Activity being reported on real-time blocking after the application has been closed on the target

Posted: Tue May 01, 2012 11:51 pm
by VeeDub
Hello,

I am testing out the blocking feature.

I was running eMule on my computer and WFilter correctly detected this activity and blocked it as per the policy settings.

I then closed eMule on my computer; however, the online blocking is continuing to report that eMule activity is being detected and blocked (but eMule is not running, so this cannot be correct).

This looks like a bug, or I have stuffed up the configuration somewhere.

Would appreciate advice on how to troubleshoot.

Thanks

VW

Posted: Wed May 02, 2012 2:16 am
by gengw2000
There are two possibilities:

1. Even if you have exited the eMule desktop application, it can still have background processes running for uploading/downloading. Please run "Windows Task Manager" to check your processes.

2. Some P2P programs support both UDP and TCP traffic. TCP connections will be terminated when the application is shut down. However, UDP traffic is connectionless, so remote peers will keep pushing UDP traffic even after the application is closed. This will go on for a while (several minutes), until all remote peers get "target not available" responses.
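The second possibility can be checked against a packet capture. The following is an added example, not part of the original post and not WFilter's own logic: it flags inbound UDP that keeps arriving at a local port after the host has stopped sending from it. It assumes rows exported with `tshark -r capture.pcap -Y udp -T fields -E separator=, -e frame.time_epoch -e ip.src -e udp.srcport -e ip.dst -e udp.dstport`; the file name, the sample rows, the addresses and the 10-second grace window are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not from the thread), in the column order
# frame.time_epoch, ip.src, udp.srcport, ip.dst, udp.dstport
SAMPLE = """\
100.0,192.168.1.10,4672,198.51.100.7,4672
100.5,198.51.100.7,4672,192.168.1.10,4672
101.0,192.168.1.10,4672,203.0.113.9,5000
130.0,203.0.113.9,5000,192.168.1.10,4672
190.0,198.51.100.7,4672,192.168.1.10,4672
250.0,203.0.113.20,6001,192.168.1.10,4672
251.0,192.168.1.10,53124,192.0.2.53,53
251.1,192.0.2.53,53,192.168.1.10,53124
"""

def load(text):
    """Parse CSV rows, skipping lines with missing fields."""
    return [r for r in csv.reader(io.StringIO(text)) if len(r) == 5 and all(r)]

def residual_udp(rows, local_ip, grace=10.0):
    """Per local UDP port, report inbound packets that arrive more than
    `grace` seconds after the host last sent anything from that port."""
    last_out = {}                 # local port -> time of last outbound packet
    inbound = defaultdict(list)   # local port -> [(time, remote peer)]
    for ts, src, sport, dst, dport in rows:
        ts = float(ts)
        if src == local_ip:
            last_out[int(sport)] = max(last_out.get(int(sport), ts), ts)
        elif dst == local_ip:
            inbound[int(dport)].append((ts, src))
    report = {}
    for port, pkts in inbound.items():
        sent = last_out.get(port)  # None: host never sent from this port
        late = [(ts, peer) for ts, peer in pkts if sent is None or ts > sent + grace]
        if late:
            report[port] = {
                "packets": len(late),
                "peers": sorted({peer for _, peer in late}),
                "tail_seconds": None if sent is None else max(ts for ts, _ in late) - sent,
            }
    return report

if __name__ == "__main__":
    for port, info in residual_udp(load(SAMPLE), "192.168.1.10").items():
        print(port, info)
```

A port that shows a tail of a few minutes from many peers and then goes quiet matches the residual-traffic explanation; a tail that never ends points to something on the host still listening or sending.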

Posted: Wed May 02, 2012 2:22 am
by VeeDub
gengw2000 wrote: There are two possibilities:

1. Even if you have exited the eMule desktop application, it can still have background processes running for uploading/downloading. Please run "Windows Task Manager" to check your processes.

I checked that at the time, definitely not the case.

2. Some P2P programs support both UDP and TCP traffic. TCP connections will be terminated when the application is shut down. However, UDP traffic is connectionless, so remote peers will keep pushing UDP traffic even after the application is closed. This will go on for a while (several minutes), until all remote peers get "target not available" responses.

This must be the case then.

Thanks for the clarification. I found those entries on the WFilter logs disconcerting.

Posted: Wed May 02, 2012 2:34 am
by VeeDub
Actually, I think there is a third possibility.

It looks to me as if TeamViewer (TeamViewer 7) is being identified as Edonkey,Emule and that's why I had all those entries in the logs after I had closed eMule.

Every time I switch from the Default blocking policy to High on my computer, TeamViewer stops working and I get Edonkey,Emule entries in the Real-time blocking log.

I don't want to block TeamViewer, but I do want to block unknown.

Posted: Wed May 02, 2012 2:49 am
by gengw2000
We will check this ASAP.

Posted: Wed May 02, 2012 3:26 am
by gengw2000
If you have eDonkey/eMule running, WFilter will over-block some unknown traffic.

To avoid blocking TeamViewer, please add the TeamViewer protocol to "Customize Protocols" in WFilter. Then it will not be over-blocked.

Check this blog topic: http://blog.imfirewall.us/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

Posted: Wed May 02, 2012 6:33 am
by VeeDub
gengw2000 wrote: If you have eDonkey/eMule running, WFilter will over-block some unknown traffic.

To avoid blocking TeamViewer, please add the TeamViewer protocol to "Customize Protocols" in WFilter. Then it will not be over-blocked.

Check this blog topic: http://blog.imfirewall.us/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

I made the suggested change and initially it appeared to work.

However, I recently enabled the High filtering to do some more testing of the https and TeamViewer stopped working. Once I returned to the Default policy, TeamViewer resumed working. So there is more to this.

Posted: Wed May 02, 2012 7:10 am
by gengw2000
You need to check "Real-time blocking" to get the blocking reason. Then modify your blocking policy to make it work.

Posted: Wed May 02, 2012 7:35 am
by VeeDub
It's reported as unknown (and I'm blocking unknown). So presumably I need Wireshark to run a trace. Are the instructions self-explanatory or is there a procedure that you would prefer me to follow?

Posted: Thu May 03, 2012 3:41 am
by VeeDub
I've installed Wireshark. To obtain details on the 'unknown' traffic being reported by WFilter should I just run a trace and send it to you?

Or are there some filters that I can apply?

Is it possible for me to do some of the analysis?

I ran a trace on the internal NIC for 1 minute and the size of the capture file is 800K.