Anti-ARP problem in the local network environment

Discussion in 'LnS English Forum' started by myownsky, Apr 26, 2007.

Thread Status:
Not open for further replies.
  1. myownsky

    myownsky Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    18
    I've added two rules, am I right?

    thanks for anyone who could help me.
     

    Attached Files:

    • 1.JPG
      1.JPG
      File size:
      11.8 KB
      Views:
      436
    • 2.JPG
      2.JPG
      File size:
      125.3 KB
      Views:
      8
    • 3.JPG
      3.JPG
      File size:
      129.7 KB
      Views:
      2
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi myownsky :)

    Arp packets are transmitted locally NOT on internet...

    Arp poisonning is possible in wide area networks when a bad guy makes spoofed arp packets with spoofed MAC addresses from a machine inside this network.

    But we're talking about a local network with TWO PCs.

    The probability of such attacks is near 0 ...

    Have a nice day.

    :)
     
  3. myownsky

    myownsky Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    18

    thank you very much.

    Now I have three problem. The first is whether the rules added by me are still effective provided that there are plenty of PCs in the local net?

    the other is when the another PC in my local network is using P2P software such as Bitcomet, there are many logs that show the packets was blocked by the rules added by me which don't come from ADSL but the another PC in my net, including the broadcast packets and the packets directly sending to me from the another PC. What is the reason?

    the third problem is whether the LNS' filter rules work stablely? when I have installed CHX 3.0 and LNS in my PC---finishing to install CHX 3.0 and then to install LNS, I find there are logs of Anti-ARP packets at first in both CHX 3.0 and LNS, but later the same logs could be found only in CHX 3.0 and there is nothing in the LNS. Why?
     

    Attached Files:

    • 4.JPG
      4.JPG
      File size:
      163.2 KB
      Views:
      2
    • 5.JPG
      5.JPG
      File size:
      177.5 KB
      Views:
      1
    • 6.JPG
      6.JPG
      File size:
      180 KB
      Views:
      1
    Last edited: Apr 26, 2007
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi myownsky :)



    I'm very skeptical about this. The only way to be sure is to test it in a real multi stations environment.
    What you can do on your side is to try to spoof some packets to see whats happen...

    You may used Packetyzer which allow to edit and resend packets...
    http://www.networkchemistry.com/products/packetyzer.php


    Your screen captures shows a lot of NetBios packets. May be there is some rules to be added or modified.
    If you're using file sharing you have to follow these instructions:

    http://www.looknstop.com/En/faq_configuration.htm#lan
    http://www.looknstop.com/En/rules/rules.htm#Partage


    CHX 3.0 ? What's this please? A packet sniffer?
    The packets filtered by CHX (or any other packets sniffer) are matched with the ones checked by LNS.
    The options for LNS log must be enabled and an exclamation mark put in the third column of each rule
    to have an entry each time the rule is applied.

    Compare the list of the LNS log with the one of Packetyzer
    (it's a sample of a connection to Wilders securuty forum.
    The order in the lists are reversed...
    the # 1 in Packetyzer correspond to D-21792 in the LNS log and the # 18 to the D-21809 ...)
    The anti-flood for the LNS log was enabled. With this option disable the packets will match the one in the packet sniffer...
    But here it's only for an example. Right?


    Simply removed these "anti-arp" rules or at least disabled them.
    To troubleshoot you have to reduce the number of parameters to check.
    Keep it simple myownsky ;-)
     

    Attached Files:

    Last edited: Apr 27, 2007
  5. myownsky

    myownsky Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    18
    Thank you very much.


    yes, I've prohibited file sharing.

    Regarding CHX 3.0, I could send you the software and it's tutorial if you give me your e-mail.

    BEST REGRDS FOR YOU.
     
Thread Status:
Not open for further replies.