Network Forensics
Studied by 0 people
Call Kai
Learn
Practice Test
Spaced Repetition
Match
Flashcards
Knowt Play1/94
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
|---|
No study sessions yet.
95 Terms
What size is an IPv4 address
32 bits
How are IPv4 addresses written
Four decimal octets
Why does each IPv4 octet range from 0 to 255
Because 8 bits allow 256 values
What were IPv4 network classes used for
Dividing networks into default sizes
What is subnetting used for
Splitting a large network into smaller ones
What does CIDR replace
Replaces the old class system.
What does CIDR stand for?
Classless Inter-Domain Routing
What does the /24 in 192.168.1.0/24 mean
Network uses a 24 bit prefix to show network size in CIDR
How big is an IPv6 address
128 bits
Why was IPv6 created
IPv4 ran out of addresses
What number system does IPv6 use
Hexadecimal
What security feature is built into IPv6
IPsec support
List the OSI model layers in order
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
What does OSI stand for?
Open Systems Interconnection
What is the OSI model used for?
A 7-layer model used to understand how data moves through a network.
What is the job of the application layer?
Where network applications live (e.g., web browsers, email clients).
What protocols are at the Application layer
HTTP
FTP
Telnet
NTP
DHCP
What is the job of the Presentation layer
Data translation (into a format applications can understand) and encryption
What does the Session layer manage
Connections between devices
Manages sessions (connections) between devices.
Keeps track of who is connected to who.
What does the Transport layer do
End to end communication (uses TCP or UDP)
Where do ports live in the OSI model
Transport layer
What is the role of the Network layer
Routing data packets between different networks
(Routing data between networks and IP addressing)
What does the Data Link layer handle
MAC addresses and frames (Ex. Ethernet)
What does the Physical layer send
Electrical or optical signals
List the layers of the TCP/IP Model in order
Application Layer (OSI Layers 5-7)
Transport Layer (OSI Layer 4)
Internet/Network Later (OSI Layer 3)
Network Interface Layer (OSI Layer 1-2)
What does the TCP IP Application layer combine
OSI layers 5 6 and 7
What protocols run in the TCP IP Internet layer
IP ARP ICMP IGMP
What does the Network Interface layer contain
MAC addressing and framing
What type of connection is TCP
Reliable connection based
Why is TCP slower than UDP
It ensures every packet arrives
What is TCP used for
Web browsing, email, file transfer
What type of connection is UDP
Fast and connectionless
What is UDP used for
Gaming streaming voice calls
What does an HTTP GET do
Fetches a web page/resource (read-only).
What does an HTTP POST do
Fetches only the headers (metadata) of a page, not the content.
What does HTTP PUT do
Creates or replaces a resource on the server.
What does HTTP POST do
Adds new data or submits information (often used in forms).
What does HTTP DELETE do
Removes a resource from the server
What is encapsulation
Wrapping one packet inside another packet so it can travel across a network.
Why do network layers encapsulate data
To add routing and control information
What layer does Ethernet operate on
Data Link layer
What fields are needed to send a frame over Ethernet?
Source MAC address → identifies the device sending the frame
Destination MAC address → identifies the device receiving the frame
Type → tells what kind of data is inside (like IP, ARP, etc.)
Payload → the actual data being sent
Checksum (FCS) → used to detect errors in the frame
What does the FCS field do
Checks for errors
What are the key fields of an IP header?
Version → tells which IP version (IPv4 or IPv6)
Source IP address → device sending the packet
Destination IP address → device receiving the packet
Checksum → error checking for the header
What layer is the IP header used in?
Network Layer
What are the key fields of a UDP header?
Source port → sending application’s port
Destination port → receiving application’s port
Length → size of UDP header + payload
Checksum → error checking for UDP packet
What layer is the UDP header used in?
Transport Layer
What are the key fields of a TCP header?
Source port → sending application’s port
Destination port → receiving application’s port
Sequence number → order of data being sent
Acknowledgment number → confirms received data
Flags → control bits for connection (e.g., SYN, ACK, RST)
Length → size of TCP header + payload
Checksum → error checking for TCP segment
What layer is the TCP header used in?
Transport Layer
What does the IP header version field indicate
IPv4 or IPv6
What does the UDP length field contain
Header plus payload size
Why does TCP use sequence numbers
To order data
What is port 20, 21 used for?
