wireshark练习及答案lab-ipv4

ip考试题及答案一、单项选择题（每题2分，共20分）1. 以下哪个协议是IP协议的核心？A. TCPB. UDPC. ICMPD. IP答案：D2. IPv4地址由多少位二进制数组成？A. 16位B. 32位C. 64位D. 128位答案：B3. 在IP地址中，哪个类别的地址是保留给特殊用途的？A. A类B. B类C. D类D. E类答案：C4. 以下哪个不是IP地址的组成部分？A. 网络部分B. 主机部分C. 子网掩码D. 广播地址答案：D5. 子网划分的主要目的是什么？A. 减少网络拥堵B. 提高网络速度C. 节省IP地址D. 增加网络的安全性答案：C6. 以下哪个是NAT（网络地址转换）的主要功能？A. 地址解析B. 地址分配C. 地址转换D. 地址过滤答案：C7. ICMP协议的主要功能是什么？A. 路由选择B. 错误报告C. 流量控制D. 数据传输答案：B8. 以下哪个协议用于域名解析？A. FTPB. SMTPC. DNSD. SNMP答案：C9. 以下哪个是IPsec的主要功能？A. 数据加密B. 数据压缩C. 数据传输D. 数据存储答案：A10. 以下哪个不是IP地址？A. 192.168.1.1B. 172.16.0.1C. 10.0.0.1D. 256.1.1.1答案：D二、多项选择题（每题3分，共15分）11. 下列哪些是IPv6地址的特点？A. 更大的地址空间B. 更好的安全性C. 支持自动配置D. 支持多播和任播答案：ABCD12. 以下哪些因素可能导致IP地址冲突？A. 手动配置错误B. DHCP服务器分配错误C. 网络设备故障D. 路由器配置错误答案：AB13. 以下哪些是IP路由选择的影响因素？A. 路由协议B. 路由表C. 网络拓扑D. 带宽和延迟答案：ABCD14. 以下哪些是IPsec的组成部分？A. AH（认证头）B. ESP（封装安全载荷）C. ISAKMP（互联网安全关联和密钥管理协议）D. L2TP（第二层隧道协议）答案：ABC15. 以下哪些是IPv4和IPv6的主要区别？A. 地址长度B. 地址分配方式C. 路由选择机制D. 支持的网络服务答案：ABC三、判断题（每题2分，共10分）16. IPv4和IPv6可以在同一网络中无缝通信。

计算机四级网络工程师试题（含参考答案）一、单选题（共82题，每题1分，共82分）1.设备按信息交换单位进行分类，可分为( )。

A、系统设备和块设备B、系统设备和用户设备C、存储设备和控制设备D、块设备和字符设备正确答案：D2.关于网络管理的资源的描述中，错误的是( )。

A、软件资源包括实现通信协议的软件B、硬件资源包括物理介质C、软件资源不包括应用程序D、硬件资源包括网络设备正确答案：C3.关于XMPP协议的描述中，正确的是( )。

A、由3个RFC文档组成B、核心协议是RFC3922C、采用HTML数据格式D、采用E-mail地址格式正确答案：D4.IP协议规定的内容不包括( )。

A、路由器的硬件和实现方法B、数据报寻址和路由C、数据报分片和重组D、IP数据报的格式正确答案：A5.下列关于页式存储管理方案的叙述中，哪一个是错误的( )。

A、快表中记录了页号与内存块号的对应关系B、快表存放在寄存器组中C、进行地址转换时，如果快表不命中则继续查页表D、64E、系统通常采用的是反置页表正确答案：C6.如果交换机的总带宽为10.4Gbps，它具有4个千兆的全双工端口，则其百兆的半双工端口数量最多( )。

A、8B、48C、24D、16正确答案：C7.系统中有 2 个并发进程，当一个进程在等待另一个进程向它发送消息时，它们之间的关系是( )。

A、互斥关系B、调度关系C、父子进程关系D、同步关系正确答案：D8.POP3邮件传递过程可以分为三个阶段，它们是( )。

A、连接建立阶段、认证阶段、连接关闭阶段B、认证阶段、事务处理阶段、更新阶段C、连接建立阶段、邮件传送阶段、连接关闭阶段D、连接建立阶段、认证阶段、更新阶段正确答案：B9.在采用 P、V 操作对共享资源的使用进行保护时，对该共享资源读写的代码段称为( )。

