CWNP Certified Wireless Analysis Professional CWAP-404 Exam Practice Test

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

A Reassociation Request frame is sent every time a STA roams from one AP to another within the same ESS. A Reassociation Request frame is similar to an Association Request frame, but it also contains the BSSID of the current AP that the STA is leaving. This allows the new AP to coordinate with the old AP and transfer the STA's context information, such as security keys, QoS parameters, and buffered frames. This way, the STA can maintain its connectivity and session continuity during roaming . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 195; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 196.

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : D

A Reassociation Request frame is sent every time a STA roams from one AP to another within the same ESS. A Reassociation Request frame is similar to an Association Request frame, but it also contains the BSSID of the current AP that the STA is leaving. This allows the new AP to coordinate with the old AP and transfer the STA's context information, such as security keys, QoS parameters, and buffered frames. This way, the STA can maintain its connectivity and session continuity during roaming . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 195; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 196.

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : D

A Reassociation Request frame is sent every time a STA roams from one AP to another within the same ESS. A Reassociation Request frame is similar to an Association Request frame, but it also contains the BSSID of the current AP that the STA is leaving. This allows the new AP to coordinate with the old AP and transfer the STA's context information, such as security keys, QoS parameters, and buffered frames. This way, the STA can maintain its connectivity and session continuity during roaming . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 195; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 196.

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

A Reassociation Request frame is sent every time a STA roams from one AP to another within the same ESS. A Reassociation Request frame is similar to an Association Request frame, but it also contains the BSSID of the current AP that the STA is leaving. This allows the new AP to coordinate with the old AP and transfer the STA's context information, such as security keys, QoS parameters, and buffered frames. This way, the STA can maintain its connectivity and session continuity during roaming . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 195; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 196.

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : B

The most likely cause of higher airtime utilization on the first 20 MHz of the 80 MHz channel is non-Wi-Fi interference. Non-Wi-Fi interference can prevent an AP from using its full channel width, as it will degrade the signal quality and increase the noise floor on some parts of the channel. This will force the AP to fall back to a narrower channel width, such as 20 MHz or 40 MHz, to maintain communication with its clients. The waterfall plot can help identify non-Wi-Fi interference by showing spikes or bursts of RF energy on specific frequencies or sub-channels. The other options are not correct, as they do not explain why only the first 20 MHz of the channel has higher airtime utilization.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 74-75

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : C

A capture visualization tool is a software application that can open a packet capture file and display various graphs, charts, tables, and statistics that illustrate the characteristics and behavior of the wireless network. A capture visualization tool can help a network administrator with little knowledge of 802.11 protocols to evaluate the overall health and performance of their wireless network by providing a visual and intuitive representation of the captured data. A spectrum analyzer is a hardware device that measures the radio frequency signals in a given frequency range and displays their amplitude, frequency, and modulation. A spectrum analyzer can help identify sources of interference and noise in the wireless environment, but it cannot open a packet capture file. Python is a programming language that can be used to write scripts or applications that manipulate or analyze packet capture files, but it requires coding skills and knowledge of 802.11 protocols. A WLAN scanner is a software application that scans for available wireless networks and displays information such as SSID, BSSID, channel, signal strength, security type, and vendor.A WLAN scanner can help discover wireless networks and their basic parameters, but it cannot open a packet capture file345Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 63

CWAP-404 Objectives, Section 2.5: Use capture visualization tools

CWAP-404 Study Guide, Chapter 4: Spectrum Analysis and Troubleshooting, page 117

CWAP-404 Objectives, Section 4.1: Use spectrum analysis tools

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 33

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : A

A hexadecimal value is a value that uses base 16 notation, which means it can have digits from 0 to 9 and letters from A to F. A hexadecimal value is usually preceded by 0x to indicate that it is hexadecimal and not decimal or binary. For example, 0x0A is hexadecimal for 10 in decimal or 00001010 in binary. The other options are not valid prefixes for hexadecimal values. Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 35

