Answers 2023 Solved Correctly
Status Bar - Bottom right corner displays how many packets have been captured and are displayed
dfilters - File that stores the user's custom display filters
Aggregation Taps - Aggregation/regeneration network TAPs are used to capture 100%
full duplex network traffic; the traffic can then be sent to multiple monitoring appliances
to analyze your network.
Manuf file - Used to store the first three octets of MAC addresses for name resolution
Services File - Contains list of all ports and services
WinPcap - WinPcap consists of a driver that extends the operating system to provide
low-level network access, and a library that is used to easily access the low-level
network layers. This library also contains the Windows version of the well-known libpcap
Unix API.
Promiscuous mode - Enables a network card and driver to capture traffic that is
addressed to other devices on the network, not just to the local hardware address
TCP Backoff Algorithm - Exponential backoff is an algorithm that uses feedback to
multiplicatively decrease the rate of some process, in order to gradually find an
acceptable rate.
TCP Syn - SYN - (Synchronize) Initiates a connection
IPv4 total length - This 16-bit field defines the entire packet size, including header and
data, in bytes. The minimum-length packet is 20 bytes (20-byte header + 0 bytes data)
and the maximum is 65,535 bytes — the maximum value of a 16-bit word. All hosts are
required to be able to reassemble datagrams of size up to 576 bytes, but most modern
hosts handle much larger packets. Sometimes subnetworks impose further restrictions
on the packet size, in which case datagrams must be fragmented. Fragmentation is
handled in either the host or router in IPv4.
IPv4 Data Link Padding -
Proxy ARP - Proxy ARP is a technique by which a device on a given network answers
the ARP queries for a network address that is not on that network. The ARP proxy is
aware of the location of the traffic's destination, and offers its own MAC address as
the (ostensibly final) destination.
TCP Retransmission Timeout - Retransmissions are the result of packet loss and are
triggered when the sender's TCP retransmission timeout (RTO) timer expires or a
receiver sends Duplicate Acknowledgments to request a missing segment
Monitor Mode - In order to capture all traffic that the adapter can receive, the adapter
must be put into "monitor mode", sometimes called "rfmon mode". In this mode, the
driver doesn't make the adapter a member of any service set.
TCP Stream Index - The Stream Index value in TCP conversations begins at 0 and counts
up by 1 for each TCP conversation seen in the tra
Routing Overview - Pg. 32
Initial Sequence Number - The SYN packets synchronize the sequence numbers to
ensure both sides know each other's starting sequence numbers (the Initial Sequence
Number, or ISN). This is how they will keep track of the sequence of data exchanged
between them.
tcp.analysis.flags - Packets have been flagged with TCP issues or notifications (will not
work if Analyze TCP Sequence Numbers is disabled in the TCP preferences)
Total Length Field - This field defines the length of the IP header and any valid data
(this does not include any data link padding). In the example shown in Figure 203, the
total length field value is 1500 bytes. The first 20 bytes of that is the IP header—this
indicates that the remaining packet length (not including any data link padding) is 1480
bytes.
Unusual IP addresses - The IP source address cannot be the loopback address
(127.0.0.0/8), a multicast address or a broadcast address.
Display BOOTP-DHCP Statistics - The BOOTP-DHCP statistics window summarizes
the DHCPv4 message types in the trace file. As of Wireshark 1.7.2 this feature does not
support DHCPv6.
TCP window size field - When a host advertises a small size or zero, network
performance can be severely impacted.
TCP Throughput Graphs - are unidirectional—if you do not see anything plotted when
you open a Throughput graph, you might be looking at the wrong side of the
communication. Highlight a packet going in the reverse direction and load the graph again.