GIAC Certified Incident Handler (GCIH) — Question 144

Which of the following packets saved in the file pingout.pcap would be returned with the following Berkley Packet Filters? tcpdump -nn -r pingout.pcap `˜icmp and (dst host 8.8.8.8)'

Answer options

• A. 09:31:00.928389 IP 192.168.1.14.63263 > 8.8.8.8.33595: UDP, length 24
• B. 08:54:07.451392 IP 8.8.8.8 > 192.168.1.14: ICMP echo reply, id 36234, seq 3, length 64
• C. 09:06:09.085200 IP 192.168.1.14.49655 > 8.8.8.8.22: Flags [S], seq 2144394082, win 65535, options [mss 1460,sackOK,eol], length 0
• D. 08:54:07.424996 IP 192.168.1.14 > 8.8.8.8: ICMP echo request, id 36234, seq 3, length 64

Correct answer: A

Explanation

The correct answer is A, which is a UDP packet and does not match the ICMP filter. Options B and D are ICMP packets, but B is an ICMP echo reply and D is an ICMP echo request, both of which do not meet the criteria of being 'returned' as per the filter. Option C is a TCP packet and also does not match the filter criteria.