CompTIA CySA+ (CS0-003) — Question 46
A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?
Answer options
- A. grep [IP address] packets.pcap
- B. cat packets.pcap | grep [IP Address]
- C. tcpdump -n -r packets.pcap host [IP address]
- D. strings packets.pcap | grep [IP Address]
Correct answer: C
Explanation
The correct command is C because tcpdump is specifically designed to read packet capture files and filter traffic based on specified hosts. Option A and B utilize grep, which is not tailored for analyzing packet captures as effectively as tcpdump. Option D, while it uses strings to extract readable content, does not provide the necessary filtering capabilities to identify specific IP connections.