Questions: Packet Analysis and Network Troubleshooting Tools
5 questions to test your understanding
Question 1 Multiple Choice
You connect your laptop to a switched corporate network and put the interface into promiscuous mode. Which traffic will you capture?
A. All traffic on the network segment, because promiscuous mode disables address filtering
B. Only traffic to and from your own MAC address, plus broadcast and multicast frames — switches forward unicast frames only to the intended destination port
C. All traffic, but only for the subnet your IP address belongs to
D. No traffic at all, because modern NICs block promiscuous mode for security
Promiscuous mode tells your NIC to accept all frames it receives, not just those addressed to it. But on a switched network, the switch's forwarding table ensures unicast frames are only sent to the correct port — your interface simply never receives most traffic. To capture all traffic on a switched network, you need a mirror port (SPAN port) or a network tap that duplicates all frames to your capture interface. This is a critical operational difference from hub-based networks, where promiscuous mode really did capture everything.
Question 2 Multiple Choice
What is the key difference between a capture filter and a display filter in Wireshark?
A. Capture filters use regex syntax; display filters use BPF syntax
B. Capture filters determine which packets are saved to disk; display filters narrow what you see in the UI from already-captured data, without discarding packets
C. Display filters are applied before packets reach the NIC; capture filters are applied after
D. They are functionally identical — both discard packets that do not match
Capture filters (BPF syntax) are applied by the kernel before packets reach Wireshark — non-matching packets are never written to the capture file. Display filters are applied afterward within Wireshark's UI, hiding packets from view without deleting them. This distinction matters: if you over-filter at capture time and miss evidence, that data is gone. Display filters are non-destructive — you can remove them and see the full capture. The typical workflow is to capture broadly and filter narrowly in the display.
Question 3 True / False
tcpdump and Wireshark both use the pcap library under the hood, so capture files in .pcap format can be opened by either tool.
T. True
F. False
Answer: True
Both tools are built on libpcap (Linux/macOS) or WinPcap/Npcap (Windows), which provides a standard packet capture API and file format. This interoperability is deliberate and useful: tcpdump's lightweight CLI makes it ideal for capturing on remote servers, while Wireshark's full GUI provides better analysis. A common workflow is `tcpdump -w capture.pcap` on a server, then `scp` the file to a workstation and open it in Wireshark for deep inspection.
Question 4 True / False
The most effective approach to packet analysis is to capture most traffic for at least several minutes before applying any filters, ensuring you don't miss relevant packets.
T. True
F. False
Answer: False
Capturing everything creates an overwhelming haystack on any non-trivial network. Effective troubleshooting starts with a specific hypothesis ('I think DNS is slow') and applies a targeted capture filter immediately (`udp port 53`). This keeps the capture manageable, reduces disk usage, and makes the relevant data immediately visible. Broad captures without hypotheses are occasionally useful for discovery, but as a routine practice they substitute data volume for diagnostic thinking — which is the opposite of what packet analysis is for.
Question 5 Short Answer
Why is starting with a specific hypothesis and targeted filter more effective than capturing all traffic and analyzing it afterward?
Model answer: A hypothesis focuses capture on the traffic actually relevant to the problem, reducing volume to a manageable size and making patterns immediately visible. A busy network produces thousands of packets per second — capturing all of them creates files too large to analyze effectively and buries the signal in noise. A targeted filter like 'tcp port 443 and host 10.0.0.5' may reduce a 100,000-packet capture to 200 packets, all directly relevant to the suspected issue. The hypothesis also guides what to look for in the results: if DNS is suspected, you examine query-response timing; if TCP is suspected, you look for retransmissions and RSTs.
This reflects a broader principle in diagnostic work: tools amplify hypotheses, they don't replace them. Packet analysis is most powerful when you know what question you're asking, because the answer is visible in the filtered trace. Without a hypothesis, even a perfect capture is just raw data.