Need help with logs [Resolved]

In looking at the logs it seems my pc is getting probed constantly by the same 3 or 4 things. 1) Inbound violation (access denied, ip=10.98.32.1, port dhcp (68)) 2) Inbound violation (access denied, protocol=IGMP) 3) Inbound violation (access denied, ICMP port unreachable) 4) Outbound violation (access denied, ICMP=router solicitation). I have no clue as to what any of this means as to who/what is trying to access in or out every few seconds. Hope someone can enlighten me. If item 4 is referring to something like a wireless router I don’t have one on my system. Thanks in advance

Hello seadog.

A question for you, how do you connect to the Internet, is it via a router?

The IP Address is part of a private range, reserved for use behind NATs: 10.0.0.0/24, also 172.16.0.0/16 and 192.168.0.0/16.

DHCP is Dynamic Host Configuration Protocol; essentially it’s a method by which IP Addresses may be allocated to client computers automatically on a network, such as a LAN or the Internet.

The port number (68) is the port used by the client to communicate with a DHCP server; the server uses port 67. So it would seem that you have a DHCP server on your network that’s trying to issue your PC with an IP address and is being denied. This ‘violation’ has not originated from the Internet.

IGMP stands for Internet Group Management Protocol and is used in multicasts. That is, applications where a number of users all receive the same data simultaneously, such as IP/TV.

ICMP is the Internet Control Message Protocol and is used for many things. For example, when you ‘PING’ another computer it’s ICMP that returns the response. ICMP is also used as a means to transfer routing table information between routers.

In CPF there are default Network Monitor rules that will either Allow or Block certain types of traffic, such as ICMP.

If you could post a picture of your Network Monitor rules it would help.

Toggie
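As an added illustration of the triage Toggie walks through above (private ranges, DHCP ports 67/68, IGMP/ICMP), and of the APIPA 169.254.0.0/16 range discussed later in the thread, here is a small Python script that is not from the forum or from Comodo: it parses log lines constructed to look like the four entries in the opening post and labels each one by direction, source-address class and protocol. The sample lines and the 169.254.17.9 address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines modelled on the four CPF Network Monitor entries
# quoted in the opening post (plus one link-local source); not a real log.
SAMPLE_LOG = """\
Inbound violation (access denied, ip=10.98.32.1, port dhcp (68))
Inbound violation (access denied, protocol=IGMP)
Inbound violation (access denied, ICMP port unreachable)
Outbound violation (access denied, ICMP=router solicitation)
Inbound violation (access denied, ip=169.254.17.9, port dhcp (68))
"""

DHCP_PORTS = {67: "DHCP server", 68: "DHCP client"}
LINE_RE = re.compile(r"^(Inbound|Outbound) violation \(access denied, (.*)\)$")


def classify_ip(ip_str):
    """Say where an address can originate: link-local (APIPA), private LAN or public."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_link_local:          # 169.254.0.0/16, self-assigned when no DHCP answers
        return "link-local (APIPA 169.254.0.0/16)"
    if ip.is_private:             # RFC 1918: 10/8, 172.16/12, 192.168/16
        return "private (RFC 1918)"
    return "public"


def triage(line):
    """Parse one log entry into direction, address class, port role and protocol."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, detail = m.groups()
    rec = {"direction": direction.lower(), "detail": detail}
    ip_m = re.search(r"ip=(\d+\.\d+\.\d+\.\d+)", detail)
    rec["src_class"] = classify_ip(ip_m.group(1)) if ip_m else "n/a"
    port_m = re.search(r"port \w+ \((\d+)\)", detail)
    rec["port_role"] = DHCP_PORTS.get(int(port_m.group(1)), "other") if port_m else "n/a"
    if "IGMP" in detail:
        rec["proto"] = "IGMP (multicast group management)"
    elif "ICMP" in detail:
        rec["proto"] = "ICMP (control messages, e.g. ping)"
    else:
        rec["proto"] = "UDP/TCP"
    # Private and link-local sources are not routed across the Internet, so such
    # an entry came from the local segment (modem, ISP access network), not afar.
    rec["source_routable"] = (rec["src_class"] == "public") if ip_m else None
    return rec


def triage_log(text):
    """Run triage over every line of a log, skipping lines that do not parse."""
    return [r for r in (triage(l) for l in text.splitlines()) if r]
```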

Hello Toggie,

Thanks for the info…it is very helpful.
I had a Linksys wireless router several years ago but it died. I am now hard wired direct to cable modem. 1 pc no network.
I too thought the DHCP server was trying to issue an ip address to my pc. The reason I thought so was 2 days ago I lost my connection to the web. In the Windows event viewer I found an error warning re: DHCP not being able to renew my pc ip address. It read “operation cancelled by user” so I figured the firewall killed it. I rebooted the pc & all has been working ok. I thought it strange that rebooting would solve the problem if the firewall was stopping it.
I would like to post the screen shot you requested but I have yet to learn how. (Lots of new tricks for an old dog to learn.) I can tell you that I have changed nothing on the setup so I am using the default rules. As far as the pop ups go I have permanently allowed all my programs access. I don’t believe I disallowed anything. Hope that helps in your troubleshooting the issue. Again thank you for your time and knowledge.

Seadog. It would be interesting to know where the DHCP lease offer is coming from…

Would you do one thing for me please:

I guess you’re using W2K/XP/Vista?

Open a command window (one way to do this: Start Menu/Run - type CMD - press enter).

Once you have the window open type:

Ipconfig /all - press enter.

Once you have the information could you let me know what it says under the Ethernet section.

Toggie

seadog.

I just noticed, there is another thread here:

https://forums.comodo.com/index.php/topic,6321.0.html

Where the problem outlined is very similar to yours. It would probably be worthwhile reading through the steps outlined there.

Toggie

I’d love to know how a 10.X.X.X non-routable address is inbound, let alone why it’s trying to do something with DHCP. This is the second reported case of private addresses attempting a DHCP related incoming request. Very odd. Very suspicious.

Ewen

Toggie…and panic. Thank you both for the replies. I very much appreciate the help. My brain is dead tonight so if you don’t mind I will answer in the am after I reboot my brain.

Toggie,
I have the ipconfig info you requested as follows:

  1. connection-specific dns suffix: hawaii.rr.com
  2. description…intel (r) pro/100 ve network connection
  3. physical address…xx-xx-xx-xx-xx-xx
  4. dhcp enabled…yes
  5. auto configuration…yes
  6. ip address…66.x.xxx.xx9
  7. submask…255.255.248.0
  8. default gateway…66.x.xxx.1
  9. dhcp server…10.98.32.1
  10. dns servers…66.xx.xx.90 & 66.xx.xxx.89
  11. lease obtained…3/26/07 [ at ] 6:29 am
  12. expires…3/26/07 [ at ] 3:59 pm

I read the thread from the link you provided…sounds like the identical issue. I too had the 2.3 version with no problems until I updated to 2.4 when it was released. Had lots of issues so I uninstalled & did a clean install without antivirus or spyware apps. Reinstalled av & sw apps. All seems well except for this one issue.

Panic…While this doesn’t seem to be causing any problems except for the log issues it would be nice to know what is causing it. There must be many others having the same issue even though they haven’t posted.

Thanks again to you both for your time and knowledge.

seadog:

The key piece of information here is the DHCP Server, which has the reserved address of 10.98.32.1. The question is, where is it? The problem is that without taking a packet filter to examine the complete DHCP request process, it’s almost impossible to tell from here.

The way I see this, it has two possibilities:

  1. The DHCP server is located at your ISP and is part of a LAN to which your cable modem connects. Even though it has a reserved address, it has been configured to allocate valid Internet IP addresses in the 66.x.xxx… (and possibly other scopes) range. To be honest, this configuration seems a bit weird to me…

  2. The modem/device that you use has a basic DHCP Server capability, i.e. it can lease one or possibly a few IP addresses. As DHCP requests from clients are generally answered by the nearest available DHCP Server, the modem is answering before your ISP.

I really am not sure which, if either, is correct as both sound a bit strange and both have problems.

What is the make/model of your cable modem?

I read the thread from the link you provided…sounds like the identical issue. I too had the 2.3 version with no problems until I updated to 2.4 when it was released. Had lots of issues so I uninstalled & did a clean install without antivirus or spyware apps. Reinstalled av & sw apps. All seems well except for this one issue.

Looks like something changed in 2.4 that concerns this area. I’ll leave that to someone closer to Comodo to answer.

Panic…While this doesn’t seem to be causing any problems except for the log issues it would be nice to know what is causing it. There must be many others having the same issue even though they haven’t posted.

I don’t believe it is a problem to be concerned about, but I too would like to understand where the DHCP server is.

Toggie

The thing I’m noting is that they’re both cable connections.

As I advised innerpeace in the other thread, I’d suggest contacting your ISP and asking them about this showing up as your DHCP Server. If they confirm it, find out why/how.

LM

PS: I edited your IP info for privacy.

Little Mac…thanks for editing my last post. Being new at this I didn’t know any better so I just put it all out there. I called my isp, gave them all the info from ipconfig /all and they confirmed it as valid. Aside from that they weren’t much help.

Toggie…I think you may be on to something re one or both items in your last post.
Tried to discuss both those issues with isp but they were 0 help. They didn’t want to discuss it. Told me to contact comodo. I think it may have been above their pay grade.

cable modem: Toshiba DAZ8823A

Thanks again for your time and knowledge

Okay, so a partial explanation…

I really think it has something to do with the CMTS thing. https://forums.comodo.com/index.php/topic,6321.msg48876.html#msg48876 But of course, that’s above my pay grade… ;D

Have you filed a ticket with Comodo Support? They might be able to provide more help. If you do so, give them a link to this topic, and keep us posted on their response. http://support.comodo.com/

LM

One possible way to determine if the modem is acting as a DHCP server might be as follows.

  1. Disconnect the modem from the Internet, but leave it connected to your PC.
  2. Open a command prompt (start menu/run, type cmd, press enter).
  3. Type ipconfig /release - press enter.
  4. Type ipconfig /renew - press enter.
  5. Type ipconfig /all - press enter.

See what information you have for the IP Address and DHCP Server.

Just a thought.

Toggie

Toggie…here are the results.

cable off>ipconfig /release=0 cable off>ipconfig /renew=0
cable off>ipconfig /all=auto configuration ip= 169.xxx.xx.xxx submask=255.255.0.0 cable on> ipconfig /renew>ipconfig /all= same as post #7. Hope this tells you what you are looking for.

Little Mac…Just checked the logs & of the 4 inbound violations that I originally posted only the “access denied, protocol=IGMP” keeps repeating every minute over and over again non stop.

The more I learn the more I learn how much I don’t know. I will write a support ticket as soon as I learn how to give them the link back to here. I will let you know when I make some progress.

Once again thank you for your knowledge and patience.

Thanks seadog, it speaks volumes.

With the cable unplugged your system went into a mode called APIPA (Automatic Private IP Addressing). This can be seen from the 169 address. This range is:

169.254.0.1 - 169.254.255.254.

This block of Class B addresses is reserved for Microsoft. Basically, when your system is configured to ‘look’ for an IP address and it can’t find a DHCP server, it assigns an address from the above range. This range of addresses, however, has no meaning on the Internet and is only for use on a LAN.

I think it’s possible to assume that the modem is not a DHCP server, so that leaves us with your ISP or something we haven’t thought of…

Toggie

Toggie…I think I will try a call to my isp again tomorrow. Perhaps I can phrase my questions to them differently & get a more useful response from them than I did today. I did file a support ticket with Comodo although I didn’t figure out how to link them back to here. A lesson for another day. I still find it interesting that like Innerpeace in the other thread, this issue only started when we both upgraded from version 2.3 to 2.4. It also seems strange that more users don’t seem to be having this issue.

Thanks again for your time, knowledge & patience…It’s people like you who keep people like me plowing ahead in search of answers.

seadog,

When you speak with your ISP, if you’re not getting the answers you’re looking for, you can always request to escalate to a higher level tech. They should comply with that, even if they don’t want to; you are the customer, after all.

Regarding the link for the Comodo support ticket, here’s what you can do: The red title/subject line on each post is an embedded link to that specific post. So if you go to your first post in this thread, right-click on that subject, and select Copy. Then go to Support, and open your existing ticket. You can create a reply to them, and just Paste the link you’ve copied into it; mention that’s your post in the forums.

Computers and software issues can be confusing, because they frequently are inconsistent. Sometimes problems crop up just because of minute details of the hardware & software configuration; only one person out of 1000 may have a given problem. That’s why tech guys get paid so much… it can be a real pain to resolve issues, and a lot of it can be almost pure guesswork! ;D

LM

Little Mac… I spoke with my isp 2 times again today and the first person I spoke with assured me the probes were not coming from my isp. When I called a second time I spoke with someone else who told me that the ICMP, IGMP, & the other probes coming from 10.98.32.1 were in fact coming from their server & the behavior was normal. Said it is supposed to ping me every minute to make sure I still have an internet connection & no need for concern. How does this mesh with your knowledge of such things? Thanks again

PS…re the link info. I figured it would be a copy/paste, I just wasn’t aware the subject line was an embedded link.

seadog,

My knowledge is not the best, but a server regularly “pings” the known clients to verify that they’re still active. This is not disallowed by CFP’s default rules - that’s the rule to Allow ICMP In… where message is ICMP Echo Request. If they don’t get a response, the lease for your IP address won’t renew.

This does not appear to be what is happening, unless you’ve removed that rule. Even at that, though, your alerts have a different message than that. I’m not familiar with IGMP being used for this purpose, that’s kinda odd.

Here’s a thing. If you create a block rule as discussed before, and block those connections, see if you have any problem keeping your connection active, or if it shows that you’ve lost the connection (say, if you leave the computer on overnight). If it does, there may be some validity to what they’re telling you; it’s possible, I guess, that cable’s different. If your connection stays solid and active, then I’d say they’re blowing smoke…

I think it’s kind of odd as well, that they have told you different things, depending on the person you talk to.

LM

seadog.

It’s very common for ISPs to ‘PING’ their clients. As the tech guy said, it’s generally no cause for concern.

DHCP is a slightly different issue. When you obtain an IP Address via DHCP it has a finite life. You can see this from your post earlier:

lease obtained…3/26/07 [ at ] 6:29 am
expires…3/26/07 [ at ] 3:59 pm.

A DHCP Client will attempt to contact a DHCP server at specific intervals to renew its ‘lease’. Generally the first attempt will be when the lease is half way through its lease period.

An IP Address issued by a DHCP server is not a ‘push’ based mechanism; it’s actually ‘request’ based. On a windows based system this dialogue is generally handled by a generic windows service called svchost.exe.

If you suspect something is not quite right, then we need to delve deeper to establish where the problem is coming from.

At least we now know where the DHCP server is and what its address is.

Toggie
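To put numbers on Toggie’s lease-renewal point above, here is an added Python example (not from the forum or from Comodo) that takes the lease times quoted from seadog’s ipconfig output and computes the RFC 2131 default renew (T1, half the lease) and rebind (T2, 7/8 of the lease) points, then names the client state at any given time. The T1/T2 fractions are the RFC defaults and are an assumption about this ISP’s server, which may hand out its own values.

```python
from datetime import datetime, timedelta

# Lease times as quoted from the ipconfig /all output in the thread (3/26/07).
LEASE_OBTAINED = datetime(2007, 3, 26, 6, 29)
LEASE_EXPIRES = datetime(2007, 3, 26, 15, 59)


def lease_timers(obtained, expires, t1_frac=0.5, t2_frac=0.875):
    """Return (T1, T2): when the client starts renewing, and when it starts rebinding.

    0.5 and 0.875 are the RFC 2131 defaults; a server may override them (assumed here).
    """
    duration = expires - obtained
    return obtained + duration * t1_frac, obtained + duration * t2_frac


def client_state(now, obtained, expires):
    """Name the DHCP client phase at `now`, i.e. what traffic the firewall should see."""
    t1, t2 = lease_timers(obtained, expires)
    if now < obtained:
        return "not yet bound"
    if now < t1:
        return "BOUND (no renewal traffic expected)"
    if now < t2:
        return "RENEWING (unicast DHCPREQUEST to the leasing server)"
    if now < expires:
        return "REBINDING (broadcast DHCPREQUEST to any server)"
    # After expiry the client drops the address and restarts discovery; on Windows
    # an unanswered discovery falls back to an APIPA 169.254.x.x address.
    return "EXPIRED (DHCPDISCOVER; APIPA fallback if unanswered)"


if __name__ == "__main__":
    t1, t2 = lease_timers(LEASE_OBTAINED, LEASE_EXPIRES)
    print(f"lease length {LEASE_EXPIRES - LEASE_OBTAINED}, T1 {t1:%H:%M}, T2 {t2:%H:%M:%S}")
    for h in (8, 12, 15, 16):
        when = LEASE_OBTAINED.replace(hour=h, minute=0)
        print(f"{when:%H:%M} -> {client_state(when, LEASE_OBTAINED, LEASE_EXPIRES)}")
```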