Questions

1. What does tcpdump do?

2. What does wireshark do differently from tcpdump?

3. What factors should you consider when designing an IDS installation?

4. What is the difference between an Intrusion Detection System and an Intrusion Prevention System?

5. What factors would limit your ability to capture packets?

6. What are the different aspects of network management?

7. What is the underlying protocol used in most network monitoring tools?

8. What type of message does a SNMP manager use to pull information from an agent?

9. What tool captures packets queried from a network interface?

10. What tool processes and filters captured files based upon monitoring needs?

11. What tool tracks the bandwidth and utilization of interfaces on devices?

12. What is used by performance monitors to track performance over time?

13. A log of performance indicators that represents a big picture of a network is referred to as?

14. What are the three components to SNMP?

15. Give a brief description of each of the following:

I. Simple Network Management Protocol (SNMP)

II. Network monitoring tools

III. Throughput testers

IV. Status monitoring

V. Traffic monitoring

VI. Route monitoring

VII. Network traffic analysis

VIII. System Performance Monitor


Answers

1. - Captures packets
   - Analyzes packets and provides a textual analysis

tcpdump is a popular, lightweight command-line tool for capturing packets and analyzing network traffic.

2. - It understands more application-level protocols
   - It has a graphical interface.

tcpdump is a command-line utility, while Wireshark has a powerful graphical interface. While tcpdump understands some application-layer protocols, Wireshark expands on this with a much larger complement of protocols understood.

3. - Traffic bandwidth
   - Storage capacity

It is important to understand the amount of traffic the IDS would be analyzing. This ensures that the IDS is capable of keeping up with the volume of traffic. Storage capacity is important to consider for log and packet capture retention reasons.

4. An IDS can alert on detected attack traffic, but an IPS can actively block attack traffic. An IDS only detects intrusions or attacks, while an IPS can make changes to firewall rules to actively drop or block detected attack traffic.

5. - Network interface not being in promiscuous or monitor mode
   - Access to the traffic in question

If your NIC isn't in monitor or promiscuous mode, it will only capture packets sent by and sent to your host. In order to capture traffic, you need to be able to access the packets; so, being connected to a switch wouldn't allow you to capture other clients' traffic, since the switch only forwards each client's frames to its own port.

6. Operations, Administration, Maintenance, and Provisioning

7. Simple Network Management Protocol

8. GetRequest

9. Packet sniffer

10. Protocol analyzer

11. Interface monitors

12. Logs

13. Baseline

14. SNMP manager, managed devices, Management Information Base (MIB)

15. Descriptions

I. Application-layer (Layer 7) protocol used to collect information from network devices for diagnostic and maintenance purposes.

II. Capture and analyze traffic; create logs; alert you to events you define; monitor different interfaces such as routers, switches, and servers; indicate areas of traffic congestion; help you construct baselines; determine upgrade and forecast needs; and generate reports for management.

III. Software tools that you can use to measure network throughput and capacity.

IV. Used to gather data related to the status of a network.

V. Used to gather data related to the traffic generated in a network.

VI. Used to trace the route taken by packets and detect routing delays, if any.

VII. Identification of the inbound and outbound protocols, which involves:

• Checking whether the protocols acknowledge each other. This step helps identify whether the protocols communicate unidirectionally or bidirectionally.

• Identifying whether ports are open or closed.

• Checking the traffic that passes through a firewall.

• Packet flow monitoring.

VIII. Software tool that monitors the state of services or daemons, processes, and resources on a computing device.