nerdexam
EC-Council

312-50V11 · Question #790

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was capture

The correct answer is A. Protocol analyzer. A protocol analyzer can open and decode PCAP files to inspect packet contents and determine whether IDS-flagged traffic is genuinely malicious or a false positive.

Sniffing

Question

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

Options

  • AProtocol analyzer
  • BNetwork sniffer
  • CIntrusion Prevention System (IPS)
  • DVulnerability scanner

How the community answered

(37 responses)
  • A
    81% (30)
  • B
    5% (2)
  • C
    11% (4)
  • D
    3% (1)

Why each option

A protocol analyzer can open and decode PCAP files to inspect packet contents and determine whether IDS-flagged traffic is genuinely malicious or a false positive.

AProtocol analyzerCorrect

A protocol analyzer such as Wireshark is specifically designed to read PCAP files and fully dissect each packet's headers, protocol fields, and payload to reveal whether the traffic matches known attack signatures or benign behavior. Unlike tools that act on live traffic, a protocol analyzer allows detailed post-capture forensic inspection of the exact packet sequence that triggered the IDS alert. This makes it the correct tool for manually validating or refuting an IDS alert against saved network evidence.

BNetwork sniffer

A network sniffer captures live traffic in real time and cannot retroactively analyze packets already saved in a PCAP file.

CIntrusion Prevention System (IPS)

An IPS operates inline on live traffic to block or permit packets in real time and provides no facility for inspecting saved PCAP files.

DVulnerability scanner

A vulnerability scanner probes hosts for known software weaknesses and does not analyze captured packet data to assess malicious intent.

Concept tested: Protocol analyzer use for PCAP file inspection

Source: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Topics

#IDS alerts#PCAP analysis#protocol analyzer#false positive

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice