Computer Hacking Forensic Investigator (CHFI v10) — Question 407
As a Computer Hacking Forensics Investigator, you are analyzing a TCP dump of network traffic during a suspected breach. During the investigation, you noticed that the “Packets dropped by kernel” count was unusually high. Given that the network has a high load, what could be the most probable reason for this situation?
Answer options
- A. The Tcpdump tool was run without the -c flag, causing it to capture packets indefinitely
- B. The TCP packets were not matching the input expression of Tcpdump
- C. The Boolean expression used with Tcpdump was too restrictive, missing some packets
- D. The buffer space in the OS running Tcpdump was insufficient, leading to dropped packets
Correct answer: D
Explanation
The correct answer is D. Under high network load, the kernel can receive packets faster than tcpdump reads them out of its capture buffer; once that buffer is full, the kernel discards the excess, and those discards are what the "packets dropped by kernel" counter reports. Option A is incorrect because running tcpdump without the -c flag only makes it capture indefinitely; it has no effect on buffer size or on drops. Option B is misleading: packets that do not match the capture filter are simply not counted as captured, not reported as dropped by the kernel. Option C suggests an overly restrictive Boolean expression, which would reduce the number of packets captured but would not explain a high kernel drop count under load.