Some weird ethernet traffic logged

Discussion in 'LnS English Forum' started by doktornotor, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Can someone tell me what this is? The MAC belongs to a local printserver (it's not a computer, it's something like HP JetDirect), I'd like to allow it to stop logging of this by the final "catchall" but really don't know what to allow? o_O
     


  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi doktornotor,

    You can create a rule to match by MAC address, and set it to allow or block silently.



    Regards,
    Phant0m
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Thanks, I've allowed it since blocking all traffic from that MAC is not really an option, breaks printing. Still wondering what kind of traffic it is. :D
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    When the Ethernet Type is below 1500, it is not a type but the length of the ethernet frame.
    So, it means a proprietary/specific protocol is used for that printer.

    I'm not sure this kind of packet would pass a router. Is your printer connected directly to the PC, or through a HUB?

    Instead of allowing these packets (I don't know exactly if you allowed all traffic for that MAC address, or if you allowed all other ethernet packets), you can try to create a rule that will block all other ethernet types to see if it works anyway.

    Frederic
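
The type/length distinction described in the post above, as an added example that is not part of the original thread or of Look 'n' Stop: a Python classifier that reads the 2-byte field after the MAC addresses and, when it is a length, decodes the LLC/SNAP header that follows. It goes beyond the post by using the IEEE 802.3 boundaries (1500 and below is a length, 0x0600 and above is a type) and a partial table of well-known SAP values; the sample frames and the MAC address are constructed.

```python
import struct

# Partial tables of well-known values; anything else is reported numerically.
LLC_SAPS = {0x42: "STP", 0xE0: "Novell IPX", 0xF0: "NetBIOS", 0xAA: "SNAP"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX", 0x809B: "AppleTalk"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes) -> dict:
    """Classify one Ethernet frame (no preamble/FCS) by its type/length field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    field = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "field": field}
    if field >= 0x0600:  # 1536 and above: Ethernet II EtherType
        info.update(framing="Ethernet II", proto=ETHERTYPES.get(field, f"unknown 0x{field:04x}"))
        return info
    if field > 1500:  # 1501..1535 is neither a valid length nor a type
        info.update(framing="invalid", proto="undefined type/length value")
        return info
    payload = frame[14:14 + field]  # field is the payload length (802.3 framing)
    if len(payload) < 3:
        info.update(framing="802.3", proto="payload too short for LLC")
    elif payload[0:2] == b"\xff\xff":  # Novell "raw" 802.3: IPX with no LLC header
        info.update(framing="802.3 raw", proto="Novell IPX")
    elif payload[0:3] == b"\xaa\xaa\x03" and len(payload) >= 8:  # SNAP extension
        etype = struct.unpack("!H", payload[6:8])[0]
        name = ETHERTYPES.get(etype, f"0x{etype:04x}")
        info.update(framing="802.3 LLC/SNAP", proto=f"OUI {payload[3:6].hex()} type {name}")
    else:  # plain LLC: first byte is the destination SAP
        info.update(framing="802.3 LLC", proto=LLC_SAPS.get(payload[0], f"DSAP 0x{payload[0]:02x}"))
    return info

# Constructed sample frames (not taken from the thread's log).
PRINTSERVER = bytes.fromhex("02005e000001")  # constructed, locally administered MAC
BROADCAST = b"\xff" * 6
SAMPLES = [
    BROADCAST + PRINTSERVER + struct.pack("!H", 0x0806) + bytes(28),                # ARP
    BROADCAST + PRINTSERVER + struct.pack("!H", 34) + b"\xff\xff" + bytes(32),      # raw IPX
    BROADCAST + PRINTSERVER + struct.pack("!H", 35) + b"\xe0\xe0\x03" + bytes(32),  # LLC IPX
    BROADCAST + PRINTSERVER + struct.pack("!H", 40) + b"\xaa\xaa\x03\x00\x00\x00\x81\x37" + bytes(32),
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(classify(f))
```

Run against a capture of the logged frames, the `framing` and `proto` fields show which protocol to look for in the print server's settings.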
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    It's a LAN printserver connected via a switch.

    Well yeah for the time being I allowed all the traffic from that particular MAC (and IP range matching the LAN) since I really lack the info to restrict this further. I'll look into disabling unneeded stuff on that printserver, but no idea where to start with so it's going to be try and see if it goes away more or less.
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    With a right click on the last rule ("All other packets"), duplicate the rule, then edit it (not the last one, but the one before the last), and for "Ethernet Type" field select "Other", also change the name of the rule to differentiate it from the last one. Then, back to the ruleset list, block the packets with the Stop sign, and select the log attribute (!).
    If you disable the rule you have added to allow the MAC address (no need to remove it completely, just disable it with the tick on the left), normally the new rule (All other ethernet types) should now catch the packets that were initially blocked (your first post).

    If everything is all right (your printer working well), then you can disable the log attribute to have the packets blocked silently.

    If it doesn't work, then disable this new rule, and re-enable the MAC address based rule...

    Regards,

    Frederic
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    This ability is unique to LnS of all software firewalls I've seen.
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Very powerful and light software firewall product. :D
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, tried that and the rule didn't catch anything, I probably messed up the deny rule or it needs some different settings. Well whatever, the allow rule is fine for me. One feature suggestion I'd have would be a right-click action on a log entry which would stop further logging for that particular traffic that got logged.
     