GIAC Certified Enterprise Defender (GCED) — Question 2
An analyst will capture traffic from an air-gapped network that does not use DNS. The analyst is looking for unencrypted Syslog data being transmitted. Which of the following is most efficient for this purpose?
Answer options
- A. tcpdump -s0 -i eth0 port 514
- B. tcpdump -nnvvX -i eth0 port 6514
- C. tcpdump -nX -i eth0 port 514
- D. tcpdump -vv -i eth0 port 6514
Correct answer: B
Explanation
The correct answer is B because it includes the necessary flags to capture and display detailed packet information along with the payload, which is essential for identifying unencrypted Syslog data over port 6514. Options A and C focus on port 514, which is typically used for unencrypted Syslog, but they lack the detailed verbosity needed for thorough analysis. Option D captures data on the correct port but does not provide the additional details that the analyst requires.