Ethereal-users: Re: [Ethereal-users] Re: double packets on Win 2000

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Wed, 29 Jun 2005 23:04:07 +1000
Steven Masters wrote:
> See below for entire e-mail conversations:
> 
> This did not occur on our XP box; we have shown this on all Win2000 boxes
> tested so far.

I beg to differ. We found the same error on XP. It did not happen with
all drivers. In particular I did not find the problem with any Microsoft
supplied driver for any card I had to test.

> Time stamps on each duplicate entry are different.

By an amount small enough to reflect having passed through some more of
the protocol stack, but not enough to have got onto the wire.

> It is not happening on the wire: we spanned the switch port and it is not
> on the port. We also did captures using OPNET and it shows up there also.
> We are now reviewing some old traces to see if this is something new. While
> some of these boxes have Sygate running, mine and another box tested do not
> have firewalls up. Now, while our standard image does install Sygate, we
> (the 2 users without firewalls) use the frequency-hopping wireless NIC,
> which when used in combination together causes the PC to crash, so we
> de-installed Sygate.

Did you try disabling "Net Firewall Service"? I could leave ZoneLabs
running and the duplication stopped.

> Did it leave some DLLs? Could have. We are getting our LAN and Desktop
> group to build up a new PC and will start there to see what might be
> causing this issue. We still don't know.
>
> Here is the answer back from OPNET, but I am not comfortable with their
> answer yet.
> "Microsoft networking protocols use the Network Device Interface
> Specification (NDIS) to communicate with network card drivers. Much of the
> OSI model link layer functionality is implemented in the protocol stack.
> 
> As explained in FAQ 812, the OPNET capture agent, as well as most other
> Windows-based capture agents, uses this interface (NDIS) to capture traces.
> Now a VPN setup running on Windows 2000 with the NDIS interface causes the
> capture of duplicate packets in the OPNET capturing agents. The same would
> be the case for any other capture agent running on the same setup (VPN &
> Win2000). So it is a Win2000 specific issue."

As stated above I disagree. It appears to be specific to certain
versions of certain drivers in both Win2K and XP. And probably Win2k3.

> Here is a typical screen shot of our traces and what we are seeing.
> (Embedded image moved to file: pic24484.jpg)
> 
> 
> ronnie sahlberg wrote:
> 
>>I don't think it is an exploit.
>>
>>Do you see the two identical packets twice with a timestamp difference of
>>us?
>>
>>I bet you have something like BlackIce installed.
>>Some of those products will cause this "effect" for many sniffers,
>>outgoing packets are captured twice.
>>
>>
>>
>>On 6/24/05, Steven Masters <Steven.Masters@xxxxxxxxxxxx> wrote:
>>
>>
>>>Anybody reporting when capturing your own machine that Win 2000 Pro
>>>(client) sends the same packet twice? Maybe a new exploit that has gotten
>>>us? I haven't verified if this is indeed what the wire sees by spanning
>>>the switch port, but maybe this is a bug in Win2000????
> 
> 
> Harry Moyes and I had this discussion a few weeks back for Windows XP.
> You should be able to find it in the archives and the summary I made of
> our offline research.
> 
> The behaviour seems to be related to firewalls and specific drivers. It
> appears that some drivers cause packets to pass the tap point twice if
> "Net Firewall Service" is enabled. We had to disable "Net Firewall
> Service" to stop it.
> 
> I upgraded my Intel PRO/1000 MT drivers to the latest version then
> available from Intel and it stopped duping packets, whether "Net
> Firewall Service" was on or off.
> 
> Harry, who has the same hardware & patch levels, tried it and it didn't
> work for him. He had to leave "Net Firewall Service" disabled.
> 
> We tried a number of other Ethernet cards all with Microsoft drivers and
> none of them duped packets.



-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
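The signature the thread keeps coming back to is a pair of byte-identical frames a few microseconds apart, which is too short an interval for the second copy to have reached the wire. The following Python is an added example (not code from the thread or from the Ethereal project) that scans a capture for exactly that pattern and separates it from a genuine retransmission, which arrives milliseconds later and, on Windows, carries a fresh IP ID. The 50 µs threshold, the 8-frame look-back window, the `build_frame` helper and the sample capture are all constructed for this illustration.

```python
import struct
from collections import deque, namedtuple

# A captured frame: timestamp in whole microseconds plus the raw bytes.
Frame = namedtuple("Frame", ["ts_us", "data"])


def build_frame(ip_id, payload, sport=40000, dport=53):
    """Construct a minimal Ethernet/IPv4/UDP frame for the sample capture.
    Checksums are left at zero: this is test data, not a frame to transmit."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload


def find_tap_duplicates(frames, max_delta_us=50, window=8):
    """Return (earlier_index, later_index, delta_us) for each frame that is
    byte-identical to one of the previous `window` frames and arrived within
    max_delta_us of it. A frame that really went out twice (a retransmission)
    is normally separated by milliseconds and differs in at least the IP ID,
    so it is not byte-identical and is not flagged. Both limits are
    assumptions chosen for this example; tune max_delta_us for your capture."""
    recent = deque(maxlen=window)
    hits = []
    for idx, frame in enumerate(frames):
        for prev_idx, prev in recent:
            delta = frame.ts_us - prev.ts_us
            if prev.data == frame.data and 0 <= delta <= max_delta_us:
                hits.append((prev_idx, idx, delta))
                break
        recent.append((idx, frame))
    return hits


def drop_tap_duplicates(frames, max_delta_us=50, window=8):
    """Return the capture with the later copy of each tap duplicate removed,
    so per-flow statistics are no longer doubled for outgoing traffic."""
    later = {j for _, j, _ in find_tap_duplicates(frames, max_delta_us, window)}
    return [f for i, f in enumerate(frames) if i not in later]


# Constructed sample capture: two tap duplicates, one real retransmission.
SAMPLE_CAPTURE = [
    Frame(0, build_frame(1, b"query-1")),
    Frame(12, build_frame(1, b"query-1")),        # same bytes, 12 us later: tap duplicate
    Frame(500, build_frame(2, b"query-2")),
    Frame(511, build_frame(2, b"query-2")),       # same bytes, 11 us later: tap duplicate
    Frame(200_000, build_frame(3, b"query-3")),
    Frame(450_000, build_frame(4, b"query-3")),   # same payload, new IP ID, 250 ms later
    Frame(900_000, build_frame(5, b"query-4")),
]


if __name__ == "__main__":
    for earlier, later, delta in find_tap_duplicates(SAMPLE_CAPTURE):
        print(f"frame {later} duplicates frame {earlier} ({delta} us apart)")
    print(f"{len(SAMPLE_CAPTURE)} frames captured, "
          f"{len(drop_tap_duplicates(SAMPLE_CAPTURE))} after removing tap duplicates")
```

When a sniffer shows this pattern, checking the delta against the threshold before changing anything on the host tells you whether you are looking at the capture path (a second tap from a firewall or filter driver, as this thread concludes) or at traffic that really did leave the machine twice.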