Ethereal-users: Re: [Ethereal-users] Re: double packets on Win 2000
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Steven Masters <Steven.Masters@xxxxxxxxxxxx>
Date: Tue, 28 Jun 2005 08:34:17 -0400
See below for entire e-mail conversations:

This did not occur on our XP box; we have shown this on all Win2000 boxes tested so far. Time stamps on each duplicate entry are different. It is not happening on the wire: we spanned the switch port and it is not on the port. We also did captures using OPNET and it shows up there also. We are now reviewing some old traces to see if this is something new.

While some of these boxes have sygate running, mine and another box tested do not have firewalls up. Now while our standard image does install sygate, we (the 2 users without firewalls) use the frequency hopping wireless NIC which when used in combination together causes the PC to crash, so we de-installed sygate. Did it leave some DLLs? Could have. We are getting our LAN and Desktop group to build up a new PC and will start there to see what might be causing this issue. We still don't know

Here is the answer back from OPNET, but I am not comfortable with their answer yet.

"Microsoft networking protocols use the Network Device Interface Specification (NDIS) to communicate with network card drivers. Much of the OSI model link layer functionality is implemented in the protocol stack. As explained in FAQ 812, the OPNET capture agent, as well as most other Windows-based capture agents, uses this interface (NDIS) to capture traces. Now a VPN setup running on Windows 2000 with NDIS interface causes the capture of duplicate packets in the OPNET capturing agents. Same would be the case for any other capture agent running on the same setup (VPN & Win2000). So it is a Win2000 specific issue."

Here is a typical screen shot of our traces and what we are seeing.

(Embedded image moved to file: pic24484.jpg)

Steve Masters
Network Analyst, Senior
(w) 717-240-5561
(c) 717-385-4829
steven.masters@xxxxxxxxxxxx

From: Andrew Hood <ajhood@xxxxxxxxx>
Sent by: ethereal-users-bounces@xxxxxxxxxxxm
Date: 06/24/2005 10:34 PM
To: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>, Ethereal user support <ethereal-users@xxxxxxxxxxxx>
cc:
Subject: Re: [Ethereal-users] Re: double packets on Win 2000
Please respond to: Ethereal user support <ethereal-users@ethereal.com>

ronnie sahlberg wrote:
> I don't think it is an exploit.
>
> Do you see the two identical packets twice with a timestamp difference of us?
>
> I bet you have something like BlackIce installed.
> Some of those products will cause this "effect" for many sniffers,
> outgoing packets are captured twice.
>
> On 6/24/05, Steven Masters <Steven.Masters@xxxxxxxxxxxx> wrote:
>
>>Anybody reporting when capturing your own machine that Win 2000 pro
>>(client) sends the same packet twice. Maybe a new exploit that has gotten
>>us? I haven't verified if this is indeed what the wire sees by spanning the
>>switch port, but maybe this is a bug in Win2000????

Harry Moyes and I had this discussion a few weeks back for Windows XP. You should be able to find it in the archives and the summary I made of our offline research.

The behaviour seems to be related to firewalls and specific drivers. It appears that some drivers cause packets to pass the tap point twice if "Net Firewall Service" is enabled. We had to disable "Net Firewall Service" to stop it.

I upgraded my Intel PRO/1000 MT drivers to the latest version then available from Intel and it stopped duping packets, whether "Net Firewall Service" was on or off. Harry, who has the same hardware & patch levels, tried it and it didn't work for him. He had to leave "Net Firewall Service" disabled.

We tried a number of other Ethernet cards, all with Microsoft drivers, and none of them duped packets.

--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
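
Added example, not part of the original thread or of Ethereal: a small Python check for the pattern discussed above, byte-identical frames recorded a few microseconds apart, counted by direction using the Ethernet source MAC. The MAC addresses, the 1000 us window and the sample frames are constructed assumptions; a real run would feed it (timestamp, raw frame) pairs exported from a capture.

```python
import hashlib
from collections import deque

LOCAL = bytes.fromhex("020000000001")   # constructed capture-host MAC
PEER = bytes.fromhex("020000000002")    # constructed remote MAC

def frame(dst, src, payload):
    """Build a minimal Ethernet II frame (EtherType 0x0800) for the sample."""
    return dst + src + b"\x08\x00" + payload

# Constructed sample: (timestamp in microseconds, raw frame bytes)
SAMPLE = [
    (1000, frame(PEER, LOCAL, b"req-1")),
    (1012, frame(PEER, LOCAL, b"req-1")),    # same bytes, 12 us later
    (2000, frame(LOCAL, PEER, b"resp-1")),   # inbound, seen once
    (3000, frame(PEER, LOCAL, b"req-2")),
    (3009, frame(PEER, LOCAL, b"req-2")),    # same bytes, 9 us later
    (900000, frame(PEER, LOCAL, b"req-1")),  # identical but far later: not flagged
]

def find_duplicates(frames, window_us=1000):
    """Return (first_index, dup_index, delta_us) for byte-identical frames
    captured within window_us of each other. Frames must be time-ordered."""
    recent, hits = deque(), []
    for i, (ts, raw) in enumerate(frames):
        # Drop remembered frames that are older than the comparison window.
        while recent and ts - recent[0][0] > window_us:
            recent.popleft()
        digest = hashlib.sha256(raw).digest()
        match = next((r for r in recent if r[1] == digest), None)
        if match:
            hits.append((match[2], i, ts - match[0]))
        recent.append((ts, digest, i))
    return hits

def classify(frames, local_mac, window_us=1000):
    """Count duplicates by direction using the Ethernet source MAC (bytes 6-11)."""
    counts = {"outbound": 0, "inbound": 0}
    for _, dup, _ in find_duplicates(frames, window_us):
        src = frames[dup][1][6:12]
        counts["outbound" if src == local_mac else "inbound"] += 1
    return counts

if __name__ == "__main__":
    for first, dup, delta in find_duplicates(SAMPLE):
        print(f"frame {dup} repeats frame {first} after {delta} us")
    print(classify(SAMPLE, LOCAL))
```

Duplicates that are all outbound from the capturing host and absent from a span-port capture match the local tap-point effect described in this thread; duplicates in both directions, or ones also visible on the span port, point elsewhere.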