mod2mod2SniffersSnifferslinks../mod2/assets/coursemap.swfcourseMenuBtnCourse menu. Select this button to access the course menu.MainMenuButtonClickedmoduleMapBtnLesson Map. Select this button to access the lesson map.CourseMapButtonClickedglossaryBtnGlossaryGlossary. Select this button open the glossary.GlossaryButtonClickedresourcesBtnResources. Select this button open the resources.ResourcesButtonClickedexitBtnExit. Select this button to exit the course.ExitButtonClickedreplayBtnReplay. Select this button to replay the current screen.ReplayButtonClickedpauseBtnPause. Select this button to pause the course.PauseButtonClickedresumeBtnResume. Select this button to resume the course.ResumeButtonClickedpreviousPgBtnPrevious PagePrevious. Select this button to go to the previous screen.PreviousButtonClickednextPgBtnNext PageNext. Select this button to go to the next screen.NextButtonClickedIntroductionObjectives and Topicsidsal2_011Welcome to the lesson on sniffers. When you have completed this lesson, you will be able to describe what a sniffer is and how it works. You will also be able to identify some basic Berkeley Packet Filter, or BPF, filter constructs and some command-line options for command-line sniffers. Finally, you will be able to identify some strings you can use to analyze packet data. There are four topics in this lesson. After you have completed the introduction, you will learn what a sniffer is used for, about the two basic types of sniffers, and about three of the most commonly used command-line sniffers. Finally, you will learn the fundamentals of how sniffers work. This topic covers packet capture libraries, Berkeley Packet Filters, and strings. For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 11. Lesson title: Sniffers. Topic title: Introduction. Screen title: Objectives and Topics. Five lesson learning objectives display in support of audio. Four topics display. The first topic is titled Introduction. The second topic is titled What is a Sniffer? The third topic is titled How do Sniffers work? The fourth and final topic is titled Conclusion. A text box displays and states: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.What is a Sniffer?Overviewidsal2_022Large computer networks communicate using a wide variety of protocols. This complexity requires tools that can monitor and troubleshoot network traffic. A network sniffer is a tool that listens to or "sniffs" the traffic traveling between networked devices. Also called a packet analyzer or protocol analyzer, a sniffer intercepts or "captures" raw data packets as they travel across the wire. Packet analysis can help you better understand what is happening on the network. A sniffer "sees" who is on the network who or what is utilizing bandwidth, and can help you identify possible attacks or malicious activity. The packet sniffing process can be broken down into three steps: collect, convert, and analyze. To accomplish the first step, collection, the sniffer requires putting the network interface into promiscuous mode. In promiscuous mode, the sniffer can "see" frames that aren't intended to be delivered to the system performing the sniffing. Typically, these frames would be ignored since they aren't destined for the system on which the sniffer is running. In the second step, the sniffer decodes the protocols and converts the data into a format you can read. The third and final step involves the actual analysis of the captured and converted data. Sniffers can correlate the corresponding layers of the OSI model. Take a few moments to review the information about network sniffers. Then we'll look at two types of sniffers more closely. Screen 2 of 11. Topic title: What is a Sniffer? Screen title: Overview. Several workstation images appear with lines connecting them to create a matrix showing how the workstations are interconnected. Image changes to show only two workstations with two lines connecting them. A grid overlay displays between the workstations and over the connecting lines. Animation shows a circle moving along the lines from one workstation to the next. Cells within the grid fill in with different colors as the animated circles pass under the grid. Text displays in support of audio. A linear process diagram displays. The diagram has three components. Starting on the left, the first component is labeled collect. An arrow point from the first component to the second which is labeled Convert. An arrow points from the second to the third component which is labeled Analyze. Text displays in support of audio. A stack of seven boxes representing the seven layers of the Oh S Eye model displays. Starting at the bottom the layers are labeled: Physical, Data Link, Network, Transport, Session, Presentation and Application. The second through fourth layers become highlighted. These are the Data Link, Network and Transport layers. The top layer Application becomes highlighted. Bulleted text appears and states: Network Sniffers are tools that capture network traffic. They are also called network packet analyzers and network protocol analyzers. Sniffers collect raw data. This requires promiscuous mode access. Sniffers convert binary data into a readable form and understand and decode protocols. They analyze converted data packets and can see corresponding layers of On S Eye model. The text promiscuous mode access becomes a roll over which states: Putting an interface in promiscuous mode allows the