
Appears it has something to do with IPv6 HTTPS to Microsoft direct or delegated servers. However, I have received the "Incorrect Ethernet Packet" block when doing some testing in regards to DNS checking on other sites. So the problem might have an Eset SSL protocol scanning element to it. Normal browser connections are completely unaffected by the issue for the most part.


Edited by itman
Popular Posts

I am also having this issue and now I am unable to share files on the network.  This occurred after the most recent windows 10 update on 4-9-19.

Unblocking these "Incorrect ethernet packet" errors (and there were many, DNS, DHCP, Microsoft Publication Service (there were multiple of these), and Akamai) the network file share works, but they ar

Disabling Network Attack Protections (IDS) on the PC being accessed has addressed the issue of accessing the fileshare quickly and allowing access to the app hosting machine (screenshot reflects my PC


Kurt, I do not think it has anything to do with IPv6.  I disabled it as part of my troubleshooting and it made no difference.

Also, my issue was  purely from pc to pc - accessing a folder on another  pc. My issue seems somewhat simpler than  some of the others mentioned here.

Edited by Joliet_tech

Think I found a temporary solution until Eset has a fix for this.

Create an IDS "Unexpected Network Protocol" exception with no IP address specified and everything else set to "No." Note: "Direction" in the rule must be set to "Both." 

Initial test was to connect to Win Store and no Network log entries were generated. Although security-wise this is not an ideal solution, it is far better than totally disabling IDS protection.


I am also starting to lean toward Port 0 usage by Microsoft as the possible culprit.

This would not be the first instance I had in that regard using Eset. I believe in ver. 11, Eset changed something in this regard. My ISP for reasons beyond me does ICMPv6 pinging against my router; probably for connectivity purposes. My Win firewall event log was expanding at a phenomenal rate from block activity related to this. That plus Eset's firewall wizard showed the same phenomenal counts. I resolved this one by just creating firewall rules to allow the activity for the IPv6 IP addresses involved.

Edited by itman
46 minutes ago, Marcos said:

Please somebody provide network protection advanced log as I requested earlier in this topic.

Attached are my complete diagnostic logs, hoping they can be somewhat useful. Note that this particular PC does not have the issues that caused me to visit this discussion (but I am also having the problematic errors with "incorrect ethernet packages")!

 

The reason for my visit: certain PCs from some customers of ours had issues accessing files on a network share (the share itself showed up, but accessing files was either painfully slow or caused the application to stop responding entirely). There are quite some differences between the networks and PC setups between the 3 "problematic cases" I have to deal with here, so I am not going into detail right now (but if you need to know anything specific, please ask away!).

I do not have logfiles from the customer PC(s) in question - they're currently trying to work on those machines - but I do have remote access and can collect logfiles and so on after business hours when necessary or helpful! :)

Diagnostics.zip

On 4/11/2019 at 6:28 AM, Kurt said:
On 4/10/2019 at 11:06 AM, Kurt said:

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

Once again

 

On 4/11/2019 at 2:02 AM, Marcos said:

If possible, please provide logs generated as follows. Until then we cannot carry on and check what is causing the error:

- enable advanced logging under Help and support -> Details for technical support
- reboot Windows
- reproduce the error
- stop logging
- gather logs with ESET Log Collector and provide the generated archive.

 

On 4/11/2019 at 6:26 AM, Kurt said:

again, how is this done?  What is the log file name?  Your instructions do not properly  allow me to generate what you are looking for.

Please provide better instructions on how to provide the log files you are looking for.

 

11 hours ago, Joliet_tech said:

Can you shine some light on your Port 0 usage comment? I am unaware of this in any regard. What is Port 0 or what does it refer to?

https://www.lifewire.com/port-0-in-tcp-and-udp-818145

Whereas the article states ISPs routinely block it, there is nothing to stop the ISP from using it as noted, to ping its own issued routers.

37 minutes ago, Kurt said:

I need guidance what disabling the IDS affects and what is my risk if I leave it disabled. 

Did you try my prior posted workaround? I haven't received a Network log entry since implementing it.

I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.

13 minutes ago, itman said:

I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.

Problem is much worse than initially thought.

A check for Win Update status via Win 10 System Settings will trigger the "Unexpected Network Protocol" detection. The app though not shown is svchost.exe - windows update service, I believe.


So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.

  • Administrators
19 minutes ago, Purpleroses said:

So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.

Not sure what you mean by blocking unknown devices. Do you have advanced logging turned off and logging verbosity set to informative (default) and not to "diagnostic"? What kind of records are being created in your firewall log?

26 minutes ago, Purpleroses said:

So if I don't make any changes to rules etc.  Is it alright just to leave it  blocking unknown devices?  My computer is not at risk with this continuing  to block unknown devices?  I will just have tons of logs in my network protection.

As I stated previously, if your network perimeter is protected with a router that is stateful and employs NAT, DoS, and other like protections, Eset's protections in regards to unknown protocol detection are redundant.

Edited by itman

Time to get things into a broader perspective.

Avast users on Win 7 are getting boot blue screens "up the wazoo" after the last cumulative update. Avira user systems have "slowed to a crawl" on both Win 7 and 10 after last cumulative update with symptoms similar to that reported in this thread.

Perhaps Microsoft has implemented its "hardball" strategy against third party AV vendors? 


What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs. So if I don't change any rules etc then I should be alright? I posted an image also.

EsetForum.PNG

3 minutes ago, Purpleroses said:

What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs. 

If you click on the "Unblock" tab, Eset will create an  "Unexpected Network Protocol" IDS exception.

The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .

37 minutes ago, itman said:

If you click on the "Unblock" tab, Eset will create an  "Unexpected Network Protocol" IDS exception.

The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .

So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock each one to create "Unexpected Network Protocol" IDS exception?

21 minutes ago, Purpleroses said:

So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock each one to create "Unexpected Network Protocol" IDS exception?

Sorry. I forgot to mention that when you click on "Unblock" in the screen you show, it will only create an IDS exception for that given IP address shown.

Just click on one of the blocked communication events shown to create the IDS exception. Then besides editing the "Direction" to "Both" in the created IDS exception as previously posted, remove the IP address reference in the exception. In other words, the field should be blank. This will result in the IDS exception applying to all inbound and outbound traffic from the device.

Below is a screen shot of how the IDS exception should appear after all editing is completed:

[Screenshot: Eset_Exception]

Edited by itman

Thank you itman for the advice, it worked like a charm. But is it safe to do this and does Marcos think it is alright to do this also? Plus it is not putting my computer at risk for creating a rule to IDS exception?