A、进入区B、临界区C、退出区D、剩余区正确答案：B10.关于IP互联网的描述中，错误的是( )。

网络与信息安全管理员（4级）试题一、单选题（共60题，每题1分，共60分）1、在Linux系统中，()通常称为FIFO。

A、无名管道B、有名管道C、文件管道D、命名管道正确答案：D2、WireShark软件安装时可选安装的WinPcap软件的作用是()。

A、提供包过滤能力B、提供GUI界面C、提供底层的抓包能力D、增强抓包结果的分析能力正确答案：C3、()是传输层以上实现两个异构系统互连的设备。

A、路由器B、网桥C、网关D、集线器正确答案：A4、()是指攻击者在非授权的情况下，对用户的信息进行修改，如修改电子交易的金额。

A、非法使用攻击B、拒绝服务攻击C、信息泄漏攻击D、完整性破坏攻击正确答案：D5、网络犯罪的人一般具有较高的专业水平体现了互联网信息内容安全犯罪()的特点。

A、犯罪手段提升B、犯罪后果严重化C、犯罪主体专业化D、犯罪手段隐蔽化正确答案：C6、下列关于Botnet说法错误的是()。

A、用Botnet发动DDoS攻击B、Botnet的显著特征是大量主机在用户不知情的情况下，被植入了C、拒绝服务攻击与Botnet网络结合后攻击能力大大削弱D、Botnet可以被用来传播垃圾邮件、窃取用户数据、监听网络和扩正确答案：C7、来自网络的拒绝服务攻击可以分为停止服务和消耗资源两类。

攻击特点不包括以下哪个()。

A、多源性、特征多变性B、攻击目标与攻击手段多样性C、开放性D、隐蔽性正确答案：C8、计算机病毒的特性包括()。

A、传播性、破坏性、寄生性B、传染性、破坏性、可植入性C、破坏性、隐蔽性、潜伏性D、自我复制性、隐蔽性、潜伏正确答案：C9、TCSEC标准将计算机系统分为()个等级、7个级别。

A、4B、5C、6D、7正确答案：A10、上网收集与被害人、被害单位有关的负面信息，并主动联系被害人、被害单位，以帮助删帖、“沉底”为由，向其索取财物的行为，构成()。

A、诈骗罪B、诽谤罪C、侮辱罪D、敲诈勒索罪正确答案：D11、TCP/IP参考模型的四个层次分别为()、网际层、传输层、应用层。

计算机四级网络工程师习题含参考答案一、单选题（共82题，每题1分，共82分）1.按照信息交换方式的不同，一个系统中可以设置多种类型的通道，下列哪一个选项不属于通道类型( )。

A、选择通道B、顺序通道C、数组多路通道D、字节多路通道正确答案：B2.关于1000Base-T标准的描述中，正确的是( )。

A、千兆以太网的会话层标准之一B、IEEE802.3z的物理层标准之一C、可支持单模光纤D、采用波分复用WDM技术正确答案：B3.下列关于文件系统中文件的描述中，哪一个是正确的( )。

A、所有文件系统中的文件名长度都是B、所有文件系统中文件名都不区分大小写C、所有文件系统中文件名都有后缀且统一规定后缀的含义D、所有文件系统中的文件一旦创建，除非被删除或超过保存期限，否则一直存在正确答案：D4.关于SMTP的描述中，错误的是( )。

A、SMTP规定了邮件接收程序如何存储邮件B、SMTP规定了邮件发送使用的命令C、SMTP邮件传输采用客户机/服务器模式D、SMTP使用传输层的TCP服务正确答案：A5.某文件系统把 UNIX 的三级索引结构改进为四级索引结构。

假设物理块大小为 1KB，用 8 字节表示一个物理块号。

主索引表含有 16 个物理块地址指针，其中前 12 个直接指向磁盘块号，第 13 个指向一级索引表，第 14 个指向二级索引表，第 15 个指向三级索引表，第 16 个指向四级索引表。

那么，一个文件最大可有多少个物理块( )。

A、12+128+128^2+128^3+128^4B、16+256+256^2+256^3+256^4C、12+512+512^2+512^3+512^4D、16+128+128^2+128^3+128^4正确答案：A6.如果一个IP数据报的报头长度为256b，那么该数据报报头长度字段的值为( )。

