Wireshark · Ethereal-users: Re: [Ethereal-users] Re: double packets on Win 2000

[Andrew Hood <ajhood@xxxxxxxxx>]

ronnie sahlberg wrote:
> I dont think it is an exploit.
> 
> Do you see the two identical packets twice with a timestamp difference of us?
> 
> I bet you have something like BlackIce installed.
> Some of those products will cause this "effect" for many sniffers,   
> outgoing packets are captured twice.
> 
> 
> 
> On 6/24/05, Steven Masters <Steven.Masters@xxxxxxxxxxxx> wrote:
> 
>>Any body reporting when capturing your own machine that Win 2000 pro
>>(client) sends the same packet twice. Maybe a new exploit that has gotten
>>us? I haven't verified if this is indeed what the wire see by spanning the
>>switch port, but maybe this is a bug in Win2000????

Harry Moyes and I had this discussion a few week back for Windows XP.
You should be able to find it in the archives and the summary I made of
our offline research.

The behaviour seems to be related to firewalls and specific drivers. It
appears that some drivers cause packets to pass the tap point twice if
"Net Firewall Service" is enabled. We had to disable "Net Firewall
Service" to stop it.

I upgraded my Intel PRO/1000 MT drivers to the latest version then
available from Intel and it stopped duping packets, whether "Net
Firewall Service" was on or off.

Harry who has the same hardware & patch levels tried it and it didn't
work for him. He had to leave "Net Firewall Service" disabled.

We tried a number of other Ethernet cards all with Microsoft drivers and
none of them duped packets.

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who