Cisco Exam 300-215 Topic 1 Question 54 Discussion

would not agree with the published answer of B, "tls.handshake.type ==1," as this filter is specifically looking for TLS handshake packets with a type of "client hello." While this could be useful for analyzing network traffic related to a specific TLS connection, it may not necessarily be useful for identifying the HTTP request that caused the Ursnif banking Trojan binary to download. Out of the given options, the most relevant filter for identifying the HTTP request that caused the Ursnif banking Trojan binary to download is A, "http.request.uri matches." This filter allows the engineer to search for HTTP requests that match a specific URI pattern, which could be used to identify the request that triggered the download of the binary. The other two filters, C "tcp.port eq 25" and D "tcp.window_size ==0," are not likely to be relevant for identifying the HTTP request that caused the Ursnif banking Trojan binary to download, as they are specific to TCP traffic and do not directly relate to HTTP traffic. Overall, the choice of filter may depend on the specific details of the Wireshark file and the network traffic that it contains, but I would recommend A, "http.request.uri matches," as the most relevant filter for identifying the HTTP request of interest.