Network problem???

It's depressingly normal-looking. One more set of data that would be useful is the output of ipconfig /all from both ONE and SETI6.

But I think I know what machines the two IP addreses shown in the log are:

192.168.0.76 is SETI6
192.168.0.1 is ONE

Since you have a lockout on svchost.exe "Generic process for...", we can't tell what it was trying to do. I take it that having that lock set hasn't prevented dialouts, right?

The "destination" ports tell what was being done. 139 is part of Windows Networking. 53 is Domain Name Services, used to translate IP addresses into names.

So, in summary, all the traffic listed in both logs was between ONE and SETI6. And none of it should have triggered a dialout from ONE. The packets that would cause a dialout would have a destination address that doesn't begin with 192.168.0. That network represents your LAN.

And even the blocked traffic involving svchost.exe was headed for ONE. I wonder if we'll need to once again start looking at ONE, but this time with ZoneAlarm. Somwhere, something's trying to make a connection to the Internet. Even knowing what kind of connection would be a step in the right direction.

Here's a pretty good summary of what ZoneAlarm's various features do:

http://www.hackfix.org/software/configure/zone.html

Jim

Jim,

I haven't set the lock as I still don't know the program.  If I set the lock don't I lock out all of my programs?

Without the lock on and as soon as I disconnected from the Internet, the icon of the Generic Host... started to blink and the box for the Internet to connect came on at Computer ONE.

Will study Zone Alarm and will try to get a read out of ipconfig /all from both ONE and SETI 6.

Should I download Zone Alarn on Computer ONE also?

If I set the lock don't I lock out all of my programs?

Yes, the padlock will prevent all outbound connections, and that's not going to be useful, since we now know that the "interesting" outbound connections are the ones coming about via svchost.exe.

Without the lock on and as soon as I disconnected from the Internet, the icon of the Generic Host... started to blink and the box for the Internet to connect came on at Computer ONE.

Good...Well, good in that we've isolated svchost.exe as the process that's causing the connection attempts. Bad in that many things are implemented using svchost.exe. All we have to do is figure out which of about a dozen possibilities is causing the connection attempts on ONE.

Will study Zone Alarm and will try to get a read out of ipconfig /all from both ONE and SETI 6.

OK. Did I get the IP address assignments for SETI6 and ONE right?

Should I download Zone Alarm on Computer ONE also?

Yes. We haven't yet figured out what the outbound connections are trying to connect to by looking at SETI6, so we're going to have to start looking at ONE again. You'll need to unlock svchost.exe on SETI6 before we'll see what processes on ONE are trying to gain access on the Internet, though. If we can ever log the Internet destination IP addresses ports, we'll likely be able to "backtrack" and hopefully prevent these unwanted connections from happening.

Note that you don't need to download it from Zonelabs again. Just copy the installer from SETI6 to ONE over the LAN.

(edit) Vince, next time you post, rather than replying to this note, can you post a reply the first note in the thread?
If viewed in "threaded" mode, we've managed to cause scrolling. While this follows forum "etiquette", it's making it tough to read, since the recent posting subjects are all off to the far right in the "threaded" listing!

Jim

Message Edited by jimw on 03-05-2004 11:44 PM

Jim,

I believe the 192.168.0.1 is One. Not sure of the other address as I don't know where to find that Information.

Attempted to use the ipconfig /all on both machines but it does not work. The black screen comes up with information and immediatly goes away.

I will download the zone alarm to ONE from the internet as I don't know how to share information between my computers. Never had a need to do it.

 

I believe the 192.168.0.1 is One. Not sure of the other address as I don't know where to find that Information.

I'm pretty sure it is - but "ipconfig" will confirm it.

Attempted to use the ipconfig /all on both machines but it does not work. The black screen comes up with information and immediatly goes away.

Once again, I was too terse! Sorry... Like "netstat", "ipconfig" needs to be run from a "cmd.exe" window. So "Start/Run cmd.exe", and then in the window that opens, type ipconfig /all

I will download the zone alarm to ONE from the internet as I don't know how to share information between my computers. Never had a need to do it.

OK, good enough. Judging from the ZoneAlarm log, most of what's needed is already installed.

