/ Forside / Teknologi / Internet / Sikkerhed / Nyhedsindlæg
Login
Glemt dit kodeord?
Brugernavn

Kodeord


Reklame
Top 10 brugere
Sikkerhed
#NavnPoint
stl_s 37026
arlet 26827
miritdk 20260
o.v.n. 12167
als 8951
refi 8694
tedd 8272
BjarneD 7338
Klaudi 7257
10  molokyle 6481
firewall - Win NT logon ?
Fra : Brian k


Dato : 27-11-04 14:05

Hej

Nogen der kan forklare denne advarsel fra Sygate Firewall:

File Version : 5.1.2600.2180
File Description : Windows NT-logonprogram (winlogon.exe)
File Path : C:\WINDOWS\system32\winlogon.exe
Process ID : 0x22C (Heximal) 556 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 10.0.0.2
ICMP Type : 11 (Time Exceeded for Datagram)
ICMP Code : 1 (Fragment Reassembly Timer Expired - from host)
Remote Name :
Remote Address : 63.205.196.187

Ethernet packet details:
Ethernet II (Packet Length: 84)
Destination: 00-02-4b-df-6b-b3
Source: 00-10-5a-0f-87-3c
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x819f (Correct)
Source: 10.0.0.2
Destination: 63.205.196.187
Internet Control Message Protocol
Type: 11 (Time Exceeded for Datagram)
Code: 1 (Fragment Reassembly Timer Expired - from host)
Data (32 bytes)

Binary dump of the packet:
0000: 00 02 4B DF 6B B3 00 10 : 5A 0F 87 3C 08 00 45 00 | ..K.k...Z..<..E.
0010: 00 38 8C B9 00 00 80 01 : 9F 81 0A 00 00 02 3F CD | .8............?.
0020: C4 BB 0B 01 23 DE 00 00 : 00 00 45 00 05 D4 20 AF | ....#.....E... .
0030: 20 00 6E 06 F7 EA 3F CD : C4 BB 0A 00 00 02 10 5B | .n...?........[
0040: C4 1D 69 38 93 6F B8 6B : 20 6B 70 84 32 36 BB 9D | ..i8.o.k kp.26..
0050: 18 E3 5D D6 : | ..].
Og lige bagefter kom denne:

File Version : 5.1.2600.2180
File Description : Tjenester og controllerprogrammer (services.exe)
File Path : C:\WINDOWS\system32\services.exe
Process ID : 0x258 (Heximal) 600 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 10.0.0.2
ICMP Type : 11 (Time Exceeded for Datagram)
ICMP Code : 1 (Fragment Reassembly Timer Expired - from host)
Remote Name :
Remote Address : 63.205.196.187

Ethernet packet details:
Ethernet II (Packet Length: 84)
Destination: 00-02-4b-df-6b-b3
Source: 00-10-5a-0f-87-3c
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0xf75e (Correct)
Source: 10.0.0.2
Destination: 63.205.196.187
Internet Control Message Protocol
Type: 11 (Time Exceeded for Datagram)
Code: 1 (Fragment Reassembly Timer Expired - from host)
Data (32 bytes)

Binary dump of the packet:
0000: 00 02 4B DF 6B B3 00 10 : 5A 0F 87 3C 08 00 45 00 | ..K.k...Z..<..E.
0010: 00 38 CD 43 00 00 80 01 : 5E F7 0A 00 00 02 3F CD | .8.C....^.....?.
0020: C4 BB 0B 01 0F 06 00 00 : 00 00 45 00 05 D4 29 66 | ..........E...)f
0030: 20 00 6E 06 EF 33 3F CD : C4 BB 0A 00 00 02 0D DD | .n..3?.........
0040: C4 1D 42 1B D1 E2 EE 5D : 40 07 48 09 40 D6 23 96 | ..B....]@.H.@.#.
0050: 7A D3 9A 19 : | z...


Jeg sagde naturligvis nej til begge.



 
 
Lars Møller (29-11-2004)
Kommentar
Fra : Lars Møller


Dato : 29-11-04 08:55

Brian k skrev:
> Hej
>
> Nogen der kan forklare denne advarsel fra Sygate Firewall:
>
> File Version : 5.1.2600.2180
> File Description : Windows NT-logonprogram (winlogon.exe)
> File Path : C:\WINDOWS\system32\winlogon.exe
> Process ID : 0x22C (Heximal) 556 (Decimal)
>
> Connection origin : local initiated
> Protocol : ICMP
> Local Address : 10.0.0.2
> ICMP Type : 11 (Time Exceeded for Datagram)
> ICMP Code : 1 (Fragment Reassembly Timer Expired - from host)
> Remote Name :
> Remote Address : 63.205.196.187

Ja. 63.205.196.187 har modtaget en strøm af fragmenterede IP-pakker fra
dig, hvor en af dem er gået tabt. Derfor kan den ikke sætte dem sammen igen.

Applikationen vil typisk reagere ved at gensende, men da du nu har
blokeret for denne, så gør den ikke det.

Hvorfor så Winlogon sender er pakke til:

[Querying whois.arin.net]
[whois.arin.net]
Pac Bell Internet Services PBI-NET-7 (NET-63-192-0-0-1)
63.192.0.0 - 63.207.255.255
SCRM01 ADSL Rback5 PPPoX SBCIS-100426-101541 (NET-63-205-196-0-1)
63.205.196.0 - 63.205.199.255

# ARIN WHOIS database, last updated 2004-11-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Er et godt spørgsmål. Måske skulle din softwarefirewall have blokeret
for den meddelelse det lå forud for denne.

Med venlig hilsen

Lars P. Møller

--
http://www.sikker-it.dk






Søg
Reklame
Statistik
Spørgsmål : 177577
Tips : 31968
Nyheder : 719565
Indlæg : 6409068
Brugere : 218888

Månedens bedste
Årets bedste
Sidste års bedste