Hi Terry

My replies below.

> A couple of things as I read this thread- based on speculation as I try
> to understand what is going  on.
>
> - some process must intercepting ARP replies and sending out incorrect
> ARP reply packets

By this it take it you mean some application process? Can in not be the
windows networking subsystem?

> - winpcap being installed around the time the problem started makes one
> wonder if there was some sequence like (based on the fact that winpcap
> by itself does nothing)
>    -- program X installed
>    -- X intercepts ARP requests and replies to them but works OK in
> non-promiscuous mode (why? I don't know)
>    -- install winpcap, some programs sets the card in promiscuous mode
>    -- X now gets all ARP requests for all machines and sends replies- or
> it has been sending ARP replies all along and in promiscuous mode they
> actually get sent
>    -- the uninstall doesn't work (because it wasn't run or had errors or
> the wrong install or ...)
>    -- some service fires up on reboot and sets card in reboot mode (this
> explains why removing the card fixed the problem- the service could not
> find it?)

Actually removing the card and replacing it with a different one (diff mac
address) though exact same model, did NOT solve the problem. It was only
when I added a second card (DIFFERENT model - 1000GBps this time) and
disabled the first one did the problem go away.

> Where X could be netlimiter, trafficstatisic or something else
>
> Things to do and questions
> -- which uninstall was run? (winpcap or trafstatistics)

Both and netlimiter uninstall

> -- after uninstall if you searched the machine for the winpcap DLLs,
> were they found?

No..

> -- if winpcap and tra..statistics were installed and netlimiter was not
> installed, did the problem still occur?

I never tried that - this was a very urgent situation - my may concern was
to stop the DOS on the other machines while maintaining uptime on the rogue
machine.

> -- did you run an anti-virus/spyware program?

No

I am going to run WinPCap and TrafficStatisic installs through a reg and
file sniffer to see exactly what gets modified.



==================================================================
 This is the WinPcap users list. It is archived at
 http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

 To unsubscribe use 
 mailto: [EMAIL PROTECTED]
==================================================================

Reply via email to