Lab 5: Performing Packet Capture and Traffic Analysis
In this lab, you used common applications to generate traffic and transfer files between the machines in the lab environment. You captured that traffic with Wireshark and reviewed it at the packet level, and then you used NetWitness Investigator, a free tool that gives security practitioners a means of analyzing a complete packet capture, to review the same traffic at a consolidated level, grouped into sessions and metadata rather than individual packets.
Lab Assessment Questions & Answers
- Why would a network administrator use Wireshark and NetWitness Investigator together?
Because Wireshark provides detailed, packet-by-packet information about the network traffic, while NetWitness Investigator quickly summarizes a large capture into readable sessions and metadata (hosts, services, destination addresses), which makes it easier to find the conversations worth examining in Wireshark.
- What was the IP address for LAN Switch1? 172.16.20.5
- When the host at 172.16.8.5 responded to the ICMP echo-requests, how many ICMP echo-reply packets were sent back to the vWorkstation?
- When using SSH to remotely access a Cisco router, can you see the terminal password? Why or why not?
No. SSH encrypts the session, so the password travels inside the encrypted channel and appears in the capture only as ciphertext (unlike Telnet, which sends the login in cleartext).
- What were the Destination IP addresses discovered by the NetWitness Investigator analysis?
172.30.0.15, 22.214.171.124, 172.30.0.2, 172.16.0.255, 172.16.8.5
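As an added example (not part of the lab materials), the following Python script reproduces in code the two checks above: counting the ICMP echo replies returned to the vWorkstation (the Wireshark filter `icmp.type == 0 && ip.dst == <vWorkstation>`) and listing the distinct destination IP addresses the way NetWitness Investigator rolls them up. The frames are constructed inline for the example and are not the lab capture; the vWorkstation address 172.30.0.2 and the MAC addresses are assumptions, so the reply count it prints describes the constructed data, not the answer to the question above.

```python
"""Count ICMP echo replies and list destination IPs from raw Ethernet frames.

Added example: a minimal Ethernet/IPv4/ICMP decoder that reproduces the two
checks done in the lab with Wireshark and NetWitness Investigator.
The frames built below are constructed for the example, not the lab capture.
"""
import socket
import struct
from collections import Counter

ETH_P_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

VWORKSTATION = "172.30.0.2"   # assumption: address used for the vWorkstation here
PING_TARGET = "172.16.8.5"    # the host pinged in the lab
LAN_SWITCH1 = "172.16.20.5"   # LAN Switch1, from the lab answers


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 (no options) + payload, with a valid IPv4 checksum."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566")  # assumed MACs
    eth += struct.pack("!H", ETH_P_IP)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def build_icmp(icmp_type: int, ident: int, seq: int) -> bytes:
    """ICMP echo request/reply header plus a short payload, checksum filled in."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frame(frame: bytes):
    """Decode one frame; return None for non-IPv4 frames or corrupt IPv4 headers."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or inet_checksum(ip[:ihl]) != 0:
        return None  # bad version, short header, or checksum mismatch
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "icmp_type": None}
    if pkt["proto"] == IPPROTO_ICMP and total_len >= ihl + 8:
        pkt["icmp_type"] = ip[ihl]  # first byte after the IPv4 header
    return pkt


def count_echo_replies(frames, target: str) -> int:
    """Same question as the Wireshark filter: icmp.type == 0 && ip.dst == target."""
    return sum(1 for p in map(parse_frame, frames)
               if p and p["icmp_type"] == ICMP_ECHO_REPLY and p["dst"] == target)


def destination_ips(frames) -> list:
    """NetWitness-style 'Destination IP' roll-up: each distinct ip.dst with a count."""
    return sorted(Counter(p["dst"] for p in map(parse_frame, frames) if p).items())


def sample_capture() -> list:
    """Constructed traffic: a ping with one lost reply, an SSH segment, a broadcast, a corrupt frame."""
    frames = []
    for seq in range(1, 5):
        frames.append(build_frame(VWORKSTATION, PING_TARGET, IPPROTO_ICMP,
                                  build_icmp(ICMP_ECHO_REQUEST, 0x0101, seq)))
        if seq != 3:  # one reply is lost, so only three come back
            frames.append(build_frame(PING_TARGET, VWORKSTATION, IPPROTO_ICMP,
                                      build_icmp(ICMP_ECHO_REPLY, 0x0101, seq)))
    # SSH to the switch; the TCP header is dummy bytes, the payload is opaque as in Wireshark
    frames.append(build_frame(VWORKSTATION, LAN_SWITCH1, IPPROTO_TCP,
                              b"\x00" * 20 + b"SSH-2.0-OpenSSH\r\n"))
    # a directed broadcast, the kind of frame a switch floods to every port
    frames.append(build_frame(VWORKSTATION, "172.16.0.255", IPPROTO_UDP, b"\x00" * 8))
    bad = bytearray(frames[0])
    bad[14 + 8] ^= 0x01  # flip one TTL bit so the IPv4 checksum no longer verifies
    frames.append(bytes(bad))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    print("echo replies to", VWORKSTATION, "=", count_echo_replies(cap, VWORKSTATION))
    for ip, n in destination_ips(cap):
        print(f"{ip:15} {n}")
```

The checksum check in `parse_frame` is what keeps a damaged frame from being counted; Wireshark performs the same validation and flags such packets as malformed. Counting on the decoded `ip.dst` field rather than on the Ethernet destination is why the directed broadcast shows up as its own destination address, as it did in the NetWitness list.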
- Are packet-capturing tools like Wireshark less dangerous on switched LANs?
Yes, to a degree. Wireshark's ability to capture other hosts' traffic is greatly reduced on a switched network, because a switch forwards a unicast frame only out the port where it learned the destination MAC address; only broadcast, multicast, and unknown-unicast frames are flooded to every port. A NIC in promiscuous mode therefore sees its own traffic plus those flooded frames, not every conversation on the segment as it would on a shared-medium hub. The protection is not absolute, however: an attacker who spoofs ARP replies to redirect traffic through their host, overflows the switch's MAC address table so that it falls back to flooding, or obtains a mirror (SPAN) port on the switch can once again capture other hosts' traffic.