
210-255 · Question #195

210-255 Question #195: Real Exam Question with Answer & Explanation

The correct answer is D: !tcp.port==25.

Network Intrusion Analysis

Question

Which command filters a port?

Options

  • A. tcp.port equals 25
  • B. tcp.port is 25
  • C. tcp.port != 25
  • D. !tcp.port==25

Explanation

In Wireshark display filters, !tcp.port==25 is the correct way to fully exclude all packets involving port 25, because the ! negation operator works correctly on multi-occurrence fields.

Common mistakes.

  • A. tcp.port equals 25 is valid Wireshark syntax but it displays (includes) port 25 traffic rather than filtering it out.
  • B. tcp.port is 25 uses the keyword is, which is not valid Wireshark display filter syntax - the correct operators are == or equals.
  • C. tcp.port != 25 can behave unexpectedly on multi-occurrence fields - a packet with source port 25 and destination port 80 still matches, because the destination-port occurrence satisfies != 25, so packets that should have been excluded are still shown.
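The difference between options C and D comes down to how a comparison is evaluated when a field occurs more than once in a packet (tcp.port occurs twice: source port and destination port). The following added example, which is not part of the exam page and not Wireshark code, models the classic "any occurrence" semantics the explanation describes and runs the three filter forms over a few constructed packets; the Packet class, the port_eq/port_ne_classic/not_port_eq helpers and the sample packets are all assumptions made for the illustration.

```python
# Added example (not from the exam page, not Wireshark's own code): a small model of
# how a display filter comparison is evaluated on a multi-occurrence field such as
# tcp.port, which has two occurrences per packet (source port and destination port).
# The packets below are constructed sample data, not a real capture.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    no: int
    srcport: int
    dstport: int

    def tcp_port(self):
        # Every occurrence of tcp.port in this packet.
        return (self.srcport, self.dstport)


# Constructed sample traffic: an SMTP exchange, plain HTTP, and the mixed case
# from the explanation (source port 25, destination port 80).
PACKETS = [
    Packet(1, 51000, 25),   # client to SMTP server
    Packet(2, 25, 51000),   # SMTP server reply
    Packet(3, 51001, 80),   # HTTP, port 25 absent
    Packet(4, 25, 80),      # source port 25, destination port 80
]


def port_eq(pkt, value):
    """tcp.port == value: true if ANY occurrence equals value."""
    return any(p == value for p in pkt.tcp_port())


def port_ne_classic(pkt, value):
    """tcp.port != value under the classic 'any occurrence' rule:
    true if ANY occurrence differs from value."""
    return any(p != value for p in pkt.tcp_port())


def not_port_eq(pkt, value):
    """!tcp.port == value: negate the whole comparison, so true only
    when NO occurrence equals value."""
    return not port_eq(pkt, value)


def apply_filter(predicate, value, packets=PACKETS):
    """Return the numbers of the packets a display filter would show."""
    return [pkt.no for pkt in packets if predicate(pkt, value)]


def compare_filters(value=25, packets=PACKETS):
    """Evaluate the three filter forms from the question over the same packets."""
    return {
        f"tcp.port == {value}": apply_filter(port_eq, value, packets),
        f"tcp.port != {value}": apply_filter(port_ne_classic, value, packets),
        f"!tcp.port == {value}": apply_filter(not_port_eq, value, packets),
    }


if __name__ == "__main__":
    for expr, shown in compare_filters().items():
        print(f"{expr:18} -> packets {shown}")
```

Run as written, `tcp.port != 25` shows all four packets, because every packet has at least one occurrence that is not 25, while `!tcp.port == 25` shows only packet 3, the one with no port-25 occurrence at all. One caveat when checking this against a live Wireshark: version 4.0 changed `!=` to mean "all not equal", so on current releases both forms exclude port 25; the model above follows the older "any not equal" behaviour that the explanation refers to.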

Concept tested. Wireshark display filter negation on multi-occurrence fields

Reference. https://wiki.wireshark.org/DisplayFilters

Topics

#Wireshark display filters · #port filtering · #packet analysis · #capture filters
