Windows Update traffic not noticed by CPF

I don’t know when it started, but I noticed it during installation of Vista SP1 and today again: the CPF network icon (the shield in the systray with green and red arrows) doesn’t recognize any traffic when downloading MS updates. Also ‘view active connections’ indicates no traffic whatsoever.

To make it even stranger… Windows update itself doesn’t notice any traffic either (only after say every 10-15% it updates its progress indicator, which it never used to do so slowly) AND the netwerk icon (the 2 monitors with a globe) doesn’t light up either.

I tried to capture traffic using Ethereal, but this suddenly cannot find any interface to capture.

In short, there is traffic, is comes in thru my wireless connection using my own wireless router connection (checked that), but nobody seems to notice.

Also, Windows update is terribly slow, 15 min for 26 Mb on a 6Mbit connection which usually gives my 3Mbit over http, 6 over ftp.


Windows Vista SP1
CPF 3.8…477
NOD32 4.0.424

Doesn’t ESET’s NOD32 have some sort of web proxy that it uses to scan for threats? I’m not sure (I’ve not run NOD32 in many years), but this could be the reason why you’re not seeing any traffic… maybe NOD32 is redirecting everything on local loopback.

Yes, ESET does have something like EKRN.EXE which redirects traffic from apps like browsers and email clients, even svchost.exe.
But even then, this is just indicated as traffic by ekrn.exe. Other apps, not going thru ekrn.exe, have their own traffic.
So in short, I don’t see why it shouldn’t be indicated, but this could be ignorance, of course.

Under CIS do you have “Enable Alerts for loopback requests” checked (Firewall - Advanced - Firewall Behavior - Alert Settings tab)? Otherwise, I don’t think CIS will see what NOD32 is doing with all the traffic. Assuming, of course, it is routing all the traffic through some sort of transparent local loopback proxy (which I’m not 100% certain of) & it’s like Avast’s proxy.

Maybe you can switch to Wireshark, Ethereal is the “old” version… and are you sure you started it as "Administrator " on Vista, otherwise you won’t see any adapter available to chose from… like you described.

Wireshark comes with an experimental service that allows “normal” users to capture traffic also but i have no experience with that as i always start is as Administrator :wink: