When configuring a long-term, forensic packet capture and saving all packets to disk, which of the following is not a consideration?
Correct Answer:
A
Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size. These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis. References:
✑ CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49
✑ CWAP-404 Objectives, Section 2.1: Configure protocol analyzers
What is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY?
Correct Answer:
C
An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. References:
✑ CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101
✑ CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions
✑ CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99
You are analyzing a packet decode of a Probe Request and notice the SSID element has a length of zero. What do you conclude about the transmitting STA?
Correct Answer:
D
The STA is discovering a list of available BSSs by sending a Probe Request with an empty SSID element. This is also known as a broadcast Probe Request, as it does not specify any particular SSID to probe for. Any AP that receives this Probe Request will respond with a Probe Response containing its own SSID and other information about its BSS. This way, the STA can learn about all the BSSs in its vicinity and choose which one to associate with. References: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 191; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 193.
Which common feature of a Spectrum Analyzer would be the best to help you locate a non-802.11 interference source?
Correct Answer:
D
The device finder is a common feature of a spectrum analyzer that helps locate a non-802.11 interference source. The device finder uses a directional antenna to measure the signal strength of a specific frequency or signal source. By pointing the antenna in different directions, the device finder can indicate the direction and distance of the interference source. The device finder can also filter out other signals that are not related to the interference source. The other options are not correct, as they do not help locate a non-802.11 interference source. Max hold and min hold are features that show the maximum and minimum RF power levels over time, respectively. Location filter is a feature that filters out signals that are not from a specific location or area. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 77-78
What should the To DS and From DS flags be set to in an Association Response frame?
Correct Answer:
C
The To DS and From DS flags should be set to 0 in an Association Response frame. An Association Response frame is a type of management frame that is transmitted by an AP to accept or reject an association request from a STA. The To DS (To Distribution System) and From DS (From Distribution System) flags are two bits in the Frame Control field of the MAC header that indicate whether a frame is destined for or originated from the DS (Distribution System), which is a system that connects multiple BSSs together. The To DS and From DS flags can have four possible combinations: 00, 01, 10, or 11. For an Association Response frame, which is sent from an AP to a STA within a BSS, both flags should be set to 0. References: [Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 121-122
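The two decode facts above (a Probe Request whose SSID element has length zero is a wildcard probe, and management frames such as an Association Response always carry To DS = 0 and From DS = 0) can be checked mechanically. The following Python is an added example, not code from the CWAP-404 study guide or any analyzer product: it parses the 16-bit Frame Control field and the three address fields of a raw 802.11 MAC header, walks the information elements of the two management subtypes it knows about, flags a wildcard Probe Request, and flags a management or control frame whose DS bits are not 00 as a decode anomaly. The two frames it parses are constructed byte strings with made-up MAC addresses; the fixed-field lengths for the Association Response (Capability, Status Code, AID) follow the 802.11 management frame layout.

```python
import struct
from dataclasses import dataclass

# Frame Control (little-endian 16-bit): bits 2-3 type, 4-7 subtype,
# bit 8 To DS, bit 9 From DS.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_ASSOC_RESP = 1
SUBTYPE_PROBE_REQ = 4
IE_SSID = 0

# Bytes of fixed fields that sit before the information elements, for the
# management subtypes this example decodes.
FIXED_LEN = {
    SUBTYPE_ASSOC_RESP: 6,  # Capability(2) + Status Code(2) + AID(2)
    SUBTYPE_PROBE_REQ: 0,   # Probe Request has no fixed fields
}

# Meaning of the four To DS / From DS combinations.
DS_MEANING = {
    (0, 0): "within BSS (all management and control frames)",
    (1, 0): "STA -> AP (to the DS)",
    (0, 1): "AP -> STA (from the DS)",
    (1, 1): "AP -> AP (4-address / WDS)",
}


@dataclass
class Frame:
    ftype: int
    subtype: int
    to_ds: int
    from_ds: int
    addr1: str
    addr2: str
    addr3: str
    fixed: bytes
    ies: dict  # element ID -> payload of first occurrence


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Walk ID/Length/Value elements; a truncated element is a decode error."""
    ies, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, ln = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if len(data) != ln:
            raise ValueError(f"truncated IE {eid}")
        ies.setdefault(eid, data)
        i += 2 + ln
    return ies


def parse_frame(raw):
    if len(raw) < 24:
        raise ValueError("short MAC header")
    (fc,) = struct.unpack_from("<H", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    fixed, ies = b"", {}
    if ftype == TYPE_MGMT and subtype in FIXED_LEN:
        n = FIXED_LEN[subtype]
        fixed, ies = raw[24:24 + n], parse_ies(raw[24 + n:])
    return Frame(ftype, subtype, to_ds, from_ds,
                 fmt_mac(a1), fmt_mac(a2), fmt_mac(a3), fixed, ies)


def is_wildcard_probe(frame):
    """Probe Request carrying an SSID element of length zero."""
    return (frame.ftype == TYPE_MGMT and frame.subtype == SUBTYPE_PROBE_REQ
            and IE_SSID in frame.ies and len(frame.ies[IE_SSID]) == 0)


def ds_bits_valid(frame):
    """Management and control frames never leave the BSS: DS bits must be 00."""
    if frame.ftype in (TYPE_MGMT, TYPE_CTRL):
        return (frame.to_ds, frame.from_ds) == (0, 0)
    return True  # data frames may use any of the four combinations


def assoc_status(frame):
    """Status Code from an Association Response's fixed fields (0 = success)."""
    (status,) = struct.unpack_from("<H", frame.fixed, 2)
    return status


# Constructed sample frames (not real captures): header, then body.
PROBE_REQ = bytes.fromhex(
    "4000" "0000" "ffffffffffff" "020000000001" "ffffffffffff" "1000"
    "0000"          # SSID element, length 0 -> wildcard probe
    "010402040b16"  # Supported Rates element
)
ASSOC_RESP = bytes.fromhex(
    "1000" "3a01" "020000000001" "020000000002" "020000000002" "2000"
    "1104" "0000" "01c0"  # Capability, Status Code 0, AID
    "010402040b16"
)
# Same Association Response with To DS forced to 1: a decode anomaly.
BAD_ASSOC_RESP = b"\x10\x01" + ASSOC_RESP[2:]

if __name__ == "__main__":
    for name, raw in [("probe", PROBE_REQ), ("assoc", ASSOC_RESP), ("bad", BAD_ASSOC_RESP)]:
        f = parse_frame(raw)
        print(name, f.subtype, DS_MEANING[(f.to_ds, f.from_ds)],
              "wildcard" if is_wildcard_probe(f) else "", "DS ok" if ds_bits_valid(f) else "DS ANOMALY")
```

Feed it frames from a capture (the 802.11 header after any radiotap or PPI pseudo-header) and the two predicates give the same two conclusions the explanations above reach by hand; the DS check is also a cheap sanity filter for malformed or spoofed management frames in a forensic trace.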