system to capture frames that are not intended to be delivered to the system performing the sniffing. Typically, these frames are ignored since they are not destined for the system on which the sniffer is running. The acronym Oh S Eye becomes a rollover which states: Open Systems Interconnection. The data link layer of the Oh S Eye model becomes a rollover which states: A sniffer can see the Data Link Layer, which typically contains the Ethernet header. The Ethernet header identifies the source and destination MAC addresses of the devices communicating on the local network. The network layer in the Oh S Eye model becomes a rollover which states: A sniffer can see the Network Layer which typically contains Internet Protocol or Eye Pea headers. The Eye Pea header identifies the source and destination Eye Pea addresses. From this information, you can see if the sources are talking simply on a local switched network or to a remote network through routers. The transport layer in the Oh S Eye model becomes a rollover which states: A sniffer can look at the Transport layer where the Transmission Control Protocol, or T C P and User Datagram Protocol or U D P headers can be found. You can see which services are being used by looking at the source and destination port numbers. The application layer in the Oh S Eye model becomes a rollover which states: A sniffer can see the Application Layer, which can include headers indicating File Transfer Protocol or F T P, Hypertext Transfer Protocol or H T T P and Simple Mail Transfer Protocol or S M T P and other Application layer protocols.Two Types of Sniffersidsal2_033There are a number of open source sniffers commonly used by network security administrators: Snort, tcpdump, WinDump, TShark, and Wireshark, to name a few. They are categorized as either a command-line sniffer or a GUI sniffer. Command-line sniffers like tcpdump and WinDump are basic sniffers that run quickly. The data captured can be interpreted only on a very basic level, leaving the majority of the analysis to you. For example, the contents of the data packets can be difficult to interpret because the sniffer only analyzes and displays, in the text output, some of the header fields. In the first line of proper output, "172.16.1.1" is the source IP address and dot 138 corresponds to the source port. The number "172.16.255.255" is the destination IP address and dot 138 corresponds to the destination port. The packet is UDP. This data doesn't show you that it's actually NetBIOS Name Service information being sent. You have to use a sniffer with advanced analysis capabilities in order to see the details of the NetBIOS Name Service protocol. On the positive side, the command-line sniffers can quickly write captured packets to a file for later analysis. And, because of their simplicity, they have a lower potential for vulnerabilities from coding errors, which is a security benefit. A GUI-based sniffer does much of the analysis for you. For example, Wireshark can help analyze a stream of packets to help detect intrusions. The header fields and payload data are analyzed by the sniffer. But because it's so complex, there is a higher potential for coding errors in the protocol analyzer. The resulting vulnerabilities may expose your system to compromise. So which type of sniffer should you use? A common approach is to capture packets with a command-line sniffer and write a packet capture file, then use a GUI-based sniffer to analyze the data. Next we'll look at three commonly used command-line sniffers. Screen 3 of 11. Screen title: Two Types of Sniffers. Reprise of grid overlay between two workstations. Logos for open source sniffers display in support of audio. Two banners display. One banner is titled Command Line Interface or C L I Sniffer. The second banner is titled Graphical User Interface or gooey Sniffer. The Win Dump, T C P DUMP, T Shark and SNORT logos display under the command line banner. The Wireshark logo displays under the graphical user interface banner. An example of a command line data capture screen displays. Lines of data contain numerals, symbols and letters. An example of a Wireshark data capture screen displays. Bulleted text displays under the command line banner and states: Advantages: Available as open source, has fewer vulnerabilities, operates fairly quickly to capture packets and quickly writes data to a file for later analysis. Disadvantages: Shows only some header fields and requires knowledge of how to read packet data. Bulleted text displays under the gooey banner and states: Advantages: Available as open source, is capable of complex analysis of protocols, identifies header fields for intrusion detection and analyzes data payload. Disadvantages: is susceptible to coding errors. Each of the sniffer logos becomes a rollover. The rollover for the T C P DUMP logo states: T c p dump is an open source command line packet analyzer for Linux and U NIX systems. The rollover for the Win Dump logo states: Win Dump is an open source command line packet analyzer for Windows environments. The rollover for the SNORT logo states: Snort is an open source network intrusion detection and prevention system. It uses a command line format to display analysis results. The rollover for the T Shark logo states: T Shark is the command line version of Wireshark. It uses the packet capture filtering mechanism of t c p dump and has some of the analysis capabilities of Wireshark. The