nerdexam
EC-Council

312-50V10 · Question #513

A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to d

The correct answer is C. Protocol analyzer. A protocol analyzer (such as Wireshark) is the correct tool for reading and inspecting an existing PCAP file to determine whether captured packet sequences are malicious.

Sniffing

Question

A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether this packets are indeed malicious. What tool are you going to use?

Options

  • AIntrusion Prevention System (IPS)
  • BVulnerability scanner
  • CProtocol analyzer
  • DNetwork sniffer

How the community answered

(21 responses)
  • A
    10% (2)
  • B
    5% (1)
  • C
    86% (18)

Why each option

A protocol analyzer (such as Wireshark) is the correct tool for reading and inspecting an existing PCAP file to determine whether captured packet sequences are malicious.

AIntrusion Prevention System (IPS)

An IPS operates inline on live network traffic to block threats in real time and cannot open or analyze a saved PCAP file.

BVulnerability scanner

A vulnerability scanner probes live systems for known weaknesses and misconfigurations; it does not analyze saved packet captures.

CProtocol analyzerCorrect

A protocol analyzer is specifically designed to open, decode, and inspect PCAP files by dissecting each packet's headers and payload across all network layers. Tools like Wireshark allow a network administrator to reconstruct sessions, inspect raw bytes, and identify anomalous patterns or known attack signatures within the captured traffic. This makes it the direct and appropriate tool for post-capture forensic analysis.

DNetwork sniffer

A network sniffer captures live traffic from the wire; it does not analyze pre-existing PCAP files, which is a read/decode operation.

Concept tested: Using a protocol analyzer for PCAP forensic analysis

Source: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Topics

#protocol analyzer#PCAP analysis#network forensics#packet inspection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice