The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
1. Why is it that when I right-click on some of my packets the “Follow TCP Stream” option is grayed out?

2. Can I use Ethereal to discover a trojan that is being sent to someone on my network?

3. Can I use Ethereal to discover a virus that is being sent to someone on my network?

4. Are there network activities that will falsely resemble network scanning attacks?
Answers
1. The protocol you are trying to reconstruct is not carried over TCP, so there is no TCP stream to follow. It may be using connectionless UDP for its transmission instead.

2. No. Ethereal can only be used to discover the active use of the backdoor access program that the trojan installs. To Ethereal, or to any network analyzer, the transmission of the trojan itself will appear to be a regular executable file.

3. No. Like a trojan, the transmission of a virus will look like a regular executable or some other type of file. Ethereal will not be able to tell that the file is infected.

4. Yes, many activities resemble network scans. A client program that automatically searches for a server at startup may keep sending TCP SYN packets to the target address. The multiple, rapid TCP connections associated with FTP and HTTP downloads also often resemble network scan attacks and trigger alarms.
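The false positives described in answer 4 can be separated from a real scan by looking at what the SYN traffic does per client/server pair: how many distinct destination ports are probed and how many of them answer with a SYN/ACK. The following is an added example, not code from the book, that runs over a constructed list of packet summaries (the same fields Ethereal shows as source, destination, ports and TCP flags) rather than a live capture; the thresholds are assumptions chosen for illustration.

```python
"""Tell a port scan apart from activity that merely resembles one.

Added example: classifies per (client, server) pair using only the SYN
and SYN/ACK packets seen. The packet list below is constructed.
"""
from collections import defaultdict

# Constructed packet summaries: (time, src_ip, dst_ip, src_port, dst_port, flags)
# "S" = SYN sent by the client, "SA" = SYN/ACK sent back by the server.
PACKETS = [
    # 1) A client program retrying one server port at startup; the server is down
    (0.0, "10.0.0.5", "10.0.0.9", 40001, 8080, "S"),
    (1.0, "10.0.0.5", "10.0.0.9", 40001, 8080, "S"),
    (3.0, "10.0.0.5", "10.0.0.9", 40001, 8080, "S"),
    (7.0, "10.0.0.5", "10.0.0.9", 40001, 8080, "S"),
    # 2) A browser opening several parallel HTTP connections; every one is answered
    (5.0, "10.0.0.6", "198.51.100.20", 50001, 80, "S"),
    (5.0, "198.51.100.20", "10.0.0.6", 80, 50001, "SA"),
    (5.0, "10.0.0.6", "198.51.100.20", 50002, 80, "S"),
    (5.0, "198.51.100.20", "10.0.0.6", 80, 50002, "SA"),
    (5.1, "10.0.0.6", "198.51.100.20", 50003, 80, "S"),
    (5.1, "198.51.100.20", "10.0.0.6", 80, 50003, "SA"),
    (5.1, "10.0.0.6", "198.51.100.20", 50004, 80, "S"),
    (5.1, "198.51.100.20", "10.0.0.6", 80, 50004, "SA"),
    # 3) A port scan: one source probing twenty distinct ports, only one of them open
    *[(9.0 + i * 0.01, "10.0.0.7", "10.0.0.9", 41000 + i, port, "S")
      for i, port in enumerate(range(20, 40))],
    (9.05, "10.0.0.9", "10.0.0.7", 22, 41002, "SA"),   # only port 22 answers
]

# Assumed thresholds: a pair must probe at least this many distinct ports, and have
# at most this fraction of them answer, before it is called a scan.
SCAN_MIN_PORTS = 10
SCAN_MAX_ANSWER_RATIO = 0.25


def summarize_pairs(packets):
    """Group SYN activity by (client, server).

    Returns {(client, server): {"probed": set of server ports that received a SYN,
                                "answered": set of server ports that sent a SYN/ACK,
                                "syns": number of SYN packets}}.
    """
    pairs = defaultdict(lambda: {"probed": set(), "answered": set(), "syns": 0})
    for _time, src, dst, sport, dport, flags in packets:
        if flags == "S":
            entry = pairs[(src, dst)]
            entry["probed"].add(dport)
            entry["syns"] += 1
        elif flags == "SA":
            # A SYN/ACK flows server -> client, so the server's port is the source port
            pairs[(dst, src)]["answered"].add(sport)
    return pairs


def classify(entry):
    """Label one (client, server) summary."""
    probed = len(entry["probed"])
    answered = len(entry["answered"] & entry["probed"])
    if probed >= SCAN_MIN_PORTS and answered / probed <= SCAN_MAX_ANSWER_RATIO:
        return "port scan"
    if probed == 1 and answered == 0 and entry["syns"] >= 3:
        # Repeated SYNs to a single closed or unreachable port: a retrying client
        return "retrying client"
    if probed <= 2 and answered == probed:
        # Few service ports, all of which complete the handshake: bulk transfer
        return "parallel connections"
    return "inconclusive"


def classify_capture(packets):
    """Return {(client, server): label} for every pair that sent a SYN."""
    return {pair: classify(entry) for pair, entry in summarize_pairs(packets).items()}


if __name__ == "__main__":
    for (client, server), label in sorted(classify_capture(PACKETS).items()):
        print(f"{client:>14} -> {server:<14} {label}")
```

Real client programs and download managers will not always fall so neatly into these buckets, so the thresholds should be tuned against normal traffic on your own network before being used to raise alarms; the point is that the decision should rest on distinct ports and handshake completion rather than on SYN volume alone.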