rollover for the Wireshark logo states: Wireshark is a free complex protocol analyzer that uses a graphical user interface or gooey to display analysis results. It can identify header fields for intrusion detection and analyze data payload. It was formerly known as Ethereal.Common Command-Line Sniffersidsal2_044Tcpdump, WinDump, and Snort are three commonly used command-line sniffers. All three are open source. Tcpdump and WinDump are good basic sniffers, but they require an analyst with a thorough understanding of OSI and embedded protocols or higher level protocol analysis tools to perform most of the analysis. While Snort is classified as a command-line sniffer because of the way it presents data, it has greater analysis capabilities than tcpdump and WinDump. Select the sniffers for a brief description of each one. Common Command-Line Sniffersidsal2_04_014 Tcpdump and WinDump both read and write data packets traveling across the wire, but they provide limited protocol dissection. Tcpdump is the original command-line sniffer and is the default on most Linux and some UNIX systems. WinDump is the Windows version of tcpdump. TCPDUMP and WinDumpPopup 1 of 2. Popup title: T C P DUMP and Win Dump. Reprise of T C P DUMP and Win Dump logos. Bulleted text displays in support of audio.
Common Command-Line Sniffersidsal2_04_024 Snort has three main modes in which it can be configured: sniffer, packet logger, and network intrusion detection system. The sniffer mode simply reads the packets off the network and displays the data in a continuous stream on the console. The packet logger mode logs the packets to a disk. The network intrusion detection mode is the most complex and configurable option. It monitors all the traffic on a network to look for suspicious activity. The power of Snort, as an IDS, comes from its highly configurable detection engine and the flexible rule set used by that detection engine. The engine can filter packets, look for attack-signatures, and create an alert on a potential malicious event. The Snort IDS functionality can be configured with a combination of three detection methods: signature-based, anomaly-based, and protocol-based. SNORTPopup 2 of 2. Popup title: SNORT. Reprise of SNORT logo. Bulleted text displays in support of audio. The word signature based becomes a rollover which states: The signature based method of detection looks for specific patterns of an attack within the network traffic.Snort examines network traffic for particular patterns or characteristics that represent an attack. Because many attacks today have distinct signatures, the patterns are preconfigured by the I D S vendor or created by the analyst using the system. The word anomaly based becomes a rollover which states: The anomaly based method of detection looks for traffic activity that falls outside of normal traffic patterns. Snort samples current network traffic activity against the baseline in order to detect whether or not the traffic is within baseline parameters. The word protocol based becomes a rollover which states: The protocol based method of detection analyzes the protocol activity against standard protocol behaviors. Snort examines the behavior and state of a protocol in use by the system. For example, for a web server Snort would monitor the H T T P or H T T P S communications to determine if the protocol is being implemented and utilized properly as determined by protocol design specifications.Screen 4 of 11. Screen title: Common Command Line Sniffers. Reprise of T C P DUMP, Win Dump and SNORT logos. The T C P DUMP and Win Dump logos become selectable as a popup. The SNORT logo becomes selectable as a popup.
How Do Sniffers Work?Packet Capture Librariesidsal2_055To capture raw network traffic, a sniffer uses a packet capture, or pcap, library as the framework for reading and writing data in a standard format. There are two primary pcap libraries - libpcap and WinPcap. Both are open source projects. Libpcap is the original library for packet capture. It's used by UNIX-like operating systems and is the pcap library used by tcpdump and most other sniffers on UNIX-like systems. WinPcap is the industry-standard pcap tool for Windows environments and is the pcap library used by WinDump and most other Windows based sniffers. By default, a sniffer will capture all traffic traveling across the wire. In a busy network, the data is voluminous and, if unfiltered, the data will scroll faster than you can read it. You can limit the amount of data captured by applying packet capture filters that specify search criteria for what type of data each library will "read." Next you will learn about some basic filter expressions. Screen 5 of 11. Topic title: How Does a Sniffer Work? Screen title: Packet Capture Libraries. Reprise of grid overlay between two workstations. A banner titled Packet Capture displays. The lib pea cap and win pea cap logos display. Bulleted text displays in support of audio. Each of the logos becomes a rollover. The lib pea cap rollover states: Lib pea cap is a portable C C plus plus packet capture library that provides the framework for reading and writing data in a standard format for t c p dump. It is used with U NIX like platforms. Lib pea cap is maintained by the T c p dump Group. For more information, access w w w dot t c p dump dot org. The win pea cap rollover states: Win pea cap provides the framework for reading and writing data in a standard format