Wireshark-dev: Re: [Wireshark-dev] Remote Desktop Default Filter Change For Windows
From: Pascal Quantin <[email protected]>
Date: Wed, 15 Jul 2015 12:47:57 +0200

2015-07-09 17:30 GMT+02:00 Matthew <[email protected]>:
Hi Wireshark Devs,

In newer versions of Windows® that support the Remote Desktop Protocol
(RDP) version 8.0 or later, Remote Desktop now uses UDP (and falls back
on TCP if unavailable).

In "ui_util.c" on line 331 is:
>        g_string_printf(filter_str, "not tcp port 3389");

This should probably be changed to:
>        g_string_printf(filter_str, "not port 3389");

"When connecting to remote desktop servers running Windows® 8, Windows®
Server 2012, or the RDP 8.0 update for Windows® 7 SP1 via Windows®
Server 2012 RD Gateway, UDP connections may be utilized to improve WAN

I can confirm this is also the case for Windows® Server 2012 R2 (which
came out after that article was written).

For those interested in dissection, a protocol spec. on RDP via UDP is
also available here: https://msdn.microsoft.com/en-us/library/hh536846.aspx

Of course you could add more intelligent logic in to detect if the user
is running an OS version that supports UDP transport (Windows® 7 SP1 and
above), but that's up for debate.

Hope this helps,

Hi Matthew,

Thanks for the report. I uploaded your suggested patch to https://code.wireshark.org/review/#/c/9642 for review.

Best regards,
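
The difference between the two filter strings discussed in this thread, as an added example that is not part of the original messages and is not Wireshark or libpcap code: a hand-written model of "not tcp port 3389" and "not port 3389" applied to constructed IPv4 frames. The function names, the `ETH_IP` macro and the sample frames are hypothetical; IPv6 and SCTP are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RDP_PORT 3389
/* Constructed frames: Ethernet II + IPv4 (IHL 5) + first 8 bytes of the L4 header. */
#define ETH_IP(proto) 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00, \
    0x45,0,0,28, 0,0,0,0, 64,(proto),0,0, 10,0,0,1, 10,0,0,2
const uint8_t tcp_rdp[] = { ETH_IP(6),  0xC0,0x00, 0x0D,0x3D, 0,0,0,0 }; /* TCP dst 3389 */
const uint8_t udp_rdp[] = { ETH_IP(17), 0xC0,0x00, 0x0D,0x3D, 0,8,0,0 }; /* UDP dst 3389 */
const uint8_t udp_dns[] = { ETH_IP(17), 0xC0,0x00, 0x00,0x35, 0,8,0,0 }; /* UDP dst 53 */

struct l4 { uint8_t proto; uint16_t sport, dport; };

/* Extract protocol and ports from an IPv4 TCP/UDP frame; -1 if not applicable. */
static int parse(const uint8_t *f, size_t len, struct l4 *out) {
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;  /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return -1;
    if ((((ip[6] & 0x1F) << 8) | ip[7]) != 0) return -1;  /* later fragment: no ports */
    if (ip[9] != 6 && ip[9] != 17) return -1;             /* only TCP and UDP modelled */
    const uint8_t *hdr = ip + ihl;
    out->proto = ip[9];
    out->sport = (uint16_t)((hdr[0] << 8) | hdr[1]);
    out->dport = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return 0;
}

/* Model of "not tcp port 3389": returns 1 if the frame would be captured. */
int old_filter_captures(const uint8_t *f, size_t len) {
    struct l4 h;
    if (parse(f, len, &h) != 0) return 1;  /* the negated filter passes everything else */
    return !(h.proto == 6 && (h.sport == RDP_PORT || h.dport == RDP_PORT));
}

/* Model of "not port 3389": excludes the port for TCP and UDP alike. */
int new_filter_captures(const uint8_t *f, size_t len) {
    struct l4 h;
    if (parse(f, len, &h) != 0) return 1;
    return !(h.sport == RDP_PORT || h.dport == RDP_PORT);
}

int main(void) {
    printf("frame     old new\n");
    printf("tcp/3389  %d   %d\n", old_filter_captures(tcp_rdp, sizeof tcp_rdp), new_filter_captures(tcp_rdp, sizeof tcp_rdp));
    printf("udp/3389  %d   %d\n", old_filter_captures(udp_rdp, sizeof udp_rdp), new_filter_captures(udp_rdp, sizeof udp_rdp));
    printf("udp/53    %d   %d\n", old_filter_captures(udp_dns, sizeof udp_dns), new_filter_captures(udp_dns, sizeof udp_dns));
    return 0;
}
```

The `udp/3389` row is the case raised in the report: the old default still captures the session's own RDP-over-UDP traffic, while the proposed string excludes it.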