File Transfer Protocol (sending & receiving files)
What is port 22 used for
SSH
Secure Shell (secure remote login)
What is port 23 used for
Telnet
Remote login (not secure)
What is port 25 used for
SMTP (Simple Mail Transfer Protocol for sending emails)
What is port 53 used for
Domain Name System (translates website names to IP addresses)
What is port 80 used for
HTTP
Accessing websites (web browsing)
Why is port 407 risky
Used for remote access to computers
Not commonly used for legitimate purposes
Risk: Can be exploited by hackers to gain unauthorized access
What starts a TCP connection
Initiator (client) sends a packet with SYN flag set to request a connection.
Receiver (server) responds with SYN + ACK to acknowledge and agree to the connection.
Initiator sends a final ACK, completing the handshake. (✅ Connection is now established.)
How is a TCP connection closed
Initiator sends a packet with FIN flag set to indicate it wants to close the connection.
Receiver sends an ACK to acknowledge the FIN packet (must have a valid sequence number).
Receiver may also send its own FIN if it’s ready to close the other side.
Initiator sends a final ACK, fully terminating the TCP session.
What does a network sniffer do
Captures and logs packets (network traffic)
What is Wireshark used for
Packet sniffer and network protocol analysis
What does Nmap scan
Scans ports on a target device
Shows which ports are open, closed, or filtered
Helps identify which services are running on open ports
What is Snort
Intrusion detection system
Can detect threats and suspicious activity (log, analyze, alert)
What are the three main packet sections
Header
payload
trailer/footer
What does the header contain in the packet
metadata about the packet (protocol info, source/destination, etc.)
What does the payload contain in the packet
the actual data being sent
What does the trailer/footer contain in the packet
Provides data error checking to ensure correct transmission
What is the goal of a DoS attack
Overwhelm a system so real users can’t access it.
What is a Ping of Death
Sends an oversized ICMP (PING) packet larger than the system can handle.
Causes crashes or freezes.
What is a Ping Flood
Sends huge amounts of ICMP echo requests (PINGs).
What is a Teardrop attack
Send broken IP fragments, causing the system to crash while trying to fix them
What is a SYN flood
Abusing handshake by not sending ACK
Attacker sends many SYN packets but never sends the final ACK.
Server waits forever, keeping resources busy—eventually it can’t accept real users.
What is a Land Attack
Sends a fake TCP SYN where source IP = destination IP and same ports.
Target thinks it's talking to itself and becomes confused or crashes.
What is a Smurf attack
ICMP amplification using broadcast
Uses ICMP echo requests to a broadcast address (many hosts).
Each host replies → creates an amplified traffic jam toward the victim.
What is a Fraggle Attack
Same idea as Smurf attack, but with UDP packets instead of ICMP. It uses UDP echo requests sent to a broadcast address, amplifying the traffic directed at the target.
What is DHCP starvation
Consuming all DHCP IP addresses by flooding the DHCP server with requests for IP addresses, preventing legitimate users from obtaining an IP address.
What is a HTTP POST attack
Sends a legitimate HTTP POST request, but…
Sends the message body extremely slowly.
Server keeps waiting, holding connections open → becomes overloaded.
What is a PDoS
Damages system firmware or hardware → system becomes unusable.
aka phlashing
What is Packet Mistreating
router breaking packets
Happens when a compromised router mishandles packets.
Causes network congestion or routing failures.
Slows down or blocks legitimate traffic → DoS effect.
What is a login DoS
Floods the login system with repeated login attempts.
Can:
Lock out accounts (from too many failed attempts)
Prevent real users from logging in at all
What does a hub do with packets
Sends every packet to all ports (no intelligence)
Can cause traffic flooding)
What does a Network Card (NIC) do
Allows a computer to connect to a network.
Used in Ethernet LANs.
Sends any packet it receives out every port (basic, no filtering).
What does a switch do
Sends packets to the correct MAC
What does a router do
Connects different networks together (e.g., home network ↔ internet).
Makes decisions using IP addresses.
Sends traffic only to the destination network.
Separates broadcast domains.
What is router table poisoning
Attackers send fake routing information to the router.
This creates incorrect entries in the routing table.
Can cause:
Artificial congestion
Router overload
Traffic being redirected to the attacker
Loss of network connectivity
Why must investigators not turn off a router
Volatile logs may be lost
What does show running-config display
Current router settings
What does a packet filter firewall check
Source IP destination IP ports protocol
What advantage does a stateful firewall have
Tracks connection history
What does 802.11x represent
Wi Fi standards
Why is WEP insecure
Weak RC4 encryption easily cracked
What does WPA use for encryption
TKIP per packet keys
Why is WPA3 safer
Requires live interaction for password guesses