Exam CS0-003 topic 1 question 114 discussion

Correct The -n flag ensures that numeric IP addresses are not resolved to hostnames, and the -r flag specifies the input pcap file. The host [IP address] expression filters packets that involve the specified IP address, helping the security analyst detect connections to the suspicious IP address.

The command tcpdump -n -r packets.pcap host [IP address] is used to read packets from a packet capture file (packets.pcap) and display only those packets that involve the specified IP address. Here's a breakdown of the command options: tcpdump: The command itself, which is used to capture and analyze network traffic. -n: This option instructs tcpdump to display IP addresses numerically (in dotted-decimal notation) rather than resolving them to hostnames. -r packets.pcap: Specifies the input file (packets.pcap) from which to read packets. host [IP address]: Specifies a filter expression to display packets involving the specified IP address.

C) tcpdump TCPdump is used to collect packets, which is the tool the security analyst would be used.

C. tcpdump -n -r packets.pcap host [IP address]: This command uses tcpdump to read from the packets.pcap file (-r packets.pcap) and filters traffic to and from the specified host (host [IP address]). The -n flag prevents DNS name resolution, making the output easier to read. This is the most suitable option for this specific task.