for Win Dump. It is based on the lib pea cap model and Berkeley Packet Filters for U NIX and runs on Win thirty two and Win sixty four platforms. Win pea cap is maintained by the Win pea cap Group. For more information, access w w w dot win pea cap dot org. The packet capture banner becomes a rollover which states: Pea cap provides the framework for sniffing packets and presents a raw packet in a standard binary file format. A raw packet is a packet that is left in its original, unmodified form as it traveled across the network from client to server.Berkeley Packet Filtersidsal2_066Libpcap and WinPcap implement BPFs. BPFs make it possible to narrow down the data a sniffer captures by allowing you to specify the types of packets to capture based on layer two through four header fields. Filter expressions are built from primitives, which are shortcuts for specifying desired contents of header fields. Select Primitives to see some commonly used shortcuts. Berkeley Packet Filtersidsal2_06_016 Here are some common primitives you can use to instruct the sniffer to capture only specific packets. A primitive consists of an ID followed by a qualifier. The ID for the first primitive in the table is the word "host" followed by the qualifier, an IP address, or hostname, that specifies you want to filter for packets with a specific source or destination address. In contrast, the primitive "src host 192.168.1.3" filters packets with the specified source address and "dst host 192.168.1.4" filters packets with the specified destination address. Tcp captures only TCP packets. Udp captures only UDP packets. And, icmp captures only ICMP packets. Port 53 looks for TCP or UDP packets with the source or destination port of 53. Primitives can be combined with the logical operators "and," "not," and "or" to add another layer of filtering. In this example, "host 192.168.1.5 and tcp and port 80" the word "and" instructs the sniffer to capture all TCP port 80 packets going to and from the address. Using the words "and" and "not" together instructs the sniffer to look for all traffic that is going to or from the address, but not the ICMP traffic. In the example, "port 80 or port 443" the word "or" instructs the sniffer to capture either HTTP traffic traveling through port 80 or HTTPS traffic traveling through port 443. PrimitivesPopup 1 of 1. Popup title: Primitives. Seven examples of primitive syntax display with an explanation of each primitive in support of audio. Text displays in support of audio. When the narrator talks about using the "and" and "not" logical operators in combination text displays and states: host one ninety two dot one sixty eight dot one dot five and not i c m p.Screen 6 of 11. Screen title: Berkeley Packet Filters. A diagram displays representing the flow of incoming I P traffic through a Berkeley Packet Filter or B P F. Two arrows point toward a screen that represents the B P F. The filtered traffic is represented by one arrow that moving away from the screen to an icon representing output packet data. Text displays and states: Packet capture and processing. Image of an individual data packet displays. Text displays in support of audio. The word primitives becomes selectable as a popup. Text displays in support of audio. The word primitives becomes selectable as a popup.Common Command-Line Optionsidsal2_077In addition to specifying the types of packets to capture, there are command-line options or flags that you can use to narrow down and focus the output. Dash capital "D" will list the interfaces that you can sniff on and give a number for each interface. For UNIX, knowing the interface name is usually not too difficult. The name is fairly short and is usually "e t h zero" or "e n zero." With Windows the interface names are based on the Globally Unique Identifier, or GUID, for each interface. These are 25 characters long. So, it will be easier to list the interfaces first and get the number for each when you want to specify which interface you want to sniff. The command-line option dash "i" and a number specifies the interface you want to sniff. If you do not specify an interface, you'll end up on some random interface that is unlikely to be the one you want to use. Dash "n" specifies "don't resolve host," also known as DNS names. Dash "s" sets the snap length, the amount of data that is captured in bytes. Dash "w" and a filename writes the raw data to the file specified. This allows you to create a packet capture file, sometimes called a pcap file. You can read from a pcap file using dash "r" and the file name. Dash "v" indicates that you want to be verbose in displaying the data. Dash "v v" indicates to be even more verbose and decode more information about the packet. The additional information can help you better understand what is in the packet. Dash capital "X" displays the contents of the packet in hexadecimal format and the sniffer tries to interpret the data into ASCII to see if there is anything in plain text. You now know some of the common capture filters and command-line flags that can help you narrow down and focus sniffing. Next, we will look at a tool you can use to analyze packets. Screen 7 of 11. Screen title: Common Command Line Options. Reprise of Berkeley Packet Filter diagram. Image of a workstation displays between the filter screen and the filtered I P traffic arrow. The workstation is labeled Command Line Options. Test and bulleted text displays