100+ Free CNFE Practice Questions

Pass your Mile2 Certified Network Forensics Examiner (CNFE) exam on the first try — instant access, no signup required.


Key Facts: CNFE Exam (per Mile2)

  • Exam length: 100 questions
  • Passing score: 70%
  • Time limit: 2 hours
  • Course coverage: 20 modules
  • Course duration: 5 days
  • Exam platform: MACS (Mile2 Assessment and Certification System)

The Mile2 CNFE is a 100-question online MCQ exam with a 2-hour time limit and 70% passing score. It covers 20 modules of network forensics including traffic acquisition, Wireshark analysis, SNORT rule writing, wireless frame forensics, and malware C2 detection. The backing 5-day course was originally developed for a U.S. classified government agency.

Sample CNFE Practice Questions

Try these sample questions to test your CNFE exam readiness. Each question includes a detailed explanation.

1. Which of the following best describes the primary purpose of network forensics?
A. Capturing, recording, and analyzing network traffic to investigate security incidents
B. Configuring firewall rules to block unauthorized access
C. Deploying intrusion prevention systems on the network perimeter
D. Encrypting network traffic to prevent interception
Explanation: Network forensics is the discipline of capturing, recording, and analyzing network traffic and logs to investigate security incidents, reconstruct events, and gather digital evidence. It goes beyond prevention or filtering to focus on evidence collection and analysis.
2. What is the 'order of volatility' principle in digital forensics, and why does it matter for network evidence?
A. It requires all network devices to be powered off before collection begins
B. It specifies the legal chain of custody for network logs submitted in court
C. It defines the sequence in which networks are partitioned during an investigation
D. It prioritizes collection of the most perishable evidence first, such as ARP caches and active connections before disk data
Explanation: The order of volatility (RFC 3227, 'Guidelines for Evidence Collection and Archiving') recommends collecting the most transient data first: CPU registers and cache, ARP cache, routing tables, process table, active connections, and RAM, before less volatile sources such as temporary files, logs, and disk images. Network evidence such as live traffic, ARP tables, and connection state disappears the moment a device is powered off or rebooted, which is why option A is the opposite of correct practice.
3. An investigator wants to capture all traffic on a switched network segment without modifying the suspect system. Which hardware-based method is most appropriate?
A. Installing Wireshark on the suspect workstation
B. Enabling port mirroring (SPAN) on the managed switch
C. Inserting a passive network tap on the wire between the switch and the suspect host
D. Configuring a software bridge on a third-party laptop
Explanation: A passive network tap is a hardware device inserted inline on the cable that copies every frame to a monitor port without transmitting anything of its own. It is transparent to the hosts on the link, cannot be detected by the suspect once in place, and does not alter the suspect system, making it the gold standard for physical interception in forensic investigations. Two practical caveats: fitting a copper tap briefly breaks the link (the switch and host will log a link-down/link-up event), and full-duplex copper taps present each direction on a separate output, so the capture host needs two interfaces or an aggregation tap. SPAN (B) avoids touching the cable but is a configuration change on the switch and can silently drop frames when the mirrored traffic exceeds the SPAN port's bandwidth; A modifies the suspect system outright.
4. Which tcpdump command captures all traffic on interface eth0 to and from host 192.168.1.100, writing the packets to a file?
A. tcpdump -i eth0 host 192.168.1.100 -w capture.pcap
B. tcpdump -r eth0 src 192.168.1.100 -o capture.pcap
C. tcpdump --interface eth0 --filter host 192.168.1.100 --save capture.pcap
D. tcpdump -l eth0 tcp and ip 192.168.1.100 > capture.pcap
Explanation: '-i eth0' selects the interface, the BPF expression 'host 192.168.1.100' matches packets with that address as source or destination, and '-w capture.pcap' writes the raw packets in libpcap format (readable later with 'tcpdump -r' or Wireshark) instead of printing decoded text. The other forms mix up '-r' (read from a file), long options that tcpdump does not have, and '-l' (line-buffered output, not an interface). Two refinements a practitioner should know: put all options before the filter expression ('tcpdump -i eth0 -w capture.pcap host 192.168.1.100'), because some tcpdump builds treat everything after the expression begins as part of it; and prefix the expression with 'tcp and' if only TCP is wanted, since 'host' alone also matches UDP, ICMP and ARP for that address. Hash the file immediately after capture (for example with sha256sum) to support chain of custody.
5. In Wireshark, which display filter would show only HTTP GET requests?
A. http.method=GET and tcp.dst==80
B. http.request.method == GET
C. http.request.method == "GET"
D. tcp.port == 80 and http.type == get
Explanation: The canonical form is http.request.method == "GET", with the string literal in double quotes. String comparison with == is case-sensitive, so "get" would not match. Some Wireshark versions accept the unquoted form in B, but the filter engine first tries an unquoted token as a field name and newer versions warn about unquoted strings, so quoting is the unambiguous choice. A and D use fields that do not exist (http.method, tcp.dst, http.type); the TCP port fields are tcp.srcport and tcp.dstport, and filtering on port 80 would in any case miss HTTP carried on other ports.
6. What does the TCP three-way handshake sequence SYN → SYN-ACK → ACK establish, and what forensic significance does it have?
A. It negotiates encryption algorithms for the session; the ACK confirms cipher selection
B. It assigns dynamic port numbers; the SYN-ACK assigns the ephemeral port to the client
C. It authenticates both endpoints using digital certificates; each step is logged by the firewall
D. It establishes a reliable connection by synchronizing sequence numbers; capturing these packets proves a TCP session was initiated between two hosts
Explanation: The TCP three-way handshake exchanges initial sequence numbers (ISNs) and formally opens a reliable connection. From a forensic perspective, a captured SYN/SYN-ACK/ACK sequence is evidence that a connection was deliberately established between specific IP:port pairs, which anchors communication timelines and session attribution. A lone SYN with no SYN-ACK or ACK shows only an attempt (or a scan probe), not a session.
7. A forensic analyst examines a packet capture and sees an internal host sending SYN packets to sequential port numbers on an external host. A few ports answer SYN-ACK and the internal host immediately replies with RST; the rest answer RST-ACK. What does this most likely indicate?
A. The internal host is performing a TCP SYN port scan against the external host
B. The internal network is experiencing a broadcast storm
C. The internal host is completing a TLS session teardown
D. The internal host is responding to legitimate DNS queries
Explanation: This is the signature of a TCP SYN ('half-open') scan. The scanner sends a SYN to each port; a closed port replies RST-ACK, an open port replies SYN-ACK, and the scanner tears the half-open connection down with a RST instead of sending the final ACK, so no session is ever established. One host probing many sequential ports with no completed handshakes is reconnaissance or lateral-movement scanning. Watch the direction of the RSTs: RST-ACKs come from the target's closed ports back to the scanner, so a host that emits many RST-ACKs toward varying remote source ports is most likely the one being scanned, not the scanner. In Wireshark, tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates the probes and Statistics > Conversations shows the fan-out across ports.
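The following is an added example, not code from the original page or from Mile2: a minimal reader for the libpcap format that 'tcpdump -w' produces, followed by the two checks questions 6 and 7 describe, namely finding completed SYN/SYN-ACK/ACK handshakes and flagging a source that sends bare SYNs to many ports while completing almost none of them. The capture is constructed inline (a scanner at 10.0.0.5 probing 203.0.113.10, plus one legitimate client session) rather than taken from a real network; IP and TCP checksums in the constructed frames are left zero because the parser does not validate them.

```python
"""Minimal libpcap reader plus two detections: completed TCP three-way
handshakes (proof of a session) and half-open SYN-scan behaviour.
Added example; parses the file format `tcpdump -w` writes, with constructed
sample traffic embedded below and no third-party packages."""
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Build Ethernet/IPv4/TCP bytes with no payload. Checksums are left zero:
    the parser below never checks them (tcpdump would report them as bad)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip2b(src), ip2b(dst))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames, start_ts=1700000000):
    """Wrap frames in a pcap global header and per-packet records (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", start_ts, i * 1000, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Return (ts, src, dst, sport, dport, flags) for every IPv4/TCP packet.
    Handles the classic microsecond magic in either byte order; the
    nanosecond (0xA1B23C4D) and pcapng formats are out of scope here."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    assert linktype == 1, "example handles Ethernet captures only"
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:      # not TCP / truncated
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        flags = frame[14 + ihl + 13]
        pkts.append((ts_sec + ts_usec / 1e6, src, dst, sport, dport, flags))
    return pkts


def completed_handshakes(pkts):
    """4-tuples (client, server, sport, dport) for which SYN, SYN-ACK and ACK all appeared."""
    state, done = {}, []
    for _ts, src, dst, sport, dport, fl in pkts:
        key, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if fl & SYN and not fl & ACK:                       # client SYN
            state[key] = "syn"
        elif fl & SYN and fl & ACK and state.get(rev) == "syn":   # server SYN-ACK
            state[rev] = "synack"
        elif fl & ACK and not fl & (SYN | RST) and state.get(key) == "synack":
            state[key] = "established"                      # client ACK closes the handshake
            done.append(key)
    return done


def syn_scanners(pkts, min_ports=5):
    """Sources that sent bare SYNs to many distinct (host, port) pairs but
    completed fewer than half of them: the half-open scan pattern."""
    probes = defaultdict(set)
    for _ts, src, dst, _sp, dport, fl in pkts:
        if fl & SYN and not fl & ACK:
            probes[src].add((dst, dport))
    done = defaultdict(int)
    for client, _s, _sp, _dp in completed_handshakes(pkts):
        done[client] += 1
    return {s: {"ports_probed": len(p), "completed": done[s]}
            for s, p in probes.items() if len(p) >= min_ports and done[s] < len(p) // 2}


# Constructed sample: scanner sweeps eight ports, three of them open; one real session.
SCANNER, CLIENT, TARGET = "10.0.0.5", "10.0.0.7", "203.0.113.10"
OPEN_PORTS = {22, 80, 443}
frames = []
for i, port in enumerate([21, 22, 23, 25, 80, 110, 443, 8080]):
    sp = 40000 + i
    frames.append(tcp_frame(SCANNER, TARGET, sp, port, SYN, seq=100))
    if port in OPEN_PORTS:
        frames.append(tcp_frame(TARGET, SCANNER, port, sp, SYN | ACK, seq=500, ack=101))
        frames.append(tcp_frame(SCANNER, TARGET, sp, port, RST, seq=101))   # half-open teardown
    else:
        frames.append(tcp_frame(TARGET, SCANNER, port, sp, RST | ACK, ack=101))
frames += [tcp_frame(CLIENT, TARGET, 50000, 443, SYN, seq=1),
           tcp_frame(TARGET, CLIENT, 443, 50000, SYN | ACK, seq=900, ack=2),
           tcp_frame(CLIENT, TARGET, 50000, 443, ACK, seq=2, ack=901)]
SAMPLE_PCAP = build_pcap(frames)

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE_PCAP)
    print("packets:", len(pk))
    print("handshakes:", completed_handshakes(pk))
    print("scanners:", syn_scanners(pk))
```

Point parse_pcap at the bytes of a real 'tcpdump -w' file to run the same checks on live evidence; the scanner threshold (min_ports) and the "fewer than half completed" ratio are tuning knobs, not standards.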
8. What is the forensic value of capturing ARP traffic on a LAN segment?
A. ARP packets contain full application payload data for deep-content inspection
B. ARP traffic reveals MAC-to-IP mappings, can expose ARP poisoning/spoofing attacks, and helps identify rogue devices
C. ARP captures are used exclusively to reconstruct encrypted HTTPS sessions
D. ARP data provides the GPS location of network clients
Explanation: ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses at Layer 2. Forensically, ARP captures reveal rogue devices, expose ARP cache poisoning/spoofing (an attacker answering for a legitimate IP, typically the gateway, with their own MAC so that traffic flows through them), and build a record of which physical device held which IP address at a given time. ARP is not routed, so a capture only covers the broadcast domain it was taken in; correlating it with DHCP lease logs and the switch's MAC address table ties a MAC to a physical port.
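As an added example of the Layer 2 analysis described above (not code from the original page or from Mile2), the block below parses raw ARP packets and applies two poisoning indicators: an IP address claimed by more than one MAC, and replies that were never requested. The packets are constructed inline to model an attacker at de:ad:be:ef:00:66 claiming both the gateway 192.168.1.1 and a victim 192.168.1.50; the addresses and MACs are illustrative, not from any real capture.

```python
"""Parse raw ARP packets (the 28 bytes that follow the Ethernet header) and
flag cache-poisoning indicators. Added example with constructed packets."""
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2


def mac2b(m):
    return bytes.fromhex(m.replace(":", ""))


def b2mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(map(str, b))


def arp_packet(oper, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP packet body."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac2b(sha), ip2b(spa), mac2b(tha), ip2b(tpa))


def parse_arp(raw):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": b2mac(sha), "spa": b2ip(spa), "tha": b2mac(tha), "tpa": b2ip(tpa)}


def analyze(packets):
    """Return (conflicts, unsolicited).
    conflicts:   {ip: set of MACs that claimed it}, only where more than one MAC did
    unsolicited: (sha, spa, tpa) for replies with no matching prior request, the
                 classic poisoning pattern (gratuitous replies pushed at a victim)."""
    claims = defaultdict(set)     # every ARP packet carries a sender IP->MAC mapping
    pending = set()               # (requester_ip, wanted_ip) awaiting a reply
    unsolicited = []
    for p in map(parse_arp, packets):
        claims[p["spa"]].add(p["sha"])
        if p["op"] == REQUEST:
            pending.add((p["spa"], p["tpa"]))
        elif p["op"] == REPLY:
            if (p["tpa"], p["spa"]) in pending:
                pending.discard((p["tpa"], p["spa"]))
            else:
                unsolicited.append((p["sha"], p["spa"], p["tpa"]))
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    return conflicts, unsolicited


# Constructed sample: one legitimate resolution, then two poisoning replies.
GATEWAY, VICTIM = "192.168.1.1", "192.168.1.50"
GW_MAC, VICTIM_MAC, ATK_MAC = "00:11:22:aa:bb:01", "00:11:22:aa:bb:50", "de:ad:be:ef:00:66"
SAMPLE = [
    arp_packet(REQUEST, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", GATEWAY),  # who has the gateway?
    arp_packet(REPLY, GW_MAC, GATEWAY, VICTIM_MAC, VICTIM),                 # real gateway answers
    arp_packet(REPLY, ATK_MAC, GATEWAY, VICTIM_MAC, VICTIM),                # attacker "is" gateway
    arp_packet(REPLY, ATK_MAC, VICTIM, GW_MAC, GATEWAY),                    # attacker "is" victim
]

if __name__ == "__main__":
    conflicts, unsolicited = analyze(SAMPLE)
    for ip, macs in conflicts.items():
        print(f"{ip} claimed by {sorted(macs)}")
    for sha, spa, tpa in unsolicited:
        print(f"unsolicited reply: {sha} says it is {spa}, sent to {tpa}")
```

A single IP legitimately changing MAC (NIC replacement, DHCP reassignment) also produces a conflict, so treat the output as a lead to confirm against DHCP logs and the switch MAC table rather than a verdict.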
9. In network forensics, what is 'full packet capture' as opposed to 'flow data' collection (NetFlow/IPFIX)?
A. Full packet capture requires physical access to fiber; flow data can be collected remotely
B. Full packet capture records only IP headers; flow data includes application-layer payloads
C. Full packet capture stores the complete content of every packet; flow data stores only metadata (IPs, ports, byte counts, timestamps) without payload
D. Full packet capture works only on wireless networks; flow data works on wired connections
Explanation: Full packet capture (FPC) preserves the entire packet, headers plus payload, enabling deep content inspection and session reconstruction. Flow data (NetFlow/IPFIX/sFlow) aggregates connection statistics (source/destination IP, port, protocol, bytes, packets, timestamps) without storing payload content. FPC provides richer forensic evidence but requires far more storage.
10. A SNORT rule reads: `alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP Inbound"; sid:1000001; rev:1;)`. What does this rule do?
A. It logs UDP traffic destined for port 80 on the 192.168.1.0 network
B. It drops HTTP packets originating from inside the 192.168.1.0/24 subnet
C. It blocks all TCP traffic from the 192.168.1.0/24 subnet on port 80
D. It generates an alert for any TCP traffic from any source to any host in 192.168.1.0/24 on destination port 80
Explanation: The rule header reads action, protocol, source IP, source port, direction, destination IP, destination port: the action 'alert' generates an alert and logs the packet, the protocol is TCP, 'any any' is any source IP and any source port, '->' is the directional operator, and '192.168.1.0/24 80' is the destination network and port. The option block in parentheses supplies the message, a unique SID (local rules conventionally use SIDs of 1,000,000 and above), and a revision number that is incremented when the rule is edited; each option ends with ';'. The rule fires on inbound traffic to port 80 on that subnet. It does not block anything, which rules out B and C: blocking requires an inline deployment and the 'drop' or 'reject' action.
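To make the header grammar concrete, here is an added example (not code from the original page, from Mile2, or from the Snort project) that parses the header and option block of rules written in this style and tests 5-tuples against them. It covers 'any', single addresses, CIDR blocks, '!' negation, port ranges such as '1024:', and both the '->' and '<>' operators; content matching, preprocessors and every other Snort option are out of scope, and an option value containing ';' would confuse the simple splitter. The rules and connections are constructed for the example.

```python
"""Parse Snort 2-style rule headers and evaluate 5-tuples against them.
Added example: header grammar and msg/sid/rev options only, no content
matching, no preprocessors."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")          # e.g. msg:"HTTP Inbound"
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _ip_matches(spec, ip):
    """'any', a host, a CIDR block, or a [a,b,...] list; a leading '!' negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _ip_matches(spec[1:], ip)
    nets = (ipaddress.ip_network(p.strip(), strict=False) for p in spec.strip("[]").split(","))
    return any(ipaddress.ip_address(ip) in net for net in nets)


def _port_matches(spec, port):
    """'any', a single port, or 'lo:hi' (either bound may be omitted); '!' negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the rule header matches the connection; '<>' tries both directions."""
    if rule["proto"] not in ("ip", proto.lower()):
        return False
    fwd = (_ip_matches(rule["src"], src) and _port_matches(rule["sport"], sport)
           and _ip_matches(rule["dst"], dst) and _port_matches(rule["dport"], dport))
    if rule["dir"] == "->":
        return fwd
    rev = (_ip_matches(rule["src"], dst) and _port_matches(rule["sport"], dport)
           and _ip_matches(rule["dst"], src) and _port_matches(rule["dport"], sport))
    return fwd or rev


# Constructed rule set: the page's rule plus two illustrative ones.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP Inbound"; sid:1000001; rev:1;)',
    'alert tcp 192.168.1.0/24 any -> !192.168.1.0/24 1024: (msg:"Outbound high port"; sid:1000002; rev:1;)',
    'alert udp any 53 <> 192.168.1.0/24 any (msg:"DNS lookup"; sid:1000003; rev:1;)',
)]


def firing_rules(proto, src, sport, dst, dport):
    """Messages of every rule whose header matches the given connection."""
    return [r["options"]["msg"] for r in RULES if rule_matches(r, proto, src, sport, dst, dport)]


if __name__ == "__main__":
    print(firing_rules("tcp", "203.0.113.5", 51234, "192.168.1.20", 80))    # HTTP Inbound
    print(firing_rules("tcp", "192.168.1.20", 51234, "203.0.113.5", 4444))  # Outbound high port
    print(firing_rules("udp", "192.168.1.20", 5555, "8.8.8.8", 53))         # DNS lookup via <>
```

Run the 5-tuples from a suspicious conversation through firing_rules to check which of your rules would have alerted; a header that matches is only the first gate, since a real Snort rule usually adds content or flow options before it fires.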

About the CNFE Exam

The Mile2 Certified Network Forensics Examiner (CNFE) is a vendor-neutral certification originally developed for a U.S. classified government agency. It validates expertise in capturing, analyzing, and reconstructing network traffic evidence to investigate security incidents — covering physical interception, Wireshark/tcpdump analysis, wireless forensics, SNORT NIDS, centralized logging, and malware network behavior.

  • Questions: 100 scored questions
  • Time limit: 2 hours
  • Passing score: 70%
  • Exam fee: Varies by package; contact Mile2 for current pricing (Mile2 Cybersecurity Institute)

CNFE Exam Content Outline

  • ~15% Network Forensics Fundamentals & Methodology: digital evidence concepts, investigative methodology, order of volatility, chain of custody, and legal considerations
  • ~10% Network Principles & Protocol Suite: TCP/IP stack, IP/TCP/UDP protocol analysis, packet header fields, and protocol behavior
  • ~15% Traffic Acquisition: hardware taps, SPAN ports, tcpdump, live acquisition, full packet capture vs. NetFlow
  • ~15% Traffic Analysis: Wireshark display filters, session reconstruction, conversation analysis, tshark, and NetworkMiner
  • ~10% Wireless Forensics: 802.11 frame types, monitor mode, aircrack-ng suite, WEP/WPA2/WPA3, and rogue AP detection
  • ~15% SNORT NIDS: rule syntax, content matching, preprocessors, threshold/suppress, inline vs. passive, IDS evasion
  • ~10% Centralized Logging & Network Device Investigation: syslog, router/switch forensics, routing tables, ACLs, NTP, DHCP log correlation
  • ~5% Web Proxies, Encryption & Network Tunneling: proxy logs, HTTP analysis, TLS decryption, DNS/HTTP/ICMP tunneling detection
  • ~5% Malware Network Forensics: beaconing patterns, C2 traffic, data exfiltration, fast-flux DNS, network IOCs

How to Pass the CNFE Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 100 questions
  • Time limit: 2 hours
  • Exam fee: Varies by package — contact Mile2 for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CNFE Study Tips from Top Performers

1. Master Wireshark display filter syntax: know how to filter by protocol, IP, port, and specific field values such as http.request.method == "GET"
2. Practice writing SNORT rules from scratch: understand content, nocase, offset, depth, threshold, and sid/rev requirements
3. Know the tcpdump BPF filter syntax cold: 'port 53', 'host X', 'src net Y', '-w file.pcap', '-r file.pcap'
4. Understand the full 802.11 connection sequence: probe request → probe response → authentication → association request → association response → four-way handshake (the EAPOL exchange that derives the WPA/WPA2 session keys)
5. Study the order of volatility and be able to sequence evidence collection: ARP cache → routing table → active connections → running processes → memory → logs → disk

Frequently Asked Questions

What is the Mile2 CNFE exam format?

The CNFE exam consists of 100 multiple-choice questions with a 2-hour time limit. The passing score is 70% (70 correct out of 100). The exam is delivered online through Mile2's Assessment and Certification System (MACS). A DoD 8140-compliant proctored variant is also available.

What does the CNFE certification cover?

The CNFE covers 20 modules of network forensics: digital evidence concepts, network evidence challenges, forensic methodology, network principles, TCP/IP protocol suite, physical interception, traffic acquisition software (tcpdump, Wireshark), live acquisition, traffic analysis, Layer 2 protocols, wireless access points, wireless traffic capture and analysis, wireless attacks, SNORT NIDS, centralized logging/syslog, network device investigation, web proxies and encryption, network tunneling, and malware forensics.

What tools should I know for the CNFE exam?

Key tools include: Wireshark (display filters, Follow TCP Stream, Export Objects, Statistics), tcpdump (BPF filter syntax), SNORT (rule syntax, preprocessors, output plugins), the Aircrack-ng suite (airodump-ng, airmon-ng, aircrack-ng, aireplay-ng), NetworkMiner, tshark, and standard networking commands (arp -a, netstat, route print, Cisco IOS show commands).

What are the prerequisites for the CNFE exam?

Mile2 recommends 2 years of networking experience and 2 years of IT security background, along with solid TCP/IP knowledge. There is no formal prerequisite certification requirement, but candidates should be comfortable with network fundamentals before attempting the 5-day course or exam.

Is the Mile2 CNFE DoD 8140 approved?

Mile2 offers a DoD 8140 proctored exam variant for government candidates. The CNFE was originally developed for a U.S. classified government agency. Candidates should verify current DoD 8140/8570 approval status with Mile2 and their specific work role requirements.

How should I prepare for the CNFE exam?

Focus on hands-on practice with Wireshark (display filters, stream analysis, Export Objects), tcpdump BPF syntax, and SNORT rule writing. Study the 20 course modules with emphasis on traffic acquisition methods, 802.11 wireless forensics, and malware network behavior indicators. Practice with real PCAP files (Wireshark sample captures, PCAP repositories) to build analysis skills.