Quiz : How Well Do You Know Wireshark?

1. You can use Wireshark's Expressions to build display filters.

True

False

Wireshark's Expressions can indeed be used to build display filters. Display filters allow users to selectively view specific network traffic based on various criteria such as source or destination IP addresses, protocols, port numbers, and more. By using Wireshark's Expressions, users can customize and fine-tune their display filters to focus on the specific network traffic they are interested in analyzing.

Explanation

Wireshark's Expressions can indeed be used to build display filters. Display filters allow users to selectively view specific network traffic based on various criteria such as source or destination IP addresses, protocols, port numbers, and more. By using Wireshark's Expressions, users can customize and fine-tune their display filters to focus on the specific network traffic they are interested in analyzing.

2. Which display filter operator is the equivalent of AND?

$$

&&

||

The correct answer is "&&". The "&&" operator in display filtering is the equivalent of the logical AND operator. It is used to combine multiple conditions in a display filter and returns only the packets that satisfy all the specified conditions simultaneously.

Explanation

The correct answer is "&&". The "&&" operator in display filtering is the equivalent of the logical AND operator. It is used to combine multiple conditions in a display filter and returns only the packets that satisfy all the specified conditions simultaneously.

3. A custom column can be added to and rearranged in the Packet List pane.

True

False

A custom column can be added to and rearranged in the Packet List pane, allowing users to customize the display of information in the pane according to their preferences. This feature provides flexibility and convenience for users to organize and view the packet data in a way that best suits their needs.

Explanation

A custom column can be added to and rearranged in the Packet List pane, allowing users to customize the display of information in the pane according to their preferences. This feature provides flexibility and convenience for users to organize and view the packet data in a way that best suits their needs.

4. Both of the the display filters below will provide the same output. ip.dst==10.100.0.1 or ip.dst==10.100.0.1 ip.dst==10.100.0.1 || ip.dst==10.100.0.1

True

False

Both of the display filters provided in the question are the same, as they both specify the same condition for the destination IP address. The "==" operator is used to check for an exact match, and the "||" operator is used for logical OR. In this case, both filters are checking if the destination IP address is equal to 10.100.0.1. Therefore, both filters will provide the same output, which makes the answer true.

Explanation

Both of the display filters provided in the question are the same, as they both specify the same condition for the destination IP address. The "==" operator is used to check for an exact match, and the "||" operator is used for logical OR. In this case, both filters are checking if the destination IP address is equal to 10.100.0.1. Therefore, both filters will provide the same output, which makes the answer true.

5.

Which statement about the TCP stream shown above is correct?

The HTTP client requested a graphic file

The HTTP server redirected the client's request to another server.

The HTTP client sent an HTTP GET request to the HTTP server

None of the above

The correct answer is that the HTTP client sent an HTTP GET request to the HTTP server. This can be inferred from the information given in the question, which states that the TCP stream shown above is related to an HTTP transaction. The HTTP GET request is the most common method used by an HTTP client to request a resource from an HTTP server.

Explanation

The correct answer is that the HTTP client sent an HTTP GET request to the HTTP server. This can be inferred from the information given in the question, which states that the TCP stream shown above is related to an HTTP transaction. The HTTP GET request is the most common method used by an HTTP client to request a resource from an HTTP server.

6. Which Display filter will show only packets for the source address of 192.168.0.25?

Ip.addr == 192.168.0.25 src

Ip.src == 192.168.0.25

!ip.src == 192.168.0.25

The correct answer is "ip.src == 192.168.0.25". This display filter will only show packets that have a source address of 192.168.0.25. It filters out all other packets and only displays the ones that match the specified source address.

Explanation

The correct answer is "ip.src == 192.168.0.25". This display filter will only show packets that have a source address of 192.168.0.25. It filters out all other packets and only displays the ones that match the specified source address.

7. How do you quickly spot large gaps in time between packets in a trace file containing 10,000 packets?

Set the Time column to Seconds Since Epoch and scroll through the trace file

Open and examine the Notes section of Wireshark's Expert infos window

Set the Time column to Seconds Since Previously Displayed Packet and sort the Time column

By setting the Time column to "Seconds Since Previously Displayed Packet" and sorting the Time column, you can quickly spot large gaps in time between packets in the trace file. This will allow you to easily identify any significant delays or interruptions in the packet transmission.

