On Jul 13, 2007, at 4:21 PM, Small, James wrote:
Dooh! That's a major bummer. Perhaps Zone Alarm then?
http://www.winpcap.org/misc/faq.htm#Q-10
"Q-10: Does WinPcap work in connection with personal firewalls?
A: We got several reports saying that WinPcap does not work well if a
personal firewall is installed on the same machine as WinPcap. The
typical problem is the impossibility to capture all or part of the
traffic from an adapter, but some users reported strange behaviors
(like some packets disappearing) on the transmit side too.
Most of the time, the problem is caused by non-standard interactions
between the firewall and the network stack of the OS, so there is not a
lot to do on our side; the suggested remedy consists in uninstalling
the firewall.
Note: uninstalling, and not disabling, because some firewalls (like
ZoneAlarm) keep having strange behaviors even when they are disabled."
http://www.winpcap.org/pipermail/winpcap-users/2005-August/000266.html
"Dear WinPcap-users,
As I wrote in my original posting, I disabled the SP2 firewall and
other security tools before playing around with raw packets.
Unfortunately, my ZoneAlarm firewall kept checking/dropping despite
being disabled. Thus, the send/receive problem below was gone as soon as
ZoneAlarm was completely uninstalled :-)
Apparently, ZoneAlarm has a NDIS intermediate driver, which is alive
all the time, even when set to state disabled... While browsing the
ZoneAlarm forums, I noticed similar complaints. E.g. the "ZA
interference even with everything is disabled" topic by clarke on
02-28-2005.
Thanks to the guys that took the time to help me out!
Tom."
How about this for a wish item - the ability to filter and/or identify
network traffic by process name/ID. Based on what I've seen from the
Sysinternals tools I believe it may be possible. What do you think?
It might be possible in some cases on some platforms. Not all traffic
received is going to a particular process, especially if you're
capturing in promiscuous mode; unless the traffic is being received by
a particular endpoint on the machine, or being sent by the machine,
you can't associate it with a particular process.
That might help identify the source of the DNS traffic. However,
running Wireshark along with TCPView:
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
might be sufficient in that case - look for the process with a UDP
endpoint with the same local and remote addresses and ports as the DNS
requests.
(Its output resembles that of netstat, probably intentionally. I
don't know whether any UN*Xes have tools such as that, i.e. either a
command-line or graphical netstat-plus-process-name - probably some do.)
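The correlation step described above (match the DNS request's local and remote address/port against the UDP endpoints a TCPView- or netstat-style listing reports, then read off the owning process) as an added example, not code from this thread or from the Wireshark or Sysinternals projects. The endpoint rows and captured packets are constructed sample data, and the five-column "process pid proto local remote" text format is a hypothetical stand-in for a TCPView export. It also handles the two cases the reply warns about: traffic that is not to or from this host at all (promiscuous-mode capture) and a port no live socket owns any more.

```python
# Added example (not from the thread): correlate captured DNS packets with a
# TCPView/netstat-style endpoint table to name the owning process, and flag
# the packets that cannot be attributed. All data below is constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Addr = Tuple[str, int]          # (ip, port); ("*", 0) means "any"
WILDCARD_IPS = {"*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Endpoint:
    process: str
    pid: int
    proto: str      # "UDP" or "TCP"
    local: Addr
    remote: Addr    # ("*", 0) for an unconnected socket


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    proto: str = "UDP"


def parse_addr(text: str) -> Addr:
    """'192.168.1.1:53' -> ('192.168.1.1', 53); '*:*' -> ('*', 0)."""
    ip, port = text.rsplit(":", 1)
    return ip, (0 if port == "*" else int(port))


def parse_endpoint_line(line: str) -> Endpoint:
    """Parse one row of the constructed (hypothetical) TCPView-like dump:
    '<process> <pid> <proto> <local ip:port> <remote ip:port>'."""
    proc, pid, proto, local, remote = line.split()
    return Endpoint(proc, int(pid), proto.upper(), parse_addr(local), parse_addr(remote))


def endpoint_matches(ep: Endpoint, local: Addr, remote: Addr, proto: str) -> bool:
    """A socket owns the flow if the local port agrees, the local ip agrees
    or is a wildcard bind, and the remote side is unconnected or identical."""
    if ep.proto != proto or ep.local[1] != local[1]:
        return False
    if ep.local[0] not in WILDCARD_IPS and ep.local[0] != local[0]:
        return False
    if ep.remote[0] in WILDCARD_IPS and ep.remote[1] == 0:
        return True
    return ep.remote == remote


def attribute(pkt: Packet, endpoints: List[Endpoint], local_ips: Set[str]) -> Optional[Endpoint]:
    """Return the endpoint that sent or will receive pkt, or None when the
    packet is not addressed to/from this host (e.g. seen only because the
    capture is promiscuous) or no socket currently owns that port (e.g. a
    short-lived resolver socket that closed before the listing was taken)."""
    if pkt.src[0] in local_ips:
        local, remote = pkt.src, pkt.dst
    elif pkt.dst[0] in local_ips:
        local, remote = pkt.dst, pkt.src
    else:
        return None
    candidates = [ep for ep in endpoints if endpoint_matches(ep, local, remote, pkt.proto)]
    # Prefer a connected socket (exact remote) over a wildcard-bound one.
    candidates.sort(key=lambda ep: ep.remote == remote, reverse=True)
    return candidates[0] if candidates else None


# Constructed endpoint listing (TCPView-like, hypothetical format).
ENDPOINT_DUMP = """\
svchost.exe 1120 UDP 192.168.1.10:51234 192.168.1.1:53
updater.exe 4120 UDP 0.0.0.0:60001 *:*
System 4 TCP 0.0.0.0:445 *:*
"""
ENDPOINTS = [parse_endpoint_line(l) for l in ENDPOINT_DUMP.splitlines() if l.strip()]
LOCAL_IPS = {"192.168.1.10"}

# Constructed DNS packets as Wireshark would show them (src -> dst).
CAPTURED = [
    Packet(("192.168.1.10", 51234), ("192.168.1.1", 53)),   # query from svchost
    Packet(("192.168.1.1", 53), ("192.168.1.10", 51234)),   # its reply
    Packet(("192.168.1.10", 60001), ("8.8.8.8", 53)),       # query from updater
    Packet(("192.168.1.20", 41000), ("192.168.1.1", 53)),   # another host's query (promiscuous)
    Packet(("192.168.1.10", 55555), ("192.168.1.1", 53)),   # port with no live socket
]


def report(packets=CAPTURED, endpoints=ENDPOINTS, local_ips=LOCAL_IPS):
    """Pair every packet with a 'process (PID n)' label or 'unattributed'."""
    rows = []
    for pkt in packets:
        ep = attribute(pkt, endpoints, local_ips)
        rows.append((pkt, f"{ep.process} (PID {ep.pid})" if ep else "unattributed"))
    return rows


if __name__ == "__main__":
    for pkt, who in report():
        print(f"{pkt.src[0]}:{pkt.src[1]} -> {pkt.dst[0]}:{pkt.dst[1]}  {who}")
```

The unattributed rows are the caveat from the reply made concrete: a query from 192.168.1.20 is only in the capture because the adapter is promiscuous, and a query from port 55555 belongs to a socket that no longer exists in the listing, which is why a snapshot tool like TCPView needs to be read at (or very near) the moment the packets are captured.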