- This topic has 17 replies, 3 voices, and was last updated 11 years, 11 months ago by
.
-
Posts
-
I am trying out the new Lightweight FIlter drivers. After starting a packet capture session through the driver, all internet connectivity was lost. Stopping the packet capture, internet traffic was still not working. During this time, Wireshark showed an excessive amount of traffic. Filtering for ICMP packets and doing a single ping to the local gateway (‘ping 192.168.202.1 -n 1’), Wireshark showed 8 packets being transmitted when only 2 should have been observed. After disabling the lightweight filter driver from the network adapter, network traffic returned to normal, and the same ping command generated the normal 2 packets. Reenabling the lightweight filter driver on the adapter, packet duplication returned and network traffic became unreliable at best.
Is there any debugging information I can get to figure out why this was happening? This happens intermittently, so I’d like to be prepared to capture as much data as possible the next time this occurs. I did just install the hotfix at http://support.microsoft.com/kb/2482122 after seeing bluescreens when waking up from sleep. Not sure if this issue and that hotfix are related.
In trying to switch to the IM driver to see if it yields the same issues, I’m not able to successfully install it. I’m getting error code 0x80070436 when running snetcfg, indicating “The name is already in use as either a service name or a service display name.” I’ve uninstalled the LWF drivers with snetcfg, and used pnputil to clear out all the LWF instances in the driver store. It seems to still have a reference to the LWF driver and won’t let me install the IM driver since it has the same name.
To understand what happens I have need to reproduce your problem so I have several questions:
1) Could you please describe your software/hardware configuration?
2) What tool have you used to capture the traffic? Have you expirienced this with your own application only or standard utilities shipped with WinpkFilter behaves the same?
3) Have you used promiscuous mode?In trying to switch to the IM driver to see if it yields the same issues, I’m not able to successfully install it. I’m getting error code 0x80070436 when running snetcfg, indicating “The name is already in use as either a service name or a service display name.” I’ve uninstalled the LWF drivers with snetcfg, and used pnputil to clear out all the LWF instances in the driver store. It seems to still have a reference to the LWF driver and won’t let me install the IM driver since it has the same name.
Try to remove cached INF/PNF files from WIndowsINF folder.
I have performed a quick test of WinpkFilter 3.0.8 LWF driver on the fresh copy of Windows 7 x64. Besides WinpkFilter only Wireshark was installed. System was connected to the Internet through the LAN network adapter.
I have not noticed any dulicated packets neither in normal or even in promiscuous mode. So the issue is probably caused by your software or hardware configuration.
From my previous expirience duplicated packets are usually caused by incorrect loopback indicated packets processing. It is like packet is sent by filter or protocol driver to the network interface is indicated back (as it would be received from the network) to all other bindings (protocol or filter drivers). Normally it does not cause any real problems, however if you have several third party network components installed on your system (like an example NAT with single NIC routing feature) it may cause some unexpected behaviour. An example, single NIC routing NAT may reroute the loopback packet back into the network thus causing it being indicated back to all other bindings once again. This may even cause nearly endless loop until TTL expire.
@SerpentFly wrote:
1) Could you please describe your software/hardware configuration?
This has been seen on two different laptops. 1, and Asus with an Atheros AR9285 wifi card and JMicrom Gigabit ethernet card. The other a Gateway with an Atheros AR5B92 wfi card and Broadcom Gigabit ethernet card.
@SerpentFly wrote:2) What tool have you used to capture the traffic?
Wireshark was used to verify traffic before, during, and after application execution.
@SerpentFly wrote:Have you expirienced this with your own application only or standard utilities shipped with WinpkFilter behaves the same?
It was experienced with our own application based off an older version of the Internet Gateway example application. The same application with a year old (forget the version number, but I can find it if needed) version of the IM driver did not exhibit this behavior. It was also seen using the current version of the Internet Gateway example application. Machines were rebooted between application executions (Internet Gateway was run on a fresh boot without running our own application). The problem persists after stopping either application until the LWF driver is disable on the adapter.
During this state, running a series of pings would result in some pings showing successful, some showing TTL exceeded, others showing general failure messages.@SerpentFly wrote:
3) Have you used promiscuous mode?
I have not set promiscuous mode.
@SerpentFly wrote:
Try to remove cached INF/PNF files from WIndowsINF folder.
All instances are removed from both WindowsINF and WindowsSystem32DriverStoreFileRepository using the pnputil.exe shipped with Windows, and verified through Windows Explorer and grep utilities. I’ve seen this on the Asus mentioned above, and a Virtual Machine running under Virtual Box.
What OS have you been testing with? Have you any other low level network components installed besides WinpkFilter LWF? Are you able to reproduce the problem with basic samples like passthru?
Internet Gateway is a very draft sample application which includes some relatively complex advanced functionalities (NAT, routing capabilites). It may be some kind of bug in the Internet Gateway itself. Thats why it would be good to know if this problem is reproducible with a very simple test application like passthru. If passthru works fine then this is probably Internet Gateway issue, otherwise this is something about network configuration or drivers conflict.
