GCIH Question #447: Real Exam Question with Answer & Explanation
The correct answer is D: A TAP, because you cannot easily sniff network traffic through a switch.
Question
Options
- A. A switch, because they will not route malicious ARP packets
- B. A hub, because they are far more reliable than switches
- C. A router, because they enable you to monitor a network without being detected
- D. A TAP, because you cannot easily sniff network traffic through a switch
Explanation
A network TAP (Test Access Point) is a passive hardware device that physically intercepts network traffic and copies it to a monitoring port without disrupting the live connection. It is the preferred tool for capturing full-fidelity network traffic during an incident. The key problem with switches is that they are intelligent: they forward frames only to the intended destination port using MAC address tables, so a device plugged into one port cannot see traffic destined for other ports. A TAP bypasses this limitation entirely by operating at the physical layer. Hubs (Option B) do broadcast all traffic to all ports, but they are obsolete, degrade network performance, and are unreliable in modern environments. A switch (Option A) does not prevent malicious ARP packets and is not useful for passive monitoring. A router (Option C) does not enable stealthy monitoring. A TAP is the industry-standard choice for non-intrusive packet capture during forensic investigation.