GCIH · Question #481
What is the best practice for analyzing network traffic in a production environment to minimize the risks associated with such activities?
The correct answer is C. Capture the traffic with tcpdump, then analyze the traffic with wireshark using an unprivileged. Tools which parse data from the network are susceptible to buffer overflows. And wireshark especially has a long history of having issues with buffer overflows. Sniffing traffic as a privileged user would give an attacker administrative access on the machine the network administr
Question
What is the best practice for analyzing network traffic in a production environment to minimize the risks associated with such activities?
Options
- AUse a passive monitoring tool like p0f to capture and analyze the traffic as a privileged user
- BUse the wireshark tool for both capturing and analyzing the traffic as a privileged user
- CCapture the traffic with tcpdump, then analyze the traffic with wireshark using an unprivileged
- DCapture the traffic with wireshark, then analyze the traffic with tcpdump using an unprivileged
How the community answered
(42 responses)- A2% (1)
- B5% (2)
- C90% (38)
- D2% (1)
Explanation
Tools which parse data from the network are susceptible to buffer overflows. And wireshark especially has a long history of having issues with buffer overflows. Sniffing traffic as a privileged user would give an attacker administrative access on the machine the network administrator was running on if the attacker were able to take advantage of a buffer overflow. The safest way to sniff traffic from a network is to use tcpdump to capture the data, as tcpdump has not had the many buffer overflow problems which wireshark has had over the years. After capturing the packets, the network administrator could analyze the pcap file offline using a wireshark as a non-privileged user. The p0f tool is used to identify and fingerprint systems, not identify unusual traffic.
Topics
Community Discussion
No community discussion yet for this question.