A host inside the network has a connection to a known malicious IP with TCP state TIME_WAIT. What is the most likely interpretation?
Correct. TIME_WAIT means the local side has sent FIN and received ACK, waiting for potential retransmission.
Why this answer
The TIME_WAIT TCP state indicates that the local host initiated the close of the connection and is waiting for any delayed packets to arrive before fully releasing the socket. A host enters this state after sending the final ACK of the four-way teardown handshake, meaning it has completed its communication with the remote IP. Therefore, the connection is finished, not ongoing.
Exam trap
Cisco often tests the misconception that TIME_WAIT implies ongoing activity or remote termination, when in fact it specifically indicates the local host has completed the connection closure.
How to eliminate wrong answers
Option B is wrong because TIME_WAIT is entered by the host that performs the active close, not by the remote host; if the remote host had terminated the connection, the local host would show the CLOSE_WAIT or LAST_ACK state instead. Option C is wrong because a scanning tool typically probes ports with SYN, SYN-ACK, or RST packets, and TIME_WAIT is a normal termination state that does not indicate scanning activity. Option D is wrong because an active infection with ongoing communication would show the ESTABLISHED state, not TIME_WAIT, which signifies that the TCP session has already been closed.