Which protocol is expected to have NTP a user agent, host, and referrer headers in a packet capture?

A. NTP
B. HTTP
C. DNS
D. SSH

8 thoughts on “Which protocol is expected to have NTP a user agent, host, and referrer headers in a packet capture?”

  1. We can break the question up to make this easier to understand.

    First, the end of the question tells you “Packet Capture”, or a PCAP; this will be used with either TCPDUMP or Wireshark.

    Next, let’s look at the start of the question: “Which Protocol is expected to have USER, HOST, and Reference HEADERS”

    DNS and NTP do not carry HOST or User Headers so they are out. That leaves HTTP | SSH.

    Deeper into the USER side, we see we need USER “agent” information. From Cisco Firepower information we get this information detail:

    application protocols such as HTTP and SSH, which represent communications between hosts

    The protocol data of SSH does not hold protocol data with USER AGENT, thus leaving only HTTP as the answer from the section:

    Client: HTTP – Type is User Agent

    Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Detection.html

    This further aligns with SANS: The User Agent Field: “The requirement is to extract all unique user agent fields in the HTTP request headers and also extract HTTP request headers that do not contain user agents”

    https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874

  2. The real question should be

    Which protocol is expected to have a user agent, host, and referrer headers in a packet capture?

    That is HTTP. If you ever look at an HTTP pcap file, you will find most of the time a user agent (browser and OS), a host and a referer (URL where this request came from).

  3. I just attended the test. NTP should be removed from the question, and HTTP is a valid answer/option on the test.

  4. Someone attempted the exam and he says there is no HTTP in the answers; it is HTIP.

    Also, some people say the right answer is “C”.

    Honestly, I don’t know what is the right answer.

  5. It’s B, the question has a typo, so remove “NTP” from the question.

    The HTTP referer is an HTTP request header. In the HTTP header field it identifies the address of the webpage that linked to the resource being requested.

    Fields in the header are User-Agent, Host and Referer.
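
To make the comparison in the comments concrete, the following is an added example, not code from the original page or from any commenter. It walks application-layer payloads, recognises HTTP requests by their request line, pulls out Host, User-Agent and Referer, and applies the SANS requirement quoted in comment 1 (collect unique user agents and list requests that carry none). The payloads are constructed samples, and the names `parse_http_request` and `summarize` are hypothetical.

```python
import re

# Constructed payloads, as they would look after reassembly from a capture.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"      # HTTP, all three headers
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Referer: http://www.example.com/start\r\n\r\n",
    b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\n\r\n",    # HTTP, no User-Agent
    b"SSH-2.0-OpenSSH_8.9\r\n",                                   # SSH version banner
    bytes.fromhex("1a2b01000001000000000000")                     # DNS query header
    + b"\x07example\x03com\x00\x00\x01\x00\x01",                  # ... and question
    b"\x23" + b"\x00" * 47,                                       # NTP client packet
]

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")
WANTED = ("host", "user-agent", "referer")

def parse_http_request(payload):
    """Return the WANTED headers as a dict, or None if this is not an HTTP request."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    found = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")   # split on the first colon only
        key = name.strip().lower().decode("latin-1")
        if sep and key in WANTED:
            found[key] = value.strip().decode("latin-1")
    return found

def summarize(payloads):
    """Return (unique user agents, hosts of requests lacking one, non-HTTP count)."""
    unique_agents, missing_agent, non_http = set(), [], 0
    for payload in payloads:
        headers = parse_http_request(payload)
        if headers is None:
            non_http += 1
        elif "user-agent" in headers:
            unique_agents.add(headers["user-agent"])
        else:
            missing_agent.append(headers.get("host", "<no host>"))
    return unique_agents, missing_agent, non_http

if __name__ == "__main__":
    print(summarize(SAMPLE_PAYLOADS))
```

Only the two HTTP payloads yield any of the three headers; the SSH banner and the binary DNS and NTP messages have no text header lines to parse.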
