2. What is promiscuous mode and how does this allow tcpdump, Wireshark, and Netwitness Investigator to perform protocol capture off a live network?
“Promiscuous mode is a mode for a wired network interface controller (NIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a hub (instead of a switch) or one being part of a WLAN”. This allows tcpdump, Wireshark, and Netwitness Investigator to perform protocol capture off a live network.
3. What is the significance of the TCP 3-Way Handshake for applications that utilize TCP as a transport protocol? Which application in your protocol capture uses TCP as a transport protocol?
The significance of the TCP 3-Way Handshake for applications that utilize TCP as a transport protocol is to ensure a connection is established before any data is transmitted, for applications such as SSH and HTTP. FTP, Telnet, HTTP, HTTPS, SMTP, POP3, IMAP, and SSH use TCP as a transport protocol.
4. How many different source IP host addresses did you capture in your protocol capture?
There are some that we don’t use.
5. How many different protocols (layer 3, layer 4, etc.) did your protocol capture session have? What function in Wireshark provides you with a breakdown of the different protocol types on the LAN segment?
Epan
6. Can Wireshark provide you with network traffic packet size counts? How and where? Are you able to distinguish how many of each packet size was transmitted on your LAN segment? Why is this important to know?
Yes. Using the command –c. Yes. This is important to know to make sure
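The following is an added worked example, not part of the lab sheet and not Wireshark's or tcpdump's own code. It runs over a small constructed capture (ten hand-written packet records, not a real trace; the public address 203.0.113.80 is from the RFC 5737 documentation range) and computes the same four things questions 3 to 6 ask about: whether each TCP connection completed its 3-way handshake before carrying data, the set of distinct source hosts, a per-layer protocol breakdown like Wireshark's Statistics > Protocol Hierarchy, and a packet-length histogram using the same bucket bounds as Wireshark's Statistics > Packet Lengths. The Packet dataclass and the field names are this example's own simplification of a decoded frame.

```python
"""Toy capture analyzer mirroring a few Wireshark statistics views (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str               # sender address (IP, or sender protocol address for ARP)
    dst: str               # receiver address
    l3: str                # layer-3 protocol name, e.g. "IPv4" or "ARP"
    l4: Optional[str]      # layer-4 protocol name, e.g. "TCP" / "UDP", None if absent
    sport: Optional[int]   # source port, None for non-TCP/UDP
    dport: Optional[int]   # destination port
    flags: int             # TCP flag bitmask, 0 for anything that is not TCP
    length: int            # frame length on the wire in bytes


# Constructed sample capture: a DNS lookup, an HTTP session with a full
# handshake, an SSH SYN that is retransmitted but never answered, and an ARP request.
CAPTURE = [
    Packet("192.168.1.10", "192.168.1.1", "IPv4", "UDP", 53421, 53, 0, 74),
    Packet("192.168.1.1", "192.168.1.10", "IPv4", "UDP", 53, 53421, 0, 90),
    Packet("192.168.1.10", "203.0.113.80", "IPv4", "TCP", 49152, 80, SYN, 74),
    Packet("203.0.113.80", "192.168.1.10", "IPv4", "TCP", 80, 49152, SYN | ACK, 74),
    Packet("192.168.1.10", "203.0.113.80", "IPv4", "TCP", 49152, 80, ACK, 66),
    Packet("192.168.1.10", "203.0.113.80", "IPv4", "TCP", 49152, 80, ACK, 320),   # HTTP GET
    Packet("203.0.113.80", "192.168.1.10", "IPv4", "TCP", 80, 49152, ACK, 1514),  # response
    Packet("192.168.1.20", "192.168.1.5", "IPv4", "TCP", 51000, 22, SYN, 74),
    Packet("192.168.1.20", "192.168.1.5", "IPv4", "TCP", 51000, 22, SYN, 74),     # retransmit
    Packet("192.168.1.20", "192.168.1.5", "ARP", None, None, None, 0, 42),
]

# Lower bounds of Wireshark's Statistics > Packet Lengths buckets.
BUCKET_BOUNDS = (0, 20, 40, 80, 160, 320, 640, 1280, 2560, 5120)


def tcp_handshakes(packets):
    """Follow the 3-way handshake per TCP connection (keyed client -> server).

    States: SYN_SENT (client SYN seen), SYN_ACK_SEEN (server replied),
    ESTABLISHED (client ACKed). Only ESTABLISHED connections can carry
    application data such as HTTP or SSH; a stuck SYN_SENT is a failed connect.
    """
    state = {}
    for p in packets:
        if p.l4 != "TCP":
            continue
        if p.flags & SYN and not p.flags & ACK:          # client SYN (or retransmit)
            state.setdefault((p.src, p.sport, p.dst, p.dport), "SYN_SENT")
        elif p.flags & SYN and p.flags & ACK:            # server SYN-ACK
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_ACK_SEEN"
        elif p.flags & ACK:                              # client ACK completes it
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "SYN_ACK_SEEN":
                state[key] = "ESTABLISHED"
    return state


def source_hosts(packets):
    """Distinct source addresses, like Statistics > Endpoints."""
    return sorted({p.src for p in packets})


def protocol_hierarchy(packets):
    """Packet count per protocol at layers 3 and 4, like Statistics > Protocol Hierarchy."""
    counts = Counter()
    for p in packets:
        counts[p.l3] += 1
        if p.l4:
            counts[p.l4] += 1
    return dict(counts)


def packet_length_histogram(packets):
    """Packets per length bucket, like Statistics > Packet Lengths."""
    hist = Counter()
    for p in packets:
        idx = max(i for i, b in enumerate(BUCKET_BOUNDS) if b <= p.length)
        if idx + 1 < len(BUCKET_BOUNDS):
            label = f"{BUCKET_BOUNDS[idx]}-{BUCKET_BOUNDS[idx + 1] - 1}"
        else:
            label = f"{BUCKET_BOUNDS[idx]}+"
        hist[label] += 1
    return dict(hist)


if __name__ == "__main__":
    for name, result in (("handshakes", tcp_handshakes(CAPTURE)),
                         ("source hosts", source_hosts(CAPTURE)),
                         ("protocol hierarchy", protocol_hierarchy(CAPTURE)),
                         ("packet lengths", packet_length_histogram(CAPTURE))):
        print(f"{name}: {result}")
```

On the constructed capture the HTTP connection reaches ESTABLISHED while the SSH attempt stays in SYN_SENT, which is exactly the distinction the handshake question is getting at: without the third segment no application data flows. The length histogram shows why size counts matter for a defender: a burst of packets in the 40-79 byte bucket with no established connections behind them looks very different from normal client traffic.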