
Windows TCP/IP nightmare!

 
Old 23 August 2001, 01:24 PM
  #1  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Here's one for all you broadband users out there...

I've got Telewest BlueYonder at home, with a Linksys router connecting a couple of PCs to their Cable modem.

All was working swimmingly until recently, now I have a problem with one of the PCs. I will try and explain as concisely as I can.

The scenario is two PCs (A & B) both running Windows 2000 Professional connected using DHCP to the router, allocated 192.168.1.100 and 192.168.1.101 (the default Linksys config).

Both can access the internet through the browser, and PC A works fine in all respects. The problem is PC B, there seems to be a small networking problem that doesn't knacker internet access, but does stop some bits working.

MSN Msgr (which I use to initiate Netmeetings) won't connect from PC B, though it does on PC A, and I can't PING the router or PC A from PC B.

I can ping the router from PC A but can't ping PC B. It seems as though some traffic from PC B (specifically PING and MSN) is not getting through, but HTTP is. All traffic from PC A gets through.

This means that I also can't access the file systems on PC A from PC B or vice versa.

I completely re-installed firstly just the networking components, which had no effect.

Then I reinstalled Win2K on PC B, this made it work for a short time, but it has since reverted to its previous (mis)behaviour.

Help!! Please!!

TIA,

Alex
Old 23 August 2001, 01:48 PM
  #2  
dowser
Scooby Senior
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

What are the subnet masks you're using on the PCs (they should be the same)? Don't know the Linksys, is it a router with hub ports in it and a spare ethernet for a cable modem?

If it is, and the PCs are plugged into the hub ports, then the two PCs should be able to ping each other no problem (even without router-modem connection in place).....unless the hub's a switch and VLANs have been configured somehow? Or is PC B running a personal firewall?

Are you sure you can get to the Internet from PC B (ie; not loading page from local cache)?

Try borrowing a mini-hub and two spare cables - hard-code the above addresses using a 255.255.255.0 mask. You should be able to ping between the PC's.

Weird

Richard
Old 23 August 2001, 02:05 PM
  #3  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Richard,

I agree it is totally weird behaviour - hence me being completely stumped!

The subnet masks on both PCs are 255.255.255.0 (allocated to the PCs by the router via DHCP and reported when I type ipconfig)

I've tried disconnecting the Cable modem to no avail. As I say, I think it's a Windows networking problem on PC B as a re-install temporarily fixed it until I rebooted.

I can definitely get to the net from both PCs, it's not a browser cached page.

No personal firewalls running - don't bother with them anymore since installing the router.

I completely don't understand why I can't PING, I would have thought that if Net access worked, then PING must do.

Alex


Old 23 August 2001, 02:15 PM
  #4  
dowser
Scooby Senior
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Alex

I can only guess it's a trojan on PC B. Compare a 'netstat' command on both PC's to see what ports are in operation. Also confirm routing entries from the command prompt (netstat -r will also show persistent routes....ie; added by someone manually).

If the above checks out, best would be a sniffer - see if the arp request is hitting the LAN in both directions.

Have fun

Richard
Old 23 August 2001, 02:34 PM
  #5  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Richard,

Thanks, will try the netstats when I get home.

So basically, correct me if I'm wrong, from cold boot up of both machines, if I do a netstat and netstat -r on each I should get no connections listed?

If there are connections, and there is a trojan on the PC, what do I do?
Old 23 August 2001, 03:07 PM
  #6  
dowser
Scooby Senior
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Sorry Alex - typed before thinking

It could be a trojan that's done the damage. But if it is, it's self executing (I assume nothing from the outside is allowed in to PC A & B - only outgoing connections allowed?) and may not be active all the time.

If it's poorly written you might see it listening...but you'd need to know what port from many. netstat -a will show listening, but inactive, ports.

Best bet is to start with the netstat -r. Having a persistent route manually added pointing all traffic destined for 192.168.1.0/24 to somewhere incorrect would cause your problems. Compare it with the working box.

Maybe compare the netstat -a commands from both boxes too.

If this shows nothing irregular, borrow a mini-hub and new cables to try.

If it's still stuffed....dunno'! Try comparing registry entries or NIC/winsock type file sizes between the two PCs? Can PC B ping its own address? Or 127.0.0.1?

(edited to say a X-over cable is probably quicker than a mini-hub/new cables)

Richard

[This message has been edited by dowser (edited 23 August 2001).]
Old 23 August 2001, 10:01 PM
  #7  
Chris L
Scooby Regular
 
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Just a thought Alex

You've said that the two addresses are 192.168.100 and .101 What is the default gateway address of the router?? Normally this would be .100 and any PC's using DHCP would be allocated from .101 upwards.

Have you also tried assigning static IP addresses to each of the PCs rather than letting them be allocated by DHCP? Just a thought in case the Linksys box is playing up.

On a separate note, putting my security consultant hat on for a moment - you've said that you have removed the personal firewalls now that you've got a router. A router is no substitute for a firewall... Stick Zonealarm on your PC's - it's free and won't harm the communication between your PCs and the router / Internet.

Cheers
Chris
Old 24 August 2001, 08:08 AM
  #8  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Thanks for all this guys,

More questions:

Richard - if it is a trojan, surely it would have spread to PC A as well?

Yes, only outgoing connections are permitted from A & B. I'll try replacing the hub or using a cross over cable, and try pinging localhost IP address.

I still don't think it is the kit or the NICs because PC B is set up as a dual boot with WinME and that works fine.

I think it is a Windows 2000 networking software/drivers issue. I can completely disconnect the Cable Modem as if I was just implementing a 2 PC LAN and get identical behaviour.

Chris - the router gateway address is 192.168.1.1 (again the linksys default, I've not changed it).

I've tried setting all addresses static instead of using DHCP to no avail.

Correct me if I am wrong, but this device I have works as a firewall as well - as it does NAT between the internet and internal IP addresses I thought I didn't need to run Zonealarm.

Clearly I can run it if required, just seems extra resource overhead on each PC and it interferes with MSN Msgr & Netmeeting so I have to turn it off when using them anyway.

Bl**dy computers eh?


Alex
Old 24 August 2001, 11:29 AM
  #9  
dowser
Scooby Senior
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Hi Alex

If you've a trojan, it was most likely via email or some dodgy software you've downloaded. Running something on PC B that's not on A?

I'd say check the netstat -r statement. You could replicate your exact problem with the following command on PC B;

route add <ip-pc-a> <192.168.1.109 - or any unused address on the same segment> (-p will make it last between reboots)

This will stop you being able to ping PC A, and vice-versa. Everything else will be OK.

I used to get users who'd p*ssed me off to run this as part of something else to wipe out a particular node on a LAN (proxy server for internet access). Amazing how long it takes to trace sometimes.

(edited to add that Chris is right - if you've a trojan, Zone Alarm would have picked up something trying to do something on an unusual port by now. The f/w capabilities of the router don't protect you against malicious email...but then ZA doesn't protect you from a hijacked http session either)

Richard

[This message has been edited by dowser (edited 24 August 2001).]
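
The routing-table comparison suggested in this thread, as an added example that is not part of the original posts: it parses `netstat -r` output and flags any route for a LAN destination whose gateway is another host rather than on-link. The sample output is constructed for PC B (192.168.1.101), and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: `netstat -r` output for PC B in the classic Windows
# layout, including a host route that sends PC A's traffic to an unused address.
PC_B_NETSTAT_R = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101       1
    192.168.1.100  255.255.255.255    192.168.1.109   192.168.1.101       1
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1       1
Default Gateway:       192.168.1.1
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    192.168.1.100  255.255.255.255    192.168.1.109       1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACTIVE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+\d+\s*$")
PERSISTENT = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+\d+\s*$")

def parse_routes(text):
    """Return (active, persistent) lists of (network, gateway, interface)."""
    active, persistent = [], []
    for line in text.splitlines():
        if m := ACTIVE.match(line):
            dest, mask, gw, iface = m.groups()
            active.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
        elif m := PERSISTENT.match(line):
            dest, mask, gw = m.groups()
            persistent.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, None))
    return active, persistent

def suspicious_routes(text, lan="192.168.1.0/24"):
    """Flag routes to LAN destinations that go via another host, not on-link."""
    lan_net = ipaddress.ip_network(lan)
    active, persistent = parse_routes(text)
    findings = []
    for net, gw, iface in active:
        # On-link routes use the NIC's own address (or loopback) as gateway.
        on_link = gw in (iface, "127.0.0.1")
        if net.subnet_of(lan_net) and not on_link:
            saved = any(p[0] == net and p[1] == gw for p in persistent)
            findings.append((str(net), gw, "persistent" if saved else "active"))
    return findings

if __name__ == "__main__":
    for dest, gw, kind in suspicious_routes(PC_B_NETSTAT_R):
        print(f"{kind} route {dest} via {gw} bypasses on-link delivery")
```

Running the same check on the output from the working PC gives a baseline: a healthy two-PC LAN behind the router should produce no findings.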
Old 24 August 2001, 02:05 PM
  #10  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

OK, I'm convinced

Will turn ZoneAlarm on again on both PCs and try your suggestions tonight / over the weekend.

Thanks for all the help.

Will let you know what I find out, if anything!!


Alex
Old 24 August 2001, 04:47 PM
  #11  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Richard

Something else I just realised I should have said that may be important. It relates to the error I get when pinging.

Instead of the usual Request Timed Out times four messages that you get when you can't ping something, I am getting "PING transmit failed, error code 65" messages

Don't know if this is significant,

Going home now to check the netstats

Alex
Old 25 August 2001, 07:45 AM
  #12  
dowser
Scooby Senior
 
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Alex

Scrub all the above and read the below;
Old 25 August 2001, 04:56 PM
  #13  
BigGT3Fan
Scooby Regular
Thread Starter
 
Join Date: Jul 2001
Posts: 464

Richard,

Brilliant. Thanks mate.

Permitting access across ZoneAlarm for PING and the other programs sorted it. Even though ZoneAlarm wasn't running (from the startup group) it was obviously blocking stuff.

Alex
All times are GMT +1.