Which sequence lists the PDU names from the lowest layer (handled by the network card) up to the transport layer content described in the excerpt?
A) Ethernet frame → IP packet → TCP segment / UDP datagram
B) TCP segment → IP packet → Ethernet frame
C) UDP datagram → Ethernet frame → IP packet
D) IP packet → TCP segment → Ethernet frame
A — Ethernet frame → IP packet → TCP segment / UDP datagram
What is the fundamental difference between TCP and UDP?
A) TCP is connection-oriented (reliable); UDP is connectionless (unreliable, low overhead)
B) TCP is used only for local networks; UDP only for the internet
C) TCP never uses ports; UDP always uses ports
D) TCP is always faster than UDP
A — TCP is connection-oriented (reliable); UDP is connectionless (unreliable, low overhead)
What is the correct order of the TCP three-way handshake initiated by a client?
A) SYN → SYN-ACK → ACK
B) ACK → SYN → SYN-ACK
C) SYN-ACK → SYN → ACK
D) ACK → ACK → SYN
A — SYN → SYN-ACK → ACK
Why might an application choose UDP over TCP, according to the excerpt?
A) UDP has no handshake and minimal overhead, useful for quick or low-latency transfers (e.g., TFTP)
B) UDP guarantees delivery of every packet
C) UDP encrypts traffic automatically
D) UDP assigns public IP addresses to clients
A — UDP has no handshake and minimal overhead, useful for quick or low-latency transfers (e.g., TFTP)
Which command can you use on a host to view active TCP connections as mentioned in the excerpt?
A) netstat
B) ipconfig /all
C) traceroute
D) nslookup
A — netstat
According to the excerpt, which applications or services are primarily TCP-based?
A) The worldwide web, most file transfers, remote desktop tools, and most games
B) DNS lookups and streaming audio only
C) All real-time voice applications exclusively
D) Only multicast video distribution
A — The worldwide web, most file transfers, remote desktop tools, and most games
At which layer does ICMP operate and what is a key characteristic that differentiates it from TCP/UDP?
A) Transport layer; it uses ports like TCP/UDP
B) IP (internet) layer; it has no port numbers and uses type/code fields instead
C) Data link layer; it resolves MAC addresses only
D) Application layer; it carries HTTP-like payloads
B — IP (internet) layer; it has no port numbers and uses type/code fields instead
What common network utility uses ICMP and what does it do?
A) nslookup — resolves DNS names to IPs
B) ping — sends ICMP Echo Request and expects Echo Reply to verify reachability
C) traceroute — encrypts packets across routers
D) ftp — transfers files using ICMP
B — ping — sends ICMP Echo Request and expects Echo Reply to verify reachability
What is the primary purpose of IGMP?
A) To assign IP addresses to hosts
B) To manage multicast group membership so hosts can join or leave multicast streams
C) To translate domain names to multicast addresses
D) To provide reliable transport for multicast data
B — To manage multicast group membership so hosts can join or leave multicast streams
Which IP address range identifies multicast addresses used with IGMP?
A) 10.0.0.0/8
B) 127.0.0.0/8
C) 224.0.0.0 – 239.255.255.255 (addresses that start with 224)
D) 192.168.0.0/16
C — 224.0.0.0 – 239.255.255.255 (addresses that start with 224)
In an IGMP context, what are the "group address" and "source address" fields used for?
A) Group address selects the multicast stream; source address identifies the original sender/server of that stream
B) Group address is the router IP; source address is the switch MAC
C) Group address is the client's private IP; source address is the DNS server
D) They are used only for ARP resolution
A — Group address selects the multicast stream; source address identifies the original sender/server of that stream
How do routers handle multicast traffic to conserve bandwidth?
A) They duplicate streams for every host on the internet
B) They forward the single multicast stream only to networks that have hosts joined to the multicast group, avoiding separate unicast streams per listener
C) They convert multicast to broadcast and flood the entire internet
D) They drop all multicast packets by default
B — They forward the single multicast stream only to networks that have hosts joined to the multicast group, avoiding separate unicast streams per listener
What is "network traffic" as defined in the excerpt?
A) Only voice or video streams on a network
B) The amount and types of PDUs (packets/frames/segments) moving across a network at a given time
C) Only encrypted data crossing a WAN
D) Only broadcast frames on a LAN
B — The amount and types of PDUs (packets/frames/segments) moving across a network at a given time
Which transmission method sends data from one node to multiple specific nodes?
A) Unicast
B) Broadcast
C) Multicast
D) Anycast
C — Multicast
What does "East-to-West" traffic refer to?
