
display filter is green, but capture shows up blank

asked 2022-05-27 14:07:08 +0000

2Tonz

challenge.101 3.4 question: How many frames have the TCP SYN bit set to 1? frame matches"(?!)set-cookie" is in the display filter; when I hit enter, the sample capture comes in blank. How do I get the capture to display?


Comments

Can you add a link to the website where the challenge question comes from?

grahamb ( 2022-05-28 11:08:00 +0000 )

1 Answer


answered 2022-05-28 21:38:28 +0000

André

When a filter is 'green', it means that there is no syntax error in the filter itself. The result can still be empty.

Only if you filter for something that is actually present in the capture, the list won't be 'blank'.

TCP SYN bit set to 1: tcp.flags.syn==1

frame matches"(?!)set-cookie": did you mean contains? "(?!)" = Negative Lookahead, why?


Comments

If filtering from challenge 3-1 q&a, why would the capture be blank?

2Tonz ( 2022-08-10 16:18:31 +0000 )

If filtering from challenge 3-1 q&a

As asked before: where does the challenge question come from?

why would the capture be blank?

Only if you filter for something that is actually present in the capture, the list won't be 'blank'.

André ( 2022-08-10 19:50:47 +0000 )

What do you mean, where the question comes from? The question is: How many frames come to and from 80.78.246.209? This is just a simple ip.addr==80.78.246.209. I apply the filter and the capture comes back blank.

2Tonz ( 2022-08-10 22:24:38 +0000 )

What do you mean, where the question comes from?

To quote grahamb's comment on May 28th: "Can you add a link to the website where the challenge question comes from?"

You cannot assume we know about all challenges / trainings / courses / books out there that contain the word "Wireshark" in the title... So if you want support on a network capture you'll have to provide that here by sharing a link.

So you used ip.addr==80.78.246.209 as a display filter, then the answer is still valid:

  • It is 'green' because the syntax is correct.
  • When no frame in your network capture contains this IP-address, zero frames will be shown in the display when applied.
    Use Statistics / Endpoints to list what is present.
André ( 2022-08-11 20:10:31 +0000 )
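
An added example (not part of the thread and not Wireshark code) that models the point made in the answer, using Python's `re` module as a stand-in for the filter's regex engine: a pattern can be syntactically valid, which is what 'green' reports, and still match zero frames. The frame payloads are constructed, `evaluate` is a hypothetical helper, and `(?i)` (the case-insensitive flag) is included only for comparison with the `(?!)` negative lookahead.

```python
import re

# Constructed payloads standing in for frame bytes (not the asker's capture).
FRAMES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: id=abc123; HttpOnly\r\n\r\n",
    b"HTTP/1.1 302 Found\r\nset-cookie: theme=dark\r\nLocation: /\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # binary bytes, no HTTP text
]


def evaluate(pattern, frames=FRAMES):
    """Model the two separate checks a regex filter goes through.

    Returns ("red", None) when the pattern does not compile (syntax error),
    otherwise ("green", [indexes of frames the pattern matches]).
    A "green" result with an empty list is the blank packet list.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return ("red", None)
    return ("green", [i for i, frame in enumerate(frames) if rx.search(frame)])


def never_matches(pattern, probes=(b"", b"set-cookie", b"Set-Cookie: x")):
    """True when a valid pattern fails on every probe, as an empty lookahead does."""
    rx = re.compile(pattern)
    return not any(rx.search(p) for p in probes)


if __name__ == "__main__":
    for pat in (rb"(?!)set-cookie", rb"(?i)set-cookie", rb"(?!set-cookie"):
        state, hits = evaluate(pat)
        print(f"{pat.decode():<18} {state:<6} matching frames: {hits}")
    # "(?!)" asserts that the empty string does NOT follow; that assertion
    # fails at every position, so anything written after it is never reached.
    print("(?!) can never match:", never_matches(rb"(?!)"))
```
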


Stats

Asked: 2022-05-27 14:06:15 +0000

Seen: 476 times

Last updated: May 28 '22