classicmanpro
Veteran

Experientia docet!
« on: December 26, 2009, 02:52:39 PM »
Hi all... Over the holidays I got myself a Nokia N97 replica, dual SIM with WiFi and TV, which I intend to use as a test platform for Java applications. The phone works as I expected: WiFi connectivity (Opera Mini 4.x, Opera Mini 5 Beta), radio and TV, support for Java applications ... but it has one small problem, if I can call it a problem...
When I connect it to a network, all the XP machines on that network get a BSOD and their network driver fails. Folks, those XP machines run BitDefender/KIS and they drop like flies after you've sprayed FLIT.
Does anyone have any idea why this happens? I mean, I doubt there are Cisco-certified gnomes living inside it who know how to hack...
PS: Unfortunately there are no free hotspots in Sinaia for me to run more tests. I'll try to see whether NetBSD or Slack has this problem.
« Last Edit: December 26, 2009, 05:40:40 PM by classicmanpro »

gheorghe
Veteran
« Reply #1 on: December 26, 2009, 03:44:25 PM »
Shit happens. Do they all have the same network driver? Maybe take a capture with wireshark/tcpdump. The antivirus is irrelevant, since it probably crashes before the data even reaches it.
« Last Edit: December 26, 2009, 03:48:43 PM by gheorghe »

classicmanpro
« Reply #2 on: December 26, 2009, 05:15:30 PM »
This is the error that shows up on all of them ... with small differences in the memory addresses. Given that I'm not thrilled by BSODs, I avoided triggering the error again, but I think the screenshot is relevant enough. NDIS.sys is what fails.
« Last Edit: December 26, 2009, 05:40:12 PM by classicmanpro »

gheorghe
« Reply #3 on: December 26, 2009, 05:52:04 PM »
Interesting. Well, when you have time, put a Linux box or something on the network and run
tcpdump -s 1500 -w out.cap -i eth0
while you do that. Then you can analyze the capture with wireshark. If you can, see whether it also happens with other wireless routers/APs or only with that one.
P.S. Also check dmesg on Linux after you do this; some errors from the network driver might show up.
« Last Edit: December 26, 2009, 06:10:33 PM by gheorghe »

~Empathy~
Veteran
Decadence is Bliss...
« Reply #4 on: December 27, 2009, 02:52:34 AM »
The picture of the BSOD is irrelevant. Running with Driver Verifier, and an !analyze -v on the dump, or the minidump itself, could be relevant.

classicmanpro
« Reply #5 on: December 27, 2009, 12:29:24 PM »
I enabled arpwatch and it gave the message below:
Dec 27 12:05:40 classicmanpro arpwatch: bogon 0.0.0.0 *:*:*:*:*:*
Dec 27 12:05:43 classicmanpro last message repeated 6 times
Dec 27 12:05:44 classicmanpro arpwatch: bogon 192.168.1.120 *:*:*:*:*:*
PS: I'll come back with tcpdump too, but first I need to learn how to use it.
« Last Edit: December 27, 2009, 12:31:22 PM by classicmanpro »

classicmanpro
« Reply #6 on: December 27, 2009, 12:58:07 PM »
I set tcpdump to log, then started browsing LinuxSoft.ro, and here is the result:
12:40:37.175967 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:37.965439 IP example.com.64946 > 192.168.1.254.domain: 34821+ PTR? 110.1.168.192.in-addr.arpa. (44)
12:40:38.169381 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:38.318496 IP 192.168.1.254.domain > example.com.64946: 34821 NXDomain 0/1/0 (121)
12:40:38.318976 IP example.com.64945 > 192.168.1.254.domain: 34822+ PTR? 254.1.168.192.in-addr.arpa. (44)
12:40:38.684637 IP 192.168.1.254.domain > example.com.64945: 34822 NXDomain 0/1/0 (121)
12:40:39.169393 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:40.600944 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:41.599378 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:42.599423 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:43.309367 arp who-has example.com tell 192.168.1.254
12:40:43.309405 arp reply example.com is-at *:*:*:*:*:* (oui Unknown)
12:40:45.130263 IP example.com.ntp > cro.opti.ro.ntp: NTPv4, Client, length 48
12:40:45.142141 IP cro.opti.ro.ntp > example.com.ntp: NTPv4, Server, length 48
12:40:45.679524 IP example.com.64944 > 192.168.1.254.domain: 34823+ PTR? 126.60.33.89.in-addr.arpa. (43)
12:40:46.042114 IP 192.168.1.254.domain > example.com.64944: 34823 1/0/0 (68)
12:40:52.130256 IP example.com.ntp > mail.madnet.ro.ntp: NTPv4, Client, length 48
12:40:52.174907 IP mail.madnet.ro.ntp > example.com.ntp: NTPv4, Server, length 48
12:40:53.039449 IP example.com.64943 > 192.168.1.254.domain: 34824+ PTR? 253.87.181.81.in-addr.arpa. (44)
12:40:53.485065 IP 192.168.1.254.domain > example.com.64943: 34824 1/0/0 (72)
12:40:58.563928 arp who-has 192.168.1.110 tell 192.168.1.254
12:40:59.559529 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:00.559540 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:15.092481 IP global-4-lvs-seele.opera-mini.net.socks > 192.168.1.120.49947: . ack 3809886989 win 90 <nop,nop,timestamp 1572238926 34265543>
12:41:15.479363 IP example.com.64942 > 192.168.1.254.domain: 34825+ PTR? 120.1.168.192.in-addr.arpa. (44)
12:41:15.914020 IP 192.168.1.254.domain > example.com.64942: 34825 NXDomain 0/1/0 (121)
12:41:15.914455 IP example.com.64941 > 192.168.1.254.domain: 34826+ PTR? 253.242.239.80.in-addr.arpa. (45)
12:41:16.388098 IP 192.168.1.254.domain > example.com.64941: 34826 1/0/0 (92)
12:41:20.089646 arp who-has 192.168.1.120 tell 192.168.1.254
12:41:30.655519 arp who-has 0.0.0.0 tell 0.0.0.0
12:41:30.877567 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from *:*:*:*:*:* (oui Unknown), length 269
12:41:30.878691 IP 192.168.1.254.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 548
12:41:31.379231 IP example.com.64940 > 192.168.1.254.domain: 34827+ PTR? 0.0.0.0.in-addr.arpa. (38)
12:41:31.617946 IP 192.168.1.254.domain > example.com.64940: 34827 NXDomain 0/1/0 (105)
12:41:31.618354 IP example.com.64939 > 192.168.1.254.domain: 34828+ PTR? 255.255.255.255.in-addr.arpa. (46)
12:41:31.846649 IP 192.168.1.254.domain > example.com.64939: 34828 NXDomain 0/1/0 (113)
12:41:33.871741 arp who-has 192.168.1.254 (Broadcast) tell 0.0.0.0
12:41:33.873107 arp who-has 192.168.1.254 (Broadcast) tell 0.0.0.0
12:41:33.875304 arp who-has 192.168.1.254 (Broadcast) tell 0.0.0.0
12:41:33.875356 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from *:*:*:*:*:* (oui Unknown), length 281
12:41:33.876380 IP 192.168.1.254.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 548
12:41:33.887235 arp who-has 192.168.1.120 (Broadcast) tell 0.0.0.0
12:41:33.887242 arp who-has 192.168.1.120 (Broadcast) tell 0.0.0.0
12:41:33.888071 arp who-has 192.168.1.120 (Broadcast) tell 0.0.0.0
12:41:34.389116 arp who-has 192.168.1.120 (Broadcast) tell 192.168.1.120
12:41:34.390684 IP 192.168.1.120 > 255.255.255.255: icmp
12:41:35.786304 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:36.609761 arp who-has example.com tell 192.168.1.254
12:41:36.609803 arp reply example.com is-at *:*:*:*:*:* (oui Unknown)
12:41:36.779756 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:37.385491 IP 192.168.1.120 > 255.255.255.255: icmp
12:41:37.779741 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:40.375107 IP 192.168.1.120 > 255.255.255.255: icmp
12:41:41.129978 IP example.com.ntp > ntp2.usv.ro.ntp: NTPv4, Client, length 48
12:41:41.149489 IP ntp2.usv.ro.ntp > example.com.ntp: NTPv4, Server, length 48
12:41:41.839205 IP example.com.64938 > 192.168.1.254.domain: 34829+ PTR? 252.120.96.80.in-addr.arpa. (44)
12:41:42.240063 IP 192.168.1.254.domain > example.com.64938: 34829 1/0/0 (69)
12:41:43.364485 IP 192.168.1.120 > 255.255.255.255: icmp
12:41:44.874453 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:45.869831 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:46.869828 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:48.782273 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:49.779826 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:50.779897 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:53.317657 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:54.309854 arp who-has 192.168.1.110 tell 192.168.1.254
12:41:55.309855 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:00.793009 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:01.789905 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:02.789904 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:03.070686 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 308
12:42:03.180470 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 308
12:42:03.239055 IP example.com.64937 > 192.168.1.254.domain: 34830+ PTR? 250.255.255.239.in-addr.arpa. (46)
12:42:03.290471 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:03.400533 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:03.510505 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 380
12:42:03.606471 IP 192.168.1.254.domain > example.com.64937: 34830 NXDomain 0/1/0 (103)
12:42:03.620489 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 380
12:42:03.733946 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 362
12:42:03.801562 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:03.850494 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 362
12:42:03.966567 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:04.080485 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:04.190491 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 356
12:42:04.300498 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 356
12:42:04.413683 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 388
12:42:04.520498 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 388
12:42:04.636020 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:04.740513 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 317
12:42:04.799922 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:04.850533 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 376
12:42:04.960979 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 376
12:42:05.073806 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 370
12:42:05.180505 IP 192.168.1.254.av-emb-config > 239.255.255.250.ssdp: UDP, length 370
12:42:05.799970 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:08.197418 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:09.189954 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:10.189976 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:11.191331 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:12.189976 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:13.189971 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:15.292933 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:16.289993 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:17.289997 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:19.703624 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:20.700026 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:21.700097 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:25.564159 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:26.560108 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:27.560106 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:29.887216 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:30.880091 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:31.880099 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:33.685260 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:34.680117 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:35.680125 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:36.892329 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:37.890137 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:38.890144 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:40.340346 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:41.340156 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:42.350227 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:46.308219 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:47.300196 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:48.300210 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:55.129583 IP example.com.ntp > cro.opti.ro.ntp: NTPv4, Client, length 48
12:42:55.140357 IP cro.opti.ro.ntp > example.com.ntp: NTPv4, Server, length 48
12:42:56.944785 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:57.940269 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:58.940273 arp who-has 192.168.1.110 tell 192.168.1.254
12:42:59.942792 arp who-has 192.168.1.110 tell 192.168.1.254
12:43:00.129527 IP example.com.ntp > mail.madnet.ro.ntp: NTPv4, Client, length 48
12:43:00.174591 IP mail.madnet.ro.ntp > example.com.ntp: NTPv4, Server, length 48
12:43:00.940287 arp who-has 192.168.1.110 tell 192.168.1.254
12:43:01.940289 arp who-has 192.168.1.110 tell 192.168.1.254
12:43:05.942644 arp who-has 192.168.1.110 tell 192.168.1.254
12:43:06.940326 arp who-has 192.168.1.110 tell 192.168.1.254
@~Empathy~ On Windows I have no chance of doing anything. I think this was made by Torvalds...
« Last Edit: December 27, 2009, 01:12:45 PM by classicmanpro »

~Empathy~
« Reply #7 on: December 27, 2009, 01:12:54 PM »
What do you mean you have no chance of doing anything?

classicmanpro
« Reply #8 on: December 27, 2009, 01:16:51 PM »
I ran the test above on NetBSD ... XP gives a BSOD as soon as I connect the phone to the net.

~Empathy~
« Reply #9 on: December 27, 2009, 02:53:48 PM »
What does that have to do with what I said? I said to run verifier.exe (on XP) and post the output of !analyze -v in WinDbg or Kd after the bugcheck. Alternatively, you can post the minidump from %WINDIR%\Minidump directly.

gheorghe
« Reply #10 on: December 27, 2009, 04:05:19 PM »
Classicmanpro, I gave you the exact syntax; you just need to run that command, then take the output and load it into wireshark, where you can filter the output so you no longer see all the junk, and wireshark itself may even tell you when it sees a frame that isn't quite healthy. You want to capture the whole frame, not just the header, which is what tcpdump shows you by default.
Anyway, it's pretty clear that this is a layer 2 problem that affects either the network card's hardware, or its driver, or a combination of the two.
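
The workflow described in the reply above (capture whole frames to out.cap, then look for frames that are "not quite healthy"), sketched as an added example that is not code from the thread: it reads a classic libpcap file and lists ARP frames that were cut by the snaplen, carry unexpected header fields, or come from sender 0.0.0.0. The sample capture and its MAC addresses are constructed, and the checks are assumptions about what is worth flagging, not a diagnosis of this crash.

```python
import socket
import struct

def pcap_records(data):
    """Yield (orig_len, frame) for each record of a classic libpcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield orig, data[off + 16:off + 16 + incl]
        off += 16 + incl

def check_arp(orig_len, frame):
    """Findings for one Ethernet frame; [] if it is not ARP or looks normal."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x06":
        return []
    notes = ["truncated by snaplen"] if len(frame) < orig_len else []
    arp = frame[14:]
    if len(arp) < 28:
        return notes + ["ARP payload shorter than 28 bytes"]
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return notes + [f"unexpected ARP header: hlen={hlen} plen={plen}"]
    sha, spa, tpa = arp[8:14], arp[14:18], arp[24:28]
    if sha != frame[6:12]:
        notes.append("ARP sender MAC differs from Ethernet source MAC")
    if spa == b"\0\0\0\0":                      # sender arpwatch reported as "bogon 0.0.0.0"
        notes.append(f"who-has {socket.inet_ntoa(tpa)} tell 0.0.0.0")
    return notes

def scan(data):
    """Return [(frame_number, findings)] for frames that produced findings."""
    checked = ((n, check_arp(o, f)) for n, (o, f) in enumerate(pcap_records(data), 1))
    return [(n, notes) for n, notes in checked if notes]

def sample_capture():
    """Constructed three-frame capture with made-up MACs (not the thread's traffic)."""
    def arp(src, spa, tpa, hlen=6):
        eth = b"\xff" * 6 + src + b"\x08\x06"
        hdr = struct.pack("!HHBBH", 1, 0x0800, hlen, 4, 1)
        return eth + hdr + src + socket.inet_aton(spa) + b"\0" * 6 + socket.inet_aton(tpa)
    gw, phone = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [arp(gw, "192.168.1.254", "192.168.1.110"),
              arp(phone, "0.0.0.0", "0.0.0.0"),
              arp(phone, "0.0.0.0", "192.168.1.120", hlen=8)]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 1500, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(scan(sample_capture()))
```

A request of the form "who-has X tell 0.0.0.0" is also what an ordinary ARP probe (RFC 5227) looks like, so a hit points at a frame worth opening in Wireshark rather than proving a fault.
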

classicmanpro
« Reply #11 on: December 27, 2009, 05:50:30 PM »
@ gheorghe WireShark has kept causing me problems in the past. Either the system would freeze, or it would restart, and ... to top it all off ... BitDefender keeps detecting it as a trojan/virus. I'd rather look for an alternative on NetBSD ... I'm sure I'll find something in the package collection.
@ ~Empathy~ I announced to the people on the LAN (the WoW players) that I'm running tests, then "generated" a BSOD/MiniDump. I'll install "Debugging Tools for Windows" tonight and come back with the results you asked for.
... I do have a question though ... Theoretically, if I were to connect it "directly" to the net ... can this anomaly happen in the provider's network?
« Last Edit: December 27, 2009, 05:55:07 PM by classicmanpro »

gheorghe
« Reply #12 on: December 27, 2009, 09:21:36 PM »
But you don't use wireshark to capture packets; you use it only to view the capture made with tcpdump. I don't know of any better program.
This anomaly could only work within a VLAN; it could affect your provider as well, depending on the switch.

classicmanpro
« Reply #13 on: December 27, 2009, 09:44:45 PM »
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: ba5d1858, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 00000008

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!NdisReturnPackets+48
ba5d1858 8b7308 mov esi,dword ptr [ebx+8]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from b98987f3 to ba5d1858

STACK_TEXT:
ba421d24 b98987f3 ba421d40 00000001 ba421d5c NDIS!NdisReturnPackets+0x48
WARNING: Stack unwind information not available. Following frames may be wrong.
ba421d34 b989eab9 8fa04dd8 89fbb9b8 806595c8 bdfndisf+0x17f3
ba421d5c b989eca7 88d8f778 00000001 d1f03534 bdfndisf+0x7ab9
ba421d80 b989a1d6 00000000 8a428910 00000000 bdfndisf+0x7ca7
ba421dac 805cff72 00000000 00000000 00000000 bdfndisf+0x31d6
ba421ddc 805460ee b989a188 00000000 00000000 nt!IopQueryReconfiguration+0x25
ba421df8 00000000 00000000 00000000 00001f80 nt!ExpRemovePoolTracker+0x7b

STACK_COMMAND: kb

FOLLOWUP_IP:
bdfndisf+17f3
b98987f3 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: bdfndisf+17f3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: bdfndisf

IMAGE_NAME: bdfndisf.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a853cdc

FAILURE_BUCKET_ID: 0xD1_bdfndisf+17f3

BUCKET_ID: 0xD1_bdfndisf+17f3

Followup: MachineOwner
---------

gheorghe
« Reply #14 on: December 27, 2009, 10:43:08 PM »
Hmm, and still, what network card and what driver is this?