Hi Matthew.
 
I've read all the messages trying to find out what could cause the problem.
 
I want to add a couple of things:
1. winpcap does not install anything that modifies the behavior of a NIC driver by changing registry entries or similar (although it does install a couple of registry entries for its own kernel driver npf.sys). Promiscuous mode is set when an adapter is opened; when you close the adapter, promiscuous mode is disabled.
2. There is a sort of side effect in turning promiscuous mode on: basically the TCP/IP stack behaves differently with special promiscuous packets, and this "feature" is used by apps that are able to find the sniffers on a network. You can find a better explanation of this behavior here:
 
 
3. Some users suggested using some sysinternals tools like pskill, pslist, process explorer, regmon. You can also use tcpview from sysinternals. Although it only shows TCP and UDP info, sometimes it's useful to discover "strange" applications that listen on some UDP or TCP ports...
 
Have you tried sniffing the traffic between the machine and the switch with a third machine? You can install a hub between the two machines, and then use a third machine running windows + winpcap (being careful to remove TCP/IP from the network card used to sniff, so that the sniffer is *completely* invisible) or linux/bsd + libpcap.
 
Hope it helps
GV
 
----- Original Message -----
Sent: Monday, November 29, 2004 1:52 PM
Subject: [WinPcap-users] Critical issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP requests once we installed WinPcap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels, the author, assures me it is not related to his application, thus I'm wondering if any other WinPcap users have heard of this.
 
Basically it is answering ARPs from the switch for IPs that are not assigned to the machine. This had the effect of DoS'ing other boxes on the same switch to which the IP did belong. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.
 
The very strange thing is that after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARPs. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000Mbps Realtek, and unplugged the 100Mbps one from the network. This solved it as a temporary measure.
 
Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.
 
Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).
 
Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed
 
Thanks for any help

Regards, Matthew                 
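As an added example (not part of either message above), this is the kind of check one would run on a capture taken from the third, hub-attached machine GV suggests, to confirm the symptom Matthew describes: one MAC answering ARP for addresses that also get replies from their real owners. The capture lines are constructed in tcpdump-style output, and the addresses and MACs are made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP lines (not real data from the thread).
# The host at 00:11:22:33:44:01 answers for its own address 10.0.0.1 and also
# for 10.0.0.20 and 10.0.0.30, racing the legitimate owners of those addresses.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Request who-has 10.0.0.20 tell 10.0.0.1, length 46
12:00:01.001 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:20, length 28
12:00:01.002 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:01, length 28
12:00:02.000 ARP, Request who-has 10.0.0.30 tell 10.0.0.1, length 46
12:00:02.001 ARP, Reply 10.0.0.30 is-at 00:11:22:33:44:01, length 28
12:00:02.003 ARP, Reply 10.0.0.30 is-at 00:11:22:33:44:30, length 28
12:00:03.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 46
12:00:03.001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (ip, mac) pairs for every ARP reply line in a tcpdump-style dump."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_arp_conflicts(text, allowed_multi=frozenset()):
    """Return two dicts built from the replies in `text`:
    conflicts: {ip: set(macs)} for IPs that more than one MAC claimed, and
    suspects:  {mac: set(ips)} for MACs that answered for more than one IP.
    A router doing proxy ARP legitimately answers for many IPs, so its MAC can
    be passed in `allowed_multi` to keep it out of the suspect list."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in parse_arp_replies(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    suspects = {mac: ips for mac, ips in mac_to_ips.items()
                if len(ips) > 1 and mac not in allowed_multi}
    return conflicts, suspects


if __name__ == "__main__":
    conflicts, suspects = find_arp_conflicts(SAMPLE_CAPTURE)
    print("IPs with conflicting replies:", conflicts)
    print("MACs answering for several IPs:", suspects)
```

Running the same parser over a real `tcpdump -n arp` capture from the hub-attached host shows whether the replies for the victim IPs are coming from the suspect NIC's MAC even after the software was removed.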