Interesting Traces - Personal Firewall Problems


The following are two sets of traces showing first DHCP failing and then DNS queries failing. You can tell this from the repeated DHCP DISCOVERs and DNS queries. Ordinarily this wouldn't be very interesting except that you can see the DHCP server offer an address and the name server answer the query, yet the client keeps asking. OK, you say, there is a problem that prevents the responses from getting to the client. Well yes, but the traces were taken with Etherpeek on the client itself, so the responses are getting through to the client's network interface; whatever is dropping them is on the client. (Delta times are in seconds, measured from the previous packet.)

The problem was that the client system (Windows XP Home) had a personal firewall installed that blocked all incoming UDP packets destined for one of the svchost.exe processes. The user didn't recognize that the DHCP and DNS replies would go to that svchost process (on XP the DHCP Client and DNS Client services run inside svchost.exe), so he blocked all traffic to it. Luckily, he didn't block outgoing traffic from the process, or we would never have seen the requests in the first place.

Packet   Source       Destination   Delta Time  Protocol   Summary   
1      0.0.0.0        IP Broadcast              DHCP   C DISCOVER 10.111.183.75 armada
2      10.111.183.1   IP Broadcast  00.020057   DHCP   R OFFER 10.111.183.75 
3      0.0.0.0        IP Broadcast  03.984161   DHCP   C DISCOVER 10.111.183.75 armada
4      0.0.0.0        IP Broadcast  08.001517   DHCP   C DISCOVER 10.111.183.75 armada
5      10.111.183.1   IP Broadcast  00.017475   DHCP   R OFFER 10.111.183.75 
6      0.0.0.0        IP Broadcast  14.993391   DHCP   C DISCOVER 10.111.183.75 armada
7      10.111.183.1   IP Broadcast  00.018899   DHCP   R OFFER 10.111.183.75 
After changing the firewall to allow incoming UDP packets to port 68 (the DHCP client port; the server replies from port 67), we can use DHCP to get an address. Note that the client still repeats its DISCOVER once after the first OFFER, but this time it goes on to REQUEST the address and the server ACKs it.
Packet   Source       Destination   Delta Time  Protocol   Summary   
1      0.0.0.0        IP Broadcast              DHCP   C DISCOVER 10.111.183.75 armada
2      10.111.183.1   IP Broadcast  00.035034   DHCP   R OFFER 10.111.183.75 
3      0.0.0.0        IP Broadcast  02.967518   DHCP   C DISCOVER 10.111.183.75 armada
4      10.111.183.1   IP Broadcast  00.015339   DHCP   R OFFER 10.111.183.75 
5      0.0.0.0        IP Broadcast  01.206816   DHCP   C REQUEST 10.111.183.75 armada
6      10.111.183.1   IP Broadcast  00.015400   DHCP   R ACK  
Now we have the same problem with DNS on UDP port 53: each query is answered within about 20 ms, yet the client retries a second later and eventually tries its second name server (10.110.96.2) as well.
Packet   Source       Destination   Delta Time  Protocol   Summary   
1      10.111.183.75  10.110.96.5               DNS    C QUERY NAME=www.cnn.com
2      10.110.96.5    10.111.183.75 00.017760   DNS    R QUERY STATUS=OK NAME=www.cnn.com 
3      10.111.183.75  10.110.96.5   00.982493   DNS    C QUERY NAME=www.cnn.com
4      10.110.96.5    10.111.183.75 00.017610   DNS    R QUERY STATUS=OK NAME=www.cnn.com 
5      10.111.183.75  10.110.96.5   00.983689   DNS    C QUERY NAME=www.cnn.com
6      10.110.96.5    10.111.183.75 00.021240   DNS    R QUERY STATUS=OK NAME=www.cnn.com 
7      10.111.183.75  10.110.96.2   01.981631   DNS    C QUERY NAME=www.cnn.com
8      10.111.183.75  10.110.96.5   00.000173   DNS    C QUERY NAME=www.cnn.com
9      10.110.96.2    10.111.183.75 00.017870   DNS    R QUERY STATUS=OK NAME=www.cnn.com 
After changing the firewall to allow incoming UDP packets from port 53 (the name server's source port), we get DNS responses and the client stops retrying.
Packet   Source       Destination   Delta Time  Protocol   Summary   
1      10.111.183.75  10.110.96.5               DNS    C QUERY NAME=www.cnn.com
2      10.110.96.5    10.111.183.75 00.017598   DNS    R QUERY STATUS=OK NAME=www.cnn.com 
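To make the reasoning above mechanical, here is an added example, not code from the original page: a small Python analyzer that parses Etherpeek summary lines like the ones above and reports whether a failing DHCP or DNS exchange looks like a host-side filter (replies captured on the client but retried anyway) or an upstream problem (no replies on the wire at all). The function names, the Verdict record and the diagnosis wording are this example's own choices; the trace lines embedded as sample input are copied from this page (the DNS capture abridged to its first four packets).

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# One Etherpeek summary line as printed on this page; the delta-time column is
# blank on the first packet, and the column-header line simply fails to match.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<src>\S+)\s+(?P<dst>IP Broadcast|\S+)\s+"
    r"(?:(?P<delta>\d+\.\d+)\s+)?(?P<proto>DHCP|DNS)\s+(?P<dir>[CR])\s+"
    r"(?P<msg>\S+)\s*(?P<rest>.*?)\s*$")

# direction is C (client request) or R (server reply); delta is in seconds.
Packet = namedtuple("Packet", "num src dst delta proto direction msg rest")

@dataclass
class Verdict:
    proto: str
    requests: int = 0
    responses: int = 0
    ignored: int = 0           # replies the client retried straight past
    lease_acked: bool = False  # DHCP only: an ACK was seen
    diagnosis: str = ""

def parse(trace):
    """Summary text -> list of Packet, skipping lines that are not packets."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, trace.splitlines())):
        pkts.append(Packet(int(m["num"]), m["src"], m["dst"], float(m["delta"] or 0),
                           m["proto"], m["dir"], m["msg"], m["rest"]))
    return pkts

def _dns_name(p):
    m = re.search(r"NAME=(\S+)", p.rest)
    return m.group(1) if m else None

def retries_after_reply(req, reply):
    """True if req repeats a request that reply had already answered."""
    if req.proto != reply.proto:
        return False
    if req.proto == "DHCP":   # after OFFER the client should REQUEST, after ACK stop
        return (reply.msg, req.msg) in {("OFFER", "DISCOVER"), ("ACK", "REQUEST")}
    return _dns_name(req) is not None and _dns_name(req) == _dns_name(reply)

def analyze(trace):
    """Walk the capture in order, counting replies the client did not act on."""
    pkts = parse(trace)
    v = Verdict(proto=pkts[0].proto if pkts else "?")
    last_reply = None
    for p in pkts:
        if p.direction == "R":
            v.responses += 1
            last_reply = p
            v.lease_acked |= (p.proto == "DHCP" and p.msg == "ACK")
        else:
            v.requests += 1
            if last_reply is not None and retries_after_reply(p, last_reply):
                v.ignored += 1
            last_reply = None
    v.diagnosis = diagnose(v)
    return v

def diagnose(v):
    if v.responses == 0:
        return "no replies on the wire: look upstream (server, relay, network)"
    if v.proto == "DHCP":
        # The working capture on this page still re-DISCOVERs once after an OFFER,
        # so a lone repeat proves nothing; a filter shows as never reaching ACK.
        if v.lease_acked:
            return "healthy: lease acknowledged"
        return "offers captured but never acted on: host-side filter on UDP to port 68"
    if v.ignored == 0:
        return "healthy: answer accepted"
    return "answers captured but re-queried: host-side filter on UDP from port 53"

# Trace lines copied from this page (DNS capture abridged to its first four packets).
DHCP_BLOCKED = """\
1      0.0.0.0        IP Broadcast              DHCP   C DISCOVER 10.111.183.75 armada
2      10.111.183.1   IP Broadcast  00.020057   DHCP   R OFFER 10.111.183.75
3      0.0.0.0        IP Broadcast  03.984161   DHCP   C DISCOVER 10.111.183.75 armada
4      0.0.0.0        IP Broadcast  08.001517   DHCP   C DISCOVER 10.111.183.75 armada
5      10.111.183.1   IP Broadcast  00.017475   DHCP   R OFFER 10.111.183.75
6      0.0.0.0        IP Broadcast  14.993391   DHCP   C DISCOVER 10.111.183.75 armada
7      10.111.183.1   IP Broadcast  00.018899   DHCP   R OFFER 10.111.183.75
"""
DHCP_OK = """\
1      0.0.0.0        IP Broadcast              DHCP   C DISCOVER 10.111.183.75 armada
2      10.111.183.1   IP Broadcast  00.035034   DHCP   R OFFER 10.111.183.75
3      0.0.0.0        IP Broadcast  02.967518   DHCP   C DISCOVER 10.111.183.75 armada
4      10.111.183.1   IP Broadcast  00.015339   DHCP   R OFFER 10.111.183.75
5      0.0.0.0        IP Broadcast  01.206816   DHCP   C REQUEST 10.111.183.75 armada
6      10.111.183.1   IP Broadcast  00.015400   DHCP   R ACK
"""
DNS_BLOCKED = """\
1      10.111.183.75  10.110.96.5               DNS    C QUERY NAME=www.cnn.com
2      10.110.96.5    10.111.183.75 00.017760   DNS    R QUERY STATUS=OK NAME=www.cnn.com
3      10.111.183.75  10.110.96.5   00.982493   DNS    C QUERY NAME=www.cnn.com
4      10.110.96.5    10.111.183.75 00.017610   DNS    R QUERY STATUS=OK NAME=www.cnn.com
"""

if __name__ == "__main__":
    for name, trace in (("DHCP blocked", DHCP_BLOCKED), ("DHCP ok", DHCP_OK), ("DNS blocked", DNS_BLOCKED)):
        print(f"{name}: {analyze(trace).diagnosis}")
```

The point of the ordering check is the one the traces make: a reply that is captured on the client and then followed by the very same request is a reply the stack never delivered, and that pattern is what separates a local filter from a silent server, where the capture would show no replies at all. The DHCP rule deliberately keys on never reaching ACK rather than on a single repeated DISCOVER, because the working capture above shows one such repeat even when everything is fine.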
Note that while in this case the user had a personal firewall, the same thing (and the same traces) can happen under Microsoft Windows 2000/XP/2003 if the user uses the TCP/IP Filtering setting on the Options tab of the Advanced TCP/IP Settings dialog box to filter all UDP traffic.

This page was last modified on 03-11-25
Send comments and suggestions to ndav1@cox.net