No Firewall & No attacks ?

Discussion in 'other firewalls' started by CloneRanger, May 6, 2011.

  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Maybe a driver conflict?
    Try again and report back any problems, I will monitor the thread for your possible reply.

    It can be. To get a better understanding there is a need to dig quite deep and start looking (for example) at TDI events.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Stem

    Hi, thanks for standing by & being prepared to assist :) :thumb:

    Installed wireshark-win32-1.4.1.exe offline, after allowing Everything in ProcessGuard etc. Rebooted & launched it & got some errors :(

    [attachment: no int.gif]

    [attachment: didnt spec.gif]

    Discovered via TM that WinPcap wasn't running, even though I ticked Run on boot on the install ? Went to its folder & DC'd it & allowed it through my FW.

    [attachment: wincp-cmd.gif]

    Went online

    [attachment: zaws.gif]

    Checked via TM it was running & closed & relaunched WS, but still got those errors = no capturing etc ?

    Went to here - http://wiki.wireshark.org/CaptureSetup

    Then

    My version is 4.1.0.2001 which came with WS.

    Not sure where I'm going wrong ?

    No rush with this, so Please only advise etc at your convenience ;)

    TIA
     
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    CR, perhaps a review of IANA Port Numbers might help. Just FYI.
     
    Last edited: May 13, 2011
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Re: Wireshark
    Winpcap is needed, and you have to be an admin for Wireshark to see the NICs, so RunAs administrator. Non-admin not allowed to snoop on the interfaces, and so Wireshark reports no interfaces.
    If not an admin issue, then I don't know why interfaces don't show up.

    Fabulous thread!
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ JRViejo

    Thanks :thumb:

    The person on the other forum mentioned SMTP, but that's Port 25 !

    epmap 135/tcp DCE endpoint resolution
    epmap 135/udp DCE endpoint resolution

    Yeah saw epmap listed in CurrPorts & DATA trying to get out via UDP many times, but blocked by ZA :p Don't know why it's happening though & my ongoing Prevx thread is related to this strangeness !

    Was wondering though why port 135 on Rmus's OS, which is different to mine, should share the same Open port ? It "seems" to be by default by MS ?

    I am in Admin, so it's a "bit" puzzling !

    Thanks :) I hope others can gain something out of it too :thumb:
     
    Last edited: May 13, 2011
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Ah, you are on PPP.
    As mentioned, you will need to run as Admin. But there can also be problems due to other NDIS drivers.


    You could try the trial version of colasoft capsa http://www.colasoft.com/capsa/ , see if that works on your setup.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Microsoft has a network monitor - I used it on, I think, W2k, and this seems to be the current link - they might be detecting my XP (FamilyID in link?), not sure about all other Windows versions.
    http://www.microsoft.com/downloads/...=983b941d-06cb-4658-b7f6-3088333d062f&pf=true

    Just checked, other windows supported
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yeah, P*** Poor Protocol, by the sounds of it :D

    Why would I have those & how to check them ?

    I did try it last year & had problems with that too :( Once again might have been me, but I'll give it another shot.

    Thanks :)
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The same problems apply to (for example) PPTP (WAN miniport interfaces)


    Not always easy. It depends on what you have installed. Other security applications and/or sniffers can install NDIS drivers.

    I will just try a couple of tests on a Wan miniport /PPTP
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, since Win 2K SP4 which was the OS I used in 2005 for my firewall test I referred to earlier.

    Some background:

    DCOM & Port 135
    http://accs-net.com/smallfish/dcom.htm
    Well, as I investigated this issue years ago, I realized

    1) The technical ins and outs were much beyond my comprehension.

    2) Installing a firewall takes care of the problem without having to fiddle inside the OS or employ other tools to disable it.

    Of course, the firewall has to be enabled, and to Microsoft's embarrassment, its own firewall was not enabled by default until WinXP SP2:

    MS08-067 and the SDL
    http://blogs.msdn.com/b/sdl/archive/2008/10/22/ms08-067.aspx
    Indeed!

    MS RPC, port 135, DCOM buffer overrun and the Blaster worm
    http://www.keyfocus.net/kfsensor/help/AdminGuide/adm_RPC.php
    Vulnerable at that time was also Port 445 for the intrusion of Conficker.A, the subsequent exploit against MS08-067.

    Live and learn!


    -rich
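Port 135 showing up open by default, as CloneRanger and Rmus note above, is the epmap / DCE endpoint mapper that DCOM and RPC sit on, and 445 is the SMB port Conficker reached. The following is an added example (mine, not code from the thread or from any of the posters) of the check a practitioner would run on such a host: it parses `netstat -ano` output and flags the RPC/SMB ports bound to every interface, as opposed to loopback only. The netstat text inside it is constructed for illustration, and the service names come from the IANA port registry JRViejo linked.

```python
"""Audit Windows listening sockets for the RPC/SMB ports discussed above.

Added example, not code from the thread. It parses `netstat -ano` output and
flags port 135 (epmap / DCE endpoint mapper), the NetBIOS ports and 445 (SMB)
when they are bound to every interface (0.0.0.0 or [::]), which is exactly what
a host firewall is expected to cover. The netstat text below is constructed.
"""
import re
from dataclasses import dataclass

# Service names per the IANA port registry; the thread discusses 135 and 445.
RISKY_PORTS = {
    135: "epmap (DCE endpoint resolution, used by DCOM/RPC)",
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
}
# Local addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}


@dataclass(frozen=True, order=True)
class Listener:
    proto: str
    port: int
    addr: str
    pid: int


# One `netstat -ano` row: proto, local addr:port, foreign addr:port, optional TCP state, PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return the sockets that accept traffic: LISTENING TCP sockets and all UDP sockets."""
    listeners = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not accepting new connections
        listeners.append(Listener(proto, int(port), addr, int(pid)))
    return listeners


def exposed_services(listeners):
    """Risky ports bound to a wildcard address; loopback-only bindings are not exposed."""
    return sorted(l for l in listeners if l.port in RISKY_PORTS and l.addr in WILDCARD_ADDRS)


def report(text):
    """Human-readable finding lines, one per exposed socket."""
    return [f"{l.proto} {l.addr}:{l.port} pid={l.pid} -> {RISKY_PORTS[l.port]}"
            for l in exposed_services(parse_netstat(text))]


# Constructed sample (not a real capture): the shape `netstat -ano` prints on XP/7.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1360
  TCP    192.168.1.10:49201     203.0.113.7:80         ESTABLISHED     2044
  TCP    [::]:135               [::]:0                 LISTENING       784
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1172
"""

if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

Against a real machine, save the output with `netstat -ano > ports.txt` and pass the file contents to `parse_netstat`. The wildcard check is the point: a service bound only to 127.0.0.1 is not reachable from the network, whereas 0.0.0.0:135 or 0.0.0.0:445 with no firewall in front of it is what Blaster (RPC, port 135) and Conficker (MS08-067, port 445) reached.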
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @CloneRanger,

    Re:- Wireshark.

    Looks like there is a bug in the latest Wireshark/Winpcap, causing it to not see Wan miniports.

    You could try installing an earlier version of wireshark and/or Winpcap. I have an older wireshark version I have just installed, and that is seeing the Wan miniport interfaces OK.

    EDIT:
    Looks like the problem is in Winpcap V4.12. Uninstall that version from your setup. Go to the Winpcap site and download V4 and install that.


    - Stem
     
    Last edited: May 14, 2011
  13. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    For Wireshark, this may be a little helpful:

    http://www.youtube.com/watch?v=NHLTa29iovU


    I don't have Wireshark on Windows, so please follow Stem.


    There is another tool which gives us an idea of what internal ports are open and what services are running on them.

    It's called nmap:

    https://www.wilderssecurity.com/showthread.php?t=295398

    Please follow the above thread.


    I agree with Stem that the best way to avoid problems, which I also follow on my Linux systems, is to disable services which are not needed.


    Keep your system patched against vulnerabilities and download from safe and secure locations; prefer downloading directly from the vendor's site.

    http://secunia.com/vulnerability_scanning/personal/

    Another great tool for vulnerability scanning:

    http://www.nessus.org/products/nessus
     
  14. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Not just me then :D

    Jeepers, what next can go wrong :( Newer versions of things aren't always the best :p

    LATEST

    Uninstalled Winpcap V4.12 & reinstalled v4, but got this error ?

    [attachment: wc-err.gif]

    Rebooted, Winpcap not running so found it & started it ok, then launched WS. Got the Exact same errors as before ?

    Also I installed Colasoft as you suggested, capsa_free_7.2.1.2299(2).exe. Had to email them to get it registered for it to work, but got a Delivery Status Notification ? I'm going to PM Colasoft & see if they can sort it !

    What a palaver, hey :argh:

    Thanks :thumb:

    That's the one ;)

    DCOM = Not good
    Mine too :p

    Both are nice = Extra safety etc :thumb:

    You're not kidding :eek:

    We try :)

    @ mack_guy911

    Thanks for the links etc :thumb:

    Think I might go for the 3 year deal :D

    [attachment: 3.gif]

    https://store.tenable.com/?main_page=index&cPath=1
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ CloneRanger

    Aren't you using a USB 3G device to connect to the Internet? If you are, you're out of luck with Wireshark and Microsoft Network Monitor. I don't think anything has changed since I last tried them both.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes sir, I am. Maybe some people missed that detail from earlier on in the thread :(

    Oh dear :( Wonder if others can confirm the "seemingly" bad news, and/or recommend something that will be compatible :thumb:
     
  18. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I had an ancient XP disk from like 2002, right after it came out. Of course, this version didn't include SP2 and the firewall. A couple of times several years ago I reformatted using this disk and directly connected to the internet, and by the time I went to download.com and installed an AV and downloaded Spybot the system was already infected. I mean instantly infected with tons of stuff. It was caused by either going w/o a firewall or going online with an ancient version of IE; I'm putting most of the blame on the lack of firewall though.

    Next time I reformatted but had SP2 on a disk, still connected to the net with the ancient IE version, but was able to update Windows and go to download.com and download a few basics like an AV, MBAM, and CCleaner. After reformatting this way scans came up clean. My .02
     
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Bad news confirmed.
    http://www.winpcap.org/misc/faq.htm#Q-5
    Perhaps a really ancient version of winpcap would work?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, not actually sure then. I did see (reproduce) the problem you are having (not seeing Wan miniports) with the latest Wireshark/winpcap installation.
    I actually installed an older version of Wireshark (which shows as installing winpcap 4). That then showed the Wan miniport; I then replaced Wireshark with the latest version.

    This is what I see on starting Wireshark:-

    [attachment: 01.jpg]

    edit:

    Once the Wan miniport is active, this is the list:

    [attachment: 02.jpg]

    Capture from Wan (PPP) miniport works ok (well, on that setup)

    [attachment: 03.jpg]


    - Stem
     
    Last edited: May 14, 2011
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think the free version only captures from Ethernet, possibly not from Wan miniport/PPP. It is why I mentioned try the "Trial version" (of the full application).

    There is the colasoft support forum here at Wilders https://www.wilderssecurity.com/forumdisplay.php?f=92, so you could post there for confirmation if their sniffer captures PPP


    - Stem
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I agree. If you had saved a copy of your FW etc to CD or another partition, you could have installed it before going online; that's what I used to do & still do.

    Re SP2

    Seems to confirm things :thumb:

    Yeah :( Thanks though.

    Re - WinPcap 3.1

    Sounded like it "might" work at first, but then no :(

    Now does that mean PPP & VPN together, or, and/or ?

    Wonder what it is about PPP that's incompatible with WinPcap on so many OS's ?

    Which V ? :)

    Interesting, so part way through installing the earlier version of WS, at the WinPcap prompt you just cancelled it & then installed without it, then installed WinPcap v.4 ?

    Brilliant :) Thanks for doing that :thumb:

    Sorry, must have missed that :(

    Will do, thanks :thumb:
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Wireshark-setup-0.99.5.exe


    After seeing the problem with the latest version, I removed WS and its winpcap installation.
    I installed 0.99.5 with the winpcap version it was packed with; that winpcap version showed as V4, and the setup worked with the Wan miniport. So I then removed the WS installation leaving winpcap installed, and installed the latest version of WS (not installing the winpcap that came with it). That then still worked with my setup/Wan miniport.

    See if you can get hold of 0.99.5. But make sure you remove all other sniffers you have installed previously (just to cut down the chance of any conflict).

    [ Just for clarity. I made the setup on Win XP pro (sp2) ]


    - Stem
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    So does that mean uninstalling v0.99.5 didn't remove Everything, & thereby reinstalling the latest version of WS added to "something/s" that were still left over ? Otherwise I don't understand how it would make a difference & work when it didn't before ?

    Did that, & got it from the WS www: Wireshark-setup-0.99.5.exe :thumb:

    [attachment: ws-v0.99.5.gif]

    The version of WinPcap I installed before was v4.0.0.755. Today with v0.99.5 it's Exactly the same, so I'm thinking of just leaving it alone ?

    OK.

    LATEST

    Success with v0.99.5 & the included WinPcap v4.0.0.755 :thumb: :)

    Before going online

    [attachment: 1.gif]

    [attachment: 2.gif]

    [attachment: 2a.gif]

    Online but NO www & I think I had FF launched, but on a blank startup page, as usual.

    [attachment: 3.gif]

    The ************ looks weird, to me anyway o_O & it wasn't in my FW log ?

     
    Last edited: May 14, 2011
  25. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Oh, good news finally.

    Re that odd IP, by domaintools

    NetRange: 1.0.0.0 - 1.255.255.255
    CIDR: 1.0.0.0/8
    OriginAS:
    NetName: APNIC-1
    NetHandle: NET-1-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    Comment: This IP address range is not registered in the ARIN database.

    OR

    Could be reverse DNS
    http://whois.domaintools.com/217.171.132.1
    is in UK

    You can change the column display by adding local and destination ports.

    Are you sure packets 19 and 22 come from your ISP and not your own computer? They look like broadcasts to get IP. Then again I have no idea what DHCP inform is, so I better stop picking on you right now.
     
    Last edited: May 14, 2011
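On the DHCP Inform question in the post above: the following is an added example (mine, not code from the thread or from any poster) that decodes a DHCP message from its raw bytes, identifies the message type, and reports which side sent it. Per RFC 2131/2132, DHCPINFORM (message type 8) is sent by a client that already has an IP address and only wants the remaining configuration parameters, so it originates from the client's own address rather than from an ISP server; DHCPDISCOVER and DHCPREQUEST are the ones a client with no address yet sends. Both sample packets are constructed in code, not taken from a capture, and the MAC, hostname and addresses in them are made up.

```python
"""Decode a DHCP message and say which side sent it and why.

Added example, not part of the thread. Per RFC 2131/2132, DHCPINFORM (message
type 8) is sent by a client that already has an IP address and only wants the
other parameters (DNS servers, domain, ...), so its source is the client's own
address; DHCPDISCOVER/DHCPREQUEST come from a client with no address yet. The
packets below are constructed in code for illustration, not taken from a capture.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
OPT_PAD, OPT_HOSTNAME, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST, OPT_END = 0, 12, 53, 55, 255
# Fixed 236-byte BOOTP header that precedes the magic cookie and the options.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def build_client_message(msg_type, xid, mac, ciaddr="0.0.0.0", broadcast=False, hostname=b"xp-box"):
    """Construct a client (BOOTREQUEST) message; only used here to make sample packets."""
    flags = 0x8000 if broadcast else 0
    zero4 = b"\0" * 4
    fixed = HEADER.pack(1, 1, 6, 0, xid, 0, flags, socket.inet_aton(ciaddr), zero4, zero4, zero4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_PARAM_REQUEST, 3, 1, 3, 6,
                      OPT_HOSTNAME, len(hostname)]) + hostname + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(data):
    """TLV options: code, length, value; 0 is a one-byte pad and 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(data):
    """Decode the fixed header and options into a dict of the fields that matter here."""
    if len(data) < HEADER.size + 4 or data[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags, ci, yi, _si, _gi, chaddr, _sname, _file = \
        HEADER.unpack_from(data)
    opts = parse_options(data[HEADER.size + 4:])
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\0")[0]
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",   # client sends 1, server sends 2
        "xid": xid,
        "broadcast": bool(flags & 0x8000),                 # client asks for a broadcast reply
        "ciaddr": socket.inet_ntoa(ci),                    # client's current address, if any
        "yiaddr": socket.inet_ntoa(yi),                    # address a server is handing out
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "message_type": MESSAGE_TYPES.get(mtype, f"unknown({mtype})"),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
    }


def explain(pkt):
    """One line saying who sent the message and what it is for."""
    who = f"client {pkt['chaddr']} ({pkt['hostname'] or 'no hostname'})"
    if pkt["op"] == "BOOTREPLY":
        return f"server {pkt['message_type']} to {pkt['chaddr']}, offering/confirming {pkt['yiaddr']}"
    if pkt["message_type"] == "DHCPINFORM":
        return f"{who} already has {pkt['ciaddr']} and is only asking for configuration parameters"
    if pkt["ciaddr"] == "0.0.0.0":
        flag = "set" if pkt["broadcast"] else "clear"
        return f"{who} has no address yet and sent {pkt['message_type']} to obtain one (broadcast flag {flag})"
    return f"{who} at {pkt['ciaddr']} sent {pkt['message_type']}"


# Constructed samples: a host that already has 192.168.1.10 asking for extra parameters,
# and the same host before it had any address at all.
MAC = bytes.fromhex("001122334455")
SAMPLE_INFORM = build_client_message(8, 0x3903F326, MAC, ciaddr="192.168.1.10")
SAMPLE_DISCOVER = build_client_message(1, 0x3903F327, MAC, broadcast=True)

if __name__ == "__main__":
    for pkt in (SAMPLE_INFORM, SAMPLE_DISCOVER):
        print(explain(parse_dhcp(pkt)))
```

To apply it to a real capture, feed `parse_dhcp` the UDP payload of a port 67/68 packet (Wireshark can export the selected bytes raw); the `op` field alone settles whether the host itself (BOOTREQUEST) or a server (BOOTREPLY) sent it, and for a BOOTREQUEST the `ciaddr` field is non-zero exactly when the sender already had an address, which is the DHCPINFORM case.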