WinPkFilter/Wireshark(WinPcap)


  • #9316
    luzl
    Participant

    Hi Everyone, need help on this issue.

    With WinPkFilter Sample,
    Filter <ifindex> 1 (1 – Redirect only IPv4 DNS packets for processing in user mode.)
    When Wireshark is not running, we got two packets printed (one request and one response). But, once Wireshark is running, we got 256 packets printed.

    It is very important for us to have both WinPkFilter and WinPcap working at the same time. Any help will be greatly appreciated.

    #9317
    Vadim Smirnov
    Moderator

    If you look at those packets closer, you will notice that the TTL of each following duplicated packet is decremented. Without going deep into details, this behaviour is caused by single interface IP routing combined with loopback packet indications (required by WinPcap to collect packets). And thus there are several ways to fix it.

    1) You can disable the IP routing feature on the host by going to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. The IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for something else then it is safe to disable.

    2) You can drop re-routed packets in WinpkFilter application.

    3) WinpkFilter has some filter flags to prevent loopback packet indications which are normally used in promiscuous mode. I have to check if these flags are applicable to this situation with single interface routing but this is another possible approach – just filter these packets out on the driver level.
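    The second option above (dropping the re-routed copies in the user-mode application) keyed on exactly the symptom Vadim describes, a duplicate of an already-seen datagram whose TTL is lower than the first copy. The following is an added example, not code from this thread or from the WinPkFilter samples; it assumes the caller has already stripped the Ethernet header so the IPv4 header starts at offset 0, and the names (`dedup_check`, `run_demo`, `build_ipv4_udp`) and the sample DNS packets are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode duplicate filter for the "drop re-routed packets" option.
 * Assumption: pkt[0] is the first byte of the IPv4 header (Ethernet header removed). */

#define IPV4_MIN_HDR 20
#define PROTO_TCP     6
#define PROTO_UDP    17
#define TABLE_SIZE  256          /* small ring of recently seen datagrams */

enum verdict { VERDICT_INVALID = -1, VERDICT_PASS = 0, VERDICT_DROP = 1 };

struct flow_key {                /* always zeroed before filling, so memcmp() is safe despite padding */
    uint32_t src, dst;           /* kept in network byte order; only compared, never interpreted */
    uint16_t ip_id;
    uint8_t  proto;
    uint16_t sport, dport;       /* zero for protocols other than TCP/UDP */
};

struct seen_entry { struct flow_key key; uint8_t ttl; int used; };
struct dedup_table { struct seen_entry e[TABLE_SIZE]; size_t next; };

static void dedup_init(struct dedup_table *t) { memset(t, 0, sizeof *t); }

/* Extract the fields that identify one datagram, plus its TTL. Rejects truncated input. */
static int parse_key(const uint8_t *pkt, size_t len, struct flow_key *k, uint8_t *ttl)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || len < ihl) return -1;
    memset(k, 0, sizeof *k);
    memcpy(&k->src, pkt + 12, 4);
    memcpy(&k->dst, pkt + 16, 4);
    k->ip_id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    k->proto = pkt[9];
    *ttl = pkt[8];
    if ((k->proto == PROTO_TCP || k->proto == PROTO_UDP) && len >= ihl + 4) {
        k->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        k->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* PASS the first copy of a datagram; DROP later copies whose TTL is lower than the
 * remembered one, which is the signature of the re-routed duplicates in this thread. */
static enum verdict dedup_check(struct dedup_table *t, const uint8_t *pkt, size_t len)
{
    struct flow_key k; uint8_t ttl;
    if (parse_key(pkt, len, &k, &ttl) != 0) return VERDICT_INVALID;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct seen_entry *e = &t->e[i];
        if (e->used && memcmp(&e->key, &k, sizeof k) == 0)
            return ttl < e->ttl ? VERDICT_DROP : VERDICT_PASS;
    }
    struct seen_entry *slot = &t->e[t->next];   /* remember it; the oldest entry is overwritten */
    t->next = (t->next + 1) % TABLE_SIZE;
    slot->used = 1; slot->ttl = ttl;
    memcpy(&slot->key, &k, sizeof k);
    return VERDICT_PASS;
}

/* Constructed IPv4/UDP datagram with a stub DNS payload (checksums left zero; the filter ignores them). */
static size_t build_ipv4_udp(uint8_t *buf, uint8_t ttl, const uint8_t src[4], const uint8_t dst[4],
                             uint16_t sport, uint16_t dport, uint16_t ip_id)
{
    static const uint8_t dns_stub[12] = { 0xab, 0xcd, 0x01, 0x00, 0x00, 0x01 };
    size_t total = IPV4_MIN_HDR + 8 + sizeof dns_stub;
    memset(buf, 0, total);
    buf[0] = 0x45;                                     /* IPv4, 20-byte header */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = (uint8_t)(ip_id >> 8); buf[5] = (uint8_t)ip_id;
    buf[8] = ttl; buf[9] = PROTO_UDP;
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[25] = (uint8_t)(8 + sizeof dns_stub);         /* UDP length */
    memcpy(buf + 28, dns_stub, sizeof dns_stub);
    return total;
}

/* Replays the thread's situation: one DNS query, two re-routed copies with a decremented
 * TTL, then the unrelated reply. Returns how many packets were dropped (expected: 2). */
static int run_demo(void)
{
    static const uint8_t client[4] = { 192, 168, 1, 10 }, resolver[4] = { 8, 8, 8, 8 };
    const uint8_t ttls[3] = { 128, 127, 126 };
    struct dedup_table t; uint8_t buf[64]; int dropped = 0;
    dedup_init(&t);
    for (int i = 0; i < 3; i++) {
        size_t n = build_ipv4_udp(buf, ttls[i], client, resolver, 51000, 53, 0x1234);
        enum verdict v = dedup_check(&t, buf, n);
        printf("query copy ttl=%d -> %s\n", (int)ttls[i], v == VERDICT_DROP ? "drop" : "pass");
        if (v == VERDICT_DROP) dropped++;
    }
    size_t n = build_ipv4_udp(buf, 57, resolver, client, 53, 51000, 0x5678);
    enum verdict v = dedup_check(&t, buf, n);
    printf("reply ttl=57 -> %s\n", v == VERDICT_DROP ? "drop" : "pass");
    if (v == VERDICT_DROP) dropped++;
    return dropped;
}

/* A truncated buffer must be rejected, not parsed. Returns 1 on the expected verdict. */
static int rejects_short_input(void)
{
    struct dedup_table t; uint8_t junk[8] = { 0x45 };
    dedup_init(&t);
    return dedup_check(&t, junk, sizeof junk) == VERDICT_INVALID;
}

int main(void)
{
    printf("dropped %d duplicate(s)\n", run_demo());
    return 0;
}
```

    The key deliberately includes the IP identification field, so a genuine retransmission (new IP ID) is passed while a looped-back copy of the same datagram (same ID, lower TTL) is dropped. A small ring table is enough here because the duplicates arrive immediately after the original; a production filter would age entries and size the table to the traffic rate.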

    #9318
    luzl
    Participant

    1) You can disable the IP routing feature on the host by going to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. The IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for something else then it is safe to disable.

    Yes, it works this way. Thanks.

    #11228
    Zyxel
    Participant

    Vadim,

    Did you ever investigate your solution #3 further?

    Why is this problem with double indications happening anyway?
    Where in the driver hierarchy is the WinPkFlt LWF driver positioned in relation to the current Wireshark’s NPCAP driver?

    Is the WinPkFlt LWF driver always BELOW* the Wireshark’s NPCAP driver, or is their relationship affected by their order of installation?

    Is there a diagram of the WinPkFlt LWF and NPCAP drivers and these pesky NDIS loopbacks anywhere to elucidate all of this?

    * BELOW = closer to the NDIS miniport (adapter driver).
