Please help interpret Sygate Personal Firewall traffic log (ndisuio.sys)

Susan

How do I interpret this Sygate Personal Firewall traffic log?

Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After
googling for the keywords, I'm *still* almost as confused as I was before.
The googling showed that the incoming requests are from something called a
wireless zero configuration (yes, I am using a wireless card on Windows
XP). My basic home network has a NAT router and only one WinXP computer
which is set up to be wireless.

What confuses me is the Sygate Personal Firewall blocked traffic log shows
certain patterns, namely that these NDIS User Mode IO driver requests come
from a variety of "Remote Host" IP addresses & a variety of "Remote Port"
and "Local Port" addresses but always with the same "Remote MAC". I'm
having trouble making any sense of this data.

A typical blocked traffic log line (out of hundreds daily) would be:

Action = Blocked (note it always reports blocked)
Severity = 10 (the severity is always the same)
Direction = Incoming (the direction is always the same)
Protocol = UDP (most are UDP but many are ICMP if that matters)
Remote Host = 196.206.235.196 (many different IP addresses are found)
Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)
Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
Local Host = 192.168.0.10 (only a few ip addresses show up here)
Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
Local Port = 15744 (other ports show up eg 2049, 1032, 137, 138, etc)
Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always same)

Searching the registry I see NDIS Usermode I/O Protocol is found in
HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others)

Based on my googling, this ndisuio.sys file seems it might be related to
the Nortel Extranet Access Protocol which reminded me that years ago a
Nortel VPN program was installed but there is no vestige of it in the
Windows XP Add and Remove Programs or in the Program Files directory so it
must have been deleted long ago.

A reverse IP search of each of the suspect addresses doesn't tell me much.
http://ws.arin.net/whois/?queryinput=196.206.235.196 search
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096, Amsterdam, 1001EB, NL

What confuses me the most is that the googling says ndisuio.sys is for
wireless and it should not be blocked but I see no ill effects when I set
my Sygate Personal Firewall to automatically block it. The Windows XP
machine and the wireless networking seem to be working just fine even with
all these requests blocked.

Can someone help me understand what the purpose of this driver is and how
to stop it from making incoming requests hundreds of times a day?

Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and
related lines in the Windows registry?

Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?

I'd prefer to understand at least a little bit about what's going on before
getting itchy fingers to delete the registry and file. Any ideas?
 
Susan

I don't understand why you're getting into a panic over this thing?
There is obviously no foreign address connected to that port.

I was trying to understand what my WinXP PC is doing with respect to
security issues.

To you, an expert, it's "obvious" that there is no foreign address
connected to that port - but to me, a social worker, it wasn't obvious at
all that an IP address of 0.0.0.0 actually referred to any network interface
on my machine that had the TCP/IP protocol stack bound to it (thanks to
experts Dom & Volker Birk & Eirik Seim).

The good news is we blocked port 1900 & 445 respectively by modifying:
HKLM\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP\UPnPMode
HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName

But, while these steps may be obvious to all you experts, they are not
anywhere near obvious to me - so I much appreciate the help!

Now when I run netstat, TCP/IP ports 1900 & 445 are no longer listening!
c:\> netstat -abn | find "1900"
c:\> netstat -abn | find "445"

I wish I knew how to block ports using just the Sygate Personal Firewall or
the Dlink NAT router because then one method would work for all ports
instead of finding the cryptic (to me) registry key that kills the port.

I'll try to keep looking, asking, answering, and learning!
Susan
 
Susan

Yes to those, assuming the windows networking protocol (whatever
it's called, been a long day...) is bound to the interfaces.
What it means is that it's listening to every network interface
that has a suitable (TCP/IP) protocol stack associated with it.

Thank you for the explanation of 0.0.0.0:0 (it sure was confusing to me
that something that looked like a blank IP address actually referred to a
network interface).

