EC-Council

312-50V9 · Question #69

312-50V9 Question #69: Real Exam Question with Answer & Explanation

The correct answer is D: They use the same packet capture utility. Wireshark (formerly Ethereal), TCPDump, and Snort all capture traffic through libpcap (WinPcap, now Npcap, on Windows), so the capture layer is the one component the three tools share.

Question

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

Options

  • A. They are written in Java.
  • B. They send alerts to security monitors.
  • C. They use the same packet analysis engine.
  • D. They use the same packet capture utility.

Explanation

Wireshark (formerly Ethereal), TCPDump, and Snort all depend on libpcap (WinPcap, now Npcap, on Windows) as the underlying packet capture library. libpcap opens the interface, compiles the capture-filter expression into a BPF program, and hands raw frames to the tool; Snort 2.9 and later reach it through the DAQ layer, whose default module wraps libpcap. Because the capture layer is shared, so is its savefile format: a capture written with tcpdump -w opens unchanged in Wireshark and replays in Snort with -r. What each tool does with the frames afterwards (decoding, printing, rule matching) is its own code.

Common mistakes.

  • A. None of the three is written in Java. All three are C code bases (with C++ in Wireshark's Qt front end and in Snort 3) that link against the native libpcap library.
  • B. TCPDump and Wireshark capture and decode traffic but have no alerting function; only Snort matches packets against rules and raises alerts. Alerting is what sets Snort apart from the other two, not something the three share.
  • C. Each tool has its own analysis engine: Wireshark decodes with its dissector framework, Snort matches packets against its rule set, and TCPDump prints with its own per-protocol printers. The one piece they do share, libpcap, also compiles the BPF capture-filter syntax (pcap_compile), which is why the same expression such as "tcp and port 80" is accepted by all three; that is capture-side filtering, not a shared analysis engine.

Concept tested. Shared libpcap packet capture library across security tools
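Worked example. The shared capture layer also fixes the on-disk format: the savefile that tcpdump -w writes is the libpcap format described in pcap-savefile(5), and Wireshark opens it and Snort replays it with -r without any conversion. The Python below is added to this page as an illustration; it is not code from the exam, from the site, or from the tcpdump, Wireshark or Snort projects. It parses that format from memory, detecting byte order and timestamp precision from the magic number (the two cases a reader must handle), decodes Ethernet/IPv4/TCP|UDP headers, and applies a Python stand-in for a BPF capture filter. The frames, addresses and timestamps are constructed inline for the example and are not real traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Magic numbers from pcap-savefile(5). A writer uses its host byte order, so a
# reader must accept both; the second magic marks nanosecond timestamps.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17

@dataclass
class Packet:
    ts: float        # capture time, seconds since the epoch
    orig_len: int    # length on the wire; larger than len(data) if snaplen truncated it
    data: bytes      # captured bytes, starting at the link-layer header

def parse_pcap(buf: bytes) -> Tuple[int, List[Packet]]:
    """Parse an in-memory libpcap savefile; returns (linktype, packets)."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", buf, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap savefile: bad magic %r" % buf[:4])
    ts_div = 1e9 if magic == MAGIC_NSEC else 1e6
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", buf, 4)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported savefile version %d.%d" % (vmaj, vmin))
    packets, off = [], 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        # A record never holds more than snaplen bytes, nor more than was on the wire.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(buf):
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        packets.append(Packet(ts_sec + ts_frac / ts_div, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, packets

def decode(pkt: Packet) -> Dict[str, object]:
    """Decode Ethernet/IPv4 and the TCP or UDP port pair; {} for anything else."""
    d = pkt.data
    if len(d) < 34 or d[12:14] != b"\x08\x00" or d[14] >> 4 != 4:
        return {}
    hdr = {"src": ".".join(map(str, d[26:30])), "dst": ".".join(map(str, d[30:34])), "proto": d[23]}
    l4 = 14 + (d[14] & 0x0F) * 4
    if d[23] in (IPPROTO_TCP, IPPROTO_UDP) and len(d) >= l4 + 4:
        hdr["sport"], hdr["dport"] = struct.unpack_from("!HH", d, l4)
    return hdr

def select(packets: List[Packet], proto: Optional[int] = None, port: Optional[int] = None) -> List[Packet]:
    """Python stand-in for a BPF capture filter such as 'tcp and port 80'.
    In the real tools libpcap's pcap_compile()/pcap_setfilter() do this, which is
    why tcpdump, Wireshark and Snort all accept the same filter syntax."""
    out = []
    for p in packets:
        h = decode(p)
        if proto is not None and h.get("proto") != proto:
            continue
        if port is not None and port not in (h.get("sport"), h.get("dport")):
            continue
        out.append(p)
    return out

def build_pcap(frames, big_endian=False, nanosecond=False, snaplen=65535) -> bytes:
    """Write a savefile for constructed frames (test data for this example, not real traffic)."""
    e = ">" if big_endian else "<"
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = struct.pack(e + "IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_frac, frame in frames:
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(frame), len(frame)) + frame
    return out

def eth_ipv4(proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed; checksums left zero)."""
    if proto == IPPROTO_TCP:   # 20-byte TCP header with only the SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + l4

# Constructed sample capture: an HTTP SYN, a DNS query and an HTTPS SYN.
SAMPLE_FRAMES = [
    (1700000000, 1000, eth_ipv4(IPPROTO_TCP, 40000, 80)),
    (1700000000, 2000, eth_ipv4(IPPROTO_UDP, 53000, 53, b"\x12\x34\x01\x00")),
    (1700000001, 0, eth_ipv4(IPPROTO_TCP, 40001, 443)),
]

if __name__ == "__main__":
    for be in (False, True):
        _, pkts = parse_pcap(build_pcap(SAMPLE_FRAMES, big_endian=be, nanosecond=be))
        for p in select(pkts, proto=IPPROTO_TCP, port=80):
            print("%.9f %s -> %s:%d" % (p.ts, decode(p)["src"], decode(p)["dst"], decode(p)["dport"]))
```

Run stand-alone, it writes the same three frames as a little-endian microsecond file and as a big-endian nanosecond file, parses both back, and prints the one frame that matches "tcp and port 80" from each. Written to disk, either variant is a valid input for tcpdump -r, Wireshark and snort -r, which is the practical consequence of the shared library the question is testing.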

Reference. https://www.tcpdump.org/manpages/pcap.3pcap.html