Explanation

By setting the Time column to "Seconds Since Previously Displayed Packet" and sorting the Time column, you can quickly spot large gaps in time between packets in the trace file. This will allow you to easily identify any significant delays or interruptions in the packet transmission.

8.

Which statement about the setting is shown in the Preference window above

The Microsoft device interface is hidden.

Wireshark will use inverse name queries to resolve local host address to IP address.

Wireshark will only capture traffic to the local adapter, broadcast, or multicast address

None of the above

The correct answer is "Wireshark will only capture traffic to the local adapter, broadcast, or multicast address." This means that Wireshark will only capture network traffic that is sent to the local network adapter, as well as any broadcast or multicast traffic on the network. It will not capture traffic that is sent to other devices or addresses on the network.

Explanation

The correct answer is "Wireshark will only capture traffic to the local adapter, broadcast, or multicast address." This means that Wireshark will only capture network traffic that is sent to the local network adapter, as well as any broadcast or multicast traffic on the network. It will not capture traffic that is sent to other devices or addresses on the network.

9. This display filter would remove all packets destined for host 10.0.0.5 ip.dst == 10.100.0.5!

True

False

The given display filter "ip.dst == 10.100.0.5!" would not remove all packets destined for host 10.0.0.5. The filter is checking for packets with a destination IP address of 10.100.0.5, not 10.0.0.5. Therefore, the statement is false.

Explanation

The given display filter "ip.dst == 10.100.0.5!" would not remove all packets destined for host 10.0.0.5. The filter is checking for packets with a destination IP address of 10.100.0.5, not 10.0.0.5. Therefore, the statement is false.

10. Display filters and capture filters can be interchanged because they use the same syntax.

True

False

Display filters and capture filters cannot be interchanged because they serve different purposes and use different syntax. Display filters are used to filter the packets that are displayed in a network capture, while capture filters are used to filter the packets that are actually captured by a network capture tool. Although both types of filters use a similar syntax, they are not interchangeable as they operate at different stages of the packet-capturing process.

Explanation

Display filters and capture filters cannot be interchanged because they serve different purposes and use different syntax. Display filters are used to filter the packets that are displayed in a network capture, while capture filters are used to filter the packets that are actually captured by a network capture tool. Although both types of filters use a similar syntax, they are not interchangeable as they operate at different stages of the packet-capturing process.

11. Which of these filters can be used as either a capture or display filter?

Dns

Udp

Dhcp

The UDP filter can be used as either a capture or display filter. UDP (User Datagram Protocol) is a transport layer protocol that allows data to be sent between applications on the internet. It is a connectionless protocol that does not provide error checking or flow control. As a capture filter, it can be used to capture UDP packets and analyze their contents. As a display filter, it can be used to filter and display only UDP packets in a packet capture file or network traffic.

Explanation

The UDP filter can be used as either a capture or display filter. UDP (User Datagram Protocol) is a transport layer protocol that allows data to be sent between applications on the internet. It is a connectionless protocol that does not provide error checking or flow control. As a capture filter, it can be used to capture UDP packets and analyze their contents. As a display filter, it can be used to filter and display only UDP packets in a packet capture file or network traffic.

12. When you select Prepare a filter, the filter is immediately applied to the traffice

True

False

When you select "Prepare a filter," the filter is not immediately applied to the traffic. Instead, the filter is created and prepared for future use. It is not until you manually apply the filter that it will take effect and filter the traffic. Therefore, the correct answer is false.

Explanation

When you select "Prepare a filter," the filter is not immediately applied to the traffic. Instead, the filter is created and prepared for future use. It is not until you manually apply the filter that it will take effect and filter the traffic. Therefore, the correct answer is false.

13. The following capture filter will capture all FTP traffic on port 21 regardless of the destination or source host. host www.wiresharkbook.com && port 21

True

False

The given capture filter will only capture FTP traffic on port 21 for the host www.wiresharkbook.com. It will not capture FTP traffic for any other destination or source host. Therefore, the statement that it will capture all FTP traffic on port 21 regardless of the destination or source host is false.

Explanation

The given capture filter will only capture FTP traffic on port 21 for the host www.wiresharkbook.com. It will not capture FTP traffic for any other destination or source host. Therefore, the statement that it will capture all FTP traffic on port 21 regardless of the destination or source host is false.

