In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.
Let’s evaluate the options:
A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.
B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. They help assess whether the IP belongs to a known threat actor or a suspicious hosting provider.
C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn’t match your user's location, it raises red flags.
D. ARP (Address Resolution Protocol): ❌ ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses, which operate at Layer 3 of the OSI model.
Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.
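As an added example (not part of the original explanation or the CEH material), the following Python triage helper shows the distinction the question turns on: given an address from an alert, it decides whether the address is globally routable, and therefore a candidate for reverse DNS, WHOIS and geolocation, or a private/link-local/loopback address, where only local sources such as the ARP cache are meaningful. It uses only the standard library, builds the reverse-DNS (PTR) query name offline, and performs no network lookups; the sample address 8.8.8.8 is a well-known public resolver used purely as input.

```python
import ipaddress

# Attribution sources that apply to a globally routable (Layer 3) address.
PUBLIC_LOOKUPS = ("reverse DNS (PTR)", "WHOIS", "geolocation")
# Sources that apply only inside the local segment (Layer 2 / LAN).
LOCAL_LOOKUPS = ("ARP cache / switch MAC table", "DHCP lease records")


def classify_ip(ip_str):
    """Describe how an IP taken from an alert should be attributed.

    Returns a dict with 'scope' == 'public' for globally routable addresses
    (DNS/WHOIS/geolocation apply) or 'scope' == 'local' for addresses that
    never leave the LAN (only ARP-style MAC-to-IP mapping applies).
    Works for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.is_global:
        return {
            "ip": str(ip),
            "scope": "public",
            # PTR name for a reverse lookup, e.g. 8.8.8.8 -> 8.8.8.8.in-addr.arpa
            "ptr_query": ip.reverse_pointer,
            "lookups": PUBLIC_LOOKUPS,
        }
    # Order matters: Python's ipaddress treats loopback and link-local
    # ranges as 'private' too, so test the narrower properties first.
    if ip.is_loopback:
        reason = "loopback"
    elif ip.is_link_local:
        reason = "link-local"
    elif ip.is_private:
        reason = "private range (RFC 1918 / ULA)"
    else:
        reason = "reserved or otherwise non-routable"
    return {"ip": str(ip), "scope": "local", "reason": reason, "lookups": LOCAL_LOOKUPS}


if __name__ == "__main__":
    # Constructed sample inputs, as they might appear in an alert.
    for sample in ("8.8.8.8", "10.0.0.5", "169.254.1.1", "fe80::1"):
        print(classify_ip(sample))
```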
Reference: Module 02 – Public IP Analysis Tools (WHOIS, DNS, IP Lookup); CEH iLabs: IP Attribution and Threat Hunting using WHOIS & Geolocation.