Network Logs
(OBJ 4.9)
Network Log example
Network Log from a router (screenshot not reproduced)
- Interface
  - Gi0/1, Gi0/2, or Gi0/3
  - Three ports on our router
- Action
  - ALLOW
  - DENY
  - ARP-REPLY
- Details
  - Where the traffic was coming from and going to
- The exam avoids using real public IP addresses and uses private ones instead, to prevent any misunderstandings
  - They will still be shown as public IP addresses
- Lines 3, 4, 8, 9, and 11, 12 are a little suspicious
  - Normally a MAC address is hardcoded into your network adapter, so if it changes like this, somebody had to tell it to change.
  - The fact that it changes within just a couple of seconds tells us that they may be using MAC-changing software to spoof their MAC address.
- Note: 8.8.8.8 on UDP port 53 is totally okay, since this is Google's DNS server
  - 8.8.4.4 is Google's secondary DNS server
- This is a possible ARP spoof event
  - "Look for the same IP address linked to different MAC addresses"
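As an added example that is not part of these notes (and not the exam's own log format), the Python below applies the checks above to a constructed router log: it maps each source IP to the MACs it was seen with (the "same IP, different MAC" rule), separately flags MAC changes that happen within seconds of each other (the pattern that points at MAC-changing software), and marks UDP/53 traffic to 8.8.8.8 or 8.8.4.4 as routine. The log layout, timestamps, addresses and MACs are all made up for the example; only the column names come from the notes.

```python
"""Added example (not from the course notes): triage a router log for a possible
ARP spoof. The log format below is constructed to mimic the Interface / Action /
Details columns the notes describe; every value in it is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, interface, action, source IP (source MAC),
# and for forwarded traffic "-> destination IP:port/protocol".
SAMPLE_LOG = """\
2025-07-25 17:50:01 Gi0/1 ALLOW 10.0.0.5 (00:1a:2b:3c:4d:5e) -> 8.8.8.8:53/UDP
2025-07-25 17:50:02 Gi0/1 ALLOW 10.0.0.5 (00:1a:2b:3c:4d:5e) -> 192.0.2.10:443/TCP
2025-07-25 17:50:03 Gi0/2 ARP-REPLY 10.0.0.1 (aa:bb:cc:dd:ee:01)
2025-07-25 17:50:04 Gi0/2 ARP-REPLY 10.0.0.1 (de:ad:be:ef:00:01)
2025-07-25 17:50:05 Gi0/3 DENY 10.0.0.9 (00:11:22:33:44:55) -> 10.0.0.1:445/TCP
2025-07-25 17:50:07 Gi0/1 ALLOW 10.0.0.5 (00:1a:2b:3c:4d:5e) -> 8.8.4.4:53/UDP
2025-07-25 17:50:09 Gi0/3 ALLOW 10.0.0.9 (00:11:22:33:44:55) -> 10.0.0.7:80/TCP
2025-07-25 17:50:15 Gi0/2 ARP-REPLY 10.0.0.1 (aa:bb:cc:dd:ee:01)
2025-07-25 17:50:16 Gi0/2 ARP-REPLY 10.0.0.1 (de:ad:be:ef:00:01)
2025-07-25 17:50:20 Gi0/3 DENY 10.0.0.9 (00:11:22:33:44:55) -> 10.0.0.1:22/TCP
2025-07-25 17:50:30 Gi0/2 ARP-REPLY 10.0.0.1 (aa:bb:cc:dd:ee:01)
2025-07-25 17:50:31 Gi0/2 ARP-REPLY 10.0.0.1 (de:ad:be:ef:00:01)
2025-07-25 18:20:00 Gi0/3 ARP-REPLY 10.0.0.9 (00:11:22:33:44:66)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>Gi\d+/\d+) (?P<action>ALLOW|DENY|ARP-REPLY) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)"
    r"(?: -> (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)/(?P<proto>[A-Z]+))?$"
)


def parse_log(text):
    """Parse the constructed format into one dict per line (1-based line numbers)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised log line {line!r}")
        e = m.groupdict()
        e["line"] = lineno
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dst_port"] = int(e["dst_port"]) if e["dst_port"] else None
        entries.append(e)
    return entries


def ips_with_multiple_macs(entries):
    """The notes' rule: IPs that were linked to more than one MAC address."""
    macs_by_ip = defaultdict(set)
    for e in entries:
        macs_by_ip[e["src_ip"]].add(e["src_mac"])
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


def rapid_mac_flips(entries, window=timedelta(seconds=5)):
    """Pairs of line numbers where an IP's MAC differs from the MAC seen for the
    same IP within `window`. A single change much later (replaced NIC, DHCP lease
    handed to another host) appears in ips_with_multiple_macs() but not here;
    flips seconds apart are what MAC-changing software produces."""
    last = {}  # src_ip -> most recent entry for that IP
    flips = []
    for e in entries:
        prev = last.get(e["src_ip"])
        if prev and prev["src_mac"] != e["src_mac"] and e["ts"] - prev["ts"] <= window:
            flips.append((prev["line"], e["line"]))
        last[e["src_ip"]] = e
    return flips


KNOWN_DNS_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # Google Public DNS, as in the notes


def is_expected_dns(e):
    """True for UDP/53 traffic to a known public resolver: routine, not suspicious."""
    return e["dst_ip"] in KNOWN_DNS_RESOLVERS and e["dst_port"] == 53 and e["proto"] == "UDP"


def triage(text):
    """Run all three checks over a log and return a summary dict."""
    entries = parse_log(text)
    return {
        "ips_with_multiple_macs": ips_with_multiple_macs(entries),
        "rapid_mac_flips": rapid_mac_flips(entries),
        "expected_dns_lines": [e["line"] for e in entries if is_expected_dns(e)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, macs in sorted(result["ips_with_multiple_macs"].items()):
        print(f"{ip} seen with {len(macs)} MACs: {', '.join(sorted(macs))}")
    for a, b in result["rapid_mac_flips"]:
        print(f"possible ARP spoof: MAC for one IP flipped between lines {a} and {b}")
    print("routine DNS lines:", result["expected_dns_lines"])
```

On the sample log the general rule flags both 10.0.0.1 and 10.0.0.9, but only 10.0.0.1 flips back and forth within seconds (lines 3/4, 8/9 and 11/12); 10.0.0.9 changes once, half an hour later, which is worth a look but is not the rapid-flip pattern the notes describe. The 5-second window is a tunable assumption, not a standard threshold.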