
False
Q-219. Which statement about the FTP packet shown above is correct?
A. This packet was sent from an FTP server.
B. The sender will open port 52904 for an FTP data connection.
C. The window size value indicates only files smaller than 7,970 bytes can be sent.
D. The packet is a request for the FTP server to open port 52904 for a new TCP connection.
Q-220. Which statement about the packet shown above is correct?
A. This is a WLAN retransmission packet.
B. The packet is too short for a wireless network.
C. The PPI header was applied by the receiver.
D. The sender has not associated with an access point yet.
Q-221. Baselining is the process of creating trace files of normal communications on the
network.
True
False
Q-222. Which statement about the WLAN packet shown above is correct?
A. This is an 802.11 retransmission.
B. This is a WLAN Management frame.
C. This is the second fragment in a fragment set.
D. This packet will occur every 1,000 ms by default.
Q-223. The display filter syntax for all FTP command and data channel traffic is
tcp.port==21.
True
False
Q-224. In an active mode FTP data transfer, the client provides its IP address and listening port
number to the FTP server.
True
False
Q-225. During a UDP scan, which response indicates that the service is not available on the
target?
A. any response with the RST bit set
B. any response with the SYN bit set
C. ICMP Destination Unreachable/Port Unreachable
D. ICMP Destination Unreachable/Protocol Unreachable
Q-226. The capture filter syntax for POP traffic is tcp port 110.
True
False
Q-227. HTTP packets are static length packets.
True
False
Q-228. Session Initiation Protocol (SIP) is a protocol that can be used to set up a VoIP call.
True
False
Q-229. Which statement about the traffic shown above is correct?
A. This is a TCP port scan.
B. The SYN packets are sent from multiple source port numbers.
C. The responses to the SYN packets should only have the RST bit set.
D. A TCP connection has been established to the sybaseanywhere port.
Q-230. Try to decode RTP outside of conversations should be set if Wireshark cannot identify
the RTP traffic in a trace file.
True
False
Q-231. You are working with a VoIP trace file that depicts packet loss due to jitter issues.
Lowering Wireshark's jitter buffer value from 100 ms to 25 ms before playback will cause more
packets to be dropped during the playback.
True
False
Q-232. You can apply a display filter to a Flow Graph.
True
False
Q-233. Baselines should be created as soon as the network appears to have throughput
problems.
True
False
Q-234. Excessive RF noise can cause connectivity problems on WLANs.
True
False
Q-235. You cannot load Wireshark on a host and capture that same host's bootup baseline information.
True
False
Q-236. Which WLAN frames are used by stations to discover an access point that does not
broadcast an SSID?
A. beacons
B. probe requests
C. reassociation requests
D. authentication requests
Q-237. To decrypt SSL communications, you must configure the SSL preferences to recognize
the traffic that you want to decrypt and point to a directory that contains your RSA key.
True
False
Q-238. Which statement about the HTTP packet shown above is correct?
A. This packet was sent from an HTTP server.
B. This packet contains an invalid HTTP URI.
C. The packet is sending a cookie to an HTTP client.
D. This packet is from an HTTP client that is browsing webcast.aph.gov.au.
Q-239. You can use display filters with saved files and Tshark.
True
False
Q-240. Watching the traffic flow to and from a host when no one is using the host can identify
unattended background traffic.
True
False
Q-241. Baselines of WLAN environments should include analysis of RF noise rates.
True
False
Q-242. One of the easiest ways to identify delays in a trace file is to set the Time column to
Seconds Since Beginning of Capture.
True
False
Q-243. Which statement about packet timestamps is correct?
A. Packet timestamps are provided by WinPcap, libpcap, or AirPcap.
B. Packet timestamps for pcap files can denote time to the nanosecond level.
C. You can use Editcap to alter packet timestamps of separate packets in a trace file.
D. Sorting on the packet timestamp column alters the packet numbers in the trace file.
Q-244. The frame.time_relative == 0 display filter shows packets marked with a Time
Reference as well as the first packet in the trace file.
True
False
Q-245. In a UDP-based application, the retransmission timeout value is defined by the IP
timeout setting.
True
False
Q-246. WLAN stations can either wait for a beacon frame from the access point or the stations
can send an association request to discover the access point.
True
False
Q-247. ICMP redirection packets may be an indication that a path is not optimal.
True
False
Q-248. Which network problem may cause throttling of possible throughput maximums?
