week2

Wireshark – Week 2 Practical Quiz

Scenarios: Captures, Filters, Packet Anatomy, Fragmentation & TTL

1. A user reports slow HTTP access to a web server at 10.10.10.50. You can install Wireshark on the client PC. What is the most practical first step?

A. Run Wireshark on the client and capture all traffic during the slow access B. Immediately lower the client’s MTU and test again, without capturing C. Change the client’s DNS servers and hope the issue goes away D. Clear the ARP cache and assume the problem is solved

2. You are capturing on the client for HTTP issues. Which display filter is most practical to view only traffic between the client 10.10.10.20 and server 10.10.10.50 over TCP port 80?

A. http B. ip.addr == 10.10.10.20 && ip.addr == 10.10.10.50 && tcp.port == 80 C. ip.src == 10.10.10.20 && tcp.port == 80 D. icmp

3. You are on a busy web server and only want to capture packets from a single client 192.168.5.100 to reduce file size. Which capture filter is most practical?

A. host 192.168.5.1 B. host 192.168.5.100 C. tcp port 80 D. ip.addr == 192.168.5.100

4. You suspect a router between client and server is dropping large packets due to MTU issues. Which practical approach gives you the best visibility?

A. Capture on a SPAN/mirror port or tap on the link going into the router B. Capture only at the DNS server C. Change all DNS records and do no capture D. Capture on the client only and ignore the network path

5. You want to capture overnight on a Linux sensor without filling the disk. Which dumpcap command pattern is the most practical?

A. dumpcap -i 1 -w night.pcapng B. dumpcap -i 1 -w night.pcapng -b filesize:500000 -b files:10 C. dumpcap -v D. dumpcap -c 1000 -w night.pcapng

6. You want to see which network interfaces you can capture on using dumpcap. Which command is the most practical?

A. dumpcap -i ? B. dumpcap -D C. dumpcap -w interfaces.pcapng D. dumpcap -b list

7. You are analyzing a capture and only want to see DNS queries that contain the string “vpn.company.com”. Which display filter is most practical?

A. dns B. dns.qry.name contains "vpn.company.com" C. frame contains "vpn.company.com" D. http.host contains "vpn.company.com"

8. In a capture from a SPAN port, you see some TCP streams with missing packets and “TCP previous segment not captured” notes. What is the most practical conclusion?

A. The SPAN port may be oversubscribed and dropping mirrored packets B. The server is definitely powered off C. Wireshark installation is corrupt D. The NIC cannot receive any packets at all

9. You are connected to a SPAN port on a switch, monitoring traffic from a single access port. Practically, what type of traffic should you expect to see?

A. Traffic from the selected source port(s) or VLAN(s) that the SPAN session mirrors B. Traffic from every port on every switch in the network C. Only HTTP packets on TCP port 80 D. Only ICMP broadcast packets

10. You open a capture and want to quickly find the three largest frames by size. Which practical steps in Wireshark will help?

A. Add a frame.len column and sort it in descending order B. Change the Time Display Format to “Seconds Since Capture” C. Export the capture to CSV and search in Excel D. Filter on “arp” and check the first three packets

11. In a packet, you see EtherType 0x0800 and an IP header with protocol field 6. Practically, what does this combination tell you?

A. It is an IPv4 packet carrying TCP as the transport protocol B. It is an ARP packet carrying a DNS query C. It is an IPv4 packet carrying ICMP D. It is an IPv6 packet carrying TCP

12. In a capture, you notice multiple IP fragments with the same Identification value but different Fragment Offsets. Practically, how should you analyze the full packet in Wireshark?

A. Enable IP reassembly and then follow the TCP or UDP stream for that conversation B. Delete all fragments and keep only the first one C. Manually edit destination MAC addresses D. Apply a new capture filter to the saved file

13. You see an ICMP “Fragmentation needed” message in the capture with the DF (Don’t Fragment) bit set in the original packet. Practically, what does this tell you?

A. A router could not fragment the packet due to DF being set and MTU being too small B. DNS resolution failed due to a bad record C. Wireshark has changed the packet size D. The client’s antivirus blocked the connection

14. You see that a packet left the client with TTL 128 and arrives at your sensor with TTL 121. Practically, what does this indicate?

A. The packet has passed through roughly 7 routers B. The packet took exactly 7 ms to arrive C. Routers are increasing the TTL by 1 each hop D. There is definitely a routing loop

15. You want to quickly highlight all TCP SYN packets to see where connections are starting. What is the most practical Wireshark customization?

