Ok I could try that.. but it is difficult because it's a production machine. Can't risk it grabbing IPs again. I could image the drive, but then I couldn't be assured that with different hardware it would happen.
It could have been some arbitrary process, however the fact that it happened straight after I installed trafficstatistic and WinPCap points almost undeniably to the source of the problem. The fact that it continued *afterwards* I can conclude then:

- In my haste I did not reset the switch after uninstalling and thus the switch was generating false ARP responses to the router.
- Some low-level Windows driver was modified in a permanent way by means of .ini /registry file.
- The uninstall program failed and it was still capturing.

I can't think of any other plausible explanations. The fact that no-one else has heard of this might indicate a unique software incompatibility that arose, e.g. between Netlimiter and WinPCap and the Realtek Windows driver.

----- Original Message -----
From: "Stef" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 2:59 PM
Subject: Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

> I just realized - reading more of this thread - that you were
> experiencing the problem even when not running a capture program. Then
> look at my suggestion below the other way around: start with the state
> of "stealing" IPs, and remove - one at a time - various programs
> running, until the process stops (no more ARP responses). You can use
> pslist and pskill
> (http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) for that
> (or task manager?!?), in conjunction with procexp ... a second non-IP
> bound trace could also help ...
>
> Stef
>
> On Tue, 30 Nov 2004 06:49:32 -0600, Stef <[EMAIL PROTECTED]> wrote:
> > Could you possibly run
> > http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> > then start a trace/capture from your system, and see who's the
> > "perpetrator"? It would also be nice if you could run a second trace,
> > from a system with no IP address associated with it (*nix/*BSD?!?),
> > sniffing traffic on the same switch(es) your Win-based system tends to
> > "steal" IPs from, to understand what is exactly the process of ARP
> > response, "seen" from a "neutral" system?!?
> >
> > Stef
> >
> > On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:
> > >
> > > 1. The refresh period is never generally > 5 minutes, and the problem
> > > existed much longer than that.
> > > 2. We cleared ARP tables on the managed switch constantly.
> > > 3. We also cleared ARP on the Windows machine "ARP -D *"
> > <snip>
> >
> >
> ==================================================================
> This is the WinPcap users list. It is archived at
> http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
>
> To unsubscribe use
> mailto: [EMAIL PROTECTED]
> ==================================================================
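
The second trace from a "neutral" system suggested in the quoted reply can be analysed offline. The following is an added example, not part of the original thread: it parses raw Ethernet ARP frames and reports any MAC that sends replies for more than one IPv4 address, and any address claimed by more than one MAC. The frames, MAC and IP addresses are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; used only to construct the sample data."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    dst = b"\xff" * 6 if op == 1 else mac(tha)  # requests are broadcast
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return dst + mac(sha) + b"\x08\x06" + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def analyse(frames):
    """Return (multi, conflicts) from ARP replies (opcode 2) only.
    multi: MACs answering for more than one IP; conflicts: IPs claimed by several MACs."""
    by_mac, by_ip = defaultdict(set), defaultdict(set)
    for frame in frames:
        rec = parse_arp(frame)
        if rec and rec[0] == 2:
            by_mac[rec[1]].add(rec[2])
            by_ip[rec[2]].add(rec[1])
    multi = {m: sorted(i) for m, i in by_mac.items() if len(i) > 1}
    conflicts = {i: sorted(m) for i, m in by_ip.items() if len(m) > 1}
    return multi, conflicts

# Constructed sample trace (locally administered MACs, private addresses).
ROUTER, NIC, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
ZERO = "00:00:00:00:00:00"
SAMPLE = [
    build_arp(1, ROUTER, "192.168.0.1", ZERO, "192.168.0.10"),
    build_arp(2, NIC, "192.168.0.10", ROUTER, "192.168.0.1"),   # NIC's own address
    build_arp(1, ROUTER, "192.168.0.1", ZERO, "192.168.0.20"),
    build_arp(2, NIC, "192.168.0.20", ROUTER, "192.168.0.1"),   # answers for HOST_B's IP
    build_arp(2, HOST_B, "192.168.0.20", ROUTER, "192.168.0.1"),
    build_arp(2, NIC, "192.168.0.30", ROUTER, "192.168.0.1"),   # and for a third address
    b"\x00" * 60,                                               # non-ARP frame, ignored
]

if __name__ == "__main__":
    multi, conflicts = analyse(SAMPLE)
    print("MACs answering for several IPs:", multi)
    print("IPs claimed by several MACs:", conflicts)
```

A router doing proxy ARP or a host with several configured addresses will also show up in the first result, so compare the output with the known address plan before drawing conclusions.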