All instances are removed from both WindowsINF and WindowsSystem32DriverStoreFileRepository using the pnputil.exe shipped with Windows, and verified through Windows Explorer and grep utilities. I’ve seen this on the Asus mentioned above, and a Virtual Machine running under Virtual Box.
After you think that you have uninstalled and removed WinpkFilter driver I would also check if registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesndisrd still exists. Sometimes uninstall does not remove this key.
On the duplicate packets issue, I’ve been able to recreate this without calling down to the LWF driver. Calling EnableRouter (http://msdn.microsoft.com/en-us/library/aa365896%28v=vs.85%29.aspx) triggers duplicate packets on interfaces with the LWF driver attached. The following C# console app calls EnableRouter and UnenableRouter to demonstrate this.
using System;
using System.Runtime.InteropServices;
namespace TestEnableRouter
{
class Program
{
static void Main(string[] args)
{
string input="";
while (true)
{
Console.WriteLine("Pressto enable router, 'q' to quit");
input= Console.ReadLine();
if (!String.IsNullOrEmpty(input)) break;
EnableRouter();
Console.WriteLine("Pressto disable router, 'q' to quit");
input = Console.ReadLine();
if (!String.IsNullOrEmpty(input)) break;
UnenableRouter(ref overlapped, IntPtr.Zero);
}
}
static bool routing = false;
static OVERLAPPED overlapped;
static void EnableRouter()
{
try
{
OVERLAPPED overlapped = new OVERLAPPED();
overlapped.Internal = 0;
overlapped.InternalHigh = 0;
overlapped.Offset = 0;
overlapped.OffsetHigh = 0;
overlapped.Pointer = IntPtr.Zero;
overlapped.hEvent = CreateEvent(IntPtr.Zero, false, false, null); ;
Console.WriteLine("calling EnableRouter");
//Console.WriteLine("calling EnableRouter");
int feedback = EnableRouter(IntPtr.Zero, ref overlapped);
//Console.WriteLine("finished EnableRouter");
Console.WriteLine("finished EnableRouter");
if (feedback != 997) //ERROR_IO_PENDING means success, apparently
{
Console.WriteLine("IP FORWARDING: EnableRouter returned " + feedback);
}
}
catch (Exception e)
{
Console.WriteLine("IP FORWARDING: SetupFirewallAndRouting");
Console.WriteLine(e.ToString());
}
}
[StructLayout(LayoutKind.Explicit, Size = 20)]
public struct OVERLAPPED
{
[FieldOffset(0)]
public uint Internal;
[FieldOffset(4)]
public uint InternalHigh;
[FieldOffset(8)]
public uint Offset;
[FieldOffset(12)]
public uint OffsetHigh;
[FieldOffset(8)]
public IntPtr Pointer;
[FieldOffset(16)]
public IntPtr hEvent;
};
[DllImport("kernel32.dll")]
static extern IntPtr CreateEvent(IntPtr lpEventAttributes, bool bManualReset, bool bInitialState, string lpName);
[System.Runtime.InteropServices.DllImport("iphlpapi.dll")]
public static extern int EnableRouter(IntPtr hndref, ref OVERLAPPED pOverlapped);
[System.Runtime.InteropServices.DllImport("iphlpapi.dll")]
public static extern int UnenableRouter(ref OVERLAPPED pOverlapped, IntPtr lpdwEnableCount);
}
}
I think I can move forward without calling this function, but it does seem to be a regression from earlier driver version.
On the unable to switch from LWF to IM driver issue, it seems I still had a registry entry from an older customized IM driver with the same service name for the IM driver that was blocking it. After clearing it out (may have needed a reboot in there too) I am able to switch between IM and LWF. Thanks for the info, I’ll make sure to double check these keys are cleared out.
I’ve been testing on Windows 7. I have VirtualBox installed, which installs a VirtualBox Bridged Networking Driver, which I believe is an IM driver.
I was not able to reproduce packet duplication with enabling routing and even installing the VirtualBox. However, can you try to uncheck VirtualBox Bridge Networking Driver and see if packet duplication still takes place?
In the past I have observed packet duplication when working over my version of Ethernet Bridge based on NDIS IM driver. In order to get brdged to the real network NDIS IM driver has to place the real network interface into the promicsuous mode in order to be able to get packets destined to Ethernet address different from the NIC hardware address. So you have the cocktail of routing and bridging in the promiscuous mode on your system and adding one extra binding into the configuration (like LWF filter driver) in theory may cause packet duplication. So it makes sense to remove Virtual Box Network bridging from the configuration to see if there is any difference.
By the way, VirtualBox packet duplication issue it had in the past:
Dear
I have the same issue. I am working on windows 7.
on my laptop and another pc (both windows 7 64 bits) we have duplicate packets. (4 packet is sent instead of every packet and on each duplicate I can see the ttl that is decreased by one ).
but on some other laptops and pcs, (all windows 7 but not sure which one is 64 bit) there is no problem.I have vmware installed.
bests and looking forward for you reply.
- You must be logged in to reply to this topic.