CWAP-404 Objectives, Section 2.2: Analyze field values

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64

Answer : D

The difference between a Data frame and a QoS-Data frame is that QoS Data frames include a QoS control field. A Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs. A QoS Data frame is a type of data frame that is used to carry user data or upper layer protocol data between STAs and APs that support QoS (Quality of Service) features. QoS features allow different types of traffic to be prioritized and handled differently according to their QoS requirements, such as delay, jitter, throughput, etc. QoS Data frames include a QoS control field in their MAC header, which contains information such as traffic identifier (TID), queue size (TXOP), acknowledgment policy (ACK), etc., that are used for QoS purposes. The other options are not correct, as they do not describe the difference between Data and QoS Data frames. QoS Data frames do not include a DSCP (Differentiated Services Code Point) control field, which is part of the IP header in the network layer, not the MAC header in the data link layer. QoS Data frames do not include a QoS information element (IE), which is part of some management frames that indicate QoS capabilities or parameters, not data frames. QoS Data frames do not include an 802.1Q VLAN tag, which is part of some Ethernet frames that indicate VLAN membership or priority, not wireless frames.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 5: 802.11 MAC Sublayer, page 118-119

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : C

A PHY header is added to the PSDU at the PHY layer. A PHY header is a part of the PPDU that contains information such as modulation, coding, and data rate. The PHY header is added by the PHY layer when it converts a PSDU to a PPDU for transmission, or removed by the PHY layer when it converts a PPDU to a PSDU for reception. The other layers do not add or remove a PHY header.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 4: 802.11 Physical Layer, page 97-98

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : C

An HE TB PPDU (High Efficiency Trigger-Based Packet Data Unit) is used to respond with an uplink transmission to an MU-RTS trigger frame in the 802.11ax PHY (Physical Layer). An MU-RTS trigger frame is a frame that initiates a multi-user transmission opportunity (MU-TXOP) by requesting multiple stations (STAs) to send clear-to-send (CTS) frames on different spatial streams or resource units (RUs). An HE TB PPDU is a frame that contains data from multiple STAs that have been allocated RUs by an MU-RTS trigger frame or another type of trigger frame. An HE SU PPDU (High Efficiency Single User Packet Data Unit) is a frame that contains data from a single STA using all available spatial streams or RUs. An HE MU PPDU (High Efficiency Multi User Packet Data Unit) is a frame that contains data from multiple STAs using different spatial streams or RUs without being triggered by another frame. A VHT PPDU (Very High Throughput Packet Data Unit) is a frame that uses the 802.11ac PHY and does not support multi-user transmissions. Reference:

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 101

CWAP-404 Objectives, Section 3.4: Analyze multi-user transmissions

CWAP-404 Study Guide, Chapter 3: 802.11 MAC Layer Frame Formats and Technologies, page 99

Answer : D

A Reassociation Request frame is sent every time a STA roams from one AP to another within the same ESS. A Reassociation Request frame is similar to an Association Request frame, but it also contains the BSSID of the current AP that the STA is leaving. This allows the new AP to coordinate with the old AP and transfer the STA's context information, such as security keys, QoS parameters, and buffered frames. This way, the STA can maintain its connectivity and session continuity during roaming . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 195; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 196.

Answer : A

The FFT plot is a spectrum analysis plot that shows the RF power present at a particular frequency over a short period of time. It can help identify the sources and characteristics of RF signals in the spectrum. By looking at the FFT plot, you can determine which ZigBee channels are used by the lighting system and whether they overlap with the WLAN channels in the 2.4 GHz band. ZigBee channels are 5 MHz wide and WLAN channels are 20 MHz or 40 MHz wide, so there is a possibility of overlap and interference between them. The other questions cannot be answered by looking at the FFT plot alone, as they require other types of plots or analysis tools, such as duty cycle plot, airtime utilization plot, or protocol analyzer.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 69-70

Answer : D

The most likely issue that can be identified from the spectrum analysis is a power mismatch between the APs and the clients. A power mismatch occurs when the APs transmit at a higher power level than the clients, or vice versa. This can cause asymmetric communication, where one side can hear the other, but not vice versa. This can result in poor performance, disconnections, or packet loss. A spectrum analysis can reveal a power mismatch by showing different signal amplitudes or RSSI values for the APs and the clients on the same channel or frequency. The other options are not correct, as they cannot be identified from the spectrum analysis alone. The tablets' SSID, power save mode, and noise floor can be determined by using other tools or methods, such as protocol analysis, site survey, or device configuration.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 3: Spectrum Analysis, page 79-80

