
display filter is green, but capture shows up blank


challenge.101 3.4 question: How many frames have the TCP SYN bit set to 1? frame matches"(?!)set-cookie" is in the display filter; when I hit enter, the sample capture comes in blank. How do I get the capture to display?

2Tonz
asked 2022-05-27 14:07:08 +0000

Comments

Can you add a link to the website where the challenge question comes from?

grahamb (2022-05-28 11:08:00 +0000)

1 Answer


When a filter is 'green', it means that there is no syntax error in the filter itself. The result can still be empty.

Only if you filter for something that is actually present in the capture, the list won't be 'blank'.

TCP SYN bit set to 1: tcp.flags.syn==1

frame matches"(?!)set-cookie": did you mean contains? "(?!)" = Negative Lookahead, why?

André
answered 2022-05-28 21:38:28 +0000
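
Why a filter can be syntactically valid yet show no packets, as an added example that is not part of the original answer. Assumptions: Python's `re` module stands in for the Perl-style regular-expression engine behind `matches`, the frames are constructed sample data, and `(?i)` as the prefix that was meant is a guess.

```python
import re

# Constructed sample "frames" (raw bytes), standing in for packets in a capture.
FRAMES = [
    b"HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nset-cookie: theme=dark\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]


def check_filter(pattern: bytes, frames=FRAMES):
    """Return (syntax_ok, number_of_matching_frames) for a regex pattern.

    syntax_ok corresponds to the filter bar turning 'green': the expression
    parses. The count corresponds to what the packet list shows afterwards.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return False, 0
    return True, sum(1 for f in frames if rx.search(f))


def report():
    patterns = [
        b"(?!)set-cookie",  # empty negative lookahead: valid syntax, can never match
        b"(?i)set-cookie",  # inline case-insensitive flag (assumed intent)
        b"set-cookie",      # no prefix: case-sensitive in Python's re
        b"(?i",             # unterminated group: a syntax error
    ]
    return {p: check_filter(p) for p in patterns}


if __name__ == "__main__":
    for pat, (ok, hits) in report().items():
        print(f"{pat.decode():<18} syntax_ok={ok!s:<5} matching_frames={hits}")
```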

Comments

If filtering from challenge 3-1 q&a, why would the capture be blank?

2Tonz (2022-08-10 16:18:31 +0000)

If filtering from challenge 3-1 q&a

As asked before: where does the challenge question come from?

why would the capture be blank?

Only if you filter for something that is actually present in the capture, the list won't be 'blank'.

André (2022-08-10 19:50:47 +0000)

What do you mean, where the question comes from? The question is: How many frames come to and from 80.78.246.209? This is just a simple ip.addr==80.78.246.209. I apply the filter and the capture comes back blank.

2Tonz (2022-08-10 22:24:38 +0000)

What do you mean, where the question comes from?

To quote grahamb's comment on May 28th: "Can you add a link to the website where the challenge question comes from?"

You cannot assume we know about all challenges / trainings / courses / books out there that contain the word "Wireshark" in the title... So if you want support on a network capture you'll have to provide that here by sharing a link.

So you used ip.addr==80.78.246.209 as a display filter, then the answer is still valid:

  • It is 'green' because the syntax is correct.
  • When no frame in your network capture contains this IP-address, zero frames will be shown in the display when applied.
    Use Statistics / Endpoints to list what is present.

André (2022-08-11 20:10:31 +0000)