Now that I've eliminated dozens of services and closed up a few ports by
judicious (if cryptic) modifications of the Windows XP registry (see thread
above for details), and even eliminated the eacfilt.sys problem which
nobody on the Internet who had that problem seems to have accomplished
according to the google record, I am sorry to say I am *still* left with
trying to better understand the original issue which combines three things:
- Port 1900
- ndisuio.sys
- UPnP

Even though I turned off port 1900 and UPnP, I still see:

NDIS User mode I/O driver (ndisuio.sys) has received a Multicast packet
from the remote machine [192.168.0.10]. Do you want to allow this program
to access the network?

File Version : 5.1.2600.2180
File Description : NDIS User mode I/O Driver (ndisuio.sys)
File Path : C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Connection origin : remote initiated
Protocol : UDP
Local Address : 239.255.255.250
Local Port : 1900 (SSDP - Simple Service Discovery Protocol)
Remote Name :
Remote Address : 192.168.0.10
Remote Port : 1900
Ethernet packet details:
Ethernet II (Packet Length: 294)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-80-c8-a0-43-9b
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 127
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x3a5c (Correct)
Source: 192.168.0.10
Destination: 239.255.255.250
User Datagram Protocol
Source port: 1900
Destination port: 1900
Length: 8
Checksum: 0x26bc (Correct)
Data (260 Bytes)

Binary dump of the packet:
0000: FF FF FF FF FF FF 00 80 : C8 A0 43 9B 08 00 45 00 | ..........i...E.
0010: 01 18 2D F7 00 00 7F 11 : 5C 3A C0 A8 00 01 EF FF | ..-.....\:......
0020: FF FA 07 6C 07 6C 01 04 : BC 26 4E 4F 54 49 46 59 | ...l.l...&NOTIFY
0030: 20 2A 20 48 54 54 50 2F : 31 2E 31 0D 0A 48 4F 53 | * HTTP/1.1..HOS
0040: 54 3A 32 33 39 2E 32 35 : 35 2E 32 35 35 2E 32 35 | T:239.255.255.25
0050: 30 3A 31 39 30 30 0D 0A : 43 41 43 48 45 2D 43 4F | 0:1900..CACHE-CO
0060: 4E 54 52 4F 4C 3A 6D 61 : 78 2D 61 67 65 3D 31 32 | NTROL:max-age=12
0070: 30 0D 0A 4C 4F 43 41 54 : 49 4F 4E 3A 68 74 74 70 | 0..LOCATION:http
0080: 3A 2F 2F 31 39 32 2E 31 : 36 38 2E 30 2E 41 3A 35 | :/192.168.0.10:5
0090: 36 37 38 2F 69 67 64 2E : 78 6D 6C 0D 0A 4E 54 3A | 678/igd.xml..NT:
00A0: 75 70 6E 70 3A 72 6F 6F : 74 64 65 76 69 63 65 0D | upnp:rootdevice.
00B0: 0A 4E 54 53 3A 73 73 64 : 70 3A 61 6C 69 76 65 0D | .NTS:ssdp:alive.
00C0: 0A 53 45 52 56 45 52 3A : 45 6D 62 65 64 64 65 64 | .SERVER:Embedded
00D0: 20 55 50 6E 50 2F 31 2E : 30 0D 0A 55 53 4E 3A 75 | UPnP/1.0..USN:u
00E0: 75 69 64 3A 75 70 6E 70 : 2D 49 6E 74 65 72 6E 65 | uid:upnp-Interne
00F0: 74 47 61 74 65 77 61 79 : 44 65 76 69 63 65 2D 31 | tGatewayDevice-1
0100: 5F 30 2D 31 32 33 34 35 : 36 37 38 39 30 30 30 30 | _0-1234567890000
0110: 31 3A 3A 75 70 6E 70 3A : 72 6F 6F 74 64 65 76 69 | 1::upnp:rootdevi
0120: 63 65 0D 0A 0D 0A : | ce....

I can't delete ndisuio.sys (I tried, it just comes back).
I block these requests automatically in Sygate Personal Firewall.

But, what is all that stuff in this log above trying to tell me?

And, is there a way to block this stuff at the Dlink NAT router so it never
even gets to my Windows XP PC?

Less confused than when I started but still confused a bit,
Susan
 
