During a routine check, a security analyst notices that several outbound connections to unfamiliar external IP addresses have been made from a server within the company's network. There is no documented business need for these communications. Which tool should the analyst use to capture and analyze the traffic between the server and these IP addresses for further investigation?
Wireshark is the correct answer because it is widely used for packet capture and analysis, allowing the analyst to observe the data being transmitted to and from the server in question. This can help in determining the nature of the traffic and whether it is indeed malicious. tcpdump could also capture the traffic but lacks the comprehensive analysis features found in Wireshark, making it less suitable for deeper investigation in this scenario. SNMP is a protocol for managing and monitoring devices on IP networks, not for packet analysis. WHOIS is used to query registration databases for information about domain names and IP addresses, which might be a subsequent step but is not the primary tool for capturing and analyzing live traffic.