TCP/IP Hook – Traffic observing for all IP’s

Home Forums Discussions General Discussion TCP/IP Hook – Traffic observing for all IP’s

This topic contains 12 replies, has 3 voices, and was last updated by  Vadim Smirnov 10 years, 2 months ago.

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #5120

    kf
    Participant

    Hello,

    nice to find that forum 🙂

    My Question:
    I want observing my tcp/ip input and output on a specific port. If a ip fetched more than 2 mb a day, i want to deny that connection.

    Can anyone help me(tell me how:)) to handle that kind of feature?

    Maybe there are sample-codes? 🙄

    #6387

    kf
    Participant

    No help? Maybe anyone can give me some links to that topic? 🙄

    #6388

    Vadim Smirnov
    Moderator

    Well, basically you can use WinpkFilter for parsing packets and blocking once quota exceeded.

    Alternatively you can create you own own driver for this. Here depending of the exact requirement you have several options like LSP, TDI filter, NDIS IM, NDIS hooking, WFP…

    #6389

    kf
    Participant

    Big thanks for your statement. Do you have some some codes (or links) to one or some of it?

    #6390

    kf
    Participant

    Okay, i’ve found some docus for winpkFilter:
    http://www.ntoskrnl.com/wpfk-help/_openfilterdriver.htm

    Can someone say me which headers are necessary? (where can i download these?)

    #6391

    Vadim Smirnov
    Moderator

    Can someone say me which headers are necessary? (where can i download these?)

    http://www.ntkernel.com/w&p.php?id=7

    #6392

    kf
    Participant

    Wow big thanks. 😀

    #6393

    kf
    Participant

    I tried to compile the MVC++ Sample Source-Code:

    But i still geht current error:


    1>Compiling...
    1>PacketSniffer.cpp
    1>StdAfx.cpp
    1>Generating Code...
    1>Compiling manifest to resources...
    1>Linking...
    1>PacketSniffer.obj : error LNK2019: unresolved external symbol "__declspec(dllimport) public: __thiscall CNdisApi::CNdisApi(wchar_t const *)" (__imp_??0CNdisApi@@QAE@PB_W@Z) referenced in function "void __cdecl `dynamic initializer for 'api''(void)" (??__Eapi@@YAXXZ)

    I’ve added the ndisapi.lib and the DLL is in the right directory 🙄

    PS: I solved that problem – you have to change the “Character Set” in the project settings. 🙂

    #6394

    kf
    Participant

    Now i’ve tested the software…. and i have to say its a very good software, good job 🙂

    How can i filter packages from port 123 and how can i block it (that these packages do not archive its destination program?)

    #6395

    Vadim Smirnov
    Moderator

    The code below tracks incoming HTTP packets (port 80) and blocks if finds a particular string pattern in the packet. This is a simple sample for porno filter or URL blocking, you should be able easily adopt it for you needs:


    /*************************************************************************/
    /* Copyright (c) 2000-2007 NT Kernel Resources. */
    /* All Rights Reserved. */
    /* http://www.ntkernel.com */
    /* ndisrd@ntkernel.com */
    /* */
    /* Module Name: wwwcensor.cpp */
    /* */
    /* Abstract: Defines the entry point for the console application */
    /* */
    /*************************************************************************/

    #include "stdafx.h"

    USHORT ntohs( USHORT netshort )
    {
    PUCHAR pBuffer;
    USHORT nResult;

    nResult = 0;
    pBuffer = (PUCHAR )&netshort;

    nResult = ( (pBuffer[ 0 ] < < 8) & 0xFF00 )
    | ( pBuffer[ 1 ] & 0x00FF );

    return( nResult );
    }

    #define htons ntohs

    int main(int argc, char* argv[])
    {
    TCP_AdapterList AdList;
    CNdisApi api;
    ETH_REQUEST Request;
    INTERMEDIATE_BUFFER PacketBuffer;
    ether_header_ptr pEthHeader = NULL;
    iphdr_ptr pIpHeader = NULL;
    tcphdr_ptr pTcpHeader = NULL;
    HANDLE hEvent[256];
    DWORD dwAdIndex = 0;
    char szTempString[1500];
    char szPattern[256];
    BOOL bDrop = FALSE;


    if (argc < 2)
    {
    printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
    return 0;
    }

    if(!api.IsDriverLoaded())
    {
    printf ("Driver not installed on this system of failed to load.n");
    return 0;
    }

    if ( strlen(argv[1]) > 255 )
    {
    printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
    return 0;
    }