in support of audio. The syntax dash n becomes a rollover which states: By default, most sniffers will attempt a reverse D N S lookup for all I P address unless the dash n is specified. If there is no D N S server or no response from the D N S server, this default behavior will slow displaying the sniffer output while the sniffer waits for the D N S lookup to time out. The syntax dash s becomes a rollover which states: The default snap length for most command line sniffers is either sixty eight or ninety four bytes, which in most cases is not enough to capture the entire packet. If you want to capture the entirety of every packet, specify the snap length as zero or dash s zero.Stringsidsal2_088A tool you can use during a first pass analysis of packet data is called "strings." This tool searches binary pcap files looking for ASCII printable characters. By default, strings looks for a sequence of four or more printable characters ending with a nonprintable character such as a newline or null. The basic strings syntax is the word "strings" followed by an option of the minimum number of characters you want in the string. You'll typically want to use some number greater than four; otherwise you'll get a lot of noise from random ASCII strings that are in packet headers. Eight to twelve characters is a good value to produce useable results. The last part of the syntax is the name of the file or files you want to search. In this example, the text dash "n" with the number eight indicates we want strings to search for ASCII characters that have at least eight consecutive characters in the file named "file one dot pcap." An additional tool you want to know about is "more." More is a pagination tool that allows you to scroll downward through the output either one page or one line at a time. There is a similar tool called "less" that allows scrolling up or down in the text. In this example of strings output, 10 characters were specified as the minimum string of ASCII characters to search for. The search was piped through "more" to allow the viewer to page through the output. We can see some NetBIOS Name Service type strings identifiable by the all capital letter strings. In the bottom half of the example, we see the text "This program cannot be run in DOS mode." It looks like some executable file was captured in this pcap. This gives you a clue of what to look for as you begin your analysis of the pcap file. In a nutshell, "strings" is a quick method to do a triage of what is in a packet capture. You can use the utility to identify suspicious traffic or start a "dirty" word list search. One final thing about strings you should know is that a strings tool is not, by default, available on Windows systems. You can download a version of strings from the Microsoft Sysinternals website that allows strings to run on a Windows system when you are performing an analysis. Screen 8 of 11. Screen title: Strings. An example of packet capture data in a strings output screen displays. Animation shows magnifying glass moving across the data screen. Text displays in support of audio. An example of strings syntax displays and states: strings dash n eight file one dot pea cap. At the end of the example the vertical bar symbol and the word more displays. Reprise of string output screen. At the top of the data is the string syntax used to filter the data. The syntax states: strings dash n ten lab four dash one dot pea cap vertical bar more.Knowledge Checkidsal2_099Knowledge Check1500550Berkeley Packet Filters allow you to specify the types of packets to capture based on layer two through four header fields.True, for statement: Berkeley Packet Filters allow you to specify the types of packets to capture based on layer two through four header fieldsFalse, for statement: Berkeley Packet Filters allow you to specify the types of packets to capture based on layer two through four header fieldsCorrect. Berkeley Packet Filters (BPFs) make it possible to narrow down the data a sniffer captures based on OSI layers two through four header fields. BPFs are created from a filter expression called a primitive.Incorrect. Berkeley Packet Filters (BPFs) make it possible to narrow down the data a sniffer captures based on OSI layers two through four header fields. BPFs are created from a filter expression called a primitive.By default, strings looks for a sequence of four or more printable characters ending with a nonprintable character such as newline or null.True, for statement: By default, strings looks for a sequence of four or more printable characters ending with a nonprintable character such as newline or null.False, for statement: By default, strings looks for a sequence of four or more printable characters ending with a nonprintable character such as newline or null.Correct. Strings search binary packet capture (pcap) files looking for ASCII printable characters.Incorrect. Strings search binary packet capture (pcap) files looking for ASCII printable characters.Libpcap provides the framework for reading and writing packet data in a standard format for tcpdump.True, for statement: Libpcap provides the framework for reading and writing packet data in a standard format for tcpdump.False, for statement: Libpcap provides the framework for reading and writing packet data in a standard format for tcpdump.Correct. Libpcap is the packet capture (pcap) library used by tcpdump and most other sniffers on UNIX-like