Tagged: Windows packet filter
November 30, 2021 at 11:55 am #11948
Is it possible to determine the source/target app of captured packet(s)?
Any sample? In .NET :]
Jerry
November 30, 2021 at 12:18 pm #11949
The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:
However, it is not a big deal to integrate process_lookup.h into the .NET C++/CLI mixed class library (ndisapi.net) and use it there.
November 30, 2021 at 3:22 pm #11950
Thanks for the quick answer!
You showed me the direction, very much appreciated.
Integrating anything into the mentioned class is beyond my skills, C++ is the dark side :]
Waiting for an ndisapi.net upgrade ;]
Jerry
November 30, 2021 at 3:49 pm #11951
The only thing you need is a couple of IPHELPER API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match IP/port information against information extracted from the packet.
If you need to do that in C#, then here is the sample code: https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G
December 25, 2021 at 4:07 pm #12011
I’ve experimented a little bit with GetExtendedTcpTable / GetExtendedUdpTable. After decoding a packet with the PacketDotNet library, I check this packet in the proper table. Works well, no performance issue (tested with a torrent client running :-).
Two problems (now):
Short lifetime of endpoints in the table – solved with Event Trace monitoring and delaying removal of the endpoint from another endpoint table..
But a huge number of packets are not found in the table – probably the correct endpoint is not created yet… And because torrent/web browser comms contain a lot of “short” communications – 2-3 packets, I’m unable to identify the owning process. The solution with ETW doesn’t work, because events have 2-3 sec delays…
Any idea? Postpone these (all?) packets? 🙁
My target is:
– store statistics about apps’ comms
– control these comms by a user filter – a simple “firewall”
Jerry
December 25, 2021 at 8:54 pm #12012
You should consider one thing about GetExtendedTcpTable / GetExtendedUdpTable. These functions return you only connections available to the application (more precisely, to the user running the application). It is not a problem if you run as a service under the LocalSystem account, but if you execute it under a standard user account, you won’t see processes from other users (and services).
December 26, 2021 at 10:04 am #12013
I’m not sure about this…
My app runs with admin privileges under a standard account and I see endpoints for svchost (Local Service/SYSTEM accounts), the Idle process, the System process and so on…
December 26, 2021 at 10:36 am #12014
Sorry, my mistake – wrong IP conversion to uint32.
Most of the unidentified packets had IPs starting with 128 and higher…
Let’s go investigate the rest of the unidentified packets 🙂
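The following is an added example written for this thread; it is not code from the forum posts, from the CodeProject article, or from the ndisapi.net project. It puts together the two points above: Jerry’s suggestion of matching a packet’s IP/port information against GetExtendedTcpTable / GetExtendedUdpTable, and the uint32 conversion pitfall from the last post (addresses whose first octet is 128 or higher go negative in a signed 32-bit conversion and never match the unsigned DWORD the table stores). The P/Invoke declarations follow the public Win32 documentation for those two functions; packet decoding (for example with PacketDotNet) is left to the caller, who passes in the already-decoded addresses and ports.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;

// Added example, not code from the thread or from ndisapi.net. Takes a snapshot of the
// IPv4 TCP and UDP owner tables, keyed exactly the way the tables store addresses and
// ports, so a decoded packet can be looked up without any byte-order surprises.
public sealed class OwnerTable
{
    const int AF_INET = 2;
    const int TCP_TABLE_OWNER_PID_ALL = 5;   // TCP_TABLE_CLASS value
    const int UDP_TABLE_OWNER_PID = 1;       // UDP_TABLE_CLASS value
    const uint MIB_TCP_STATE_LISTEN = 2;

    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID
    {
        public uint dwState;
        public uint dwLocalAddr;    // IPv4 address as laid out in memory (network byte order)
        public uint dwLocalPort;    // port in network byte order; only the low 16 bits are used
        public uint dwRemoteAddr;
        public uint dwRemotePort;
        public uint dwOwningPid;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct MIB_UDPROW_OWNER_PID { public uint dwLocalAddr; public uint dwLocalPort; public uint dwOwningPid; }

    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize, bool bOrder, int ulAf, int tableClass, uint reserved);
    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedUdpTable(IntPtr pUdpTable, ref int pdwSize, bool bOrder, int ulAf, int tableClass, uint reserved);

    // Connected TCP sockets: (local addr, local port, remote addr, remote port) -> PID.
    readonly Dictionary<(uint, ushort, uint, ushort), uint> tcp = new Dictionary<(uint, ushort, uint, ushort), uint>();
    // TCP listeners and UDP sockets: (local addr, local port) -> PID.
    readonly Dictionary<(uint, ushort), uint> listeners = new Dictionary<(uint, ushort), uint>();
    readonly Dictionary<(uint, ushort), uint> udp = new Dictionary<(uint, ushort), uint>();

    // IPAddress -> the DWORD layout used by the table. ToUInt32 keeps the value unsigned; a signed
    // conversion (int) would be negative for first octets >= 128 and never match the table.
    public static uint ToDword(IPAddress ip) => BitConverter.ToUInt32(ip.GetAddressBytes(), 0);

    // Host-order port -> the network-order value stored in dwLocalPort / dwRemotePort.
    public static ushort Htons(ushort port) => (ushort)((port << 8) | (port >> 8));

    public static OwnerTable Take()
    {
        var t = new OwnerTable();
        foreach (var r in ReadTable<MIB_TCPROW_OWNER_PID>(GetExtendedTcpTable, TCP_TABLE_OWNER_PID_ALL))
        {
            if (r.dwState == MIB_TCP_STATE_LISTEN)
                t.listeners[(r.dwLocalAddr, (ushort)r.dwLocalPort)] = r.dwOwningPid;
            else
                t.tcp[(r.dwLocalAddr, (ushort)r.dwLocalPort, r.dwRemoteAddr, (ushort)r.dwRemotePort)] = r.dwOwningPid;
        }
        foreach (var r in ReadTable<MIB_UDPROW_OWNER_PID>(GetExtendedUdpTable, UDP_TABLE_OWNER_PID))
            t.udp[(r.dwLocalAddr, (ushort)r.dwLocalPort)] = r.dwOwningPid;
        return t;
    }

    delegate uint TableFn(IntPtr p, ref int size, bool order, int af, int cls, uint res);

    // Both tables are a DWORD dwNumEntries followed by the row array.
    static List<T> ReadTable<T>(TableFn fn, int cls) where T : struct
    {
        int size = 0;
        fn(IntPtr.Zero, ref size, false, AF_INET, cls, 0);   // first call only reports the needed size
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            uint rc = fn(buf, ref size, false, AF_INET, cls, 0);
            if (rc != 0) throw new Win32Exception((int)rc);
            int n = Marshal.ReadInt32(buf), rowSize = Marshal.SizeOf<T>();
            var rows = new List<T>(n);
            for (int i = 0; i < n; i++)
                rows.Add(Marshal.PtrToStructure<T>(buf + 4 + i * rowSize));
            return rows;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Match a decoded IPv4 packet. The capture point does not tell us the direction, so try the
    // source as the local side (outbound), then the destination (inbound), then listeners and
    // UDP sockets, including sockets bound to the 0.0.0.0 wildcard.
    public bool TryFindOwner(bool isTcp, IPAddress src, ushort srcPort, IPAddress dst, ushort dstPort, out uint pid)
    {
        uint s = ToDword(src), d = ToDword(dst);
        ushort sp = Htons(srcPort), dp = Htons(dstPort);
        if (isTcp)
        {
            if (tcp.TryGetValue((s, sp, d, dp), out pid) || tcp.TryGetValue((d, dp, s, sp), out pid)) return true;
            return listeners.TryGetValue((d, dp), out pid) || listeners.TryGetValue((0u, dp), out pid);
        }
        return udp.TryGetValue((s, sp), out pid) || udp.TryGetValue((d, dp), out pid)
            || udp.TryGetValue((0u, sp), out pid) || udp.TryGetValue((0u, dp), out pid);
    }
}
```

Typical use is `var table = OwnerTable.Take();` on a timer and `table.TryFindOwner(true, srcIp, srcPort, dstIp, dstPort, out var pid)` per decoded packet. A snapshot is only as fresh as its last refresh, so the short-lived connections discussed above can disappear before the lookup runs; keeping the previous one or two snapshots around (as the poster did with a delayed-removal table) lets the trailing packets of a closed connection still resolve. As Jerry notes, the tables only show sockets visible to the calling account, so a firewall-style monitor should run as a service under LocalSystem. IPv6 needs the same calls with AF_INET6 and the MIB_TCP6ROW_OWNER_PID / MIB_UDP6ROW_OWNER_PID layouts, which is omitted here.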