1. What is the primary purpose of packet sniffing?
A) Encrypt network traffic
B) Capture and analyze network packets
C) Block malicious IP addresses
D) Perform network segmentation
Answer: B) Capture and analyze network packets
Explanation: Packet sniffing involves capturing and analyzing packets traveling through a network. It helps in monitoring, troubleshooting, and detecting security threats.
2. Which of the following tools is commonly used for packet sniffing?
A) Nmap
B) Wireshark
C) Metasploit
D) John the Ripper
Answer: B) Wireshark
Explanation: Wireshark is one of the most widely used packet sniffing tools that allows deep packet inspection and network traffic analysis.
3. In which mode does a network interface card (NIC) need to be in to capture all packets on a network segment?
A) Managed mode
B) Monitor mode
C) Secure mode
D) Isolation mode
Answer: B) Monitor mode
Explanation: Monitor mode allows a NIC to capture all packets on a network, rather than just the packets addressed to it. This is essential for wireless sniffing.
4. What is promiscuous mode in packet sniffing?
A) A security feature to block sniffers
B) A mode where a NIC captures only broadcast traffic
C) A mode where a NIC captures all network traffic, even if not addressed to it
D) A mode where only encrypted packets are captured
Answer: C) A mode where a NIC captures all network traffic, even if not addressed to it
Explanation: Promiscuous mode allows a NIC to capture all packets on a wired network, regardless of the destination.
5. Which protocol is most vulnerable to packet sniffing attacks?
A) HTTPS
B) SSH
C) Telnet
D) FTPS
Answer: C) Telnet
Explanation: Telnet transmits data, including login credentials, in plaintext, making it highly vulnerable to sniffing attacks.
6. Which of the following is a common countermeasure against packet sniffing?
A) Using HTTP instead of HTTPS
B) Disabling MAC filtering
C) Enabling encryption protocols like TLS
D) Using open Wi-Fi networks
Answer: C) Enabling encryption protocols like TLS
Explanation: Encryption protocols like TLS/SSL prevent attackers from reading sensitive data, even if packets are intercepted.
7. What type of attack can be performed using packet sniffing?
A) DDoS attack
B) Man-in-the-Middle (MitM) attack
C) Buffer overflow attack
D) SQL injection
Answer: B) Man-in-the-Middle (MitM) attack
Explanation: Packet sniffing can be used in MitM attacks to intercept and modify network communication between two parties.
8. Which network type is most susceptible to packet sniffing?
A) Encrypted wireless networks
B) Wired networks with VLANs
C) Open (unencrypted) Wi-Fi networks
D) Fiber optic networks
Answer: C) Open (unencrypted) Wi-Fi networks
Explanation: Open Wi-Fi networks do not use encryption, making it easy for attackers to capture packets and analyze the traffic.
9. Which protocol helps detect packet sniffing attempts?
A) ARP
B) ICMP
C) IDS/IPS
D) FTP
Answer: C) IDS/IPS
Explanation: Intrusion Detection/Prevention Systems (IDS/IPS) can detect unusual network activity, including packet sniffing attempts.
10. Which command in Linux can be used for basic packet sniffing?
A) ping
B) netstat
C) tcpdump
D) whois
Answer: C) tcpdump
Explanation: tcpdump is a command-line packet analyzer used for capturing and analyzing network traffic in Linux.
11. How does an attacker use ARP poisoning in packet sniffing?
A) By sending fake DNS requests
B) By intercepting HTTP requests
C) By tricking devices into sending traffic through the attacker's machine
D) By encrypting traffic between two devices
Answer: C) By tricking devices into sending traffic through the attacker's machine
Explanation: ARP poisoning involves sending false ARP messages to a network, making devices send their traffic through the attacker's system for sniffing.
12. What is a key limitation of packet sniffing on a switched network?
A) Switches encrypt all traffic
B) Switches limit broadcast traffic
C) Sniffers can only capture multicast traffic
D) Packet sniffing does not work on switched networks
Answer: B) Switches limit broadcast traffic
Explanation: Switches only forward packets to their intended destination, preventing traditional sniffing without additional attacks like ARP poisoning.
13. What does an attacker need to do to sniff traffic on a switched network?
A) Use a router
B) Perform ARP spoofing
C) Enable MAC filtering
D) Use Telnet
Answer: B) Perform ARP spoofing
Explanation: ARP spoofing tricks the switch into forwarding traffic to the attacker, allowing packet sniffing on a switched network.
14. Which tool can be used to detect ARP poisoning attacks?
A) Ettercap
B) Nmap
C) ARPwatch
D) Burp Suite
Answer: C) ARPwatch
Explanation: ARPwatch monitors ARP traffic and detects unusual activity, helping identify ARP poisoning attacks.
15. What is deep packet inspection (DPI)?
A) An advanced packet sniffing technique
B) A method for encrypting network traffic
C) A way to block packet sniffers
D) A tool for creating packet floods
Answer: A) An advanced packet sniffing technique
Explanation: DPI examines packet contents beyond headers, allowing detailed traffic analysis for security and monitoring purposes.
16. Which layer of the OSI model do most packet sniffing tools operate on?
A) Physical Layer
B) Network Layer
C) Transport Layer
D) Data Link Layer
Answer: D) Data Link Layer
Explanation: Most sniffing tools operate at the Data Link Layer, allowing them to capture raw packets before processing.
17. Which protocol is commonly used to send DNS queries?
A) TCP
B) UDP
C) ICMP
D) ARP
Answer: B) UDP
Explanation: DNS queries typically use UDP on port 53 for faster communication.
18. What is a defense against packet sniffing on a corporate network?
A) Using Telnet instead of SSH
B) Disabling encryption
C) Using secure protocols like HTTPS
D) Allowing all devices to use promiscuous mode
Answer: C) Using secure protocols like HTTPS
Explanation: HTTPS encrypts data, preventing packet sniffers from reading sensitive information.
19. How can attackers evade detection while packet sniffing?
A) Using encrypted protocols
B) Spoofing MAC addresses
C) Running IDS
D) Sending ping requests
Answer: B) Spoofing MAC addresses
Explanation: Attackers spoof MAC addresses to disguise their presence while sniffing network traffic.
20. What type of attack exploits a packet sniffer?
A) DNS Tunneling
B) MITM Attack
C) Buffer Overflow
D) SQL Injection
Answer: B) MITM Attack
Explanation: MITM attacks leverage packet sniffers to intercept and manipulate network communication.
21. What is the main difference between passive and active sniffing?
A) Passive sniffing requires ARP poisoning, active sniffing does not
B) Active sniffing does not require any special permissions
C) Passive sniffing captures packets without altering network traffic, whereas active sniffing involves manipulating network traffic
D) Active sniffing is only possible on wireless networks
Answer: C) Passive sniffing captures packets without altering network traffic, whereas active sniffing involves manipulating network traffic
Explanation: Passive sniffing involves capturing packets without interaction (e.g., listening on a hub network), while active sniffing requires methods like ARP poisoning to intercept packets on a switched network.
22. What is a SYN flood attack, and how is packet sniffing used in it?
A) An attack where multiple SYN packets are sent to exhaust server resources, with sniffing used to monitor the impact
B) A method to capture login credentials
C) An attack where ACK packets are injected into a session
D) A form of wireless sniffing
Answer: A) An attack where multiple SYN packets are sent to exhaust server resources, with sniffing used to monitor the impact
Explanation: A SYN flood attack overwhelms a target server with incomplete TCP connection requests, while packet sniffing can help analyze network traffic to detect the attack pattern.
23. What command can be used in Wireshark to filter only HTTP GET requests?
A) http.method == "POST"
B) tcp.port == 443
C) http.request.method == "GET"
D) udp.port == 53
Answer: C) http.request.method == "GET"
Explanation: This filter in Wireshark displays only HTTP GET requests, allowing analysis of website requests sent over unencrypted HTTP.
24. What does a TCP Reset (RST) flag indicate in network traffic?
A) The end of a connection
B) A connection timeout
C) The termination of a TCP session abruptly
D) The start of a new connection
Answer: C) The termination of a TCP session abruptly
Explanation: The RST flag is used to reset a TCP connection immediately, often seen in cases of connection termination or when a packet is sent to a closed port.
25. Which tool is specifically designed for network traffic monitoring and anomaly detection?
A) Ettercap
B) Snort
C) Aircrack-ng
D) John the Ripper
Answer: B) Snort
Explanation: Snort is an open-source Intrusion Detection and Prevention System (IDS/IPS) used for real-time network traffic monitoring and anomaly detection.
26. What is a session hijacking attack, and how can sniffing be involved?
A) Taking control of an active session using sniffed authentication tokens
B) Exploiting a database server
C) Manipulating a DNS server
D) Bypassing firewall restrictions
Answer: A) Taking control of an active session using sniffed authentication tokens
Explanation: Session hijacking involves capturing authentication tokens (like session cookies) using sniffing tools and using them to impersonate a user.
27. Which Wireshark filter can be used to display only DNS queries?
A) dns.query
B) port 80
C) icmp.type == 8
D) arp.request
Answer: A) dns.query
Explanation: This filter allows network analysts to see DNS queries in Wireshark, useful for analyzing potential DNS-based attacks.
28. What technique allows an attacker to listen to VoIP calls using packet sniffing?
A) SYN flooding
B) RTP stream analysis
C) SQL injection
D) ICMP tunneling
Answer: B) RTP stream analysis
Explanation: Voice over IP (VoIP) calls use RTP (Real-time Transport Protocol), and sniffing tools can reconstruct voice conversations by capturing RTP packets.
29. What is an effective countermeasure against ARP poisoning attacks?
A) Using a VPN
B) Implementing static ARP entries
C) Using weak encryption
D) Switching to Telnet
Answer: B) Implementing static ARP entries
Explanation: Static ARP entries prevent ARP poisoning attacks by binding IP-MAC address mappings permanently.
30. What protocol is commonly used to securely transfer files and protect against packet sniffing?
A) FTP
B) TFTP
C) SCP
D) Telnet
Answer: C) SCP
Explanation: SCP (Secure Copy Protocol) uses SSH encryption to securely transfer files, preventing exposure to packet sniffers.
31. What is the function of the ICMP protocol in packet sniffing?
A) It encrypts network traffic
B) It is used to send error messages and operational information
C) It prevents unauthorized access
D) It is only used in encrypted networks
Answer: B) It is used to send error messages and operational information
Explanation: ICMP is used for diagnostics (e.g., ping commands) and can be analyzed with sniffing tools for network troubleshooting.
32. What tool is commonly used for wireless packet sniffing?
A) Wireshark
B) Aircrack-ng
C) Netcat
D) Dirb
Answer: B) Aircrack-ng
Explanation: Aircrack-ng is used for monitoring, attacking, and cracking wireless networks by capturing and analyzing packets.
33. Which type of attack uses packet sniffing to steal login credentials?
A) Phishing
B) Keylogging
C) Credential harvesting
D) ARP spoofing
Answer: C) Credential harvesting
Explanation: Credential harvesting involves capturing usernames and passwords sent over unencrypted connections using sniffing tools.
34. What does the term “packet injection” refer to?
A) Dropping packets in transit
B) Intentionally sending forged packets into a network
C) Encrypting network traffic
D) Increasing network speed
Answer: B) Intentionally sending forged packets into a network
Explanation: Packet injection is used in various attacks, such as de-authentication attacks in Wi-Fi networks.
35. How does SSL/TLS encryption help prevent packet sniffing?
A) By blocking unauthorized users from sending packets
B) By making packet headers unreadable
C) By encrypting the packet contents so that intercepted data is unreadable
D) By preventing ARP poisoning
Answer: C) By encrypting the packet contents so that intercepted data is unreadable
Explanation: SSL/TLS encrypts transmitted data, making it unreadable even if packets are intercepted by sniffers.
36. What can be inferred from a sudden increase in ARP requests?
A) A network is experiencing high traffic
B) An ARP spoofing attack may be in progress
C) A firewall rule has been misconfigured
D) The DHCP server is overloaded
Answer: B) An ARP spoofing attack may be in progress
Explanation: A sudden rise in ARP requests often indicates an attacker attempting to manipulate ARP tables.
37. What is the primary purpose of iptables in Linux?
A) Sniff packets
B) Encrypt data
C) Filter and control network traffic
D) Crack Wi-Fi passwords
Answer: C) Filter and control network traffic
Explanation: iptables is used for configuring firewall rules and controlling packet flow in Linux.
38. What type of attack can be detected by analyzing DNS traffic with a packet sniffer?
A) SQL Injection
B) DNS Tunneling
C) Clickjacking
D) Buffer Overflow
Answer: B) DNS Tunneling
Explanation: DNS tunneling is an attack that uses DNS queries to transfer data covertly. Packet sniffers can detect unusual patterns in DNS traffic.
39. Which protocol encrypts traffic and prevents packet sniffing on web applications?
A) HTTP
B) SSL/TLS
C) ARP
D) FTP
Answer: B) SSL/TLS
Explanation: SSL/TLS encrypts web traffic, making it unreadable to packet sniffers even if the packets are captured.
40. What is the primary function of NetFlow in network analysis?
A) Encrypting traffic
B) Capturing full packet payloads
C) Collecting metadata about network flows
D) Preventing packet sniffing
Answer: C) Collecting metadata about network flows
Explanation: NetFlow collects flow data such as source/destination IPs, port numbers, and protocol types, useful for network traffic analysis and anomaly detection.
41. Which type of sniffing technique is commonly used in wireless networks?
A) Passive sniffing
B) Active sniffing
C) VLAN hopping
D) SYN flooding
Answer: A) Passive sniffing
Explanation: In wireless networks, passive sniffing is used to capture packets without interfering with the network, often with tools like Wireshark or Aircrack-ng.
42. What is the purpose of an Intrusion Detection System (IDS) in packet analysis?
A) To encrypt packets
B) To detect suspicious network traffic
C) To block all incoming packets
D) To monitor CPU usage
Answer: B) To detect suspicious network traffic
Explanation: An IDS analyzes network traffic and alerts administrators to potential security threats based on predefined signatures or anomaly detection techniques.
43. What is one of the biggest challenges when analyzing encrypted network traffic?
A) The inability to see payload content
B) The requirement for a VPN
C) Increased latency
D) Higher CPU usage
Answer: A) The inability to see payload content
Explanation: Encrypted traffic prevents analysts from viewing payload data, requiring techniques like SSL decryption for deeper inspection.
44. How can network administrators monitor encrypted traffic without decrypting it?
A) By using Telnet
B) By analyzing metadata such as IPs, ports, and packet sizes
C) By injecting a backdoor
D) By disabling TLS
Answer: B) By analyzing metadata such as IPs, ports, and packet sizes
Explanation: Even when traffic is encrypted, metadata like source/destination, port numbers, and traffic patterns can provide insights into suspicious activity.
45. What kind of attack is identified by a sudden increase in SYN packets without corresponding ACK responses?
A) DNS spoofing
B) SYN flood attack
C) Man-in-the-Middle attack
D) SQL injection
Answer: B) SYN flood attack
Explanation: A SYN flood attack sends numerous TCP SYN requests without completing the handshake, causing resource exhaustion on the target.
46. What tool is used to reconstruct TCP streams in Wireshark?
A) Netcat
B) Follow TCP Stream
C) Hashcat
D) ARPwatch
Answer: B) Follow TCP Stream
Explanation: Wireshark's "Follow TCP Stream" feature reconstructs conversations between clients and servers by reassembling packets in order.
47. What type of network device is least susceptible to packet sniffing attacks?
A) Hub
B) Switch
C) Router
D) Repeater
Answer: B) Switch
Explanation: Unlike hubs, which broadcast traffic to all connected devices, switches send packets only to the intended recipient, reducing exposure to sniffing.
48. Which protocol uses TCP port 22 and prevents packet sniffing?
A) Telnet
B) SSH
C) HTTP
D) TFTP
Answer: B) SSH
Explanation: SSH encrypts all transmitted data, preventing eavesdropping by packet sniffers.
49. What is a common characteristic of packets captured from an ARP spoofing attack?
A) Repeated ARP responses with different MAC addresses
B) High UDP packet volume
C) A large number of ICMP packets
D) Packets containing SQL injection attempts
Answer: A) Repeated ARP responses with different MAC addresses
Explanation: In ARP spoofing, attackers send fake ARP responses to redirect traffic through their machine.
50. What is a “PCAP” file in network analysis?
A) A compressed file format for storing network traffic
B) A format used for storing and analyzing captured packets
C) A virus-infected file
D) A protocol for encrypting data
Answer: B) A format used for storing and analyzing captured packets
Explanation: PCAP (Packet Capture) files store network traffic and are used in tools like Wireshark and tcpdump for analysis.
51. What technique is used to analyze real-time network traffic instead of capturing it for later analysis?
A) Passive analysis
B) Inline traffic monitoring
C) Traffic encryption
D) ICMP sniffing
Answer: B) Inline traffic monitoring
Explanation: Inline traffic monitoring allows real-time analysis of packets as they pass through a network, often using IDS/IPS solutions.
52. How does port mirroring assist in packet sniffing on a switched network?
A) It blocks unwanted traffic
B) It allows a designated port to receive copies of packets from other ports
C) It encrypts network traffic
D) It prevents sniffing attacks
Answer: B) It allows a designated port to receive copies of packets from other ports
Explanation: Port mirroring (or SPAN) duplicates traffic from selected switch ports to another port for analysis.
53. What protocol is often exploited in packet sniffing to capture login credentials?
A) DNS
B) FTP
C) HTTPS
D) SNMPv3
Answer: B) FTP
Explanation: FTP transmits credentials in plaintext, making them vulnerable to interception.
54. What method can be used to detect packet sniffing tools running on a local network?
A) Sending ICMP packets
B) Using anti-sniffing tools like ARPwatch
C) Blocking all UDP traffic
D) Running a SYN flood attack
Answer: B) Using anti-sniffing tools like ARPwatch
Explanation: ARPwatch and similar tools detect suspicious ARP activity, which is a sign of potential sniffing.
55. What does a high number of fragmented IP packets in a network trace indicate?
A) A network under normal load
B) Potential evasion techniques by an attacker
C) The presence of an HTTP request
D) A DNS query
Answer: B) Potential evasion techniques by an attacker
Explanation: Attackers often fragment packets to evade detection by firewalls and IDS solutions.
56. What is the primary difference between tcpdump and Wireshark?
A) Wireshark is command-line only, while tcpdump has a GUI
B) tcpdump captures packets, while Wireshark provides an advanced GUI for analysis
C) Wireshark only supports wireless networks
D) tcpdump cannot filter packets
Answer: B) tcpdump captures packets, while Wireshark provides an advanced GUI for analysis
Explanation: tcpdump is a command-line tool for capturing packets, while Wireshark offers an advanced GUI for deep packet inspection.
57. What type of attack can be detected by analyzing unexpected ICMP packets?
A) MITM Attack
B) ICMP Tunneling
C) SQL Injection
D) Clickjacking
Answer: B) ICMP Tunneling
Explanation: ICMP tunneling allows attackers to exfiltrate data by embedding it in ICMP Echo (ping) packets, which can be detected via packet sniffing.
58. What does a high number of retransmitted TCP packets indicate?
A) A healthy network
B) Packet loss or network congestion
C) An increase in ARP poisoning attacks
D) A failed SYN flood attack
Answer: B) Packet loss or network congestion
Explanation: Retransmissions occur when packets are lost or delayed, often due to network congestion, poor routing, or interference.
59. How does SSL stripping work in packet sniffing?
A) It forces HTTPS traffic to downgrade to HTTP, exposing plaintext packets
B) It encrypts packets to prevent sniffing
C) It blocks packet captures by firewalls
D) It only works on FTP traffic
Answer: A) It forces HTTPS traffic to downgrade to HTTP, exposing plaintext packets
Explanation: SSL stripping attacks downgrade encrypted HTTPS connections to HTTP, allowing attackers to capture sensitive data in plaintext.
60. What is a common indicator of an active packet sniffer on a network?
A) A sudden increase in ARP requests
B) An increase in SSH traffic
C) A high number of ICMP replies
D) A spike in legitimate HTTP traffic
Answer: A) A sudden increase in ARP requests
Explanation: ARP requests are often used in ARP poisoning to redirect traffic, a common method for active sniffing on switched networks.
61. What is the primary goal of using a VPN in relation to packet sniffing?
A) To increase download speeds
B) To encrypt network traffic and prevent packet sniffers from reading data
C) To monitor open ports on a network
D) To disable packet filtering
Answer: B) To encrypt network traffic and prevent packet sniffers from reading data
Explanation: VPNs encrypt traffic, making it unreadable even if a packet sniffer captures the data.
62. What tool can be used to detect promiscuous mode sniffing on a network?
A) ARPwatch
B) Netcat
C) Nmap
D) TCP Wrappers
Answer: A) ARPwatch
Explanation: ARPwatch monitors ARP traffic and can help detect suspicious activity, including sniffers operating in promiscuous mode.
63. What does it mean if a TCP packet has the PUSH (PSH) flag set?
A) The packet is dropped by the firewall
B) The packet should be delivered immediately without waiting for more data
C) The connection is being reset
D) The connection is in an idle state
Answer: B) The packet should be delivered immediately without waiting for more data
Explanation: The PSH flag tells the receiver to process the packet immediately rather than buffering it.
64. Why is capturing packets on a VLAN more difficult than on a hub-based network?
A) VLANs encrypt traffic
B) VLANs do not allow packet forwarding
C) Switches only forward packets to the intended recipient
D) VLANs use non-IP-based communication
Answer: C) Switches only forward packets to the intended recipient
Explanation: Unlike hubs, switches isolate traffic to specific devices, preventing sniffers from capturing traffic unless port mirroring or ARP poisoning is used.
65. What type of packet is often used in a deauthentication attack on Wi-Fi networks?
A) TCP SYN
B) ICMP Echo Request
C) 802.11 Deauthentication Frame
D) UDP Broadcast
Answer: C) 802.11 Deauthentication Frame
Explanation: Deauthentication frames are used to force Wi-Fi clients to disconnect, often as part of attacks like Wi-Fi sniffing and cracking.
66. What tool is specifically designed for analyzing NetFlow traffic?
A) Wireshark
B) tcpdump
C) nfdump
D) John the Ripper
Answer: C) nfdump
Explanation: nfdump is a tool used for analyzing NetFlow data, which provides insights into network traffic patterns.
67. What kind of encryption does WPA3 use to prevent packet sniffing?
A) WEP
B) TKIP
C) AES-GCM with SAE (Simultaneous Authentication of Equals)
D) MD5 Hashing
Answer: C) AES-GCM with SAE (Simultaneous Authentication of Equals)
Explanation: WPA3 uses AES-GCM and SAE for strong encryption and resistance against sniffing-based attacks like KRACK.
68. How does NetFlow differ from full packet capture?
A) NetFlow only captures metadata, while full packet capture records complete packet contents
B) NetFlow encrypts captured packets
C) NetFlow blocks unauthorized access
D) NetFlow is only used in wireless networks
Answer: A) NetFlow only captures metadata, while full packet capture records complete packet contents
Explanation: NetFlow captures traffic metadata (source/destination, ports, timestamps), while full packet capture records all packet details.
69. What is a common use of an IDS in packet analysis?
A) Encrypting network packets
B) Detecting suspicious network traffic patterns
C) Blocking all outgoing traffic
D) Injecting packets into a network
Answer: B) Detecting suspicious network traffic patterns
Explanation: An Intrusion Detection System (IDS) analyzes packets for suspicious patterns that may indicate cyber attacks.
70. How can attackers evade IDS detection while sniffing packets?
A) Encrypting their packets
B) Using fragmented packets
C) Blocking UDP traffic
D) Sending ICMP requests
Answer: B) Using fragmented packets
Explanation: Packet fragmentation helps attackers evade IDS systems by breaking malicious payloads into smaller, less suspicious-looking packets.
71. What is a potential risk of enabling port mirroring on a switch?
A) It slows down network traffic
B) It allows sniffers to capture all mirrored traffic
C) It disables VLANs
D) It encrypts traffic automatically
Answer: B) It allows sniffers to capture all mirrored traffic
Explanation: Port mirroring duplicates traffic to a monitoring port, which can be exploited if an unauthorized device gains access.
71. What happens if a packet sniffer is placed on a network segment behind a Network Address Translation (NAT) device?
A) It captures all packets on the Internet
B) It can only capture packets that have already been translated
C) It can decrypt encrypted traffic
D) It stops working entirely
Answer: B) It can only capture packets that have already been translated
Explanation: NAT modifies packet headers, so a sniffer behind a NAT device will only see internal network traffic with translated IP addresses.
72. Which of the following can be used to inject packets into an active session?
A) tcpdump
B) Scapy
C) Wireshark
D) ARPwatch
Answer: B) Scapy
Explanation: Scapy is a powerful Python library for crafting and injecting packets into a network for testing and exploitation.
73. What is one sign of an attacker performing passive sniffing on a network?
A) High CPU usage
B) Sudden network slowdowns
C) No direct indication, as passive sniffing does not interfere with traffic
D) Increased failed login attempts
Answer: C) No direct indication, as passive sniffing does not interfere with traffic
Explanation: Passive sniffing is stealthy because it only listens to traffic without sending or modifying packets.
74. In Wireshark, what filter can be used to capture only packets related to SSH traffic?
A) port 22
B) tcp.port == 443
C) ssh.traffic
D) udp.port == 22
Answer: A) port 22
Explanation: SSH operates on TCP port 22, and filtering by this port captures all SSH-related traffic.
75. What is the primary advantage of using encrypted DNS (DNS over HTTPS/DoH)?
A) It blocks all malicious websites
B) It prevents ISPs and sniffers from viewing DNS queries
C) It increases internet speed
D) It replaces SSL/TLS encryption
Answer: B) It prevents ISPs and sniffers from viewing DNS queries
Explanation: DNS over HTTPS (DoH) encrypts DNS queries, preventing sniffers from intercepting domain lookup requests.
76. What type of network attack can be detected by monitoring unusually high volumes of DNS queries?
A) Clickjacking
B) DNS Tunneling
C) SQL Injection
D) Cross-Site Scripting
Answer: B) DNS Tunneling
Explanation: DNS tunneling exfiltrates data by encoding it in DNS requests, often generating a large number of unusual queries.
77. What does the FIN flag in a TCP packet indicate?
A) Start of a new connection
B) End of a TCP connection
C) A request for retransmission
D) A rejected connection
Answer: B) End of a TCP connection
Explanation: The FIN (Finish) flag signals graceful termination of a TCP session.
78. How does MAC address filtering help mitigate packet sniffing?
A) It blocks specific IP addresses from accessing the network
B) It encrypts all network traffic
C) It restricts network access to known MAC addresses
D) It tunnels traffic through a proxy
Answer: C) It restricts network access to known MAC addresses
Explanation: MAC address filtering limits network access to trusted devices, preventing unauthorized sniffers from easily joining the network.
79. What command in Linux allows real-time monitoring of active network connections?
A) whois
B) netstat -an
C) grep -i network
D) dig -t A
Answer: B) netstat -an
Explanation: netstat -an lists active network connections, including open ports, protocols, and remote IPs.
80. What is one way to detect if someone is sniffing Wi-Fi traffic on a network?
A) Checking for high CPU usage
B) Monitoring for devices in monitor mode
C) Checking for new domain registrations
D) Performing a SYN flood test
Answer: B) Monitoring for devices in monitor mode
Explanation: Wireless sniffers often operate in monitor mode, which can be detected using tools like Airodump-ng.
81. What is a common packet sniffing tool used in forensic investigations?
A) Nmap
B) Wireshark
C) John the Ripper
D) Metasploit
Answer: B) Wireshark
Explanation: Wireshark is a key tool for forensic network analysis, used to reconstruct traffic flows and detect suspicious activity.
82. What is a honeypot in the context of network security?
A) A method of encrypting packets
B) A trap set to detect unauthorized network activity
C) A tool used to inject packets into a network
D) A way to filter legitimate traffic
Answer: B) A trap set to detect unauthorized network activity
Explanation: Honeypots are fake systems designed to attract and detect attackers attempting to sniff or manipulate traffic.
83. Which of the following is a common countermeasure against session hijacking?
A) Using Telnet instead of SSH
B) Implementing HSTS (HTTP Strict Transport Security)
C) Using weak encryption algorithms
D) Enabling MAC address filtering
Answer: B) Implementing HSTS (HTTP Strict Transport Security)
Explanation: HSTS enforces secure HTTPS connections, preventing session hijacking via cookie theft.
84. What type of attack attempts to overload a packet sniffer with excessive data?
A) Smurf Attack
B) Flooding Attack
C) SQL Injection
D) Clickjacking
Answer: B) Flooding Attack
Explanation: Attackers overload packet sniffers by sending huge volumes of traffic, making meaningful analysis difficult.
85. What is a key limitation of Wireshark when used in packet sniffing?
A) It cannot capture packets from remote machines
B) It only captures ICMP traffic
C) It cannot filter traffic
D) It does not support encryption
Answer: A) It cannot capture packets from remote machines
Explanation: Wireshark only captures packets on local interfaces, unless used with remote capture tools.
86. What is a key benefit of using TLS 1.3 over previous versions?
A) Faster handshakes and stronger encryption
B) Increased reliance on plaintext communication
C) Supports legacy encryption methods
D) Uses 64-bit encryption
Answer: A) Faster handshakes and stronger encryption
Explanation: TLS 1.3 removes weak encryption, enhances security, and reduces handshake overhead.
87. What is an effective way to prevent Man-in-the-Middle (MITM) attacks involving packet sniffing?
A) Using ARP spoofing
B) Disabling firewalls
C) Enforcing mutual TLS authentication
D) Using open Wi-Fi networks
Answer: C) Enforcing mutual TLS authentication
Explanation: Mutual TLS requires both client and server to present certificates that the other side validates, so an interceptor cannot impersonate either end; a sniffer on the path sees only ciphertext.
88. What role do decapsulation techniques play in network analysis?
A) Removing encryption from packets
B) Extracting payloads from encapsulated network packets
C) Increasing packet transmission speed
D) Redirecting network traffic
Answer: B) Extracting payloads from encapsulated network packets
Explanation: Decapsulation strips the outer headers of tunneling protocols such as GRE, VXLAN or a VPN transport to reach the inner packet. It does not remove encryption: an encrypted tunnel still yields only ciphertext.
91. What type of attack allows an attacker to intercept VoIP communications using packet sniffing?
A) SQL Injection
B) SIP Spoofing
C) RTP Sniffing
D) DNS Poisoning
Answer: C) RTP Sniffing
Explanation: Real-time Transport Protocol (RTP) carries the audio of VoIP calls. If the streams are not protected with SRTP, a sniffer can capture the RTP packets and replay the conversation (Wireshark's RTP player does exactly this).
92. What protocol is primarily used for sending and receiving emails and can be vulnerable to sniffing attacks if unencrypted?
A) FTP
B) IMAP
C) HTTPS
D) SSH
Answer: B) IMAP
Explanation: IMAP (Internet Message Access Protocol) retrieves mail from a server. Over plain port 143 without STARTTLS, logins and messages are readable by a sniffer; IMAPS on port 993 or STARTTLS closes the gap.
93. What is a critical weakness of WEP encryption that makes Wi-Fi sniffing easier?
A) It uses 256-bit encryption
B) It reuses IVs (Initialization Vectors)
C) It is protected against brute-force attacks
D) It requires complex hardware to crack
Answer: B) It reuses IVs (Initialization Vectors)
Explanation: WEP uses RC4 with a 24-bit IV prepended to the shared key. The IV space is exhausted quickly on a busy network, IVs repeat, keystreams are reused, and tools such as aircrack-ng recover the key statistically from a few tens of thousands of captured packets.
94. What is a sign that an attacker may be conducting SSL stripping on a network?
A) Users are redirected from HTTPS to HTTP
B) Increased ARP traffic
C) More TCP RST packets than usual
D) Higher number of ICMP replies
Answer: A) Users are redirected from HTTPS to HTTP
Explanation: SSL stripping is an active MITM that rewrites HTTPS links and redirects to plain HTTP, so the victim's traffic, including credentials and cookies, travels in cleartext where it can be sniffed.
95. What method can be used to inject false DNS responses in a sniffing attack?
A) TCP Reset Attack
B) DNS Spoofing
C) Clickjacking
D) SYN Flood
Answer: B) DNS Spoofing
Explanation: DNS spoofing answers a sniffed DNS query with a forged response that arrives before the real one, sending the victim to an attacker-controlled host.
96. What role does GRE tunneling play in network packet analysis?
A) It encrypts all packets
B) It encapsulates packets, making them harder to analyze
C) It speeds up network transmission
D) It prevents packet fragmentation
Answer: B) It encapsulates packets, making them harder to analyze
Explanation: Generic Routing Encapsulation (GRE) wraps a packet inside a new IP header. This hides the inner packet only from tools that do not understand the tunnel; GRE adds no encryption, and Wireshark dissects the inner packet transparently.
97. How can packet sniffing be used to detect malicious traffic on a network?
A) By analyzing packet headers and payloads for anomalies
B) By disabling SSL/TLS
C) By sending ICMP echo requests
D) By increasing the TTL (Time To Live) value of packets
Answer: A) By analyzing packet headers and payloads for anomalies
Explanation: Packet sniffers like Wireshark help identify malicious payloads, unusual traffic patterns, and unauthorized data transfers.
98. What is a key feature of NetFlow that makes it useful in packet sniffing analysis?
A) It captures full packet contents
B) It provides metadata about network traffic
C) It encrypts packets
D) It replaces traditional firewalls
Answer: B) It provides metadata about network traffic
Explanation: NetFlow (and its IETF successor IPFIX) exports per-flow records (addresses, ports, protocol, byte and packet counts, timestamps) rather than payloads, which is enough for anomaly detection and forensics at far lower storage cost than full capture.
99. What is the primary security risk associated with FTP that makes it vulnerable to packet sniffing?
A) It uses weak encryption
B) It transmits data, including credentials, in plaintext
C) It only supports IPv4
D) It relies on broadcast packets
Answer: B) It transmits data, including credentials, in plaintext
Explanation: FTP sends usernames, passwords and file contents in plaintext, so both credentials and data are exposed to a sniffer. SFTP (over SSH) or FTPS (FTP over TLS) should be used instead.
100. How does port security help mitigate packet sniffing attacks?
A) It disables all ports except HTTPS
B) It encrypts network traffic
C) It limits the number of MAC addresses allowed on a switch port
D) It redirects traffic to a honeypot
Answer: C) It limits the number of MAC addresses allowed on a switch port
Explanation: Port security caps the MAC addresses a switch port will learn, which defeats MAC flooding: without it, an attacker can overflow the switch's CAM table and make it flood unicast frames out every port like a hub, exposing them to a sniffer.
101. How can an IDS (Intrusion Detection System) detect packet sniffing attempts?
A) By blocking all ICMP packets
B) By detecting excessive ARP requests or promiscuous mode activity
C) By disabling firewalls
D) By filtering HTTPS traffic
Answer: B) By detecting excessive ARP requests or promiscuous mode activity
Explanation: An IDS cannot see a NIC's promiscuous flag directly, but it can spot the side effects: ARP replies that change an IP-to-MAC binding, gratuitous or excessive ARP, and MAC-to-IP inconsistencies (Snort's arpspoof preprocessor does this). Detecting promiscuous mode itself relies on probe tricks such as ARP requests sent to a bogus MAC.
102. What security feature in modern browsers helps mitigate packet sniffing attacks?
A) Incognito mode
B) HTTP Strict Transport Security (HSTS)
C) Disabling JavaScript
D) Lowering CPU usage
Answer: B) HTTP Strict Transport Security (HSTS)
Explanation: HSTS forces browsers to always use HTTPS, preventing SSL stripping and the packet sniffing it enables.
103. What kind of attack involves capturing and replaying authentication packets?
A) Clickjacking
B) Replay Attack
C) DNS Cache Poisoning
D) ICMP Flood
Answer: B) Replay Attack
Explanation: In a replay attack, captured authentication packets (hashes, tokens or whole exchanges) are re-sent to authenticate as the original user; nonces, timestamps and per-session keys are the standard defenses.
104. How does encrypted email (PGP) protect against sniffing?
A) It prevents email delivery over untrusted networks
B) It encrypts the email content before transmission
C) It blocks unauthorized IP addresses
D) It forces emails to be sent only via HTTPS
Answer: B) It encrypts the email content before transmission
Explanation: PGP (Pretty Good Privacy) encrypts the message body end to end, so even if the SMTP or IMAP session is sniffed, the content is unreadable. Headers such as sender, recipient and subject remain visible.
105. What does a sudden increase in small-sized TCP packets indicate in network traffic analysis?
A) A normal internet connection
B) Potential data exfiltration or beaconing from malware
C) A reduction in bandwidth usage
D) A SYN flood attack
Answer: B) Potential data exfiltration or beaconing from malware
Explanation: Small TCP packets are not suspicious on their own (ACKs and interactive sessions produce many), but a sustained stream of small packets to an external host, especially at regular intervals, is characteristic of malware beaconing to command-and-control (C2) or of slow data exfiltration.
106. What does the URG flag in a TCP packet signify?
A) The packet is urgent and should be processed immediately
B) The packet is part of a SYN flood attack
C) The packet contains encryption keys
D) The packet should be ignored by the receiver
Answer: A) The packet is urgent and should be processed immediately
Explanation: URG marks the segment's Urgent Pointer field as valid, telling the receiver that urgent data precedes that offset. Real applications rarely use it, so segments with odd flag combinations such as FIN+PSH+URG (an Nmap Xmas scan) stand out in a capture.
107. What is the purpose of an SSL proxy in network traffic analysis?
A) To generate fake SSL certificates
B) To bypass firewall rules
C) To inspect encrypted traffic by intercepting and decrypting SSL/TLS connections
D) To block all HTTPS requests
Answer: C) To inspect encrypted traffic by intercepting and decrypting SSL/TLS connections
Explanation: An SSL/TLS inspection proxy terminates the client's TLS session with a certificate it issues, inspects the plaintext, then opens its own TLS session to the server. It only works where the clients trust the proxy's signing CA; otherwise they see certificate errors, which is exactly how an unauthorized MITM looks.
108. What is the significance of the “Don’t Fragment (DF)” flag in an IP packet?
A) It instructs routers not to fragment the packet
B) It encrypts the packet automatically
C) It marks the packet for higher priority routing
D) It forces the receiver to drop the packet
Answer: A) It instructs routers not to fragment the packet
Explanation: With DF set, a router that cannot forward the packet without fragmenting it drops it and returns an ICMP Fragmentation Needed message; path MTU discovery relies on this. Fragmentation-related tricks are also used to evade IDS inspection.
109. Which protocol is most commonly used for remote packet capture?
A) FTP
B) Remote Desktop Protocol (RDP)
C) SSH with tcpdump
D) ICMP
Answer: C) SSH with tcpdump
Explanation: Running tcpdump on the remote host over SSH and streaming its output back (for example into Wireshark on the analyst's machine) captures remote traffic without exposing the capture to sniffing, since the SSH session is encrypted.
110. What is the primary risk of using a shared network in a public Wi-Fi environment?
A) Reduced internet speed
B) Packet sniffing and session hijacking attacks
C) Increased bandwidth usage
D) Higher data encryption
Answer: B) Packet sniffing and session hijacking attacks
Explanation: Unencrypted public Wi-Fi is vulnerable to sniffing attacks, where attackers capture and analyze network traffic.
111. What is the primary use of the iptables command in Linux for security?
A) To capture packets
B) To configure firewall rules for filtering network traffic
C) To send ICMP packets
D) To perform DNS lookups
Answer: B) To configure firewall rules for filtering network traffic
Explanation: iptables is the classic Linux front end to the netfilter firewall; it filters packets on the INPUT, OUTPUT and FORWARD chains and can also NAT and log them. Its successor, nftables, drives the same kernel framework.
112. What is the impact of using GRE tunnels on packet sniffing?
A) It encrypts network traffic
B) It makes packet sniffing harder by encapsulating traffic
C) It prevents all forms of attacks
D) It converts TCP packets into UDP
Answer: B) It makes packet sniffing harder by encapsulating traffic
Explanation: GRE (Generic Routing Encapsulation) wraps the original packet inside a new IP header, so a sniffer on the transit path sees the tunnel endpoints rather than the inner addresses. It adds no confidentiality: any analyzer that dissects GRE (Wireshark does) reads the inner packet, and only GRE over IPsec hides it.
113. What type of attack involves inserting a malicious payload into legitimate packets?
A) Packet injection attack
B) DNS Cache Poisoning
C) MAC Flooding
D) SYN Flood
Answer: A) Packet injection attack
Explanation: Packet injection manipulates legitimate network traffic by injecting crafted malicious packets into an active session.
114. Which of the following techniques helps identify if an attacker is sniffing packets on a LAN?
A) Sending fake ARP responses and checking responses
B) Blocking all UDP traffic
C) Disabling ICMP
D) Changing MAC addresses frequently
Answer: A) Sending fake ARP responses and checking responses
Explanation: A NIC in normal mode drops frames addressed to another MAC in hardware. An ARP request for the suspect's IP sent to a bogus destination MAC (not broadcast, not its own) should therefore be ignored, yet a host in promiscuous mode receives it and its IP stack answers, revealing the sniffer.
115. What is a key feature of Wireshark that helps analyze encrypted TLS traffic?
A) It automatically decrypts TLS without keys
B) It supports importing private keys for decryption
C) It captures only unencrypted traffic
D) It injects traffic into TLS sessions
Answer: B) It supports importing private keys for decryption
Explanation: Wireshark can decrypt TLS given the server's RSA private key, but only for sessions negotiated with RSA key exchange; (EC)DHE suites and all of TLS 1.3 use ephemeral keys, for which the private key is useless. The practical route is a key log file (SSLKEYLOGFILE, supported by browsers, curl and OpenSSL-based clients) containing the per-session secrets.
116. How can attackers use packet sniffing to perform replay attacks?
A) By modifying DNS settings
B) By capturing and resending authentication packets
C) By analyzing TTL values
D) By disabling ARP
Answer: B) By capturing and resending authentication packets
Explanation: Replay attacks involve sniffing and replaying authentication packets to impersonate a legitimate user.
117. What method can prevent wireless packet sniffing attacks?
A) Disabling DHCP
B) Using WPA3 encryption
C) Using HTTP instead of HTTPS
D) Increasing Wi-Fi signal strength
Answer: B) Using WPA3 encryption
Explanation: WPA3 encrypts every frame with per-client keys, so captured wireless traffic is unreadable without the session keys. Frames can still be captured in monitor mode; WPA3-Personal's advantage over WPA2 is that a captured handshake cannot be cracked offline and one client's keys do not decrypt another's traffic.
118. What is an indicator of a possible rogue access point performing a sniffing attack?
A) Unusual SSID broadcasts
B) Increased TCP handshakes
C) High ICMP response times
D) More DNS queries
Answer: A) Unusual SSID broadcasts
Explanation: Rogue APs advertise a familiar or look-alike SSID, often from an unknown BSSID, to lure clients; once connected, the attacker sits on path and can sniff or strip their traffic. Wireless IDS tools compare observed BSSIDs against an inventory of authorized APs.
119. What type of encryption does TLS 1.3 use to prevent sniffing-based attacks?
A) AES-GCM with forward secrecy
B) MD5 Hashing
C) 3DES
D) Blowfish
Answer: A) AES-GCM with forward secrecy
Explanation: TLS 1.3 allows only AEAD ciphers (AES-GCM, AES-CCM, ChaCha20-Poly1305) and mandates ephemeral (EC)DHE key exchange, which gives forward secrecy: recorded sessions cannot be decrypted later even if the server's long-term key is stolen.
120. What attack can be detected by monitoring excessive TCP SYN packets?
A) DNS Spoofing
B) SYN Flood
C) ARP Poisoning
D) Buffer Overflow
Answer: B) SYN Flood
Explanation: A SYN flood sends many SYNs without completing the handshake, exhausting the server's half-open connection table; in a capture it shows as a flood of SYNs with few matching final ACKs.
121. What is the purpose of the tcpdump -w command?
A) To filter packets by protocol
B) To write captured packets to a file for later analysis
C) To block incoming traffic
D) To decrypt SSL traffic
Answer: B) To write captured packets to a file for later analysis
Explanation: tcpdump -w writes the raw captured packets, unparsed, to a file in pcap format for later inspection with Wireshark, tcpdump -r or other tools.
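The pcap file that tcpdump -w produces has a simple structure: a 24-byte global header (magic number, version, snaplen, link type) followed, for each packet, by a 16-byte record header and the raw bytes. The Python writer/reader below is added here as an illustration and is not part of the quiz; it builds such a file in memory from a constructed ARP frame and parses it back. The frame contents and timestamps are made up, and only classic pcap (not pcapng) is handled.

```python
"""Minimal reader/writer for the pcap file format that `tcpdump -w` produces.

Added example, not from the original quiz. Builds a pcap file in memory from a
constructed Ethernet frame, then parses it back the way Wireshark or
`tcpdump -r` would: a 24-byte global header followed by one 16-byte record
header per packet. Classic pcap only, not pcapng.
"""
import io
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4      # timestamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D      # timestamps in nanoseconds (tcpdump --nano)
LINKTYPE_ETHERNET = 1


def global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """magic, version 2.4, timezone offset, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def record(ts_sec, ts_usec, data, snaplen=65535):
    """One packet record: ts_sec, ts_usec, captured length, original length.
    The two lengths differ when the capture snaplen truncated the packet."""
    captured = data[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data)) + captured


def write_pcap(fileobj, packets, snaplen=65535):
    """packets: iterable of (ts_sec, ts_usec, bytes)."""
    fileobj.write(global_header(snaplen))
    for ts_sec, ts_usec, data in packets:
        fileobj.write(record(ts_sec, ts_usec, data, snaplen))


def read_pcap(data):
    """Yield (timestamp_seconds, linktype, packet_bytes) for each record.
    Detects byte order and microsecond vs nanosecond magic from the header."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")   # typical of a capture cut off by a crash
        yield ts_sec + ts_frac / divisor, linktype, data[off:off + incl_len]
        off += incl_len


# Constructed sample: an Ethernet frame carrying an ARP request (no real hosts involved).
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")          # dst: broadcast
    + bytes.fromhex("0800270a0b0c")        # src MAC (made up)
    + bytes.fromhex("0806")                # EtherType ARP
    + bytes.fromhex("0001080006040001")    # Ethernet/IPv4, hlen 6, plen 4, request
    + bytes.fromhex("0800270a0b0c") + bytes([10, 0, 0, 5])   # sender MAC/IP
    + bytes(6) + bytes([10, 0, 0, 1])                          # target MAC/IP
)


def round_trip(frames=(SAMPLE_FRAME,)):
    """Write the frames to an in-memory pcap and parse them back."""
    buf = io.BytesIO()
    write_pcap(buf, [(1700000000 + i, 250000, f) for i, f in enumerate(frames)])
    return list(read_pcap(buf.getvalue()))


if __name__ == "__main__":
    for ts, linktype, pkt in round_trip():
        print(f"{ts:.6f} linktype={linktype} len={len(pkt)} ethertype=0x{pkt[12:14].hex()}")
```

Pointing read_pcap at the bytes of a real capture walks it without Wireshark; the truncated-record check matters in practice because a capture cut short by a crash or a full disk ends mid-record.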
122. How does HSTS (HTTP Strict Transport Security) help prevent packet sniffing attacks?
A) It forces websites to use only HTTPS connections
B) It blocks all DNS queries
C) It prevents all TCP connections
D) It encrypts network packets at the IP layer
Answer: A) It forces websites to use only HTTPS connections
Explanation: Once a browser has seen a site's HSTS header, it rewrites http:// requests to https:// itself and refuses to proceed past certificate errors, which blocks SSL stripping and other downgrade-based sniffing.
123. What is a good indicator of an internal network being actively sniffed?
A) Increased DNS request failures
B) Unusual ARP traffic and duplicate IP addresses
C) Higher CPU usage
D) More SSH sessions than normal
Answer: B) Unusual ARP traffic and duplicate IP addresses
Explanation: ARP spoofing shows up as an IP address suddenly claimed by a different MAC (duplicate or flip-flopping bindings), bursts of gratuitous ARP, and operating systems warning about duplicate IP addresses; these are strong indicators of a MITM sniffer on the segment.
124. What type of attack involves intercepting encrypted packets and attempting to break their encryption offline?
A) Passive sniffing
B) Replay attack
C) Ciphertext-only attack
D) SYN flood
Answer: C) Ciphertext-only attack
Explanation: In a ciphertext-only attack, attackers capture encrypted packets and attempt to decrypt them offline using cryptanalysis, with no access to the plaintext or the key.
125. What is the primary reason VPNs are effective against packet sniffing?
A) They encrypt all network traffic between the client and server
B) They block unauthorized IP addresses
C) They prevent MAC address spoofing
D) They disable ICMP traffic
Answer: A) They encrypt all network traffic between the client and server
Explanation: A VPN encrypts traffic between the client and the VPN endpoint, so a sniffer on the local network or public Wi-Fi sees only ciphertext. Traffic between the VPN endpoint and the final destination is protected only if it is itself encrypted (HTTPS, SSH).
126. What tool can be used to analyze network latency by examining packet timestamps?
A) Wireshark
B) Hydra
C) Nmap
D) John the Ripper
Answer: A) Wireshark
Explanation: Wireshark provides detailed timestamp analysis, helping detect network latency and packet delays.
127. What does an IDS (Intrusion Detection System) typically do when it detects suspicious packet sniffing behavior?
A) Immediately shuts down the network
B) Sends alerts to administrators
C) Encrypts all traffic
D) Blocks all ICMP traffic
Answer: B) Sends alerts to administrators
Explanation: IDS systems like Snort or Suricata analyze network traffic and generate alerts for suspicious sniffing activity; blocking is the job of an IPS.
128. What protocol is used by Wi-Fi devices to authenticate before joining a network?
A) SNMP
B) EAP (Extensible Authentication Protocol)
C) ICMP
D) DNS
Answer: B) EAP (Extensible Authentication Protocol)
Explanation: EAP is the authentication framework used by 802.1X (WPA-Enterprise) to verify clients, typically against a RADIUS server, before they are granted network access.
129. Which attack can be detected by observing excessive TCP RST (Reset) packets in a network capture?
A) SYN Flood
B) TCP Reset Attack
C) ARP Spoofing
D) DNS Poisoning
Answer: B) TCP Reset Attack
Explanation: A TCP reset attack injects forged RST segments into an existing connection to tear it down. The attacker must place the sequence number inside the receiver's window, which is easy for an on-path sniffer; a spike of RSTs hitting active sessions is the signature.
130. How can attackers use packet sniffing to perform credential stuffing attacks?
A) By capturing hashed passwords and cracking them offline
B) By sending SYN packets repeatedly
C) By injecting JavaScript into a web page
D) By spoofing ARP requests
Answer: A) By capturing hashed passwords and cracking them offline
Explanation: Attackers can sniff password hashes (for example NTLM challenge-responses on a LAN), crack them offline, and reuse the recovered credentials. Strictly, "credential stuffing" means replaying credentials from breach dumps across many services; sniffed-and-cracked credentials feed the same kind of replay.
131. What is a common use of GRE (Generic Routing Encapsulation) in relation to network security?
A) To create encrypted VPN tunnels
B) To encapsulate traffic for easier routing
C) To block untrusted IPs
D) To disable packet sniffing
Answer: B) To encapsulate traffic for easier routing
Explanation: GRE encapsulates one protocol's packets inside IP so they can be carried across networks that would not otherwise route them. It provides no encryption by itself; VPNs that use GRE run it over IPsec to add confidentiality.
132. What network layer does packet sniffing typically occur at?
A) Application Layer
B) Network Layer
C) Data Link Layer
D) Transport Layer
Answer: C) Data Link Layer
Explanation: Sniffers capture whole frames at the Data Link Layer (for example via libpcap or a raw AF_PACKET socket), so every higher-layer protocol inside the frame can then be dissected.
133. What type of attack leverages packet sniffing to inject fraudulent ARP replies into a network?
A) ARP Poisoning
B) SQL Injection
C) DNS Amplification
D) ICMP Flood
Answer: A) ARP Poisoning
Explanation: ARP Poisoning tricks network devices into sending traffic through the attacker's machine, enabling packet sniffing and interception.
134. What is the role of deep packet inspection (DPI) in network security?
A) It decrypts encrypted traffic without permission
B) It analyzes packet payloads to detect malicious content
C) It injects fake packets to mislead attackers
D) It prevents TCP handshakes from completing
Answer: B) It analyzes packet payloads to detect malicious content
Explanation: DPI examines packet payloads, not just headers, to spot malware, policy violations, data exfiltration and unauthorized protocols. It sees only plaintext, so for TLS traffic it depends on an inspection proxy (question 107) or falls back to metadata.
135. What is a method for detecting network sniffers operating in promiscuous mode?
A) Sending ARP requests with incorrect MAC addresses
B) Blocking TCP traffic
C) Increasing the TTL of packets
D) Using a SYN flood attack
Answer: A) Sending ARP requests with incorrect MAC addresses
Explanation: An ARP request for the suspect's IP sent to a MAC that is neither broadcast nor the suspect's own address is dropped by a normally configured NIC, but a promiscuous NIC passes it up and the host replies, exposing itself. nmap's sniffer-detect script and the older AntiSniff automate this probe.
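Questions 114 and 135 describe the same probe. The Python below is an added example rather than quiz material: it builds the probe frame and the decision logic for the reply. The MAC and IP addresses are invented, the bogus destination is the classic ff:ff:ff:ff:ff:fe (an assumption: some NIC drivers filter on a partial match, so other bogus addresses are sometimes needed), and send_probe is a plain raw-socket wrapper that needs Linux and CAP_NET_RAW.

```python
"""ARP probe for spotting NICs in promiscuous mode (added example, not quiz code).

Idea: send an ARP request for the suspect's IP inside an Ethernet frame whose
destination MAC is neither broadcast nor the suspect's own address. A NIC in
normal mode discards that frame in hardware. A NIC in promiscuous mode hands
every frame to the kernel, and the IP stack, seeing its own address as the ARP
target, answers. The reply is the tell. Frames are built and parsed by hand
with struct so the logic runs anywhere; sending needs a raw socket.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# Assumption: the classic all-ones-but-last-bit probe address. Some NIC/driver
# combinations filter on a partial match and need a different bogus address.
BOGUS_DST = bytes.fromhex("fffffffffffe")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(opcode, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + socket.inet_aton(sender_ip) + target_mac + socket.inet_aton(target_ip)
    return eth + arp


def build_probe(my_mac, my_ip, suspect_ip, eth_dst=BOGUS_DST):
    """ARP request for suspect_ip, addressed to a MAC nobody should accept."""
    return build_arp(1, eth_dst, my_mac, my_ip, bytes(6), suspect_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    return {
        "opcode": opcode,
        "sender_mac": frame[22:28],
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": frame[32:38],
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def reply_indicates_promiscuous(frame, suspect_ip, probe_eth_dst=BOGUS_DST):
    """True when suspect_ip answered a probe its NIC should never have accepted."""
    arp = parse_arp(frame)
    if arp is None or arp["opcode"] != 2 or arp["sender_ip"] != suspect_ip:
        return False
    # A reply to a broadcast probe, or to a probe sent to the NIC's real MAC,
    # proves nothing: every host answers those.
    return probe_eth_dst != BROADCAST and probe_eth_dst != arp["sender_mac"]


def send_probe(iface, my_mac, my_ip, suspect_ip, timeout=2.0):
    """Send the probe on a Linux interface and wait for a reply (needs CAP_NET_RAW).
    Returns True if the suspect looks promiscuous, False if no telltale reply."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    s.bind((iface, 0))
    s.settimeout(timeout)
    s.send(build_probe(mac_bytes(my_mac), my_ip, suspect_ip))
    try:
        while True:
            if reply_indicates_promiscuous(s.recv(65535), suspect_ip):
                return True
    except socket.timeout:
        return False
    finally:
        s.close()


# Constructed frames for an offline demonstration (no hosts are contacted).
PROBER_MAC, PROBER_IP = mac_bytes("08:00:27:aa:bb:cc"), "10.0.0.9"
SUSPECT_MAC, SUSPECT_IP = mac_bytes("08:00:27:11:22:33"), "10.0.0.5"
PROBE = build_probe(PROBER_MAC, PROBER_IP, SUSPECT_IP)
# What a promiscuous suspect would send back to the prober:
TELLTALE_REPLY = build_arp(2, PROBER_MAC, SUSPECT_MAC, SUSPECT_IP, PROBER_MAC, PROBER_IP)

if __name__ == "__main__":
    print("probe dst", PROBE[:6].hex(":"), "promiscuous:",
          reply_indicates_promiscuous(TELLTALE_REPLY, SUSPECT_IP))
```

A missing reply does not clear a host: a sniffer may run on a NIC whose hardware filter still discards the bogus address, or the host may simply rate-limit ARP. Treat a reply as strong evidence and silence as inconclusive.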
136. How does SSL/TLS Forward Secrecy (PFS) help mitigate sniffing-based attacks?
A) It blocks MITM attacks by default
B) It prevents replay attacks
C) It generates a unique encryption key for each session
D) It disables ARP requests
Answer: C) It generates a unique encryption key for each session
Explanation: Forward secrecy comes from ephemeral (EC)DHE key exchange: each session derives a fresh key that is discarded afterwards, so a recorded session cannot be decrypted later even if the server's long-term private key is compromised.
137. What tool can be used to reconstruct files from sniffed network traffic?
A) Wireshark
B) Metasploit
C) Nikto
D) Hydra
Answer: A) Wireshark
Explanation: Wireshark reassembles captured streams and can save transferred files through File > Export Objects (HTTP, SMB, IMF email, TFTP and others), provided the transfer was not encrypted.
138. What is one way attackers use packet sniffing to perform DNS hijacking?
A) By modifying BGP routing tables
B) By capturing and altering DNS responses
C) By overloading the DHCP server
D) By disabling SSL/TLS
Answer: B) By capturing and altering DNS responses
Explanation: An on-path attacker sniffs DNS queries and answers them with forged responses (matching the transaction ID and source port) before the real resolver does, redirecting users to malicious sites.
139. What command in Wireshark can be used to filter only HTTPS traffic?
A) tcp.port == 443
B) dns.request
C) http.filter == "secure"
D) icmp.type == 8
Answer: A) tcp.port == 443
Explanation: HTTPS normally runs on TCP port 443, so tcp.port == 443 isolates that traffic. The filter selects by port, not by protocol: the tls display filter matches TLS on any port, and non-TLS traffic on 443 would slip through a port filter.
140. What type of security header in HTTP helps prevent packet sniffing attacks?
A) Content-Security-Policy (CSP)
B) HTTP Strict Transport Security (HSTS)
C) Cross-Origin Resource Sharing (CORS)
D) Referrer-Policy
Answer: B) HTTP Strict Transport Security (HSTS)
Explanation: HSTS forces browsers to always use HTTPS, preventing downgrade attacks like SSL stripping that enable packet sniffing.
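Questions 102, 122 and 140 all turn on what an HSTS header actually says, and a weak header gives weak protection. The checker below is an added example, not part of the quiz: it parses the header per RFC 6797 and flags the cases a reviewer would. The sample header values are constructed; the one-year max-age, includeSubDomains and preload requirements are those of the browser preload list.

```python
"""Checker for Strict-Transport-Security headers (added example, not quiz code).

HSTS only protects once the browser has seen a valid header over HTTPS, and the
strength of that protection depends on the directives. This parses the header
per RFC 6797 and reports what a reviewer would flag. The one-year max-age,
includeSubDomains and preload checks are the preload list's submission
requirements; max-age=0 is how a site withdraws the policy.
"""

ONE_YEAR = 31536000


def parse_hsts(header):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive; a directive without '=' maps to None."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header):
    """Return a list of findings; an empty list means the policy meets the preload bar."""
    d = parse_hsts(header or "")
    findings = []
    try:
        max_age = int(d.get("max-age"))   # TypeError when absent, ValueError when not a number
    except (TypeError, ValueError):
        return ["max-age missing or invalid: browsers ignore the whole header"]
    if max_age == 0:
        findings.append("max-age=0 withdraws the policy (only correct when deliberately retiring it)")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is under one year; preload requires at least {ONE_YEAR}")
    if "includesubdomains" not in d:
        findings.append("no includeSubDomains: subdomains stay reachable over plaintext HTTP")
    if "preload" not in d:
        findings.append("no preload: the very first visit is still exposed to SSL stripping")
    return findings


# Constructed examples of header values as a scanner might collect them.
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "broken": "max-age=1y; includeSubDomains",
    "withdrawn": "max-age=0",
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name}: {check_hsts(hdr) or ['ok']}")
```

Note that the header only counts when delivered over HTTPS with a valid certificate; the same header on an http:// response is ignored by browsers, which is why the preload finding matters for a site's very first visit.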
141. Which network component is most effective at preventing packet sniffing attacks?
A) Hub
B) Unmanaged switch
C) Managed switch with port security enabled
D) Open Wi-Fi network
Answer: C) Managed switch with port security enabled
Explanation: A switch forwards unicast frames only to the destination port, so a passive sniffer sees little; port security on a managed switch additionally blocks the MAC flooding (and casual MAC spoofing) that would force the switch into hub-like flooding of every frame.
142. What feature of WPA3 enhances security against packet sniffing compared to WPA2?
A) MAC filtering
B) Simultaneous Authentication of Equals (SAE)
C) Enabling WEP as a fallback
D) Disabling DHCP
Answer: B) Simultaneous Authentication of Equals (SAE)
Explanation: SAE, a password-authenticated key exchange, replaces WPA2's four-way PSK handshake. The handshake no longer leaks material that can be brute-forced offline, and each client derives a unique session key, so a captured handshake does not let an attacker decrypt other users' traffic.
143. What kind of attack exploits a packet sniffer to modify network traffic in transit?
A) MITM (Man-in-the-Middle) Attack
B) SQL Injection
C) Port Scanning
D) DNS Reflection Attack
Answer: A) MITM (Man-in-the-Middle) Attack
Explanation: In MITM attacks, an attacker intercepts, alters, and forwards network traffic between two parties.
144. What is one major limitation of passive packet sniffing on a switched network?
A) It cannot capture unicast traffic without additional techniques
B) It automatically decrypts encrypted traffic
C) It increases network bandwidth
D) It only works on IPv6 networks
Answer: A) It cannot capture unicast traffic without additional techniques
Explanation: On switched networks, unicast traffic is only sent to the intended recipient's port, making passive sniffing ineffective without techniques like ARP poisoning, MAC flooding, or port mirroring.
145. How can network segmentation help mitigate packet sniffing risks?
A) By isolating sensitive traffic into separate VLANs
B) By increasing packet transmission speed
C) By disabling encryption
D) By allowing all devices to communicate freely
Answer: A) By isolating sensitive traffic into separate VLANs
Explanation: Segmentation (VLANs, separate subnets) confines a sniffer to its own broadcast domain, so even an ARP-poisoning attacker reaches only hosts on the same segment. VLAN boundaries must be enforced properly; misconfigured trunk ports allow VLAN hopping.
146. What technique allows Wireshark to analyze encrypted TLS traffic if the correct keys are available?
A) Exporting session tokens
B) Importing the private key and using TLS decryption
C) Using brute-force decryption
D) Analyzing HTTP headers
Answer: B) Importing the private key and using TLS decryption
Explanation: Wireshark decrypts TLS when given either the server's RSA private key (RSA key exchange only) or, for (EC)DHE suites and TLS 1.3, a key log file of session secrets; both are configured under the TLS protocol preferences.
147. What is one of the primary risks of using an unencrypted VoIP service?
A) Increased network congestion
B) Calls can be intercepted and recorded using packet sniffing
C) Higher CPU usage on devices
D) Lower voice quality
Answer: B) Calls can be intercepted and recorded using packet sniffing
Explanation: Unencrypted VoIP traffic can be captured and the audio reconstructed using tools like Wireshark's RTP stream analysis.
148. What does the “tcpdump -i eth0” command do?
A) Captures packets on interface eth0
B) Encrypts packets before transmission
C) Injects packets into eth0
D) Blocks all outgoing TCP traffic
Answer: A) Captures packets on interface eth0
Explanation: tcpdump -i eth0 captures live packets on the network interface eth0 and prints a one-line summary of each; it requires root or the CAP_NET_RAW capability.
149. What is an effective way to prevent ARP poisoning-based sniffing attacks?
A) Using static ARP entries
B) Disabling Wi-Fi
C) Switching to HTTP instead of HTTPS
D) Increasing the TTL of packets
Answer: A) Using static ARP entries
Explanation: A static ARP entry cannot be overwritten by spoofed replies, so the host keeps the correct gateway MAC. This does not scale to large networks; there, Dynamic ARP Inspection on managed switches, which validates ARP packets against DHCP snooping bindings, is the usual control.
150. What does a “fragmented TCP packet” indicate in network traffic analysis?
A) Normal behavior in packet transmission
B) Possible evasion technique to bypass IDS/IPS detection
C) A SYN flood attack
D) Packet corruption
β
Answer: B) Possible evasion technique to bypass IDS/IPS detection
π Explanation: Attackers may fragment TCP packets to bypass IDS/IPS detection and hide malicious payloads.
151. How can a security analyst detect an unauthorized packet sniffer running on a local machine?
A) Using netstat -an to check for unusual listening ports
B) Running a SYN flood attack
C) Blocking all UDP packets
D) Increasing firewall rules
Answer: A) Using netstat -an to check for unusual listening ports
Explanation: netstat -an reveals sniffers that open a listener or an outbound channel to ship captures, but a purely passive sniffer on a raw socket opens no port at all. Also check for interfaces with the PROMISC flag (ip link, and the kernel's "entered promiscuous mode" log line) and for packet sockets with ss -0 -p.
152. What does a sudden increase in ICMP Echo Request packets indicate in network traffic?
A) Normal network operation
B) A potential ping sweep or reconnaissance scan
C) A SYN flood attack
D) An SSL downgrade attack
Answer: B) A potential ping sweep or reconnaissance scan
Explanation: Attackers use ICMP Echo Requests (ping sweeps) to identify live hosts on a network before launching further attacks.
153. Which protocol uses TLS encryption by default to prevent packet sniffing?
A) Telnet
B) HTTPS
C) FTP
D) DNS
Answer: B) HTTPS
Explanation: HTTPS is HTTP carried over TLS, so web traffic is encrypted in transit. Telnet and FTP are plaintext, and classic DNS is plaintext UDP unless DNS over TLS or DNS over HTTPS is specifically configured.
154. What attack technique allows an attacker to capture unencrypted HTTP session cookies?
A) Session Hijacking via Firesheep
B) ICMP Flooding
C) SQL Injection
D) SYN Scanning
Answer: A) Session Hijacking via Firesheep
Explanation: Firesheep (a 2010 Firefox extension) captured unencrypted session cookies on open Wi-Fi and let its user take over the victim's logged-in sessions, which pushed major sites to adopt HTTPS everywhere.
155. Which feature of Wireshark allows analysts to filter packets based on their HTTP request type?
A) http.request.method == "GET"
B) tcp.port == 22
C) dns.query
D) udp.length > 50
Answer: A) http.request.method == "GET"
Explanation: This Wireshark display filter isolates HTTP GET requests; changing the value to POST isolates form submissions, which is where plaintext credentials usually travel.
156. What tool can be used to detect rogue Wi-Fi access points?
A) Kismet
B) John the Ripper
C) Burp Suite
D) Dirb
Answer: A) Kismet
Explanation: Kismet is a wireless security tool used to detect rogue APs, monitor traffic, and identify Wi-Fi sniffing attempts.
157. What is an indicator of a possible DNS hijacking attack in network logs?
A) Sudden increase in UDP traffic on port 53
B) Large volume of TCP RST packets
C) ICMP timeouts
D) ARP broadcast storms
Answer: A) Sudden increase in UDP traffic on port 53
Explanation: A jump in port 53 traffic is a weak signal on its own. Stronger indicators of hijacking are DNS responses arriving from a resolver that was never configured, answers that disagree with an authoritative lookup, and, for tunneling, very long or high-entropy query names and unusual TXT or NULL records.
158. What tool can be used to detect network sniffers operating in promiscuous mode?
A) Nmap
B) AntiSniff
C) Hydra
D) Burp Suite
Answer: B) AntiSniff
Explanation: AntiSniff (an old L0pht tool) detects promiscuous-mode hosts with ARP, DNS and timing probes; today the same checks are available in nmap's sniffer-detect NSE script.
159. Which protocol is commonly targeted by packet sniffers due to its use of plaintext authentication?
A) SSH
B) Telnet
C) HTTPS
D) TLS
Answer: B) Telnet
Explanation: Telnet transmits data in plaintext, including authentication credentials, making it vulnerable to sniffing attacks.
160. What is a key limitation of packet sniffing tools when analyzing encrypted traffic?
A) They cannot capture packets
B) They cannot read the payload of encrypted packets without decryption keys
C) They only work on IPv6 networks
D) They automatically filter out HTTPS traffic
Answer: B) They cannot read the payload of encrypted packets without decryption keys
Explanation: Sniffers can capture encrypted traffic and still learn metadata (endpoints, sizes, timing, the SNI hostname), but the payload stays opaque without the session keys or, for RSA key exchange only, the server's private key.
161. What is a common method for detecting ARP poisoning attacks?
A) Monitoring for duplicate ARP responses
B) Increasing the TTL of all packets
C) Using SYN flooding techniques
D) Blocking all ICMP traffic
Answer: A) Monitoring for duplicate ARP responses
Explanation: ARP poisoning produces replies, often unsolicited, that map one IP to a new MAC. Tools such as arpwatch keep an IP-to-MAC table and alert on changes, and Wireshark flags "duplicate IP address detected" when it sees one IP with two MACs.
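Questions 123 and 161 both come down to watching IP-to-MAC bindings change. This added Python example (not from the quiz) does that over tcpdump -n -e arp style lines, also catching replies whose ARP body claims a MAC different from the Ethernet source that carried them. The capture lines and addresses are constructed, and ArpWatch is a hypothetical name for a cut-down version of what arpwatch does.

```python
"""Detect ARP poisoning from `tcpdump -n -e arp` output (added example, not quiz code).

Feeds reply lines into a small arpwatch-style table and raises an alert when an
IP address is claimed by a second MAC (the "duplicate ARP responses" above) or
when the MAC inside the ARP reply disagrees with the Ethernet source address
that carried it. Sample lines are constructed in the shape of tcpdump's -e
output for ARP.
"""
import re

ARP_REPLY_RE = re.compile(
    r"(?P<eth_src>[0-9a-f:]{17}) > (?P<eth_dst>[0-9a-f:]{17}), ethertype ARP .*?"
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


class ArpWatch:
    """ip -> mac table; optionally seeded with known-good bindings (e.g. the gateway)."""

    def __init__(self, trusted=None):
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.alerts = []

    def feed(self, line):
        """Process one tcpdump line. Returns an alert tuple or None."""
        m = ARP_REPLY_RE.search(line)
        if not m:
            return None
        ip, mac, eth_src = m["ip"], m["mac"].lower(), m["eth_src"].lower()
        alert = None
        if eth_src != mac:
            # Frame came from one NIC but the ARP body claims another: forged reply.
            alert = ("header-mismatch", ip, eth_src, mac)
        elif ip in self.table and self.table[ip] != mac:
            # Same IP, different MAC than the one learned or trusted: classic poisoning.
            # The table is deliberately not overwritten, so each further poisoned
            # reply alerts again instead of being silently accepted.
            alert = ("mac-changed", ip, self.table[ip], mac)
        else:
            self.table[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert

    def feed_all(self, lines):
        return [a for a in (self.feed(line) for line in lines) if a]


# Constructed capture: legitimate gateway reply, a request (ignored), an attacker
# claiming the gateway's IP, then a reply whose Ethernet source does not match its body.
SAMPLE_LINES = [
    "12:00:01.000001 aa:bb:cc:dd:ee:01 > 08:00:27:11:22:33, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:00:01.500000 08:00:27:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:02.000002 de:ad:be:ef:00:01 > 08:00:27:11:22:33, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:03.000003 de:ad:be:ef:00:01 > 08:00:27:11:22:33, ethertype ARP (0x0806), length 42: "
    "Reply 10.0.0.7 is-at 08:00:27:77:77:77, length 28",
]


def demo():
    """Run the sample capture with the gateway binding seeded as trusted."""
    watch = ArpWatch(trusted={"10.0.0.1": "aa:bb:cc:dd:ee:01"})
    return watch.feed_all(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

A header mismatch is a lead rather than proof: some router failover setups legitimately answer with a virtual MAC, so confirm against the network inventory before acting on it.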
162. What does the “SYN-ACK” packet indicate in a TCP handshake?
A) The request to terminate a connection
B) The acknowledgment of a connection request
C) A packet has been lost in transit
D) The packet has been fragmented
Answer: B) The acknowledgment of a connection request
Explanation: In the three-way TCP handshake, a SYN-ACK packet is sent to acknowledge the client's initial SYN request.
163. How can packet sniffing be prevented in a wired network environment?
A) Using SSH instead of Telnet
B) Enabling port mirroring on all network switches
C) Using encrypted protocols like TLS/SSL
D) Setting all NICs to promiscuous mode
Answer: C) Using encrypted protocols like TLS/SSL
Explanation: TLS/SSL encryption prevents sniffers from reading sensitive data even if packets are intercepted; replacing Telnet with SSH is one specific case of the same principle.
164. What network device can help prevent MITM sniffing attacks by ensuring proper traffic routing?
A) Hub
B) Firewall
C) Managed Switch
D) Wireless Repeater
Answer: C) Managed Switch
Explanation: A managed switch forwards frames only to the destination port, making sniffing harder unless the attacker resorts to ARP poisoning, MAC flooding, or port mirroring.
165. What does a high number of FIN packets in a short time indicate in network traffic analysis?
A) A TCP connection is being established
B) An attacker is attempting session hijacking
C) An active TCP connection is being closed multiple times, possibly indicating a scanning attack
D) A DNS cache poisoning attack is occurring
Answer: C) An active TCP connection is being closed multiple times, possibly indicating a scanning attack
Explanation: A burst of FIN segments on connections that were never established is the signature of an Nmap FIN scan: closed ports answer with RST while open ports stay silent, so the attacker maps the host without completing a handshake. Legitimate FINs belong to connections that a SYN opened earlier.
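Questions 120, 129 and 165 are all flag-pattern detections. The Python below, an added example rather than quiz material, runs them over tcpdump -n style TCP lines: it flags sources that leave many half-open connections (SYN flood), sources that send FINs on connections that never saw a SYN (FIN scan), and tallies RST senders for the reset-attack case. The traffic is constructed, and the thresholds are assumptions to be tuned per network.

```python
"""SYN-flood and FIN-scan detection over `tcpdump -n` TCP lines (added example).

Tracks each client-side 4-tuple through the handshake. A source that sends many
SYNs but almost never the final ACK is leaving half-open connections (SYN
flood); a source sending FINs on 4-tuples that never saw a SYN is probing closed
ports the way an Nmap FIN scan does. RSTs per sender are tallied as well, since
a burst of them is what a TCP reset attack or a scan of closed ports looks like.
Sample lines are constructed in the shape tcpdump prints.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def analyze(lines, syn_threshold=20, max_completion=0.2, fin_threshold=5):
    """Return (findings, rst_counts). Thresholds are assumptions, not standards."""
    syn_sent = defaultdict(int)      # src -> SYNs
    completed = defaultdict(int)     # src -> handshakes finished with the bare ACK
    orphan_fin = defaultdict(int)    # src -> FINs on 4-tuples with no prior SYN
    rst_sent = defaultdict(int)      # src -> RSTs
    flows = {}                       # client 4-tuple -> "syn" | "open"
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flags == "S":
            syn_sent[src] += 1
            flows[key] = "syn"
        elif flags == "." and flows.get(key) == "syn":
            completed[src] += 1
            flows[key] = "open"
        elif "F" in flags and key not in flows and reverse not in flows:
            orphan_fin[src] += 1
        if "R" in flags:
            rst_sent[src] += 1
    findings = []
    for src, n in syn_sent.items():
        if n >= syn_threshold and completed[src] < n * max_completion:
            findings.append(("syn-flood", src, n))
    for src, n in orphan_fin.items():
        if n >= fin_threshold:
            findings.append(("fin-scan", src, n))
    return findings, dict(rst_sent)


def sample_lines():
    """Constructed traffic: one normal session, a SYN flood, and a FIN scan."""
    lines = [
        "IP 10.0.0.5.40000 > 10.0.0.1.80: Flags [S], seq 1, win 64240",
        "IP 10.0.0.1.80 > 10.0.0.5.40000: Flags [S.], seq 100, ack 2, win 65160",
        "IP 10.0.0.5.40000 > 10.0.0.1.80: Flags [.], ack 101, win 502",
        "IP 10.0.0.5.40000 > 10.0.0.1.80: Flags [F.], seq 2, ack 101, win 502",
    ]
    for i in range(25):   # SYNs from one source; the third packet never follows
        lines.append(f"IP 198.51.100.7.{50000 + i} > 10.0.0.1.80: Flags [S], seq {i}, win 1024")
    for port in range(21, 27):   # bare FINs to closed ports; the target answers with RST
        lines.append(f"IP 198.51.100.9.40000 > 10.0.0.1.{port}: Flags [F], seq 0, win 1024")
        lines.append(f"IP 10.0.0.1.{port} > 198.51.100.9.40000: Flags [R.], seq 0, ack 1, win 0")
    return lines


if __name__ == "__main__":
    findings, rsts = analyze(sample_lines())
    for finding in findings:
        print(*finding)
    print("RSTs by sender:", rsts)
```

Feeding real tcpdump output works the same way, but on a busy link expect to raise syn_threshold and to exclude load balancers and health checkers, which legitimately open and abandon many connections.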
166. What is the purpose of the “Follow TCP Stream” feature in Wireshark?
A) To capture only encrypted traffic
B) To reconstruct an entire conversation from captured TCP packets
C) To drop fragmented packets
D) To prevent SYN flood attacks
Answer: B) To reconstruct an entire conversation from captured TCP packets
Explanation: Wireshark's "Follow TCP Stream" feature reassembles both directions of a TCP conversation in order, making it easier to read the application-layer exchange in captured packets.
167. What attack involves intercepting and modifying communication between two parties without their knowledge?
A) DNS Poisoning
B) Man-in-the-Middle (MITM) Attack
C) UDP Flooding
D) IP Spoofing
Answer: B) Man-in-the-Middle (MITM) Attack
Explanation: In a MITM attack, the attacker intercepts and manipulates communication between two parties, often using sniffing techniques.
168. What kind of network traffic anomaly could indicate a slow data exfiltration attack?
A) A high volume of TCP SYN packets
B) A steady stream of small encrypted packets being sent to an external IP
C) A sudden burst of UDP packets
D) A significant increase in ICMP echo requests
Answer: B) A steady stream of small encrypted packets being sent to an external IP
Explanation: Slow data exfiltration avoids detection by sending small, encrypted packets over a long period rather than one large data transfer.
169. Which protocol is often used for secure remote management and protects against packet sniffing?
A) Telnet
B) FTP
C) SSH
D) TFTP
Answer: C) SSH
Explanation: SSH (Secure Shell) encrypts data and commands, making it secure against packet sniffing attacks.
170. What is the primary function of “Port Mirroring” on a switch?
A) To duplicate network traffic to a monitoring port for analysis
B) To encrypt all incoming and outgoing packets
C) To block packet sniffers from accessing the network
D) To prevent DNS hijacking
Answer: A) To duplicate network traffic to a monitoring port for analysis
Explanation: Port mirroring (SPAN) copies traffic from one or more ports to a monitoring port, allowing security tools to inspect network packets in real time.
171. What type of packet analysis focuses on identifying unusual patterns in network traffic rather than predefined attack signatures?
A) Signature-based detection
B) Anomaly-based detection
C) Heuristic-based detection
D) Passive sniffing
Answer: B) Anomaly-based detection
Explanation: Anomaly-based detection identifies suspicious deviations from a baseline of normal traffic behavior, which may indicate attacks or data exfiltration.
172. Which Linux command allows you to capture network packets in real-time and filter them based on protocol?
A) whois
B) tcpdump
C) dig
D) grep -i network
β
Answer: B) tcpdump
π Explanation: tcpdump is a command-line packet analyzer that captures live traffic from an interface and filters it with BPF expressions on protocol, port, host or IP address. Captures can be written to a pcap file and opened later in Wireshark for deeper analysis.
173. What is a common sign of a rogue DHCP server being used for packet sniffing?
A) Increased ICMP packets
B) Unexpected IP addresses assigned to clients
C) High CPU usage
D) Increased use of SSL/TLS
β
Answer: B) Unexpected IP addresses assigned to clients
π Explanation: A rogue DHCP server can provide clients with malicious gateway or DNS settings, redirecting traffic for sniffing or attacks.
174. What network security measure helps prevent unauthorized devices from sniffing packets on a wired network?
A) Disabling TCP/IP
B) Enforcing MAC address filtering
C) Using plaintext passwords
D) Blocking UDP traffic
β
Answer: B) Enforcing MAC address filtering
π Explanation: MAC address filtering admits only a list of known addresses. It raises the bar only slightly: a MAC address is visible in every frame and can be cloned with a one-line interface change, so an attacker who can sniff can also bypass the filter. Port-based authentication with 802.1X, which requires credentials or a certificate before the switch port passes traffic, is the stronger control on a wired network.
175. What happens if a router receives an IP packet with a TTL value of 1?
A) It forwards the packet normally
B) It drops the packet and sends an ICMP Time Exceeded message
C) It fragments the packet
D) It encrypts the packet before sending
β
Answer: B) It drops the packet and sends an ICMP Time Exceeded message
π Explanation: Each router decrements the TTL (Time to Live) of a packet it forwards. A packet that arrives with a TTL of 1 is decremented to 0, discarded, and answered with an ICMP Time Exceeded (type 11, code 0) message to the source. This keeps routing loops from circulating packets forever, and traceroute deliberately sends packets with TTL 1, 2, 3, ... to learn each hop's address from those ICMP replies.
176. What technique is commonly used by attackers to capture Wi-Fi packets without connecting to the network?
A) MAC spoofing
B) Monitor mode sniffing
C) SYN flooding
D) VPN tunneling
β
Answer: B) Monitor mode sniffing
π Explanation: Monitor mode lets a wireless adapter receive 802.11 frames on a channel without associating with any network, so an attacker only needs to be in radio range. On a WPA2/WPA3 network the data payloads remain encrypted; what a passive capture exposes is management traffic, client and AP MAC addresses, SSIDs, and the handshakes used for offline key attacks.
177. What is the function of a “Null Scan” in network reconnaissance?
A) To send SYN-ACK packets without initiating a handshake
B) To send packets without TCP flags to bypass firewall rules
C) To flood a target with ICMP packets
D) To disable ARP requests
β
Answer: B) To send packets without TCP flags to bypass firewall rules
π Explanation: A null scan sends TCP segments with no flags set. RFC 793 says a closed port must answer with RST while an open port silently discards such a segment, so no reply means open|filtered and a RST means closed. Because the probe is not a SYN, simple stateless filters that only watch for connection attempts can miss it. Stateful firewalls drop it as out-of-state, and Windows stacks answer RST regardless of port state, so the technique only yields results against RFC-conformant targets.
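The RFC 793 behaviour that null, FIN and Xmas scans rely on, as an added example that is not part of the original quiz: it builds a raw TCP header, reads the flag byte back, classifies the probe the way nmap names it, and models what a conforming stack replies for an open versus a closed port. The header builder, the probe names and the verdict strings are this example's own constructs (nmap's real logic also handles ICMP unreachables and retransmissions). The Windows exception noted above is deliberately not modelled: on such a stack every probe gets RST and the verdict is always "closed".

```python
import struct

# TCP flag bits, low byte of header bytes 12-13 (RFC 793; CWR/ECE come from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header without options (seq/ack 0, window 1024, checksum 0)."""
    data_offset = 5 << 4            # 5 x 32-bit words, stored in the upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Return the 8 flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13]              # byte 13 holds CWR ECE URG ACK PSH RST SYN FIN


def classify_probe(flags: int) -> str:
    """Name the nmap scan type that an unsolicited segment with these flags resembles."""
    return {
        0: "NULL",                  # -sN: no flags at all
        FIN: "FIN",                 # -sF
        FIN | PSH | URG: "XMAS",    # -sX
        SYN: "SYN",                 # -sS half-open scan
        ACK: "ACK",                 # -sA: maps firewall rules, says nothing about port state
    }.get(flags, "OTHER")


def rfc793_reply(port_open: bool, flags: int) -> str:
    """Reply of an RFC 793-conforming stack to a segment that matches no connection.

    CLOSED port: anything that is not itself a RST gets a RST.
    LISTEN port: a RST is ignored; an ACK gets RST; a SYN gets SYN-ACK;
    a segment with none of those (NULL, FIN, XMAS) is silently dropped.
    """
    if flags & RST:
        return "none"
    if not port_open:
        return "RST"
    if flags & ACK:
        return "RST"
    if flags & SYN:
        return "SYN-ACK"
    return "none"


def nmap_verdict(scan: str, reply: str) -> str:
    """How nmap interprets the reply for each scan type (RFC 793 stacks only)."""
    if scan in ("NULL", "FIN", "XMAS"):
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "SYN":
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    return "unknown"


def probe(port_open: bool, flags: int) -> str:
    """End to end: build the probe, parse it back, and return nmap's verdict."""
    segment = build_tcp_header(40000, 80, flags)
    parsed = parse_tcp_flags(segment)
    return nmap_verdict(classify_probe(parsed), rfc793_reply(port_open, parsed))


if __name__ == "__main__":
    for name, f in (("NULL", 0), ("FIN", FIN), ("XMAS", FIN | PSH | URG), ("SYN", SYN)):
        print(f"{name:4} -> open port: {probe(True, f):14} closed port: {probe(False, f)}")
```

The point the table makes explicit: for the flagless probes silence is the "interesting" answer, which is why nmap cannot tell an open port from a firewall that drops the probe and reports open|filtered.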
178. What tool is commonly used to analyze NetFlow data for detecting packet sniffing activity?
A) tcpdump
B) Wireshark
C) nfdump
D) Metasploit
β
Answer: C) nfdump
π Explanation: nfdump collects and queries NetFlow/IPFIX records. Sniffing itself is passive and produces no flows, so what flow data reveals is the surrounding activity: a host that suddenly talks to unusual peers, long-lived low-volume connections to one external address, or a capture file being shipped off the network.
179. What type of attack occurs when an attacker forges a response packet before the legitimate server can reply?
A) DNS Spoofing
B) SSL Stripping
C) SYN Flood
D) MAC Flooding
β
Answer: A) DNS Spoofing
π Explanation: DNS spoofing races the legitimate resolver: the forged answer must arrive first and match the query's transaction ID, source port and question, which is why resolvers randomize both the ID and the port. An attacker sniffing the query on the local segment sees those values and wins the race easily, redirecting the victim to a malicious site; DNSSEC validation or encrypted DNS (DoT/DoH) to a trusted resolver defeats the forgery.
180. How does an attacker use DHCP Starvation in a packet sniffing attack?
A) By exhausting available IP addresses to force clients onto a rogue DHCP server
B) By encrypting all network traffic
C) By sending fake DNS responses
D) By injecting ICMP packets
β
Answer: A) By exhausting available IP addresses to force clients onto a rogue DHCP server
π Explanation: DHCP starvation floods the legitimate DHCP server with DISCOVER messages from spoofed MAC addresses until its address pool is exhausted. New clients then get no answer from the real server and accept the OFFER from the attacker's rogue server, which hands out the attacker as default gateway and DNS server. DHCP snooping on the switch, which only allows DHCP server messages on trusted ports and rate-limits client requests, mitigates both halves of the attack.
181. What is the primary purpose of the “RST” flag in a TCP packet?
A) To establish a new connection
B) To reset or terminate an existing connection
C) To request encryption of a session
D) To signal a UDP handshake
β
Answer: B) To reset or terminate an existing connection
π Explanation: The RST (Reset) flag in TCP is used to immediately terminate an active connection.
182. What tool can be used to scan for active sniffers on a local network?
A) ARPwatch
B) Nikto
C) OWASP ZAP
D) SQLmap
β
Answer: A) ARPwatch
π Explanation: arpwatch passively records the IP-to-MAC pairings seen in ARP traffic and reports changes ("changed ethernet address", "flip flop", new stations). A sniffer on its own is silent, but on a switched network an attacker usually has to poison ARP caches to receive other hosts' traffic, and that poisoning is what arpwatch detects.
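The pairing tracker behind that kind of alert, as an added example that is not the original page's or arpwatch's own code: it consumes a constructed sequence of ARP replies, keeps the current and historical MAC for every IP, optionally pins a static pairing for the gateway, and raises the same three kinds of alert arpwatch is known for plus a heuristic for one MAC that currently owns several IPs (what a gateway-plus-victim poisoning looks like). The alert names and the sample replies are this example's own constructs.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender IP, sender MAC) seen by a passive monitor.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway answers a request
    (2.0, "192.168.1.10", "aa:bb:cc:00:00:10"),   # workstation
    (3.5, "192.168.1.1", "aa:bb:cc:00:00:01"),    # same pairing again: benign
    (4.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # gateway IP now claimed by another MAC
    (4.5, "192.168.1.10", "de:ad:be:ef:00:99"),   # same MAC also claims the workstation IP
    (6.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway reasserts itself
]


class ArpMonitor:
    """Track IP-to-MAC pairings and report the changes arpwatch-style tools alert on."""

    def __init__(self, static_pairs=None):
        self.static = {ip: mac.lower() for ip, mac in (static_pairs or {}).items()}
        self.current = {}                   # ip -> MAC currently claiming it
        self.history = defaultdict(set)     # ip -> every MAC ever seen claiming it
        self.alerts = []                    # (ts, kind, subject, old, new)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        previous = self.current.get(ip)
        if ip in self.static and mac != self.static[ip]:
            # A pinned pairing (e.g. the gateway) is being contradicted: strongest signal.
            self.alerts.append((ts, "static mismatch", ip, self.static[ip], mac))
        elif previous is None:
            self.alerts.append((ts, "new station", ip, None, mac))
        elif previous != mac:
            # "flip flop" is arpwatch's term for an IP bouncing back to a MAC it used before,
            # the classic pattern when a poisoner and the real host both keep answering.
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            self.alerts.append((ts, kind, ip, previous, mac))
        self.current[ip] = mac
        self.history[ip].add(mac)

        # Heuristic: one MAC owning several IPs at once (legitimate for virtual IPs,
        # but with the gateway among them it is the MITM signature).
        owned = sorted(i for i, m in self.current.items() if m == mac)
        if len(owned) > 1:
            self.alerts.append((ts, "mac claims multiple ips", mac, None, ",".join(owned)))

    def alert_kinds(self):
        return [a[1] for a in self.alerts]

    def poisoning_suspected(self):
        return any(kind != "new station" for kind in self.alert_kinds())


def run_monitor(events, static_pairs=None):
    """Feed a list of (ts, ip, mac) replies through a fresh monitor and return it."""
    monitor = ArpMonitor(static_pairs)
    for ts, ip, mac in events:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_ARP_REPLIES, {"192.168.1.1": "aa:bb:cc:00:00:01"}).alerts:
        print(alert)
```

Pinning the gateway's real MAC (the static_pairs argument) turns the ambiguous "changed ethernet address" into a definite "static mismatch" the moment the attacker's first poisoned reply appears; arpwatch achieves the same with its ethercodes database and manually maintained entries.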
183. What is one way to detect a rogue AP (Access Point) being used for sniffing?
A) Checking for increased SYN packets
B) Scanning for unauthorized SSIDs using Kismet
C) Blocking all UDP packets
D) Increasing Wi-Fi transmission power
β
Answer: B) Scanning for unauthorized SSIDs using Kismet
π Explanation: Kismet helps detect rogue APs by identifying unauthorized or suspicious Wi-Fi networks.
184. What network security measure prevents unauthorized devices from connecting and sniffing wireless traffic?
A) Disabling MAC addresses
B) Implementing WPA3 encryption
C) Enabling HTTP instead of HTTPS
D) Blocking all ICMP requests
β
Answer: B) Implementing WPA3 encryption
π Explanation: WPA3-Personal replaces the WPA2 pre-shared-key handshake with SAE, which derives a fresh pairwise key per association and provides forward secrecy. With WPA2-PSK, anyone who knows the passphrase and captures a client's 4-way handshake can decrypt that client's traffic; with SAE the passphrase alone is not enough, and offline dictionary attacks against a captured handshake no longer work.
185. What attack is characterized by a flood of fragmented packets designed to bypass IDS/IPS detection?
A) Teardrop Attack
B) SYN Flood
C) Man-in-the-Middle
D) DNS Spoofing
β
Answer: A) Teardrop Attack
π Explanation: The Teardrop attack sends IP fragments whose offsets and lengths overlap; reassembly code that trusted those values computed negative lengths and crashed or corrupted memory, so it is a denial of service rather than an evasion. Fragmentation is also a classic IDS evasion vector: operating systems resolve overlapping fragments differently (first or last fragment wins), so an IDS that reassembles with a policy different from the target's sees a different payload than the host does.
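A reassembler that refuses the condition Teardrop exploited, as an added example that is not the original page's code: it rebuilds one datagram from fragments (in any arrival order), rejects any fragment that starts inside data an earlier one already supplied, and also checks gaps, the 8-byte alignment rule for non-final fragments and the 65535-byte ceiling. Offsets are kept in bytes for readability (on the wire the field is in 8-byte units), and the two fragment sets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int        # IP Identification field, shared by all fragments of one datagram
    offset: int       # fragment offset in bytes (the wire field counts 8-byte units)
    more: bool        # More Fragments (MF) flag
    payload: bytes


class OverlapError(ValueError):
    """Raised when a fragment starts inside data an earlier fragment already supplied."""


def reassemble(fragments, max_datagram=65535):
    """Rebuild one datagram from its fragments, refusing overlaps, gaps and oversize.

    Vulnerable historical reassembly code trusted the offsets: an overlapping
    fragment made its "bytes still needed" arithmetic go negative and it copied
    far more than the buffer held. Refusing overlaps outright removes that path.
    """
    if not fragments:
        raise ValueError("no fragments")
    frags = sorted(fragments, key=lambda f: f.offset)   # tolerate out-of-order arrival
    ident, expected, out = frags[0].ident, 0, bytearray()
    for i, frag in enumerate(frags):
        if frag.ident != ident:
            raise ValueError("fragments belong to different datagrams")
        if frag.more and len(frag.payload) % 8:
            raise ValueError("non-final fragment payload must be a multiple of 8 bytes")
        if not frag.more and i != len(frags) - 1:
            raise ValueError("a fragment without MF must be the last one")
        if frag.offset < expected:
            raise OverlapError(f"fragment at offset {frag.offset} overlaps data up to {expected}")
        if frag.offset > expected:
            raise ValueError(f"gap before offset {frag.offset}: datagram incomplete")
        if frag.offset + len(frag.payload) > max_datagram:
            raise ValueError("reassembled datagram would exceed 65535 bytes")
        out += frag.payload
        expected += len(frag.payload)
    if frags[-1].more:
        raise ValueError("final fragment still has MF set: datagram incomplete")
    return bytes(out)


def is_overlapping(fragments):
    """True only for the overlap case; other malformations are a different finding."""
    try:
        reassemble(fragments)
    except OverlapError:
        return True
    except ValueError:
        return False
    return False


# Constructed fragment sets.
BENIGN = [
    Fragment(0x1234, 0, True, b"A" * 16),
    Fragment(0x1234, 16, True, b"B" * 16),
    Fragment(0x1234, 32, False, b"C" * 5),
]
TEARDROP = [
    Fragment(0x4321, 0, True, b"A" * 32),
    Fragment(0x4321, 24, False, b"B" * 16),   # starts 8 bytes inside the first fragment
]

if __name__ == "__main__":
    print(len(reassemble(BENIGN)), "bytes reassembled")
    print("teardrop overlap detected:", is_overlapping(TEARDROP))
```

An IDS cannot simply reject overlaps the way a host can, because it has to predict what the target will accept; that is why Snort's frag3 preprocessor takes a per-target reassembly policy instead of one fixed rule.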
186. What does the “tcpdump -X” option do?
A) Displays packet headers only
B) Captures packets and shows data in both hex and ASCII
C) Encrypts captured packets
D) Filters only TCP traffic
β
Answer: B) Captures packets and shows data in both hex and ASCII
π Explanation: tcpdump -X prints each captured packet's headers and payload as both hexadecimal and ASCII, side by side, which is the quickest way to spot plaintext credentials or protocol strings in a capture. -x prints hex only, and -XX additionally includes the link-layer header.
187. How does a Deauthentication Attack assist in sniffing Wi-Fi traffic?
A) It forces devices to reconnect, allowing attackers to capture the handshake
B) It encrypts packets in transit
C) It blocks unauthorized sniffers
D) It disables Wi-Fi security protocols
β
Answer: A) It forces devices to reconnect, allowing attackers to capture the handshake
π Explanation: A deauthentication attack spoofs 802.11 deauth frames from the AP to a client (or the reverse); the client disconnects and reconnects, and the attacker captures the 4-way handshake, which for WPA2-PSK can then be attacked offline with a dictionary. Protected Management Frames (802.11w), optional in WPA2 and mandatory in WPA3, authenticate deauth frames so that forged ones are ignored.
188. What attack takes advantage of unencrypted HTTP session cookies to hijack user sessions?
A) Cross-Site Scripting (XSS)
B) Session Hijacking (Sidejacking)
C) SQL Injection
D) DNS Tunneling
β
Answer: B) Session Hijacking (Sidejacking)
π Explanation: Session hijacking (sidejacking) occurs when an attacker sniffs a session cookie sent over unencrypted HTTP, typically on open Wi-Fi, and replays it to impersonate the logged-in user without ever learning the password. Serving the whole site over HTTPS and marking cookies Secure so they are never sent in plaintext closes the hole.
189. What is the primary purpose of an IDS (Intrusion Detection System) in detecting packet sniffing attacks?
A) Blocking all network traffic
B) Detecting unusual packet flow patterns that indicate sniffing activity
C) Encrypting all captured packets
D) Spoofing ARP requests
β
Answer: B) Detecting unusual packet flow patterns that indicate sniffing activity
π Explanation: Passive sniffing has no network signature of its own, so an IDS such as Snort looks for the activity that usually accompanies it: ARP replies that change a gateway's MAC (Snort's arpspoof preprocessor), unusual gratuitous-ARP or broadcast volume, and traffic patterns consistent with a MITM relay.
190. What type of attack occurs when an attacker continuously sends ICMP Echo Requests to a target?
A) Man-in-the-Middle Attack
B) Ping Flood (ICMP Flood)
C) DNS Spoofing
D) TCP SYN Flood
β
Answer: B) Ping Flood (ICMP Flood)
π Explanation: A Ping Flood (ICMP Flood) overwhelms a target with ICMP Echo Requests, potentially denying legitimate traffic.
191. Which Wireshark display filter would show only DNS queries in a packet capture?
A) tcp.port == 53
B) udp.port == 53
C) dns.query
D) http.request
β
Answer: C) dns.query
π Explanation: The dns.query filter in Wireshark restricts the view to DNS query packets, which makes it easy to review what names clients are resolving. The precise field for queries is dns.flags.response == 0 (responses are dns.flags.response == 1); udp.port == 53 would match both directions and would miss DNS carried over TCP.
192. What type of attack uses packet sniffing to intercept and modify API traffic between a client and a server?
A) API Man-in-the-Middle (MITM) Attack
B) SQL Injection
C) Clickjacking
D) DNS Amplification
β
Answer: A) API Man-in-the-Middle (MITM) Attack
π Explanation: API MITM attacks intercept the HTTP(S) calls a mobile or web client makes to its backend in order to read tokens or alter parameters. They succeed when the client accepts any certificate or still talks plain HTTP; TLS with proper certificate validation, certificate pinning, and short-lived tokens keep a sniffer from reading or replaying the calls.
193. What feature of WPA3 helps prevent packet sniffing on wireless networks?
A) Dynamic MAC addressing
B) Opportunistic Wireless Encryption (OWE)
C) Pre-shared WEP key authentication
D) Static IP assignment
β
Answer: B) Opportunistic Wireless Encryption (OWE)
π Explanation: OWE (RFC 8110, branded Wi-Fi Enhanced Open and released alongside WPA3) performs a Diffie-Hellman exchange at association so that every client on an open network gets its own encrypted session without a passphrase, which defeats passive sniffing on public hotspots. It is unauthenticated, so it does not stop an active evil-twin access point; only the client's own TLS or VPN protects against that.
194. What type of network traffic is most commonly targeted in packet sniffing attacks?
A) Encrypted SSH sessions
B) Unencrypted HTTP and FTP traffic
C) VPN traffic
D) IPv6 multicast packets
β
Answer: B) Unencrypted HTTP and FTP traffic
π Explanation: HTTP and FTP traffic lack encryption, making them easy targets for sniffing attacks to capture credentials and sensitive data.
195. How does enabling HSTS (HTTP Strict Transport Security) help mitigate packet sniffing risks?
A) It forces browsers to use only HTTPS connections
B) It disables JavaScript on a webpage
C) It blocks all non-SSL connections
D) It encrypts DNS queries
β
Answer: A) It forces browsers to use only HTTPS connections
π Explanation: HSTS is a response header that tells the browser to use only HTTPS for that host for max-age seconds and to treat certificate errors as fatal, so a later http:// link or a stripped redirect is rewritten to HTTPS before any plaintext request leaves the machine. The browser must have seen the header over HTTPS once first, so the very first visit is unprotected unless the domain is on the browsers' preload list.
196. What kind of sniffing attack is possible on a switched network without ARP poisoning?
A) Passive sniffing using port mirroring
B) Blind SQL Injection
C) DNS Cache Poisoning
D) SYN Flood
β
Answer: A) Passive sniffing using port mirroring
π Explanation: A switch forwards unicast frames only to the port where the destination MAC was learned, so a host in promiscuous mode sees only its own traffic plus broadcasts, multicasts and unknown-unicast floods. A SPAN (mirror) port copies chosen ports or VLANs to the monitoring port and is completely passive. MAC flooding, which overflows the CAM table until the switch floods everything, is the other way to sniff without ARP poisoning, but it is anything but passive.
197. What kind of traffic is typically used in exfiltration techniques to bypass detection during packet sniffing?
A) Plaintext email traffic
B) DNS queries and ICMP packets
C) Large TCP segments
D) SMTP requests
β
Answer: B) DNS queries and ICMP packets
π Explanation: DNS and ICMP are allowed out through almost every perimeter and are rarely inspected beyond header checks, so tunnels such as iodine or dnscat2 encode data into DNS labels and TXT/NULL answers, and ICMP tunnels carry it in echo payloads. Signs are unusually long or high-entropy subdomains, many unique subdomains under one domain, bulk TXT/NULL queries, and echo requests with oversized or varying payloads.
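The DNS side of that detection, as an added example that is not part of the original page: it scores a constructed query log per apex domain on unique-subdomain count, Shannon entropy of the subdomain part, label length and the record types tunnels favour. The thresholds (5 unique subdomains, 3.5 bits, 30-character labels) are illustrative assumptions to tune against real baselines, and the "apex = last two labels" split is a simplification (a public-suffix list is the correct tool). The six tunnel-style labels are rotations of one 32-character base32-alphabet string, so each has 32 distinct characters and an entropy of exactly 5.0 bits.

```python
import math
from collections import defaultdict

# Constructed query log: (client, qname, qtype). The data labels mimic the encoded
# chunks iodine/dnscat2-style tunnels place in the leftmost label.
_DATA = "q7w3e9r1t5y2u8i4o6p0asdfghjklzxc"
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "cdn-static.example.com", "A"),
    ("10.0.0.5", "api.example.com", "AAAA"),
] + [
    ("10.0.0.7", f"{_DATA[i:] + _DATA[:i]}.exfil.example.net", "TXT")
    for i in (0, 5, 11, 17, 23, 29)
]

TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # types that carry bulk downstream data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive split into (apex = last two labels, list of subdomain labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def query_features(qname: str, qtype: str) -> dict:
    apex, sub = split_name(qname)
    return {
        "apex": apex,
        "subdomain": ".".join(sub),
        "qname_len": len(qname),
        "sub_entropy": shannon_entropy("".join(sub)),
        "max_label_len": max((len(label) for label in sub), default=0),
        "tunnel_qtype": qtype.upper() in TUNNEL_QTYPES,
    }


def find_tunnels(queries, min_unique_subs=5, entropy_threshold=3.5, label_len_threshold=30):
    """Aggregate per apex domain and flag those that look like a tunnel endpoint."""
    per_apex = defaultdict(lambda: {"subs": set(), "entropies": [], "long_labels": 0, "tunnel_qtypes": 0})
    for _client, qname, qtype in queries:
        f = query_features(qname, qtype)
        stats = per_apex[f["apex"]]
        stats["subs"].add(f["subdomain"])
        stats["entropies"].append(f["sub_entropy"])
        stats["long_labels"] += f["max_label_len"] >= label_len_threshold
        stats["tunnel_qtypes"] += f["tunnel_qtype"]

    report = {}
    for apex, s in per_apex.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        reasons = []
        if len(s["subs"]) >= min_unique_subs and mean_entropy >= entropy_threshold:
            reasons.append("many unique high-entropy subdomains")
        if s["long_labels"]:
            reasons.append(f"{s['long_labels']} queries with a label of {label_len_threshold}+ chars")
        if s["tunnel_qtypes"] >= min_unique_subs:
            reasons.append("bulk TXT/NULL/CNAME/MX queries")
        report[apex] = {
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": round(mean_entropy, 2),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for apex, verdict in find_tunnels(SAMPLE_QUERIES).items():
        print(apex, verdict)
```

Per-query entropy alone misfires on CDN and cloud hostnames that legitimately look random, which is why the verdict is made per apex domain over many queries; a real deployment would also whitelist known high-volume domains and add the client-side view (one host issuing hundreds of queries per minute to a single domain).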
198. What technique allows attackers to inject malicious packets into a legitimate network conversation?
A) Packet Injection
B) MAC Flooding
C) SYN Spoofing
D) ARP Filtering
β
Answer: A) Packet Injection
π Explanation: Packet injection inserts crafted packets into an existing session. Against UDP only the addresses and ports need to match; against TCP the injected segment must also carry a sequence number inside the receiver's window, which an on-path sniffer reads directly and a blind attacker has to guess. TLS and other authenticated transports make injected data fail integrity checks even when it is accepted by the transport layer.
199. How can you detect a rogue DHCP server being used for sniffing?
A) Checking for unexpected DHCP Offer packets
B) Filtering only UDP traffic
C) Monitoring SYN flood attacks
D) Disabling all ICMP traffic
β
Answer: A) Checking for unexpected DHCP Offer packets
π Explanation: Every DHCPOFFER carries a server identifier (option 54). Offers whose identifier is not one of the known DHCP servers, or that hand out a different default gateway (option 3) or DNS server (option 6) than expected, point to a rogue server, and two different servers answering the same transaction ID is itself a red flag. Switch-side DHCP snooping blocks server messages arriving on untrusted ports.
200. Which of the following is an effective countermeasure against packet sniffing in an open Wi-Fi environment?
A) Using a VPN
B) Disabling TCP connections
C) Using Telnet instead of SSH
D) Increasing network bandwidth
β
Answer: A) Using a VPN
π Explanation: A VPN tunnels all traffic in an encrypted channel to the VPN server, so a sniffer on the hotspot sees only ciphertext to a single endpoint. Check that the client tunnels DNS as well (a DNS leak reveals every site visited) and that it has a kill switch, otherwise traffic goes out in the clear when the tunnel drops; beyond the VPN server the traffic is only as protected as the application protocols themselves.
201. What is the role of a honeypot in network security?
A) To actively block MITM attacks
B) To lure and detect potential attackers
C) To encrypt all traffic using AES
D) To inject malicious packets into a network
β
Answer: B) To lure and detect potential attackers
π Explanation: Honeypots mimic real systems to attract attackers, allowing defenders to monitor their activities.
202. What is a sign of a potential SSL stripping attack detected through packet sniffing?
A) A downgrade from HTTPS to HTTP in captured packets
B) Increased DNS resolution failures
C) More ICMP Echo Request packets than usual
D) Multiple TCP RST packets from the same source
β
Answer: A) A downgrade from HTTPS to HTTP in captured packets
π Explanation: SSL stripping puts the attacker on-path and rewrites https:// links and redirects to http://, so the victim talks plaintext to the attacker while the attacker talks TLS to the real site. In a capture this shows up as a site normally served over HTTPS suddenly answering on port 80 with 200 responses, redirects from HTTPS to http:// URLs, and session cookies crossing in the clear; HSTS with preloading is the browser-side defense.
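Those indicators, and the HSTS policy parsing from question 195, as an added example that is not the original page's code: it walks a constructed sequence of HTTP transactions in the order a sniffer on the victim's segment would see them, remembers which hosts have been seen over TLS and which sent an HSTS header, and flags downgrade redirects, plaintext 200s from hosts already seen over TLS, plaintext requests to HSTS hosts, and session cookies set over HTTP without the Secure attribute. The flow records and the reason strings are this example's own constructs.

```python
from urllib.parse import urlsplit

# Constructed transactions, in capture order. Headers are response headers.
SAMPLE_FLOWS = [
    {"scheme": "http", "host": "bank.example", "path": "/", "status": 302,
     "headers": {"Location": "https://bank.example/"}},                        # normal first-visit upgrade
    {"scheme": "https", "host": "bank.example", "path": "/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    {"scheme": "http", "host": "bank.example", "path": "/login", "status": 200,
     "headers": {"Content-Type": "text/html"}},                                # login page in plaintext
    {"scheme": "https", "host": "shop.example", "path": "/", "status": 301,
     "headers": {"Location": "http://shop.example/catalog"}},                  # redirect that downgrades
    {"scheme": "http", "host": "shop.example", "path": "/catalog", "status": 200,
     "headers": {"Set-Cookie": "session=abc123; Path=/; HttpOnly"}},           # session cookie without Secure
]

PLAINTEXT_AFTER_TLS = "200 over plaintext HTTP from a host previously seen over TLS"
HSTS_HOST_OVER_HTTP = "plaintext request to a host that sent HSTS: browser should have refused"
DOWNGRADE_REDIRECT = "HTTPS response redirects to an http:// URL"
COOKIE_WITHOUT_SECURE = "cookie set over plaintext without the Secure attribute"


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    result = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            result["max_age"] = int(val.strip().strip('"') or 0)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def find_downgrades(flows):
    """Return one alert per suspicious transaction with the list of reasons."""
    seen_tls, hsts_hosts, alerts = set(), {}, []
    for f in flows:
        host = f["host"]
        hdrs = {k.lower(): v for k, v in f["headers"].items()}
        reasons = []
        if f["scheme"] == "https":
            seen_tls.add(host)
            if "strict-transport-security" in hdrs:
                policy = parse_hsts(hdrs["strict-transport-security"])
                if policy["max_age"] > 0:          # max-age=0 means "forget the policy"
                    hsts_hosts[host] = policy
            location = hdrs.get("location")
            if location and urlsplit(location).scheme == "http":
                reasons.append(DOWNGRADE_REDIRECT)
        else:
            if host in hsts_hosts:
                reasons.append(HSTS_HOST_OVER_HTTP)
            if f["status"] == 200 and host in seen_tls:
                reasons.append(PLAINTEXT_AFTER_TLS)
            cookie = hdrs.get("set-cookie", "")
            if cookie and "secure" not in [p.strip().lower() for p in cookie.split(";")]:
                reasons.append(COOKIE_WITHOUT_SECURE)
        if reasons:
            alerts.append({"host": host, "path": f["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_FLOWS):
        print(alert)
```

The first transaction (an http request answered by a redirect to https) is the normal pattern that sslstrip hijacks, so it is deliberately not an alert; what makes the third one suspicious is that the same host had already committed to HTTPS and HSTS, which a compliant browser would never follow up with a plaintext request.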
203. What does the iptables -A INPUT -j DROP command do?
A) Allows all incoming traffic
B) Blocks all incoming traffic
C) Encrypts network packets
D) Initiates a packet capture
β
Answer: B) Blocks all incoming traffic
π Explanation: iptables -A INPUT -j DROP appends a rule to the end of the INPUT chain that silently drops every incoming packet not matched by an earlier rule, including loopback traffic and the replies to the host's own connections. Run over SSH without an ACCEPT rule for the established session above it, it locks you out; the usual pattern is to set the chain's default policy to DROP and add explicit ACCEPT rules for loopback, established connections and the required services.