A、7B、5C、8D、6正确答案：C7.很多FTP服务器都提供匿名FTP服务。

wireshark实验⼀答案1.What is the IP address and TCP port number used by the clientcomputer (source) that is transferring the file to /doc/8d460b7e8e9951e79b892738.html ?Ip address 192.168.1.36TCP port number：19572.What is the IP address of /doc/8d460b7e8e9951e79b892738.html ? On what port numberis it sending and receiving TCP segments for this connection?the IP address of /doc/8d460b7e8e9951e79b892738.html ：128.119.245.12port number：803.What is the sequence number of the TCP SYN segment that is usedto initiate the TCP connection between the client computer and /doc/8d460b7e8e9951e79b892738.html What is it in the segment that identifies the segment as a SYN segmentsequence number:0syn 被设置为1说明是syn段4.What is the sequence number of the SYNACK segment sent bygaia.cs.umass.ed to the client computer in reply to the SYN? What is the value of the ACKnowledgement field in the SYNACK segment?How did /doc/8d460b7e8e9951e79b892738.html determine that value? What is it in the segment that identifies the segment as a SYNACK segment?The sequence number of the SYNACK segment sent by /doc/8d460b7e8e9951e79b892738.html is:0 SYNACK segment 中ACKnowledgement 的值为1；ACKnowledgement number的值为SYN消息中sequencenumber加上1所得；SYN 和Acknowledgement f都置为1说明这是⼀个SYNACK segment.5.What is the sequence number of the TCP segment containing theHTTP POST command?第11号报⽂段是包含HTTP POST 命令的TCP segment。

