nerdexam
GIAC

GCIH · Question #481

What is the best practice for analyzing network traffic in a production environment to minimize the risks associated with such activities?

The correct answer is C. Capture the traffic with tcpdump, then analyze the traffic with wireshark using an unprivileged. Tools which parse data from the network are susceptible to buffer overflows. And wireshark especially has a long history of having issues with buffer overflows. Sniffing traffic as a privileged user would give an attacker administrative access on the machine the network administr

Reconnaissance, Scanning, and Enumeration

Question

What is the best practice for analyzing network traffic in a production environment to minimize the risks associated with such activities?

Options

  • AUse a passive monitoring tool like p0f to capture and analyze the traffic as a privileged user
  • BUse the wireshark tool for both capturing and analyzing the traffic as a privileged user
  • CCapture the traffic with tcpdump, then analyze the traffic with wireshark using an unprivileged
  • DCapture the traffic with wireshark, then analyze the traffic with tcpdump using an unprivileged

How the community answered

(42 responses)
  • A
    2% (1)
  • B
    5% (2)
  • C
    90% (38)
  • D
    2% (1)

Explanation

Tools which parse data from the network are susceptible to buffer overflows. And wireshark especially has a long history of having issues with buffer overflows. Sniffing traffic as a privileged user would give an attacker administrative access on the machine the network administrator was running on if the attacker were able to take advantage of a buffer overflow. The safest way to sniff traffic from a network is to use tcpdump to capture the data, as tcpdump has not had the many buffer overflow problems which wireshark has had over the years. After capturing the packets, the network administrator could analyze the pcap file offline using a wireshark as a non-privileged user. The p0f tool is used to identify and fingerprint systems, not identify unusual traffic.

Topics

#network traffic analysis#tcpdump#wireshark#privilege separation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice