Capture filter remains in capture options after removing/reinstalling


At some point before a capture I added a capture filter in the capture options window (I don't recall that I ever saved the filter itself). After closing and reopening wireshark, the capture filter remains in the capture options window. I have removed wireshark (running on Windows XP), reinstalled, and the same filter still appears. I downgraded and upgraded wireshark versions with no luck- the filter remains. I've searched the registry but cannot find any reg entry that exist with this filter in it. I've copied cfilters from other systems, but that filter keeps showing up. Any ideas of how to get rid of it without reloading the OS?

One Answer:


Are you by any chance accessing the system you run Wireshark on remotely (by RDP or X over SSH)? In that case, Wireshark will fill in a default filter to not capture the RDP or SSH traffic. That's something built into Wireshark and it is not configurable (at the moment).

Actually yes. The capture filter is 'not tcp port 3389'. After logging into the same box via the console and launching wireshark, the capture filter is, of course, not there. Many thanks SYNbit.

You're welcome!

Noted and again, thanks for the help.