A. congestion along a network path
B. an overloaded TCP connection table
C. minimal packet sizes
D. receive window size set at 65,535
Q-249. Baselines of broadcast and multicast traffic can help identify new hosts on the network
in a passive discovery manner.
True
False
Q-250. When you are analyzing network performance related to slow responses, the Time
column can help spot delays between requests and replies.
True
False
Q-251. The packet shown above did not receive a response. Which issue could cause such a
condition?
A. The TCP port at the target is closed.
B. There is packet loss along the path.
C. The target has a window zero condition.
D. Selective Acknowledgment is not enabled.
Q-252. Network forensics and host forensics provide the same type of evidence of breaches.
True
False
Q-253. Analysis of hard drive contents is not part of the network forensics process.
True
False
Q-254. Your web server runs the HTTP daemon on port 92. How can you configure Wireshark
to permanently dissect this traffic as HTTP?
A. Add port 92 in the HTTP Preferences area.
B. Create a User Specified Decode for port 92 traffic.
C. Select Decode As and replace port 80 with port 92.
D. Change the name listed for port 92 in Wireshark's services file.
Q-255. Network forensic evidence may be gathered for either proactive or reactive analysis.
True
False
Q-256. RTP provides transport functions for real-time data such as audio over multicast or
unicast network services.
True
False
Q-257. Wireshark may transmit data on the network if you have enabled network name
resolution and/or launch a GeoIP map from the endpoints window.
True
False
Q-258. The traffic pattern of a TCP scan is difficult to identify.
True
False
Q-259. Coloring rules can be created to spot traffic of various scanning and malicious tools.
True
False
Q-260. Capturing your traffic when you run discovery or testing tools can help you identify the
signatures of those tools.
True
False
Q-261. Which command-line tool can be used to create file sets out of a single trace file?
A. tcpdump
B. Capinfos
C. Editcap
D. Mergecap
Q-262. Which network condition can cause excessive jitter on a VoIP network?
A. SIP errors
B. packet retransmissions
C. TCP Window Scaling usage
D. Quality of Service configurations
Q-263. You can use Follow TCP Stream after selecting an HTTPS packet, but the data traffic
will be encrypted unless an RSA key is set.
True
False
Q-264. An FTP passive mode connection may not work if a server firewall blocks incoming
connections on the passive mode port number.
True
False
Q-265. You can use ARP to scan the local network for active hosts.
True
False
Q-266. Which VoIP element can be used to carry the call setup commands?
A. Session Initiation Protocol (SIP)
B. Realtime Transport Protocol (RTP)
C. Transmission Control Protocol (TCP)
D. Realtime Transport Control Protocol (RTCP)
Q-267. Null scans use illegal TCP flag settings.
True
False
Q-268. UDP scans can be used to perform quick connectivity tests.
True
False
Q-269. An unusually high number of TCP SYNs and RSTs without any transfer of data is a
possible indication that a TCP scan is underway.
True
False
Q-270. What is the approximate interval of WLAN beacon frames?
A. 1 ms
B. 100 ms
C. 1,000 ms
D. 100,000 ms
Q-271. Which statement about the packet shown above is correct?
A. This packet contains 946 bytes of VoIP call data.
B. The RTP communication will use UDP port 5060.
C. This SDP information is contained in a SIP packet.
D. This packet will not be processed because the Owner/Creator information is required.
Q-272. Which statement about the packet shown above is correct?
A. This is a TCP retransmission.
B. The packet contains email data.
C. The sender supports Enhanced SMTP.
D. This packet is sent from the "accelenet" application.
Q-273. Throughput baselining may require the use of a data transmission tool to generate
traffic.
True
False
Q-274. TCP ACK scans are not used to identify open ports.
True
False
Q-275. What type of TCP scan would this filter display?
(tcp.flags.urg==1) && (tcp.flags.push==1) && (tcp.flags.fin==1)
A. IP scan
B. Xmas scan
C. stealth scan
D. half-connect scan
Q-276. What may be the purpose of the traffic shown in the image above?
A. scan to identify active hosts on a network
B. scan to determine open UDP ports on a target
C. scan to discover IP-based protocols on a target
D. scan to determine if a host is active on the network
Q-277. Creating a baseline of normal protocols and applications on the network can help you
identify breached hosts based on unusual traffic patterns.