    //
    // Get pattern in upper case
    //
    ZeroMemory ( szPattern, 256 );
    strcpy ( szPattern, argv[1] );
    for ( unsigned i = 0; i < strlen (szPattern); ++i )
    {
    if (isalpha(((UCHAR)szPattern)))
    szPattern
    = (char)toupper((UCHAR)szPattern);
    }

    //
    // Get system installed network interfaces
    //
    api.GetTcpipBoundAdaptersInfo ( &AdList );

    //
    // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
    //
    ADAPTER_MODE Mode;
    Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

    //
    // Create notification events and initialize the driver to pass packets thru us
    //
    for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
    {
    hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

    if (!hEvent[dwAdIndex])
    {
    printf("Failed to create notification event for network interface n");
    return 0;
    }

    Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
    //
    api.SetAdapterMode(&Mode);

    //
    // Set packet notification event for the network interface
    //
    api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
    }


    // Initialize common part of ETH_REQUEST
    ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
    ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
    Request.EthPacket.Buffer = &PacketBuffer;

    //
    // Go into the endless loop (this is just a sample application)
    //
    while (TRUE)
    {
    //
    // Wait before any of the interfaces is ready to indicate the packet
    //
    dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

    //
    // Reset signalled event
    //
    ResetEvent(hEvent[dwAdIndex]);

    //
    // Complete initialization of ETH_REQUEST
    //

    Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Read packet from the interface until there are any
    //
    while(api.ReadPacket(&Request))
    {
    //
    // Get Ethernet header
    //
    pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

    //
    // Check if Ethernet frame contains IP packet
    //
    if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
    {
    //
    // Get IP header
    //
    pIpHeader = (iphdr_ptr)(pEthHeader + 1);

    //
    // Check if IP packet contains TCP packet
    //
    if (pIpHeader->ip_p == IPPROTO_TCP)
    {
    //
    // Get TCP header pointer
    //
    pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

    //
    // Check if this HTTP packet (destined to remote system port 80, or received from it)
    //

    if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
    ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
    {
    //
    // Get data size in the packet and pointer to the data
    //

    DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
    PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

    // If packet contains any data - process it
    if (dwDataLength)
    {
    //
    // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
    //
    memcpy (szTempString, pData, dwDataLength);
    for (unsigned t = 0; t < dwDataLength; ++t)
    {
    if (szTempString[t] == 0)
    szTempString[t] = 0x20;

    if (isalpha((UCHAR)szTempString[t]))
    szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
    }
    szTempString[dwDataLength] = 0;

    //
    // Check if this packet payload contains user supplied pattern in ASCII code
    //

    if (strstr ( szTempString, szPattern ))
    bDrop = TRUE;
    }
    }

    }
    }

    if(bDrop)
    {
    printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
    pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
    pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
    bDrop = FALSE;
    }
    else
    if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
    {
    // Place packet on the network interface
    api.SendPacketToAdapter(&Request);
    }
    else
    {
    // Indicate packet to MSTCP
    api.SendPacketToMstcp(&Request);
    }
    }

    }

    return 0;
    }

    #6396

    kf
    Participant

    Wow – Big thanks for help!!!! 😛

    #6397

    shaman
    Participant

    Trying to create reverse decision based on this example:

    permit only several URL’s. But without success.

    Some packets are still blocked even for permitted pattern.

    Can you help to understand needed approach?

    #6398

    Vadim Smirnov
    Moderator

    The sample above is good for blocking undesired content (not only URL’s). So I don’t think it is applicable for the reversed solution.

    Basically you have several possibilities:

    1) Allow only those IP’s which host permitted URL’s. If outgoing HTTP packet (with destination port 80) is destined to the IP address not in the list then just drop it.
    2) Parse outgoing DNS packets and allow only those queries which are allowed in your URL list.
    3) Parse HTTP GET request for each outgoing HTTP packet and match URL against your URL list.

Viewing 13 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.