This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Who is using “tsclient” on my network?

0

Hello, I respectfully ask if someone can assist me in sniffing out who is "tsclient" on my network.

asked 02 May '12, 10:31

crobinso777
1111
accept rate: 0%

Where did you find that string? Please provide as much information as possible.

BTW: if you are talking about the Linux "Terminal Server Client [tsclient]", there is no chance to detect that with Wireshark, as tsclient is just a GUI wrapper for rdesktop and other remote access tools.

(02 May '12, 10:42) Kurt Knochner ♦

Thanks for your reply!!! Not sure what it is Linux. Just see it on the network on and off. Currently, it's back on the network. Can't ping it, can't remote to it, can't resolve an IP from it....

(02 May '12, 13:24) crobinso777

Where do you see it on the network? Where do you see that string?

(02 May '12, 23:17) Kurt Knochner ♦

Hello Kurt. Actually it is not a string. From a Windows 7 PC, I open up Windows Explorer and browse the "Network" folder. Within that folder I see all of the computers, servers and print devices on my network. I also see "tsclient" in the listing as though it was a computer on my network. However, I cannot ping it, I cannot remote to it, I cannot do anything to it. It's there sometimes and then it is not there. So my goal is to utilize a tool such as Wireshark to help me with monitoring this estranged "tsclient".

(03 May '12, 06:42) crobinso777

One Answer:

0

>> From a Windows 7 PC, I open up Windows Explorer and browse the "Network" folder

O.K., that's the important information. Indeed, it could be a system on your network. You can't ping it because name resolution might not work for that machine (DNS and/or NetBIOS), or it simply does not answer.

If you see that name again, run Wireshark without any capture filter for a few minutes. Then browse the network again. Stop Wireshark and try to find that name in the capture file. I'm not sure if you will find anything, as that depends on your network's structure (Domain: yes/no, Windows 2008 Server: yes/no, etc.). In parallel, run these commands in a DOS box:

nbtstat -n
nbtstat -r
arp -a
ipconfig /displaydns

If you can't interpret all that information yourself, do what you can and come back with that information.

Any further ideas?

Regards
Kurt

answered 03 May '12, 07:29

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
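
Added example, not part of the original answer: a plain text search of a capture for the name can miss it, because NetBIOS name service packets carry names in RFC 1001 first-level encoding and SMB carries them as UTF-16LE. This Python script looks for all three forms in the raw bytes of an uncompressed capture file; the function names are this example's own, the sample bytes are constructed, and it assumes no NetBIOS scope ID is in use.

```python
import re

def nb_encode(name, suffix=0x20):
    """RFC 1001 first-level encoding: 15 chars, space padded, plus a suffix byte."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    # Each byte becomes two letters 'A'..'P', one per nibble.
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def nb_decode(enc):
    """Reverse nb_encode: 32 bytes in 'A'..'P' -> (name, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

# Length byte 0x20, 32 encoded characters, then the empty root label
# (assumption: no NetBIOS scope ID follows the name).
NB_LABEL = re.compile(rb"\x20([A-P]{32})\x00")

def find_name(data, name):
    """Return {encoding: [hits]} for every place `name` occurs in `data`."""
    hits = {"ascii": [], "utf16le": [], "netbios": []}
    for key, needle in (("ascii", name.encode("ascii")),
                        ("utf16le", name.encode("utf-16-le"))):
        for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
            hits[key].append(m.start())
    # Decode every candidate NetBIOS label so any suffix byte is reported.
    for m in NB_LABEL.finditer(data):
        decoded, suffix = nb_decode(m.group(1))
        if decoded.upper() == name.upper():
            hits["netbios"].append((m.start(1), suffix))
    return hits

def build_sample():
    """Constructed bytes standing in for capture data (not a real capture)."""
    nbns_query = (b"\x12\x34\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x20" + nb_encode("tsclient", 0x20) + b"\x00\x00\x20\x00\x01")
    smb_path = "\\\\TSCLIENT\\C".encode("utf-16-le")
    return b"\xaa" * 8 + nbns_query + b"\xbb" * 8 + smb_path

if __name__ == "__main__":
    import sys
    # Pass a capture file path, or run with no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(find_name(data, "tsclient"))
```

The offsets are positions in the file, not packet numbers; they tell you the name is present and in which form, after which the matching packets can be located in Wireshark.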

Great help, Kurt!!! I was able to do "process of elimination" and found the culprit: a Windows Vista machine doing remote sessions. I found this forum session to be very helpful! I am still going to set up a capture to learn more about packet types associated with remote desktop. Thanks again for being responsive, Kurt!! Chris R.

(03 May '12, 08:45) crobinso777

I'm glad I was able to help.

Could you please comment how you actually found the problem?

Thank you!

Regards
Kurt

(03 May '12, 09:27) Kurt Knochner ♦

Well Kurt, all I can say is what I mentioned before regarding seeing tsclient in the network directory from time to time. I began to get a little suspicious in that I could not identify this device on the network and wanted to see what kind of traffic was going to/from this device. At the same time I googled the problem and some of the responses mentioned "Vista Machine". I only have one on the network so I turned the machine off and noticed "tsclient" went away. Turned it back on and there it was again. Strange, but that's what I did. CR

(07 May '12, 12:59) crobinso777