This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark on Windows 7 VM not capturing RDP packets?

0

I am investigating an issue where my Windows 7 VM host is suddenly resetting RDP connections after about 20 minutes. I set up Wireshark captures on both the client and the VM simultaneously. The captures taken from the client are showing the behavior I expected to see; however, when I look at the captures from the VM, no RDP traffic is present in the capture at all. If I ping from the client to the VM, the ICMP packets are captured by Wireshark. I can also see from the netstat command that there is an active TCP connection between my client port and port 3398 on the VM, but still no RDP packets appear in the packet capture.

My suspicion is that the VM's NIC is not passing the RDP packets up to WinPcap. Would this be an appropriate explanation, or could something else be going on? Also curious to see if anyone has experienced the sudden resetting of RDP streams by a VM host.

asked 25 Nov '14, 15:31

Nick-14

edited 25 Nov '14, 15:56

Jim Aragon


One Answer:

3

Are you using RDP to connect to the VM in order to run Wireshark? Wireshark attempts to determine whether you have a remote connection to the machine you're running Wireshark on, and if so, it automatically applies a capture filter to block the remote session's traffic.

You can read about this here on the Wireshark Wiki. Scroll down to the heading "Default Capture Filters." You'll see that when Wireshark detects an RDP session, it applies a capture filter of "not tcp port 3389". If this is what's happening, you'll need to go to the Capture Options dialog and clear the capture filter before you start capturing in order to see the RDP traffic.

answered 25 Nov '14, 15:44

Jim Aragon
accept rate: 24%
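The following Python script is an added illustration of the mechanism described in this answer; it is not code from the original thread or from the Wireshark project. It models what happens to a capture when Wireshark pre-fills the "not tcp port 3389" filter for a remote session versus when the filter is cleared. The packet records and the tiny filter evaluator are constructed for the example (the evaluator understands only a `[not] PROTO [port N]` subset and is not libpcap's BPF compiler); the symptom it reproduces is the one in the question, namely ICMP showing up while every RDP packet is missing.

```python
# Added example (not from the original post or the Wireshark project): a model
# of Wireshark's automatic capture filter for remote sessions. When Wireshark
# believes it runs over RDP it pre-fills "not tcp port 3389", so all RDP packets
# are dropped at capture time while unrelated traffic such as ICMP still appears.

RDP_PORT = 3389
REMOTE_SESSION_DEFAULT_FILTER = "not tcp port 3389"  # filter string quoted from the answer


def default_capture_filter(running_over_rdp: bool) -> str:
    """Capture filter Wireshark pre-fills: the RDP exclusion when it detects a
    remote session, otherwise an empty filter that captures everything."""
    return REMOTE_SESSION_DEFAULT_FILTER if running_over_rdp else ""


def packet_matches(pkt: dict, capture_filter: str) -> bool:
    """Evaluate a toy subset of capture-filter syntax against one packet:
    '', 'PROTO', or 'PROTO port N', each optionally prefixed with 'not'.
    Constructed for this example; real Wireshark hands the string to libpcap."""
    tokens = capture_filter.split()
    if not tokens:
        return True  # empty filter: keep every packet
    negate = False
    if tokens[0] == "not":
        negate = True
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("dangling 'not'")
    result = pkt["proto"] == tokens[0]
    if len(tokens) == 3 and tokens[1] == "port":
        port = int(tokens[2])
        # 'port N' matches either direction of the conversation
        result = result and port in (pkt.get("sport"), pkt.get("dport"))
    elif len(tokens) != 1:
        raise ValueError(f"unsupported filter: {capture_filter!r}")
    return not result if negate else result


def capture(packets, capture_filter: str):
    """Return the packets a capture started with the given filter would retain."""
    return [p for p in packets if packet_matches(p, capture_filter)]


# Constructed sample traffic on the VM's NIC: the RDP exchange with the client,
# the client's ping, and an unrelated DNS lookup.
SAMPLE_PACKETS = [
    {"proto": "tcp", "sport": 52044, "dport": RDP_PORT, "desc": "client -> VM RDP"},
    {"proto": "tcp", "sport": RDP_PORT, "dport": 52044, "desc": "VM -> client RDP"},
    {"proto": "icmp", "desc": "client -> VM echo request"},
    {"proto": "udp", "sport": 60111, "dport": 53, "desc": "VM -> resolver DNS"},
]


def summarize(running_over_rdp: bool) -> dict:
    """Describe what the capture contains for the given session type."""
    flt = default_capture_filter(running_over_rdp)
    kept = capture(SAMPLE_PACKETS, flt)
    rdp = sum(1 for p in kept if RDP_PORT in (p.get("sport"), p.get("dport")))
    return {"filter": flt, "rdp_packets": rdp, "total": len(kept)}


if __name__ == "__main__":
    for remote in (True, False):
        print(f"running over RDP={remote}: {summarize(remote)}")
```

With the remote-session default in place the RDP conversation never reaches the capture file, which is why netstat still shows the connection while Wireshark shows nothing on port 3389; clearing the filter in Capture Options (the empty-string case above) restores every packet.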

Thanks a lot Jim, this is exactly what has been happening, cheers.

(25 Nov '14, 15:58) Nick-14