Do you see duplicated packets in just one direction (e.g. duplicated inbound
or outbound packets)? I mean, ALL the inbound and/or ALL the outbound
packets.
I remembered of people having such problems years ago with some personal
firewalls. I don't remember which firewalls. But it's been years since we
had reports of such problems on the WinPcap users mailing list.
The problem is usually due to how these firewalls operate. Instead of using
the documented methods to filter the packets (NDIS IM drivers or TDI
filters), they usually hijack the networking stack using hooks and similar,
and the overall effect is that the WinPcap kernel driver (the component that
actually captures the packets for Wireshark) gets notified twice of inbound
and/or outbound packets.
In this case there is no workaround to the problem apart from using a
different firewall :-(
Have a nice day
GV
----- Original Message -----
From: "Chris Swinney" <swin@xxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, June 20, 2008 2:45 AM
Subject: Re: [Wireshark-users] Running Wireshark on a PC with a
firewallinstalled (Comodo). Odd things happening with an H323 callvia a
gatekeeper.
I have run a capture on the local machine initiating the call. I seem to
capture the same packet multiple times. Is these because Wireshark captures
packets at different points in the stack?
No matter how I capture the packets, it seems that the Video Conferencing
program is simply communicating in two different ways. The packet that is
sent for the H225 admissionRequest contains different information if the
firewall is set to "Allow ALL", or is turned on but with All ports and All
protocols allowed. I just can't figure out why this is so.
Chris
-----Original Message-----
From: Chris Swinney
Sent: 19 June 2008 01:42
To: Community support list for Wireshark
Subject: [Wireshark-users] Running Wireshark on a PC with a
firewallinstalled (Comodo). Odd things happening with an H323 callvia a
gatekeeper.
Hi,
With Wireshark running on a PC with a firewall running (Comodo), will
Wireshark capture packets of information before or after the firewall has
had an effect?
Something very odd is happening on a machine intended to be use for H323
video conferences. I have run a trace using a in line network tap and found
the following to be true.
Something strange is going on here. It not that the packets are blocked (I
think), it's that the information in the call admission requests packet is
different. With Comodo set to "Allow ALL", the PC will send an H225 request
to the gatekeeper. Some data within the packet is regarding the destination
of the call and one item set is called "dialedDigits" with its payload being
the number dialled, e.g. "111". The gatekeeper then responds with a Accept
admission and returns the ip address of the dialled number. A call can then
be placed.
However, when Comodo set in custom mode, the request is still made but the
this time the item set is "h323-ID" with the same payload, e.g. "111".
However, this time the gatekeeper doesn't understand the request and rejects
it. The calling PC then goes on to query DNS, that responds with some IP so
a second request is made using the returned IP from DNS, which has no
relevance to anything. The gatekeeper understands what an IP address is
though and so says OK, and the call is then attempted to be set up with this
random IP! Of course, it does not happen.
With me so far? I'm not sure if I am! I captured this information via
sniffing the traffic both from the PC and the return using an inline tap. I
will also run a Wireshark trace on the PC that has Comodo installed.
This is very repeatable, but I don't know what or why it is happening.
Chris
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