Answer : A

Real-time packet decodes are not a consideration when configuring a long-term, forensic packet capture and saving all packets to disk. Real-time packet decodes are useful for live analysis and troubleshooting, but they consume CPU and memory resources that could affect the performance of the capture process. For a long-term, forensic packet capture, it is more important to consider the analyzer location, the total capture storage space, and the individual trace file size.These factors affect the quality and quantity of the captured packets and the ease of post-capture analysis34Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 49

CWAP-404 Objectives, Section 2.1: Configure protocol analyzers

Answer : A

The Swept Spectrogram plot is a spectrum analysis plot that shows the RF power present at a particular frequency over the course of time. It can help identify trends and patterns in the RF spectrum over a longer period of time. It can also show how the RF environment changes over time and how different sources of RF signals affect each other. The other options are not correct, as they describe different types of plots or information that are not related to the Swept Spectrogram plot.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 72-73

Answer : D

A VoIP phone, using WMM Power Save, requests data frames buffered at the AP by transmitting a trigger frame, which is a QoS Null frame or a QoS Data frame. WMM Power Save is a power saving mode that allows a STA (station) to conserve battery power by periodically sleeping and waking up. WMM Power Save is based on WMM (Wi-Fi Multimedia), which is a QoS (Quality of Service) enhancement that provides prioritized and differentiated access to the medium for different types of traffic. When a STA sleeps, it cannot receive any data frames from the AP, so it informs the AP of its power save status by setting a bit in its MAC header. The AP then buffers any data frames destined for the sleeping STA until it wakes up. When a STA wakes up, it sends a trigger frame to the AP, indicating its AC (Access Category), which is a logical queue that corresponds to its QoS level. A trigger frame can be either a QoS Null frame or a QoS Data frame, depending on whether it has any payload or not. The AP then responds with one or more data frames from the same AC as the trigger frame, followed by an ACK or BA (Block Acknowledgement) frame from the STA. The other options are not correct, as they are not used by a VoIP phone using WMM Power Save to request data frames buffered at the AP. A PS-Poll (Power Save Poll) frame is used by a STA using legacy power save mode, not WMM Power Save mode, to request data frames buffered at the AP. A PS-Poll frame does not indicate any AC or QoS information. Setting the More Data bit in the MAC header to 1 does not request any data frames from the AP, but indicates that there are more data frames to be sent by the STA or received by the STA. Transmitting a WMM Action frame does not request any data frames from the AP, but performs various management actions related to WMM features, such as admission control, parameter update, etc.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 7: QoS Analysis, page 198-199

Answer : D

The first step in any troubleshooting process is to define the problem. This involves gathering information from various sources, such as users, network administrators, network documentation, and network monitoring tools.Defining the problem helps to narrow down the scope of the issue and identify the symptoms, causes, and effects of the problem12Reference:

CWAP-403 Study Guide, Chapter 1: Troubleshooting Methodology, page 7

CWAP-403 Objectives, Section 1.1: Define the problem

Answer : B

The Group Key Handshake consists of two frames excluding any Ack frames that may be required. The Group Key Handshake is used to distribute and update the Group Temporal Key (GTK) for encrypting broadcast and multicast traffic. The AP initiates the Group Key Handshake by sending a Group Key Message 1 frame to a STA, which contains the new GTK and other information. The STA responds with a Group Key Message 2 frame to the AP, which confirms the receipt of the GTK and other information. After this, both the AP and the STA can use the new GTK for encryption and decryption of broadcast and multicast traffic . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 246; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 7: 802.11 Security, page 247.