Lab Exercise – Protocol LayersObjectiveTo learn how protocols and layering are represented in packets. They are key concepts for structuring networks that are covered in the text.The trace for this lab is here:/~kevin/com320/labs/wireshark/trace-protocol-layers.pcap(although the main trace you will look at is from a site you pick such as in the exam-ples which follow).RequirementsWireshark: This lab uses the Wireshark software tool to capture and examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It col-or-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can down-load it from for your personal computer. It is an ideal packet analyzer for our labs –it is stable, has a large user base and well-documented support that includes a user-guide /docs/wsug_html_chunked), and a detailed FAQ, rich functionality that in-cludes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates in computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer tech-nologies (if the OS on which it is running allows Wireshark to do so). It is already installed in the labs.A quick help guide to Wireshark display filters is here: /wireshark_filters.php Wireshark is a c ore tool for any wireless ‘man in the middle’ or similar snooping attack. It is simply in-dispensable for those who wish to examine packets being transferred over a network –good or bad…..Wireshark & Packet Sniffing BackgroundThe basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Simi-larly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer re-ceives a copy of packets that are sent/received from/by application and protocols executing on your machine.Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of eve-ry link-layer frame that is sent from or received by your computer. Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable.Figure 1: Packet Sniffer StructureIn Figure 1, the assumed physical media is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messagessent/received from/by all protocols and applications executing in your computer.The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also under-stands the IP datagram format, so that it can extract the TCP segment within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP message contained in the TCP seg-ment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string “GET,”“POST,” or “HEAD,”.Step 1: Capture a Traceunching WiresharkYou can type Wireshark in the run box of main Windows 8 start screen. Press the Windows key on the keyboard and type “wireshark”. If a problem launching it then see here1.Figure 2: Wireshark in lab2.Just close the dialog box which prompts you to install a new version. You will then see a startupscreen, as shown next.Figure 3: Initial Wireshark Screen3.Take a look at the left hand side of the screen –you’ll see an “Interface list”. This is the list ofnetwork interfaces on your computer. Choose Ethernet.1 It should load but there can be a problem with the new lab configuration for Wireshark and npf driver. Therefore if this is not working…. then please do the next step. Launch Wireshark as follows. Click desktop icon on main windows screen & use the file explorer to browse to C:\local Disk (C)\Program Files\Wireshark. Finally, RIGHT CLICK on Wireshark as “Run as administrator”.4.Next, click Start (as shown below).5.Wireshark will capture all packets on that interface. Click on the network card on the particularmachine you are working on. In the example above, it is the Ethernet Driver to start packet cap-ture (i.e., for Wireshark to begin capturing all packets being sent to/from that interface), ascreen like the one below will be displayed, showing information about the packets being cap-tured. Once you start packet capture, you can stop it by using the Capture pull down menu and selecting Stop.We want this trace to look at the protocol structure of packets. A simple Web fetch of a URL from a server of your choice to your computer, which is the client, could also serve as traffic.6.Open your browser, e.g. Chrome and pick a URL & fetch it e.g.”.7.Close unnecessary browser tabs and windows. By minimizing browser activity you will stop yourcomputer from fetching unnecessary web content, and avoid incidental traffic in the trace.8.Now return to Wireshark and you will see a screen similar to below.That is all for now. Next you will read a little more about Wireshark and tracing packets.Main Wireshark InterfaceThe Wireshark interface has five major components:Figure 4: Wireshark Graphical User Interface, during packet capture and analysis• The command menus are standard pull down menus located at the top of the window. The File menu allows you to save captured packet data or open a file containing previously captured packet data. The Capture menu allows you to begin packet capture.• The packet-listing window displays a one-line summary for each packet captured, including the pack-et number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted accord-ing to any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is source or ultimate sink for this packet.• The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. (To select a packet in the packet-listing window, place the cursor over the pack-et’s one-line summary in the packet-listing window and click with the left mouse button.). These details include information about the Ethernet frame (assuming the packet was sent/received over an Ethernet interface) and IP datagram that contains this packet. The amount of Ethernet and IP-layer detail dis-played can be expanded or minimized by clicking on the plus minus boxes to the left of the Ethernet frame or IP datagram line in the packet details window.• The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format. Towards the top of the Wireshark graphical user interface, is the packet display fil-ter field, into which a protocol name or other information can be entered in order to filter the infor-mation displayed in the packet-listing window.Filtering TrafficNow return to your Wireshark trace captured earlier. We will look to see how we can isolate the Web Page traffic from the other protocol packets.9.You have two options. You can simply type “tcp.port==80” in the main filter box on the mainscreen like below.10.Instead of the method above, you can also filter by typing “port 80” in the filter box like below.This filter will record only standard web traffic and not other kinds of packets that your comput-er may send. The checking will translate the addresses of the computers sending and receivingpackets into names, which should help you to recognize whether the packets are going to orfrom your computer. Your capture window will be similar to the one pictured in next screenshot.Figure 5: Setting up the capture options11.When the capture is started, visit a site which uses http (not https). This time, the packets will berecorded by Wireshark as the content is transferred. Try again, in your browser.12.After the fetch is successful, return to Wireshark and use the menus or buttons to stop the trace.If you have succeeded, the upper Wireshark window will show multiple packets, and most likely it will be full. How many packets are captured will depend on the size of the web page, but there should be at least 8 packets in the trace, and typically 20-100, and many of these packets will be colored green. I recommend you stop recording by pressing the Red Stop button on the inter-face as this will make it easier for you to scroll back to the start of the request to find the “200 OK” packet. An example is shown below. Congratulations, you have captured a trace!Figure 6: Packet trace of web browsing trafficStep 2: Inspect the TraceSelect a packet for which the Protocol column is “HTTP” and the Info column says it is a GET. It is the packet that carries the web (HTTP) request sent from your computer to the server. (You can click the column headings to sort by that value, though it should not be difficult to find an HTTP packet by inspec-tion.) Let’s have a closer look to s ee how the packet structure reflects the protocols that are in use. Since we are fetching a web page, we know that the protocol layers being used are as shown below. That is, HTTP is the application layer web protocol used to fetch URLs. Like many Internet applications, it runs on top of the TCP/IP transport and network layer protocols. The link and physical layer protocols depend on your network, but are typically combined in the form of Ethernet (shown) if your computer is wired, or 802.11 (not shown) if your computer is wireless.Figure 7: Protocol stack for a web fetchWith the HTTP GET packet selected, look closely to see the similarities and differences between it and our protocol stack as described next. The protocol blocks are listed in the middle panel. You can expand each block (by clicking on the “+” expander or icon) to see its details.