An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?
Trap 1: Enable NetFlow on the router and capture flows
NetFlow provides traffic metadata, not full packet captures.
Trap 2: Deploy an ARP spoofing tool to redirect traffic
ARP spoofing manipulates traffic, altering the flow and potentially causing disruption.
Trap 3: Set the NIC to promiscuous mode on the forensic workstation
Promiscuous mode alone does not capture traffic from other switch ports without a tap or mirror.
- A: Enable NetFlow on the router and capture flows
  Why wrong: NetFlow provides traffic metadata, not full packet captures.
- B: Configure a SPAN port on the switch
  Port mirroring (SPAN) copies traffic to a monitor port without interrupting the original flow.
- C: Deploy an ARP spoofing tool to redirect traffic
  Why wrong: ARP spoofing manipulates traffic, altering the flow and potentially causing disruption.
- D: Set the NIC to promiscuous mode on the forensic workstation
  Why wrong: Promiscuous mode alone does not capture traffic from other switch ports without a tap or mirror.