systems.Incorrect. Libpcap is the packet capture (pcap) library used by tcpdump and most other sniffers on UNIX-like systems.The "more" tool allows scrolling downward through the output either one page or one line at a time.True, for statement: The "more" tool allows scrolling downward through the output either one page or one line at a time.False, for statement: The "more" tool allows scrolling downward through the output either one page or one line at a time.Correct. The word "more" in a strings expression is a pagination tool that allows you to scroll downward through the output either one page or one line at a time.Incorrect. The word "more" in a strings expression is a pagination tool that allows you to scroll downward through the output either one page or one line at a time.Now check your knowledge of the packet capture fundamentals. Screen 9 of 11. Screen title: Knowledge Check. This knowledge check presents four questions. For each question there are two possible answers, true or false. Use your keyboard to cycle through the options.Knowledge Checkidsal2_1010Knowledge Check1500550Set snap length-D, for statement: Set snap length-i#, for statement: Set snap length-n, for statement: Set snap length-r, for statement: Set snap length-s, for statement: Set snap length-v, for statement: Set snap length-vv, for statement: Set snap length-w, for statement: Set snap length-X, for statement: Set snap lengthCorrect. The option -s sets the snap length.Incorrect. The option -s sets the snap length.List available interfaces-D, for statement: List available interfaces-i#, for statement: List available interfaces-n, for statement: List available interfaces-r, for statement: List available interfaces-s, for statement: List available interfaces-v, for statement: List available interfaces-vv, for statement: List available interfaces-w, for statement: List available interfaces-X, for statement: List available interfacesCorrect. The option -D instructs the sniffer to list the available interfaces.Incorrect. The option -D instructs the sniffer to list the available interfaces.Write data to a pcap file-D, for statement: Write data to a pcap file-i#, for statement: Write data to a pcap file-n, for statement: Write data to a pcap file-r, for statement: Write data to a pcap file-s, for statement: Write data to a pcap file-v, for statement: Write data to a pcap file-vv, for statement: Write data to a pcap file-w, for statement: Write data to a pcap file-X, for statement: Write data to a pcap fileCorrect. The option -w followed by a file name indicates where to write pcap files.Incorrect. The option -w followed by a file name indicates where to write pcap files.Be verbose when printing-D, for statement: Be verbose when printing-i#, for statement: Be verbose when printing-n, for statement: Be verbose when printing-r, for statement: Be verbose when printing-s, for statement: Be verbose when printing-v, for statement: Be verbose when printing-vv, for statement: Be verbose when printing-w, for statement: Be verbose when printing-X, for statement: Be verbose when printingCorrect. The option -v indicates to be verbose when printing to the screen.Incorrect. The option -v indicates to be verbose when printing to the screen.Do not resolve host names-D, for statement: Do not resolve host names-i#, for statement: Do not resolve host names-n, for statement: Do not resolve host names-r, for statement: Do not resolve host names-s, for statement: Do not resolve host names-v, for statement: Do not resolve host names-vv, for statement: Do not resolve host names-w, for statement: Do not resolve host names-X, for statement: Do not resolve host namesCorrect. The option -n instructs the sniffer to NOT resolve host (DNS names).Incorrect. The option -n instructs the sniffer to NOT resolve host (DNS names).Print data in hexadecimal and ASCII-D, for statement: Print data in hexadecimal and ASCII-i#, for statement: Print data in hexadecimal and ASCII-n, for statement: Print data in hexadecimal and ASCII-r, for statement: Print data in hexadecimal and ASCII-s, for statement: Print data in hexadecimal and ASCII-v, for statement: Print data in hexadecimal and ASCII-vv, for statement: Print data in hexadecimal and ASCII-w, for statement: Print data in hexadecimal and ASCII-X, for statement: Print data in hexadecimal and ASCIICorrect. The option -X instructs the sniffer to print data in hexadecimal and ASCII.Incorrect. The option -X instructs the sniffer to print data in hexadecimal and ASCII.Now check your knowledge of tcpdump command-line options for capturing packet data. Screen 10 of 11. Screen title: Knowledge Check. This matching knowledge check presents six statements and nine command line options. For each statement select the command line option this is described. Moving for left to right the options are dash capital D, dash i and number symbol, dash n, dash r, dash s, dash v, dash v v, dash w, and dash capital X. Use your keyboard to cycle through the options.ConclusionSummary and Conclusionidsal2_1111Congratulations! You have completed the Sniffers lesson. You should now be able to describe what a sniffer is and how it works. You should also be able to identify some basic BPF filter constructs and some command-line options for command-line sniffers. Finally, you should be able to identify some strings you can use to analyze packet data. Screen 11 of 11. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in synch with audio.