• The first Wireshark block is “Frame”. This is not a protocol, it is a record that describes overall information about the packet, including when it was captured and how many bits long it is.• The second block is “Ethernet”. Note that you may have taken a trace on a computer using 802.11 yet still see an Ethernet block instead of an 802.11 block. Why? It happens because we asked Wireshark to capture traffic in Ethernet format on the capture options, so it converted the real 802.11 header into a pseudo-Ethernet header.• Then come IP, TCP, and HTTP, which are just as we wanted. Note that the order is from the bot-tom of the protocol stack upwards. This is because as packets are passed down the stack, the header information of the lower layer protocol is added to the front of the information from the higher layer protocol, as in Fig. 1-15 of your text. That is, the lower layer protocols come first in the packet “on the wire”.HTTPTCPIP Ethernet ClientServer HTTP TCP IPEthernetpacketStep 3: Inspect the Trace AgainNow find another HTTP packet, the response from the server to your computer, and look at the structure of this packet for the differences compared to the HTTP GET packet.This packet should have “200 OK” in the Info field, denoting a successful fetch. In our trace, there are two extra blocks in the detail panel as seen in the next figure.•The first extra block says something like “[... reassembled TCP segments …]”. Details in your cap-ture will vary, but this block is describing more than the packet itself. Most likely, the web re-sponse was sent across the network as a series of packets that were put together after they ar-rived at the computer. The packet labeled HTTP is the last packet in the web response, and the block lists packets that are joined together to obtain the complete web response. Each of these packets is shown as having protocol TCP even though the packets carry part of an HTTP re-sponse. Only the final packet is shown as having protocol HTTP when the complete HTTP mes-sage may be understood, and it lists the packets that are joined together to make the HTTP re-sponse.•The second extra block says “Line-based text data …”. Details in your capture will vary, but this block is describing the contents of the web page that was fetched. In our case it is of typetext/html, though it could easily have been text/xml, image/jpeg, or many other types. As with the Frame record, this is not a true protocol. Instead, it is a description of packet contents that Wireshark is producing to help us understand the network traffic.Figure 8: Inspecting a HTTP “200 OK” response1.Locate the HTTP GET packet which has “200 OK (text/html)” in the Info field, denoting asuccessful fetch. See below for instance in the third line in white.2.Scroll down in the middle pane to [+] Line-based text data: text/html and rightclick with your mouse. (See above)3.From the context menu which now appears, select Copy -→ Bytes → Printable Text Only Youshould see a window similar to the following popup window below.4.This copies all the code for the Ulster home page.5.Open up a text editor such as notepad++ and paste this HTML code into a new document. Saveas UlsterHomePage.html in a directory such as W: or downloads. Next open up explorer and scroll to where you have saved the file and open it in the default browser by clicking on it.6.Note how much of the Ulster home page actually gets sent over the wire to your PC.Step 4: Packet StructureExamine a HTTP GET packet that shows the position and size in bytes of the TCP, IP and Ethernet proto-col headers. Note the range of the Ethernet header and the Ethernet payload that IP passes to Ethernet to send over the network. Note also the range of the IP header and the IP payload.To work out sizes, observe that when you click on a protocol block in the middle panel (the block itself, not the “+” expander) then Wireshark will highlight the bytes it corresponds to in the packet in the lower panel and display the length at the bottom of the window. For instance, clicking on the IP version 4 header of a packet in our trace shows us that the length is 20 bytes. (Your trace will be different if it is IPv6, and may be different even with IPv4 depend-ing on various options.) You may also use the overall packet size shown in the Length column or Frame detail block. AnswerFigure 9: Protocol layer structure of the HTTP GET packet There are several features to note:• The order of the headers (Ethernet, IP, TCP, HTTP) is the protocol stack from the bottom up-wards because the lower layers are outermost in the packet as it travels through the network. • Observant students will note some differences between the Ethernet header size in Wireshark and in the text that will be explored in later labs.• The size of the IP and TCP headers is normally around 20 bytes each, but it may be larger in some cases depending on the OS, e.g., IPv6 instead of IPv4 and optional TCP header fields might double these numbers.• The size of the HTTP message will vary depending on what tool and URL is used to send the web request. For wget/curl, it is likely to be around 100-300 bytes.• The Ethernet payload comprises everything beyond the Ethernet header. That is, Ethernet does not understand the IP / TCP / HTTP internal structure; it is up to higher layers to determine their headers and message boundaries.• Similarly, the IP payload comprises everything beyond the IP header. Note that neither the IP header nor payload covers the Ethernet header. HTTP EthernetIP TCP 14 bytes 20 bytes20 bytes 112 bytesEthernet header Ethernet payload166 bytes totalStart of packetIP header IP payloadStep 5: Demultiplexing KeysWhen an Ethernet frame arrives at a computer, the Ethernet layer must hand the packet that it contains to the next higher layer to be processed. The act of finding the right higher layer to process received packets is called demultiplexing. We know that in our case the higher layer is IP. But how does the Ethernet protocol know this? After all, the higher-layer could have been another protocol entirely (such as ARP). We have the same issue at the IP layer – IP must be able to determine that the contents of IP message is a TCP packet so that it can hand it to the TCP protocol to process. The answer is that proto-cols use information in their header known as a “demultiplexing key” to determine the higher layer. Look at the Ethernet and IP headers of a download packet in detail to answer the following questions:1.Which Ethernet header field is the demultiplexing key that tells it the next higher layer is IP?What value is used in this field to indicate “IP”?Answer. The demultiplexing key for Ethernet is the Type field. It holds 0x800 when the higherlayer is IP.2.Which IP header field is the demultiplexing key that tells it the next higher layer is TCP? Whatvalue is used in this field to indicate “TCP”?Answer: The demultiplexing key for IP is the Protocol field. It has value 6 when the higher layer is TCP.。

