CompTIA CySA+ (CS0-003) — Question 478

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

Answer options

• A. Change the display filter to ftp.active.port
• B. Change the display filter to tcp.port==20
• C. Change the display filter to ftp-data and follow the TCP streams
• D. Navigate to the File menu and select FTP from the Export objects option

Correct answer: C

Explanation

The correct answer is C because the ftp-data filter specifically captures the data transfer packets associated with the FTP protocol, allowing the analyst to see the actual file contents. Option A is incorrect as ftp.active.port does not filter for data transfer packets. Option B focuses on the control connection and not the data transfer, while option D is about exporting objects rather than filtering the display for analysis.