
Wireshark Interview Questions and Answers

Written by Venkatesan M | May 25, 2017 5:48:47 AM

Q1. What is Wireshark?

Ans: Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, macOS, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
Wireshark used to be known as Ethereal®. See the next question for details about the name change. If you're still using Ethereal, it is strongly recommended that you upgrade to Wireshark as Ethereal is unsupported and has known security vulnerabilities.

Q2. How would you set up Wireshark to monitor packets passing through an internet router?

Ans: Install Wireshark on a system on the network. On the switch, configure port mirroring so that the port connected to the internet router is mirrored to the port connected to that system. Every packet passing through the switch to or from the router is then copied to the system running Wireshark, which captures it.

Q3. Can Wireshark be set up on a Cisco router?

Ans: Wireshark is an executable that runs on general-purpose operating systems such as Windows and Linux. It cannot be installed on a Cisco router, because the router runs a proprietary operating system on which additional tools or software cannot be installed.

Q4. Is it possible to start Wireshark from the command line on Windows?

Ans: Yes. Run the appropriate executable from the command line; on Windows it is wireshark.exe.

Q5. A user is unable to ping a system on the network. How can Wireshark be used to troubleshoot the problem?

Ans: Ping uses ICMP. Capture on the user's system and check whether the ICMP echo requests are actually leaving it. If they are sent out, check whether the corresponding echo replies are being received; the missing direction tells you where to look next.

Q6. Which Wireshark filter can be used to check all incoming requests to an HTTP web server?

Ans: HTTP web servers listen on TCP port 80 by default, so incoming requests to the web server have destination port 80. The display filter is therefore tcp.dstport==80.

Q7. Which Wireshark filter can be used to monitor outgoing packets from a specific system on the network?

Ans: Outgoing packets carry the IP address of the system as their source address. Assuming the IP address of the system is 192.168.1.2, the filter is ip.src==192.168.1.2.

Q8. What's up with the name change? Is Wireshark a fork?

Ans: In May of 2006, Gerald Combs (the original author of Ethereal) went to work for CACE Technologies (best known for WinPcap). Unfortunately, he had to leave the Ethereal trademarks behind.
This left the project in an awkward position. The only reasonable way to ensure the continued success of the project was to change the name. This is how Wireshark was born.
Wireshark is almost (but not quite) a fork. Normally a "fork" of an open source project results in two names, web sites, development teams, support infrastructures, etc. This is the case with Wireshark except for one notable exception -- every member of the core development team is now working on Wireshark. There has been no active development on Ethereal since the name change. Several parts of the Ethereal web site (such as the mailing lists, source code repository, and build farm) have gone offline.

Q9. What kind of shark is Wireshark?

Ans: Carcharodon photoshopia.

Q10. What do you think of Wireshark?

Ans: It's useful for monitoring network traffic flow and seeing whether any traffic is present at all. Great freeware.

Q11. How to remove Wireshark Antivirus from my computer?

Ans: Restart your computer and boot it in Safe Mode; you should then be able to access your antivirus. If that won't work

Q12. How do I use Wireshark to find a password in my network?

Ans: Wireshark cannot sniff SSL-protected (HTTPS) passwords unless an encryption key is provided. There is a different way to sniff HTTPS data (without providing a key), see here (run Wine for Windows apps). Just a friendly reminder: like any other prank war, think twice before you get in trouble with the law.

Q13. How to capture packets using Wireshark in a switched Ethernet network?

Ans: You can't, because it is a switched network. You can only see your own traffic and broadcast/multicast traffic. Are you aware that in most companies, running a packet capture device when you are not a network admin can get you fired? And that the network admins can see packet capture devices running?

Q14. Does Wireshark work for your computer only?

Ans: I can only answer your question in general terms, since I have not actually used the Wireshark packet sniffer. I have used other packet sniffers.
In general, packet sniffers are only useful for sniffing packets to or from the PC they are installed on. In most modern switched networks, traffic going to or from other PCs in the network is generally not seen by other PCs on the network, thus there is no way for a packet sniffer to detect it. This is because the router and switch on your network will route network traffic directly to the intended devices without broadcasting it to every device on the network.
In order to monitor your brother's PC you would either need a packet sniffer installed on his PC, or you would need a packet sniffer installed on the gateway device, i.e., your router.
Alternatively, you could place your PC and your brother's on a hub, not a switch. A hub is "dumber" than a switch in that it repeats all traffic on all ports. However, this is not ideal because of speed and network collision issues.

Q15. Why does Wireshark not detect my wireless cards?

Ans: One of the worst Achilles' heels of many Linux distros is that they don't recognize WiFi devices and therefore do NOT load the device drivers, and Wireshark won't work without the drivers. So, find a Linux distro that does recognize your WiFi devices.

Q16. How do you determine how many wireless data frames are in a Wireshark capture?

Ans: Each line should be one frame.
Are you looking for how to find the number of specifically wireless frames as opposed to the total number of frames?

Q17. How do I modify Wireshark packets on the fly?

Ans: Wireshark is a packet capture & inspection program, not a packet injection program. What you're asking about appears to be a man-in-the-middle attack so I'm not going to assist you in that.

Q18. Why don't the packets I'm capturing have VLAN tags?

Ans: You might be capturing on what might be called a "VLAN interface". The way a particular OS makes VLANs plug into the networking stack might, for example, be to have a network device object for the physical interface, which takes VLAN packets, strips off the VLAN header and constructs an Ethernet header, and passes that packet to an internal network device object for the VLAN, which then passes the packets on to various higher-level protocol implementations.

In order to see the raw Ethernet packets, rather than "de-VLANized" packets, you would have to capture not on the virtual interface for the VLAN, but on the interface corresponding to the physical network device, if possible.

Q19. How can I capture packets with CRC errors?

Ans: Wireshark can capture only the packets that the packet capture library - libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows - can capture, and libpcap/WinPcap can capture only the packets that the OS's raw packet capture mechanism (or the WinPcap driver, and the underlying OS networking code and network interface drivers, on Windows) will allow it to capture.

Unless the OS always supplies packets with errors such as invalid CRCs to the raw packet capture mechanism, or can be configured to do so, Wireshark - and other programs that capture raw packets, such as tcpdump - cannot capture those packets. You will have to determine whether your OS needs to be so configured and, if so, whether it can be; configure it if necessary and possible; and make whatever changes to libpcap and the packet capture program you're using are necessary, if any, to support capturing those packets.

Most OSes probably do not support capturing packets with invalid CRCs on Ethernet, and probably do not support it on most other link-layer types. Some drivers on some OSes do support it, such as some Ethernet drivers on FreeBSD; in those OSes, you might always get those packets, or you might only get them if you capture in promiscuous mode (you'd have to determine which is the case).

Note that libpcap does not currently supply to programs that use it an indication of whether the packet's CRC was invalid (because the drivers themselves do not supply that information to the raw packet capture mechanism); therefore, Wireshark will not indicate which packets had CRC errors unless the FCS was captured (see the next question) and you're using Wireshark 0.9.15 or later, in which case Wireshark will check the CRC itself and indicate whether it's correct or not.
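To make the check described above concrete, here is an added example (not code from this page or from the Wireshark project) that computes and verifies the Ethernet FCS over a constructed frame. It relies on the fact that Python's zlib.crc32 implements the same CRC-32 as IEEE 802.3; the frame contents and the single-bit damage are made up for the demonstration.

```python
import struct
import zlib

def ethernet_fcs(frame_body):
    """IEEE 802.3 FCS over destination, source, type/length and payload.

    zlib.crc32 uses the same CRC-32 polynomial, initial value and final XOR
    as Ethernet; on the wire the 32-bit result is sent least-significant byte first.
    """
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)

def build_frame_with_fcs(dst, src, ethertype, payload):
    """Constructed sample frame with a correct FCS (not taken from a capture)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, 60 - len(body))   # pad to the 60-byte minimum before the FCS
    return body + ethernet_fcs(body)

def fcs_status(frame):
    """Recompute the CRC over everything but the trailing 4 bytes and compare,
    which is what an analyzer can do only when the FCS made it into the capture."""
    if len(frame) < 18:                        # 14-byte header plus 4-byte FCS
        raise ValueError("frame too short to contain an FCS")
    body, fcs = frame[:-4], frame[-4:]
    return "good" if ethernet_fcs(body) == fcs else "bad"

def flip_bit(frame, offset):
    """Damage one bit, as a noisy link would, to show what a CRC error looks like."""
    return frame[:offset] + bytes([frame[offset] ^ 0x01]) + frame[offset + 1:]
```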

Q20. Wireshark error??

Ans: You probably have automake 1.5 installed on your machine (the command automake --version will report the version of automake on your machine). There is a bug in that version of automake that causes this problem; upgrade to a later version of automake (1.6 or later).

Q21. What exactly does Wireshark do?

Ans: It analyses network traffic.

Q22. Wireshark help??

Ans: Examples of Ethernet display filters:

eth.addr==08.00.08.15.ca.fe
  to and from Ethernet MAC address 08:00:08:15:ca:fe

!(eth.addr==08.00.08.15.ca.fe)
  all except to and from Ethernet MAC address 08:00:08:15:ca:fe

eth.dst==ff:ff:ff:ff:ff:ff
  Ethernet broadcast only

eth.dst!=ff:ff:ff:ff:ff:ff
  all except Ethernet broadcast

For q2, filter on either the source/destination IP address or the Ethernet (MAC) address, then reassemble the transactions starting with the earliest HTTP GET and following the packet sequence numbers.

Q23. Can't install Wireshark?

Ans: The program you used to download it may have downloaded it incorrectly; web browsers and download accelerators sometimes do this. Re-download it and check that the file is the right one for your system.