Jump to content

Incorrect Ethernet Packet

Purpleroses
 Share

Recommended Posts

itman

itman 1,659

Posted
Posted (edited)
16 minutes ago, Kurt said:

I am also required to disable the IDS to allow access to my hosting machine for an internal app which I still have not received an answer to why that is happening.

Leave Firewall and IDS alone for the time being.

Refer to the below screen shot. Right click on one of the related Network log entries and select "Don't block similar events in the future." This should create an IDS exception for this activity. See if that stops your logging and corresponding network share performance issues. I am not going to do so presently since I not getting that many log entries; only for Win Store related activity.

Eset_Ethernet.thumb.png.3aab190314c371a5a46817203d95a8a9.png

Edited by itman
Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted

I did do this and I still was required to disable IDS.  Log entries decreased, but occasionally still happened.

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted
59 minutes ago, itman said:

Connected to the Store and performed a manual update. Ended up with a bunch of new Eset Network Protection log entries. 

Can you share steps to accomplish this?

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)
16 minutes ago, Kurt said:

I got it, I am seeing the same additional log entries.

Forgot to mention that when the IDS exception is created, it will only create the exception for the IP address associated with the log event. Refer to the below screen shot. Open IDS Exceptions in the Network Attack Protection section of the Eset GUI  . Then edit the existing exception removing the existing Remote IP address. This will then apply the exception to all IP addresses. 

Eset_Exceptions.thumb.png.46839a180d29b3000a0a36c4e5e4129e.png 

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)
32 minutes ago, Kurt said:

Can you share steps to accomplish this?

https://www.thewindowsclub.com/check-for-windows-store-app-updates

-EDIT- Another way to do so: https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

I also noticed something else odd.

For some reason, "Filtering" was enabled on my Eset Network protection log. I know I didn't manually do so. I have since disabled it and will wait if that somehow has something to do with this unexpected protocol data issue.

-EDIT- Nope. No relation to this very odd Eset behavior.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

Damn it - another Eset bug.

I just noticed the IDS exception created by right clicking on the Network log entry is not the correct one! It created an "Unexpected Network Protocol" exception instead of an "Incorrect Ethernet Packet" exception. So you will have to manual delete the "Unexpected Network Protocol" exception and add an "Incorrect Ethernet Packet" exception.

Now see if the blocked network activity stops.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

I finally got "Incorrect Ethernet Packet" IDS exception to work. I had to set the Direction in the rule to "Both" and presently doing it by detected IP address; after verifying the IP address is associated with a Win Store connection.

Sure hope Eset figures out what the problem here is proto. 

-EDIT- Forget any exceptions. When I set direction to Both I started seeing blocked Google server connections appearing whose IP addresses were never seen before.

Appears to me something serious is borked in IDS detection.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,069

Posted
  • Administrators
Posted

If possible, please provide logs generated as follows. Until then we cannot carry on and check what is causing the error:

- enable advanced logging under Help and support -> Details for technical support
- reboot Windows
- reproduce the error
- stop logging
- gather logs with ESET Log Collector and provide the generated archive.

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted

again, how is this done?  What is the log file name?  Your instructions do not properly  allow me to generate what you are looking for.

Please provide better instructions on how to provide the log files you are looking for.

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted
19 hours ago, Kurt said:

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

Once again

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted
17 hours ago, Kurt said:

What is the name of the file, there are many generated in the diagnostics folder.

Once again.

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted
17 hours ago, Kurt said:

I need guidance on what disabling the IDS affects and what is my risk if I leave it disabled.  Doing this solves my issues other than Incorrect "Ethernet packet errors" on all machines. 

Once again.

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted

Thanks Itman.

I appreciate your troubleshooting help.  I think your initial thoughts that the router is bad may have some merit.  I think the firmware on my modem/router maybe outdated and not correctly passing and/or sharing IPv6 addresses correctly confusing ESET and blocking the communications.  I am working with my internet provider to check the firmware and possibly replace the modem to remove that piece of the puzzle.

I have built my internal routing table to address intrAnet communications so PC to PC communication is now working.

Thanks again.

 

 

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

A new update today.

Observed Eset Networking log activity at today's first cold boot. It's not just Win Store network activity causing the Eset IDS detection logging, but all outbound activity to Microsoft. For example, BackgroundTaskHost.exe, etc.. In total, 45 event log entries created.

I also did a hard reset on my router last night to no avail. All Eset has to do to duplicate this on a Win 10 1809 build is to reboot the device.

The question now is only Win 10 1809 affected or are prior Win 10 versions also?

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)
18 minutes ago, Kurt said:

I think your initial thoughts that the router is bad may have some merit. 

I don't believe that is the problem since multiple Eset users are having the issue.

Microsoft has changed something on at least Win 10 1809 in regards to its server communication and that is what Eset needs to concentrate on.

Also why when an IDS exception for an "Incorrect Ethernet Packet" log event is created, does Eset generate an "Unexpected Network Protocol" exception? Note the Eset definition for this:

Quote

Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets. Or zero port in TCP/UDP/.

"My money" at this point is on Microsoft has changed something in their DNS protocol requests and Eset can't handle it.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

@Marcos these are the IP addresses connections from Microsoft related Windows processes running at boot time. None are domain routable addresses from what I can determine:

2600:141f:8000:195::4106

Akamai Aggregate 
location - United States 
ptr - g2600-141f-8000-0195-0000-0000-0000-4106.deploy.static.akamaitechnologies.com

2a01:111:200a:8::ff04 - Microsoft V6

2a01:111:f330:1790::a01 - Microsoft V6

Edited by itman
Link to comment
Share on other sites
Joliet_tech

Joliet_tech 0

Posted
Posted
On 4/10/2019 at 10:06 AM, Kurt said:

Disabling Network Attack Protections (IDS) on the PC being accessed has addressed the issue of accessing the fileshare quickly and allowing access to the app hosting machine (screenshot reflects my PC which has IDS still enabled, but is initiating the access).

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

IDS.png

 

Link to comment
Share on other sites
Joliet_tech

Joliet_tech 0

Posted
Posted

I disabled the Network Attach Protection on the pc hosting the data and it resolved the issue completely. Thank you.  And Thank  you Microsoft.....grrrrrrrr.

What is still baffling me though is that I have another  pc in the office that similarly has mapped drives on the same pc's as above and there was NEVER any slow down.  Access to pc-A was always  good while access to pc-E was bad.   I checked and both of these pc's (A and E) that have drives mapped TO THEM had the same update on 4/9 (KB4493509).  Does anyone have  an idea  of  why this occurred this  way?

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted
7 hours ago, Kurt said:

I need guidance on what disabling the IDS affects and what is my risk if I leave it disabled.  Doing this solves my issues other than Incorrect "Ethernet packet errors" on all machines. 

Anything yet?

Link to comment
Share on other sites
Kurt

Kurt 4

Posted
Posted

Installed a new cable modem/router, no difference.  It is likely ESET or Microsoft or both.

Time for ESET to start collaborating and fix the issue with Network Attack Protection (IDS) and IPv6...

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...