nerdexam
EC-Council

312-50V10 · Question #790

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was capture

The correct answer is A. Protocol analyzer. A protocol analyzer can open and inspect a saved PCAP file to decode and examine packet contents at multiple OSI layers, allowing an administrator to determine whether flagged traffic is genuinely malicious or a false positive.

Sniffing

Question

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

Options

  • AProtocol analyzer
  • BNetwork sniffer
  • CIntrusion Prevention System (IPS)
  • DVulnerability scanner

How the community answered

(48 responses)
  • A
    88% (42)
  • B
    6% (3)
  • C
    4% (2)
  • D
    2% (1)

Why each option

A protocol analyzer can open and inspect a saved PCAP file to decode and examine packet contents at multiple OSI layers, allowing an administrator to determine whether flagged traffic is genuinely malicious or a false positive.

AProtocol analyzerCorrect

A protocol analyzer (such as Wireshark) is specifically designed to read PCAP capture files and decode packet contents across all protocol layers, enabling detailed inspection of headers, payloads, and sequences. This allows an administrator to manually examine the flagged packets and apply expert judgment to confirm or deny malicious intent.

BNetwork sniffer

A network sniffer captures live traffic from the wire and saves it, but by itself does not provide the deep protocol decoding and analysis needed to evaluate whether a specific saved sequence of packets is malicious.

CIntrusion Prevention System (IPS)

An Intrusion Prevention System actively blocks traffic in real time based on signatures or rules, and cannot retroactively analyze a PCAP file to assess whether previously captured packets represent a false positive.

DVulnerability scanner

A vulnerability scanner probes systems to find known weaknesses and misconfigurations, and is not capable of inspecting packet capture files to evaluate the nature of specific traffic.

Concept tested: Protocol analyzer use for PCAP file analysis

Source: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Topics

#protocol analyzer#PCAP analysis#IDS alerts#false positive investigation

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice