Wireshark-users: Re: [Wireshark-users] Why is default filter 'not tcp port 3389' ?
From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Mon, 28 Aug 2006 10:08:32 +0200
Gerald Combs wrote:
Andrew Schweitzer wrote:
Jee Kay wrote:
On 26/08/06, Ben Stover <bxstover@xxxxxxxxxxx> wrote:

After the installation of Wireshark, the default capture filter is set to
'not tcp port 3389'
Why?
Because you're connecting to the machine via RDP.
I always wondered that myself. Are you saying you are making a connection to your own machine over RDP?

The filter is set automatically if the CLIENTNAME environment variable
is set.  It's supposed to keep you from overrunning your capture with
traffic generated by your Terminal Server / Remote Desktop / RDP
session.  We do something similar for SSH and X11 sessions as well.

According to the TechNet article at

http://technet2.microsoft.com/WindowsServer/en/library/6caf87bf-3d70-4801-9485-87e9ec3df0171033.mspx?mfr=true

CLIENTNAME should only be set for remote sessions.  Is this not the case?
This feature should be explained in the User's Guide.

As I don't know this feature well, could someone write a description of how this works (from a user's point of view)? Just in plain text; I'll reformat it into DocBook/XML then.

Regards, ULFL
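
The behaviour described in this thread, as an added sketch that is not Wireshark's own code: a function that derives a capture filter excluding the operator's own remote session from the environment. Only the CLIENTNAME to 'not tcp port 3389' mapping comes from the thread; the SSH and X11 filter strings, the order of the checks, and the function names are assumptions made for illustration.

```python
import ipaddress
import re

RDP_PORT = 3389        # port in the default filter quoted in the thread
X11_BASE_PORT = 6000   # X11 display N listens on TCP 6000 + N
_NUM = re.compile(r"[0-9]{1,5}")
_HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")
_LOCAL_DISPLAY_HOSTS = {"localhost", "unix"}

def _host_term(addr):
    """Return a BPF host term for a literal IP address, or None if invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return f"{'ip6' if ip.version == 6 else 'ip'} host {ip}"

def session_exclusion_filter(env):
    """Return a capture filter hiding the operator's own remote session.

    env is a mapping such as os.environ; "" means no remote session found.
    Values are validated before use so they cannot alter the filter syntax.
    """
    # SSH_CONNECTION = "client_ip client_port server_ip server_port"
    ssh = env.get("SSH_CONNECTION", "").split()
    if len(ssh) == 4 and _NUM.fullmatch(ssh[1]) and _NUM.fullmatch(ssh[3]):
        client, server = _host_term(ssh[0]), _host_term(ssh[2])
        if client and server:
            return (f"not (tcp port {ssh[1]} and {client} "
                    f"and tcp port {ssh[3]} and {server})")
    # DISPLAY = "host:display[.screen]"; an empty host is a local display
    host, _, disp = env.get("DISPLAY", "").rpartition(":")
    number = disp.split(".")[0]
    if (_HOSTNAME.fullmatch(host) and host not in _LOCAL_DISPLAY_HOSTS
            and _NUM.fullmatch(number)):
        return f"not (tcp port {X11_BASE_PORT + int(number)} and host {host})"
    # CLIENTNAME set: treated as an RDP session, as described in the thread
    if env.get("CLIENTNAME"):
        return f"not tcp port {RDP_PORT}"
    return ""
```

Passing `os.environ` to `session_exclusion_filter` shows which variable, if any, would cause a session filter to be proposed on the current machine.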