SerpentFly, I've noticed a discrepancy in packet structuring that I need your opinion on.
I've found a difference between what's reported in the IP header field for datagram length (at IP header offset positions 2, 3) and the total length of the physical IP datagram (and total length of the packet, in bytes), as returned in the _INTERMEDIATE_BUFFER.m_Length field.
I have confirmed that for some IP packets, _INTERMEDIATE_BUFFER.m_Length returns a value greater than a packet length computed using the IP header datagram length field, i.e. TotalPacketLength = EthHeaderLength + IPDatagramLength.
For example, and I'm talking base-10 integers, after I read a suspect IP packet, INTERMEDIATE_BUFFER.m_Length = 60 bytes, which would mean an IP datagram length of 60 - 14 = 46 bytes, since the Ethernet header length is always 14 bytes. However, the IP header datagram length field, read directly from the _INTERMEDIATE_BUFFER.m_IBuffer field, at offset position 17, says 40 bytes. This means that the length of the packet reported by _INTERMEDIATE_BUFFER.m_Length is 6 larger than what the actual packet bytes say it is. A call to ReadPacket() is padding the returned bytes with 6 additional null bytes, in this scenario.
I've confirmed that if I use the _INTERMEDIATE_BUFFER.m_Length as the actual packet length (60 bytes), adjust the IP datagram length field up to 46 bytes, recompute IP and TCP checksums, and pass this adjusted packet on, the packet is invalid to the requesting application. If I use the smaller packet length as reported in the physical bytes, then it's valid to the requesting application. The application is expecting 54 bytes in the packet, not 60 bytes as indicated by _INTERMEDIATE_BUFFER.m_Length.
I have WinpkFilter 3.0.4.1 installed on a VMware instance of WinXPSP3.
My question to you is, for IP packets, should I always use the IP header datagram length field to determine the total length of the packet, i.e. TotalPacketLength = EthHeaderLength + IPDatagramLength? Or should the _INTERMEDIATE_BUFFER.m_Length field be the "word of God" on total packet length? The answer here is important for the DPI proxy I'm developing, as I need to have accurate info about actual payload length and content.
I hope I've been clear. Thanks in advance for your advice.
~Cozmik
Last edited by cozmik on Mon Jan 05, 2009 5:07 am, edited 1 time in total.
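The length reconciliation the post is asking about, as an added example that is not part of cozmik's post or of the WinpkFilter project's own code. It assumes a hypothetical `captured_frame` struct standing in for `_INTERMEDIATE_BUFFER` (a data pointer plus the reported length), and the 60-byte frame it parses is constructed inline: a 14-byte Ethernet header, a 20-byte IPv4 header whose total-length field says 40, a 20-byte TCP header, and 6 trailing zero bytes. The 60-byte figure in the post coincides with the Ethernet minimum frame size (excluding FCS), which NICs reach by padding short frames. The code trusts neither length blindly: it takes the IP header's total length as the datagram boundary for a DPI payload view, but only after checking that the captured buffer actually contains that many bytes, so a truncated capture is rejected instead of over-read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HEADER_LEN 14
#define ETH_TYPE_IPV4  0x0800

/* Hypothetical stand-in for _INTERMEDIATE_BUFFER: raw bytes plus the
 * length the driver reported for them (m_IBuffer / m_Length). */
struct captured_frame {
    const uint8_t *data;
    size_t length;
};

/* Outcome of reconciling the reported length with the IP header. */
struct frame_len {
    size_t reported;   /* bytes the capture buffer claims (m_Length)      */
    size_t effective;  /* ETH_HEADER_LEN + IP total length                */
    size_t padding;    /* trailing bytes beyond the IP datagram            */
    int    valid;      /* 0 if the frame is malformed or truncated         */
};

struct frame_len reconcile_length(const struct captured_frame *f)
{
    struct frame_len r = { f->length, 0, 0, 0 };

    /* Need at least Ethernet header + minimal IPv4 header to read lengths. */
    if (f->length < ETH_HEADER_LEN + 20)
        return r;
    uint16_t ethertype = (uint16_t)((f->data[12] << 8) | f->data[13]);
    if (ethertype != ETH_TYPE_IPV4)
        return r;

    const uint8_t *ip = f->data + ETH_HEADER_LEN;
    if ((ip[0] >> 4) != 4)
        return r;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20)
        return r;

    /* IP total length: header offsets 2..3, i.e. frame bytes 16..17. */
    size_t ip_total = (size_t)((ip[2] << 8) | ip[3]);
    if (ip_total < ihl)
        return r;

    size_t effective = ETH_HEADER_LEN + ip_total;
    /* The IP header may claim more than was captured; never read past the buffer. */
    if (effective > f->length)
        return r;

    r.effective = effective;
    r.padding   = f->length - effective;
    r.valid     = 1;
    return r;
}

/* Constructed sample: 14 (Ethernet) + 20 (IPv4, total length 40)
 * + 20 (TCP) + 6 zero pad bytes = 60 bytes. Checksums are left zero
 * because only length handling is exercised here. Returns bytes written. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t frame[60] = {
        /* Ethernet: dst MAC, src MAC, ethertype 0x0800 */
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        /* IPv4: ver/ihl, tos, total length 0x0028 = 40, id, flags/frag,
         * ttl, proto TCP, checksum, src 10.0.0.1, dst 10.0.0.2 */
        0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
        /* TCP: sport 1234, dport 80, seq, ack, doff=5, ACK, window, csum, urg */
        0x04,0xd2, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
        0x50,0x10, 0xff,0xff, 0x00,0x00, 0x00,0x00,
        /* Ethernet minimum-size padding as delivered by the capture */
        0x00,0x00,0x00,0x00,0x00,0x00
    };
    if (cap < sizeof frame)
        return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

/* Helpers exposing the sample results as plain return values. */
size_t sample_effective_length(void)
{
    uint8_t buf[64];
    struct captured_frame f = { buf, build_sample_frame(buf, sizeof buf) };
    return reconcile_length(&f).effective;
}

size_t sample_padding(void)
{
    uint8_t buf[64];
    struct captured_frame f = { buf, build_sample_frame(buf, sizeof buf) };
    return reconcile_length(&f).padding;
}

/* Same frame, but the reported length is shorter than the IP header claims. */
int truncated_sample_is_valid(void)
{
    uint8_t buf[64];
    build_sample_frame(buf, sizeof buf);
    struct captured_frame f = { buf, 50 };
    return reconcile_length(&f).valid;
}

int main(void)
{
    uint8_t buf[64];
    struct captured_frame f = { buf, build_sample_frame(buf, sizeof buf) };
    struct frame_len r = reconcile_length(&f);
    printf("reported=%zu effective=%zu padding=%zu valid=%d\n",
           r.reported, r.effective, r.padding, r.valid);
    return 0;
}
```

For the constructed frame this yields reported=60, effective=54, padding=6, which is the discrepancy described in the post; a DPI payload view should stop at `effective`, and bytes beyond it are padding rather than TCP data.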