True
False
Q-278. Suspect traffic may simply be caused by poorly performing applications.
True
False
Q-279. TCP/IP port resolution relies on the integrity of the local host's services file (used by the
TCP/IP stack) and the application that is requesting to use a specific port number.
True
False
Q-280. If a malicious user program has altered the content of Wireshark's services file, the OUI
name resolution process may be affected.
True
False
Q-281. If desired, you can force Wireshark to temporarily dissect traffic to and from port 2600
as FTP traffic using the Decode As function.
True
False
Q-282. You can enable key discovery in Wireshark's WLAN Preferences to dynamically
discover WLAN decryption keys.
True
False
Q-283. Which statement about HTTP analysis is correct?
A. You should export HTTP objects to find TCP transport errors.
B. You should reassemble TCP streams to identify HTTP round trip delays.
C. You should use the display filter http to view all HTTP requests, replies and ACKs.
D. You should check for the If-Modified-Since request modifier to determine if web pages are
being loaded from cache.
Q-284. You can edit the Wireshark services file if you want Wireshark to permanently dissect
port 80 traffic as IRC.
True
False
Q-285. To view all packets related to a POP communication, including the TCP handshake used
to set up a POP connection, use the display filter udp.port==110.
True
False
Q-286. If a malicious application has altered the client's hosts file, the client may resolve a
network name to the IP address of a malicious site.
True
False
Q-287. TCP splicing is used to poison the hosts file at a target.
True
False
Q-288. Wireshark can only display clear text communications if a dissector for the application
traffic has been loaded.
True
False
Q-289. Which type of scan can locate a device that supports Enhanced Interior Gateway
Routing Protocol (EIGRP)?
A. null scan
B. Xmas scan
C. IP protocol scan
D. half-connect scan
Q-290. "Phone home" traffic is seen when an application periodically connects to a remote host
without user intervention. This traffic may be malicious or part of a normal application update
process.
True
False
Q-291. The Protocol Hierarchy Statistics window helps identify unusual protocols and
applications during a live capture or in a saved trace file.
True
False
Q-292. Fragmentation override occurs when a malicious host hides data from decryption in out-of-order fragment packets.
True
False
Q-293. Following the TCP stream when analyzing an HTTP web browsing session reveals a
site's HTML tags.
True
False
Q-294. You have captured traffic to and from a compromised host. Which statement about the
Protocol Hierarchy Statistics window shown above is correct?
A. The HTTP traffic listed is running over UDP and should be investigated further.
B. The SMB traffic should be listed directly under TCP and should be investigated further.
C. There are an insufficient number of DNS packets to support the various communications
shown.
D. The Internet Relay Chat traffic may be used by a bot to communicate with a Command and
Control server.
Q-295. Which problem could cause the condition illustrated in the packet shown above?
A. packet loss
B. minimal packet sizes
C. excessive retransmissions
D. slow or non-responsive application
Q-296. Having baselines that were created before network problems occur can speed up the
process of identifying the cause of those problems.
True
False
Q-297. By default, Mergecap combines trace files based on the timestamps in those trace files.
True
False
Q-298. You are performing a TCP scan on a target while capturing your traffic with Wireshark.
Which statement about the analysis is correct?
A. If you receive UDP responses, the target does not support TCP.
B. If you receive TCP RST responses, the target is not currently on.
C. If you receive ICMP responses, the target port is likely firewalled.
D. If you receive TCP Zero Window responses, the target port is blocked.
Q-299. Which display filter shows FTP user names in a trace file?
A. ftp.request == USER
B. ftp contains "user"
C. ftp.request.command == user
D. ftp.request.command == "USER"
Q-300. Which command-line tool can be used to alter trace file timestamps?
A. tcpdump
B. Capinfos
C. Editcap
D. Mergecap
Q-301. Which type of traffic signature defines malicious traffic based on the proximity, order or
grouping of specific packets?
A. sequence signatures
B. encrypted signatures
C. fragmentation override signatures
D. splicing signatures
Q-302. Which statement about the packet shown above is correct?
A. This is a fast retransmission packet.
B. This packet depicts an FTP command.
C. The sender, 64.251.30.69, is using port 20 to transfer data.
D. The sender's receive buffer space is too low to accept additional data.
Q-303. SIP response codes lower than 399 indicate errors or failures.
True
False
Q-304. The WLAN association process takes place after a station has completed the MAC-layer authentication process.
True
False