header bg

Download PASSEMALL Prep app now

Scan QR code or get instant email to install app

Question:

Which Wireshark display filter displays all packets including the term Facebook?

A tcp contains facebook
explanation

The following Wireshark display filter is appropriate: The search string is contained in tcp.

Explore more Cehv10 questions
Take more free practice tests for other PASSEMALL topics with our ceh exam now!

Comments

Leave a Reply

Your email address will not be published.

*

Related Questions

(Select all that apply) Which of the following active sniffer techniques are acceptable for a switched network?

ARP poisoning

MAC flooding

ARP poisoning can be used to deceive a system into delivering packets to your computer rather than the intended recipients (including the default gateway). MAC flooding is an older exploit that fills a CAM table and causes a switch to behave like a hub.

At Layer 5 of the OSI model, which of the following works?

Circuit-level firewall

This one, I must admit, is difficult. Yes, circuit-level firewalls function at Layer 5. Stateful firewalls can be considered to operate at Layer 5, however, their primary concentration is on Layers 3 and 4. Layer 7 is where the application operates.

Which type of IDS is in place in the case that an IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting?

Anomaly based

IDSs might be based on signatures or anomalies. Over time, anomaly-based systems establish a baseline of usual traffic patterns, and anything that deviates from the baseline is flagged.

When an IDS does not suitably identify a malicious packet entering the network, what takes place?

False negative

A false negative occurs when traffic reaches the IDS, is analyzed and is still allowed through despite being nasty. And a false negative is quite dangerous.

What driver and library are required to allow the NIC to work in promiscuous mode In setting up Wireshark if a pen tester is configuring a Windows laptop for a test?

winpcap

The WinPcap library is used for Windows devices. On Linux devices, Libpcap is used for the same purpose.

In which of the following situation would you select a proxy server?

You want to filter Internet traffic for internal systems.

There are several reasons to use a proxy. You're using it to filter traffic between internal hosts and the rest of the world in this situation. Proxies, in general, do not serve as file servers, websites, or DHCP servers.

Which of the following is most likely true in the situation that your customer tells you they understand beyond a doubt an attacker is sending messages back and forth from their network, yet the IDS doesn’t appear to be alerted on the traffic?

The attacker is sending messages over an SSL tunnel.

The bane of IDS’ existence is Encryption. The IDS is blind as a bat if traffic is encrypted.

Which of the following rules are correct for this situation:
You are configuring Snort rules and want an alert message of "Attempted FTP" on any FTP packet originating from an outside IP and destined for one of your internal hosts.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″)

The syntax for Snort rules is the same: action protocol src address src port -> dest address port (options).

The best describes a honeypot is which of the following?

It is used to gather information about potential network attackers.

A honeypot is created to encourage attackers so that you may see what they do, how they do it, and where they do it.

(Select all that apply) Which of the following statements are true?
An attacker attached a laptop to a switch port and activated a sniffer. The NIC is set to promiscuous mode, and the laptop is left alone for a few hours to collect information.

The packet capture will provide the MAC addresses of other machines connected to the switch.

The packet capture will display all traffic intended for the laptop.

Switches filter or flood traffic based on the address. Broadcast traffic, such as ARP requests and answers, is flooded to all ports. Unicast traffic, such as  traffic intended for the laptop itself or the default gateway, is sent only to the port on which the machine rests.

Which of the following best describes active sniffing? (Select all that apply.)

Active sniffing is usually required when switches are in place.

Active sniffing is easier to detect than passive sniffing.

Why bother with active sniffing tactics if you're on a hub. You can already see everything. Furthermore, active sniffing is far more likely to result in your arrest than merely putting in a wire and sitting back.

(Select all that apply) Which of the following Wireshark filters would show all traffic coming from or going to systems on the 172.17.15.0/24 subnet?

ip.addr == 172.17.15.0/24

ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24

Always pay attention to the operators when answering Wireshark filter questions.

Machine A (MAC address 00-01-02-AA-BB-CC) and Machine B (MAC address 00-01-02-BB-CC-DD) are on the same subnet. Machine C is on a different subnet and has the address 00-01-02-CCDD-EE. Machine B delivers a communication to Machine C while the attacker is sniffing on the fully switched network. Which of the following conditions would be required for an attacker on Machine A to get a copy of this message?

The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.

ARP poisoning is performed on the computer that generates the frame - the sender. When the sender machine's default gateway entry is changed, all packets destined for an IP address outside the subnet are routed to the attacker. It is pointless to change the ARP cache on the other machine or the router.