Wireshark-users: Re: [Wireshark-users] Why is default filter 'not tcp port 3389' ?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 28 Aug 2006 10:12:53 +0200 (CEST)
Hi,

There's a nice commentblock in util.c that explains this:

/* Try to figure out if we're remotely connected, e.g. via ssh or
   Terminal Server, and create a capture filter that matches aspects of the
   connection.  We match the following environment variables:

   SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
   SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
   REMOTEHOST (tcsh, others?): <remote name>
   DISPLAY (x11): [remote name]:<display num>
   CLIENTNAME (terminal server): <remote name>
 */

Thanx,
Jaap

On Mon, 28 Aug 2006, Ulf Lamping wrote:

> Gerald Combs wrote:
> > Andrew Schweitzer wrote:
> >
> >> Jee Kay wrote:
> >>
> >>> On 26/08/06, Ben Stover <bxstover@xxxxxxxxxxx> wrote:
> >>>
> >>>
> >>>> After the installation of WireShark the default Capture filter is set to
> >>>> 'not tcp port 3389'
> >>>> Why ?
> >>>>
> >>> Because you're connecting to the machine via RDP.
> >>>
> >> I always wondered that myself. Are you saying you are making a
> >> connection to your own machine over RDP?
> >>
> >
> > The filter is set automatically if the CLIENTNAME environment variable
> > is set.  It's supposed to keep you from overrunning your capture with
> > traffic generated by your Terminal Server / Remote Desktop / RDP
> > session.  We do something similar for SSH and X11 sessions as well.
> >
> > According to the TechNet article at
> >
> > http://technet2.microsoft.com/WindowsServer/en/library/6caf87bf-3d70-4801-9485-87e9ec3df0171033.mspx?mfr=true
> >
> > CLIENTNAME should only be set for remote sessions.  Is this not the case?
> >
> This feature should be explained in the User's Guide.
>
> As I don't know this feature well, could someone write a description how
> this is working (in a user related view). Just in plain text, I'll
> reformat it into docbook/XML then.
>
> Regards, ULFL
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>