计算机四级网络工程师习题与参考答案一、单选题（共82题，每题1分，共82分）1.关于计算机网络定义的描述中，正确的是( )。

A、联网计算机之间需要有明确的主从关系B、计算机网络的基本特征是网络资源共享C、联网计算机通信无需遵循相同网络协议D、计算机网络是互联的仿真终端的集合正确答案：B2.在使用FTP时，如果用户希望进入被动传输模式，那么他可以使用的用户接口命令为( )。

A、pwdB、passiveC、mputD、open正确答案：B3.用户检索POP3服务器的过程分为三个阶段。

这三个阶段依次是( )。

A、认证阶段、事务处理阶段、更新阶段B、事务处理阶段、认证阶段、更新阶段C、认证阶段、更新阶段、事务处理阶段D、更新阶段、认证阶段、事务处理阶段正确答案：A4.关于Adhoc网络的描述中，错误的是( )。

A、Adhoc是自组织的网络B、Adhoc是有基站的网络C、Adhoc是对等式的网络D、Adhoc是一种无线网络正确答案：B5.1000Base-LX标准支持的传输介质是( )。

A、双绞线B、红外线C、单模光纤D、多模光纤正确答案：C6.用户进程在实现系统调用时，下列哪种方法不能用于传递参数( )。

A、通过变量传递B、通过寄存器传递C、通过指令自带传递D、通过堆栈传递正确答案：A7.操作系统中，将逻辑地址转换为内存物理地址的过程称为( )。

A、运行B、链接C、编译D、重定位正确答案：D8.关于网络管理模型的描述中，正确的是( )。

A、集中式管理效果最好B、管理者称为网管代理C、一般采用管理者-代理模型D、代理运行于管理服务器正确答案：C9.在以下几种加密算法中，都属于公钥密码类型的是( )。

A、DES与3DESB、RSA与ElGamalC、AES与IDEAD、RC2与Blowfish正确答案：B10.关于NetBIOS协议的描述中，正确的是( )。

A、最先在Unix系统中使用B、名称可由15个英文字符组成C、与SMB完全等价D、可无限制地建立通讯话路正确答案：C11.在实现文件系统时，可采用“目录项分解法”加快文件目录检索速度。

