How do I interpret this Sygate Personal Firewall traffic log?
Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After googling for the keywords, I'm *still* almost as confused as I was before. The googling showed that the incoming requests are from something called a wireless zero configuration (yes, I am using a wireless card on Windows XP). My basic home network has a NAT router and only one WinXP computer which is set up to be wireless.
What confuses me is the Sygate Personal Firewall blocked traffic log shows certain patterns, namely that these NDIS User Mode IO driver requests come from a variety of "Remote Host" IP addresses & a variety of "Remote Port" and "Local Port" addresses but always with the same "Remote MAC". I'm having trouble making any sense of this data.
A typical blocked traffic log line (out of hundreds daily) would be:
Action = Blocked (note it always reports blocked)
Severity = 10 (the severity is always the same)
Direction = Incoming (the direction is always the same)
Protocol = UDP (most are UDP but many are ICMP if that matters)
Remote Host = 196.206.235.196 (many different IP addresses are found)
Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote MAC)
Remote Port = 63875 (other ports show, e.g. 11, 5093, 1900, 53, 137, etc.)
Local Host = 192.168.0.10 (only a few IP addresses show up here)
Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
Local Port = 15744 (other ports show up, e.g. 2049, 1032, 137, 138, etc.)
Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always the same)
Searching the registry, I see NDIS Usermode I/O Protocol is found in HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others).
Based on my googling, this ndisuio.sys file seems like it might be related to the Nortel Extranet Access Protocol, which reminded me that years ago a Nortel VPN program was installed, but there is no vestige of it in the Windows XP Add and Remove Programs or in the Program Files directory, so it must have been deleted long ago.
A reverse IP search of each of the suspect addresses doesn't tell me much.
What confuses me the most is that the googling says ndisuio.sys is for wireless and it should not be blocked, but I see no ill effects when I set my Sygate Personal Firewall to automatically block it. The Windows XP machine and the wireless networking seem to be working just fine even with all these requests blocked.
Can someone help me understand what the purpose of this driver is and how to stop it from making incoming requests hundreds of times a day?
Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and related lines in the Windows registry?
Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?
I'd prefer to understand at least a little bit about what's going on before getting itchy fingers to delete the registry and file. Any ideas?