A couple of things as I read this thread, based on speculation as I try to understand what is going on.

- some process must be intercepting ARP replies and sending out incorrect ARP reply packets
- either malware or some combination of programs or some program gone crazy
- a good virus/spyware program should find the malware
- winpcap being installed around the time the problem started makes one wonder if there was some sequence like the following (based on the fact that winpcap by itself does nothing):
-- program X installed
-- X intercepts ARP requests and replies to them but works OK in non-promiscuous mode (why? I don't know)
-- install winpcap, some program sets the card in promiscuous mode
-- X now gets all ARP requests for all machines and sends replies, or it has been sending ARP replies all along and in promiscuous mode they actually get sent
-- the uninstall doesn't work (because it wasn't run or had errors or the wrong install or ...)
-- some service fires up on reboot and sets the card in reboot mode (this explains why removing the card fixed the problem; the service could not find it?)

Where X could be netlimiter, trafficstatistic or something else

Things to do and questions
-- which uninstall was run? (winpcap or trafstatistics)
-- after the uninstall, if you searched the machine for the winpcap DLLs, were they found?
-- if winpcap and tra..statistics were installed and netlimiter was not installed, did the problem still occur?
-- did you run an anti-virus/spyware program?


Terry
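As an added illustration (not part of Terry's mail, nor WinPcap project code): Stef's idea of a second trace taken from a neutral system, combined with the hypothesis above that one host answers ARP requests on behalf of every machine, can be checked offline by tallying ARP replies per MAC and per IP. The Python below constructs a handful of raw Ethernet/ARP frames (all hosts, MACs and addresses are made up for the example), parses them without any capture library, and reports any MAC answering for more than one IP and any IP answered for by more than one MAC. Feeding it frames read from a real capture file is left to the operator.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Build a raw IPv4-over-Ethernet ARP frame. Used only to construct sample traffic."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return ETH_HDR.pack(eth_dst, sha, ETH_P_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, spa


def analyse_arp_replies(frames, max_ips_per_mac=1):
    """Tally ARP replies only; requests say nothing about who claims an address.

    Returns (greedy_macs, contested_ips):
      greedy_macs:   MAC -> sorted IPs, for MACs answering for more than max_ips_per_mac addresses
      contested_ips: IP  -> sorted MACs, for IPs answered for by more than one MAC
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _op, sha, spa = parsed
        ips_by_mac[sha].add(spa)
        macs_by_ip[spa].add(sha)
    greedy = {mac_str(m): sorted(ip_str(i) for i in s)
              for m, s in ips_by_mac.items() if len(s) > max_ips_per_mac}
    contested = {ip_str(i): sorted(mac_str(m) for m in s)
                 for i, s in macs_by_ip.items() if len(s) > 1}
    return greedy, contested


# Constructed sample traffic (hypothetical addresses): a router asking for two hosts,
# each host answering for itself, and one extra station answering for everybody.
ROUTER = (mac("00:aa:bb:cc:dd:01"), ip("192.168.1.1"))
HOST_A = (mac("00:11:22:33:44:10"), ip("192.168.1.10"))
HOST_B = (mac("00:11:22:33:44:20"), ip("192.168.1.20"))
SUSPECT = mac("00:de:ad:be:ef:99")  # the hypothetical misbehaving station

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, *ROUTER, b"\x00" * 6, HOST_A[1]),     # who has .10?
    build_arp(ARP_REPLY, *HOST_A, *ROUTER),                      # legitimate answer from A
    build_arp(ARP_REPLY, SUSPECT, HOST_A[1], *ROUTER),           # suspect also answers for .10
    build_arp(ARP_REQUEST, *ROUTER, b"\x00" * 6, HOST_B[1]),     # who has .20?
    build_arp(ARP_REPLY, *HOST_B, *ROUTER),
    build_arp(ARP_REPLY, SUSPECT, HOST_B[1], *ROUTER),           # and for .20
    build_arp(ARP_REPLY, SUSPECT, ip("192.168.1.30"), *ROUTER),  # and for .30, which nobody else claims
    b"\x00" * 20,                                                # truncated junk, must be skipped
]

if __name__ == "__main__":
    greedy, contested = analyse_arp_replies(SAMPLE_FRAMES)
    for m, ips in greedy.items():
        print(f"MAC {m} answered for {len(ips)} addresses: {', '.join(ips)}")
    for addr, macs in contested.items():
        print(f"IP {addr} answered for by several MACs: {', '.join(macs)}")
```

Run from a neutral sniffer rather than the suspect host, as Stef suggests, the "greedy MAC" report identifies the card sending the answers independently of whatever software on the Windows box is generating them; the "contested IP" report shows which legitimate hosts are being overridden.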

Matthew Tagg wrote:

OK, I could try that, but it is difficult because it's a production machine.
Can't risk it grabbing IPs again. I could image the drive, but then I
couldn't be assured that with different hardware it would happen.

It could have been some arbitrary process; however, the fact that it
happened straight after I installed trafficstatistic and WinPCap points
almost undeniably to the source of the problem.

Since it continued *afterwards*, I can conclude then:

- In my haste I did not reset the switch after uninstalling and thus the
switch was generating false ARP responses to the router.
- Some low-level Windows driver was modified in a permanent way by means of
an .ini/registry file.
- The uninstall program failed and it was still capturing.

I can't think of any other plausible explanations.

The fact that no one else has heard of this might indicate a unique software
incompatibility that arose, e.g. between Netlimiter and WinPCap and the
Realtek Windows driver.

----- Original Message ----- From: "Stef" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 2:59 PM
Subject: Re: [WinPcap-users] Critical issue: NIC stealing all ARP requests.

I just realized - reading more of this thread - that you were
experiencing the problem even when not running a capture program. Then
look at my suggestion below the other way around: start with the state
of "stealing" IPs, and remove - one at a time - various programs
running, until the process stops (no more ARP responses). You can use
pslist and pskill
(http://www.sysinternals.com/ntw2k/freeware/pstools.shtml) for that
(or task manager?!?), in conjunction with procexp ... a second non-IP
bound trace could also help ...

Stef

On Tue, 30 Nov 2004 06:49:32 -0600, Stef <[EMAIL PROTECTED]> wrote:
Could you possibly run
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
then start a trace/capture from your system, and see who's the
"perpetrator"? It would also be nice if you could run a second trace,
from a system with no IP address associated with it (*nix/*BSD?!?),
sniffing traffic on the same switch(es) your Win-based system tends to
"steal" IPs from, to understand what is exactly the process of ARP
response, "seen" from a "neutral" system?!?

Stef

On Tue, 30 Nov 2004 10:30:39 +0200, Matthew Tagg <[EMAIL PROTECTED]> wrote:

1. The refresh period is never generally > 5 minutes, and the problem
existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the windows machine "ARP -D *"

<snip>

==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================