A) Traffic moving between the internet and the organization
B) Traffic moving on the internal network between systems (lateral/internal traffic)
C) Traffic traveling across continents
D) Traffic that is broadcast to all hosts
B — Traffic moving on the internal network between systems (lateral/internal traffic)
Which two primary methods are mentioned for monitoring network traffic?
A) Packet encryption and VLAN tagging
B) Manual monitoring via gateway/network devices and automated network management software tools
C) Physical inspection of cables and manual DNS checks
D) Using multicast and anycast probing
B — Manual monitoring via gateway/network devices and automated network management software tools
Which of these is a traffic-management strategy to reduce congestion and allocate capacity?
A) ARP caching
B) Traffic shaping, load balancing, and bandwidth management
C) Turning off DHCP
D) Increasing MAC address table size
B — Traffic shaping, load balancing, and bandwidth management
What is a common cause of network traffic problems noted in the excerpt?
A) Excessive use of multicast addresses only
B) Peak usage volumes, bandwidth-heavy applications, misconfigured hardware, latency, and malicious attacks
C) Having too many switches with redundant links only
D) Using IP addressing schemes with /24 masks exclusively
B — Peak usage volumes, bandwidth-heavy applications, misconfigured hardware, latency, and malicious attacks
What does traceroute/tracert display?
A) Each router (hop) along the path to a destination
B) Only the final destination's IP
C) The local ARP table
D) DNS resolution path only
A — Each router (hop) along the path to a destination
Which command is typically used on Windows for traceroute?
A) traceroute
B) tracert
C) pathping
D) ping
B — tracert
How does pathping differ from traceroute?
A) Uses ping probes per hop
B) Shows DNS only
C) Measures MTU
D) Changes TTL permanently
A — Uses ping probes per hop
When is the best time to run traceroute/pathping to build a useful baseline?
A) Only during an outage
B) After firmware upgrade
C) When everything runs well
D) Only on ISP notice
C — When everything runs well
What does a bandwidth speedtester measure?
A) Router CPU
B) Download/upload throughput
C) Number of hops
D) MAC table size
B — Download/upload throughput
If measured speeds are lower than expected, possible causes include:
A) ISP issue
B) Poor router
C) Network congestion
D) All of the above
D — All of the above
What is Wireshark?
A) A paid firewall product
B) A free protocol analyzer used to inspect captured network traffic
C) An ISP speedtest tool
D) A router firmware updater
B — A free protocol analyzer used to inspect captured network traffic
What component actually collects packets for analysis with Wireshark?
A) The Wireshark analyzer only, which synthesizes packets
B) A packet capture tool (the capture utility) that records frames to a capture file
C) The router's web GUI
D) DNS servers
B — A packet capture tool (the capture utility) that records frames to a capture file
How does Wireshark present captured data for inspection?
A) As a single raw text log only
B) As numbered frames with layered dissections (Ethernet → IP → TCP/UDP → application) and a hex pane
C) Only as graphical charts of traffic volume
D) Only as reconstructed audio streams
B — As numbered frames with layered dissections (Ethernet → IP → TCP/UDP → application) and a hex pane
What does the "Follow TCP Stream" feature do in Wireshark?
A) Deletes unrelated packets from the capture
B) Reconstructs and displays the entire TCP session payload associated with a selected packet
C) Converts TCP to UDP automatically
D) Filters only ARP traffic
B — Reconstructs and displays the entire TCP session payload associated with a selected packet
How can you inspect DHCP activity in a packet capture?
A) DHCP cannot be captured
B) Filter for BOOTP/DHCP traffic (Wireshark labels DHCP as BOOTP) to view release/renew exchanges
C) Use traceroute instead of Wireshark
D) Only tcpdump can show DHCP messages
B — Filter for BOOTP/DHCP traffic (Wireshark labels DHCP as BOOTP) to view release/renew exchanges
Why might a network engineer use tcpdump instead of Wireshark's built-in capture tool?
A) tcpdump is graphical and easier to click
B) tcpdump can run headless, be scripted/scheduled, apply capture filters reliably, and save captures for later analysis in Wireshark
C) tcpdump cannot save capture files
D) tcpdump automatically fixes network issues
B — tcpdump can run headless, be scripted/scheduled, apply capture filters reliably, and save captures for later analysis in Wireshark
What is the primary purpose of the netstat command?
A) To display active network connections and listening ports on the local host
B) To change the system's IP address
C) To update router firmware
D) To capture raw packets on the network
A — To display active network connections and listening ports on the local host
What does the netstat -n option do?
A) Shows numeric IP addresses and port numbers instead of resolving names
B) Displays network throughput statistics
C) Clears the routing table
D) Enables verbose debug logging
A — Shows numeric IP addresses and port numbers instead of resolving names
Why must you run netstat with elevated/administrator privileges to use the -b option?
