
Incorrect Ethernet Packet



Appears it has something to do with IPv6 HTTPS to Microsoft direct or delegated servers. However, I have received the "Incorrect Ethernet Packet" block when doing some testing in regards to DNS checking on other sites. So the problem might have an Eset SSL protocol scanning element to it. Normal browser connections are completely unaffected by the issue for the most part.


Edited by itman

Kurt, I do not think it has anything to do with IPv6.  I disabled it as part of my troubleshooting and it made no difference.

Also, my issue was  purely from pc to pc - accessing a folder on another  pc. My issue seems somewhat simpler than  some of the others mentioned here.

Edited by Joliet_tech
Add additional info

Think I found a temporary solution until Eset has a fix for this.

Create an IDS "Unexpected Network Protocol" exception with no IP address specified and everything else set to "No." Note: "Direction" in the rule must be set to "Both." 

Initial test was to connect to Win Store and no Network log entries were generated. Although security-wise this is not an ideal solution, it is far better than totally disabling IDS protection.


I am also starting to lean toward Port 0 usage by Microsoft as the possible culprit.

This would not be the first instance I had in that regard using Eset. I believe in ver. 11, Eset changed something in this regard. My ISP for reasons beyond me does ICMPv6 pinging against my router; probably for connectivity purposes. My Win firewall event log was expanding at a phenomenal rate from block activity related to this. That plus Eset's firewall wizard showed the same phenomenal counts. I resolved this one by just creating firewall rules to allow the activity for the IPv6 IP addresses involved.

Edited by itman

46 minutes ago, Marcos said:

Please somebody provide network protection advanced log as I requested earlier in this topic.

Attached are my complete diagnostic logs, hoping they can be somewhat useful. Note that this particular PC does not have the issues that caused me to visit this discussion (but I am also having the problematic errors with "incorrect ethernet packages")!

 

The reason for my visit: certain PCs from some customers of ours had issues accessing files on a network share (the share itself showed up, but accessing files was either painfully slow or caused the application to stop responding entirely). There are quite some differences between the networks and PC setups between the 3 "problematic cases" I have to deal with here, so I am not going into detail right now (but if you need to know anything specific, please ask away!).

I do not have logfiles from the customer PC(s) in question - they're currently trying to work on those machines - but I do have remote access and can collect logfiles and so on after business hours when necessary or helpful! :)

Diagnostics.zip


Read the prior posts and reply with proper guidance Marcos and maybe I will.

Edited by Kurt

On 4/11/2019 at 6:28 AM, Kurt said:
On 4/10/2019 at 11:06 AM, Kurt said:

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

Once again

 


On 4/11/2019 at 2:02 AM, Marcos said:

If possible, please provide logs generated as follows. Until then we cannot carry on and check what is causing the error:

- enable advanced logging under Help and support -> Details for technical support
- reboot Windows
- reproduce the error
- stop logging
- gather logs with ESET Log Collector and provide the generated archive.

 

On 4/11/2019 at 6:26 AM, Kurt said:

Again, how is this done? What is the log file name? Your instructions do not properly allow me to generate what you are looking for.

Please provide better instructions on how to provide the log files you are looking for.

 


12.1.34.0 update is available. Go to Update -> click "Check for updates" (lower right).

Issue still exists.

Edited by Kurt

11 hours ago, Joliet_tech said:

Can you shine some light on your Port 0 usage comment? I am unaware of this in any regard. What is Port 0 or what does it refer to?

https://www.lifewire.com/port-0-in-tcp-and-udp-818145

Whereas the article states ISPs routinely block it, there is nothing to stop the ISP from using it as noted, to ping its own issued routers.


37 minutes ago, Kurt said:

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled. 

Did you try my prior posted workaround? I haven't received a Network log entry since implementing it.

I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.


13 minutes ago, itman said:

I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.

Problem is much worse than initially thought.

A check for Win Update status via Win 10 System Settings will trigger the "Unexpected Network Protocol" detection. The app though not shown is svchost.exe - windows update service, I believe.


So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.


  • Administrators
19 minutes ago, Purpleroses said:

So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.

Not sure what you mean by blocking unknown devices. Do you have advanced logging turned off and logging verbosity set to informative (default) and not to "diagnostic"? What kind of records are being created in your firewall log?


26 minutes ago, Purpleroses said:

So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.

As I stated previously, if your network perimeter is protected with a router that is stateful and employs NAT, DoS, and other like protections, Eset's protections in regards to unknown protocol detection are redundant.

Edited by itman

Time to get things into a broader perspective.

Avast users on Win 7 are getting boot blue screens "up the wazoo" after the last cumulative update. Avira user systems have "slowed to a crawl" on both Win 7 and 10 after last cumulative update with symptoms similar to that reported in this thread.

Perhaps Microsoft has implemented its "hardball" strategy against third party AV vendors? 


What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs. So if I don't change any rules etc. then I should be alright? I posted an image also.

EsetForum.PNG


3 minutes ago, Purpleroses said:

What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs. 

If you click on the "Unblock" tab, Eset will create an  "Unexpected Network Protocol" IDS exception.

The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .


37 minutes ago, itman said:

If you click on the "Unblock" tab, Eset will create an  "Unexpected Network Protocol" IDS exception.

The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .

So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock each one to create "Unexpected Network Protocol" IDS exception?


21 minutes ago, Purpleroses said:

So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock each one to create "Unexpected Network Protocol" IDS exception?

Sorry. I forgot to mention that when you click on "Unblock" in the screen you show, it will only create an IDS exception for that given IP address shown.

Just click on one of the blocked communication events shown to create the IDS exception. Then besides editing the "Direction" to "Both" in the created IDS exception as previously posted, remove the IP address reference in the exception. In other words, the field should be blank. This will result in the IDS exception applying to all inbound and outbound traffic from the device.

Below is a screen shot of how the IDS exception should appear after all editing is completed:

Eset_Exception.thumb.png.16487a0c0a81ecbf83531107a6f9453e.png

Edited by itman

Thank you itman for the advice, it worked like a charm. But is it safe to do this and does Marcos think it is alright to do this also? Plus it is not putting my computer at risk for creating a rule to IDS exception?

