A security analyst is reviewing a packet capture in wireshar - CompTIA CySA+ CSO-003

The correct answer is: C. Change the display filter to ftp-data and follow the TCP streams

• This is the correct answer because ftp-data refers to the data channel used in an FTP session for transferring files. In FTP, there are two channels: the control channel (usually on port 21) for sending commands (like RETR) and the data channel for transferring actual files.
• When a file is transferred, it's done through the data channel (ftp-data), which is often on a dynamic port, and Wireshark might not show the data packets by default with just a filter on ftp. By changing the filter to ftp-data, the analyst can see the actual file transfer packets. Using the "Follow TCP Stream" option will allow the analyst to view the entire content of the transferred file in the conversation.

Why the Other Options Are Incorrect:

Change the display filter to ftp.active.port

• This is incorrect because ftp.active.port is not a standard Wireshark display filter. FTP typically operates using a dynamic port for the data transfer in active mode, but this filter would not specifically isolate the file transfer data. It's not the most effective approach to view the file content.

Change the display filter to tcp.port==20

• This is incorrect because TCP port 20 is commonly used for FTP data in active mode, but it is not a definitive filter for capturing the data channel in modern FTP sessions, especially if passive mode (using dynamic ports) is being used for the file transfer. Filtering by TCP port 20 will only show traffic related to FTP data transfers in active mode, and it might miss passive mode traffic.

Navigate to the File menu and select FTP from the Export objects option

• This is incorrect because the Export Objects option in Wireshark is typically used to extract files from HTTP or other protocols where objects are explicitly served by the server. FTP file transfers do not work in the same manner as HTTP, so this option would not apply to FTP sessions, and it won't show the contents of the files that were transferred.