
Eccouncil 312-38 Exam - Topic 9 Question 109 Discussion

Actual exam question for Eccouncil's 312-38 exam
Question #: 109
Topic #: 9

A network administrator is monitoring the network traffic with Wireshark. Which of the following filters will she use to view the packets moving without setting a flag to detect TCP Null Scan attempts?

Suggested Answer: A

In Wireshark, the filter used to detect TCP Null Scan attempts is tcp.flags==0. This filter shows packets in which no TCP flags are set, which is indicative of a TCP Null Scan. A TCP Null Scan is a network reconnaissance technique in which the attacker sends TCP packets with no flags set to the target system. If the target system responds with a RST packet, the port is closed, while no response suggests that the port is open or filtered. This method is used because some systems do not log these null packets, allowing the scan to go unnoticed.
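The same check as the tcp.flags==0 filter, written as detection logic over raw IPv4/TCP packets. This is an added example, not part of the original page; the helper names, the `min_ports` threshold and the constructed sample packets (documentation addresses 192.0.2.x) are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FLAG_MASK = 0x0FFF  # flag bits in TCP header bytes 12-13 (data offset masked out)

def tcp_flags(ip_packet: bytes):
    """Return (src_ip, dst_port, flags) for an IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None  # too short, not IPv4, or protocol is not TCP (6)
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = ip_packet[ihl:]
    if len(tcp) < 20:
        return None  # truncated TCP header
    (dst_port,) = struct.unpack("!H", tcp[2:4])
    (off_flags,) = struct.unpack("!H", tcp[12:14])
    src = ".".join(str(b) for b in ip_packet[12:16])
    return src, dst_port, off_flags & FLAG_MASK

def null_scan_sources(packets, min_ports=3):
    """Map each source that sent flag-less TCP segments to at least
    min_ports distinct destination ports (threshold is an assumption)."""
    ports = defaultdict(set)
    for pkt in packets:
        parsed = tcp_flags(pkt)
        if parsed and parsed[2] == 0:        # equivalent of tcp.flags==0
            ports[parsed[0]].add(parsed[1])
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

def build(src, dst, dport, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 0, 0,
                      (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp

TARGET = (192, 0, 2, 9)
SAMPLE = (
    [build((192, 0, 2, 5), TARGET, p, 0x000) for p in (22, 80, 443)]  # null probes
    + [build((192, 0, 2, 7), TARGET, 80, 0x002)]                     # ordinary SYN
    + [build((192, 0, 2, 8), TARGET, 25, 0x000)]                     # single null segment
)

if __name__ == "__main__":
    print(null_scan_sources(SAMPLE))
```

Counting distinct destination ports per source separates a sweep from a single malformed segment; lowering `min_ports` to 1 reproduces the plain filter.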


Andra
2 months ago
Wait, why would anyone use a Null Scan? Sounds sketchy!
upvoted 0 times
...
Refugia
2 months ago
Totally agree, A is the way to go!
upvoted 0 times
...
Nettie
3 months ago
I thought B was correct for some reason.
upvoted 0 times
...
Slyvia
3 months ago
C is just for echo requests, not related to flags.
upvoted 0 times
...
Corinne
3 months ago
A is the right filter for TCP Null Scan.
upvoted 0 times
...
Ronnie
3 months ago
I vaguely recall that TCP flags can be tricky; I might lean towards option B since it has a specific flag value, but I'm not confident.
upvoted 0 times
...
Marguerita
4 months ago
I thought the Null Scan was when no flags are set, so option A seems like the right choice, but I could be mixing it up with another question.
upvoted 0 times
...
Loren
4 months ago
I remember practicing with Wireshark filters, and I feel like option D might be relevant since it involves TCP flags, but I'm not entirely sure.
upvoted 0 times
...
Remona
4 months ago
I think the filter for detecting TCP Null Scan attempts is related to the flags being set to zero, so maybe option A?
upvoted 0 times
...
Brandon
4 months ago
Okay, I've got it! The question is asking for a filter to view packets without a TCP Null Scan, so we want to look for packets with no TCP flags set. That means the answer is A, TCRflags==0x000.
upvoted 0 times
...
Casie
4 months ago
I think the key here is to look for packets with no TCP flags set. So option D, tcp.flags==0x003, seems like the right choice since that would match packets with no flags.
upvoted 0 times
...
Vincenza
4 months ago
Hmm, I'm a bit confused on this one. I'm not sure if the flags in the answers refer to the TCP flags or something else. I'll have to think about this one a bit more.
upvoted 0 times
...
Marylyn
5 months ago
I'm pretty sure the answer is A. The question is asking for a filter to view packets without setting a flag, and TCRflags==0x000 should match packets with no flags set.
upvoted 0 times
...
Janna
5 months ago
Wireshark, huh? Bet the network admin is having a blast filtering through all those packets. Reminds me of the time I had to debug a router issue... talk about a needle in a haystack!
upvoted 0 times
Willie
5 months ago
Yeah, the right filter makes all the difference. What's the go-to?
upvoted 0 times
...
Lacey
5 months ago
I think Tcp.flags==0x000 is a solid choice for that.
upvoted 0 times
...
Lenna
5 months ago
For sure! I once spent hours troubleshooting with it.
upvoted 0 times
...
Katie
5 months ago
Wireshark can be overwhelming sometimes. So many filters!
upvoted 0 times
...
...
Thurman
6 months ago
C. Tcp.dstport==7 is a bit too specific, I doubt that's the answer we're looking for.
upvoted 0 times
Gerry
5 months ago
B) Tcp.flags==0X029
upvoted 0 times
...
Stefania
5 months ago
A) TCRflags==0x000
upvoted 0 times
...
...
Germaine
6 months ago
Haha, B. Tcp.flags==0X029 is just a random hex number, that can't be right!
upvoted 0 times
...
Alberta
6 months ago
Hmm, D. Tcp.flags==0x003 looks good too. Maybe that's the more direct way to check for the flag?
upvoted 0 times
Deeanna
5 months ago
A: I think A) TCRflags==0x000 is the correct filter to use.
upvoted 0 times
...
...
Christiane
7 months ago
Well, I remember from my studies that a TCP Null Scan has the flag set to 0x003, so that's why I think D is the correct answer.
upvoted 0 times
...
Blondell
7 months ago
But why do you think that? Can you explain your rationale?
upvoted 0 times
...
Telma
7 months ago
I think the answer is A. TCRflags==0x000 since it's specifically mentioned as detecting TCP Null Scan attempts.
upvoted 0 times
Matt
5 months ago
Actually, the correct filter to use is D. Tcp.flags==0x003 to detect TCP Null Scan attempts.
upvoted 0 times
...
Cathrine
5 months ago
I'm not sure, but I think B. Tcp.flags==0X029 might be the correct filter to use for detecting TCP Null Scan attempts.
upvoted 0 times
...
Scarlet
6 months ago
No, I believe the correct answer is D. Tcp.flags==0x003 because it is the flag used to detect TCP Null Scan attempts.
upvoted 0 times
...
Giovanna
6 months ago
I think the answer is A. TCRflags==0x000 since it's specifically mentioned as detecting TCP Null Scan attempts.
upvoted 0 times
...
Tamar
7 months ago
User1: I think the answer is A. TCRflags==0x000 since it's specifically mentioned as detecting TCP Null Scan attempts.
upvoted 0 times
...
...
Christiane
7 months ago
I disagree, I believe the correct answer is D) Tcp.flags==0x003.
upvoted 0 times
...
Blondell
7 months ago
I think the answer is A) TCRflags==0x000.
upvoted 0 times
...
