Wireshark-users: Re: [Wireshark-users] Why is default filter 'not tcp port 3389' ?
From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Sun, 27 Aug 2006 23:33:10 -0400
Hello Gerald,

>>> Gerald Combs <gerald@xxxxxxxxxxxxx> 08/27/06 10:31 PM >>>
> [snip]
> The filter is set automatically if the CLIENTNAME environment variable
> is set.  It's supposed to keep you from overrunning your capture with
> traffic generated by your Terminal Server / Remote Desktop / RDP
> session.  We do something similar for SSH and X11 sessions as well.
> [snip]
> CLIENTNAME should only be set for remote sessions.  Is this not the case?

I submitted a message to the ethereal-dev list back in February about a
change to util.c's get_conn_cfilter() that occurred in SVN 16826:

  http://www.ethereal.com/lists/ethereal-dev/200602/msg00080.html

I believe the current logic creates the capture filter 'not tcp port 3389'
if the environment variable "CLIENTNAME" exists regardless of its value.

Prior to the SVN 16826 change, the test was more than simply a presence
test for the "CLIENTNAME" environment variable but also included a test to
see if the CLIENTNAME variable had the value of "Console" (e.g.
CLIENTNAME=Console).

The capture filter of 'not tcp port 3389' would NOT be defined if
"CLIENTNAME" had the (case-insensitive) value of "Console".

Short of making source level changes, one workaround for this problem is
to start Wireshark with the -f command line option with an empty capture
filter, e.g. "-f ".  It's important to include the ASCII space character
after the -f option to suppress the insertion of the 'not tcp port 3389'
capture filter.

I hope you find this info useful.

Sincerely,

Jim Young
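The two behaviours Jim describes, side by side, as an added illustration that is not part of the original thread and is not Wireshark's own get_conn_cfilter() code. The functions take the CLIENTNAME value as an argument (rather than calling getenv()) so both variants can be exercised without touching the process environment; the effective_cfilter() helper is an assumption about how an explicit "-f " argument overrides the automatic filter, modelled on the workaround in the message, and its name and signature are invented for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The filter the thread says is inserted for Remote Desktop sessions. */
#define RDP_CFILTER "not tcp port 3389"

/* Case-insensitive string equality (portable stand-in for strcasecmp). */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Behaviour the message attributes to post-SVN-16826 code: a bare presence
 * test.  Any CLIENTNAME value, including "Console", yields the filter.
 * clientname == NULL models the variable being unset. */
const char *rdp_cfilter_presence_only(const char *clientname)
{
    return clientname != NULL ? RDP_CFILTER : NULL;
}

/* Behaviour the message attributes to pre-SVN-16826 code: the filter is set
 * only when CLIENTNAME exists AND its value is not "Console" (compared
 * case-insensitively), i.e. only for a genuine remote session. */
const char *rdp_cfilter_with_console_check(const char *clientname)
{
    if (clientname == NULL)
        return NULL;
    if (ci_equal(clientname, "Console"))
        return NULL;
    return RDP_CFILTER;
}

/* Assumed override semantics for the "-f " workaround: a filter given on the
 * command line, even the empty string, replaces the automatic one; only the
 * absence of -f (NULL here) lets the automatic filter through.  The space in
 * "-f " matters because it makes the argument an empty string rather than
 * no argument at all. */
const char *effective_cfilter(const char *cli_filter, const char *auto_filter)
{
    if (cli_filter != NULL)
        return cli_filter;
    return auto_filter != NULL ? auto_filter : "";
}

int main(void)
{
    /* Constructed sample values for CLIENTNAME; "Console" is what the
     * message says a local (non-RDP) session carries. */
    const char *samples[] = { NULL, "Console", "CONSOLE", "MYLAPTOP" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *v = samples[i];
        const char *new_f = rdp_cfilter_presence_only(v);
        const char *old_f = rdp_cfilter_with_console_check(v);
        printf("CLIENTNAME=%-9s presence-only: %-18s console-check: %s\n",
               v ? v : "(unset)",
               new_f ? new_f : "(none)",
               old_f ? old_f : "(none)");
    }

    /* The workaround: "-f " supplies an empty filter that wins over the
     * automatically inserted one. */
    printf("with \"-f \": '%s'\n",
           effective_cfilter("", rdp_cfilter_presence_only("Console")));
    printf("without -f: '%s'\n",
           effective_cfilter(NULL, rdp_cfilter_presence_only("Console")));
    return 0;
}
```

Running it shows the difference in one line: with CLIENTNAME=Console the presence-only variant still returns 'not tcp port 3389', while the console-check variant returns nothing, which is exactly the regression the message reports. The last two lines show why the trailing space in "-f " is load-bearing under the assumed override rule.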