
·
Registered
Joined
·
264 Posts
Discussion Starter · #1 · (Edited)
3 Desktops all running Windows XP SP3
2 of them are HP Pavilions, mine is custom built with ASUS mobo

I've been through 6 different routers of 3 different brands and styles, because it SEEMS like a router issue but it simply cannot be after that many replacements.

Usually we have these 3 IP addy's:
192.168.1.2
192.168.1.3
192.168.1.4

When everything is fine, the default gateway is 192.168.1.1

At random moments ranging from an hour to a week, one of the computers will suddenly have a new default gateway. It is usually something strange and last time it was 15.14.56.1

NOTE: This can happen on any one of the PCs, seemingly at random.

When this happens the PC with the bad gateway cannot access the internet, but can ping all other computers on the network at <1ms each. However, if you ping it from another PC on the network it's a bit high like 10-13ms

The way I "fix" it is by doing 'ipconfig /release' on each machine, unplugging all cables from the router, power cycling the router and connecting 1 PC at a time in the order of which we need internet access the most. (because sometimes only 2 can connect)

This problem does not occur when only 2 PCs are connected to the router.

I have disabled wireless for the purposes of troubleshooting and it still happens.

I have heard of this problem with Vista specifically, and in that case there is a registry fix related to DHCP / router interactions. I have not heard of it with XP.

Also, please note this can happen at ANY time. Since it doesn't just happen when turning 1 machine on/off or release/new or plug/unplug cables that may rule out some simpler issues.
 

·
Global Moderator
Electronic Design
Joined
·
52,021 Posts
This is like nothing I've ever heard of for Vista, or any other version of Windows.


Please supply the following info, exact make and models of the equipment please.

Name of your ISP (Internet Service Provider).
Make and exact model of the broadband modem.
Make and exact model and hardware version of the router (if a separate unit).
Model numbers can usually be obtained from the label on the device.
Connection type, wired or wireless.
If wireless, encryption used, (none, WEP, WPA, or WPA2)
Version and patch level of Windows on all affected machines, i.e. XP (Home or Pro), SP1-SP2-SP3, Vista (Home, Business, Ultimate), etc.
The Internet Browser in use, IE, Firefox, Opera, etc.




Please give an exact description of your problem symptoms, including the exact text of any error messages.



  • If you're using a wireless connection, have you tried a direct connection with a cable to see if that changes the symptoms?
  • For wireless issues, have you disabled all encryption on the router to see if you can connect that way?
  • Have you connected directly to the broadband modem to see if this is a router or modem/ISP issue?
  • If there are other computers on the same network, are they experiencing the same issue, or do they function normally?




For the computer with the "strange" gateway, then again after restarting and fixing the issue, from the same computer, please post this.



Hold the Windows key and press R, then type CMD (COMMAND for W98/WME) to open a command prompt:

Type the following commands on separate lines, following each one with the Enter key:

PING 206.190.60.37

PING yahoo.com

NBTSTAT -n

IPCONFIG /ALL

Right click in the command window and choose Select All, then hit Enter.
Paste the results in a message here.

If you are on a machine with no network connection, use a floppy, USB disk, or a CD-RW disk to transfer a text file with the information to allow pasting it here.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #3 ·
ISP: Timewarner
SBV5222 Surfboard Digital Voice Modem by Motorola
Netgear WGR614 v7 router (wireless disabled to troubleshoot, still happens)

You can safely rule out the router & modem imo, I tried 3 modem/router combos from them and then insisted on separate devices so they gave us a standalone modem and I have tried 2 routers with it, this Netgear they gave and a Dynex from Best Buy.

I use firefox, but much of my troubleshooting is spent tooling around in the command prompt so I don't think the browser needs to be considered either.

Next time this happens I will get the nbtstat & etc. info you requested. By the way, what is the difference between NETSTAT and NBSTAT? I had never heard of NBSTAT before your post.
 

·
Registered
Joined
·
240 Posts
Do you have any HP devices on your LAN, like a printer or an all-in-one?

The IP address 15.14.56.1 is in the hp.com address space. There could be some UPnP setting mixup that an HP device is redirecting the router gateway address.

To confirm the router is getting changed, the quick fix is to turn off UPnP on the router. And probably just for good measure, change the admin password needed to log into the router.

If the change occurs again, then log into the router, and see what the router says it has for a gateway address.

If the change seems to have been fixed, then there are some configuration changes to make in your HP device. Assuming that you have one.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #5 ·
@grue155 You are the 2nd person to suggest that, but no there are only the 2 HP Pavilions. I have a Canon printer that is offline most of the time and that's it as far as printers in the household. *edit* I take that back, I just noticed that 3 different printers are showing on one of the workgroup computers, and 1 printer on another computer even though there are no physical printers there. This is very strange, worth looking into, and likely the source of our problem.

@johnwill

*edit* Look at the reply above to grue, I just discovered some very useful information I think.

Tonight I had a Pentium II on the network via CAT-5 to demo its amazing web browsing abilities to a buyer *grin*. I tried to get my PC online via a USB wireless card (only 1 ethernet jack in the room) so that I'd have Skype access on my PC while demoing the vintage PC. I was unable to get it to /renew, I had to use the wireless networks GUI and it would take a very long time (like a minute) then it would always get the bad gateway even after like 5 tries so I gave up.

All that was to set up the fact that the logs I am about to show you are atypical. Usually only the gateway is bad but for some reason even after powercycling the router and re-disabling the wireless I also was getting fake IP addresses.

Also, I was following your instructions from memory so you'll see I ran way more nbtstat commands than you requested just to cover all the bases. Sorry for the wall of text.

My PC
Code:
Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.7
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>ipconfig/release

Windows IP Configuration

No operation can be performed on Local Area Connection 5 while it has its media
disconnected.

Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Media State . . . . . . . . . . . : Media disconnected

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>ping www.yahoo.com
Ping request could not find host www.yahoo.com. Please check the name and try ag
ain.

D:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : JOE
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI
Gigabit Ethernet Controller
        Physical Address. . . . . . . . . : 00-13-D4-7B-6F-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 15.14.56.181
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 69.42.88.21
                                            69.42.88.22
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:21:53 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:21:53 PM

D:\Documents and Settings\Administrator>nbstat
'nbstat' is not recognized as an internal or external command,
operable program or batch file.

D:\Documents and Settings\Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


D:\Documents and Settings\Administrator>nbtstat -a

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []


Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


D:\Documents and Settings\Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 0
    Resolved By Name Server   = 0

    Registered By Broadcast   = 31
    Registered By Name Server = 0

D:\Documents and Settings\Administrator>nbtstat -c

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No names in cache

D:\Documents and Settings\Administrator>nbtstat -n

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    JOE            <00>  UNIQUE      Registered
    JOE            <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered
    MSHOME         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

D:\Documents and Settings\Administrator>nbtstat -S

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No Connections

D:\Documents and Settings\Administrator>nbtstat -s

Local Area Connection 5:
Node IpAddress: [15.14.56.181] Scope Id: []

    No Connections

D:\Documents and Settings\Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

D:\Documents and Settings\Administrator>
Roommate #1
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : your-4dacd0ea75
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-18-F3-E7-8D-25
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 85.255.112.174
                                            85.255.112.71
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:26:29 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:26:29 PM

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Bluetooth Device (Personal Area Netw
ork)
        Physical Address. . . . . . . . . : 00-0D-3A-A7-E1-F3

C:\Documents and Settings\HP_Administrator>nbtstat -c

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No names in cache

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\Documents and Settings\HP_Administrator>nbtstat -n

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    YOUR-4DACD0EA75<00>  UNIQUE      Registered
    YOUR-4DACD0EA75<20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered
    MSHOME         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\Documents and Settings\HP_Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 912
    Resolved By Name Server   = 0

    Registered By Broadcast   = 142
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           JMULLINS
           JMULLINS
           JMULLINS
           JMULLINS       <00>
           JOE
           JOE
           JMULLINS
           JOE            <00>

C:\Documents and Settings\HP_Administrator>nbtstat -s

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No Connections

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -S

Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    No Connections

Bluetooth Network Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

C:\Documents and Settings\HP_Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


C:\Documents and Settings\HP_Administrator>nbtstat -RR
    The NetBIOS names registered by this computer have been refreshed.


C:\Documents and Settings\HP_Administrator>

C:\Documents and Settings\HP_Administrator>
Roommate #2
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Administrator>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : jmullins
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-18-F3-37-76-F5
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1
        DHCP Server . . . . . . . . . . . : 15.14.56.1
        DNS Servers . . . . . . . . . . . : 69.42.88.21
                                            69.42.88.22
        Lease Obtained. . . . . . . . . . : Sunday, May 17, 2009 10:26:29 PM
        Lease Expires . . . . . . . . . . : Sunday, May 17, 2009 11:26:29 PM

C:\Documents and Settings\HP_Administrator>nbtstat -c

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    YOUR-4DACD0EA75<20>  UNIQUE          192.168.1.5         602

C:\Documents and Settings\HP_Administrator>nbtstat -n

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    JMULLINS       <00>  UNIQUE      Registered
    JMULLINS       <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    MSHOME         <1E>  GROUP       Registered

C:\Documents and Settings\HP_Administrator>nbtstat -s

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -S

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    No Connections

C:\Documents and Settings\HP_Administrator>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 39
    Resolved By Name Server   = 0

    Registered By Broadcast   = 38
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           YOUR-4DACD0EA75<00>
           JOE
           JOE            <00>
           JOE
           JOE
           JOE
           JOE            <00>
           JOE

C:\Documents and Settings\HP_Administrator>nbtstat -R
    Successful purge and preload of the NBT Remote Cache Name Table.

C:\Documents and Settings\HP_Administrator>nbtstat -RR
    Failed Release and Refresh of Registered names
    Please retry after 2 minutes

C:\Documents and Settings\HP_Administrator>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
 addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refr
esh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.


C:\Documents and Settings\HP_Administrator>time
The current time is: 22:38:58.14
Enter the new time:

C:\Documents and Settings\HP_Administrator>date
The current date is: Sun 05/17/2009
Enter the new date: (mm-dd-yy)

C:\Documents and Settings\HP_Administrator>
 

·
Registered
Joined
·
240 Posts
A question then, what does the router think is the default gateway? That may be on its status screen, or you may have to log into the router to find out.

Edit: Another question. The next time this happens, run this from a command prompt on the PC with the bad gateway:
Code:
netstat -ano
and post the output from netstat here.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #7 · (Edited)
I've deleted a total of 6 devices listed in printers & faxes that didn't physically exist. I fully expect the problem to be fixed now, but only time will tell. :) Thanks to everyone that contributed.

I don't see "default gateway" on the router page but here's what I got:

Code:
Internet Port
MAC Address 	00:18:4D:7D:45:B9
IP Address 	76.187.124.70
DHCP 	DHCPClient
IP Subnet Mask 	255.255.240.0
Domain Name Server
	24.93.41.127
24.93.41.128
 
LAN Port
MAC Address 	00:18:4D:7D:45:B8
IP Address 	192.168.1.1
DHCP 	ON
IP Subnet Mask 	255.255.255.0
 

·
Registered
Joined
·
240 Posts
Looks like we may have cross posted. See my edited post above for a netstat query.

I've done a quick eyeball on the Netgear router. It looks like the gateway detail is on the Connection Status page in the Maintenance category.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #9 · (Edited)
It looks like the issue is still here, I enabled the wireless again and my roommate's iPhone got this crap:

IP Address 15.14.56.99
Subnet Mask 255.255.248.0
Router 15.14.56.1

****!

Anyways, here is the info from my router:

IP Address 76.187.124.70
Subnet Mask 255.255.240.0
Default Gateway 76.187.112.1
DHCP Server 10.7.192.1
DNS Server 24.93.41.127
24.93.41.128
Lease Obtained 0 days,17 hrs,52 minutes
Lease Expires 0 days,17 hrs,43 minutes

I will do netstat -ano when it happens on a PC
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #10 ·
I decided to break it on purpose, what I did was just released my ip and renewed it. In order to fix it so I could post this I had to release it again, unplug a roommates PC, and powercycle the router, renew on mine.

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Documents and Settings\Administrator>ipconfig/release

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

D:\Documents and Settings\Administrator>ipconfig/renew

Windows IP Configuration


Ethernet adapter Local Area Connection 5:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 15.14.56.1

D:\Documents and Settings\Administrator>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21692          0.0.0.0:0              LISTENING       1128
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1316
  TCP    127.0.0.1:1099         127.0.0.1:1100         ESTABLISHED     3180
  TCP    127.0.0.1:1100         127.0.0.1:1099         ESTABLISHED     3180
  TCP    127.0.0.1:1101         127.0.0.1:1102         ESTABLISHED     3180
  TCP    127.0.0.1:1102         127.0.0.1:1101         ESTABLISHED     3180
  TCP    192.168.1.4:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:443            *:*                                    1128
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    820
  UDP    0.0.0.0:4500           *:*                                    820
  UDP    0.0.0.0:21692          *:*                                    1128
  UDP    127.0.0.1:123          *:*                                    1068
  UDP    127.0.0.1:1026         *:*                                    1128
  UDP    127.0.0.1:1900         *:*                                    1344
  UDP    127.0.0.1:2019         *:*                                    1068
  UDP    127.0.0.1:2021         *:*                                    1068
  UDP    192.168.1.4:123        *:*                                    1068
  UDP    192.168.1.4:137        *:*                                    4
  UDP    192.168.1.4:138        *:*                                    4
  UDP    192.168.1.4:1900       *:*                                    1344
  UDP    192.168.1.4:2018       *:*                                    1068

D:\Documents and Settings\Administrator>
 

·
Registered
Joined
·
240 Posts
Definitely not a problem with your router. It looks more like a second DHCP server on your LAN that is giving out bad addresses.

To find out, it's going to be necessary to look at the packets on your LAN. But to do that, we first need to stabilize one of your PCs so it can reliably get stuff from the Internet. That means giving that PC a static IP address.

Click Start -> Control Panel, and then open Network Connections. On your wired LAN connection, right click to get to properties. Then highlight Internet Protocol, and click Properties. Choose "Use the following address", and fill in the usual LAN address of that PC (like 192.168.1.2, for example). The subnet mask is 255.255.255.0, and the gateway is 192.168.1.1, which is your router. It'd be a good idea to also set the DNS server addresses to match what the router is using: 24.93.41.127 and 24.93.41.128.

That PC should now be able to get to the Internet with no problem.

Now to get some tools: download the network monitor Wireshark, from www.wireshark.org.

When you have installed Wireshark, it's time to do a packet capture. To do that, on the toolbar at the top, select Capture -> Interfaces, choose your wired LAN connection, and click start. Wireshark will now show you what is going on with your LAN traffic.

DHCP traffic is made up of UDP packets using ports 67 and 68. I'm expecting that you will see a bunch of these. Even if you don't, the traffic that Wireshark is recording may be useful.

Collect a few thousand packets (which may be a few seconds to a few minutes, depending). Then stop the capture, on the toolbar Capture -> Stop.

Save the capture data, File -> SaveAs, some filename with the default pcap file format. Since the forum won't allow pcap files to be posted, you'll have to zip the file, then post the zip. I'll look at the capture file, and see what sense I can make of it.

I'm well past the end of my day here, so I'll have to do any followup tomorrow.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #12 ·
First off let me commend you on your efforts. This is quite possibly the best service I've ever received in any support forum, anywhere, ever. I have also learned a lot, and want to learn more. I sat staring at the packets coming in trying to decipher it all, and some of it made sense; a lot of it did not. Like conspiracy? Googling conspiracy + wireshark didn't even show an answer in the first few hits.

If you have the time to explain what you were looking for in NBTSTAT and how you use the pcap file as well I would appreciate it. I just started a pc repair business on craigslist and it's networking issues I have problems with the most. Especially Vista as I think it is a hunk of crap and don't use it personally. This really is my personal network though, I wouldn't feel comfortable having you work on something I was getting paid for by a customer. (well I guess not uncomfortable if you were fine with it, but I'd imagine at some point you would feel used and lose interest in helping me)

At any rate, this is an excellent opportunity for me to expand my techguy knowledge.

Back to the topic at hand though, something strange just happened. I went to release/renew on another PC that was not running wireshark to ensure that the problem happened during packet capture but it did not. This could be because 1 of the 3 PCs was set to static ip and that alone is enough to fix my problem. (I've never had my issue when only 2 PCs were connected to the router)

Another strange bit, I went to set it back to dynamic ip but it acts as if it were never changed. What I mean is it was already set to dynamic and I'm sure it was the same exact place where I had set it to static. I tried to release and it said "not allowable in this state" as you would expect from a static setup.

So... to sum up what I'm getting at here. The pcap file may not even have what you need within it. I was unable to force the problem to occur as I intended to help you help me. And... now I have this other strange problem with having a static ip that I can't change. (unless it fixes itself after a reboot)

The good news is though you may be right about setting up a static network as the easiest solution. One of my roommates does have quite a lot of wireless stuff and friends that bring over their devices though, I'm sure he'd be very annoyed if we went that route. Not to mention I have no clue how to set an iPhone or similar to have a static IP and yet still able to pick up some quick wi-fi at Starbuck's or wherever.
 

·
Registered
Joined
·
240 Posts
I got the capture file. Thank you. You have a busy LAN there :smile:. It's going to take me a little while to go thru the detail. Just to confirm, you made the capture on the PC at 192.168.1.3. I'm presuming the iPhone was at 1.5, and another PC is active at 1.4. Those are the assumptions I made when I was doing the quick eyeball check on the capture.

Re your LAN, an alternative to setting up a static network is to set up a double-router configuration. You may have enough hardware on hand to do that. You keep your present Internet router. But each PC gets its own private router, and that private router is what connects to your existing Internet router. As a diagram, it looks like this:

   Internet
      |
Netgear router
      |
      +----- router ----- PC1
      |
      +----- router ----- PC2
      |
      +----- router ----- PC3

What this does, is isolate the PCs from each other, and each gets to keep dynamic addressing as provided by their own private router. That may isolate the immediate problem also. If it does, then there is a good chance that at least one of the PCs has a malware infection that is hosting a rogue DHCP server. A simpler check is to have one PC turned off, and see if the problem disappears, which you've already kind of mentioned, just not in those terms.

Netstat is a TCP/IP tool that reports which ports are open, and the connection status. NBTstat is the Netbios version of Netstat, and reports information about what Windows networking is doing. The information in those reports puts some meaning behind the connections (what process, app is running, etc etc) to say "does this make sense?" The pcap capture file gives the same network information, in down-to-the-bit detail, but no application process details. The tools combined give mutual context, like a really big cross reference.

If you want some conspiracy reading, I'll point you to two fairly recent SANS postings about rogue DHCP servers. One here, and one here. Both of these describe DNS server changes, but other variants play games with gateway addresses. Based on things so far, I can't tell if there is simply a misconfiguration, or a more serious problem. Digging into the capture file may tell more. :grin:
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #15 ·
The two articles you linked are interesting and informative, but I think you misunderstood what I meant by conspiracy. That was listed in the description of some of the packets: "conspiracy". Just an example of one of the things I didn't get. I was able to find out what ACK is, but didn't see anything about this.

I don't have the extra hardware to easily set up the configuration you suggested, so I think static IPs will be my choice if you can't solve the DHCP problem.
 

·
Registered
Joined
·
240 Posts
Yup, my misunderstanding. Nature of the dayjob, keeping all the boxes reasonably secure. Well, kind of. So far. :grin:

Static addressing will work, but it isn't really a solution, as whatever the cause of the problem is still there, and may come back to bite in other ways. But, as a step to getting the problem fixed, then static is a way to go.

I've looked thru the capture file, and have a few items for you.

First, machine 1.3 seems to have some problem computing TCP packet checksums. Wireshark displays these packets in a black line, and the capture file has a lot of black, as you probably noticed. The thing to check is the ethernet port configuration options. It's back to the Network Connections page, and the LAN connection properties. Next to the hardware description there is a Configure button. Click the button, and you'll get to driver properties. On the Advanced tab, usually, there is a list of driver specific properties. One of these will say something like "Checksum Offload". Whatever value it has now needs to be the opposite of what it is. It is probably marked as enabled, and needs to be disabled. Then Wireshark will show green lines in place of black lines, and be a whole lot easier to read.

Second. I don't know if this is relevant or not, but machine 1.3 has an Internet accessible server at TCP port 21692. Not very much traffic either, and the packets are small, in the 40 to 50 byte range. Wireshark doesn't recognize the packet type, and that is unusual. If you know what this is, fine and it's not something to dig into. If you don't know what this is, then it's going to be pick-and-shovel time.

Third. To me, this is unusual, but I don't deal that much with Windows networking, so this could be in realm of normal, as Microsoft considers normal. Machines 1.2 and 1.3 are logging into each other at about 12 minute intervals, and installing printers (I think) or otherwise checking print queues and checking domain definitions. Example in the capture is frames 123 thru 142 (machine 1.3 talking to 1.2), and frames 102 to 120 (machine 1.3 talking to machine 1.4)

To see the Windows networking traffic a bit more clearly, I used this filter in Wireshark:
Code:
ip.addr == 192.168.1.2/24 and tcp and not ( tcp.port == 80 or tcp.port == 443 )
I'm hoping that this is simply some printer driver configuration thing. It also probably has nothing to do with changing gateway addresses. It just strikes me as being very atypical.

A way perhaps to force that DHCP, or whatever it is, is to have Wireshark running when the iPhone comes on the LAN. Wireshark won't see the full packet exchange, but it will see the DHCP broadcast traffic and ARP exchange. That might tell some more details. Another idea is simply to reboot one of the other PCs with a capture running to get the same kind of information.
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #17 · (Edited)
1.3 is mine, and no I am not running a server as far as I know. The thing about the printers may just be normal activity when Windows "file & printer" sharing is enabled. I removed all items in "printers & faxes" from all machines except the one that actually exists which is my Canon printer.

When my roommate stumbles in from the bar here in a second, I will nab his iPhone and run wireshark before trying to connect it. Also will make sure to change that setting so there are less black lines.

*edit* is it possible the server thing you mentioned is Skype? I know it does periodic internet activity to keep my VoIP service running and address book up to date.

*edit2* I found "TCP/UDP Checksum Offload (IPv4)" and changed it from ON to OFF. What have I done? lol
 

·
Registered
Joined
·
264 Posts
Discussion Starter · #18 · (Edited)
OK here's some good bit of info. I had the iPhone grab the fake info and "forget this network" twice just for good measure. You'll see it keeps asking for the bad info over and over.

You can probably ignore packets 1000-5000 as much of this was me searching the net for how to set an iPhone to static ip, then for some reason setting the static ip didn't stick the first THREE TIMES. But now it seems to be finally working and will hopefully stick with that IP.

Do you know how I can make it so that it still joins other networks out of the house?

http://uploading.com/files/NZBFZF7C/joe7dust-2.pcap.html
 

·
Registered
Joined
·
240 Posts
Got the new capture file. And a first eyeball check is showing a DHCP server running on machine 1.2 (frame 53, 169, and 228 among others). And the DNS addresses in part of the DHCP setup belong to an ISP in New York state. In an earlier post, you said your ISP is TimeWarner. Just based on this, I'd say that machine 1.2 has a problem.

On your machine 1.3, I'd like to get a handle on what that server process is, to have some idea of what that first capture file is trying to tell me. Running "netstat -ano" from a command prompt would be the place to start.

On machine 1.2, running "netstat -ano" would be a first check to see what is running on that box.

I may have some more questions for you after I get a chance to sit back and go thru the new capture file in more detail.

And thank you for the checksum change, the screen is showing a lot more green.
 

·
Registered
Joined
·
240 Posts
I've looked thru the new capture file in a little more depth. Not really anything that much different from the earlier capture. Machine 1.3 is still showing traffic on port 21692. Use this as a filter in Wireshark to see the traffic:
Code:
tcp.port == 21692 or udp.port == 21692
The IP addresses are kind of all over the place, and are to individual users. A couple of the addresses that I checked showed them to be DSL and cable modem users. And some on the other side of the planet. I'm not familiar with the details of how Skype works, but this doesn't sound like a protocol that makes sense for that service.

And to home in on the DHCP traffic, use this filter:
Code:
udp.port == 67 or udp.port == 68
and you'll see the traffic in sequence. Looking at the timestamps, machine 1.2 is coming in about 1 millisecond ahead of the router. All it takes...

Depending on what firewalls are installed on the machines, you may be able to use firewall rules to recognize only your router as a DHCP server. If your firewall allows custom rules, and can sequence those rules in a particular order, then this will work. Windows Firewall can't do this, but Comodo and some others can.

The firewall rules are:
Code:
allow UDP in from 192.168.1.1 src-port 67 to ip-any dst-port 68
block UDP in from ip-any src-port 67 to ip-any dst-port 68
You can put these rules on machines 1.3 and 1.4 so they will listen only to the router for DHCP address assignments. That doesn't help the iPhone any, however. The alternative is static addressing. Until such time as that DHCP server in machine 1.2 gets removed.

Nope, sorry, I'm not up on iPhone configuration details. I'm still hoping to upgrade to a quill pen.
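
Added example (not part of the thread or any poster's code): a Python check that parses the DHCP replies discussed in the posts above and flags any OFFER or ACK whose server identifier, gateway or DNS servers differ from the router's. The sample payloads are constructed; the trusted values are the ones given in the thread, and 203.0.113.53 is a placeholder for the rogue DNS address, which the thread does not state.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie, follows the 236-byte BOOTP header
TRUSTED_SERVER = "192.168.1.1"   # the router in this thread (DHCP server and gateway)
TRUSTED_DNS = {"24.93.41.127", "24.93.41.128"}  # DNS servers the router hands out

def ip_list(raw):  # split an option value into dotted-quad addresses (4 bytes each)
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

def parse_options(payload):
    """Return {option code: value bytes} from a UDP port 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def check_reply(payload):
    """Findings for one DHCP OFFER (2) or ACK (5); an empty list means it looks fine."""
    opts = parse_options(payload)
    if opts.get(53, b"\x00")[:1] not in (b"\x02", b"\x05"):
        return []
    findings = []
    server = ip_list(opts.get(54, b""))             # option 54 = server identifier
    if server != [TRUSTED_SERVER]:
        findings.append("unexpected DHCP server %s" % server)
    routers = ip_list(opts.get(3, b""))             # option 3 = default gateway
    if routers and routers != [TRUSTED_SERVER]:
        findings.append("unexpected gateway %s" % routers)
    bad_dns = [d for d in ip_list(opts.get(6, b"")) if d not in TRUSTED_DNS]  # option 6
    if bad_dns:
        findings.append("unexpected DNS %s" % bad_dns)
    return findings

def build_reply(server, router, dns):
    """Constructed sample OFFER: zeroed BOOTP header plus options 53, 54, 3 and 6."""
    opt = lambda code, ips: bytes([code, 4 * len(ips)]) + b"".join(map(socket.inet_aton, ips))
    return (b"\x02" + bytes(235) + MAGIC + b"\x35\x01\x02"
            + opt(54, [server]) + opt(3, [router]) + opt(6, dns) + b"\xff")

GOOD = build_reply("192.168.1.1", "192.168.1.1", ["24.93.41.127", "24.93.41.128"])
ROGUE = build_reply("192.168.1.2", "15.14.56.1", ["203.0.113.53"])  # DNS is a placeholder
```

`check_reply` expects the UDP payload of a frame matched by the `udp.port == 67 or udp.port == 68` filter, with the Ethernet, IP and UDP headers already removed.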
 