We have a machine in our datacenter that started stealing
ARP's request once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com).
Marcel Bartels the author assures me it not related to his
application thus I'm wondering if any othe WinPCap users have heard of
this.
Basically it is answering ARP's from the switch for IP's that
are not assigned to the machine. This had the effect of DOS'ing other boxes on
the same switch for which the IP did belong to. It was intermittent because
obviously the real box that owned the IP would sometimes beat the rogue machine
with an ARP reply.
The very strange things is after winpcap and trafficstatstic
where uninstalled, it STILL continued to steal ARP's. Then we swapped out the
network card for an identical one, same problem. We eventually installed a
second card this time 1000mpbs Realtek and unplugged the 100mpbs from the
network. This solved it as a temporary measure.
Also Promiscuous and Brodacast mode where unchecked in the trafficstatistic
software.
Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later
uninstalled too along with winpcap).
Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed
Thanks for any help
Regards, Matthew |
- RE: [WinPcap-users] Criritcal issue: NIC stealing all AR... Matthew Tagg
- RE: [WinPcap-users] Criritcal issue: NIC stealing a... Loris Degioanni
- Re: [WinPcap-users] Criritcal issue: NIC steali... Matthew Tagg
- Re: [WinPcap-users] Criritcal issue: NIC st... Rob Henningsgard
- Re: [WinPcap-users] Criritcal issue: NI... Matthew Tagg
- Re: [WinPcap-users] Criritcal issue: NIC stealing a... KanjiSoft Systems
- Re: [WinPcap-users] Criritcal issue: NIC steali... Matthew Tagg