312-50V11 · Question #790
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was capture
The correct answer is A. Protocol analyzer. A protocol analyzer can open and decode PCAP files to inspect packet contents and determine whether IDS-flagged traffic is genuinely malicious or a false positive.
Question
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Options
- AProtocol analyzer
- BNetwork sniffer
- CIntrusion Prevention System (IPS)
- DVulnerability scanner
How the community answered
(37 responses)- A81% (30)
- B5% (2)
- C11% (4)
- D3% (1)
Why each option
A protocol analyzer can open and decode PCAP files to inspect packet contents and determine whether IDS-flagged traffic is genuinely malicious or a false positive.
A protocol analyzer such as Wireshark is specifically designed to read PCAP files and fully dissect each packet's headers, protocol fields, and payload to reveal whether the traffic matches known attack signatures or benign behavior. Unlike tools that act on live traffic, a protocol analyzer allows detailed post-capture forensic inspection of the exact packet sequence that triggered the IDS alert. This makes it the correct tool for manually validating or refuting an IDS alert against saved network evidence.
A network sniffer captures live traffic in real time and cannot retroactively analyze packets already saved in a PCAP file.
An IPS operates inline on live traffic to block or permit packets in real time and provides no facility for inspecting saved PCAP files.
A vulnerability scanner probes hosts for known software weaknesses and does not analyze captured packet data to assess malicious intent.
Concept tested: Protocol analyzer use for PCAP file inspection
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
Topics
Community Discussion
No community discussion yet for this question.