Page 1


Exam Title

: Network General Corp 1T6-540 : Advanced Troubleshooting with InfiniStream Network Mgmt

Version : R6.1

Prepking - King of Computer Certification Important Information, Please Read Carefully Other Prepking products A) Offline Testing engine Use the offline Testing engine product to practice the questions in an exam environment. B) Study Guide (not available for all exams) Build a foundation of knowledge which will be useful also after passing the exam. Latest Version We are constantly reviewing our products. New material is added and old material is updated. Free updates are available for 90 days after the purchase. You should check your member zone at Prepking and update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version: 1.Go 2.Click on Member zone/Log in (right side) 3. Then click My Account 4.The latest versions of all purchased products are downloadable from here. Just click the links. For most updates,it is enough just to print the new questions at the end of the new version, not the whole document. Feedback If you spot a possible improvement then please let us know. We always interested in improving product quality. Feedback should be send to You should include the following: Exam number, version, page number, question number, and your login ID. Our experts will answer your mail promptly. Copyright Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, Prepking reserves the right to take legal action against you according to the International Copyright Laws. Explanations This product does not include explanations at the moment. If you are interested in providing explanations for this exam, please contact

1. Applications that use ephemeral ports on both sides of a connection are difficult to mine, because: A. The ephemeral ports cannot be predicted B. They all use the same port, TCP/1024 C. The well-known ports cannot be predicted D. The ephemeral ports can be predicted but the port pairings are always different Answer: A 2. Mining FTP frames for both the Control and Data connections is difficult, because: A. The server listens on TCP/20 and on ephemeral addresses that are difficult to predict. B. The server listens on TCP/21 and multiple addresses that cannot be predicted. C. The server listens on TCP/21 and ephemeral ports that are difficult to predict. D. Many implementations of FTP exist that use varying well-known ports. Answer: C 3. Which of the following is NOT typically associated with network security auditing? A. Inspection of passwords B. Examining a network for signs of misuse C. Troubleshooting network application efficiency D. Looking for conformance to policy Answer: C 4. Consider this illustration of a data mining filter. What is wrong with it?

A. The filter only allows packets that are sent to HTTP servers on their well-known port. It would only show commands without replies.

This filter is incomplete.

B. The filter only allows packets that are both to and from the well-known port TCP/80 (HTTP). Both source and destination port cannot be 80. Nothing would pass the filter. C. It would also allow UDP packets to and from port 80 (HTTP), which does not make sense, since HTTP is a TCP-based protocol. D. Nothing.

It will capture normal data to and from TCP/80 (HTTP) servers.

Answer: B 5. The easiest way to identify data for further analysis is to _______. A. create an alias

B. group multiple protocols together C. sort on port number D. select all ephemeral ports Answer: C 6. A one to many relationship is indicative of: A. Backdoors B. Clients sending email to a relay server C. Password guessing D. Peer-to-Peer Answer: D 7. Consider this mining filter. Which description most accurately describes what it does?

A. It includes all packets to and from network B. It includes all packets that have sources and destinations within network C. It includes all packets that are not to or from network D. Nothing.

No packets would pass this filter.

Answer: C 8. Time duration and speed are _______. A. primary limitations of mining and analysis B. not relevant to InfiniStream C. only related to Expert analysis D. relevant, but secondary issues Answer: A 9. For testing, it is useful to convert your _______ into _______. A. data / units of measurement B. hypothesis / an if-then statement C. hypothesis / a conclusion D. conclusion / if-then statement Answer: B 10. Maintaining a baseline can aid in detecting bandwidth denial of service attacks by: A. Listing status codes associated with denial of service.

B. Revealing significant changes in protocol activity and bandwidth through comparison. C. Showing ports known to be associated with bandwidth denial of service. D. Listing source IP addresses know to send denial of service attacks. Answer: B 11. To see user names sent to an FTP server, you should view _______. A. the Expert Service layer objects B. the Expert Application layer objects C. the Advanced tab in the mining interface (Quick Select) D. the Names tab in the mining interface (Quick Select) Answer: B 12. Most Remote Procedure Calls (RPCs) listen on _________ ports? A. all well-known ports B. any port below 512 C. dynamically assigned ports, usually below port 1024 D. dynamically assigned ports, usually above port 1023 Answer: D 13. In order to mine DHCP client addressing problems, it would be best to mine _______. A. RDP and its associated port B. Bootpc and Bootps (DHCP) and the last known address of the client C. the last known address of the client D. the port on the server that the client was attempting to reach Answer: B 14. Consider this mining filter. Which description most accurately describes what it does?

A. It includes packets in either direction only between network and network B. It includes packets sent from network to network C. It includes packets in either direction between network and other all other networks, except D. Nothing.

No packets would pass this filter.

Answer: A 15. Reviewing initial data and noting significant trends is part of a process used to ________.