14. Which feature is only available with promiscuous mode operation?

Enable an interface to capture packets that are sent to any MAC address

Enable an interface to capture gratuitous ARP request/response packets

Enable an interface to capture packets addressed to broadcast and multicast addresses

Promiscuous mode operation allows an interface to capture packets that are sent to any MAC address. This means that the interface can capture all network traffic, regardless of the destination MAC address. This is useful for network monitoring and troubleshooting purposes, as it allows for the analysis of all packets on the network, including those not intended for the interface itself. It is a feature commonly used by network administrators and security professionals.

Explanation

Promiscuous mode operation allows an interface to capture packets that are sent to any MAC address. This means that the interface can capture all network traffic, regardless of the destination MAC address. This is useful for network monitoring and troubleshooting purposes, as it allows for the analysis of all packets on the network, including those not intended for the interface itself. It is a feature commonly used by network administrators and security professionals.

15.

Which statement about the Capture Options window shown above is correct?

Wireshark will resolve IP addresses to host

Wireshark will attempt to resolve OUI values for all MAC addresses

Wireshark will scroll to display the most recent packet captured

The correct answer is "Wireshark will scroll to display the most recent packet captured." This means that when capturing packets in Wireshark, the program will automatically scroll to show the most recent packet that has been captured.

Explanation

The correct answer is "Wireshark will scroll to display the most recent packet captured." This means that when capturing packets in Wireshark, the program will automatically scroll to show the most recent packet that has been captured.

16. Which statement about capture filters is correct?

Capture filters can be applied after the capture process begins

Capture filters can be applied while you are opening a trace file

Wireshark includes a default set of capture filters

None of the above

Wireshark includes a default set of capture filters. This means that when using Wireshark to capture network traffic, there are pre-defined filters available that can be applied to capture specific types of network packets. These capture filters can help in narrowing down the captured data to only the packets of interest, making it easier to analyze and troubleshoot network issues.

Explanation

Wireshark includes a default set of capture filters. This means that when using Wireshark to capture network traffic, there are pre-defined filters available that can be applied to capture specific types of network packets. These capture filters can help in narrowing down the captured data to only the packets of interest, making it easier to analyze and troubleshoot network issues.

17. Which drive is used to capture packets when Wireshark is running on a Apple computer?

Macpcap

Libpcap

Airpcap

Libpcap is the correct answer because it is a portable library used for packet capture and it is compatible with various operating systems, including Apple's macOS. Wireshark, a network protocol analyzer, relies on Libpcap to capture packets on Apple computers and analyze network traffic. Macpcap is a deprecated library that was used in older versions of Wireshark for macOS, while Airpcap is a library specifically designed for capturing wireless packets on Windows systems.

Explanation

Libpcap is the correct answer because it is a portable library used for packet capture and it is compatible with various operating systems, including Apple's macOS. Wireshark, a network protocol analyzer, relies on Libpcap to capture packets on Apple computers and analyze network traffic. Macpcap is a deprecated library that was used in older versions of Wireshark for macOS, while Airpcap is a library specifically designed for capturing wireless packets on Windows systems.

Submit

19.

Based on the image shown above, Wireshark's time display format is set to Seconds Since the Beginning of Capture.

True

False

The correct answer is False because based on the image shown above, Wireshark's time display format is set to Seconds Since Previous Displayed Packet.

Explanation

The correct answer is False because based on the image shown above, Wireshark's time display format is set to Seconds Since Previous Displayed Packet.

20. Which display filter is used to display all DHCP traffic?

Dhcp

Tcp.port == 68

Bootp

The correct answer is "bootp". BOOTP (Bootstrap Protocol) is an older version of DHCP (Dynamic Host Configuration Protocol) used to assign IP addresses to devices on a network. By using the "bootp" display filter, all DHCP traffic can be displayed, including both DHCPv4 and DHCPv6 traffic.

Explanation

The correct answer is "bootp". BOOTP (Bootstrap Protocol) is an older version of DHCP (Dynamic Host Configuration Protocol) used to assign IP addresses to devices on a network. By using the "bootp" display filter, all DHCP traffic can be displayed, including both DHCPv4 and DHCPv6 traffic.