TechSpot

Fragmented IP Packets?

By TimeParadoX
Aug 16, 2007
  1. My Comodo Firewall keeps getting High Severity Alerts about fake TCP packets or Fragment IP Packets. My firewall blocks them all, but is it something I should be worried about or is it OK?

    If it happens again (I usually delete the alerts it says) I'll give a screenshot of it.
     
  2. BlameCanada

    BlameCanada TS Rookie Posts: 320

    I have Comodo and don't get those alerts. That doesn't answer your question, but is relevant. I think Comodo is a bit too bothersome, even so.
     
  3. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    Well it's not alerts but it's an "Alert Event" in the Comodo UI, like it doesn't pop up

    It's probably just some kid who learned how to make TCP/IP Packets and trying to send it around :haha:

    OK, here are the alerts that happen:

    [IMG]

    If you notice they are both from the same Source ( I deleted the destination so you don't know my IP ;) )
     
  4. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    You shouldn't worry about this. Most likely someone has adjusted their MTU.
    Actually, dropping fragments may make your network connections unreliable - dropped packets mean lost data that has to be resent (and may be dropped again).

    Did you look up the source IP of this dropped packet? It's from fpsgameservers.com
    Do you play there?
     
  5. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    Yeah I played on FPSGameservers.com servers a few times on CS but that's about it

    Ok well now I keep getting these alerts:

    [IMG]

    In the desc. they say the port is used for the BackDoors.

    I got about 60 of them already, I usually delete them once they appear. Also they are all from the same IP address
     
  6. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Again, check the source IP address. Which machine on your LAN has 192.168.1.101?

    The destination address is a broadcast address, meaning "send to everyone". The 1.101 machine is probably doing some sort of discovery.

    Yes, it could be malware looking for peers, but it may as well be a game looking for a server or whatever. The answer lies in the machine with the source address.
     
  7. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    None of my computers have .101 at the end, Nodsu

    And I haven't played any CS for awhile so I don't think it would be a game server
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What antivirus programme are you running? It wouldn't happen to be Kaspersky, would it?

    Regards Howard :)
     
  9. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    No Howard, it's AVG :D
     
  10. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Well, that packet had to come from somewhere. You can find out the MAC address of the sending device by running "arp -a" at Windows command line (right after receiving the alert).

    Maybe someone is piggybacking your wifi?
     
  11. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    [IMG]

    That's what came up Nodsu

    Also when I rebooted today my COMODO firewall was on Allow-All and my internet firewall was Disabled, I put the firewall to Block-all and turned off my internet and ran for scans and all that, nothing found so it was probably just something that happened on boot...


    That is possible, my neighbor used my internet before I got some security on my router (my mom didn't think it was necessary till I showed her a video about how people WarDrive your wifi and use it for stuff)


    Also is it normal to have way more packets received than sent?

    [IMG]
     
  12. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    The ARP cache didn't show the 1.101 address probably because it was too long since the last communication. You could try pinging that address and then try arp -a again.

    Yes, usually you download much more data than you upload and you don't always acknowledge the arrived packets one by one.
     
  13. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    Here Nodsu, I pinged it and it appeared

    [IMG]

    I didn't know if I should include the port number
     
  14. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Type the following code into the Windows command line on all the computers in your network:
    Code:
    ipconfig /all
    Check the resulting physical address against the physical address for 192.168.111.101. I think that it's possible for one computer to have two mapped IP addresses; it seemed to happen in my network once.
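
An added example, not part of any poster's reply: the `arp -a` and `ipconfig /all` comparison suggested above, done in Python over constructed sample output. Everything except the address 192.168.1.101 (MAC addresses, host names, the other IP addresses) is made up for the illustration.

```python
import re

# Constructed sample of "arp -a" output (not taken from the thread's screenshots).
ARP_OUTPUT = """
Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.101         00-aa-bb-cc-dd-02     dynamic
"""

# Constructed "ipconfig /all" excerpts, one per machine that was checked.
IPCONFIG_BY_HOST = {
    "my-pc": """
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-01
        IP Address. . . . . . . . . . . . : 192.168.1.100
""",
    "sister-pc": """
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-02
        IP Address. . . . . . . . . . . . : 192.168.1.102
""",
}

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"

def arp_table(text):
    """Map IP address -> lower-cased MAC from 'arp -a' output."""
    rows = re.findall(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(" + MAC + r")\s", text, re.M)
    return {ip: mac.lower() for ip, mac in rows}

def host_macs(ipconfig_text):
    """Every adapter MAC listed in one machine's 'ipconfig /all' output."""
    found = re.findall(r"Physical Address[ .]*:\s*(" + MAC + r")", ipconfig_text)
    return {mac.lower() for mac in found}

def identify(ip, arp_text, ipconfig_by_host):
    """Return (mac, host); host is None when no checked machine owns the MAC."""
    mac = arp_table(arp_text).get(ip)
    if mac is None:
        return None, None  # entry aged out: ping the address, rerun arp -a
    for host, text in ipconfig_by_host.items():
        if mac in host_macs(text):
            return mac, host
    return mac, None  # unknown device: compare against the router's client list

if __name__ == "__main__":
    for addr in ("192.168.1.101", "192.168.1.1", "192.168.1.50"):
        print(addr, identify(addr, ARP_OUTPUT, IPCONFIG_BY_HOST))
```

In the sample data the .101 address resolves to a MAC that `ipconfig /all` lists on a machine configured as .102, the "one computer with two mapped IP addresses" case; a MAC that matches no checked machine points to a device still to be found.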
     
  15. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    Well I checked mine and my sister's computer, the front computer is so bad and full of useless crap I couldn't even get to the CMD without it crashing to BSOD :haha:

    I don't see how this happened to begin with, last week it didn't get these alerts every 2 seconds, I think it started happening when I reformatted my computer and reinstalled my wireless PCI card
     
  16. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Have you tried updating the wireless card's drivers?
     
  17. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    Do I download a new firmware for the Router or the wireless card drivers? (I can't find the drivers for the card)
     
  18. jobeard

    jobeard TS Ambassador Posts: 9,334   +622

    you should ALWAYS drop fragmented packets -- these are often used to reassemble
    data used to breach your firewall rules. Any system sending packets too large
    will be adjusted automatically to fit your MTU size, so it's a normal condition.
    I set my MTU to 1492 by intent to avoid fragmentation of the stupid 1500 default value.
    In a dial-up connection, the MTU is best set at a minimum 496 anyway --
    so just think how many sites have to readjust values for those users!
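
An added example, not part of any poster's reply: how a firewall or receiver recognises an IPv4 fragment from the header's flags and fragment-offset fields, and how a 1500-byte datagram splits on a link with the 1492 MTU mentioned in the thread. The addresses and identifier in `make_header` are constructed, and `fragment_plan` assumes the Don't Fragment bit is clear.

```python
import struct

def parse_frag_fields(header: bytes):
    """Extract the fragmentation fields from an IPv4 header (first 20 bytes)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_off = struct.unpack("!HHH", header[2:8])
    df = bool(flags_off & 0x4000)          # Don't Fragment
    mf = bool(flags_off & 0x2000)          # More Fragments
    offset = (flags_off & 0x1FFF) * 8      # field counts 8-byte units
    return {"id": ident, "total_len": total_len, "df": df, "mf": mf,
            "offset": offset, "is_fragment": mf or offset > 0}

def fragment_plan(total_len: int, mtu: int, ihl: int = 20):
    """List (offset, payload_len, more_fragments) for a datagram sent over
    a link with the given MTU. Assumes DF is clear and no IP options."""
    payload = total_len - ihl
    if total_len <= mtu:
        return [(0, payload, False)]
    step = (mtu - ihl) // 8 * 8            # non-final fragments are multiples of 8
    plan, off = [], 0
    while off < payload:
        size = min(step, payload - off)
        plan.append((off, size, off + size < payload))
        off += size
    return plan

def make_header(total_len, ident, mf, offset_bytes):
    """Build a constructed 20-byte IPv4/UDP header (checksum left at zero)."""
    flags_off = (0x2000 if mf else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 168, 1, 100]))

if __name__ == "__main__":
    for off, size, more in fragment_plan(1500, 1492):
        hdr = make_header(size + 20, 0x1234, more, off)
        print(parse_frag_fields(hdr))
```

The second fragment carries only 8 bytes of payload at offset 1472 and no transport header, which is why a filter that sees it alone cannot match it against port-based rules.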
     
  19. TimeParadoX

    TimeParadoX TS Rookie Topic Starter Posts: 2,273

    How would I change the MTU of the firewall to 1492?
     
  20. jobeard

    jobeard TS Ambassador Posts: 9,334   +622

    Depends on mfg/model, but it's on the config --- somewhere.
     