
Ethereal-users: Re: [Ethereal-users] Re: double packets on Win 2000

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Steven Masters <Steven.Masters@xxxxxxxxxxxx>
Date: Tue, 28 Jun 2005 08:34:17 -0400
See below for entire e-mail conversations:

This did not occur on our XP box; we have shown this on all Win2000 boxes
tested so far. Time stamps on each duplicate entry are different. It is not
happening on the wire: we spanned the switch port and it is not on the
port. We also did captures using OPNET and it shows up there also. We are
now reviewing some old traces to see if this is something new. While some
of these boxes have Sygate running, mine and another box tested do not
have firewalls up. Now while our standard image does install Sygate, we
(the 2 users without firewalls) use the frequency hopping wireless NIC,
which when used in combination together causes the PC to crash, so we
de-installed Sygate. Did it leave some DLLs? Could have. We are getting
our LAN and Desktop group to build up a new PC and will start there to see
what might be causing this issue. We still don't know.

Here is the answer back from OPNET, but I am not comfortable with their
answer yet.
"Microsoft networking protocols use the Network Device Interface
Specification (NDIS) to communicate with network card drivers. Much of the
OSI model link layer functionality is implemented in the protocol stack.

As explained in FAQ 812, the OPNET capture agent, as well as most other Windows
based capture agents, uses this interface (NDIS) to capture traces. Now a
VPN setup running on Windows 2000 with NDIS interface causes the capture of
duplicate packets in the OPNET capturing agents. Same would be the case for
any other capture agent running on the same setup (VPN & Win2000). So it is
a Win2000 specific issue."

Here is a typical screen shot of our traces and what we are seeing.
(Embedded image moved to file: pic24484.jpg)




Steve Masters
Network Analyst, Senior
(w) 717-240-5561
(c) 717-385-4829
steven.masters@xxxxxxxxxxxx


From: Andrew Hood <ajhood@xxxxxxxxx>
Sent by: ethereal-users-bounces@xxxxxxxxxxxx
To: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>, Ethereal user support <ethereal-users@xxxxxxxxxxxx>
cc:
Date: 06/24/2005 10:34 PM
Subject: Re: [Ethereal-users] Re: double packets on Win 2000
Please respond to: Ethereal user support <ethereal-users@ethereal.com>

ronnie sahlberg wrote:
> I dont think it is an exploit.
>
> Do you see the two identical packets twice with a timestamp difference of
> us?
>
> I bet you have something like BlackIce installed.
> Some of those products will cause this "effect" for many sniffers,
> outgoing packets are captured twice.
>
>
>
> On 6/24/05, Steven Masters <Steven.Masters@xxxxxxxxxxxx> wrote:
>
>>Anybody reporting when capturing your own machine that Win 2000 pro
>>(client) sends the same packet twice. Maybe a new exploit that has gotten
>>us? I haven't verified if this is indeed what the wire sees by spanning
>>the switch port, but maybe this is a bug in Win2000????

Harry Moyes and I had this discussion a few weeks back for Windows XP.
You should be able to find it in the archives and the summary I made of
our offline research.

The behaviour seems to be related to firewalls and specific drivers. It
appears that some drivers cause packets to pass the tap point twice if
"Net Firewall Service" is enabled. We had to disable "Net Firewall
Service" to stop it.

I upgraded my Intel PRO/1000 MT drivers to the latest version then
available from Intel and it stopped duping packets, whether "Net
Firewall Service" was on or off.

Harry, who has the same hardware & patch levels, tried it and it didn't
work for him. He had to leave "Net Firewall Service" disabled.

We tried a number of other Ethernet cards all with Microsoft drivers and
none of them duped packets.

--
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
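The thread's diagnostic question is whether the doubled frames are a capture-side artifact (a firewall or intermediate driver passing outgoing frames by the tap point twice, byte-identical and microseconds apart) or something really on the wire (a retransmission, which carries a different IP ID / sequence number and a much larger gap). The script below, an added example that is not part of the original thread or any poster's code, encodes that distinction: it hashes each raw frame, flags byte-identical frames captured within a small time window, and reports whether the duplicates are outgoing (source MAC is the capturing host) as in the Win2000 reports. The `Frame` records, the MAC addresses and the delta threshold are constructed sample data, not values from the thread.

```python
"""Find capture-side duplicate frames in a list of captured packets.

Added example (not from the mailing-list thread). A capture-side duplicate
is a byte-identical Ethernet frame whose timestamp is only microseconds
after the original; a genuine retransmission differs in header fields
(IP ID, sequence number) and is normally much further apart in time.
"""
import hashlib
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Frame:
    ts_us: int    # capture timestamp in microseconds (constructed sample values)
    data: bytes   # raw Ethernet frame bytes


def src_mac(frame: bytes) -> str:
    """Source MAC from the Ethernet header (bytes 6..11), colon-separated hex."""
    return ":".join(f"{b:02x}" for b in frame[6:12])


def find_capture_duplicates(frames: List[Frame], max_delta_us: int = 1000) -> List[Tuple[int, int, int]]:
    """Return (first_index, dup_index, delta_us) for byte-identical frames
    that were captured within max_delta_us of each other.  Identical bytes
    seen again seconds later (e.g. a retransmitted datagram) are not flagged."""
    by_digest: Dict[bytes, List[int]] = defaultdict(list)
    for idx, f in enumerate(frames):
        by_digest[hashlib.sha256(f.data).digest()].append(idx)
    dupes = []
    for indices in by_digest.values():
        # compare each occurrence only with the next one of the same bytes
        for a, b in zip(indices, indices[1:]):
            delta = frames[b].ts_us - frames[a].ts_us
            if delta <= max_delta_us:
                dupes.append((a, b, delta))
    return dupes


def classify(frames: List[Frame], local_mac: str, max_delta_us: int = 1000) -> Dict[str, int]:
    """Count flagged duplicates by direction.  The artifact described in the
    thread affects only frames sent by the capturing host (outgoing)."""
    counts = {"outgoing": 0, "incoming": 0}
    for a, _, _ in find_capture_duplicates(frames, max_delta_us):
        key = "outgoing" if src_mac(frames[a].data) == local_mac else "incoming"
        counts[key] += 1
    return counts


def build_frame(src: str, dst: str, ip_id: int, payload: bytes = b"x" * 8) -> bytes:
    """Construct a minimal Ethernet II + IPv4 frame (checksum left zero) for
    the sample data below; this is a helper for the example only."""
    eth = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
           + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


# Constructed sample capture: the local host's MAC and peer MAC are made up.
LOCAL_MAC = "00:11:22:33:44:55"
PEER_MAC = "66:77:88:99:aa:bb"
SAMPLE = [
    Frame(1000, build_frame(LOCAL_MAC, PEER_MAC, 1)),       # outgoing
    Frame(1003, build_frame(LOCAL_MAC, PEER_MAC, 1)),       # same bytes, 3 us later: artifact
    Frame(5000, build_frame(PEER_MAC, LOCAL_MAC, 7)),       # reply from the peer
    Frame(9000, build_frame(LOCAL_MAC, PEER_MAC, 2)),       # outgoing
    Frame(9002, build_frame(LOCAL_MAC, PEER_MAC, 2)),       # same bytes, 2 us later: artifact
    Frame(2_000_000, build_frame(LOCAL_MAC, PEER_MAC, 2)),  # same bytes 2 s later: not flagged
]

if __name__ == "__main__":
    for a, b, delta in find_capture_duplicates(SAMPLE):
        print(f"frame {b} duplicates frame {a} ({delta} us later, src {src_mac(SAMPLE[a].data)})")
    print(classify(SAMPLE, LOCAL_MAC))
```

On a real trace the same logic is what Wireshark's `editcap -d` applies when it drops frames identical to a recently seen one; running a check like this before analysis keeps a driver artifact from being mistaken for retransmissions or, as the original poster feared, for an exploit.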

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

Attachment: pic24484.jpg
Description: JPEG image