I had one thought on the ZoneAlarm log data - it may be that the Microsoft DNS client attempts to fetch information whenever a new network connection appears. There's evidence of DNS traffic (UDP destination port 53, destination IP address ONE's) in the log. From Start/Run services.msc stop the "DNS Client" service and change its Startup type to "Manual". All that can be done by right-clicking on the "DNS Client" entry, then selecting "Properties".

Jim

Jim,

Computer ONE, ipconfig /all

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent f. splain>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : ONE
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Network Bridge (Network Bridge) 10:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-0C-6E-21-32-EB
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2002:c97:ccb4:5:9476:1256:20f8:f020
        IP Address. . . . . . . . . . . . : 2002:c97:ccb4:5:c:6eff:fe21:32eb
        IP Address. . . . . . . . . . . . : fec0::5:c:6eff:fe21:32eb%2
        IP Address. . . . . . . . . . . . : fe80::c:6eff:fe21:32eb%5
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1

PPP adapter pokynet.com:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 12.151.204.180
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 12.151.204.180
        DNS Servers . . . . . . . . . . . : 12.151.203.10
                                            12.151.203.11
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5445:5245:444f%4
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6to4 Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 6to4 Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : 0C-97-CC-B4
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 2002:c97:ccb4::c97:ccb4
        Default Gateway . . . . . . . . . : 2002:3eec:20cb::1
                                            2002:c058:6301::c058:6301
                                            2002:836b:213c:1:e0:8f08:f020:8
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

        Physical Address. . . . . . . . . : 0C-97-CC-B4
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:12.151.204.180%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

        Physical Address. . . . . . . . . : C0-A8-00-01
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.0.1%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\vincent f. splain>

Jim,

ipconfig /aa computer SETI 6

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent splain>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : SETI6
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Network Bridge (Network Bridge) 9:

        Connection-specific DNS Suffix  . : mshome.net
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 12-58-46-F1-E6-77
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.76
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2002:c97:ccb4:5:35a2:2cd7:2793:ef80
        IP Address. . . . . . . . . . . . : 2002:c97:ccb4:5:1058:46ff:fef1:e677
        IP Address. . . . . . . . . . . . : fec0::5:1058:46ff:fef1:e677%1
        IP Address. . . . . . . . . . . . : fe80::1058:46ff:fef1:e677%4
        Default Gateway . . . . . . . . . : 192.168.0.1
                                            fe80::c:6eff:fe21:32eb%4
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        Lease Obtained. . . . . . . . . . : Saturday, March 06, 2004 6:38:40 PM
        Lease Expires . . . . . . . . . . : Saturday, March 13, 2004 6:38:40 PM

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5445:5245:444f%5
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . : mshome.net
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

        Physical Address. . . . . . . . . : C0-A8-00-4C
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.0.76%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\vincent splain>

Jim,

Some how by using zone alarm on ONE I have blocked my SETI  6 computer. A soon as I find out what I did I will paste the igconfig /all file

Wow! I've not seen any IPv6 setups posted before! Am I correct that the Network Bridge on ONE includes the IPv6 tunnel adapters, and not the PPP dialup adapter?

Regarding the IP Version 4 part - yes, the IP addresses of ONE and SETI6 are what I expected them to be. You should tell ZoneAlarm, under the Firewall/Zones tab, that the network 192.168.0.0/255.255.255.0, is a trusted network - that's your LAN. That network should have been detected and set up when ZoneAlarm was installed. If it's not marked as "Trusted" on both machines, the entry should be edited and its status changed to "Trusted".

Can you also post the results of netstat -r from both machines? That will display the IP routing table, and needs to be run from a cmd.exe window, like ipconfig.

I don't think you're routing IPv6 over the PPP adapter, but given that there's a whole bunch more pseudoadapters present because IPv6 is installed, we'd better check.

Apparently a relatively recent Windows Update added IPv6 support, according to this thread at Tek-Tips.com. Here's a Microsoft article explaining what it's all about. If all of this comes as a surprise to you and you don't know what it's for, you may want to consider uninstalling IPv6 support. Its presence was a surprise to me!

I don't know whether ZoneAlarm supports IPv6. The issue's never arisen before.

