WinPkFilter/Wireshark(WinPcap)


This topic contains 2 replies, has 2 voices, and was last updated by  luzl 5 months, 1 week ago.

  • #9316

    luzl
    Participant

    Hi Everyone, need help on this issue.

    With WinPkFilter Sample,
    Filter <ifindex> 1 (1 – Redirect only IPv4 DNS packets for processing in user mode.)
    When Wireshark is not running, we got two packets printed (one request and one response). But, once Wireshark is running, we got 256 packets printed.

    It is very important for us to have both WinPkFilter and WinPcap working at the same time. Any help will be greatly appreciated.

    #9317

    Vadim Smirnov
    Moderator

    If you look at those packets closer then you will notice that TTL for each following duplicated packet is decremented. Without going deep into details, this behaviour is caused by single interface IP routing combined with loopback packet indications (required by WinPcap to collect packets). And thus there are several ways to fix it.

    1) You can disable IP routing feature on the host by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for something else then it is safe to disable.

    2) You can drop re-routed packets in WinpkFilter application.

    3) WinpkFilter has some filter flags to prevent loopback packet indications which are normally used in promiscuous mode. I have to check if these flags are applicable to this situation with single interface routing but this is another possible approach – just filter these packets out on the driver level.
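
An added example of option 2 (not code from the thread or from the WinpkFilter samples): it recognises a re-routed copy as a packet whose addresses, protocol, IP ID and first eight payload bytes were already seen with a higher TTL. The function name, cache size and sample frame are assumptions made for illustration; how the application obtains the raw Ethernet frame from the driver is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN   14
#define CACHE_SIZE 64  /* assumption: number of recent originals to remember */

/* Fields a router leaves untouched; it rewrites only TTL and header checksum. */
struct pkt_key { uint8_t src[4], dst[4], proto, id[2], l4[8]; };
static struct { struct pkt_key key; uint8_t ttl, used; } cache[CACHE_SIZE];
static unsigned next_slot;

/* Returns 1 = re-routed copy, drop it; 0 = process; -1 = not parseable IPv4. */
int is_rerouted_copy(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl + 8)
        return -1;
    struct pkt_key k;
    memcpy(k.src, ip + 12, 4);
    memcpy(k.dst, ip + 16, 4);
    k.proto = ip[9];
    memcpy(k.id, ip + 4, 2);
    memcpy(k.l4, ip + ihl, 8);      /* for UDP: ports, length, checksum */
    for (unsigned i = 0; i < CACHE_SIZE; i++)
        if (cache[i].used && memcmp(&cache[i].key, &k, sizeof k) == 0)
            return ip[8] < cache[i].ttl;   /* same packet, lower TTL */
    cache[next_slot].key = k;              /* first sighting: remember it */
    cache[next_slot].ttl = ip[8];
    cache[next_slot].used = 1;
    next_slot = (next_slot + 1) % CACHE_SIZE;
    return 0;
}

/* Constructed sample: Ethernet + IPv4 (ID 0x1234, TTL 128) + UDP to port 53. */
static const uint8_t sample_frame[42] = {
    0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x08,0x00, 0x45,0,0,0x1c, 0x12,0x34,0,0,
    0x80,0x11,0,0, 192,0,2,10, 192,0,2,53, 0xc0,0,0,0x35, 0,0x08,0,0 };

int main(void)
{
    uint8_t f[sizeof sample_frame];
    memcpy(f, sample_frame, sizeof f);
    for (int ttl = 128; ttl >= 126; ttl--) {  /* original, then two copies */
        f[ETH_HLEN + 8] = (uint8_t)ttl;
        printf("TTL %d: %s\n", ttl, is_rerouted_copy(f, sizeof f) == 1 ? "drop" : "process");
    }
    return 0;
}
```

The IP header checksum in the sample is left at zero because the check does not validate it. A packet that repeats with the same or a higher TTL is passed through rather than dropped.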

    #9318

    luzl
    Participant

    1) You can disable IP routing feature on the host by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for something else then it is safe to disable.

    Yes, it works this way. Thanks.
