A security analyst is investigating suspicious, repeated outbound connections from a client's workstation to a non-whitelisted external IP address. The analyst uses a packet capture tool to examine the traffic. What is the most effective method for the analyst to isolate packets related to this specific activity?
Capture all inbound traffic originating from the internet.
Apply a display filter for the external destination's IP address.
Apply a display filter for the internal client's IP address.
Start a new capture without any filters and manually search the results.
The most effective method is to apply a display filter that isolates traffic involving the specific external IP address. In a tool like Wireshark, using a filter such as 'ip.addr == x.x.x.x' (where x.x.x.x is the suspicious external IP) will display only the packets sent to or from that address. This eliminates irrelevant network traffic, allowing the analyst to focus efficiently on the potentially malicious communication. Filtering on the internal client's IP address is less effective as it shows all of that client's network activity, not just the suspicious connections. Capturing all traffic without a filter would be highly inefficient.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a network traffic analysis tool?
Open an interactive chat with Bash
How do filters work in network traffic analysis tools?
Open an interactive chat with Bash
Why is using an external destination filter more effective than other methods?