-1

We have a machine controller running Microchip firmware that has worked 100% with Linux computers for 14 years via LAN (eth0). We now have a requirement to run it using Windows 7. Unfortunately, Windows sends out a whole heap of gratuitous requests on a regular basis. Eventually these crash the microcontroller. I've been through the loop of disabling LLMNR, IGMP, SSDP, Routing, IPv6, ARP & NBT-NS. That helped but did not solve it. If I could stop the svchost requests it would help, since the ARP requests don't seem to be an issue.

EDIT: svchost disabled :o)) "Disable Active Internet Probing (NCSI) in Windows"

Frame       Time Date                               Time Offset          Process Name            Source                       Destination              Protocol     Description
1   10:59:48 14/08/2017 12.3275999                          NetmonFilter    NetmonFilter:Updated Capture Filter: None   
2   10:59:48 14/08/2017 12.3275999                          NetworkInfoEx   NetworkInfoEx:Network info for , Network Adapter Count = 1  
3   10:59:48 14/08/2017 12.3275999          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6  
4   10:59:48 14/08/2017 12.3282422          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
5   10:59:49 14/08/2017 12.4985887          0.0.0.0     192.168.1.20     ARP    ARP:Request, 0.0.0.0 asks for 192.168.1.20  
6   10:59:49 14/08/2017 12.4986781          192.168.1.20    224.0.0.22      IGMP    IGMP:IGMPv3 Membership Report   {IPv4:1}
7   10:59:49 14/08/2017 12.4992127          192.168.1.6 0.0.0.0     ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
8   10:59:49 14/08/2017 12.9986822          192.168.1.20    224.0.0.22      IGMP    IGMP:IGMPv3 Membership Report   {IPv4:1}
9   10:59:50 14/08/2017 13.4986212          0.0.0.0     192.168.1.20    ARP ARP:Request, 0.0.0.0 asks for 192.168.1.20  
10  10:59:50 14/08/2017 13.4992550          192.168.1.6 0.0.0.0     ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
11  10:59:51 14/08/2017 14.4986969          0.0.0.0     192.168.1.20    ARP ARP:Request, 0.0.0.0 asks for 192.168.1.20  
12  10:59:51 14/08/2017 14.4994162          92.168.1.6      0.0.0.0     ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
13  10:59:52 14/08/2017 15.5147308          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6  
14  10:59:52 14/08/2017 15.5153513          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
15  10:59:52 14/08/2017 15.5396148          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6  
16  10:59:52 14/08/2017 15.5402584          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
17  10:59:52 14/08/2017 15.5528560          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6  
18  10:59:52 14/08/2017 15.5535065          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
19  10:59:56 14/08/2017 19.5214914  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:Flags=......S., SrcPort=54230, DstPort=HTTP(80), PayloadLen=0, Seq=4050891366, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192  {TCP:3, IPv4:2}
20  10:59:56 14/08/2017 19.5223390  svchost.exe 88.221.254.123  192.168.1.20    TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=54230, PayloadLen=0, Seq=0, Ack=4050891367, Win=4096 ( Scale factor not supported ) = 4096    {TCP:3, IPv4:2}
21  10:59:56 14/08/2017 19.5223857  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:Flags=...A...., SrcPort=54230, DstPort=HTTP(80), PayloadLen=0, Seq=4050891367, Ack=1, Win=17520 (scale factor 0x0) = 17520  {TCP:3, IPv4:2}
22  10:59:56 14/08/2017 19.5226940  svchost.exe 192.168.1.20    88.221.254.123  HTTP    HTTP:Request, GET /ncsi.txt     {HTTP:4, TCP:3, IPv4:2}
23  10:59:56 14/08/2017 19.8278302  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
24  10:59:56 14/08/2017 20.4281386  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
25  10:59:58 14/08/2017 21.6281447  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
26  10:59:59 14/08/2017 22.8281828  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
27  11:00:00 14/08/2017 24.0282154  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
28  11:00:01 14/08/2017 24.9982180          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6  
29  11:00:01 14/08/2017 24.9988881          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9  
30  11:00:02 14/08/2017 26.4282788  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
31  11:00:07 14/08/2017 31.2258517  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:[ReTransmit #22]Flags=...AP..., SrcPort=54230, DstPort=HTTP(80), PayloadLen=97, Seq=4050891367 - 4050891464, Ack=1, Win=17520 (scale factor 0x0) = 17520    {TCP:3, IPv4:2}
32  11:00:17 14/08/2017 40.8293165  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:Flags=...A.R.., SrcPort=54230, DstPort=HTTP(80), PayloadLen=0, Seq=4050891464, Ack=1, Win=0 (scale factor 0x0) = 0  {TCP:3, IPv4:2}
Ron Maupin
P.Holmes
  • 1
    Cool story, bro. Did you have a question? This looks like a statement. – joeqwerty Aug 14 '17 at 11:59
  • I will never understand why anyone would ever use Windows in critical operations and this is one example. – Rob Aug 14 '17 at 12:21
  • 1
    @Rob I will never understand why people make sweeping generalized statements about things like this, but this is yet another example... – Mark Henderson Aug 14 '17 at 13:19
  • If a microcontroller crashes because it can't handle some ARP requests, I really don't see how putting the blame on Windows is valid. – Mark Henderson Aug 14 '17 at 13:20
  • Windows has grown increasingly chatty but the _volume_ of that traffic is still quite low, so it shouldn't hurt. However, Rob does have a point - I would definitely separate Windows boxes and production equipment into different network segments. – Zac67 Aug 14 '17 at 13:25

1 Answer

1

Generally, a network device should cope with gratuitous traffic, but there are various approaches other than trying to shut down that traffic on the clients. The client approach is time-consuming and prone to requiring further interventions when anything changes. The network approaches target the source of the problem (the machine controller) and are permanent:

  1. Put the device on a network (segment) of its own. This will cleanly eliminate all broadcast traffic. You can also very easily limit access to the device by a filtering router/firewall. The new network segment/subnet can be a dedicated router port, a switch connected to the router port or a VLAN.

  2. Put the device on a switch capable of using ACLs and filter all unwanted traffic on the port level. Most probably, you'll want to allow just a few source IP or MAC addresses and drop all others.

  3. Some switches support a "protected port" feature where you can restrict the port of the machine controller to communicate only with the port(s) required.

Zac67
  • That's some aggressive response guys. joeqwerty - OK, yes. Is a question, how to disable all this spurious traffic. – P.Holmes Aug 14 '17 at 15:53
  • Rob, I clearly didn't use basic enough language for you. The microcontroller has its OS in firmware - there are not a few around the world so upgrading isn't pragmatic. Why Windows? $$s, that's why. @Zac67 - nice idea and it's certainly worth looking at but not sure my networking experience is up to it. Thanks for the constructive pointers. – P.Holmes Aug 14 '17 at 16:00
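
A dry run of the allowlist from option 2 of the answer against rows of the capture in the question, as an added example that is not part of the original posts. It assumes 192.168.1.6 is the controller and 192.168.1.20 is the only permitted peer; the function names are hypothetical, and the sample rows are copied from the question with two descriptions shortened.

```python
import re
from collections import Counter

# Sample input: rows copied from the Network Monitor capture in the question
# (descriptions of frames 19 and 22 shortened).
CAPTURE = """\
3   10:59:48 14/08/2017 12.3275999          192.168.1.20    192.168.1.6 ARP ARP:Request, 192.168.1.20 asks for 192.168.1.6
4   10:59:48 14/08/2017 12.3282422          192.168.1.6 192.168.1.20    ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9
5   10:59:49 14/08/2017 12.4985887          0.0.0.0     192.168.1.20     ARP    ARP:Request, 0.0.0.0 asks for 192.168.1.20
6   10:59:49 14/08/2017 12.4986781          192.168.1.20    224.0.0.22      IGMP    IGMP:IGMPv3 Membership Report   {IPv4:1}
7   10:59:49 14/08/2017 12.4992127          192.168.1.6 0.0.0.0     ARP ARP:Response, 192.168.1.6 at 00-04-A3-00-A9-F9
19  10:59:56 14/08/2017 19.5214914  svchost.exe 192.168.1.20    88.221.254.123  TCP TCP:Flags=......S., SrcPort=54230, DstPort=HTTP(80)
22  10:59:56 14/08/2017 19.5226940  svchost.exe 192.168.1.20    88.221.254.123  HTTP    HTTP:Request, GET /ncsi.txt
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    r"^(?P<frame>\d+)\s+\S+\s+\S+\s+[\d.]+\s+"   # frame, time, date, time offset
    r"(?:(?P<proc>\S+\.exe)\s+)?"                 # process name (often empty)
    rf"(?P<src>{IP})\s+(?P<dst>{IP})\s+(?P<proto>\S+)\s+(?P<desc>.*)$"
)

def parse(text):
    """Yield one dict per frame row; rows without addresses are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()

def acl_verdict(row, controller, allowed_peers):
    """Permit only frames exchanged between the controller and an allowed peer."""
    pair = {row["src"], row["dst"]}
    peer = pair - {controller}
    if controller in pair and len(peer) == 1 and peer <= allowed_peers:
        return "permit"
    return "drop"

def dry_run(text, controller="192.168.1.6", allowed_peers=("192.168.1.20",)):
    """Count frames per (verdict, process, protocol) for a capture export."""
    summary = Counter()
    for row in parse(text):
        verdict = acl_verdict(row, controller, set(allowed_peers))
        summary[(verdict, row["proc"] or "-", row["proto"])] += 1
    return summary

if __name__ == "__main__":
    for (verdict, proc, proto), n in sorted(dry_run(CAPTURE).items()):
        print(f"{verdict:6} {proc:12} {proto:5} {n}")
```

Network Monitor lists ARP frames by their sender and target IP addresses; on the wire ARP requests are broadcasts, so a MAC-based port ACL has to permit them from the allowed host explicitly.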