PE Not Showing All Traffic

Discussion in 'Port Explorer' started by Dazed_and_Confused, Jul 31, 2005.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Been using PE for over a year. Have not used it lately, and fired it up today. Something is not working right. :'(

    When I start a new application, such as Outlook Express, it displays the process correctly at first, showing it in green, with traffic displayed below in the logging window. Later when I press the OE send/receive button, nothing is displayed, neither in the top window nor in the Logging window below. Same for Internet Explorer - PE is showing absolutely nothing.

    Tried adding the process to the packet sniffer utility, and it also displayed no traffic. Been working on this for a couple of hours - I'm at a loss. :doubt:

    I actually tried re-installing the app over the top of the existing install. Unless someone has an idea what might be causing the problem, I'm going to have to do a clean install. Any ideas? o_O o_O
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Update to post above: Now PE will not let me add a process to the packet sniffer utility. When I key the process ID to add it - nothing happens. When I try to add a process by right-clicking the process from the top PE window, nothing happens there either.

    Something really weird is happening with PE. No other problems at all with other apps. Other than PE, all is working well. Which makes it more of a puzzle.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Daisey,
    Sure you can look into your settings: are the logs set to display anything at all?
    Did you delete the capture.bin when you installed again?
    You can try and restart Port Explorer again.
    The capture.bin is recreated automatically when needed.

    If that doesn't help, it looks like you messed something up and a clean install would help.
    Also in that case make sure you deleted the capture.bin before installing the new one.
     
  4. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for getting back to me, Jooske. :) Been away for a couple of days. Sorry for the delay...

    Yes.

    Cannot find that file. Where is it located? I did a search on the entire C: drive.

    I assume you are suggesting I do this after deleting CAPTURE.BIN?

    That's what I'm going to do if all else fails.


    By the way, if I can't get it working, what other packet sniffer software would you suggest? Ethereal? NetworkActiv? Not that I'm giving up or anything. I just need to do some packet sniffing ASAP.
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I have both PE and Ethereal and I tend to use Ethereal on the odd occasion when I need a packet sniffer.

    There are other tools that can show process to port mappings as well (while PE isn't working for you); one of them is SIW (found here). It's not a dynamic list but it's better than nothing and adequate for occasional use...
    The other tool I use for port to process mapping is the Sysinternals one, TCPView. I shouldn't forget that really.

    PE has an edge in that you can specify just one process but a downside in that it doesn't use a standard packet capture format that you can then later open in ethereal (or other tool of choice).

    Regards

    NB: In SIW you click on the bidirectional green arrows or Network, Open Ports (either via the menu or the treeview)
     
    Last edited: Aug 4, 2005
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, gottadoit. :) I'm going to give Ethereal a try until Jooske gets back to me and we get PE up and running again.
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Update...

    Tried uninstalling and reinstalling Port Explorer. Not sure what happened, but it really whacked my PC. o_O For some reason, after reinstalling PE, NOD32 gave me a message saying it had updated some type of setting and that I should restart the PC for the new settings to take effect. After that, everything went downhill FAST. It did something to Explorer. I could not start applications using the start menu; the NOD32 icon was not showing in the system tray, etc. Nothing was working.

    System Restore really saved my bacon, and that's the ONLY reason I'm talking to you now. Otherwise, I was looking at a complete reinstall of EVERYTHING. :'(

    Thinking about doing an uninstall of PE, and just keeping it that way.... :mad:
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Another Update...

    Well, I have settled down now after that last unpleasant experience and brush with disaster.... :rolleyes:

    Because I love DCS and their products so much, I thought I would give PE one last chance. So I uninstalled it once again, and completely cleaned my registry of all traces of PE with all the tools at my disposal, AND set a new system restore point. Then reinstalled PE. Once again, NOD32 said this after restarting my PC:

    Time Module Event User: 8/4/2005 15:43:22 PM IMON The network configuration was changed and IMON failed to update the necessary settings. The network may not function properly.

    That does not sound good. Not only that, MJRW went CRAZY, informing me of numerous changes being made to my registry. I subsequently closed MJRW, and restarted my PC once again. This time, everything seems to be working correctly (knock on wood) :) , although I don't understand why - considering the message above.....except that PC startup seems to be taking quite a bit longer :doubt: , but PE is back to its old self again. :D YESSSS!!

    There must be a conflict with PE and NOD32. That's my conclusion. ;) I just hope my NOD32 is working correctly. I would go without / uninstall a lot of apps before I would lose my precious NOD32.

    Just to make sure everything is working correctly, I'm going to try restarting my PC once again and see what happens. Wish me luck! :rolleyes:
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Daisey,
    There never was any incompatibility at all with NOD32, so ............

    At both un- and installing Port Explorer, are you sure all your other applications and their resident protection (NOD) were completely closed?
    This is really important with programs going deep like Port Explorer.
    Then either make sure you first unregister the .dll and continue uninstalling -- for me it always worked best to use Port Explorer's own uninstaller in its directory.
    Normally with a new install the Port Explorer installer would prompt for unregistering the .dll itself, but in case that doesn't happen you could unregister that dcsws2.dll yourself and continue following the prompts.
    After that, you can best do another reboot, again make sure all is closed, install, you're best rebooting after entering the key if needed, and then all should run fine.

    Not sure what was blocking NOD, as Port Explorer is most certainly not blocking parts of the registry; it just displays all processes.

    NOD is just telling you there were some changes made, which is correct if you (un)install your network monitor tool. And there should not be any changes to be made for NOD when Port Explorer is there no more or again. It just should not be running at all till Port Explorer is correctly installed.


    That you did not find the capture.bin in the Port Explorer directory is not strange since you deleted it. It is recreated next time you start spying on something; you can remove all content with the remove all button in the socket spy tool or can delete the capture.bin, rename it to save it for future review, anything.
     
  10. smf

    smf Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    31
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Aah, but there is. See Marcos' post here.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I said "was". I really don't know what happens at this time, same kind of problem as yours. Maybe NOD32 changed anything which affects new Port Explorer installs, or maybe people forgot to close all and every protection including NOD32 items when (re)installing Port Explorer.
    At this moment I must leave the question to the techies of both companies to sort this out, if you are really sure you took those precautions.
    Maybe there is another program in this combination which could use some allowances and settings looked after, like ProcessGuard for instance or RegDefend, or NOD32 must be granted some settings again. Did you try to install NOD32 again as well? (with all other protection down etc etc, maybe including the firewall, so get off the internet to do that)

    You're working in a layered protection environment; I would think ProcessGuard and Port Explorer go deepest, after maybe the firewall, WormGuard, after that NOD32, etc.
    Maybe it could be a LSPfix issue?
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for all your help, Jooske. But I did get the problem resolved after posting in that same NOD thread where the post I referred to above resides. One has to take specific steps when installing PE with NOD already running. Not a problem, but it's something one has to know! ;)
     