kernel mode = yes, Application mode = ?


This topic contains 5 replies, has 2 voices, and was last updated by Vadim Smirnov 13 years, 4 months ago.

  • #4864

    peterpiper
    Participant

    A few quick questions:

    I understand winPKfilter can operate in both kernel and user mode. I understand the kernel mode, however user mode confuses me. Does this mean the mode in which you use the DLL (i.e. high-level commands/interface to the DLL) or application-level filtering of packets (i.e. access to the destination application of the packets)?

    I ask this as I would like access to packets both at a low level (MSTCP), so I can read headers (IP/port/protocol) and raw binary data, and at an application level (like personal firewalls), so that I can know the application the packet is heading to.

    Thanks in advance, Pete.

    #5596

    Vadim Smirnov
    Moderator

    WinpkFilter allows you to implement packet filtering technologies in either user or kernel mode (which one you choose depends on your experience and requirements). But this is packet-level filtering (it is not possible to determine the application context at the NDIS level). For application-level filtering you would need an LSP or a TDI filter.

    #5597

    peterpiper
    Participant

    Is it possible to use both packet-level and application-level filtering within the same program, i.e. inspect the packet using winPKfilter and then an LSP/TDI filter?

    Does your company provide an application-level filter?

    Thanks for your swift reply. Pete.

    #5598

    Vadim Smirnov
    Moderator

    Is it possible to use both packet-level and application-level filtering within the same program, i.e. inspect the packet using winPKfilter and then an LSP/TDI filter?

    Yes, sure.

    Does your company provide an application-level filter?

    We provide the localhost monitor API, which is a TDI filter for Windows NT/2000/XP/2003. An LSP sample is available as part of the MSDN. A simple TDI filter for Windows 9x can be found in the VTOOLSD samples (from Compuware).

    #5599

    peterpiper
    Participant

    Thank you for your reply. I have winPKfilter capturing packets (displaying MAC addresses etc.). I don't see any way to get the headers/protocol of the packets for inspection; I assume you put the packets into some data structure.

    Is there any other help or code examples? Looking through the forum I see references to code like:


    pIPHeader: TIPHeaderPtr;
    pTCPHeader: TTCPHeaderPtr;

    which I don't see in the help file. Do you get additional help when you purchase the product? (I am using the demo at the moment – umm, time to reset the computer again 🙂)

    Cheers Pete.

    #5600

    Vadim Smirnov
    Moderator

    What environment do you use for development? There is a C header file, iphlp.h, which has some sample protocol header definitions (IP header, TCP header, UDP header, etc.). If you are using Delphi then you can use the ones below:

    type
      TIPHeaderPtr = ^TIPHeader;
      TIPHeader = packed record
        VerLen: Byte;          // upper 4 bits: version (4); lower 4 bits: header length in 32-bit words
        TOS: Byte;
        TotalLen: Word;        // network byte order, as are all multi-byte fields below
        Identifier: Word;
        FragOffsets: Word;     // 3 flag bits + 13-bit fragment offset
        TTL: Byte;
        Protocol: Byte;        // 1 = ICMP, 6 = TCP, 17 = UDP
        CheckSum: Word;
        SourceIp: DWORD;
        DestIp: DWORD;
        // Options follow here only when (VerLen and $0F) > 5; not part of the fixed record
      end;

      TTCPHeaderPtr = ^TTCPHeader;
      TTCPHeader = packed record
        SourcePort: Word;
        DestPort: Word;
        SequenceNumber: DWORD;
        AcknowledgementNumber: DWORD;
        Offset: Byte;          // upper 4 bits only: header length in 32-bit words, so data starts at (Offset shr 4) * 4
        Flags: Byte;           // FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32
        Window: Word;
        Checksum: Word;        // covers a pseudo header (addresses, protocol, length) plus the TCP header and data
        UrgentPointer: Word;
      end;

    var
      pTCPData: PChar;         // points at the TCP payload once both header lengths are known

    And probably it makes sense for you to look at this topic:
    http://ntkernel.com/forum/viewtopic.php?t=114

    We are trying to provide the best support we can 🙄
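The header walk Pete is asking about, written out in C as an added example; this is not code from the WinpkFilter SDK, from iphlp.h, or from either poster. The field offsets are taken from the IPv4 and TCP header layouts rather than from any SDK structure, and the frame buffer, the `packet_info` type and `parse_frame` are this example's own names. It assumes the buffer starts at the Ethernet II header, as a captured frame does when MAC addresses are visible in it. The points a practitioner wants beyond the record definitions: every length field (IHL, TotalLen, TCP data offset) comes off the wire, so each is bounds-checked against the bytes actually present before it is used to index the buffer, and only the first fragment of a fragmented datagram carries a transport header at all.

```c
/* Walk Ethernet -> IPv4 -> TCP headers in a raw frame, the step a packet-level
 * filter performs before it can match on addresses, ports or payload.
 * Added example, not code from the WinpkFilter SDK: the field offsets are
 * written out by hand from the IPv4/TCP header layouts (assumption: the
 * buffer starts at the Ethernet II header). Checksums are not verified. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define IP_PROTO_TCP    6

typedef struct {
    uint8_t        protocol;          /* IPv4 Protocol field */
    uint32_t       src_ip, dst_ip;    /* host byte order */
    int            has_tcp;           /* 1 when a complete TCP header was found */
    uint16_t       src_port, dst_port;
    uint8_t        tcp_flags;         /* FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 */
    const uint8_t *payload;           /* TCP data, or NULL */
    size_t         payload_len;
} packet_info;

/* Multi-byte fields arrive in network (big-endian) byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if an IPv4 header was parsed (has_tcp says whether a TCP header
 * followed it), 0 if the frame is not IPv4 or the IPv4 header is malformed. */
int parse_frame(const uint8_t *frame, size_t len, packet_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN || rd16(frame + 12) != ETHERTYPE_IPV4)
        return 0;

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t avail = len - ETH_HDR_LEN;
    if (avail < 20 || (ip[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* header length, options included */
    size_t total_len = rd16(ip + 2);
    if (ihl < 20 || ihl > avail || total_len < ihl || total_len > avail)
        return 0;                                   /* never trust TotalLen/IHL blindly */

    out->protocol = ip[9];
    out->src_ip   = rd32(ip + 12);
    out->dst_ip   = rd32(ip + 16);

    /* Only the first fragment (offset 0) carries the transport header. */
    if ((rd16(ip + 6) & 0x1fff) != 0 || out->protocol != IP_PROTO_TCP)
        return 1;

    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = total_len - ihl;
    if (tcp_avail < 20)
        return 1;                                   /* IPv4 ok, TCP header truncated */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;      /* upper nibble: length in 32-bit words */
    if (doff < 20 || doff > tcp_avail)
        return 1;

    out->has_tcp     = 1;
    out->src_port    = rd16(tcp);
    out->dst_port    = rd16(tcp + 2);
    out->tcp_flags   = tcp[13];
    out->payload     = tcp + doff;
    out->payload_len = tcp_avail - doff;
    return 1;
}

/* Constructed sample frame (not a real capture): 192.168.1.10:49152 -> 10.0.0.1:80,
 * PSH|ACK, 4 bytes of payload "GET ". Checksum fields are left as zero. */
const uint8_t kSampleFrame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet II */
    0x45,0x00, 0x00,0x2c, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,         /* IPv4, TotalLen 44 */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0xc0,0x00, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP */
    0x50,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    0x47,0x45,0x54,0x20                                                        /* "GET " */
};
const size_t kSampleFrameLen = sizeof kSampleFrame;

int main(void)
{
    packet_info pi;
    if (!parse_frame(kSampleFrame, kSampleFrameLen, &pi) || !pi.has_tcp) {
        puts("not IPv4/TCP or malformed");
        return 1;
    }
    printf("proto=%u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x payload=%u bytes\n",
           pi.protocol,
           (unsigned)(pi.src_ip >> 24), (unsigned)((pi.src_ip >> 16) & 0xff),
           (unsigned)((pi.src_ip >> 8) & 0xff), (unsigned)(pi.src_ip & 0xff), pi.src_port,
           (unsigned)(pi.dst_ip >> 24), (unsigned)((pi.dst_ip >> 16) & 0xff),
           (unsigned)((pi.dst_ip >> 8) & 0xff), (unsigned)(pi.dst_ip & 0xff), pi.dst_port,
           pi.tcp_flags, (unsigned)pi.payload_len);
    return 0;
}
```

The Delphi records above map one-to-one onto the offsets used here; the difference is that a record cast (`pIPHeader := TIPHeaderPtr(buffer)`) says nothing about whether the buffer is long enough for the header it claims to hold, so the same length checks are needed in Delphi before dereferencing `pTCPHeader` or `pTCPData`.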
