Wireshark-dev: [Wireshark-dev] Remote Desktop Default Filter Change For Windows
From: Matthew <[email protected]>
Date: Thu, 9 Jul 2015 16:30:35 +0100
Hi Wireshark Devs,

In newer versions of Windows® that support the Remote Desktop Protocol
(RDP) version 8.0 or later, Remote Desktop now uses UDP (and falls back
on TCP if unavailable).

In "ui_util.c" on line 331 is:
>        g_string_printf(filter_str, "not tcp port 3389");

This should probably be changed to:
>        g_string_printf(filter_str, "not port 3389");

"When connecting to remote desktop servers running Windows® 8, Windows®
Server 2012, or the RDP 8.0 update for Windows® 7 SP1 via Windows®
Server 2012 RD Gateway, UDP connections may be utilized to improve WAN

I can confirm this is also the case for Windows® Server 2012 R2 (which
came out after that article was written).

For those interested in dissection, a protocol spec on RDP via UDP is
also available here: https://msdn.microsoft.com/en-us/library/hh536846.aspx

Of course you could add more intelligent logic in to detect if the user
is running an OS version that supports UDP transport (Windows® 7 SP1 and
above), but that's up for debate.

Hope this helps,
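What the two default capture filters actually keep, shown as an added example that is not part of this message or of Wireshark's own code: a small Python model of the libpcap semantics of "not tcp port 3389" versus "not port 3389", run over constructed Ethernet/IPv4 frames. The model covers only the subset of the "port" primitive that matters here (TCP and UDP, source or destination port); the real primitive also matches SCTP and IPv6 and skips non-first IP fragments, which this model does not reproduce. The frames, addresses and payloads are constructed for the demonstration.

```python
import struct

RDP_PORT = 3389
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_frame(frame):
    """Return (ip_proto, src_port, dst_port) for an Ethernet II / IPv4 frame.

    Non-IPv4 frames return (None, None, None); IPv4 frames that carry neither
    TCP nor UDP return the protocol number with None for both ports.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return (None, None, None)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (handles IP options)
    proto = ip[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP put source and destination port in the first 4 bytes.
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        return (proto, sport, dport)
    return (proto, None, None)


def old_filter_keeps(frame):
    """Model of "not tcp port 3389": drops only TCP with 3389 on either side."""
    proto, sport, dport = parse_frame(frame)
    return not (proto == IPPROTO_TCP and RDP_PORT in (sport, dport))


def new_filter_keeps(frame):
    """Model of "not port 3389": drops TCP or UDP with 3389 on either side."""
    proto, sport, dport = parse_frame(frame)
    return not (proto in (IPPROTO_TCP, IPPROTO_UDP) and RDP_PORT in (sport, dport))


def build_frame(proto, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == IPPROTO_TCP:
        # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        # ports, UDP length (header + payload), checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


# Constructed sample traffic: RDP over TCP, RDP over UDP, and two unrelated flows.
SAMPLE_FRAMES = {
    "rdp_tcp": build_frame(IPPROTO_TCP, 50000, RDP_PORT, b"\x03\x00\x00\x13"),
    "rdp_udp": build_frame(IPPROTO_UDP, 50001, RDP_PORT, b"\x00" * 16),
    "https":   build_frame(IPPROTO_TCP, 50002, 443),
    "dns":     build_frame(IPPROTO_UDP, 50003, 53),
}


def apply_filter(frames, keep):
    """Return the names of the frames a capture using this filter would record."""
    return sorted(name for name, f in frames.items() if keep(f))


if __name__ == "__main__":
    # The old filter still records the UDP leg of the Remote Desktop session.
    print("not tcp port 3389 keeps:", apply_filter(SAMPLE_FRAMES, old_filter_keeps))
    print("not port 3389 keeps:    ", apply_filter(SAMPLE_FRAMES, new_filter_keeps))
```

To check the real thing rather than the model, `tcpdump -d 'not port 3389'` prints the BPF program libpcap compiles for the filter, so you can see which IP protocol numbers it tests before comparing the ports.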