PrepAway - Latest Free Exam Questions & Answers

Which of the following can help determine where the attack originated from?

Joe, the security administrator, has determined that one of his web servers is under attack. Which of the
following can help determine where the attack originated from?

A. Capture system image

B. Record time offset

C. Screenshots

D. Network sniffing

Explanation:
Network sniffing is the process of capturing and analyzing the packets sent between systems on the
network. A network sniffer is also known as a Protocol Analyzer.
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network
data communications sent between devices on a network. Capturing and analyzing the packets sent to
the web server will help determine the source IP address of the system sending the packets.
Well-known software protocol analyzers include Message Analyzer (formerly Network Monitor) from
Microsoft and Wireshark (formerly Ethereal).
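
The analysis described above, tallying the source IP addresses of packets sent to the web server, shown as an added Python example that is not part of the original explanation. The capture bytes, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

WEB_SERVER = "192.0.2.10"  # constructed address (RFC 5737 documentation range)

def sources_to_server(pcap: bytes, server_ip: str) -> Counter:
    """Count IPv4 source addresses of captured packets addressed to server_ip."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    counts = Counter()
    offset = 24                 # first record follows the 24-byte global header
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header, EtherType 0x0800 = IPv4, then a 20-byte minimum IP header
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = socket.inet_ntoa(frame[26:30])   # IPv4 source address field
        dst = socket.inet_ntoa(frame[30:34])   # IPv4 destination address field
        if dst == server_ip:
            counts[src] += 1
    return counts

def build_sample_capture() -> bytes:
    """Constructed capture: five minimal Ethernet/IPv4 frames, no payload."""
    flows = [("203.0.113.7", WEB_SERVER)] * 3 + [
        ("198.51.100.23", WEB_SERVER),
        (WEB_SERVER, "203.0.113.7"),           # server reply, must not be counted
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (src, dst) in enumerate(flows):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for ip, n in sources_to_server(build_sample_capture(), WEB_SERVER).most_common():
        print(f"{ip}\t{n} packets")
```

The address counted is the one written in the packet header, so it may belong to a proxy or NAT gateway in front of the sender, and for connectionless traffic it can be forged.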
Incorrect Answers:
A: Capturing an image of the system is the process of making an exact copy of the contents of the hard
drive in the system. This would not help in determining the source of an attack on the system.
B: Recording the time offset of the system will determine the difference between the time on the system
and the actual current time. This would not help in determining the source of an attack on the
system.
C: Taking screenshots of the system will not help in determining the source of an attack on the system. A
screenshot is a copy of what is displayed on the computer screen at the time of the screenshot.

http://en.wikipedia.org/wiki/Wireshark

