Which set of fields constitutes the five-tuple used in network monitoring?

Multiple Choice

Which set of fields constitutes the five-tuple used in network monitoring?

Explanation:
In network monitoring, a flow is identified by the combination of endpoints and transport characteristics: source IP address, destination IP address, source port, destination port, and the IP protocol number. This five-tuple lets monitoring systems distinguish between different conversations between the same hosts and different services on those hosts (for example, HTTP on port 80 versus SSH on port 22), even if the endpoints are the same. The ports indicate the specific application, and the protocol number shows whether the traffic uses TCP, UDP, or another protocol, while the IP addresses identify the communicating machines.

Fields like source MAC, destination MAC, VLAN, and frame length pertain to the data-link layer and frame details, not the transport-flow identity used in IP-level monitoring. User name, session ID, and device ID are application or session identifiers, not the network flow identifiers used for tracking traffic. DNS name and IP address alone omit the ports and protocol, so they cannot uniquely define a transport-level flow.

So the set that forms the five-tuple used in network monitoring is the one that includes source IP, destination IP, source port, destination port, and the IP protocol number.
