eMule (Kademlia connection) search problem with "Network Monitor"

With the “Network Monitor” turned on, searches through the Kademlia network give only 25 results.
With the “Network Monitor” turned off, searches through the Kademlia network give 300 results (the maximum allowed by eMule).

The latest beta has the same problem as the official version for searches through KAD.

Another thing that may have something to do with this problem is the difficulty of downloading an image over the internet. When I open an image at the forum with the Opera browser, the image is sometimes half-loaded and I have to press the refresh button to load it completely.

Do these two facts mean that some data gets lost or becomes corrupted when the “Network Monitor” is investigating the traffic?

Egemen, could you please explain why it happens?

Thanks

P.S. The user “Negativ” noticed this issue with Kad search and posted it here:
Chiarimento su ricerca kadu in Emule
https://forums.comodo.com/index.php/topic,1087.0.html

Network Monitor does not change or block solicited packets. What do your logs say about this? Do they show something blocked?
That partial image loading seems to be related to ICMP Fragmentation stuff. Do you have that rule?

We need to analyze the logs to see what's happening. Can you please activate logging for all rules so that we can have a good traffic map?

Egemen

It seems that CPF does not block anything.
I set all my rules, both allow and block, to log what is happening. Here are the logs created during the search through Kad:

Date/Time :2006-07-19 03:06:48
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 138.100.10.146:http(80)
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:48
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 82.60.139.67:4672
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:38
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 88.155.25.88:6672
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:38
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 190.45.61.73:4672
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:33
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 151.37.22.98:4672
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:23
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 61.149.222.129, Port = 4672)
Protocol: UDP Outgoing
Source: 192.168.1.3:4672
Remote: 61.149.222.129:4672
Reason: Network Control Rule ID = 6
Date/Time :2006-07-19 03:06:18
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 80.203.126.152:4672
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 213.44.180.9:1100
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:12
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4662)
Protocol: TCP Incoming
Source: 216.55.223.14:2657
Remote: 192.168.1.3:4662
TCP Flags: SYN
Reason: Network Control Rule ID = 2
Date/Time :2006-07-19 03:06:12
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 222.172.21.75:6260
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:06:02
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 59.113.54.23, Port = 4672)
Protocol: UDP Outgoing
Source: 192.168.1.3:4672
Remote: 59.113.54.23:4672
Reason: Network Control Rule ID = 6
Date/Time :2006-07-19 03:05:57
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)
Protocol: UDP Incoming
Source: 81.202.76.167:6770
Remote: 192.168.1.3:4672
Reason: Network Control Rule ID = 3
Date/Time :2006-07-19 03:05:57
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 85.54.142.140, Port = 4672)
Protocol: UDP Outgoing
Source: 192.168.1.3:4672
Remote: 85.54.142.140:4672
Reason: Network Control Rule ID = 6

Even if I set all the rules to allow, the result is the same.

To make Kad search work, I have to disable the “Network Monitor”.

Hmmm. Let me test it as well.

Edit: With eMule 0.4.7, I could not reproduce the issue. What's your network configuration? Or what application are you using for P2P?

I can think of one case: the Security->Advanced->Block Fragmented IP Datagrams option. Can you try to disable it? Perhaps it is the reason.

Hi Egemen!
Same problem here. I use an Italian internet connection named “Fastweb”.
For P2P I use a special optimized version of eMule, called eMule Adunanza, developed for Fastweb’s users. I can, however, use the standard version of eMule, but I can only obtain a low-ID connection with non-Fastweb users because this internet connection is like a very, very big private LAN.
Anyway, with Comodo firewall I can’t search anything using Kad. No results, or just a couple of them.
With normal server search I have no problem at all.
If I stop the network control rules, the problem goes away.
I use the last beta version of Comodo and in the network rules I have the default ICMP rule.

I tried to disable the Block Fragmented IP Datagrams option, but the same issue occurs.

This problem occurs in Jetico firewall too, but it has an option “Deny all fragmented packets” and if I disable it eMule works correctly.
Thank you

I am using the mod Xtreme 5.2, which is a variant of the official 0.47a.

I have also tested it with the official and had the same results.

I made the tests with 3 configurations:

  1. pc → modem-router
  2. pc → normal modem adsl
  3. pc → modem 56k

All had the same results

I can think of one case: the Security->Advanced->Block Fragmented IP Datagrams option. Can you try to disable it? Perhaps it is the reason.

That was my first thought also. I had tried it with no success. Can it be that although it seems disabled, in reality it isn’t?

Hi Egemen. I installed CPF 2.3.2.21 beta and tried a search through the KAD network again.
This version reports what is blocked, excellent job ;D

Here is the new log

Date/Time :2006-07-26 02:28:08 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3000 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2966 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3144 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2640 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2900 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 
192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3015 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2666 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2671 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2858 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 217.132.216.164 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 217.132.216.164:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2754 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) 
Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3069 bytes) do not match Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 222.150.216.191 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 222.150.216.191:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2887 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2863 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3081 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3121 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3002 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked 
by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3015 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 213.39.146.28 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 213.39.146.28:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2759 bytes) do not match Date/Time :2006-07-26 02:27:58 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 172.185.107.30 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:58 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2888 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2777 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor 
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3369 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2865 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2949 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 172.185.107.30 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:53 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 172.185.107.30:6672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2954 bytes) do not match Date/Time :2006-07-26 02:27:53 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3198 bytes) do not match Date/Time :2006-07-26 
02:27:48 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE) Protocol:ICMP Incoming Source: 151.37.70.226 Remote: 192.168.1.3 Message: HOST UNREACHABLE Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3236 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3125 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2870 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3038 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3195 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the 
size on the wire(3148 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7 Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 201.32.230.16 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2860 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3066 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 82.251.12.197 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3208 bytes) do not match Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 83.213.111.78 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP 
packets are not allowed Date/Time :2006-07-26 02:27:48 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2796 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2811 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 201.32.230.16 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 201.32.230.16:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2749 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3087 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3040 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 
Reason: UDP packet length and the size on the wire(2632 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3129 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2997 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2978 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2836 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 82.251.12.197 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 82.251.12.197:7571 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2755 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 
69.182.21.178 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 69.182.21.178:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2958 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(3226 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fragmented IP Packet) Direction: IP Incoming Source: 83.213.111.78 Remote: 192.168.1.3 Protocol : UDP Reason: Fragmented IP packets are not allowed Date/Time :2006-07-26 02:27:43 Severity :High Reporter :Network Monitor Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) Direction: UDP Incoming Source: 83.213.111.78:4672 Remote: 192.168.1.3:4672 Reason: UDP packet length and the size on the wire(2892 bytes) do not match Date/Time :2006-07-26 02:27:43 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) Protocol:ICMP Incoming Source: 213.205.19.114 Remote: 192.168.1.3 Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7
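For triaging a log like the one above, the following added example (not part of the original thread and not Comodo's code) parses Network Monitor entries, whether pasted one field per line or run together, and groups the drops by the check that caused them. The sample entries are constructed in the layout shown in the thread with documentation-range source addresses; the function names and the 1500-byte MTU default are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four entries run together on one line and one entry
# with a field per line, mirroring the two layouts pasted in the thread.
SAMPLE_LOG = (
    "Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor "
    "Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) "
    "Direction: UDP Incoming Source: 198.51.100.7:4672 Remote: 192.168.1.3:4672 "
    "Reason: UDP packet length and the size on the wire(3000 bytes) do not match "
    "Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor "
    "Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet) "
    "Direction: UDP Incoming Source: 198.51.100.7:4672 Remote: 192.168.1.3:4672 "
    "Reason: UDP packet length and the size on the wire(2966 bytes) do not match "
    "Date/Time :2006-07-26 02:28:03 Severity :High Reporter :Network Monitor "
    "Description: Blocked by Protocol Analysis (Fragmented IP Packet) "
    "Direction: IP Incoming Source: 198.51.100.7 Remote: 192.168.1.3 "
    "Protocol : UDP Reason: Fragmented IP packets are not allowed "
    "Date/Time :2006-07-26 02:28:03 Severity :Medium Reporter :Network Monitor "
    "Description:Inbound Policy Violation (Access Denied, ICMP = TIME EXCEEDED IN TRANSIT) "
    "Protocol:ICMP Incoming Source: 203.0.113.9 Remote: 192.168.1.3 "
    "Message: TIME EXCEEDED IN TRANSIT Reason: Network Control Rule ID = 7\n"
    "Date/Time :2006-07-19 03:06:48\nSeverity :Low\nReporter :Network Monitor\n"
    "Description: Information (Access Granted, IP = 192.168.1.3, Port = 4672)\n"
    "Protocol: UDP Incoming\nSource: 198.51.100.20:4672\n"
    "Remote: 192.168.1.3:4672\nReason: Network Control Rule ID = 3\n"
)

# Field labels seen in the pasted logs; the colon may have a space before it.
FIELD_RE = re.compile(
    r"\b(Date/Time|Severity|Reporter|Description|Protocol|Direction|"
    r"Source|Remote|Message|TCP Flags|Reason)\s*:\s*"
)
WIRE_RE = re.compile(r"size on the wire\((\d+) bytes\)")


def parse_entries(text):
    """Split a pasted log into one dict per entry, keyed by field label."""
    text = " ".join(text.split())  # flatten newlines so both layouts parse alike
    entries = []
    for chunk in re.split(r"(?=Date/Time\s*:)", text):
        parts = FIELD_RE.split(chunk)  # [prefix, key, value, key, value, ...]
        fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
        if "Date/Time" in fields:
            entries.append(fields)
    return entries


def classify(entry):
    """Name the mechanism that decided the packet's fate."""
    desc = entry.get("Description", "")
    inner = re.search(r"\(([^)]*)\)", desc)
    if desc.startswith("Blocked by Protocol Analysis"):
        return "protocol-analysis: " + (inner.group(1) if inner else "?")
    if "Access Denied" in desc:
        return "rule-denied: " + entry.get("Reason", "?")
    if "Access Granted" in desc:
        return "allowed"
    return "other"


def summarize(entries, mtu=1500):
    """Tally outcomes per class and per source; mtu is an assumed Ethernet MTU."""
    by_class, by_source, wire_sizes = Counter(), defaultdict(Counter), []
    for e in entries:
        cls = classify(e)
        by_class[cls] += 1
        if cls != "allowed":
            by_source[e.get("Source", "?").split(":")[0]][cls] += 1
        m = WIRE_RE.search(e.get("Reason", ""))
        if m:
            wire_sizes.append(int(m.group(1)))
    return {
        "by_class": dict(by_class),
        "by_source": {h: dict(c) for h, c in by_source.items()},
        "wire_sizes": wire_sizes,
        # Reported sizes larger than one frame at the assumed MTU.
        "over_mtu": sum(1 for s in wire_sizes if s > mtu),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE_LOG)).items():
        print(key, value)
```

Separating the rule-based denials from the protocol-analysis drops shows which setting each symptom depends on, since the two are controlled in different places in the firewall.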

Hi Pandlouk,

Can you use a sniffer such as www.packetyzer.com so that we can see what the packets are? Specifically, those UDP packets dropped. You can paste the output of the sniffer here.

Thx,
Egemen

OK, I just finished. I made several tests with Network Monitor first enabled and then disabled. With N.M. activated I did not succeed in identifying the packets. I guess that CPF blocks them before they reach Packetyzer.
With N.M. disabled I identified these packets by comparing them with the previous results.

I attached a zip with a “capture session” file and a “blocked” file. The capture is the complete report and the blocked has only the dropped packets.

Hope it helps :slight_smile:

[attachment deleted by admin]

Thank you for the logs. Tomorrow’s BETA should solve this problem if fragmented packets are allowed.

Egemen

Great. Thanks egemen

Hi everybody,

I have to raise this topic again, so short version, just the facts:

0.) CPF version 2.3.5.62, tested with and without ‘block fragmented IP datagrams’
1.) NAT for TCP/UDP ports is set
2.) rules for ‘TCP in’ and ‘UDP in’ on the needed ports are set and at #0 and #1
3.) eMule Xtreme [mod, latest version], successfully connects
4.) high id on servers and connect to kademlia without problems
5.) searching on servers without problem
6.) searching on kademlia => ■■■■ :wink:

Lots of ‘Fake or Malformed UDP Packet’ log messages and no search results.
I tested with searching ‘sex’, so there should be results. :wink:

I cleared the log, captured a complete search cycle with WireShark and exported the capture and the log for the search cycle. (see attachment)

If anybody needs an export of the WireShark log (to .txt, .ps, anything else), just let me know!

I really hope anybody can help with this! (:SAD)

Thank you

mjpm

[attachment deleted by admin]

addition:
Checking further on it, I found out that the only way to make search work is to completely disable protocol analysis. Even checking ‘skip advanced security checks’ for eMule does not work.

So, still looking for any ideas to make it work.

mjpm

Hi,
the problem still exists with the new version (2.3.6.81).

It can’t be that nobody has an idea about this. :frowning:

Regards,
Marcel

Before performing a search in Kademlia you must disable the option to block fragmented packets, or disable the Network Monitor for 1-2 seconds. This will do the trick ;D

But isn’t that quite difficult? Is there a way for someone to edit the code somehow so that you could change the application monitor rights, for example for eMule, so that you could enable every connection and every packet, fragmented or not? This would be very useful and a solution to this problem.

Do you know if they have any plan to fix this?

Hello,

Disabling the Network Monitor is a bad thing :wink: as it disables all rules, so free entry for everyone.
Allowing fragmented IP datagrams only resolves the problem with…guess what… log alerts about fragmented packets, but the alerts that keep Kad from searching are alerts about “bad or malformed udp packets” with the length not being the same in the packet and on the wire, so this does not work for me. As I wrote before, the only thing which works for me is disabling protocol analysis.

I even tested if the MTU between my router and pc changes because I thought maybe my router would fragment packets, with no results.

And what seems most curious to me is that WireShark does not show any fragmented/malformed/changed packets at all when searching on Kad. It just shows normal IP and eDonkey protocol packets with the length being the same in the packet and on the wire.

At the moment this is a real no-go about CF. :frowning:

Regards,
Marcel