3. A MAC address does not uniquely identify an IP address.
4. NICs can be made with duplicate MAC addresses.
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 1, 2, 3, and 4
186. d. Each media access control/medium access control (MAC) frame contains two MAC addresses: the MAC address of the NIC that just routed the frame and the MAC address of the next NIC the frame is being sent to. Besides the MAC addresses, each frame's payload contains either Internet protocol (IP) or address resolution protocol (ARP) data. When IP is used, each IP address maps to a particular MAC address. Multiple IP addresses can map to a single MAC address, so a MAC address does not uniquely identify an IP address. There have been cases in which manufacturers have accidentally created network interface cards (NICs) with duplicate MAC addresses, leading to networking problems and spoofing attacks.
187. For network data analysis, a host computer can be identified by which of the following?
a. Analyzing physical components
b. Reviewing logical aspects
c. Mapping an IP address to the MAC address of a NIC
d. Mapping multiple IP addresses
187. c. For events within a network, an analyst can map an Internet protocol (IP) address (i.e., a logical identifier at the IP layer) to the media access control/medium access control (MAC) address of a particular network interface card (NIC) (i.e., a physical identifier at the physical layer), thereby identifying a host of interest. Analyzing physical components and reviewing logical aspects are each only a partial approach. Mapping multiple IP addresses does not identify a host.
188. Regarding network data analysis, which of the following can tell a security analyst which application was most likely used or targeted?
a. IP number and port numbers
b. Network interface card
c. NIC and MAC address
d. IP and ARP
188. a. The combination of the Internet protocol (IP) number (IP layer field) and port numbers (transport layer fields) can tell an analyst which application was most likely used or targeted.
Network interface card (NIC) is incorrect because it is a physical device and a part of the data link layer; it cannot tell a security analyst which application was most likely used or targeted.
Media access control/medium access control (MAC) address is incorrect because it is a part of the data link layer and cannot tell a security analyst which application was most likely used or targeted.
Address resolution protocol (ARP) is incorrect because it is a part of the hardware layer (data link layer) and cannot tell a security analyst which application was most likely used or targeted.
189. For network traffic data sources, firewalls and routers do not typically record which of the following?
a. Date and time the packet was processed
b. Source IP address
c. Destination IP address
d. Packet contents
189. d. Firewalls and routers do not record the contents of packets. Instead, they are usually configured to log basic information for most or all denied connection attempts and connectionless packets; some log every packet. Information logged typically includes the date and time the packet was processed, the source and destination IP addresses, and the transport layer protocol (e.g., TCP, UDP, and ICMP) and basic protocol information (e.g., TCP or UDP port numbers and ICMP type and code).
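The three explanations above (questions 187, 188, and 189) describe one analysis workflow: take the header fields a firewall or router actually logs, map the IP address to a NIC's MAC address to identify the host, and use the IP number plus the transport-layer port to infer the application. The following Python script is an added example written for this page, not code from the question bank. The log layout, the log lines, and the IP-to-MAC table are all constructed for illustration (the `proto=/src=/dst=` format is hypothetical, not any vendor's real syntax); the well-known port table is a small subset of the IANA assignments.

```python
"""Correlating network data sources to identify a host and its likely application.

Added example: parses constructed firewall log lines that carry only the fields
the explanation lists (timestamp, action, transport protocol, source/destination
IP, ports), then resolves each flow to a NIC via an IP-to-MAC table and to a
probable application via the destination port. Packet contents are never
present, matching what firewalls and routers typically record.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines in a hypothetical syslog-like layout.
FIREWALL_LOG = """\
2024-03-01T10:15:02Z DENY proto=TCP src=10.0.0.25:51234 dst=203.0.113.7:22
2024-03-01T10:15:03Z DENY proto=UDP src=10.0.0.25:51235 dst=203.0.113.7:53
2024-03-01T10:15:04Z ALLOW proto=TCP src=10.0.0.31:40001 dst=203.0.113.7:443
2024-03-01T10:15:05Z DENY proto=ICMP src=10.0.0.99 dst=203.0.113.7 type=8 code=0
"""

# Constructed ARP-style table. Several IP addresses may share one MAC address
# (question 186), so the lookup direction is IP -> MAC, never MAC -> one IP.
ARP_TABLE = {
    "10.0.0.25": "00:11:22:33:44:55",
    "10.0.0.26": "00:11:22:33:44:55",  # second address on the same NIC
    "10.0.0.31": "66:77:88:99:aa:bb",
}

# Subset of IANA well-known ports. Port-to-application mapping is a heuristic,
# which is why the explanation says "most likely" rather than "certainly".
WELL_KNOWN_PORTS = {
    ("TCP", 22): "ssh",
    ("TCP", 25): "smtp",
    ("TCP", 80): "http",
    ("TCP", 443): "https",
    ("UDP", 53): "dns",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass
class Flow:
    timestamp: str
    action: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def parse_firewall_log(text):
    """Extract the header-level fields from each log line (question 189)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised layout: skip rather than guess at fields
        flows.append(Flow(
            m["ts"], m["action"], m["proto"],
            m["src"], int(m["sport"]) if m["sport"] else None,
            m["dst"], int(m["dport"]) if m["dport"] else None,
        ))
    return flows


def host_mac(ip, arp_table=ARP_TABLE):
    """Question 187: identify a host by mapping its IP address to a NIC's MAC."""
    return arp_table.get(ip)


def likely_application(flow, ports=WELL_KNOWN_PORTS):
    """Question 188: IP number plus transport port -> probable application."""
    if flow.dst_port is None:
        return None  # ICMP carries no port, so no application can be inferred
    return ports.get((flow.proto, flow.dst_port), "unknown")


def summarize(text):
    """One tuple per flow: when, which host (IP and MAC), target, application."""
    return [
        (f.timestamp, f.src_ip, host_mac(f.src_ip), f.dst_ip, likely_application(f))
        for f in parse_firewall_log(text)
    ]


if __name__ == "__main__":
    for row in summarize(FIREWALL_LOG):
        print(row)
```

Two points the output makes visible: the two flows from 10.0.0.25 resolve to the same NIC as 10.0.0.26 would, and the ICMP entry yields no application at all, since the inference depends on a transport-layer port that ICMP does not have.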
190. Packet sniffers are commonly used to capture network traffic data for which of the following purposes?
1. Troubleshooting purposes
2. Investigative purposes
3. Marketing purposes
4. Strategic purposes
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
190. c. Packet sniffers are designed to monitor network traffic on wired or wireless networks and capture packets. Packet sniffers are commonly used to capture a particular type of traffic for troubleshooting (operational) or investigative (legal) purposes, which are technical purposes. For example, if IDS alerts indicate unusual network activity between two hosts, a packet sniffer could record all the packets between the hosts, potentially providing additional information for analysts. The marketing and strategic purposes are not relevant here because the question refers to the operational and legal purposes.
191. A network-based intrusion detection system (IDS) does not do or contain which of the following?
a. Perform packet sniffing
b. Analyze network traffic
c. Possess correction capabilities
d. Possess prevention capabilities