ECCouncil 312-38 Practice Test - Questions Answers, Page 19

FILL BLANK

Fill in the blank with the appropriate term.

______________ is a prime example of a high-interaction honeypot.

A. Honeynet
Suggested answer: A

Explanation:

A honeynet is a prime example of a high-interaction honeypot. Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.

High-interaction honeypots run real operating systems and services rather than emulating a handful of responses, so they record an intruder's full activity; for the same reason they must be isolated and monitored (in a honeynet, by a data-control gateway such as the Honeynet Project's honeywall) so that a compromised honeypot cannot be used as a base for attacking production hosts.

Which of the following tools is an open source protocol analyzer that can capture traffic in real time?

A. NetResident
B. Wireshark
C. Bridle
D. NetWitness
E. None
Suggested answer: B

Explanation:

Wireshark is an open source protocol analyzer that can capture traffic in real time. It is a free packet sniffer application used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but it has a graphical front end and many more sorting and filtering options. It puts the network interface into promiscuous mode so that the user sees every frame reaching the interface, not only the frames addressed to it. Note that on a switched network promiscuous mode alone shows the host's own traffic plus broadcast and multicast; to observe other hosts' conversations, the capture interface must sit on a mirror (SPAN) port, a network TAP, or a hub.

Wireshark uses pcap (libpcap on Unix-like systems, Npcap or the older WinPcap on Windows) to capture packets, so it can only capture on interface and link types supported by pcap. It has the following features:

Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.

Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.

Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.

Data display can be refined using a display filter. Plugins can be created for dissecting new protocols.

Answer option C is incorrect: Bridle is not an open source protocol analyzer. For comparison, Snort is an open source network intrusion prevention and detection system that can also operate as a packet sniffer and logger; it logs network activity that matches predefined signatures, which can be written for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). Answer option D is incorrect. NetWitness is a commercial product used to analyze and monitor network traffic and activity.

Answer option A is incorrect. NetResident is a commercial tool used to capture, store, analyze, and reconstruct network events and activities.

Which of the following tools are NOT used for logging network activities in the Linux operating system? Each correct answer represents a complete solution.

Choose all that apply.

A. PsLoggedOn
B. PsGetSid
C. Timbersee
D. Swatch
Suggested answer: A, B

Explanation:

PsLoggedOn and PsGetSid are not logging tools. They are command-line utilities from the Sysinternals PsTools suite for the Windows operating system.

PsLoggedOn displays both local and remote logged-on users. If a user name is specified instead of a computer name, PsLoggedOn searches the computers in the network and reports whether that user is currently logged on. The command syntax for PsLoggedOn is as follows:

psloggedon [-] [-l] [-x] [\\computername | username]

PsGetSid queries SIDs remotely. It returns the SID of a computer or of a user account and can translate a SID back into an account name. The command syntax for PsGetSid is as follows:

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]

Answer options C and D are incorrect. Swatch (the Simple Log Watcher) and Timbersee are log-monitoring tools for Linux and other Unix-like systems. They read syslog output as it is written and run a configured action (print, beep, send mail, execute a command) whenever a line matches one of their regular-expression rules, which is how network activity recorded by syslog is turned into alerts.
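The following is an added example, not Swatch's or Timbersee's own code: a minimal Python log watcher in the style of a Swatch configuration, with "watchfor" regular-expression rules, an immediate action, and a sliding-window threshold keyed on a captured field (Swatch's count/seconds/track_by). The syslog lines are constructed for the example, and the rule names and the current-year assumption for syslog timestamps are mine.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed syslog excerpt (not from a real host); the sshd lines use the real "Failed password" format.
SAMPLE_LOG = """\
Mar 14 10:01:02 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.20 port 51100 ssh2
Mar 14 10:01:09 web1 sshd[2108]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Mar 14 10:01:12 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 40012 ssh2
Mar 14 10:01:15 web1 sshd[2112]: Failed password for root from 203.0.113.7 port 40013 ssh2
Mar 14 10:01:30 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 10:02:00 web1 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23
Mar 14 10:20:00 web1 sshd[2200]: Failed password for root from 198.51.100.4 port 5001 ssh2
"""


@dataclass
class Rule:
    """One 'watchfor' entry: a pattern, and optionally a swatch-style threshold."""
    name: str
    pattern: re.Pattern
    threshold: int = 1               # count=N
    window_s: int = 0                # seconds=S; 0 means alert on every match
    track_by: Optional[str] = None   # named group to count per (like track_by=$1)


# Hypothetical rule set; names and patterns are the example's own.
RULES = [
    Rule("ssh-bruteforce",
         re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"),
         threshold=3, window_s=60, track_by="src"),
    Rule("sudo-to-root", re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root")),
    Rule("fw-drop-telnet", re.compile(r"FW-DROP .*DPT=23\b")),
]


def parse_timestamp(line: str) -> datetime:
    # Classic syslog lines carry no year; assume the current one (an assumption, as swatch does).
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=datetime.now().year)


class LogWatcher:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def feed(self, line: str) -> List[str]:
        """Apply every rule to one log line; return the alerts it raised."""
        alerts: List[str] = []
        ts = parse_timestamp(line)
        for rule in self.rules:
            match = rule.pattern.search(line)
            if not match:
                continue
            if rule.window_s == 0:
                alerts.append(f"{rule.name}: {line.strip()}")
                continue
            key = (rule.name, match.group(rule.track_by) if rule.track_by else "*")
            hits = self._hits[key]
            hits.append(ts)
            while hits and (ts - hits[0]).total_seconds() > rule.window_s:
                hits.popleft()          # drop hits that fell out of the sliding window
            if len(hits) >= rule.threshold:
                alerts.append(f"{rule.name}: {len(hits)} hits in {rule.window_s}s from {key[1]}")
                hits.clear()            # re-arm, like swatch's type=threshold
        return alerts


def scan(log_text: str, rules: List[Rule] = RULES) -> List[str]:
    """Run the watcher over a whole log text and collect its alerts."""
    watcher = LogWatcher(rules)
    alerts: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(watcher.feed(line))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, the three failures from 203.0.113.7 within 60 seconds raise one brute-force alert, the sudo and firewall lines each fire immediately, and the single failure from 198.51.100.4 stays below threshold. In production the watcher would be fed from a tail of /var/log/auth.log or from journald rather than from a string, but the matching and thresholding logic is the same.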

FILL BLANK

Fill in the blank with the appropriate term.

The______________ model is a description framework for computer network protocols and is sometimes called the Internet Model or the DoD Model.

A. TCP/IP
Suggested answer: A

Explanation:

The TCP/IP model is a description framework for computer network protocols. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination. Protocols exist for a variety of different types of communication services between computers. The TCP/IP Model is sometimes called the Internet Model or the DoD Model.

The TCP/IP model has four layers: Link (also called Network Access), Internet, Transport, and Application. This architecture is often compared with the seven-layer OSI Reference Model, where the TCP/IP Application layer covers OSI layers 5 to 7 and the Link layer covers OSI layers 1 and 2. The TCP/IP model and related protocols are maintained by the Internet Engineering Task Force (IETF).

Which of the following is a software tool used in passive attacks for capturing network traffic?

A. Intrusion prevention system
B. Intrusion detection system
C. Warchalking
D. Sniffer
Suggested answer: D

Explanation:

A sniffer is a software tool used to capture network traffic. It places the host's network interface card (NIC) into promiscuous mode, so that the NIC passes up every frame it receives rather than only those addressed to it, and records the traffic for analysis. A sniffer attack is a passive attack because the attacker does not interact with the target host and leaves no trace on it. It is most often used to grab logins and passwords from protocols that carry them in clear text, such as Telnet, FTP, HTTP basic authentication, and POP3. Ethereal (now Wireshark), Snort, WinDump, EtherPeek, and Dsniff are examples of sniffers; such tools offer facilities such as a graphical user interface, traffic statistics graphs, and multiple-session tracking. The countermeasure is to encrypt the traffic (SSH, TLS) so that captured data is useless to the attacker, and to use switched networks, where a sniffer sees only its own port's traffic unless the attacker also poisons ARP caches or obtains a mirror port.

Answer option A is incorrect. An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.

Answer option B is incorrect. An IDS (Intrusion Detection System) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

Answer option C is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
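As an added example (not code from Wireshark, tcpdump, or any other tool named on this page) serving this question together with the earlier Wireshark/pcap and TCP/IP-model questions: a small Python pcap reader that walks each captured frame through the TCP/IP layers (Ethernet link layer, IPv4 internet layer, TCP transport layer) and harvests clear-text FTP USER/PASS commands, which is exactly what a passive sniffer attack yields. The capture is constructed inside the script (addresses, ports, and the credential pair are invented), checksums are left at zero, and only the classic pcap format with the Ethernet link type is handled.

```python
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4       # magic as read little-endian from a little-endian file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame for constructed test traffic (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ipv4_bytes(src), ipv4_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Write a little-endian pcap (version 2.4, Ethernet link type) around the given frames."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample capture: an ARP frame, a clear-text FTP login, and a TLS record to port 443.
ARP_FRAME = bytes.fromhex("ffffffffffff001122334455" "0806") + bytes(28)
FRAMES = [
    ARP_FRAME,
    build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 21, 40001, b"331 Please specify the password.\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS hunter2\r\n"),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 21, 40001, b"230 Login successful.\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 40002, 443, b"\x16\x03\x01\x00\x05hello"),  # opaque to a sniffer
]
SAMPLE_PCAP = build_pcap(FRAMES)


def iter_records(pcap: bytes) -> Iterator[bytes]:
    """Yield each captured frame from a classic pcap file, handling either byte order."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Walk link -> internet -> transport; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = 14                                   # IPv4 header starts after the 14-byte Ethernet header
    if frame[ip] >> 4 != 4 or frame[ip + 9] != IPPROTO_TCP:
        return None
    ihl = (frame[ip] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, ip + 2)
    tcp = ip + ihl
    if len(frame) < tcp + 20:
        return None
    src = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_offset = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_offset:ip + total_len]


def extract_ftp_credentials(pcap: bytes) -> List[Tuple[str, str, str, str]]:
    """Pair USER/PASS commands sent to port 21, tracked per client connection."""
    pending = {}   # (client, server, client port) -> user name awaiting its PASS
    found = []
    for frame in iter_records(pcap):
        parsed = parse_tcp(frame)
        if parsed is None or parsed[3] != 21:
            continue
        src, dst, sport, _, payload = parsed
        for line in payload.decode("ascii", errors="replace").splitlines():
            if line.upper().startswith("USER "):
                pending[(src, dst, sport)] = line[5:].strip()
            elif line.upper().startswith("PASS ") and (src, dst, sport) in pending:
                found.append((src, dst, pending.pop((src, dst, sport)), line[5:].strip()))
    return found


if __name__ == "__main__":
    for client, server, user, password in extract_ftp_credentials(SAMPLE_PCAP):
        print(f"{client} -> {server}: USER {user} PASS {password}")
```

Reading a real capture is a matter of `extract_ftp_credentials(open("capture.pcap", "rb").read())`; the equivalent in Wireshark's terminal version is `tshark -r capture.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"'`. Note how the TLS frame to port 443 is skipped: the parser still sees the transport-layer endpoints, but the payload is opaque, which is the whole point of encrypting credential-bearing protocols.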

Which of the following types of coaxial cable is used for cable TV and cable modems?

A. RG-8
B. RG-62
C. RG-59
D. RG-58
Suggested answer: C

Explanation:

RG-59 coaxial cable (75 ohm) is used for cable TV and cable modems. Its thicker successor RG-6, also 75 ohm, has since become the usual drop cable for cable modem and satellite installations, but RG-59 is the answer expected here.

Answer option A is incorrect. RG-8 coaxial cable is primarily used as a backbone in an Ethernet LAN environment and often connects one wiring closet to another. It is also known as 10Base5 or ThickNet.

Answer option B is incorrect. RG-62 coaxial cable (93 ohm) is used for ARCNET and automotive radio antennas.

Answer option D is incorrect. RG-58 coaxial cable is used for Ethernet networks. It uses baseband signaling and 50-Ohm terminator. It is also known as 10Base2 or ThinNet.

In which of the following transmission modes is communication bi-directional?

A. Root mode
B. Simplex mode
C. Full-duplex mode
D. Half-duplex mode
Suggested answer: C

Explanation:

In full-duplex mode both ends transmit at the same time, so communication is simultaneously bi-directional. Half-duplex mode also carries traffic in both directions, but only one end may transmit at a time; simplex mode carries data in one direction only. Root mode is a wireless access point operating mode, not a transmission mode.

Which of the following is a presentation layer protocol?

A. TCP
B. RPC
C. BGP
D. LWAPP
Suggested answer: D

Explanation:

The published key selects LWAPP. Strictly, none of the four options is a presentation-layer protocol in the usual OSI mapping: TCP is a transport-layer protocol, RPC is normally placed at the session layer, BGP is an application-layer routing protocol carried over TCP port 179, and LWAPP (Lightweight Access Point Protocol) is a control and data tunnelling protocol between wireless LAN controllers and access points, carried over UDP. Commonly cited presentation-layer examples are data-representation standards such as ASN.1 and MIME. Give the key's answer on the exam, but do not rely on it as an OSI classification.

Which of the following is a session layer protocol?

A. RPC
B. SLP
C. RDP
D. ICMP
Suggested answer: A

Explanation:

RPC (Remote Procedure Call) is usually placed at the session layer because it establishes and manages the dialogue between a client and a server. SLP (Service Location Protocol) and RDP are application-layer protocols, and ICMP is a network-layer protocol carried directly inside IP.

Which of the following IEEE standards is an example of a DQDB access method?

A. 802.3
B. 802.5
C. 802.6
D. 802.4
Suggested answer: C

Explanation:

IEEE 802.6 defines the Distributed Queue Dual Bus (DQDB) access method used in metropolitan area networks. 802.3 is Ethernet (CSMA/CD), 802.4 is Token Bus, and 802.5 is Token Ring.