Conduct a Network Traffic Analysis & Baseline Definition
1. Which tool is better at performing protocol captures and which tool is better at performing protocol analysis?
The best tool for protocol captures is Wireshark. The best tool for protocol analysis is Netwitness.
2. What is promiscuous mode and how does this allow tcpdump, Wireshark, and Netwitness Investigator to perform protocol capture off a live network?
Promiscuous mode causes the network interface controller to pass all traffic it receives to the CPU rather than only the frames addressed to that controller. It allows tcpdump, Wireshark and Netwitness Investigator to perform protocol capture off a live network because they receive every frame the interface sees on the network segment, not just the traffic meant for the capturing host.
3. What is the significance of the TCP, 3-Way Handshake for applications that utilize TCP as a transport protocol? Which application in your protocol capture uses TCP as a transport protocol?
The significance of the TCP 3-way handshake is that it is required for both the server and the client to set up initial sequence numbers and ensure that they both understand each other. The protocol that uses TCP as a transport protocol is Wireshark.
5. What function in Wireshark provides you with a breakdown of the different protocol types on the LAN segment?
Statistics → Protocol Hierarchy
6. How and where can you find Wireshark network traffic packet size counts? Can you distinguish how many of each packet size was transmitted on your LAN segment? Why is this important?
In Wireshark, network traffic packet size counts can be found at: Statistics → Packet Length → Packet Length w/ filter window.
Yes: the ‘Packet Length’ and ‘Count’ columns show the packet size distribution of the capture. It is important to know and understand which protocols and which sizes of Ethernet frames are being used for transmission on the LAN segment; this is an important part of the network traffic baseline definition.
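The following is an added example, not part of the original lab answers or of Wireshark itself. It shows what the three statistics discussed above (Protocol Hierarchy, Packet Lengths and the TCP 3-way handshake) look like when computed by hand over raw frames, the same bytes a promiscuous-mode sniffer hands to tcpdump or Wireshark. The frames are constructed inline (one complete HTTP-style TCP session, one UDP datagram, one ARP frame and one unanswered SYN); checksums are left at zero, and the length buckets are an assumption modelled on Wireshark's Packet Lengths ranges.

```python
import socket
import struct
from collections import Counter

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp"}
MAC_A, MAC_B = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
# Bucket edges modelled on Wireshark's "Packet Lengths" statistic (assumption).
LENGTH_BUCKETS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
                  (640, 1279), (1280, 2559), (2560, 5119), (5120, 65535)]


def build_frame(src_ip, dst_ip, sport, dport, proto=6, flags=0, payload=b""):
    """Construct an Ethernet/IPv4/TCP (proto 6) or UDP (proto 17) frame.
    Checksums are zero; the parser below never verifies them."""
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:            # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return MAC_B + MAC_A + b"\x08\x00" + ip + l4 + payload


def arp_frame():
    """A 42-byte broadcast ARP frame (28-byte ARP body left zeroed)."""
    return b"\xff" * 6 + MAC_A + b"\x08\x06" + b"\x00" * 28


def sample_capture():
    """Constructed frames standing in for a real capture (not real traffic)."""
    A, B, S, R = "10.0.0.5", "10.0.0.6", "10.0.0.10", "10.0.0.1"
    return [
        build_frame(A, S, 40000, 80, flags=TCP_SYN),                     # 54 bytes
        build_frame(S, A, 80, 40000, flags=TCP_SYN | TCP_ACK),           # 54 bytes
        build_frame(A, S, 40000, 80, flags=TCP_ACK),                     # 54 bytes
        build_frame(A, S, 40000, 80, flags=TCP_PSH | TCP_ACK,
                    payload=b"GET / HTTP/1.0\r\n\r\n"),                  # 72 bytes
        build_frame(S, A, 80, 40000, flags=TCP_PSH | TCP_ACK,
                    payload=b"X" * 1400),                                # 1454 bytes
        build_frame(A, R, 53000, 53, proto=17, payload=b"\x00" * 30),    # 72 bytes
        arp_frame(),                                                     # 42 bytes
        build_frame(B, S, 40001, 80, flags=TCP_SYN),                     # SYN never answered
    ]


def parse_frame(data):
    """Decode the Ethernet, IPv4 and TCP/UDP headers needed for the baseline."""
    ethertype = struct.unpack("!H", data[12:14])[0]
    info = {"length": len(data), "layers": ["eth", ETHERTYPES.get(ethertype, "other")]}
    if ethertype != 0x0800:
        return info
    ihl = (data[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = data[23]                      # IPv4 protocol field
    info["src"], info["dst"] = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
    l4 = data[14 + ihl:]
    if proto in (6, 17):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["layers"].append("tcp" if proto == 6 else "udp")
    if proto == 6:
        info["flags"] = l4[13]            # TCP flags byte
    return info


def protocol_hierarchy(frames):
    """Count frames at every node of the protocol tree, like Statistics → Protocol Hierarchy."""
    counts = Counter()
    for f in frames:
        for depth in range(1, len(f["layers"]) + 1):
            counts["/".join(f["layers"][:depth])] += 1
    return counts


def packet_length_histogram(frames):
    """Bucket frame sizes the way Statistics → Packet Lengths does."""
    hist = Counter()
    for f in frames:
        for lo, hi in LENGTH_BUCKETS:
            if lo <= f["length"] <= hi:
                hist[f"{lo}-{hi}"] += 1
                break
    return hist


def find_handshakes(frames):
    """Pair SYN, SYN/ACK and ACK in capture order.
    Returns (completed, half_open) lists of (client_ip, client_port, server_ip, server_port)."""
    state = {}
    for f in frames:
        if "tcp" not in f["layers"]:
            continue
        syn, ack = bool(f["flags"] & TCP_SYN), bool(f["flags"] & TCP_ACK)
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])
        rev = (f["dst"], f["dport"], f["src"], f["sport"])
        if syn and not ack:
            state[fwd] = "syn"
        elif syn and ack and state.get(rev) == "syn":
            state[rev] = "synack"
        elif ack and not syn and state.get(fwd) == "synack":
            state[fwd] = "done"
    completed = [k for k, v in state.items() if v == "done"]
    half_open = [k for k, v in state.items() if v != "done"]
    return completed, half_open


if __name__ == "__main__":
    parsed = [parse_frame(b) for b in sample_capture()]
    for node, n in sorted(protocol_hierarchy(parsed).items()):
        print(f"{node:<16}{n}")
    for bucket, n in sorted(packet_length_histogram(parsed).items(),
                            key=lambda kv: int(kv[0].split("-")[0])):
        print(f"{bucket:<12}{n}")
    done, half = find_handshakes(parsed)
    print("completed handshakes:", done)
    print("half-open (SYN without completion):", half)
```

The half-open list is the part worth keeping in a baseline: a segment whose normal profile shows every SYN followed by a SYN/ACK and ACK makes a sudden run of unanswered SYNs easy to spot, and the protocol and length distributions give the "what is normal here" reference that later captures are compared against.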
7. Is FTP data able to be replayed and reconstructed if the packets are...