To view only IPsec ESP packets in Wireshark, which display filter would you use?


Multiple Choice

To view only IPsec ESP packets in Wireshark, which display filter would you use?

Explanation:
IPsec ESP is identified in the IP header by the protocol number 50. Filtering with ip.proto == 50 shows only packets where the IP header’s protocol field equals 50, which corresponds to ESP. ESP doesn’t use TCP or UDP ports, so filters like tcp.port or udp.port wouldn’t match ESP traffic, and filtering by a source IP narrows by who sent the packet rather than by the protocol. So this filter is the correct way to view only ESP packets.