A. testing a hypothesis B. isolate an application for conversion C. profile network usage D. all of the above Answer: C 16. If you have captured network traffic and misuse of a network is uncovered, it is usually best to: A. Confront the individual and record your conversation. B. Hand the information over to a network security officer or manager. C. Take the initiative and perform your own investigation. D. Not inform anyone. Answer: B 17. Remote Procedure Calls may change their listening port number when the service is disabled and restarted. A. TRUE B. FALSE Answer: A 18. Which of the following uses Remote Procedure Calls? A. Grep B. Linux and Unix C. Windows D. VLANs E. DNS Answer: BC 19. A list of up to 10 of the last file names accessed on an FTP server may be viewed _______. A. in the data mining interface (Quick Select) on Files tab B. in the data mining interface (Quick Select) by creating a custom tab and adding a Files column C. in the analysis interface in an Expert Application layer object D. in the analysis interface in an Expert Service layer object Answer: D 20. While troubleshooting firewall issues, it is useful to compare: A. Stream data on the inside, since anything blocked will be on the inside. B. Stream data on the outside, since anything blocked will be on the outside. C. Stream data on the inside and outside of the firewall to see what is getting through. D. None of the above. Answer: C

21. When conducting a detailed analysis to confirm a hypothesis, we should ________. A. perform a detailed examination of data throughout various networking layers B. focus on specific error messages C. isolate on HTTP as a common problem area D. decrypt the data before beginning analysis Answer: A 22. ICMP messages always indicate: A. Packets could not be forwarded B. UDP errors C. TCP errors D. None of the above Answer: D 23. When troubleshooting a suspected firewall issue, duplicate frame removal is _________. A. not usually useful, since Network Address Translation will assign a new address and ports to the outside traffic and you want to compare this to the inside and outside traffic B. usually useful, since Network Address Translation will assign a new address and ports to the outside traffic and it reduces the redundant frames C. usually useful, since Network Address Translation will assign a new hostname to traffic on the outside traffic D. an unrelated issue Answer: A 24. A valid hypothesis ________. A. can be tested B. is relevant C. is measurable D. is all of the above Answer: D 25. Consider this illustration of a data mining filter.

What would it include?

A. Packets sent to an FTP server from host, and the replies.

B. Packets sent to an FTP server from host C. Packets sent from an FTP server to the host only. D. Nothing. No packets would be included. Answer: C 26. When troubleshooting POPv3 mail problems, the status codes returned by a server indicates _________. A. mail delivery status B. delivery location/address in RFC 822 format C. simple success or failure D. none of the above Answer: C 27. Regarding scanning, if one host only talks to one other host, but attempts connections to thousands of ports, what is likely occurring? A. A backdoor communicating B. A worm is spreading C. Normal activity D. Vertical scanning Answer: D 28. Which of the following cannot be selected as a condition for generating alerts? A. Broadcast frames per second B. HTTP response codes C. UDP bytes per second D. TCP utilization levels Answer: B 29. Which setting(s) does the ICEConfigParams.cfg record? A. Most recently used files B. Tab names and order C. File size and location for extracted data D. Expert Display options Answer: C 30. Which file records the aliases used by InfiniStream? A. ICEConfigParams.cfg B. C. D. aliases.adr

Answer: D 31. Sniffer Focused Analysis can be used to: _______. A. reconstruct TCP connection data B. display packet data to confirm the cause of a problem C. replay captured data and visually reconstruct a series of transactions D. capture and analyze packet data Answer: A 32. Regarding buffer overflows, when an attacker injects random data into the memory of a target, _______. A. the victim host opens a backdoor B. the victim host launches a worm C. arbitrary instruction may be successfully sent to the victim D. it becomes a denial of service, since the service has corrupted memory and stops working Answer: D 33. The primary purpose of a backdoor is to: A. Gain unauthorized access to a remote host to control it B. Cause the host denial of service C. Spread worms D. Initiate a controlled shutdown Answer: A 34. Characterizing data for analysis involves identifying data by ________. A. Port B. Time C. VLAN D. all of the above Answer: D 35. In order to troubleshoot mail problems, which of the following ports should be mined? A. TCP/21 B. TCP/53 C. TCP/161 D. TCP/25 Answer: D 36. Which protocol can InfiniStream Application Playback process? A. Kerberos B. NetBIOS Session

C. DES D. SSH Answer: D 37. The location of the file extracted by the data mining interface (ICE file) is set by ________. A. ICEConfigParams.cfg B. aliases.adr C. protocols.reg D. the user at startup Answer: A 38. When configuring InfiniStream alerts, the bindings tab is used to _______. A. choose the protocol used to send the alert B. set the destination address for SNMP Traps C. set the destination email address D. enable Windows messaging for the Linux ICE service Answer: A 39. An indication of backdoor communication is: A. One-to-one relationship, with an extreme imbalance on the source address. B. Many-to-many relationship, with an extreme imbalance. C. One-to-many relationship, with an extreme imbalance. D. Analysis on the Decode tab displays a common payload in different protocols. Answer: D 40. To create a baseline for our network it is necessary to mine data over a period of time and perform an analysis of the results. A. TRUE B. FALSE Answer: B 41. In order to save and replay a file transferred by a user using HTTP,

the _______ module of Sniffer

Focused Analysis should be used. A. TCP-based reconstruction B. Collector C. HTTP Analysis D. Port Aggregator Answer: A 42. Which of these methods is NOT a valid alert configuration in InfiniStream? A. Send a Syslog message

100% Pass Guaranteed or Full Refund Word to Word Real Exam Questions from Real Test Buy full version of exam from this link below

Pass4sure 1T6-540 dumps  

1T6-540,1T6-540 exam, 1T6-540 exam questions,1T6-540 dumps