That remote MAC address is a D-Link product. Who makes your router? Look
at its MACs and see if one matches.
NDISUIO: you might want to right-click it, choose Properties and see who
wrote that file. I think you'll see it is a Microsoft file and the installed date
is probably the date you or the manufacturer loaded Windows.
You really should find yourself a Sygate forum.
"Susan" <miraweb@nihongo.org> wrote in message
news:1i08n2w088rn7$.1ntr15vcvg8h4.dlg@40tude.net...
> How do I interpret this Sygate Personal Firewall traffic log?
>
> Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After
> googling for the keywords, I'm *still* almost as confused as I was before.
> The googling showed that the incoming requests are from something called a
> Wireless Zero Configuration (yes, I am using a wireless card on Windows
> XP). My basic home network has a NAT router and only one WinXP computer
> which is set up to be wireless.
>
> What confuses me is the Sygate Personal Firewall blocked traffic log shows
> certain patterns, namely that these NDIS User Mode IO driver requests come
> from a variety of "Remote Host" IP addresses & a variety of "Remote Port"
> and "Local Port" addresses but always with the same "Remote MAC". I'm
> having trouble making any sense of this data.
>
> A typical blocked traffic log line (out of hundreds daily) would be:
>
> Action = Blocked (note it always reports blocked)
> Severity = 10 (the severity is always the same)
> Direction = Incoming (the direction is always the same)
> Protocol = UDP (most are UDP but many are ICMP if that matters)
> Remote Host = 196.206.235.196 (many different IP addresses are found)
> Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)
> Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
> Local Host = 192.168.0.10 (only a few ip addresses show up here)
> Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
> Local Port = 15744 (other ports show up eg 2049, 1032, 137, 138, etc)
> Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always same)
>
> Searching the registry I see NDIS Usermode I/O Protocol is found in
> HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others)
>
> Based on my googling, this ndisuio.sys file seems it might be related to
> the Nortel Extranet Access Protocol which reminded me that years ago a
> Nortel VPN program was installed but there is no vestige of it in the
> Windows XP Add and Remove Programs or in the Program Files directory so it
> must have been deleted long ago.
>
> A reverse IP search of each of the suspect addresses doesn't tell me much.
> http://ws.arin.net/whois/?queryinput=196.206.235.196 search
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096, Amsterdam, 1001EB, NL
>
> What confuses me the most is that the googling says ndisuio.sys is for
> wireless and it should not be blocked but I see no ill effects when I set
> my Sygate Personal Firewall to automatically block it. The Windows XP
> machine and the wireless networking seem to be working just fine even with
> all these requests blocked.
>
> Can someone help me understand what the purpose of this driver is and how
> to stop it from making incoming requests hundreds of times a day?
>
> Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and
> related lines in the Windows registry?
>
> Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?
>
> I'd prefer to understand at least a little bit about what's going on before
> getting itchy fingers to delete the registry and file. Any ideas?
Received on Mon May 1 00:51:32 2006
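An added example, not code from the thread or from Sygate, showing how to read entries like the ones above mechanically. It parses a constructed sample laid out in the same "Field = value" form the poster used, groups entries by remote MAC, and flags the one property that explains the puzzling pattern: an Ethernet frame can only carry the MAC of a device on the local segment, so when a single MAC fronts several addresses outside the LAN it is the router's LAN interface forwarding those packets, which is why "Remote MAC" never changes while "Remote Host" does. It also separates entries addressed to the broadcast MAC and labels the well-known ports the post mentions. The LAN prefix (192.168.0.0/24) and the one-entry OUI table (00-80-C8, the D-Link prefix the reply refers to) are assumptions, and the sample entries are constructed, not a real Sygate export.

```python
# Added example: triage of Sygate Personal Firewall blocked-traffic entries.
# SAMPLE_LOG is constructed in the "Field = value" layout of the post
# (the constant fields Action/Severity/Direction/Application are omitted).
import ipaddress
from collections import defaultdict

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: the poster's subnet

# Assumption: one-entry OUI table. 00-80-C8 is the D-Link prefix the reply
# points at; a real triage would consult the IEEE OUI registry.
OUI_VENDORS = {"00-80-C8": "D-Link"}

# Well-known assignments for ports named in the post.
PORT_NAMES = {53: "DNS", 137: "NetBIOS name service",
              138: "NetBIOS datagram service",
              1900: "SSDP (UPnP discovery)", 2049: "NFS"}

# Constructed sample; one blank line separates entries. Not a real export.
SAMPLE_LOG = """
Protocol = UDP
Remote Host = 196.206.235.196
Remote MAC = 00-80-C8-A0-43-9B
Remote Port = 63875
Local Host = 192.168.0.10
Local MAC = 00-0D-60-34-5A-23
Local Port = 15744

Protocol = UDP
Remote Host = 192.168.0.1
Remote MAC = 00-80-C8-A0-43-9B
Remote Port = 137
Local Host = 192.168.0.255
Local MAC = FF-FF-FF-FF-FF-FF
Local Port = 137

Protocol = ICMP
Remote Host = 198.51.100.23
Remote MAC = 00-80-C8-A0-43-9B
Local Host = 192.168.0.10
Local MAC = 00-0D-60-34-5A-23
"""


def parse_log(text):
    """Split on blank lines, then each 'Key = value' line into a dict."""
    entries = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if " = " in line:
                key, value = line.split(" = ", 1)
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries


def vendor_of(mac):
    """Vendor from the first three octets (the OUI) of a MAC address."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown OUI")


def port_name(port):
    return PORT_NAMES.get(port, f"port {port}")


def analyse(entries):
    """Per remote MAC: how many distinct remote IPs sit behind it.

    A frame only carries the MAC of a device on the local segment, so a
    MAC fronting several off-subnet addresses is the router forwarding
    them, not the remote hosts themselves.
    """
    hosts_by_mac = defaultdict(set)
    for e in entries:
        hosts_by_mac[e["Remote MAC"]].add(e["Remote Host"])
    report = {}
    for mac, hosts in hosts_by_mac.items():
        off_subnet = [h for h in hosts if ipaddress.ip_address(h) not in LAN]
        report[mac] = {
            "vendor": vendor_of(mac),
            "distinct_remote_hosts": len(hosts),
            "off_subnet_hosts": len(off_subnet),
            "is_gateway_candidate": len(off_subnet) >= 2,
        }
    return report


def broadcast_entries(entries):
    """Entries sent to the broadcast MAC: LAN chatter every host on the
    segment receives, not traffic aimed at this machine in particular."""
    return [e for e in entries if e["Local MAC"].upper() == BROADCAST_MAC]


def describe(e):
    """One-line summary with port names; ICMP entries carry no ports."""
    if e["Protocol"] == "ICMP":
        return f"ICMP from {e['Remote Host']} via {e['Remote MAC']}"
    rp, lp = int(e["Remote Port"]), int(e["Local Port"])
    return (f"{e['Protocol']} {e['Remote Host']}:{rp} ({port_name(rp)}) -> "
            f"{e['Local Host']}:{lp} ({port_name(lp)})")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for mac, info in analyse(entries).items():
        print(mac, info)
    for e in entries:
        print(("[broadcast] " if e in broadcast_entries(entries) else "") + describe(e))
```

Run against a real export, the `is_gateway_candidate` flag together with the OUI lookup answers the reply's "who makes your router" question: compare the vendor against the label on the router, and check that the flagged MAC matches the router's LAN-side MAC. Entries with the broadcast local MAC (137/138 NetBIOS, 1900 SSDP) are ordinary LAN chatter that every host on the segment sees.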