lab 5
Lab #5 Questions and Answers
1. Which tool is better at performing protocol captures and which tool is better at performing protocol analysis?
Wireshark is better for performing protocol analysis and Netwitness Investigator is best at performing protocol captures. Wireshark does well at both aspects, which makes it a little better.
2. What is promiscuous mode and how does this allow tcpdump, Wireshark, and NetWitness Investigator to perform protocol capture off a live network?
Promiscuous mode is for a wired network interface controller or wireless network interface controller that causes the controller to pass all traffic to the CPU instead of passing only through the frames the controller is supposed to receive. It allows tcpdump, Wireshark, and NetWitness Investigator to perform protocol capture off a live network because it’s made for packet sniffing, which all these applications perform.
3. What is the significance of the TCP three-way handshake for applications that utilize TCP as a transport protocol? Which application in your protocol capture uses TCP as a transport protocol?
The significance of the TCP three-way handshake is that three messages are transmitted by TCP to negotiate and start a TCP session between the computers. The purpose is so that two computers can negotiate the parameters of the network TCP socket connection before transmitting the data. Wireshark is the application that uses TCP as a transport protocol.
4. How many different source IP host addresses did you capture in your protocol capture?
There were 6 different IP host addresses captured in the protocol capture.
5. How many different protocols (layer 3, layer 4, etc.) did your protocol capture session have? What function in Wireshark provides you with a breakdown of the different protocol types on the LAN segment?
6. Can Wireshark provide you with network traffic packet size counts? How and where? Are you able to distinguish how many of each
1. Which tool is better at performing protocol captures and which tool is better at performing protocol analysis?
Wireshark is better for performing protocol analysis and Netwitness Investigator is best at performing protocol captures. Wireshark does well at both aspects, which makes it a little better.
2. What is promiscuous mode and how does this allow tcpdump, Wireshark, and NetWitness Investigator to perform protocol capture off a live network?
Promiscuous mode is for a wired network interface controller or wireless network interface controller that causes the controller to pass all traffic to the CPU instead of passing only through the frames the controller is supposed to receive. It allows tcpdump, Wireshark, and NetWitness Investigator to perform protocol capture off a live network because it’s made for packet sniffing, which all these applications perform.
3. What is the significance of the TCP three-way handshake for applications that utilize TCP as a transport protocol? Which application in your protocol capture uses TCP as a transport protocol?
The significance of the TCP three-way handshake is that three messages are transmitted by TCP to negotiate and start a TCP session between the computers. The purpose is so that two computers can negotiate the parameters of the network TCP socket connection before transmitting the data. Wireshark is the application that uses TCP as a transport protocol.
4. How many different source IP host addresses did you capture in your protocol capture?
There were 6 different IP host addresses captured in the protocol capture.
5. How many different protocols (layer 3, layer 4, etc.) did your protocol capture session have? What function in Wireshark provides you with a breakdown of the different protocol types on the LAN segment?
6. Can Wireshark provide you with network traffic packet size counts? How and where? Are you able to distinguish how many of each