312-50V10 · Question #790
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was capture
The correct answer is A. Protocol analyzer. A protocol analyzer can open and inspect a saved PCAP file to decode and examine packet contents at multiple OSI layers, allowing an administrator to determine whether flagged traffic is genuinely malicious or a false positive.
Question
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Options
- AProtocol analyzer
- BNetwork sniffer
- CIntrusion Prevention System (IPS)
- DVulnerability scanner
How the community answered
(48 responses)- A88% (42)
- B6% (3)
- C4% (2)
- D2% (1)
Why each option
A protocol analyzer can open and inspect a saved PCAP file to decode and examine packet contents at multiple OSI layers, allowing an administrator to determine whether flagged traffic is genuinely malicious or a false positive.
A protocol analyzer (such as Wireshark) is specifically designed to read PCAP capture files and decode packet contents across all protocol layers, enabling detailed inspection of headers, payloads, and sequences. This allows an administrator to manually examine the flagged packets and apply expert judgment to confirm or deny malicious intent.
A network sniffer captures live traffic from the wire and saves it, but by itself does not provide the deep protocol decoding and analysis needed to evaluate whether a specific saved sequence of packets is malicious.
An Intrusion Prevention System actively blocks traffic in real time based on signatures or rules, and cannot retroactively analyze a PCAP file to assess whether previously captured packets represent a false positive.
A vulnerability scanner probes systems to find known weaknesses and misconfigurations, and is not capable of inspecting packet capture files to evaluate the nature of specific traffic.
Concept tested: Protocol analyzer use for PCAP file analysis
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
Topics
Community Discussion
No community discussion yet for this question.