I used Comodo with ADSL at home without any problems. Yesterday I changed my ISP which is a LAN connection. Since then the tray icon changed to a red arrow (outgoing traffic I believe) and stays like that all the time, although there are no packets sent or received. The log is being updated with 3-4 entries every second similar to:
These IP addresses are probably from the other people on the network (people that live in the same street), but I do not want to be visible to them.
Is this normal? I have a rule which blocks all “System” In/Out traffic. Should I enable it? Or should I disable some service … ?
How can I stop these constant connection attempts? :-\
The best thing to do is provide us with a little more detail please. That way we can provide you with a better answer. So, to that end, I’d appreciate it if you would post a section from your Logs that includes the rogue packets.
Here’s how if you’re not sure:
Open Logs and right click anywhere in the window.
From the context menu, select “Clear all Logs”
Make sure the packets described above reappear
Then right click, select ‘Export to HTML’
Zip the file up and post it here as an attachment.
That’s from additional options on the post screen.
Hmm, I’m not sure how it works. As far as I know there is a “switch” and everyone in the area is connected to it. They call it internet via LAN over here.
Essentially, you and your neighbours are on a LAN, which in turn is connected to the Internet via your ISP.
The reason you’re seeing the NetBIOS communications is a direct cause of being attached to the LAN.
From the Log you attached, I see two entries reoccurring:
nbdgram(138) UDP IN
nbname(137) UDP IN
Both of these are IN entries; there appear to be no OUT entries. Both are being denied access, so CFP is doing its job.
Just so that you know:
nbdgram - NetBIOS Datagram Service
This is used to send messages between PCs on the same Network.
nbname - NetBIOS Name Service
This is used for a variety of reasons, but essentially it’s used by PCs on a network to announce their availability and also to announce when they are removed.
The first thing to do is make sure NetBIOS is disabled on your network adapter:
Open your Network Connections and right click the LAN adapter
Select Properties from the context menu
In the new window, select Internet Protocol (TCP/IP)
Select Properties
Select Advanced
Select The WINS Tab
Check the radio button for Disable NetBIOS over TCP/IP
Select OK and finish.
Let’s see where that takes us.
By the way, do you have your own personal LAN or just a single PC?
Done. Now there is nothing in the log file. But the tray icon still shows the red arrow all the time. A possible workaround is to disable the tray animation, of course.
I'm a little curious about the tray icon, I've never actually seen it do that! It does seem indicative of traffic flow, but you say there is no activity on the connection?
No it's a single PC
Ok, that makes it easy. If you'd had a LAN we may have needed to set up a trusted Zone, but with a single PC, there should be no need.
If NetBIOS is disabled on your LAN adapter, then you should be invisible (NetBIOS wise) on the LAN.
There is no activity on the connection. Maybe it would be easier if I posted some screenshots.
Screenshot 1 & 2 are from the main CPF window shortly after starting the computer - here sometimes "System" appears for a brief moment and then disappears.
Screenshot 3 is the tray icon
I would expect there to be a small amount of activity directly after booting. If for no other reason, than to acquire an IP Address. That process uses svchost.exe, has services.exe as the parent, and uses UDP.
I have a feeling the information in the summary screen, is more an historical/statistical record of activity, rather than an accurate portrayal of what’s happening in real time.
Does the tray icon change when you do have ‘real’ activity?
It does, it shows a green and a red arrow. I see the shield (i.e. no activity) only when I set the Security Level to Block All. Once again - I did not have this problem with ADSL last month. It started with my new ISP and I find it very strange, because I don’t know the reason for that.
So, in essence, cfp believes there is traffic on the network, all of the time, unless you specifically block all. Yet you see nothing in the connections/logs to indicate any kind of activity?
Exactly. On the other hand in Task Manager, Networking tab → Network utilization column always shows a bit of activity like 0.01% (was 0.08% before I disabled NetBIOS)… I’m at work now and here it’s exactly 0% (unless I’m browsing the internet of course). I’ll ask at my ISP’s forum, maybe they know what’s going on.
Ok here we go. After running some programs and reading the forums/Internet for two days, this is what I know:
It seems that the activity is caused (mostly) by ARP requests. ARP stands for “Address Resolution Protocol” and basically means that computers on a network “talk to each other”. I get thousands of those every minute which is (according to the Internet) normal on a LAN network - hence the constant activity. DU meter shows me a constant “download speed” of 10 - 20 k/s, up to 120 k/s for brief periods of time. I’m not sure if this has any impact on download speeds though. I guess the best thing is to disable the tray icon animation for now …
I find that a little strange. Basically ARP is used for resolving an IP Address to a MAC address (the address of your network adapter). You can see the arp cache by typing arp -a from a command prompt.
Once an IP address has been resolved, it’s stored in the cache; this negates the need for constant lookups. So unless the clients on the LAN are constantly changing, you shouldn’t really see a great deal of activity.
I also find it a tad strange that cfp ‘sees’ the traffic, hence the arrow in the tray icon, but doesn’t report anything in the logs. I need to investigate that further.
Well I get between 5000 and 30000 ARPs every minute. At least that’s what MS Network Monitor and Wireshark tell me. There are other entries as well, but I don’t know their meaning. It’s mostly ARP though.
(I can attach a logfile if you’re interested.)
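The two kinds of traffic identified in this thread, the inbound NetBIOS datagrams to UDP 137/138 and the ARP requests, can be told apart at the frame level, along with which host sends the ARP requests and for how many distinct addresses. This is an added Python example, not part of any post in the thread; the function names, the MAC address and the 10.0.0.x frames are constructed for illustration, and reading frames out of a real capture file is assumed to happen elsewhere.

```python
import struct
from collections import Counter, defaultdict
from socket import inet_aton, inet_ntoa as ip

ARP, IPV4, UDP = 0x0806, 0x0800, 17          # EtherTypes and the IP protocol number
NETBIOS = {137: "nbname", 138: "nbdgram"}    # the two ports in the posted log

def classify(frame):
    """Return (kind, sender_ip, target_ip) for one raw Ethernet II frame."""
    if len(frame) < 14:
        return ("truncated", None, None)
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ARP and len(body) >= 28:
        oper = struct.unpack("!H", body[6:8])[0]   # 1 = request, anything else counted as reply
        kind = "arp-request" if oper == 1 else "arp-reply"
        return (kind, ip(body[14:18]), ip(body[24:28]))
    if ethertype == IPV4 and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4                 # IP header length in bytes
        if body[9] == UDP and len(body) >= ihl + 8:
            dport = struct.unpack("!H", body[ihl + 2:ihl + 4])[0]
            return (NETBIOS.get(dport, "udp-other"), ip(body[12:16]), ip(body[16:20]))
    return ("other", None, None)

def summarize(frames):
    """Count frames per kind, and per ARP requester the distinct IPs it asked for."""
    kinds, asked = Counter(), defaultdict(set)
    for frame in frames:
        kind, src, dst = classify(frame)
        kinds[kind] += 1
        if kind == "arp-request":
            asked[src].add(dst)
    return kinds, {src: len(targets) for src, targets in asked.items()}

# --- constructed sample frames (not from the thread's capture; checksums left 0) ---
MAC = bytes.fromhex("020000000001")
def _eth(ethertype, payload):
    return b"\xff" * 6 + MAC + struct.pack("!H", ethertype) + payload
def _arp(oper, spa, tpa):
    return _eth(ARP, struct.pack("!HHBBH6s4s6s4s", 1, IPV4, 6, 4, oper, MAC,
                                 inet_aton(spa), b"\0" * 6, inet_aton(tpa)))
def _udp(src, dst, dport):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP, 0,
                      inet_aton(src), inet_aton(dst))
    return _eth(IPV4, hdr + struct.pack("!HHHH", dport, dport, 8, 0))
SAMPLE = ([_arp(1, "10.0.0.7", f"10.0.0.{n}") for n in range(1, 6)]
          + [_arp(1, "10.0.0.9", "10.0.0.1"), _arp(2, "10.0.0.1", "10.0.0.9"),
             _udp("10.0.0.7", "10.0.0.255", 137), _udp("10.0.0.7", "10.0.0.255", 138)])
if __name__ == "__main__":
    print(*summarize(SAMPLE))
```

ARP frames carry no IP header and no port numbers, so they are classified by EtherType alone, while the NetBIOS entries are ordinary UDP datagrams identified by destination port.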