I have now resolved the initial problem.
In Comodo, turned off "Monitor DNS Queries" in Advanced -->
Application Behaviour Analysis.
This is supposed to stop an application making recursive DNS requests to the
Windows service. I'm guessing that the application uses some Windows service to
resolve an address, but I don't understand how this affects the data in the
packet. I guess a knock-on effect.
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Chris
Swinney
Sent: 20 June 2008 14:22
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Running Wireshark on a PC with a
firewall installed (Comodo). Odd things happening with an H323 call via a
gatekeeper.
This may be the case, but of course it's not helping!!! Of
course, the scenario where the call works is the one with the firewall switched
off!
I was after a firewall that we could use for our
end-of-life products (read 2 years) so ideally it needs to be free. Free
firewalls are either incomplete, way too complex, or not configurable enough.
Comodo is a fairly good and highly configurable firewall for Windows that is
completely free. It allows for application, component and network monitoring,
but I can't find any information regarding the type of functionality you
suggest.
Would this type of functionality rewrite such specific
elements within the packet? Is there any way to figure out the information
actually coming out of the application, then trace its route down the stack and
see if anything is altered?
Chris
From: Pedro Tumusok [mailto:pedro.tumusok@xxxxxxxxx]
Sent: 20 June 2008 11:29
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Running Wireshark on a PC with a
firewall installed (Comodo). Odd things happening with an H323 call via a
gatekeeper.
On Fri, Jun 20, 2008 at 11:45 AM, Chris Swinney <swin@xxxxxxxxxxxxx> wrote:
I have run a capture on the local machine initiating the
call. I seem to capture the same packet multiple times. Is this because
Wireshark captures packets at different points in the stack?
No matter how I capture the packets, it seems that the Video Conferencing
program is simply communicating in two different ways. The packet that is sent
for the H225 admissionRequest contains different information if the firewall is
set to "Allow ALL", or is turned on but with All ports and All
protocols allowed. I just can't figure out why this is so.
Chris
Could it not just be that there is an ALG in the firewall that tries to help
you with the H323 call? And it's active in one scenario and not in the other
one?
Pedro
-----Original Message-----
From: Chris Swinney
Sent: 19 June 2008 01:42
To: Community support list for Wireshark
Subject: [Wireshark-users] Running Wireshark on a PC with a firewall installed
(Comodo). Odd things happening with an H323 call via a gatekeeper.
Hi,
With Wireshark running on a PC with a firewall running (Comodo), will Wireshark
capture packets of information before or after the firewall has had an effect?
Something very odd is happening on a machine intended to be used for H323 video
conferences. I have run a trace using an inline network tap and found the
following to be true.
Something strange is going on here. It's not that the packets are blocked (I
think), it's that the information in the call admission request packet is
different. With Comodo set to "Allow ALL", the PC will send an H225
request to the gatekeeper. Some data within the packet is regarding the
destination of the call and one item set is called "dialedDigits"
with its payload being the number dialled, e.g. "111". The gatekeeper
then responds with an admission Accept and returns the IP address of the dialled
number. A call can then be placed.
However, when Comodo is set to custom mode, the request is still made but this
time the item set is "h323-ID" with the same payload, e.g.
"111". However, this time the gatekeeper doesn't understand the
request and rejects it. The calling PC then goes on to query DNS, that responds
with some IP so a second request is made using the returned IP from DNS, which
has no relevance to anything. The gatekeeper understands what an IP address is
though and so says OK, and the call is then attempted to be set up with this
random IP! Of course, it does not happen.
With me so far? I'm not sure if I am! I captured this information via sniffing
the traffic both from the PC and the return using an inline tap. I will also
run a Wireshark trace on the PC that has Comodo installed.
This is very repeatable, but I don't know what or why it is happening.
Chris
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
--
Best regards / Mvh
Jan Pedro Tumusok
I know you love me
And you want to be Friends
And if you dont
at least you need to pretend
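To make the admission exchange Chris describes in the original post concrete, here is an added example (not from the thread, and not code from Comodo or Wireshark) that models how a gatekeeper answers an ARQ depending on whether the destination is a dialedDigits alias, an h323-ID alias, or an endpoint-supplied address, plus a check that flags the two symptoms in the thread. The registration table, IP addresses and the ARQ/audit function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed gatekeeper registration table (hypothetical addresses): the endpoint
# "111" is registered only under its E.164 number, not under an h323-ID alias.
E164_TABLE = {"111": "10.0.0.111"}       # dialedDigits -> call signalling address
H323ID_TABLE = {"room-a": "10.0.0.112"}  # h323-ID -> call signalling address


@dataclass
class ARQ:
    """Simplified admissionRequest: one destinationInfo alias, or a destination address."""
    alias_type: Optional[str] = None   # "dialedDigits" or "h323-ID"
    alias: Optional[str] = None
    dest_addr: Optional[str] = None    # endpoint-supplied destCallSignalAddress


def gatekeeper(arq: ARQ) -> Tuple[str, Optional[str]]:
    """Answer an ARQ with ("ACF", address) or ("ARJ", None), as in the thread."""
    if arq.dest_addr:
        # The gatekeeper "understands what an IP address is" and admits it unchecked.
        return "ACF", arq.dest_addr
    table = {"dialedDigits": E164_TABLE, "h323-ID": H323ID_TABLE}.get(arq.alias_type, {})
    addr = table.get(arq.alias)
    return ("ACF", addr) if addr else ("ARJ", None)


def audit_arq_sequence(sequence: List[ARQ]) -> List[str]:
    """Flag the two symptoms from the thread: a dialled number carried as an h323-ID,
    and an ARJ followed by an ARQ that supplies an address the gatekeeper never resolved."""
    findings = []
    for i, arq in enumerate(sequence):
        if arq.alias_type == "h323-ID" and arq.alias and arq.alias.isdigit():
            findings.append(f"ARQ {i}: digits {arq.alias!r} sent as h323-ID, not dialedDigits")
        if i and arq.dest_addr and gatekeeper(sequence[i - 1])[0] == "ARJ":
            findings.append(f"ARQ {i}: address {arq.dest_addr} offered right after an ARJ")
    return findings


# Replay of the two scenarios described in the thread (constructed input).
if __name__ == "__main__":
    print(gatekeeper(ARQ("dialedDigits", "111")))   # ('ACF', '10.0.0.111')
    broken = [ARQ("h323-ID", "111"), ARQ(dest_addr="203.0.113.5")]
    for finding in audit_arq_sequence(broken):
        print(finding)
```

Comparing the alias type of the same ARQ in a tap-side capture against a host-side capture is the quickest way to see whether something on the host rewrote it before it left the machine.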