A. Create a coloring rule with filter tcp.flags.syn == 1 and set a bright background color B. Increase the font size for all packets C. Change the layout so only Packet Bytes are visible D. Configure a capture filter for SYN only and recolor later

16. You frequently investigate ICMP-based connectivity issues. What is a practical use of filter buttons in this case?

A. Create a filter button for a display filter like “icmp” so you can enable it with one click B. Use a filter button to increase capture bandwidth C. Use a filter button to run dumpcap in the background D. Create a filter button that changes router routes

17. You suspect only one specific web request path “/login” is slow. Which practical display filter helps you focus on those HTTP requests?

A. http.request.method == "GET" B. http.request.uri contains "/login" C. dns.qry.name contains "/login" D. frame contains "/login" only

18. In a capture of a failed connection, you see the client sending multiple SYN packets but never receiving a SYN/ACK. Practically, what does this most likely indicate?

A. There is likely a connectivity or firewall issue preventing server responses B. DNS resolution must be misconfigured C. The client’s TTL is set too high D. Wireshark is hiding SYN/ACK packets by default

19. You want to find all packets larger than 1400 bytes on the wire to look for fragmentation risk. Which display filter is most practical?

A. frame.len > 1400 B. ip.ttl > 1400 C. tcp.window_size > 1400 D. udp.length > 1400

20. You apply the filter ip.ttl !in {128 64} on a capture of traffic from Windows and Linux clients. Practically, what are you looking for?

A. Packets with unexpected TTL values that might indicate unusual paths or devices B. Only packets from Windows and Linux systems C. Packets whose IP address is not 128 or 64 D. Packets with MTU greater than 128 bytes

21. You are troubleshooting an intermittent issue that only happens between 2–3 PM. Practically, what is the best capture strategy?

A. Schedule a capture that runs during 2–3 PM and uses a ring buffer to avoid disk issues B. Capture only after 3 PM so the network is quiet C. Clear ARP cache every hour instead of capturing D. Capture at random times during the day with no planning

22. You’re connected to a trunk port carrying VLANs 10, 20 and 30, and you want to see only VLAN 20 traffic. Which practical display filter helps?

A. vlan 10 B. vlan 20 C. ip.addr == 20 D. eth.src == 20

23. You want to see the top “chatty” IP pairs in your capture to know who is talking the most. Which Wireshark feature is most practical?

A. Use Statistics > Conversations and sort by bytes or packets B. Add a coloring rule for every host C. Use Statistics > Endpoints and ignore conversations D. Manually count packets in the packet list

24. You suspect only one TCP connection is problematic. After filtering that stream, which feature is most practical to see the complete request/response data?

A. Use Follow > TCP Stream to view the entire conversation B. Use Statistics > Endpoints C. Change the layout to 1 pane view D. Add more columns for every TCP flag

25. You want to find only packets that are IP fragments (not whole packets). Which display filter is most practical?

A. ip.flags.df == 1 B. ip.flags.mf == 1 || ip.frag_offset > 0 C. icmp D. frame.len > 1400

26. You’re troubleshooting a client’s path to a server and want to estimate how many hops away the server is using a response packet. What is the best approach?

A. Assume a likely initial TTL (64 or 128) and subtract the observed TTL in the response B. Add the client’s TTL and server’s TTL values together C. Divide the TCP window by the TTL D. Read the HTTP status code for the hop count

27. You notice that a single IP conversation has many small fragmented packets, which is unusual. Which is the most practical next step?

A. Check the MTU settings and path characteristics for that flow B. Delete all fragment packets from the capture file C. Change the client operating system immediately D. Change the client MAC address and test again

28. You want to quickly see only client-to-server packets (not server-to-client) in a TCP stream where the client IP is 10.0.0.5. Which display filter is practical?

A. ip.src == 10.0.0.5 B. ip.dst == 10.0.0.5 C. ip.addr == 10.0.0.5 D. frame.len > 10.0.0.5

29. You want to capture only traffic to and from TCP port 443 on interface 2 using dumpcap. Which command is the most practical?

A. dumpcap -i 2 -f "tcp port 443" -w ssl_traffic.pcapng B. dumpcap -D "tcp port 443" C. dumpcap -i 2 -f "tcp.port == 443" -w ssl_traffic.pcapng D. dumpcap -b "tcp port 443" -w ssl_traffic.pcapng

30. You want a quick overview of which hosts (IP addresses) appear in your capture and how much traffic each sent/received. Which Wireshark feature is most practical?

A. Use Statistics > Endpoints and look at the IP tab B. Use Statistics > Conversations only C. Open Capture > Options D. Create 50 different filter buttons