
Ethereal-users: Re: [Ethereal-users] Re: double packets on Win 2000

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Steven Masters <Steven.Masters@xxxxxxxxxxxx>
Date: Wed, 29 Jun 2005 12:54:28 -0400

> This did not occur on our XP box, we have shown this on all Win2000 boxes
> tested so far.

>I beg to differ. We found the same error on XP. It did not happen with
>all drivers. In particular I did not find the problem with any Microsoft
>supplied driver for any card I had to test.

We are an entirely WIN2000 shop except for 1 user with XP, so in my case this did
not occur on our XP box.
On some older traces from March on a WIN2000 box with no firewall ever loaded
we don't see this same behavior, so this
We are building some boxes from scratch and will start to test.

------------------------------------------------------------------------------

>Did you try disabling "Net Firewall Service"? I could leave ZoneLabs
>running and the duplication stopped.

Where do I find "Net Firewall Service" on a WIN2000 box?



Steve Masters
Network Analyst, Senior
(w) 717-240-5561
(c) 717-385-4829
steven.masters@xxxxxxxxxxxx


                                                                           
From: Andrew Hood <ajhood@xxxxxxxxx>
Sent by: ethereal-users-bounces@xxxxxxxxxxxm
Date: 06/29/2005 09:04 AM
To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
cc:
Subject: Re: [Ethereal-users] Re: double packets on Win 2000
Please respond to: Ethereal user support <ethereal-users@ethereal.com>

Steven Masters wrote:
> See below for entire e-mail conversations:
>
> This did not occur on our XP box, we have shown this on all Win2000 boxes
> tested so far.

I beg to differ. We found the same error on XP. It did not happen with
all drivers. In particular I did not find the problem with any Microsoft
supplied driver for any card I had to test.

>                Time stamps on each duplicate entry is different.

By an amount small enough to reflect having passed through some more of
the protocol stack, but not enough to have got onto the wire.

> It is not
> happening on the wire, we spanned the switch port and it is not on the
> port. We also did captures using OPNET and it shows up there also. We are
> now reviewing some old traces to see if this is something new. While some
> of these boxes have sygate running, mine and another box tested do not
> have firewalls up. Now while our standard image does install sygate, we
> (the 2 users without firewalls) use the frequency hopping wireless NIC
> which when used in combination together causes the PC to crash, so we
> de-installed sygate.

Did you try disabling "Net Firewall Service"? I could leave ZoneLabs
running and the duplication stopped.

> Did it leave some DLL's? Could have. We are getting
> our LAN and Desktop group to build up a new PC and will start there to see
> what might be causing this issue. We still don't know
>
> Here is the answer back from OPNET, but I am not comfortable with their
> answer yet.
> "Microsoft networking protocols use the Network Device Interface
> Specification (NDIS) to communicate with network card drivers. Much of the
> OSI model link layer functionality is implemented in the protocol stack.
>
> As explained in FAQ 812, the OPNET capture agent as well as most other Windows
> based capture agents use this interface (NDIS) to capture traces. Now a
> VPN setup running on Windows 2000 with NDIS interface causes the capture of
> duplicate packets in the OPNET capturing agents. Same would be the case for
> any other capture agent running on the same setup (VPN & Win2000). So it is
> a Win2000 specific issue."

As stated above I disagree. It appears to be specific to certain
versions of certain drivers in both Win2K and XP. And probably Win2k3.

> Here is a typical screen shot of our traces and what we are seeing.
> (Embedded image moved to file: pic24484.jpg)
>
>
> ronnie sahlberg wrote:
>
>>I don't think it is an exploit.
>>
>>Do you see the two identical packets twice with a timestamp difference of us?
>
>>I bet you have something like BlackIce installed.
>>Some of those products will cause this "effect" for many sniffers,
>>outgoing packets are captured twice.
>>
>>
>>
>>On 6/24/05, Steven Masters <Steven.Masters@xxxxxxxxxxxx> wrote:
>>
>>
>>>Anybody reporting when capturing your own machine that Win 2000 pro
>>>(client) sends the same packet twice? Maybe a new exploit that has gotten
>>>us? I haven't verified if this is indeed what the wire sees by spanning the
>>>switch port, but maybe this is a bug in Win2000????
>
>
> Harry Moyes and I had this discussion a few weeks back for Windows XP.
> You should be able to find it in the archives and the summary I made of
> our offline research.
>
> The behaviour seems to be related to firewalls and specific drivers. It
> appears that some drivers cause packets to pass the tap point twice if
> "Net Firewall Service" is enabled. We had to disable "Net Firewall
> Service" to stop it.
>
> I upgraded my Intel PRO/1000 MT drivers to the latest version then
> available from Intel and it stopped duping packets, whether "Net
> Firewall Service" was on or off.
>
> Harry who has the same hardware & patch levels tried it and it didn't
> work for him. He had to leave "Net Firewall Service" disabled.
>
> We tried a number of other Ethernet cards all with Microsoft drivers and
> none of them duped packets.



--
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
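The duplicate-frame symptom discussed in this thread, as an added example that is not part of the original posts: a small Python check that separates capture-side duplicates (identical bytes, microsecond gap, sourced by the capturing host) from genuine retransmissions, which repeat the bytes much later. The frames, timestamps and MAC addresses are constructed, and the 100 us threshold is an assumption.

```python
"""Flag frames that show up twice in a capture a few microseconds apart.

Added example, not from the original thread. It models the symptom discussed
above: an outgoing frame captured once going down the protocol stack and again
at the firewall/NDIS tap point, so both copies are byte-identical and only
microseconds apart. A real retransmission repeats the bytes too, but hundreds
of milliseconds later. All frames and MAC addresses here are constructed.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "ts data")  # ts: seconds (float), data: raw bytes

LOCAL_MAC = bytes.fromhex("001122334455")  # constructed capturing host
PEER_MAC = bytes.fromhex("66778899aabb")   # constructed peer

def ethernet(src, dst, payload):
    """Build a minimal Ethernet II frame: dst, src, EtherType IPv4, payload."""
    return dst + src + b"\x08\x00" + payload

# Constructed capture: two outgoing frames duplicated ~30 us later by the
# capture stack, one inbound reply, and one genuine retransmit 300 ms later.
SAMPLE = [
    Frame(10.000000, ethernet(LOCAL_MAC, PEER_MAC, b"GET /a")),
    Frame(10.000031, ethernet(LOCAL_MAC, PEER_MAC, b"GET /a")),  # stack dupe
    Frame(10.004000, ethernet(PEER_MAC, LOCAL_MAC, b"200 OK")),
    Frame(10.010000, ethernet(LOCAL_MAC, PEER_MAC, b"GET /b")),
    Frame(10.010027, ethernet(LOCAL_MAC, PEER_MAC, b"GET /b")),  # stack dupe
    Frame(10.310000, ethernet(LOCAL_MAC, PEER_MAC, b"GET /b")),  # retransmit
]

def find_capture_dupes(frames, max_gap=100e-6, local_mac=None):
    """Return indices of frames byte-identical to an earlier frame seen within
    max_gap seconds. With local_mac set, only frames sourced by that host are
    flagged, since the symptom in the thread affects outgoing packets only."""
    last_seen = {}  # frame bytes -> timestamp of the most recent copy
    dupes = []
    for i, f in enumerate(frames):
        prev_ts = last_seen.get(f.data)
        outgoing = local_mac is None or f.data[6:12] == local_mac
        if prev_ts is not None and f.ts - prev_ts <= max_gap and outgoing:
            dupes.append(i)
        last_seen[f.data] = f.ts
    return dupes

def dedupe(frames, **kw):
    """Drop the capture-side copies so real retransmissions still stand out."""
    drop = set(find_capture_dupes(frames, **kw))
    return [f for i, f in enumerate(frames) if i not in drop]
```

Raising max_gap to a second makes the 300 ms retransmit look like a duplicate too, which is why the threshold should stay in the microsecond range when hunting this symptom.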

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users