Ethereal-users: Re: [Ethereal-users] Question: Excluding Terminal Services or VNC on remote scan
Since there are actually two fields matching tcp.port (source and destination address), your filter will only exclude traffic if BOTH ports are 3389.
Instead, try !(tcp.port==3389), which will exclude traffic if EITHER port is set to 3389.
Interesting little logic quirk. You also run into the same type of thing if you try to use "ip.addr != 10.10.10.10", for example.
Ian
On Oct 8, 2003, at 3:23 PM, Bergin, Rob wrote:
Hi all,

First time poster, long time sniffer.

I want to know that if I run Ethereal on a remote PC and then display the capture I want a way to exclude out all of the remote control software (i.e. Terminal Services TCP Port 3389).

I did some searching and I can see that I can do a capture filter and/or a display filter. But I can’t get either to work.

I tried: tcp.port != 3389

And it has not worked so far.

Any thoughts, thanks in advance.

Rob
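Added example, not part of the original thread and not Ethereal code: a small Python model of the "any occurrence" matching described in the reply above, run over a constructed capture to show which packets each filter form displays. The packet dictionaries, function names and the MULTI table are assumptions made for illustration.

```python
# Model of display-filter matching on multi-occurrence fields, as described
# in the thread: a comparison is true if ANY occurrence of the field matches.
from operator import eq, ne

# Fields that expand to two occurrences per packet (assumed mapping).
MULTI = {
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "ip.addr": ("ip.src", "ip.dst"),
}

def field_values(packet, field):
    """Return every occurrence of a field present in the packet."""
    return [packet[name] for name in MULTI.get(field, (field,))]

def any_match(packet, field, op, value):
    """True if at least one occurrence of the field satisfies the comparison."""
    return any(op(v, value) for v in field_values(packet, field))

def port_ne(packet):
    """Models: tcp.port != 3389"""
    return any_match(packet, "tcp.port", ne, 3389)

def port_not_eq(packet):
    """Models: !(tcp.port == 3389)"""
    return not any_match(packet, "tcp.port", eq, 3389)

def addr_ne(packet):
    """Models: ip.addr != 10.10.10.10"""
    return any_match(packet, "ip.addr", ne, "10.10.10.10")

def addr_not_eq(packet):
    """Models: !(ip.addr == 10.10.10.10)"""
    return not any_match(packet, "ip.addr", eq, "10.10.10.10")

# Constructed sample capture (not real traffic).
PACKETS = [
    {"name": "rdp-to-server", "ip.src": "10.10.10.20", "ip.dst": "10.10.10.10",
     "tcp.srcport": 49152, "tcp.dstport": 3389},
    {"name": "rdp-from-server", "ip.src": "10.10.10.10", "ip.dst": "10.10.10.20",
     "tcp.srcport": 3389, "tcp.dstport": 49152},
    {"name": "http", "ip.src": "10.10.10.20", "ip.dst": "10.10.10.30",
     "tcp.srcport": 49153, "tcp.dstport": 80},
]

def displayed(filter_fn):
    """Names of the packets a filter would leave on screen."""
    return [p["name"] for p in PACKETS if filter_fn(p)]

if __name__ == "__main__":
    for fn in (port_ne, port_not_eq, addr_ne, addr_not_eq):
        print(f"{fn.__doc__:<40} -> {displayed(fn)}")
```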