Lab Exercise – Snooping on other traffic in Lab through ARP Poison AttackObjective - To demonstrate a Man in the middle (MITM) hack with the Ettercap tool.Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should include it in his toolbox. It is included in Backtrack – the popular Linux distribution. Ettercap features a GUI and a command line text mode tool.1. Download Ettercap from /~kevin/com320/labs/ettercap.exe.2. Follow the instructions to install it. See figure below.Figure 1: Ettercap installation in progress3. Go to Run button in bottom left and type "ettercap". You should see it appear as in the following fig-ure. Of course, you can also run it from All programs menu in Windows as well.Figure 2: Running Ettercap in Lab4. Next select Unified Sniffing from the Sniff menu option as show in figure 3.Figure 3: Step 1 in process of snooping5. Select the first Etternet interface (in this case it is “eXtreme Gigabit Ethernet Driver” network interface (see figure 4).Figure 4: Selection of network interface1.Next you should be presented with a series of menu options including Start, Targets, Hosts, ViewMitm, Filters, Logging and Plugins. You should select the Hosts option and choose Scan for Hosts.See figure 5.Figure 5: Selection of hosts to scan on LAN2.Once you select Scan for hosts, you should see a pop up window displaying the progess when all255 hosts on the local network are scanned. See figure 6.Figure 6: Hosts being scanned locally3.Next you should select Hosts List from the Hosts menu. You should then see a screen similar tofigure 7 with a list of hosts that have been found.Figure 7: Hosts that were scanned locally4.Please ask permission from a colleague to allow you to select their computer to be scanned.They should confirm their IP address to you. That can be found as in previous weeks by typing cmd in the windows start menu and opening a command prompt. Then in the command prompt, type ipconfig and note the ipv4 address displayed. You may need to scroll up to see it in the command prompt window. Here in figure 8, host 193.61.190.73 is being selected for scanning.Figure 8: host 193.61.190.73 is being selected for scanning5.Once you have the target selected with your mouse, then select the Add to Target 1 button. Seefigure 9.Figure 9: host 193.61.190.73 is being added to Target 1.6.Select the Targets menu option and then select C urrent Targets as shown in figure 10.Figure 10: Targets being selected7.Now you should only see your class mates computer shown as in figure 11.Figure 11: host selected for attack8.Now go to the mitm option as show in figure 12. Select Arp poisoning.Figure 12: ARP Poisoning selection9.Once Arp poisoning is selected, you will be presented with the dialogue window as shown in fig-ure 13. Simply click OK.Figure 13: Options for ARP poison attack10.You will then be presented with a window once again which is similar to figure 14. The ARP poi-son attack however is happening underneath. You now have access to all the traffic which is be-ing routed to the IP address which you have entered earlier. We will now move to Wireshark to see the power of an ARP poison mitm attack.Figure 14: Main window after attack has been started11.Open Wireshark by typing wireshark at the run programs option. You will then select the usualEtternet Intel Interface and Start a capture. In the display filter, type the following:ip.src==yourfriendsipaddress&&tcp.port==80 e.g. ip.src==193.61.191.88 &&tcp.port==80. See figure 15.Figure 15: Sample scan of web traffic on IP address 193.61.191.8812.Get your friend to browse to any site. In this example below, I have gone to a CNN page whichdiscusses Coca-Cola remarks from the CEO. It is at/2013/02/05/business/coke-ceo-muhtar-kent-capitalism-evolve/Figure 16: Sample page surfed.13.Once your friend has started to surf, you should start to see a lot of HTTP and TCP packets ap-pear in your packet list window. After some time you can stop the capture. You may also choose to stop the mitm attack. You can always resume the attack to see ‘fresh’ traffic remotely. You should then select the page that he surfed through e.g. CNN and right click on it as displayed be-low and select Follow TCP Stream.Figure17: Sample page from CNN being selected in the Wireshark interface. Note the ip address and port filtering14.The TCP Follow Stream should lead you to a window such as displayed below. Note the contentsof the GET and HOST on the first two lines. When we put them together we get the location of the site visited which is /2013/02/05/business/coke-ceo-muhtar-kent-capitalism-evolve/. This should now show you that all surfing can be snooped on a LAN.Figure18: CNN page after selecting Follow TCP Stream20.Now get your friend to go to a site which requires a login or passing information such as cnnweather at: /weather. Here type a city such as Belfast:21. Next, examine the wireshark tr ace, you should see a captured packet with “cit y-Search/json/true HTTP/1.1” showing the ‘sensitive data’.22.Finally, please return to the ettercap program and select Mitm and click on Stop mitm attack(s).This will ensure that the ARP tables return to normal and no unnecessary snooping of a newco-mer to your friend’s machine takes place. See figure 19.Figure19: Stopping the man in the middle ARP attack23.The following popup windows should confirm that all man in the middle attacks have stopped.People are now safe again in the lab.Figure 20: Confirmation of mitm attack being stopped.24.Finally, you can exit the program.Figure 21: Ensuring you exit the attack vector programPlease be responsible with this new knowledge……。