
312-50V9 Question #96: Real Exam Question with Answer & Explanation

The correct answer is D: tcp.port == 25 and ip.host == 192.168.0.125.

Question

What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

Options

  • A. tcp.src == 25 and ip.host == 192.168.0.125
  • B. host 192.168.0.125:25
  • C. port 25 and host 192.168.0.125
  • D. tcp.port == 25 and ip.host == 192.168.0.125

Explanation

Wireshark display filters use a field-based syntax with comparison operators and logical keywords to isolate traffic by protocol, port, and IP address.

Common mistakes.

  • A. The field 'tcp.src == 25' matches only traffic where port 25 is the source port, missing inbound traffic, and 'ip.host' alone does not correctly filter bidirectional host traffic in standard Wireshark syntax.
  • B. The syntax 'host 192.168.0.125:25' is not valid in either BPF capture filter or Wireshark display filter notation and would produce a parse error.
  • C. 'port 25 and host 192.168.0.125' is valid BPF capture filter syntax but does not restrict traffic to TCP specifically, and it uses BPF notation rather than Wireshark display filter field syntax.

Concept tested. Wireshark display filter syntax for TCP port and host.

Reference. https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
