GIAC
GCIH · Question #698
GCIH Question #698: Real Exam Question with Answer & Explanation
The correct answer is D: 08:54:07.424996 IP 192.168.1.14 > 8.8.8.8: ICMP echo request, id 36234, seq 3, length 64. The tcpdump BPF filter 'icmp and (dst host 8.8.8.8)' matches only ICMP packets where the destination IP address is exactly 8.8.8.8.
Question
Which of the following packets saved in the file pingout.pcap would be returned with the following Berkeley Packet Filter? tcpdump -nn -r pingout.pcap 'icmp and (dst host 8.8.8.8)'
Options
- A. 09:31:00.928389 IP 192.168.1.14.63263 > 8.8.8.8.33595: UDP, length 24
- B. 08:54:07.451392 IP 8.8.8.8 > 192.168.1.14: ICMP echo reply, id 36234, seq 3, length 64
- C. 09:06:09.085200 IP 192.168.1.14.49655 > 8.8.8.8.22: Flags [S], seq 2144394082, win 65535,
- D. 08:54:07.424996 IP 192.168.1.14 > 8.8.8.8: ICMP echo request, id 36234, seq 3, length 64
Explanation
The tcpdump BPF filter 'icmp and (dst host 8.8.8.8)' is a conjunction of two primitives: 'icmp' keeps only packets whose IP protocol field is 1 (ICMP), and 'dst host 8.8.8.8' keeps only packets whose IP destination address is 8.8.8.8. Both conditions must hold, so only the outbound echo request in option D is printed; the parentheses are optional here. Note that 'dst host' tests the destination address only. The echo reply in option B would have matched 'host 8.8.8.8' (either direction) or 'src host 8.8.8.8', which is a common source of confusion when reading ping traffic. The '-nn' flag suppresses host and port name resolution, and '-r pingout.pcap' reads from the saved capture instead of a live interface; neither affects which packets match.
Common mistakes.
- A. This packet uses the UDP protocol rather than ICMP, so it fails the 'icmp' portion of the filter regardless of destination.
- B. While this is an ICMP packet, the destination host is 192.168.1.14 rather than 8.8.8.8, failing the 'dst host 8.8.8.8' condition.
- C. This packet uses TCP as indicated by the SYN flag, not ICMP, so it fails the protocol portion of the filter.
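To show what the filter actually tests on the wire, the following added example (not part of the exam question or of tcpdump) builds four constructed Ethernet/IPv4 frames modelling options A to D and applies the same byte-offset checks that libpcap compiles 'icmp', 'dst host', 'src host' and 'host' into for an Ethernet link layer: EtherType at offset 12, IP protocol at IP offset 9, source address at IP offset 12 and destination address at IP offset 16. The frame contents (ports, sequence numbers, ICMP id/seq) are taken from the option text; everything else, including zeroed checksums and the helper names, is an assumption of this example.

```python
import struct
from ipaddress import IPv4Address

# Constructed frames modelling options A-D; they are not taken from pingout.pcap.
ETH_P_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ETH_LEN, IP_LEN = 14, 20  # Ethernet II header, IPv4 header without options


def ipv4_frame(proto, src, dst, payload=b""):
    """Build an Ethernet II + IPv4 frame. Checksums are left zero: BPF never checks them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_LEN + len(payload), 0x1234, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def icmp_echo(kind, ident, seq):
    """ICMP echo header (type 8 = request, type 0 = reply) padded to the 64 bytes ping sends."""
    return struct.pack("!BBHHH", kind, 0, 0, ident, seq) + b"\x00" * 56


# Option order, not timestamp order.
PACKETS = {
    "A": ipv4_frame(IPPROTO_UDP, "192.168.1.14", "8.8.8.8",
                    struct.pack("!HHHH", 63263, 33595, 32, 0)),
    "B": ipv4_frame(IPPROTO_ICMP, "8.8.8.8", "192.168.1.14", icmp_echo(0, 36234, 3)),
    "C": ipv4_frame(IPPROTO_TCP, "192.168.1.14", "8.8.8.8",
                    struct.pack("!HHIIBBHHH", 49655, 22, 2144394082, 0, 0x50, 0x02, 65535, 0, 0)),
    "D": ipv4_frame(IPPROTO_ICMP, "192.168.1.14", "8.8.8.8", icmp_echo(8, 36234, 3)),
}


def is_ipv4(frame):
    """Link-layer check BPF emits first: EtherType 0x0800 and enough bytes for an IP header."""
    return len(frame) >= ETH_LEN + IP_LEN and frame[12:14] == b"\x08\x00"


def match_icmp(frame):
    """'icmp'  ->  ip[9] == 1"""
    return is_ipv4(frame) and frame[ETH_LEN + 9] == IPPROTO_ICMP


def match_dst_host(frame, host):
    """'dst host X'  ->  ip[16:4] == X"""
    return is_ipv4(frame) and frame[ETH_LEN + 16:ETH_LEN + 20] == IPv4Address(host).packed


def match_src_host(frame, host):
    """'src host X'  ->  ip[12:4] == X"""
    return is_ipv4(frame) and frame[ETH_LEN + 12:ETH_LEN + 16] == IPv4Address(host).packed


def match_host(frame, host):
    """'host X'  ->  src host X or dst host X"""
    return match_src_host(frame, host) or match_dst_host(frame, host)


def select(predicate):
    """Labels of the constructed packets that a filter predicate would let tcpdump print."""
    return [label for label, frame in PACKETS.items() if predicate(frame)]


if __name__ == "__main__":
    g = "8.8.8.8"
    print("icmp and dst host 8.8.8.8 ->", select(lambda f: match_icmp(f) and match_dst_host(f, g)))
    print("icmp and host 8.8.8.8     ->", select(lambda f: match_icmp(f) and match_host(f, g)))
    print("dst host 8.8.8.8          ->", select(lambda f: match_dst_host(f, g)))
```

The exam filter selects only D; swapping 'dst host' for 'host' pulls in the reply (B), and dropping 'icmp' lets the UDP and TCP probes through. On a real system, `tcpdump -d 'icmp and dst host 8.8.8.8'` prints the compiled BPF program, where the same offsets (ldh [12], ldb [23], ld [30]) can be read off directly.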
Concept tested. tcpdump Berkeley Packet Filter syntax: combining a protocol qualifier ('icmp') with a direction-specific host qualifier ('dst host') and understanding that 'dst host' does not match the reverse direction.
Reference. https://www.tcpdump.org/manpages/pcap-filter.7.html