Answer : D

The interframe space that would be expected between a CTS (Clear to Send) and a Data frame is SIFS (Short Interframe Space). A SIFS is the shortest interframe space that is used for high-priority transmissions, such as ACKs (Acknowledgements), CTSs, or data frames that are part of a fragmentation or aggregation process. A SIFS is a fixed value that depends on the PHY type and channel width. A CTS and a Data frame are part of a virtual carrier sense mechanism called RTS/CTS (Request to Send/Clear to Send), which is used to avoid collisions and hidden node problems in wireless transmissions. When a STA (station) wants to send a data frame, it first sends an RTS frame to the intended receiver, indicating the duration of the transmission. The receiver then responds with a CTS frame, also indicating the duration of the transmission. The other STAs in the vicinity hear either the RTS or the CTS frame and update their NAV (Network Allocation Vector) timers accordingly, deferring their access to the medium until the transmission is over. The sender then sends the data frame after waiting for a SIFS, followed by an ACK frame from the receiver after another SIFS. The other options are not correct, as they are not used between a CTS and a Data frame. A PIFS (PCF Interframe Space) is used for medium access by the PCF (Point Coordination Function), which is an optional and rarely implemented polling-based mechanism that provides contention-free service for time-sensitive traffic. An AIFS (Arbitration Interframe Space) is used for medium access by different ACs (Access Categories), which are logical queues that correspond to different QoS (Quality of Service) levels for different types of traffic. An AIFS is a variable interframe space that depends on the AIFSN (Arbitration Interframe Space Number) value of each AC. A DIFS (Distributed Interframe Space) is used for medium access by the DCF (Distributed Coordination Function), which is the default and mandatory contention-based mechanism that provides best-effort service for normal traffic.Reference:[Wireless Analysis Professional Study Guide CWAP-404], Chapter 6: 802.11 Frame Exchanges, page 166-167; Chapter 7: QoS Analysis, page 194-195

Answer : D

Receive sensitivity is the minimum signal level that a receiver can detect and decode. Different devices may have different receive sensitivity levels depending on their hardware specifications and antenna configurations. In this scenario, the portable analyzer has a lower receive sensitivity than the AP, meaning that it requires a stronger signal to capture the packets from the client STA. The AP, on the other hand, has a higher receive sensitivity and can receive the packets from the client STA even if they have a weaker signal.This explains why the portable analyzer can only see unidirectional traffic from the AP to the client when capturing near the AP5Reference:

CWAP-403 Study Guide, Chapter 4: PHY Layer Analysis, page 121

CWAP-403 Objectives, Section 4.3: Analyze PHY layer metrics

Answer : B

802.11k Neighbor Requests and Neighbor Reports are sent in Action frames. An Action frame is a Management frame that is used to perform various operations or functions related to the operation or maintenance of a wireless network. An Action frame consists of a Category field that indicates the type of action being performed, and a variable-length Action Details field that contains specific information related to the action. For example, an Action frame with a Category field value of 5 indicates a Radio Measurement action, and the Action Details field may contain a Neighbor Request or a Neighbor Report subelement . Reference: CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 207; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 6: MAC Sublayer Frame Exchanges, page 208; CWAP-404 Certified Wireless Analysis Professional Study and Reference Guide, Chapter 12: 802.11k/v/r/u/w/ai Amendments, page 434.

Answer : D

Delta is the timing column in the packet view that measures the time difference between two consecutive packets in a capture file. Delta can be used to measure the roaming time from the last VoIP packet sent on the old AP's channel to the first VoIP packet sent on the new AP's channel by selecting these two packets and looking at their delta values. The other timing columns are not suitable for this measurement because they do not show the time difference between two specific packets. Roaming is a column that shows whether a packet belongs to a roaming event or not. Relative is a column that shows the time elapsed since the beginning of the capture file.Absolute is a column that shows the date and time when a packet was captured5Reference:

CWAP-404 Study Guide, Chapter 2: Protocol Analysis, page 57

CWAP-404 Objectives, Section 2.4: Analyze timing values

Answer : D

The best way to test the theory of microwave interference from the New York office is to use a remote spectrum analyzer. By placing one of the London APs into spectrum analyzer mode, you can capture and analyze the RF spectrum in the London office over lunch time. You can then look for any signs of microwave interference, such as high duty cycle, high amplitude, or frequency hopping on the 2.4 GHz band. This method does not require any physical access to the microwave or any changes to its frequency.Reference:[Wireless Analysis Professional Study Guide], Chapter 3: Spectrum Analysis, page 64