PG ethereal conflict

Discussion in 'ProcessGuard' started by poogimmal, Dec 8, 2005.

Thread Status:
Not open for further replies.
  1. poogimmal

    poogimmal Registered Member

    Joined:
    May 7, 2004
    Posts:
    79
    I installed ethereal 0.10.13 with WinPcap 3.1 on my W2K SP4. During the install I had killed or disabled various security apps. Post-install I rebooted and turned everything back on in orderly fashion and started ethereal. It did a few bumps with Kerio 2.1.5 but I worked past those, and then started an ethereal capture and *pooof*: black screen, shutdown, reboot. After the reboot I closed various security stuff and slowly started one, ran ethereal OK, started another, OK, so I was able to narrow the culprit down to... ProcessGuard 3.150. I've tried various settings in PG and ethereal always crashes W2K with PG running. Turn off PG and ethereal is OK. Curious, as I have run prior versions of ethereal with PG in the past with no problem. So something is new and different (apparently) in the current version of ethereal. Any ideas how to tweak this combo other than disabling PG?
    I disabled PG when I installed ethereal.
    Side note: I also installed Sun Java JRE 1.5.0.06 today, but there is no evidence that Java is causing any problems.
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi poogimmal.
    Does PG enter anything in the log files saying it has blocked something, driver install/memory access etc.?
     
  3. poogimmal

    poogimmal Registered Member

    Joined:
    May 7, 2004
    Posts:
    79
    Not that I see. Pasting the last entry, which shows ethereal starting; it starts OK, the crash only comes when I initiate a capture (some sort of WinPcap conflict??).

    [EXECUTION] "c:\program files\ethereal\ethereal.exe" was allowed to run
    [EXECUTION] Started by "c:\winnt\explorer.exe" [268]
    [EXECUTION] Commandline - [ "c:\program files\ethereal\ethereal.exe" ]

    Earlier I put ethereal into protection and told PG to allow it to install drivers, hooks... I'm baffled, as I have not had any problems with PG since v3.xxx came out.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    poogimmal,
    What version of PG are you using?
    Is it the current production version 3.150 or the newer beta version? The reason I ask is that several people have reported issues with the beta, so if you are using the new one you should see if you can reproduce it with 3.150....

    I have XP Pro and have used ethereal (0.10.13 and earlier versions + WinPcap 3.1) with the current production release of PG (3.150 registered version), with and without Kerio 4.x, to capture without any problems at all. I know that this doesn't help you resolve your specific problem, but at least you know that it does work with PG on XP, so it might be a W2K+PG issue. I don't have PG (or Kerio) on this machine at the moment and I can't remember having to give ethereal any special permissions.

    Doing a "Capture, Start" on this machine causes ethereal.exe to execute a second program, so the conflict could be something happening with that:
    Code:
    ethereal-capture -i \device\npf_{ae35eb70-b087-40e4-98fb-9b5392677abc} -b 1 -m "-*-lucida console-medium-r-*-*-*-100-*-*-*-*-*-*" -z sync:65 -z signal:66
    You could try and see if "Capture, Interfaces" works for you and shows the interface list and the packet counts going through. That dialog would probably be making use of the WinPcap interface in a more limited way and could show if it is working.

    If that works, try clicking on Prepare for the real interface and perform a really basic capture: untick "Capture packets in promiscuous mode", untick all the Name Resolution boxes and untick "Update list of packets in real time", then click on Start (to execute ethereal-capture) and see what happens.

    It will probably need someone from DCS to actually try it out on their side of things and see if they can reproduce it. This sounds like something that would probably be worth reporting via the contact page or email support@diamondcs.com.au

    If you got a dump after the crash then there is some after-the-fact information that you could send to DCS for them to look at.
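One way to check the point raised above, that the crash may involve the second program (ethereal-capture) rather than ethereal.exe itself, is to read the ProcessGuard execution log and see whether PG recorded that child launch and what verdict it gave. The following is an added example (not code from the thread, ProcessGuard, or ethereal) that parses log lines in the shape quoted earlier in the thread and groups them into parent/child execution events. The first three sample lines are the ones posted above; the second event (ethereal-capture.exe started by ethereal.exe) is constructed for this example, the wording "was blocked from running" is an assumption about how PG would log a denied launch, and the `{interface-guid}` is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample ProcessGuard log excerpt. The first three lines are the ones quoted
# in the thread. The second event (ethereal-capture.exe) is CONSTRUCTED for
# this example, "was blocked from running" is an ASSUMED wording for a denied
# execution, and {interface-guid} is a placeholder for the real NPF device GUID.
SAMPLE_LOG = r"""
[EXECUTION] "c:\program files\ethereal\ethereal.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [268]
[EXECUTION] Commandline - [ "c:\program files\ethereal\ethereal.exe" ]
[EXECUTION] "c:\program files\ethereal\ethereal-capture.exe" was blocked from running
[EXECUTION] Started by "c:\program files\ethereal\ethereal.exe" [1140]
[EXECUTION] Commandline - [ "c:\program files\ethereal\ethereal-capture.exe" -i \device\npf_{interface-guid} ]
"""

# The verdict line opens a new event; the next two lines describe its parent
# and command line. Patterns follow the three log lines quoted in the thread.
VERDICT_RE = re.compile(r'^\[EXECUTION\] "(?P<path>[^"]+)" was (?P<verdict>.+)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')


@dataclass
class ExecEvent:
    path: str                      # program PG made a decision about
    allowed: bool                  # True for "was allowed to run"
    parent: Optional[str] = None   # program that started it ("Started by")
    parent_pid: Optional[int] = None
    commandline: Optional[str] = None


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_pg_log(text: str) -> List[ExecEvent]:
    """Group [EXECUTION] lines into one ExecEvent per launch decision."""
    events: List[ExecEvent] = []
    current: Optional[ExecEvent] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERDICT_RE.match(line)
        if m:
            current = ExecEvent(path=m.group("path"),
                                allowed=m.group("verdict").startswith("allowed"))
            events.append(current)
            continue
        if current is None:
            continue  # parent/commandline line without a preceding verdict
        m = PARENT_RE.match(line)
        if m:
            current.parent = m.group("parent")
            current.parent_pid = int(m.group("pid"))
            continue
        m = CMD_RE.match(line)
        if m:
            current.commandline = m.group("cmd")
    return events


def children_of(events: List[ExecEvent], parent_name: str) -> List[ExecEvent]:
    """Events whose 'Started by' program has the given file name."""
    wanted = parent_name.lower()
    return [e for e in events if e.parent and basename(e.parent) == wanted]


def capture_helper_status(events: List[ExecEvent]) -> Optional[bool]:
    """None if PG never logged ethereal-capture being launched by ethereal.exe,
    otherwise whether that launch was allowed."""
    for e in children_of(events, "ethereal.exe"):
        if basename(e.path).startswith("ethereal-capture"):
            return e.allowed
    return None


if __name__ == "__main__":
    evs = parse_pg_log(SAMPLE_LOG)
    for e in evs:
        print(f"{basename(e.path)} allowed={e.allowed} parent={e.parent} pid={e.parent_pid}")
    print("ethereal-capture logged as allowed:", capture_helper_status(evs))
```

If `capture_helper_status` returns `None` against a real PG log taken right before the crash, PG never saw ethereal.exe spawn the capture helper, which points away from an execution-protection decision and toward the driver-level WinPcap interaction; a `False` would be the execution-block case worth reporting to DCS with the log attached.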
     