A) Because -b shows the executable/program owning each connection and requires elevation
B) Because -b modifies firewall rules
C) Because -b changes DNS settings
D) Because -b resets network adapters
A — Because -b shows the executable/program owning each connection and requires elevation
What does the netstat -o option display and how is it useful?
A) It shows the process ID (PID) for each connection so you can identify the owning process in Task Manager
B) It outputs only open UDP ports and blocks TCP
C) It orders results by bandwidth usage
D) It opens the router web GUI
A — It shows the process ID (PID) for each connection so you can identify the owning process in Task Manager
What information does netstat -a display and what related command shows the routing table?
A) -a shows all active and listening ports; netstat -r or route print shows the routing table
B) -a shows only established TCP connections; ipconfig shows the routing table
C) -a displays ARP cache; tracert shows the routing table
D) -a clears all sockets; ping -r shows the routing table
A — -a shows all active and listening ports; netstat -r or route print shows the routing table
What connection states might you observe with repeated netstat output and what do they indicate?
A) States like ESTABLISHED and TIME_WAIT indicate active connections and sockets waiting for timeout after closure
B) States like OPEN and CLOSED indicate firewall rule status
C) States like SENDING and RECEIVING indicate CPU usage
D) States like BOUND and FREE indicate DHCP lease status
A — States like ESTABLISHED and TIME_WAIT indicate active connections and sockets waiting for timeout after closure
What is FTP primarily used for and what is notable about its history?
A) A modern encrypted web protocol developed after HTTPS
B) File Transfer Protocol used to move (often large) files; it predates the World Wide Web
C) A routing protocol for transferring IP routes between routers
D) A multicast streaming protocol for live video
B — File Transfer Protocol used to move (often large) files; it predates the World Wide Web
Which ports does traditional (active-mode) FTP use for control and data?
A) Control 80, Data 443
B) Control 21, Data 20
C) Control 69, Data 21
D) Control 22, Data 20
B — Control 21, Data 20
How are FTP usernames and passwords transmitted over the network by default?
A) Encrypted with TLS by default
B) Transmitted in clear text (unencrypted); use SFTP/FTPS for encryption
C) Hashed with MD5 automatically
D) Sent as multicast packets to all hosts
B — Transmitted in clear text (unencrypted); use SFTP/FTPS for encryption
What is an "anonymous" FTP account and typical permissions for it?
A) A VPN-only account that tunnels FTP over SSH
B) A public account named Anonymous (often with an email as password) mapped to a home directory with read/list (download-only) permissions
C) An admin account with full write permissions for all users
D) An account that automatically encrypts uploads
B — A public account named Anonymous (often with an email as password) mapped to a home directory with read/list (download-only) permissions
What is TFTP and how does it differ from FTP?
A) TFTP is a secure FTP variant using TLS on port 21
B) TFTP is Trivial File Transfer Protocol, a lightweight UDP-based protocol that runs on port 69 and has minimal features/authentication
C) TFTP is a GUI FTP client included with Windows Explorer
D) TFTP is FTP tunneled over BGP for WAN transfers
B — TFTP is Trivial File Transfer Protocol, a lightweight UDP-based protocol that runs on port 69 and has minimal features/authentication
Which commands are commonly used in a command-line FTP client to download and upload files?
A) PULL and PUSH
B) GET (download) and PUT (upload)
C) OPEN and CLOSE only
D) SEND and RECEIVE
B — GET (download) and PUT (upload)
Which ports correspond to SMTP, POP3, and IMAP in traditional email setups?
A) SMTP 25, POP3 110, IMAP 143
B) SMTP 110, POP3 25, IMAP 143
C) SMTP 143, POP3 25, IMAP 110
D) SMTP 21, POP3 20, IMAP 69
A — SMTP 25, POP3 110, IMAP 143
What is the primary role of SMTP in email architecture?
A) Sending outbound email from clients to mail servers and between mail servers
B) Storing and synchronizing mailboxes on the server
C) Downloading mail to a local client
D) Encrypting email content end-to-end
A — Sending outbound email from clients to mail servers and between mail servers
How does POP3 differ from IMAP in how mail is handled on the server?
A) POP3 copies mail down to the client (client-side storage); IMAP leaves mail on the server and synchronizes folders across clients
B) POP3 leaves mail on the server; IMAP always removes mail after download
C) POP3 uses multicast; IMAP uses unicast
D) POP3 encrypts by default; IMAP never encrypts
A — POP3 copies mail down to the client (client-side storage); IMAP leaves mail on the server and synchronizes folders across clients
What is a major security characteristic of traditional (old-school) SMTP/POP3/IMAP email traffic as shown by packet captures?
