Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Hi Matthew.

I've read all the messages trying to find out what could cause the problem. I want to add a couple of things:

1. winpcap does not install anything that modifies the behavior of a nic driver by changing registry entries or similar (although it does install a couple of registry entries for its own kernel driver npf.sys). Promiscuous mode is set when an adapter is opened; when you close the adapter, promiscuous mode is disabled.

2. There is a sort of side effect in turning promiscuous mode on: basically the TCP/IP stack behaves differently with special promiscuous packets, and this "feature" is used by apps that are able to find the sniffers on a network. You can find a better explanation of this behavior here: http://www.securityfriday.com/promiscuous_detection_01.pdf

3. Some users suggested using some sysinternals tools like pskill, pslist, process explorer, regmon. You can also use tcpview from sysinternals. Although it only shows tcp and udp info, sometimes it's useful to discover "strange" applications that listen to some udp or tcp ports...

Have you tried sniffing the traffic between the machine and the switch with a third machine? You can install a hub between the two machines, and then use a third machine running windows + winpcap (being careful to remove tcp/ip from the network card used to sniff, so that the sniffer is *completely* invisible) or linux/bsd + libpcap.

Hope it helps
GV

----- Original Message -----
From: Matthew Tagg
To: [EMAIL PROTECTED]
Sent: Monday, November 29, 2004 1:52 PM
Subject: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels the author assures me it is not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARP's from the switch for IP's that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch for which the IP did belong to. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARP's. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mpbs Realtek, and unplugged the 100mpbs from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew
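Added example (not part of the original thread, and not code from WinPcap or any poster): a Python check for what a capture taken on the neutral third machine would show if one NIC answers ARP for addresses it does not own. It parses raw frames, flags IPs claimed by more than one MAC and MACs answering for more IPs than expected. All frames, MAC and IP addresses are constructed samples, the function names are hypothetical, and untagged Ethernet II frames are assumed.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Decode an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns a dict, or None for anything else (short, non-ARP, other types).
    """
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"oper": oper, "sender_mac": _mac(sha),
            "sender_ip": _ip(spa), "target_ip": _ip(tpa)}


def analyse_replies(frames, max_ips_per_mac=1):
    """Summarise ARP replies seen by a passive sniffer.

    contested: IP -> MACs, for IPs that more than one MAC answered for.
    greedy:    MAC -> IPs, for MACs that answered for more than
               max_ips_per_mac addresses (raise the limit for multi-homed
               hosts or routers doing proxy ARP).
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            continue
        ip_to_macs[arp["sender_ip"]].add(arp["sender_mac"])
        mac_to_ips[arp["sender_mac"]].add(arp["sender_ip"])
    contested = {ip: sorted(macs) for ip, macs in ip_to_macs.items()
                 if len(macs) > 1}
    greedy = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
              if len(ips) > max_ips_per_mac}
    return contested, greedy


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Build one constructed ARP frame for the sample capture below."""
    def to_mac(text):
        return bytes.fromhex(text.replace(":", ""))

    def to_ip(text):
        return bytes(int(part) for part in text.split("."))

    eth = struct.pack("!6s6sH", to_mac(eth_dst or target_mac),
                      to_mac(sender_mac), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       to_mac(sender_mac), to_ip(sender_ip),
                       to_mac(target_mac), to_ip(target_ip))
    return eth + body


# Constructed addresses (locally administered MACs, private IPs).
ROUTER, OWNER_10, ROGUE = ("02:00:00:00:00:01", "02:00:00:00:00:10",
                           "02:00:00:00:00:99")

# Constructed capture: the router asks for 10.0.0.10, the real owner and the
# rogue NIC both answer, and the rogue also answers for 10.0.0.11 and itself.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, ROUTER, "10.0.0.1", "00:00:00:00:00:00",
              "10.0.0.10", eth_dst="ff:ff:ff:ff:ff:ff"),
    build_arp(ARP_REPLY, OWNER_10, "10.0.0.10", ROUTER, "10.0.0.1"),
    build_arp(ARP_REPLY, ROGUE, "10.0.0.10", ROUTER, "10.0.0.1"),
    build_arp(ARP_REPLY, ROGUE, "10.0.0.11", ROUTER, "10.0.0.1"),
    build_arp(ARP_REPLY, ROGUE, "10.0.0.20", ROUTER, "10.0.0.1"),
    bytes(12) + b"\x08\x00" + bytes(46),  # non-ARP (IPv4) frame, ignored
]

if __name__ == "__main__":
    contested, greedy = analyse_replies(SAMPLE_FRAMES)
    print("IPs answered by more than one MAC:", contested)
    print("MACs answering for several IPs:", greedy)
```

An IP that only the rogue answered for (10.0.0.11 in the sample, where the real owner lost the race) never shows up as contested, which is why the per-MAC count is reported as well.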
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Matthew,

Matthew Tagg wrote:

> Hi Terry
>
> My replies below.
>
>> A couple of things as I read this thread- based on speculation as I try
>> to understand what is going on.
>>
>> - some process must be intercepting ARP replies and sending out incorrect
>> ARP reply packets
>
> By this I take it you mean some application process? Can it not be the
> windows networking subsystem?

This is a remote possibility of course, but unlikely at least in my thinking. I considered this and could come up with no reasonable scenario and it would be a major bug in the network code. One would *expect* the bug to have been found on other machines, by other users, so I would assign a low probability to this. Typically the drivers for a card are more suspect and changing the card type did fix your problem so perhaps there is some weird interaction, but again I think this scenario is unlikely. If the other causes don't pan out then I would definitely try an experiment and see if the problem reoccurs when installed with a different driver.

>> - winpcap being installed around the time the problem started makes one
>> wonder if there was some sequence like (based on the fact that winpcap
>> by itself does nothing)
>> -- program X installed
>> -- X intercepts ARP requests and replies to them but works OK in
>> non-promiscuous mode (why? I don't know)
>> -- install winpcap, some programs sets the card in promiscuous mode
>> -- X now gets all ARP requests for all machines and sends replies- or
>> it has been sending ARP replies all along and in promiscuous mode they
>> actually get sent
>> -- the uninstall doesn't work (because it wasn't run or had errors or
>> the wrong install or ...)
>> -- some service fires up on reboot and sets card in reboot mode (this
>> explains why removing the card fixed the problem- the service could not
>> find it?)
>
> Actually removing the card and replacing it with a different one (diff mac
> address) though exact same model, did NOT solve the problem. It was only
> when I added a second card (DIFFERENT model - 1000GBps this time) and
> disabled the first one did the problem go away.

Sorry, I was unclear, I meant to say "changing the card type" rather than "removing the card". My thought is that a service would not be able to find the card/type/driver and would not be able to start successfully.

>> Where X could be netlimiter, trafficstatisic or something else
>>
>> Things to do and questions
>> -- which uninstall was run? (winpcap or trafstatistics)
>
> Both and netlimiter uninstall
>
>> -- after uninstall if you searched the machine for the winpcap DLLs,
>> were they found?
>
> No..
>
>> -- if winpcap and tra..statistics were installed and netlimiter was not
>> installed, did the problem still occur?
>
> I never tried that - this was a very urgent situation - my main concern was
> to stop the DOS on the other machines while maintaining uptime on the rogue
> machine.
>
>> -- did you run an anti-virus/spyware program?
>
> No
>
> I am going to run WinPCap and TrafficStatisic installs through a reg and
> file sniffer to see exactly what gets modified.

Since Winpcap.dll was not found when arp packets, the only role I can imagine winpcap playing is that putting the card in promiscuous mode contributed to the problem. As someone pointed out early in the discussion, some monitor programs will try to do poison arp so that they can see all frames, perhaps even if you are only monitoring one address,- so perhaps there is some interaction between the monitor program and the card being put in promiscuous mode. Having no experience with the programs involved I don't know if this is possible or not.

If I was having the problem the other thing I would try is checking for malware.

Good luck,

It would be interesting to know the resolution ..

Terry

==
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use
mailto: [EMAIL PROTECTED]
==
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Hi Terry

My replies below.

> A couple of things as I read this thread- based on speculation as I try
> to understand what is going on.
>
> - some process must be intercepting ARP replies and sending out incorrect
> ARP reply packets

By this I take it you mean some application process? Can it not be the windows networking subsystem?

> - winpcap being installed around the time the problem started makes one
> wonder if there was some sequence like (based on the fact that winpcap
> by itself does nothing)
> -- program X installed
> -- X intercepts ARP requests and replies to them but works OK in
> non-promiscuous mode (why? I don't know)
> -- install winpcap, some programs sets the card in promiscuous mode
> -- X now gets all ARP requests for all machines and sends replies- or
> it has been sending ARP replies all along and in promiscuous mode they
> actually get sent
> -- the uninstall doesn't work (because it wasn't run or had errors or
> the wrong install or ...)
> -- some service fires up on reboot and sets card in reboot mode (this
> explains why removing the card fixed the problem- the service could not
> find it?)

Actually removing the card and replacing it with a different one (diff mac address) though exact same model, did NOT solve the problem. It was only when I added a second card (DIFFERENT model - 1000GBps this time) and disabled the first one did the problem go away.

> Where X could be netlimiter, trafficstatisic or something else
>
> Things to do and questions
> -- which uninstall was run? (winpcap or trafstatistics)

Both and netlimiter uninstall

> -- after uninstall if you searched the machine for the winpcap DLLs,
> were they found?

No..

> -- if winpcap and tra..statistics were installed and netlimiter was not
> installed, did the problem still occur?

I never tried that - this was a very urgent situation - my main concern was to stop the DOS on the other machines while maintaining uptime on the rogue machine.

> -- did you run an anti-virus/spyware program?

No

I am going to run WinPCap and TrafficStatisic installs through a reg and file sniffer to see exactly what gets modified.
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
A couple of things as I read this thread- based on speculation as I try to understand what is going on.

- some process must be intercepting ARP replies and sending out incorrect ARP reply packets
- either malware or some combination of programs or some program gone crazy
- a good virus/spyware program should find the malware
- winpcap being installed around the time the problem started makes one wonder if there was some sequence like (based on the fact that winpcap by itself does nothing)
-- program X installed
-- X intercepts ARP requests and replies to them but works OK in non-promiscuous mode (why? I don't know)
-- install winpcap, some programs sets the card in promiscuous mode
-- X now gets all ARP requests for all machines and sends replies- or it has been sending ARP replies all along and in promiscuous mode they actually get sent
-- the uninstall doesn't work (because it wasn't run or had errors or the wrong install or ...)
-- some service fires up on reboot and sets card in reboot mode (this explains why removing the card fixed the problem- the service could not find it?)

Where X could be netlimiter, trafficstatisic or something else

Things to do and questions
-- which uninstall was run? (winpcap or trafstatistics)
-- after uninstall if you searched the machine for the winpcap DLLs, were they found?
-- if winpcap and tra..statistics were installed and netlimiter was not installed, did the problem still occur?
-- did you run an anti-virus/spyware program?

Terry

Matthew Tagg wrote:

Ok I could try that.. but it is difficult because it's a production machine. Can't risk it grabbing IP's again. I could image the drive, but then I couldn't be assured that with diff hardware it would happen.

It could have been some arbitrary process, however the fact that it happened straight after I installed trafficstatistic and WinPCap points almost undeniably to the source of the problem. The fact that it continued *afterwards* I can conclude then:

- In my haste I did not reset the switch after uninstalling and thus the switch was generating false ARP responses to the router.
- Some low-level windows driver was modified in a permanent way by means of .ini /registry file.
- The uninstall program failed and it was still capturing.

I can't think of any other plausible explanations. The fact that no-one else has heard of this might indicate a unique software incompatibility that arose, eg between Netlimiter and WinPCap and the Realtek windows driver.

----- Original Message -----
From: "Stef" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 2:59 PM
Subject: Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

I just realized - reading more of this thread - that you were experiencing the problem even when not running a capture program. Then look at my suggestion below the other way around: start with the state of "stealing" IPs, and remove - one at a time - various programs running, until the process stops (no more ARP responses). You can use pslist and pskill (http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) for that (or task manager?!?), in conjunction with procexp ... a second non-IP bound trace could also help ...

Stef

On Tue, 30 Nov 2004 06:49:32 -0600, Stef <[EMAIL PROTECTED]> wrote:

Could you possibly run http://www.sysinternals.com/ntw2k/freeware/procexp.shtml then start a trace/capture from your system, and see who's the "perpetrator"? It would also be nice if you could run a second trace, from a system with no IP address associated with it (*nix/*BSD?!?), sniffing traffic on the same switch(es) your Win-based system tends to "steal" IPs from, to understand what is exactly the process of ARP response, "seen" from a "neutral" system?!?

Stef

On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:

1. The refresh period is never generally > 5 minutes, and the problem existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the windows machine "ARP -D *"
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Ok I could try that.. but it is difficult because it's a production machine. Can't risk it grabbing IP's again. I could image the drive, but then I couldn't be assured that with diff hardware it would happen.

It could have been some arbitrary process, however the fact that it happened straight after I installed trafficstatistic and WinPCap points almost undeniably to the source of the problem. The fact that it continued *afterwards* I can conclude then:

- In my haste I did not reset the switch after uninstalling and thus the switch was generating false ARP responses to the router.
- Some low-level windows driver was modified in a permanent way by means of .ini /registry file.
- The uninstall program failed and it was still capturing.

I can't think of any other plausible explanations. The fact that no-one else has heard of this might indicate a unique software incompatibility that arose, eg between Netlimiter and WinPCap and the Realtek windows driver.

----- Original Message -----
From: "Stef" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 2:59 PM
Subject: Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

> I just realized - reading more of this thread - that you were
> experiencing the problem even when not running a capture program. Then
> look at my suggestion below the other way around: start with the state
> of "stealing" IPs, and remove - one at a time - various programs
> running, until the process stops (no more ARP responses). You can use
> pslist and pskill
> (http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) for that
> (or task manager?!?), in conjunction with procexp ... a second non-IP
> bound trace could also help ...
>
> Stef
>
> On Tue, 30 Nov 2004 06:49:32 -0600, Stef <[EMAIL PROTECTED]> wrote:
> > Could you possibly run
> > http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> > then start a trace/capture from your system, and see who's the
> > "perpetrator"? It would also be nice if you could run a second trace,
> > from a system with no IP address associated with it (*nix/*BSD?!?),
> > sniffing traffic on the same switch(es) your Win-based system tends to
> > "steal" IPs from, to understand what is exactly the process of ARP
> > response, "seen" from a "neutral" system?!?
> >
> > Stef
> >
> > On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:
> > >
> > > 1. The refresh period is never generally > 5 minutes, and the problem
> > > existed much longer than that.
> > > 2. We cleared ARP tables on the managed switch constantly.
> > > 3. We also cleared ARP on the windows machine "ARP -D *"
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
I just realized - reading more of this thread - that you were experiencing the problem even when not running a capture program. Then look at my suggestion below the other way around: start with the state of "stealing" IPs, and remove - one at a time - various programs running, until the process stops (no more ARP responses). You can use pslist and pskill (http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) for that (or task manager?!?), in conjunction with procexp ... a second non-IP bound trace could also help ...

Stef

On Tue, 30 Nov 2004 06:49:32 -0600, Stef <[EMAIL PROTECTED]> wrote:
> Could you possibly run
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> then start a trace/capture from your system, and see who's the
> "perpetrator"? It would also be nice if you could run a second trace,
> from a system with no IP address associated with it (*nix/*BSD?!?),
> sniffing traffic on the same switch(es) your Win-based system tends to
> "steal" IPs from, to understand what is exactly the process of ARP
> response, "seen" from a "neutral" system?!?
>
> Stef
>
> On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:
> >
> > 1. The refresh period is never generally > 5 minutes, and the problem
> > existed much longer than that.
> > 2. We cleared ARP tables on the managed switch constantly.
> > 3. We also cleared ARP on the windows machine "ARP -D *"
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Does the behavior repeat itself if you put the problem systems on a hub? In other words, is the problem on the switch? If so, then that would eliminate any software installed on the pc's.

mcd

Matthew Tagg wrote:

1. The refresh period is never generally > 5 minutes, and the problem existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the windows machine "ARP -D *"

----- Original Message -----
*From:* KanjiSoft Systems <mailto:[EMAIL PROTECTED]>
*To:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Sent:* Tuesday, November 30, 2004 3:46 AM
*Subject:* Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

Matthew,

Switches keep track of which mac addresses are on which port for that switch, i.e. you have a table on the switch of mac address/port. It's possible that there are two entries in the switch table for the same mac address but different port. This could happen if you switched a mac card, for example. Switch tables are supposed to automatically obsolete their entries after a while, not sure on the details.

Another idea is clear the arp table on your originating host, which will trigger an arp broadcast which might reset the switch table entry for the mac address in question.

mcd

----- Original Message -----
*From:* Matthew Tagg <mailto:[EMAIL PROTECTED]>
*To:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Sent:* Monday, November 29, 2004 7:52 AM
*Subject:* [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels the author assures me it is not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARP's from the switch for IP's that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch for which the IP did belong to. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARP's. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mpbs Realtek, and unplugged the 100mpbs from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Could you possibly run http://www.sysinternals.com/ntw2k/freeware/procexp.shtml then start a trace/capture from your system, and see who's the "perpetrator"? It would also be nice if you could run a second trace, from a system with no IP address associated with it (*nix/*BSD?!?), sniffing traffic on the same switch(es) your Win-based system tends to "steal" IPs from, to understand what is exactly the process of ARP response, "seen" from a "neutral" system?!?

Stef

On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:
>
> 1. The refresh period is never generally > 5 minutes, and the problem
> existed much longer than that.
> 2. We cleared ARP tables on the managed switch constantly.
> 3. We also cleared ARP on the windows machine "ARP -D *"
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
1. The refresh period is never generally > 5 minutes, and the problem existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the windows machine "ARP -D *"

----- Original Message -----
From: KanjiSoft Systems
To: [EMAIL PROTECTED]
Sent: Tuesday, November 30, 2004 3:46 AM
Subject: Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

Matthew,

Switches keep track of which mac addresses are on which port for that switch, i.e. you have a table on the switch of mac address/port. It's possible that there are two entries in the switch table for the same mac address but different port. This could happen if you switched a mac card, for example. Switch tables are supposed to automatically obsolete their entries after a while, not sure on the details.

Another idea is clear the arp table on your originating host, which will trigger an arp broadcast which might reset the switch table entry for the mac address in question.

mcd

----- Original Message -----
From: Matthew Tagg
To: [EMAIL PROTECTED]
Sent: Monday, November 29, 2004 7:52 AM
Subject: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels the author assures me it is not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARP's from the switch for IP's that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch for which the IP did belong to. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARP's. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mpbs Realtek, and unplugged the 100mpbs from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Matthew,

Switches keep track of which mac addresses are on which port for that switch, i.e. you have a table on the switch of mac address/port. It's possible that there are two entries in the switch table for the same mac address but different port. This could happen if you switched a mac card, for example. Switch tables are supposed to automatically obsolete their entries after a while, not sure on the details.

Another idea is clear the arp table on your originating host, which will trigger an arp broadcast which might reset the switch table entry for the mac address in question.

mcd

----- Original Message -----
From: Matthew Tagg
To: [EMAIL PROTECTED]
Sent: Monday, November 29, 2004 7:52 AM
Subject: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels the author assures me it is not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARP's from the switch for IP's that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch for which the IP did belong to. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARP's. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mpbs Realtek, and unplugged the 100mpbs from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Pardon me for jumping in, but if you're trying to keep traffic statistics while connected to a switch port (as opposed to a hub), how does your traffic statistic program convince the switch to forward all of the network's packets to its port? I am far from expert in this area, but it seems to me that the switch would _have_ to "think" that machines of all active IP's existed on that leg, or it would never forward the packets to it. Isn't that why they call it a "switch" in the first place?

This hint might shed a glimmer of light on the problem (and then again, it probably won't).

Rob---
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Hi Loris,

Thanks for your help, much appreciated.

The weird thing is the problem occurred within 10 minutes of installing WinPCap and trafficstatistic, with no other configuration changes on the machine. Is it not possible that there is some undocumented windows registry setting that could have been modified related to the way packets are handled? If not I guess it must lie with Marcel Bartel's application.

At first I thought it was promiscuous mode gone wrong

----- Original Message -----
From: "Loris Degioanni" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 29, 2004 8:41 PM
Subject: RE: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

> Matthew,
> WinPcap by itself is not able at all to answer to ARP requests: winpcap is a
> packet library that receives and sends raw traffic. An application that uses
> WinPcap could answer to ARP requests, but I think this is not your case,
> because it looks that the problems persists even if you uninstall WinPcap.
> Check if you have other programs installed on your machine, and if the
> Windows networking doesn't have misconfigurations.
>
> Loris

> Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic
> software.
RE: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Matthew,

WinPcap by itself is not able at all to answer to ARP requests: winpcap is a packet library that receives and sends raw traffic. An application that uses WinPcap could answer to ARP requests, but I think this is not your case, because it looks that the problems persists even if you uninstall WinPcap. Check if you have other programs installed on your machine, and if the Windows networking doesn't have misconfigurations.

Loris

From: Matthew Tagg [mailto:[EMAIL PROTECTED]
Sent: Monday, November 29, 2004 4:52 AM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels the author assures me it is not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARP's from the switch for IP's that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch for which the IP did belong to. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARP's. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mpbs Realtek, and unplugged the 100mpbs from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew