312-50V13 · Question #31
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn sca
The correct answer is D. tcp.dstport= = 514 && ip.dst= = 192.168.0.150. This question requires a Wireshark filter to capture traffic originating from the Snort machine (source) and destined for the Kiwi Syslog machine (destination) on the standard syslog port.
Question
Options
- Atcp.srcport= = 514 && ip.src= = 192.168.0.99
- Btcp.srcport= = 514 && ip.src= = 192.168.150
- Ctcp.dstport= = 514 && ip.dst= = 192.168.0.99
- Dtcp.dstport= = 514 && ip.dst= = 192.168.0.150
How the community answered
(39 responses)- A8% (3)
- B3% (1)
- C15% (6)
- D74% (29)
Why each option
This question requires a Wireshark filter to capture traffic originating from the Snort machine (source) and destined for the Kiwi Syslog machine (destination) on the standard syslog port.
This filter incorrectly specifies the source port as 514, implying Snort is sending from that port, and captures traffic originating from the Snort machine regardless of its destination.
This filter incorrectly identifies the source IP as the syslog machine and specifies a source port of 514, which is not how logs are typically sent.
This filter incorrectly sets the destination IP to the Snort machine (192.168.0.99) and looks for traffic destined to port 514 on the source, rather than from source to destination.
Kiwi Syslog is the destination for the logs, so its IP address (192.168.0.150) should be specified as the `ip.dst`. Syslog typically uses port 514, which would be the `tcp.dstport` for TCP-based syslog, ensuring the filter captures traffic sent to the syslog server on the correct port.
Concept tested: Wireshark filter for source/destination IP and port
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildDisplayFilter.html
Topics
Community Discussion
No community discussion yet for this question.