A) Usernames and passwords and message text are typically transmitted in clear text unless encryption (TLS/SSL) is used
B) All email traffic is automatically encrypted end-to-end by default
C) SMTP uses UDP to protect credentials
D) IMAP masks passwords with multicast addresses
A — Usernames and passwords and message text are typically transmitted in clear text unless encryption (TLS/SSL) is used
Which statement about common email server software is true?
A) Many mail server packages provide SMTP plus either POP3 or IMAP (or both) in the same application
B) SMTP servers cannot be combined with POP3/IMAP and must always be separate hardware appliances
C) Email servers only support webmail and never client-based protocols
D) A single mail server can only host one user account
A — Many mail server packages provide SMTP plus either POP3 or IMAP (or both) in the same application
Which email protocols are unencrypted by default?
A) SMTP, POP3, IMAP
B) SMTP, FTP, IMAP
C) POP3, SSH, SMTP
D) IMAP, HTTPS, SMTP
A — SMTP, POP3, IMAP
What was the first method to encrypt email traffic?
A) SSL
B) Traditional TLS
C) STARTTLS
D) VPN tunneling
B — Traditional TLS
Which ports were used by Traditional TLS for IMAP, POP3, and SMTP?
A) IMAP 993, POP3 995, SMTP 465
B) IMAP 143, POP3 110, SMTP 25
C) IMAP 587, POP3 465, SMTP 995
D) IMAP 993, POP3 143, SMTP 110
A — IMAP 993, POP3 995, SMTP 465
What problem did Traditional TLS have?
A) It required certificates
B) It started unencrypted before switching
C) It only worked with webmail
D) It was incompatible with Outlook
B — It started unencrypted before switching
Which port is now the standard for STARTTLS?
A) 465
B) 587
C) 993
D) 25
B — 587
Why might you still see STARTTLS on port 465?
A) Legacy support
B) Official permanent port
C) ISPs block 587
D) Newer than 587
A — Legacy support
Which port does Telnet use by default?
A) 21
B) 22
C) 23
D) 25
C — 23
Which protocol replaced Telnet for secure remote access?
A) FTP
B) SSH
C) SMTP
D) RDP
B — SSH
What is the main weakness of Telnet?
A) It uses too much bandwidth
B) It sends data in plaintext
C) It only works on Windows
D) It requires certificates
B — It sends data in plaintext
Which port does SSH typically use?
A) 20
B) 21
C) 22
D) 23
C — 22
What is a secure alternative to FTP using SSH?
A) FTPS
B) SFTP
C) TFTP
D) SNMP
B — SFTP
Which protocol is often used with SSH for secure file transfer?
A) SCP
B) SMTP
C) RDP
D) HTTP
A — SCP
Which protocol is the full-featured network time protocol?
A) SNTP
B) PTP
C) NTP
D) HTTP
C — NTP
What does SNTP stand for?
A) Simple Network Time Protocol
B) Standard Network Time Protocol
C) Secure Network Time Protocol
D) Serial Network Time Protocol
A — Simple Network Time Protocol
What is PTP mainly used for?
A) Precise synchronization in LANs
B) Encrypting network data
C) Web browsing
D) File transfer
A — Precise synchronization in LANs
Which protocol offers the highest accuracy in time sync?
A) SNTP
B) PTP
C) FTP
D) NTP
B — PTP
Which protocol is best for devices with limited resources?
A) PTP
B) NTP
C) SNTP
D) SMTP
C — SNTP
Where is NTP typically used?
A) In securing emails
B) In synchronizing clocks across networks
C) In transferring files
D) In compressing data
B — In synchronizing clocks across networks
What does DHCP primarily provide?
A) Domain names
B) Automatic IP addressing
C) File sharing
D) Encryption
B — Automatic IP addressing
What IP address range is reserved for APIPA?
A) 192.168.x.x
B) 10.x.x.x
C) 169.254.x.x
D) 172.16.x.x
C — 169.254.x.x
Why might some devices always get an IP even when the scope is exhausted?
A) DNS caching
B) MAC reservations
C) Long leases
D) Static routing
B — MAC reservations
What default lease time does Windows use for DHCP?
A) 1 hour
B) 8 hours
C) 1 day
D) 8 days
D — 8 days
What problem occurs when a DHCP scope runs out of addresses?
A) Network loop
B) Scope exhaustion
C) Duplicate MAC
D) DNS poisoning
B — Scope exhaustion
What does IPAM stand for?
A) Internet Protocol Access Method
B) IP Address Management
C) Internal Packet Address Mapping
D) Integrated Protocol Allocation Mechanism
B — IP Address Management