I haven't found anything indicating when Microsoft released IPv6 for XP. I wonder if this all began when that update was installed.

(edit) Apparently the way to uninstall IPv6 is from a cmd.exe window. The incantation is ipv6 uninstall

Jim

Message Edited by jimw on 03-06-2004 06:33 PM

Jim,

Computer SETI 6

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent splain>netstat r

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

C:\Documents and Settings\vincent splain>

Computer ONE

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent f. splain>netstat -r

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...02 0c 6e 21 32 eb ...... MAC Bridge Miniport - Packet Scheduler Minip
ort
0x920004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   12.151.204.180  12.151.204.180       1
   12.151.204.130  255.255.255.255   12.151.204.180  12.151.204.180       1
   12.151.204.180  255.255.255.255        127.0.0.1       127.0.0.1       50
   12.255.255.255  255.255.255.255   12.151.204.180  12.151.204.180       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1       20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1       20
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1       20
        224.0.0.0        240.0.0.0   12.151.204.180  12.151.204.180       1
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
Default Gateway:    12.151.204.180
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\vincent f. splain>

 

So you recommend that I delete the ipv6 file. Have that on all computers as I generally download most of the up-dates on a regular basis.

Jim,

Correct information from SETI 6

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent splain>netstat -r

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...12 58 46 f1 e6 77 ...... MAC Bridge Miniport - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.76       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.76    192.168.0.76       10
     192.168.0.76  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.0.255  255.255.255.255     192.168.0.76    192.168.0.76       10
        224.0.0.0        240.0.0.0     192.168.0.76    192.168.0.76       10
  255.255.255.255  255.255.255.255     192.168.0.76    192.168.0.76       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\vincent splain>

OK, both those look normal. The dialup connection was active on ONE at the time you ran "netstat -r" on ONE.

So you recommend that I delete the ipv6 file. Have that on all computers as I generally download most of the up-dates on a regular basis.

What I generally do is wait a few days after critical updates are released, and check the Dell Forums and other places to make sure there aren't any problems introduced by the updates. As far as non-critical updates are concerned, I only install them if I know I need the features they add, or that I have the problems they correct.

The addition of IPv6 support to XP was a major upgrade to XP's networking capabilities. Very few ISPs support IPv6 yet. In order for the tunneling interfaces to work, the ISP needs to support IPv6. The benefits to LANs are nonexistent.

The reason IPv6 is not appearing in the "netstat -r" output is that the feature "tunnels" IPv6 traffic over an IPv4 connection. Therefore it doesn't show up in the routing table. IPv6 may not be causing any problems. But it adds complexity to the network setup on all the systems on which it's installed. It's also very new to XP, so if it introduces problems, they may not yet have been widely reported.

I think the decision to remove it should include an analysis of when the IPv6 upgrade was installed versus the time the dialout problem began. It was apparently released some time last fall, but I can't tell when Microsoft made it available via Windows Update.

My recommendation would be to uninstall it. It sounds like Microsoft hasn't provided much more than a command-line uninstall as of now. But, unless the time when the IPv6 upgrade was installed corresponds to the time the dialout problems began, it isn't likely that removing IPv6 support will stop the dialouts.

Are you having any luck with ZoneAlarm on ONE? We still haven't trapped anything that's bringing up the dialup.

Jim

Jim,

Completed the uninstall of ivp6 support on Computer ONE. No problems. Had to reboot. After rebooting the computer ONE connected back to the Internet. Zone Alarm then asked

 "do you want generia host process for win32 services to acept connection from the internet?

source IP :192.168.0.11 Port 68

Application : SVchost.exe

Version : 5.1 2600.0 (xpclient, 010817-148.

HAD TO ACCEPT AS I COULDN'T GET AN ACTIVE WEB PAGE ON THE INTERNET.

SHORTLY AFTER GOT THIS FROM ZONE ALARM

Blocked access to computer ( net BIOS Name) from 68.219.41.21 CDP port 27)

Zone alarm has just now blocked (TCP Port 135) from 12150.142.14 (TCP Port 4249) [TCP flags: S].

Don't unstand this stuff yet.

Vince