How should the analyst collect the traffic to isolate the suspicious host?

An organization’s security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?
A. based on the most used applications
B. by most active source IP
C. by most used ports
D. based on the protocols used
