kernel32.dll sending udp packets
Results 1 to 6 of 6

Thread: kernel32.dll sending udp packets

  1. #1
    Member
    Join Date
    May 2003
    Posts
    83

    Question kernel32.dll sending udp packets

    os:winme
    Kernel32.dll sending packets- pls help
    Firewall( sygate perssonal firewall)

    File name – kernel32.dll sending udp packets via port 137.139.138.with gui rules (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP )
    As a solution I remove the bios service . but now am getting udp packets toward 137.138.139.68 ports
    I tied blocking that rules by doing this
    Rules: (GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP(
    Action: block this traffic
    Hosts : all
    Appliction : all [ internet explorer- included ]- pressing ok 4 saving that.

    Result :
    First I get this informtion alert frome the firewall [ appliction Win32 kernel core component
    has been blocked,file namekernel32.dll

    When I run the browser –IE- I get a firewall-informtion alert[ appliction internet explore has
    been blocked, file name iexplore.exe
    When I checkd the running appliction log :
    Appliction : internet explore.exe
    Protocol: udp
    Status : listen
    Local port : 1149
    Remot port : nothin here
    Ip address: 127.0.0.1->0.0.0.0
    Process: 4293025521
    Appliction path C:\ program files\ internet explore\ IEXPLORE.EXE.

    some rules which are records in the trafic log
    -------1--------
    rule: Block all
    application name: nothing here
    source port : 68
    source IP : 0.0.0.0 ( sorce port and source ip indication to my pc port and my ip )
    desttination host : 255.255.255.255
    source port : 67
    direction: incoming
    protocol: udp
    action : blocked
    -------2-------
    rule: allow non-first fragment ( 1st time seeing this rule since I use sygate firewall)
    application name: nothing here
    source port : 0
    source IP : x.x.x.x ( its not my ip)
    desttination host : x.x.x.255( the 1st 3 parts belong to the network that my pc connect to
    source port : 0
    direction: incoming
    protocol: udp
    action : allowed

    --------3---------
    rule: GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
    application name: nothing here
    source port : 137
    source IP : x.x.x.x( ip belonge to the network…etc)
    desttination host : x.x.x.255 ( same ip in no (2)
    source port : 137
    direction: incoming
    protocol: udp
    action : blocked
    when I allow the hall trafic ( both incoming \outgoing)one of the rule is
    rule: allow all ( i allow it)
    application name:C:\windows\system\kernel32.dll
    source port : 68
    source IP : 0.0.0.0
    desttination host : 255.255.255.255
    desttination port : 67
    direction: incoming
    protocol: udp
    action : outgoing
    --
    I need ur help in:
    Is that traffics ( udp packets) normal?( I saw that packets sent by the kernel32.dll in many diffrient pcs.
    blocking kernel32.dll.how?
    What if I dellet the file kernel32.dll?
    what is this rule about(allow non-first fragment)?
    Ips ( 0.0.0.0,255.255.255.255) when try to add a rule 4 blocking those ip .firewall alert its notcorrect ips, so why they seen in the firewall traffic log ?
    I copy and past the rules from the firewall log avoiding the mistakes.
    Sorry 4 the caps and thanx n advance.

    coolcamel

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: kernel32.dll sending udp packets

    Originally posted here by coolcamel
    What if I dellet the file kernel32.dll?
    Your system will never boot again.

    If you are worried about this kind of (outbound) traffic unbind NetBIOS from your external inferface. Or, if you really don't need file/printer sharing, stop and disable the server service.

    Getting requests from the Internet to these ports is considered 'normal' traffic. Just block them on your firewall.

    0.0.0.0 and 255.255.255.255 are special addresses. 0.0.0.0 means your own ip on that interface and 255.255.255.255 is the broadcast address.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I assume you are in windows 95/98/ME (because Windows NT/2000/XP does not have a kernel32.dll process)

    kernel32.dll sending udp packets via port 137 - 139
    It does that all the time. That is the Windows netbios name service, or network browser, or mailslot API or something else.

    It is normal, and cannot easily be stopped (maybe removing Windows File Sharing and Client for Microsoft Networks), and nothing to worry about.

    What if I dellet the file kernel32.dll?
    That is not advisable. It is a core component and I am certain that Windows would fail to boot very early on without it.

    what is this rule about(allow non-first fragment)?
    I think it allows applications to recieve broadcast packets. This is normally necessary for correct operation, and not a big security risk because few protocols use broadcasts, and they cannot be routed over the internet (Unless something is *really* wrong)

    Ips ( 0.0.0.0,255.255.255.255) when try to add a rule 4 blocking those ip .firewall alert its notcorrect ips, so why they seen in the firewall traffic log ?
    Neither of them is a "real" IP address. They might be used in DHCP requests though, hence you might see them.

    Those are not a problem because they are also non-routable. Don't block them, they are non-routable anyway.

  4. #4
    Member
    Join Date
    Feb 2002
    Posts
    99
    are you behind something thats using NAT? If so you **may** have a trojan.

    I had one on my computer a month back that as far as I could tell was designed as a device driver. Basically it would accept the API's of ALL running apps, and let through a select few so everything would *seem* normal and even hijacked a few. I put a rule in my firewall blocking ALL traffic to and from 0.0.0.0 then I started getting hits from all over the internet coming to my box. I inspected my Netgear MR314's web based admin console and found that somebody had set my computer to the default DMZ server. I'm not an expert at this by any means, but I would suggest you try to block all traffic, sit back, and watch your logs. You may be surprised at what you find, then again, you may find nothing. Hope this helps.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    ALL traffic to and from 0.0.0.0
    Any Ip packet which is travelling around with 0.0.0.0 as a source or destination address should be dropped by the next router. If it has all 0s as the destination address, it can forget being routed anywhere anyway.

    Routers on the internet are supposed to drop any packet if they have unroutable source or dest addresses - which usually means either they're private (10.*, 192.168 etc), loopback (127.*) or invalid (all 0s, or all 255s)

    I don't understand how you can report packets with these nonexistent IPs on them.

  6. #6
    Member
    Join Date
    May 2003
    Posts
    83

    its really helped

    thanx for ur time and ur replies.

    coolcamel

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •