Wireshark-users: Re: [Wireshark-users] Running Wireshark on a PC with afirewallinstalled (Comodo)
From: "Chris Swinney" <[email protected]>
Date: Fri, 20 Jun 2008 20:37:34 +0100
Well, funnily enough I am dealing with an old system. It is based on
Windows 2000 with Comodo v2 personal firewall working on the NDIS
driver. The duplicate packets are seen just in the outbound traffic, and
although they are a little disconcerting, I am not worried about them
too much. I was more interested to know what was going on. It doesn't
happen with every packet, mainly the initial SYN packets etc.

I read in another post the Wireshark sits across many layers of the OSI
system, so thought that this might have something to do with it, but I
understand your description of what might be happening. 

As a side note, there is an advanced feature in the firewall to turn on
advanced packet analysis to application that use other protocols such as
Wincap - according the help that is. I have not tried this with a packet
capture as it takes more processing and I have solved the original issue
(see in anther post).

I don't think I have seen another fire for windows that is so
configurable, yet simple to use and best of all is totally FREE for all
use.

Chris 

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Gianluca
Varenni
Sent: 20 June 2008 16:52
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Running Wireshark on a PC with
afirewallinstalled (Comodo). Odd things happening with an H323callvia a
gatekeeper.

Do you see duplicated packets in just one direction (e.g. duplicated
inbound 
or outbound packets)? I mean, ALL the inbound and/or ALL the outbound 
packets.

I remembered of people having such problems years ago with some personal

firewalls. I don't remember which firewalls. But it's been years since
we 
had reports of such problems on the WinPcap users mailing list.

The problem is usually due to how these firewalls operate. Instead of
using 
the documented methods to filter the packets (NDIS IM drivers or TDI 
filters), they usually hijack the networking stack using hooks and
similar, 
and the overall effect is that the WinPcap kernel driver (the component
that 
actually captures the packets for Wireshark) gets notified twice of
inbound 
and/or outbound packets.
In this case there is no workaround to the problem apart from using a 
different firewall :-(

Have a nice day
GV

----- Original Message ----- 
From: "Chris Swinney" <[email protected]>
To: "Community support list for Wireshark"
<[email protected]>
Sent: Friday, June 20, 2008 2:45 AM
Subject: Re: [Wireshark-users] Running Wireshark on a PC with a 
firewallinstalled (Comodo). Odd things happening with an H323 callvia a 
gatekeeper.


I have run a capture on the local machine initiating the call. I seem to

capture the same packet multiple times. Is these because Wireshark
captures 
packets at different points in the stack?

No matter how I capture the packets, it seems that the Video
Conferencing 
program is simply communicating in two different ways. The packet that
is 
sent for the H225 admissionRequest contains different information if the

firewall is set to "Allow ALL", or is turned on but with All ports and
All 
protocols allowed. I just can't figure out why this is so.

Chris

-----Original Message-----
From: Chris Swinney
Sent: 19 June 2008 01:42
To: Community support list for Wireshark
Subject: [Wireshark-users] Running Wireshark on a PC with a 
firewallinstalled (Comodo). Odd things happening with an H323 callvia a 
gatekeeper.

Hi,

With Wireshark running on a PC with a firewall running (Comodo), will 
Wireshark capture packets of information before or after the firewall
has 
had an effect?

Something very odd is happening on a machine intended to be use for H323

video conferences. I have run a trace using a in line network tap and
found 
the following to be true.

Something strange is going on here. It not that the packets are blocked
(I 
think), it's that the information in the call admission requests packet
is 
different. With Comodo set to "Allow ALL", the PC will send an H225
request 
to the gatekeeper. Some data within the packet is regarding the
destination 
of the call and one item set is called "dialedDigits" with its payload
being 
the number dialled, e.g. "111". The gatekeeper then responds with a
Accept 
admission and returns the ip address of the dialled number. A call can
then 
be placed.

However, when Comodo set in custom mode, the request is still made but
the 
this time the item set is "h323-ID" with the same payload, e.g. "111". 
However, this time the gatekeeper doesn't understand the request and
rejects 
it. The calling PC then goes on to query DNS, that responds with some IP
so 
a second request is made using the returned IP from DNS, which has no 
relevance to anything. The gatekeeper understands what an IP address is 
though and so says OK, and the call is then attempted to be set up with
this 
random IP! Of course, it does not happen.
With me so far? I'm not sure if I am! I captured this information via 
sniffing the traffic both from the PC and the return using an inline
tap. I 
will also run a Wireshark trace on the PC that has Comodo installed.

This is very repeatable, but I don't know what or why it is happening.

Chris



_______________________________________________
Wireshark-users mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-users 

_______________________________________________
Wireshark-users mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-users