This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter remains in capture options after removing/reinstalling

0

At some point before a capture I added a capture filter in the capture options window (I don't recall that I ever saved the filter itself). After closing and reopening wireshark, the capture filter remains in the capture options window. I have removed wireshark (running on Windows XP), reinstalled, and the same filter still appears. I downgraded and upgraded wireshark versions with no luck- the filter remains. I've searched the registry but cannot find any reg entry that exist with this filter in it. I've copied cfilters from other systems, but that filter keeps showing up. Any ideas of how to get rid of it without reloading the OS?

asked 09 Mar '11, 11:15

ethertype0x9000's gravatar image

ethertype0x9000
6112
accept rate: 0%


One Answer:

1

Are you by any chance accessing the system you run Wireshark on remotely (by RDP or X over SSH)? In that case, Wireshark will fill in a default filter to not capture the RDP or SSH traffic. That's something built into Wireshark and it is not configurable (at the moment).

answered 09 Mar '11, 11:45

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Actually yes. The capture filter is 'not tcp port 3389'. After logging into the same box via the console and launching wireshark, the capture filter is, of course, not there. Many thanks SYNbit.

(09 Mar '11, 11:56) ethertype0x9000

You're welcome!

(I converted your "answer" into a "comment" as that's the way this site works, see the FAQ. You might also want to "accept" the answer by clicking on the check-mark next to the answer, that way the question will not show up in the list of unanswered questions :-))

(09 Mar '11, 12:11) SYN-bit ♦♦

Noted and again, thanks for the help.

(09 Mar '11, 12:23) ethertype0x9000