CompTIA CySA+ (CS0-003) — Question 44
A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?
Answer options
- A. Nmap
- B. TCPDump
- C. SIEM
- D. EDR
Correct answer: B
Explanation
TCPDump is a packet-capture and analysis tool that lets the administrator capture and inspect the server's network traffic, so it can show directly whether the server is accumulating half-open TCP connections, a pattern that can indicate a DoS attack. Nmap is primarily a network mapping and scanning tool, a SIEM is focused on collecting and correlating security events, and EDR is designed for endpoint detection and response; none of these captures and analyzes TCP traffic at the packet level the way TCPDump does.