nerdexam
GIAC

GPEN · Question #218

GPEN Question #218: Real Exam Question with Answer & Explanation

The correct answer is D. Data link layer. Network sniffers operate at the Data Link layer (Layer 2) because they capture raw Ethernet frames directly from the network interface by placing the NIC in promiscuous mode.

Question

In which layer of the OSI model does a sniffer operate?

Options

  • ANetwork layer
  • BSession layer
  • CPresentation layer
  • DData link layer

Explanation

Network sniffers operate at the Data Link layer (Layer 2) because they capture raw Ethernet frames directly from the network interface by placing the NIC in promiscuous mode.

Common mistakes.

  • A. The Network layer (Layer 3) handles IP routing and logical addressing; sniffers do not operate here because they capture frames before IP processing occurs.
  • B. The Session layer (Layer 5) manages dialog control between applications and has no role in raw packet capture at the hardware/frame level.
  • C. The Presentation layer (Layer 6) handles data formatting and encryption/decryption, which is above the frame-capture level where sniffing takes place.

Concept tested. OSI layer at which network sniffers operate

Reference. https://learn.microsoft.com/en-us/windows-hardware/drivers/network/ndis-packet-coalescing

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full GPEN Practice