Basic Understanding
Protocol Analysis
Source and Destination
Ports and Connections
Packet Contents and Details
100

What is Wireshark used for?

To analyze network traffic and troubleshoot network issues.

100

Which protocol is primarily used for web browsing?

HTTP and HTTPS.

100

How do you find packets in Wireshark with a specific source IP address?

Use the display filter "ip.src == [source IP address]", e.g. "ip.src == 192.168.1.10". Use "ip.dst" for the destination and "ip.addr" to match either end.

100

What is the purpose of ports in network communications?

To differentiate between multiple applications or services running on a single device.

100

What is contained within the payload of a packet?

The actual data being transmitted, separate from the packet's headers.

200

Which of the following can Wireshark not do? 

a) Capture live packet data. 

b) Decrypt encrypted traffic without the proper keys. 

c) Create network packets.

d) Analyze captured packet data.

c) Create network packets. Wireshark is a passive capture and analysis tool; it does not craft or send traffic (that is the job of tools such as Scapy or hping). Note that b) also holds in practice: Wireshark decrypts TLS only when given the session keys (SSLKEYLOGFILE) or the server's RSA private key.

200

What port does HTTPS use by default?

443

200

What does the destination IP address tell you?

It indicates the intended recipient of the packet within the network.

200

How would you identify all traffic related to SMTP in a capture?

By using the display filter "smtp", or by filtering on the port with "tcp.port == 25". Mail submission from clients usually runs on port 587 (STARTTLS) or 465 (implicit TLS), so include those when the capture comes from client traffic.

200

How can you extract files from HTTP traffic in Wireshark?

Use File > Export Objects > HTTP, which lists every file transferred over HTTP in the capture and saves the selected ones; or Follow > HTTP Stream and save the body by hand. This only works for cleartext HTTP (or HTTPS that Wireshark has decrypted with the session keys).

300

Which menu in Wireshark would you use to apply a display filter?

The display filter toolbar directly above the packet list (the "Apply a display filter ..." entry box). Saved filters are managed under Analyze > Display Filters.

300

In Wireshark, how is a TCP three-way handshake identified?

By the three packets that open the connection: SYN from the client, SYN-ACK from the server, then ACK from the client. The filter "tcp.flags.syn == 1 && tcp.flags.ack == 0" isolates the initial SYNs.

300

How can you filter for all traffic going to or from a particular subnet?

Using CIDR notation in the filter, like "ip.addr == 192.168.1.0/24". ip.addr matches either the source or the destination address; use ip.src or ip.dst to restrict the direction.

300

Which port is commonly used for SSH traffic?

22

300

What information does the "Info" column in Wireshark provide?

It provides a brief description or summary of the packet's purpose or contents.

400

True or False: Wireshark can capture packets on multiple interfaces simultaneously.

True. Since Wireshark 1.8 you can select several interfaces in the capture options and capture on them at the same time.

400

What does a "SYN" flag in TCP signify?

It marks a request to open a new TCP connection: the client sends a segment with SYN set, carrying its initial sequence number, and the server answers with SYN-ACK.

400

In a Wireshark capture, how can you tell if the packet was inbound or outbound?

By comparing the source and destination IP addresses with what you know of the network: a packet whose source is a local host and whose destination lies outside the local network is outbound, and vice versa. Wireshark itself does not mark direction.

400

How can you filter for packets using a range of ports?

With a range filter, like "tcp.port >= 1000 && tcp.port <= 2000". Newer versions also accept the set form "tcp.port in {1000..2000}".

400

How can you identify packets that are part of the same TCP conversation?

By right-clicking a packet and choosing Follow > TCP Stream, or by filtering on the stream index Wireshark assigns to each conversation, e.g. "tcp.stream eq 3".
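The filter and handshake questions above (ip.src, ip.addr with a subnet, tcp.port ranges, the SYN / SYN-ACK / ACK exchange, and tcp.stream) all come down to reading header fields and grouping packets by endpoint pair. The following is an added example, not Wireshark's code or part of the original board: a pure standard-library Python pcap reader that decodes Ethernet, IPv4, TCP and UDP headers into the same fields Wireshark shows in the Packet Details pane, numbers conversations the way tcp.stream does, detects completed three-way handshakes, and evaluates ip.addr- and tcp.port-style predicates. The capture it reads is constructed inline by build_sample_pcap() (the addresses, MACs and ports in it are made up for the example); all function names are this example's own.

```python
"""Added example (not Wireshark code): a pure-stdlib pcap reader that does by hand what
the board's display filters do: decode Ethernet/IPv4/TCP/UDP headers, number TCP
conversations like tcp.stream, spot SYN / SYN-ACK / ACK handshakes, evaluate ip.addr / tcp.port."""
import ipaddress
import struct
from dataclasses import dataclass

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

@dataclass
class Packet:
    num: int                 # frame number, 1-based like Wireshark's "No." column
    src_mac: str             # layer-2 sender on this segment (rewritten at every router hop)
    src: str = ""            # IPv4 addresses, empty for non-IPv4 frames
    dst: str = ""
    proto: str = "other"     # "TCP", "UDP" or "other"
    sport: int = 0
    dport: int = 0
    flags: int = 0           # raw TCP flags byte (0 for UDP)
    payload: bytes = b""     # the bytes after all headers, i.e. the payload

def parse_pcap(data):
    """Classic pcap: 24-byte global header, then 16-byte record headers + frames."""
    end = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off, pkts = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        pkts.append(_decode_frame(len(pkts) + 1, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return pkts

def _decode_frame(num, frame):
    pkt = Packet(num, ":".join(f"{x:02x}" for x in frame[6:12]))
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # only IPv4 is decoded here
        return pkt
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    pkt.src, pkt.dst = str(ipaddress.ip_address(ip[12:16])), str(ipaddress.ip_address(ip[16:20]))
    l4 = ip[ihl:total_len]
    if proto in (6, 17):
        pkt.proto = "TCP" if proto == 6 else "UDP"
        pkt.sport, pkt.dport = struct.unpack_from("!HH", l4, 0)
        hdr = (l4[12] >> 4) * 4 if proto == 6 else 8       # TCP data offset vs fixed UDP header
        pkt.flags = l4[13] if proto == 6 else 0
        pkt.payload = l4[hdr:]
    return pkt

def assign_streams(pkts):
    """frame number -> conversation index, numbered by first appearance (like tcp.stream)."""
    ids, out = {}, {}
    for p in pkts:
        if p.proto == "TCP":
            key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
            out[p.num] = ids.setdefault(key, len(ids))
    return out

def find_handshakes(pkts):
    """Stream ids in which a complete SYN, SYN-ACK, ACK exchange was observed."""
    streams, state, done = assign_streams(pkts), {}, []
    for p in pkts:
        if p.num not in streams:
            continue
        s, syn, ack = streams[p.num], bool(p.flags & TCP_SYN), bool(p.flags & TCP_ACK)
        stage, client = state.get(s, (0, None))
        if stage == 0 and syn and not ack:                  # tcp.flags.syn==1 && tcp.flags.ack==0
            state[s] = (1, p.src)
        elif stage == 1 and syn and ack and p.dst == client:
            state[s] = (2, client)
        elif stage == 2 and ack and not syn and p.src == client:
            state[s] = (3, client)
            done.append(s)
    return done

def ip_addr_in(p, cidr):
    """ip.addr == <cidr>: true if either endpoint is in the subnet (ip.src would test p.src only)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return bool(p.src) and any(ipaddress.ip_address(a) in net for a in (p.src, p.dst))

def tcp_port_between(p, lo, hi):
    """tcp.port >= lo && tcp.port <= hi; tcp.port matches source or destination port."""
    return p.proto == "TCP" and (lo <= p.sport <= hi or lo <= p.dport <= hi)

def _frame(src_mac, dst_mac, src, dst, proto, sport, dport, flags=0, payload=b""):
    if proto == 6:   # 20-byte TCP header (data offset 5); checksums are left zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0) + payload
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed capture (not a real network): HTTPS handshake + data, a DNS query, a lone SSH SYN."""
    C, S, R = "192.168.1.10", "10.0.0.5", "172.16.0.9"
    CM, SM, RM = "aabbccddee01", "aabbccddee02", "aabbccddee03"
    frames = [
        _frame(CM, SM, C, S, 6, 51000, 443, TCP_SYN),
        _frame(SM, CM, S, C, 6, 443, 51000, TCP_SYN | TCP_ACK),
        _frame(CM, SM, C, S, 6, 51000, 443, TCP_ACK),
        _frame(CM, SM, C, S, 6, 51000, 443, TCP_PSH | TCP_ACK, b"\x16\x03\x01"),  # TLS record header
        _frame(CM, SM, C, "8.8.8.8", 17, 40000, 53, payload=b"\x12\x34\x01\x00"),
        _frame(RM, SM, R, S, 6, 1500, 22, TCP_SYN),   # second conversation, never answered
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

Running `pkts = parse_pcap(build_sample_pcap())` gives six frames; `assign_streams(pkts)` puts frames 1 to 4 in stream 0 and the SSH SYN in stream 1 (the DNS frame is UDP and gets no stream), `find_handshakes(pkts)` returns `[0]` because only the HTTPS conversation completes all three steps, and `ip_addr_in(p, "192.168.1.0/24")` is true for every frame except the one from 172.16.0.9. Feed the same functions a real file (`parse_pcap(open("capture.pcap", "rb").read())`) and compare the stream numbering against Wireshark's tcp.stream column: both number conversations in order of first appearance.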

500

What is a "capture filter" in Wireshark?

A filter set before the capture starts that limits which packets are recorded at all. It uses BPF (tcpdump) syntax, e.g. "host 10.0.0.5 and tcp port 443", which differs from display filter syntax. Packets excluded by a capture filter are never saved, so unlike a display filter it cannot be undone afterwards.

500

How can you identify DNS traffic in Wireshark?

By filtering on the protocol with "dns", or on the port with "udp.port == 53". DNS also runs over TCP 53 (large responses, zone transfers), so a port-based filter should cover both: "tcp.port == 53 || udp.port == 53".

500

What is the significance of a MAC address in packet analysis?

It identifies a network interface at layer 2 on the local segment. Routers rewrite the source and destination MACs at each hop, so the MAC in a capture identifies the last device that forwarded the frame (for example the default gateway), not a sender on another network.

500

In Wireshark, what does a filter for "tcp.port == 443" show?

All TCP packets with source or destination port 443, typically HTTPS. The port does not guarantee the protocol; filter on "tls" to match by dissected protocol instead.

500

How does Wireshark display hexadecimal values of packet contents?

In the "Packet Bytes" pane at the bottom of the window, as a hex dump with an ASCII column; clicking a field in the Packet Details pane highlights the bytes it was decoded from.
