
8. What characteristics of a Web Proxy make it appealing to forensic investigators?

ID: 3702962 • Letter: 8

Question

8. What characteristics of a Web Proxy make it appealing to forensic investigators?

9. What is the role of a central log server?

10. List and briefly describe the most commonly used software libraries for recording, parsing, and analyzing captured packet data.

11. Which tools are commonly associated with the software libraries you identified in the previous question?

12. What are the qualifiers for the Berkeley Packet Filter (BPF)?

13. What are some of the reasons tcpdump is such a powerful network forensic tool?

14. What is the purpose of Wireshark?

What is tshark?

Explanation / Answer

Hi friend, Question is long, so please try to post one question per post.

I have answered Q10, 11 and 12.

Please repost others in separate post.

10. List and briefly describe the most commonly used software libraries for recording, parsing, and analyzing captured packet data.

Snort: It is an open-source, libpcap-based network intrusion detection and prevention system owned by Cisco Systems. It detects attack methods like denial of service, buffer overflow, CGI attacks and stealth port scans. It sends a real-time alert to syslog, a separate alert file or a pop-up window. It is the most widely deployed intrusion detection and prevention technology worldwide. It has more than 500,000 registered users.

WinPcap: It is the Windows version of the libpcap library, which also includes a driver to support capturing packets. In the field of computers, pcap (packet capture) consists of an application programming interface for capturing network traffic.
Unix-like systems implement pcap in the libpcap library; Windows systems use a port of libpcap which is also termed WinPcap.

WiresharkSuite: It is the personal best tool for a networking enthusiast, with numerous features and a user-friendly interface. It acts as a packet analyzer and protocol decoder. It also includes many practical tools and supports most of the common usages.
It uses the libpcap software library. As capture filter strings are passed from Wireshark to libpcap, the available capture filter syntax depends on the libpcap version installed. It also has the option of using the WinPcap library.

11. Which tools are commonly associated with the software libraries you identified in the previous question?

Some other libraries are zlib, SMI, Gcrypt, PortAudio.

12. What are the qualifiers for the Berkeley Packet Filter (BPF)?

There are three types of qualifiers for the BPF and they are as follows:
dir: These are the qualifiers which specify a particular transfer direction to and/or from id. Some of the possible directions are the following: dst, src, src and dst, and src or dst. If there is no dir qualifier, src or dst is assumed by default. For some link layers, such as SLIP and the "cooked" Linux capture mode used for the any device, and for some other device types, the inbound and outbound qualifiers can be used to specify the desired direction.

proto: These qualifiers restrict the match to a particular protocol. Possible protos are: fddi (fiber distributed data interchange), wlan (wireless local area network), ip (Internet protocol), ip6 (Internet protocol 6), tcp (transmission control protocol), udp (user datagram protocol), decnet, arp (address resolution protocol) and ether (Ethernet).

type: These qualifiers tell what kind of thing the id name or number refers to. Some types are: net, port, host and portrange. If there is no qualifier, host is assumed.

Please don't forget to rate my answer. We are working hard for you guys!!
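To make the Q12 answer concrete, here is an added example (not part of the answer above, and not libpcap's own compiler) that evaluates the BPF primitive syntax of proto, dir and type qualifiers against a few constructed packet records. It applies the two defaults the answer describes: a missing type is taken as host, and a missing dir as src or dst. The packet records, the `PACKETS` list and the function names are assumptions made for this illustration; real tcpdump/libpcap compiles the same expressions to kernel filter programs instead of walking Python objects.

```python
"""Toy evaluator for BPF primitives: [proto] [dir] [type] id, joined by and/or/not."""
import ipaddress

TYPES = {"host", "net", "port", "portrange"}
DIRS = {"src", "dst"}
PROTOS = {"ip", "tcp", "udp", "icmp"}      # subset of the real proto qualifiers
KEYWORDS = {"and", "or", "not"}


class Parser:
    """Recursive-descent parser: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self, k=0):
        i = self.pos + k
        return self.toks[i] if i < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        node = self.parse_or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens: %s" % self.toks[self.pos:])
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected )")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        proto = direction = ptype = None
        while True:
            tok = self.peek()
            if tok in PROTOS and proto is None:
                proto = self.take()
            elif tok in DIRS and self.peek(1) in ("or", "and") and self.peek(2) in DIRS:
                direction = " ".join(self.take() for _ in range(3))   # "src or dst"
            elif tok in DIRS and direction is None:
                direction = self.take()
            elif tok in TYPES and ptype is None:
                ptype = self.take()
            else:
                break
        tok = self.peek()
        if tok is None or tok in KEYWORDS or tok == ")":
            if proto and direction is None and ptype is None:
                return ("proto", proto)          # bare protocol primitive, e.g. "tcp"
            raise ValueError("missing id after qualifiers")
        ident = self.take()
        if ident in TYPES | DIRS | PROTOS:
            raise ValueError("unexpected qualifier %r" % ident)
        # BPF defaults: dir -> "src or dst", type -> "host"
        return ("prim", proto, direction or "src or dst", ptype or "host", ident)


def _side_matches(ptype, ident, value):
    if ptype == "host":
        return ipaddress.ip_address(value) == ipaddress.ip_address(ident)
    if ptype == "net":
        return ipaddress.ip_address(value) in ipaddress.ip_network(ident, strict=False)
    if ptype == "port":
        return value == int(ident)
    lo, hi = (int(x) for x in ident.split("-"))        # portrange
    return lo <= value <= hi


def evaluate(node, pkt):
    op = node[0]
    if op == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if op == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if op == "not":
        return not evaluate(node[1], pkt)
    if op == "proto":
        return node[1] == "ip" or pkt["proto"] == node[1]
    _, proto, direction, ptype, ident = node
    if proto and not (proto == "ip" or pkt["proto"] == proto):
        return False
    if ptype in ("port", "portrange"):
        if pkt["proto"] not in ("tcp", "udp"):      # ICMP etc. carry no ports
            return False
        s, d = _side_matches(ptype, ident, pkt["sport"]), _side_matches(ptype, ident, pkt["dport"])
    else:
        s, d = _side_matches(ptype, ident, pkt["src"]), _side_matches(ptype, ident, pkt["dst"])
    return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]


def apply_filter(expr, packets):
    """Return the ids of the packets that the BPF expression selects."""
    tree = Parser(expr).parse()
    return [p["id"] for p in packets if evaluate(tree, p)]


# Constructed sample capture (assumption for this example, not real traffic).
PACKETS = [
    {"id": 1, "proto": "tcp", "src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51234, "dport": 443},
    {"id": 2, "proto": "tcp", "src": "93.184.216.34", "dst": "10.0.0.5", "sport": 443, "dport": 51234},
    {"id": 3, "proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40000, "dport": 53},
    {"id": 4, "proto": "icmp", "src": "192.168.1.9", "dst": "10.0.0.5", "sport": None, "dport": None},
    {"id": 5, "proto": "tcp", "src": "192.168.1.9", "dst": "10.0.0.7", "sport": 33000, "dport": 22},
]

if __name__ == "__main__":
    for expr in ("10.0.0.5", "src host 10.0.0.5", "dst port 443",
                 "tcp and dst portrange 20-25", "src net 10.0.0.0/8 and not udp"):
        print("%-36s -> %s" % (expr, apply_filter(expr, PACKETS)))
```

Note how `10.0.0.5` alone selects the same packets as `src or dst host 10.0.0.5`, which is exactly the pair of defaults the answer states; `dst port 443` on the other hand keeps only the client-to-server half of the TLS flow.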
