
312-50V10 Question #795: Real Exam Question with Answer & Explanation

The correct answer is D: tcp.dstport == 514 && ip.dst == 192.168.0.150. To see traffic sent FROM the Snort machine (192.168.0.99) TO the Kiwi Syslog machine (192.168.0.150) on the standard syslog port 514, the Wireshark display filter must match the destination IP address and the destination port.

Sniffing

Question

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan in your network, and you notice that Kiwi Syslog is not receiving the alert message from Snort. You decide to run Wireshark in the Snort machine to check if the messages are going to the Kiwi Syslog machine. What Wireshark filter will show the connections from the Snort machine to the Kiwi Syslog machine?

Options

  • A. tcp.srcport == 514 && ip.src == 192.168.0.99
  • B. tcp.srcport == 514 && ip.src == 192.168.150
  • C. tcp.dstport == 514 && ip.dst == 192.168.0.99
  • D. tcp.dstport == 514 && ip.dst == 192.168.0.150

Explanation

Snort on 192.168.0.99 is the sender and Kiwi Syslog on 192.168.0.150 is the receiver, so the packets to look for on the Snort host are those whose destination address is 192.168.0.150 and whose destination port is 514, the standard syslog port. Of the four options, only D (tcp.dstport == 514 && ip.dst == 192.168.0.150) expresses that direction with a well-formed address. One caveat for real use: all four options use tcp.* fields, but syslog is normally carried over UDP/514, and a tcp.dstport field in Wireshark never matches a UDP datagram. On a real host, also check udp.dstport == 514 && ip.dst == 192.168.0.150 (or simply syslog && ip.dst == 192.168.0.150), otherwise the capture can look empty even while the alerts are being sent.

Common mistakes.

  • A. Filtering on tcp.srcport == 514 and ip.src == 192.168.0.99 looks for traffic originating FROM port 514 on the Snort machine. Snort sends TO port 514 from an ephemeral source port; a source port of 514 would only appear on replies coming back from a syslog server.
  • B. In addition to using the wrong direction (srcport/src instead of dstport/dst), the address 192.168.150 is malformed: it is missing an octet, so it can never match the Kiwi Syslog host.
  • C. Using ip.dst == 192.168.0.99 selects traffic destined for port 514 on the Snort machine itself, which is the reverse of the direction that needs to be observed.
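The direction and transport points above can be checked without Wireshark. The following is an added example, not code from the exam page: it hand-builds minimal IPv4 + UDP/TCP packets (constructed sample data, not a real capture) as they would be seen on the Snort host, parses the header fields that Wireshark exposes as ip.src, ip.dst, tcp/udp.srcport and dstport, and applies the four candidate filters to them. The predicates follow Wireshark semantics in one important respect: a tcp.* field only matches when the packet actually is TCP. The extra "D_udp_or_tcp" predicate is the practitioner's variant discussed above (an assumption of this example, not one of the exam's options).

```python
"""Evaluate the exam's four filter expressions against constructed packets.

Added example, not part of the original page. Packets are built by hand
(constructed sample data) so the check runs offline.
"""
import struct
from dataclasses import dataclass

SNORT = "192.168.0.99"
KIWI = "192.168.0.150"
SYSLOG_PORT = 514


@dataclass
class Pkt:
    """The fields Wireshark shows as ip.src, ip.dst, <proto>.srcport, <proto>.dstport."""
    src: str
    dst: str
    proto: str  # "udp", "tcp" or "other"
    sport: int
    dport: int


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet carrying a UDP or TCP header (checksums left at zero)."""
    proto_num = {"udp": 17, "tcp": 6}[proto]
    if proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        # 20-byte TCP header: seq/ack 0, data offset 5 words, flags PSH|ACK, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto_num, 0,
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    return ip_hdr + l4


def parse(packet: bytes) -> Pkt:
    """Parse the IPv4 header plus the port pair, which sits at the same offset in UDP and TCP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = {17: "udp", 6: "tcp"}.get(packet[9], "other")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return Pkt(src, dst, proto, sport, dport)


# The exam's options as predicates. As in Wireshark, tcp.* fields match TCP packets only.
FILTERS = {
    "A": lambda p: p.proto == "tcp" and p.sport == SYSLOG_PORT and p.src == SNORT,
    # Option B's address is malformed (missing octet); modelled here as matching nothing.
    "B": lambda p: p.proto == "tcp" and p.sport == SYSLOG_PORT and p.src == "192.168.150",
    "C": lambda p: p.proto == "tcp" and p.dport == SYSLOG_PORT and p.dst == SNORT,
    "D": lambda p: p.proto == "tcp" and p.dport == SYSLOG_PORT and p.dst == KIWI,
    # Practitioner's variant (assumption of this example): accept UDP or TCP to 514.
    "D_udp_or_tcp": lambda p: p.dport == SYSLOG_PORT and p.dst == KIWI,
}


def sample_capture() -> list:
    """Constructed packets as seen on the Snort host's interface (not a real capture)."""
    alert = b"<33>snort[1234]: [1:1000001:0] SYN scan detected"
    return [
        build_ipv4(SNORT, KIWI, "udp", 40001, SYSLOG_PORT, alert),  # alert over UDP syslog
        build_ipv4(SNORT, KIWI, "tcp", 40002, SYSLOG_PORT, alert),  # same alert if TCP syslog is used
        build_ipv4(KIWI, SNORT, "tcp", SYSLOG_PORT, 40002, b""),    # Kiwi's ACK back to Snort
        build_ipv4(SNORT, "192.168.0.1", "tcp", 40003, 443, b""),   # unrelated traffic
    ]


def apply_filter(name: str, packets: list) -> list:
    """Return (src, dst, proto, dport) for every packet the named filter selects."""
    pred = FILTERS[name]
    return [(p.src, p.dst, p.proto, p.dport) for p in map(parse, packets) if pred(p)]


if __name__ == "__main__":
    pkts = sample_capture()
    for name in FILTERS:
        print(f"{name:>13}: {apply_filter(name, pkts)}")
```

Running it shows that A, B and C select nothing from this capture, D selects only the TCP copy of the alert, and the UDP-or-TCP variant selects both copies. If the Snort host were sending its alerts over UDP, filter D alone would display nothing, which is exactly the misleading "empty capture" the caveat above warns about.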

Concept tested. Wireshark display filters for syslog traffic analysis

Reference. https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

Topics

#Wireshark filters · #syslog · #snort · #packet capture analysis
