Anton

Forum Replies Created

  • in reply to: Network adapter type – Local Network Monitor API #6980

    Anton
    Participant

    Hi.

    You can use the IPHelper API to query all the installed network adapters and the NICs' IP addresses. Then you can use this information to identify the NIC by local IP address.

    Best Regards,
    Anton.
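    As an added example (my own code, not part of the LNM API or of this reply): building the adapter table from the IP Helper API with GetAdaptersAddresses on Windows, then resolving a connection's local address to the adapter that owns it. The non-Windows table, the adapter names and addresses in it, and the function names are constructed for illustration. Two cases a plain lookup cannot attribute are returned as sentinels: an Address object bound to 0.0.0.0 (INADDR_ANY) is not tied to any adapter until a connection on it reports a concrete local address, and 127.0.0.0/8 belongs to no physical NIC.

```c
/* Added example, not LNM API code: resolve a connection's local IPv4 address
 * to the adapter that owns it. On Windows the table is built from the IP
 * Helper API (GetAdaptersAddresses); elsewhere a constructed table stands in.
 * Build on Windows against iphlpapi.lib and ws2_32.lib. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NIC_MAX 32
struct nic_entry { char name[64]; uint32_t ip; };   /* ip in host byte order */
struct nic_table { struct nic_entry e[NIC_MAX]; int n; };

/* "10.30.18.221" -> 0x0A1E12DD. Returns 0 on malformed input. */
int ipv4_parse(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

int nic_table_add(struct nic_table *t, const char *name, uint32_t ip)
{
    if (t->n >= NIC_MAX) return 0;
    snprintf(t->e[t->n].name, sizeof t->e[t->n].name, "%s", name);
    t->e[t->n].ip = ip;
    t->n++;
    return 1;
}

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")
/* Enumerate the IPv4 unicast addresses of every adapter (IP Helper API). */
int nic_table_fill(struct nic_table *t)
{
    ULONG flags = GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER;
    ULONG size = 0;
    IP_ADAPTER_ADDRESSES *list, *a;
    t->n = 0;
    if (GetAdaptersAddresses(AF_INET, flags, NULL, NULL, &size) != ERROR_BUFFER_OVERFLOW) return 0;
    list = (IP_ADAPTER_ADDRESSES *)malloc(size);
    if (!list || GetAdaptersAddresses(AF_INET, flags, NULL, list, &size) != NO_ERROR) { free(list); return 0; }
    for (a = list; a; a = a->Next) {
        IP_ADAPTER_UNICAST_ADDRESS *u;
        for (u = a->FirstUnicastAddress; u; u = u->Next) {
            struct sockaddr_in *sin = (struct sockaddr_in *)u->Address.lpSockaddr;
            nic_table_add(t, a->AdapterName, ntohl(sin->sin_addr.s_addr));
        }
    }
    free(list);
    return 1;
}
#else
/* Constructed stand-in for non-Windows builds: two adapters, names invented. */
int nic_table_fill(struct nic_table *t)
{
    t->n = 0;
    nic_table_add(t, "{constructed-lan-adapter}", 0x0A1E12DDu);   /* 10.30.18.221 */
    nic_table_add(t, "{constructed-vpn-adapter}", 0xC0A83802u);   /* 192.168.56.2 */
    return 1;
}
#endif

/* Adapter name owning local_ip, or a sentinel for the two cases a plain lookup
 * cannot attribute:
 *   "*"        an Address object bound to 0.0.0.0 (INADDR_ANY); the adapter is
 *              only known once a connection reports a concrete local address
 *   "loopback" 127.0.0.0/8, which no physical adapter owns
 * NULL means the address belongs to no listed adapter (or is malformed). */
const char *nic_for_local_ip(const struct nic_table *t, const char *local_ip)
{
    uint32_t ip;
    int i;
    if (!ipv4_parse(local_ip, &ip)) return NULL;
    if (ip == 0) return "*";
    if ((ip >> 24) == 127) return "loopback";
    for (i = 0; i < t->n; i++)
        if (t->e[i].ip == ip) return t->e[i].name;
    return NULL;
}

int main(void)
{
    struct nic_table t;
    const char *probe[] = { "10.30.18.221", "0.0.0.0", "127.0.0.1", "203.0.113.9" };
    int i;
    if (!nic_table_fill(&t)) return 1;
    for (i = 0; i < 4; i++) {
        const char *nic = nic_for_local_ip(&t, probe[i]);
        printf("%-14s -> %s\n", probe[i], nic ? nic : "(no adapter)");
    }
    return 0;
}
```

    The local address column of the LNM log is what you would feed to nic_for_local_ip; for Address objects the log shows 0.0.0.0 until a Connection object on the same port reports the real address.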

    in reply to: Problems with CLhmonApi redirect #6915

    Anton
    Participant

    >I tried the redir sample which comes with the Local Network Monitor API.
    >Is it possible to redirect an HTTP request, e.g. to google, to my server?
    >I want to redirect requests to blocked domain names to my little web server, which will send a block page.

    redir is a basic sample. For example: redir * 0.0.0.0 80 your_server_ip your_server_port will redirect all local HTTP requests to your private web server.

    In a production solution you need to analyze the destination IP address and substitute your server's address for it for blocked domains.

    >I tried the sample but even with telnet I do not get a connection. Any idea? Or is the Local Network API the wrong lib?

    Can you please provide the command lines for the redir sample and for the telnet program?
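    As an added example (my own code, not the redir sample and not the LNM API): the destination-rewrite decision the reply describes for production use. It assumes the blocked domain names have already been resolved to IPv4 prefixes by some other component; the block-page server address, the prefixes and the function names are constructed, using the documentation address ranges. Two practitioner caveats are built in: only port 80 is rewritten, because substituting the destination of an HTTPS connect gives the browser a certificate for the wrong host and a TLS error rather than a block page, so those connects are reported for rejection instead; and the block-page server itself is never rewritten, so a blocklist entry covering it cannot redirect the redirect.

```c
/* Added example, not the redir sample: destination-rewrite decision for a
 * block-page redirect. Blocked domains are assumed to have been resolved to
 * IPv4 prefixes beforehand; addresses here are constructed from the
 * documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS = 0, REDIRECT = 1, BLOCK = 2 };

#define BL_MAX 64
struct prefix { uint32_t net, mask; };
struct blocklist {
    struct prefix p[BL_MAX];
    int n;
    uint32_t page_ip;     /* block-page server, host byte order */
    uint16_t page_port;
};

/* "203.0.113.10" -> 0xCB00710A; returns 0 on malformed input. */
static int ipv4_parse(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

int blocklist_init(struct blocklist *bl, const char *page_ip, uint16_t page_port)
{
    memset(bl, 0, sizeof *bl);
    bl->page_port = page_port;
    return ipv4_parse(page_ip, &bl->page_ip);
}

/* Accepts "203.0.113.0/24" or a bare address (treated as /32). */
int blocklist_add(struct blocklist *bl, const char *cidr)
{
    char addr[20], tail;
    const char *slash = strchr(cidr, '/');
    size_t len = slash ? (size_t)(slash - cidr) : strlen(cidr);
    unsigned bits = 32;
    uint32_t net, mask;
    if (len >= sizeof addr || bl->n >= BL_MAX) return 0;
    memcpy(addr, cidr, len);
    addr[len] = '\0';
    if (slash && (sscanf(slash + 1, "%u%c", &bits, &tail) != 1 || bits > 32)) return 0;
    if (!ipv4_parse(addr, &net)) return 0;
    mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    bl->p[bl->n].net = net & mask;
    bl->p[bl->n].mask = mask;
    bl->n++;
    return 1;
}

/* Decision for an outgoing TCP connect to dst_ip:dst_port.
 * Only port 80 is rewritten: substituting the destination of an HTTPS connect
 * hands the browser a certificate for the wrong host, so the user would see a
 * TLS error rather than the block page. Blocked destinations on other ports
 * are reported as BLOCK so the caller can reject the connect instead. The
 * block-page server itself is never rewritten. Malformed input fails closed. */
enum verdict redirect_decision(const struct blocklist *bl, const char *dst_ip, uint16_t dst_port,
                               uint32_t *new_ip, uint16_t *new_port)
{
    uint32_t ip;
    int i;
    if (!ipv4_parse(dst_ip, &ip)) return BLOCK;
    if (ip == bl->page_ip) return PASS;
    for (i = 0; i < bl->n; i++) {
        if ((ip & bl->p[i].mask) != bl->p[i].net) continue;
        if (dst_port != 80) return BLOCK;
        *new_ip = bl->page_ip;
        *new_port = bl->page_port;
        return REDIRECT;
    }
    return PASS;
}

int main(void)
{
    struct blocklist bl;
    uint32_t ip = 0;
    uint16_t port = 0;
    static const char *names[] = { "PASS", "REDIRECT", "BLOCK" };
    blocklist_init(&bl, "10.0.0.5", 8080);          /* constructed block-page server */
    blocklist_add(&bl, "203.0.113.0/24");            /* constructed "blocked domain" prefix */
    printf("203.0.113.10:80  -> %s\n", names[redirect_decision(&bl, "203.0.113.10", 80, &ip, &port)]);
    printf("203.0.113.10:443 -> %s\n", names[redirect_decision(&bl, "203.0.113.10", 443, &ip, &port)]);
    printf("192.0.2.1:80     -> %s\n", names[redirect_decision(&bl, "192.0.2.1", 80, &ip, &port)]);
    return 0;
}
```

    The substitution itself (handing new_ip:new_port back to the driver for the intercepted connect) is left to the LNM API call the redir sample uses; this block only decides what to substitute.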

    in reply to: Need log format for Local Network Monitor #6831

    Anton
    Participant

    Dave,

    Local Network Monitor uses the following format for packet logging:

    50 19:57:07:167 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Send 127.0.0.1:6754 127.0.0.1:33333 TDI_SUCCESS 16
    Packet data:
    0000 2A 02 4D 71 00 0A 00 01 00 06 00 00 00 00 00 06 *.Mq............

    51 19:57:07:276 ICQ.exe:3084 Completion 875F7D00 Connection TCP Disconnect 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 16
    DisconnectFlags:=00000000
    Timeout = 0 ms
    52 19:57:07:276 ICQ.exe:3084 Origination 875F7D00 Connection TCP Close socket 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 0
    53 19:57:07:276 ICQ.exe:3084 Origination 879A5940 Address TCP Close socket 0.0.0.0:6733 0.0.0.0:0 TDI_SUCCESS 0
    54 19:57:07:307 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Recv 127.0.0.1:6754 127.0.0.1:33333 TDI_MORE_PROCESSING 0

    Regards,
    Anton.
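    As an added example (my own code, not part of LNM or of this reply): a parser for the record lines in the format shown above, with the continuation lines (Packet data:, the hex dump, DisconnectFlags, Timeout) recognised and skipped, and one aggregate computed over the records. The column names are my own labels for the fields; the sample lines are the ones from the reply. The one parsing subtlety worth seeing is that the event name can be more than one word ("Close socket"), so the four fixed trailing columns are taken from the right and the event is whatever lies between the protocol and the local endpoint.

```c
/* Added example, not LNM code: parser for the packet-log line format in the
 * reply above, plus one aggregate over the records. Column names are my own
 * labels; the sample lines are the ones from the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lnm_record {
    unsigned seq; char time[16]; char process[64]; unsigned pid;
    char stage[16];            /* Origination | Completion */
    unsigned long handle;      /* TDI object address (hex column) */
    char object[16];           /* Connection | Address */
    char proto[8];
    char event[32];            /* Send, Recv, Disconnect, Close socket, ... */
    char local_ip[16]; unsigned local_port;
    char remote_ip[16]; unsigned remote_port;
    char status[32];           /* TDI_SUCCESS, TDI_MORE_PROCESSING, ... */
    unsigned length;
};

static int lnm_tokenize(char *buf, char **tok, int max)
{
    int n = 0;
    char *p = buf;
    while (*p && n < max) {
        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
        if (!*p) break;
        tok[n++] = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n') p++;
        if (*p) *p++ = '\0';
    }
    return n;
}

/* "127.0.0.1:6754" -> ip, port; 0 on malformed input. */
static int lnm_endpoint(const char *tok, char ip[16], unsigned *port)
{
    const char *colon = strrchr(tok, ':');
    char *end;
    unsigned long p;
    size_t n;
    if (!colon || colon == tok) return 0;
    n = (size_t)(colon - tok);
    if (n >= 16) return 0;
    memcpy(ip, tok, n);
    ip[n] = '\0';
    p = strtoul(colon + 1, &end, 10);
    if (*end || p > 65535) return 0;
    *port = (unsigned)p;
    return 1;
}

/* Parses one record line. Returns 0 for continuation lines ("Packet data:",
 * hex dumps, "DisconnectFlags:=...", "Timeout = ...") and malformed input. */
int lnm_parse_line(const char *line, struct lnm_record *r)
{
    char buf[512], *tok[32], *colon;
    int n, i;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    n = lnm_tokenize(buf, tok, 32);
    /* seq time proc:pid stage handle object proto event... local remote status length */
    if (n < 12 || tok[0][0] < '0' || tok[0][0] > '9') return 0;
    colon = strrchr(tok[2], ':');
    if (!colon) return 0;          /* a hex-dump line gets this far but has no proc:pid */
    memset(r, 0, sizeof *r);
    r->seq = (unsigned)strtoul(tok[0], NULL, 10);
    snprintf(r->time, sizeof r->time, "%s", tok[1]);
    *colon = '\0';
    snprintf(r->process, sizeof r->process, "%s", tok[2]);   /* names with spaces would shift the columns */
    r->pid = (unsigned)strtoul(colon + 1, NULL, 10);
    snprintf(r->stage, sizeof r->stage, "%s", tok[3]);
    r->handle = strtoul(tok[4], NULL, 16);
    snprintf(r->object, sizeof r->object, "%s", tok[5]);
    snprintf(r->proto, sizeof r->proto, "%s", tok[6]);
    /* Event may be several words ("Close socket"): the four trailing columns are
     * fixed, so take them from the right and join whatever sits in between. */
    for (i = 7; i < n - 4; i++) {
        if (i > 7) strncat(r->event, " ", sizeof r->event - strlen(r->event) - 1);
        strncat(r->event, tok[i], sizeof r->event - strlen(r->event) - 1);
    }
    if (!lnm_endpoint(tok[n - 4], r->local_ip, &r->local_port)) return 0;
    if (!lnm_endpoint(tok[n - 3], r->remote_ip, &r->remote_port)) return 0;
    snprintf(r->status, sizeof r->status, "%s", tok[n - 2]);
    r->length = (unsigned)strtoul(tok[n - 1], NULL, 10);
    return 1;
}

/* Bytes a process handed to the stack: sum of Send record lengths for pid. */
unsigned lnm_bytes_sent(const char *const *lines, int n, unsigned pid)
{
    struct lnm_record r;
    unsigned total = 0;
    int i;
    for (i = 0; i < n; i++)
        if (lnm_parse_line(lines[i], &r) && r.pid == pid && strcmp(r.event, "Send") == 0)
            total += r.length;
    return total;
}

/* The log excerpt from the reply above. */
const char *const LNM_SAMPLE[] = {
    "50 19:57:07:167 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Send 127.0.0.1:6754 127.0.0.1:33333 TDI_SUCCESS 16",
    "Packet data:",
    "0000 2A 02 4D 71 00 0A 00 01 00 06 00 00 00 00 00 06 *.Mq............",
    "51 19:57:07:276 ICQ.exe:3084 Completion 875F7D00 Connection TCP Disconnect 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 16",
    "DisconnectFlags:=00000000",
    "Timeout = 0 ms",
    "52 19:57:07:276 ICQ.exe:3084 Origination 875F7D00 Connection TCP Close socket 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 0",
    "53 19:57:07:276 ICQ.exe:3084 Origination 879A5940 Address TCP Close socket 0.0.0.0:6733 0.0.0.0:0 TDI_SUCCESS 0",
    "54 19:57:07:307 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Recv 127.0.0.1:6754 127.0.0.1:33333 TDI_MORE_PROCESSING 0",
};
#define LNM_SAMPLE_N ((int)(sizeof LNM_SAMPLE / sizeof LNM_SAMPLE[0]))
```

    The hex dump's first token is the offset within the packet, which is why the parser rejects it on the missing proc:pid column rather than on its leading digit.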

    in reply to: Local Network Monitor API doesnt capture ICMP on 2008×64 #6723

    Anton
    Participant

    Hi,

    > The Monitor sample included does not capture packets sent to/from ping.exe on Windows Server 2008 x64 but does on Windows XP SP3!

    Yes, it's a limitation for Vista/W2k8. Unfortunately ICMP can't be caught at the TDI level on these platforms.

    > On this subject, the PROTOCOL enumeration in nttdiapi.cs has only 23 members; however, the GetProtocolName function in Monitor.cs lists every protocol.

    The PROTOCOL enumeration contains the protocols defined in winsock2.h (ws2def.h). The example shows all the possible protocols.

    > Given that PROTOCOL_ANY is 0 but the IANA shows 0 is assigned to HOPOPT,

    0 = HOPOPT (IPv6 Hop-by-Hop Option) for IPv6
    0 = IP (any IP protocol) for IPv4

    Nttdiapi works for IPv4 only and doesn't support IPv6.

    > what are the valid values for m_Protocol in FILTER_INFO and what are the possible values returned in a LOG_INFO?

    Valid protocol numbers for IPv4.

    =Anton.

    in reply to: Why would GetWaitEvent not return a handle? #6722

    Anton
    Participant

    Hi,

    It looks like an error in the GetWaitEvent declaration for C#.
    It should return int.

    We'll fix it in the next update.

    Thank you for feedback.
    =Anton.

    in reply to: DllImport & SetLastError in C# #6721

    Anton
    Participant

    Hi,

    Yes, you are right.

    =Anton.

    in reply to: Local network monitor api Linking problem #6583

    Anton
    Participant

    Hi,

    Please tell us which VS version you use. Did you try to build the release or the debug configuration? The LNM API run-time version doesn't provide debug versions of the libraries. This may be the issue.

    Regards,
    NT Kernel Resources Team.

    in reply to: Local Network Monitor API and BSOD #6581

    Anton
    Participant

    Hi,

    It's a really disappointing bug in the NtTdiDr driver. We'll fix it ASAP.
    Thank you for your feedback.

    Regards,
    NT Kernel Resources Team.

    in reply to: Network Monitor API synchronization #6425

    Anton
    Participant

    Looks like you missed something… Please send me your sources to anton@ntkernel.com

    in reply to: Network Monitor API synchronization #6423

    Anton
    Participant

    Hi,

    >1. Are all log entries read by ReadLog automatically removed from the driver's
    >queue? If not, then how do I synchronize user-mode log entry purging (after they've
    >been read) with kernel-mode log filling and not delete unread entries?

    Yes, the driver removes log entries automatically.

    >2. I found the FLT_ACTION_NOTIFY filter action flag, which is not described in the help file
    >at all.

    FLT_ACTION_NOTIFY is not used now.

    >3. I want to make a simplified version of the Network Monitor app (traffic monitor): I don't
    >need to capture the data itself, I only need to know the data size (PLOG_INFO->m_FullDataLength).
    >So the data logging shown in the "Monitor" example app is redundant. What methods (calls) should I use?

    It's not possible with the current API. The driver always logs the request's data. You would have to modify the driver sources to capture without data.

    Regards
    Anton.

    in reply to: Where is the packet from #6198

    Anton
    Participant

    These messages are wrappers for the system TDI-level messages. All messages have the TDI_EVENT_TYPE enumeration type, defined in include\common.h. A message can be reported before it was processed by the TCP/IP stack (request origination) and after it was processed by the TCP/IP stack (request completion).

    In your case tdi messages mean:
    Message #=1
    Create Address object on IP-address 120.0.0.1:2298
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=2
    Create connection endpoint
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=3
    Bind connection endpoint to address object
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=4
    Create the second connection endpoint
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=5
    Bind the second connection endpoint to address object
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=16
    The incoming connection request from 127.0.0.1:2299 to 127.0.0.1:2298
    Protocol TCP, process name thunderbird.exe, process id 2180

    Message #=17
    Accept the incoming connection request from 127.0.0.1:2299 to 127.0.0.1:2298
    Protocol TCP, process name thunderbird.exe, process id 2180

    You can use the TDI_EVT_CONNECT and TDI_EVT_INCOMING_CONNECTION events to store connection information in the connection table, and TDI_EVT_DISCONNECT and TDI_EVT_INCOMING_DISCONNECT to remove it.
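    As an added example (my own code, not the LNM API and not code from this reply): a connection table maintained from the four events named above, keyed on the connection endpoint object address (the hex column of the log). The enum names mirror the reply; their numeric values, the gating on Origination/Completion, the endpoint handles and the replayed event sequence (patterned on the thunderbird.exe loopback exchange) are constructed. The policy decisions a practitioner would otherwise discover the hard way are handled explicitly: an outgoing connect is recorded only on its successful completion, since the origination may still fail; a disconnect for an endpoint never seen (monitor started mid-connection) is ignored; and a connect on a handle already in the table replaces the stale entry, because pool addresses get reused after a close.

```c
/* Added example, not LNM API code: a connection table driven by the TDI events
 * the reply names. Event and stage names mirror the post; numeric values,
 * endpoint handles and the replayed sequence are constructed. */
#include <stdio.h>
#include <string.h>

enum tdi_evt { TDI_EVT_CONNECT, TDI_EVT_INCOMING_CONNECTION,
               TDI_EVT_DISCONNECT, TDI_EVT_INCOMING_DISCONNECT };
enum tdi_stage { ORIGINATION, COMPLETION };

#define CONN_MAX 64
struct conn {
    int used;
    unsigned long endpoint;   /* connection endpoint object address (hex column of the log) */
    unsigned pid;
    char process[32];
    char local[24], remote[24];
    int inbound;              /* learned from TDI_EVT_INCOMING_CONNECTION */
};
struct conn_table { struct conn c[CONN_MAX]; int count; };

struct conn *conn_find(struct conn_table *t, unsigned long endpoint)
{
    int i;
    for (i = 0; i < CONN_MAX; i++)
        if (t->c[i].used && t->c[i].endpoint == endpoint) return &t->c[i];
    return NULL;
}

/* Feed every logged event here; returns 1 if the table changed.
 * Policy (my assumption about how the stage column applies to each event):
 *  - an outgoing connect is recorded only on its successful completion;
 *  - an incoming connection is recorded when reported successful;
 *  - a disconnect for an unknown endpoint is ignored;
 *  - a connect on a handle already present replaces the stale entry. */
int conn_on_event(struct conn_table *t, enum tdi_evt ev, enum tdi_stage stage, int success,
                  unsigned long endpoint, unsigned pid, const char *process,
                  const char *local, const char *remote)
{
    struct conn *c = conn_find(t, endpoint);
    int i;
    switch (ev) {
    case TDI_EVT_CONNECT:
        if (stage != COMPLETION) return 0;
        /* fall through */
    case TDI_EVT_INCOMING_CONNECTION:
        if (!success) return 0;
        if (!c) {
            for (i = 0; i < CONN_MAX && t->c[i].used; i++) ;
            if (i == CONN_MAX) return 0;    /* table full: widen CONN_MAX or evict */
            c = &t->c[i];
            c->used = 1;
            t->count++;
        }
        c->endpoint = endpoint;
        c->pid = pid;
        snprintf(c->process, sizeof c->process, "%s", process);
        snprintf(c->local, sizeof c->local, "%s", local);
        snprintf(c->remote, sizeof c->remote, "%s", remote);
        c->inbound = (ev == TDI_EVT_INCOMING_CONNECTION);
        return 1;
    case TDI_EVT_DISCONNECT:
    case TDI_EVT_INCOMING_DISCONNECT:
        if (!c) return 0;
        c->used = 0;
        t->count--;
        return 1;
    }
    return 0;
}

int main(void)
{
    struct conn_table t;
    memset(&t, 0, sizeof t);
    /* Constructed replay of the loopback exchange: thunderbird.exe (pid 2180)
     * connects from 127.0.0.1:2299 to its own listener on 127.0.0.1:2298. */
    conn_on_event(&t, TDI_EVT_CONNECT, ORIGINATION, 0, 0x875F7D00UL, 2180, "thunderbird.exe", "127.0.0.1:2299", "127.0.0.1:2298");
    conn_on_event(&t, TDI_EVT_CONNECT, COMPLETION, 1, 0x875F7D00UL, 2180, "thunderbird.exe", "127.0.0.1:2299", "127.0.0.1:2298");
    conn_on_event(&t, TDI_EVT_INCOMING_CONNECTION, COMPLETION, 1, 0x879A5940UL, 2180, "thunderbird.exe", "127.0.0.1:2298", "127.0.0.1:2299");
    printf("open connections: %d\n", t.count);   /* 2 */
    conn_on_event(&t, TDI_EVT_DISCONNECT, COMPLETION, 1, 0x875F7D00UL, 2180, "thunderbird.exe", "", "");
    printf("open connections: %d\n", t.count);   /* 1 */
    return 0;
}
```

    A linear scan is fine for a demonstration; a monitor watching a busy host would key the table on the endpoint address with a hash map, and would also want to drop entries on the Close socket event in case a connection is torn down without a disconnect indication.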

    in reply to: TDI logger #6130

    Anton
    Participant

    Thanks for your feedback.
    The next Local Host Monitor API version (2.0) will contain filtering rules support.
    Interactive network request filtering and connection tables are in our plans for the next releases.

    in reply to: Problem with driver compilation using ddkbuild #6078

    Anton
    Participant

    Take a look at the MS$ sample in the DDK:
    WINDDK\3790\src\general\toaster

    in reply to: Communicate over UDP from the driver #6065

    Anton
    Participant

    The Transport Driver Interface is used for working with network packets. You can read about it in the DDK; usage examples are in Driver Studio or here: http://www.rootkit.com/newsread.php?newsid=416

    in reply to: Problem with Objects Manager! #6059

    Anton
    Participant

    Some standard Windows objects, like files, devices, etc., have the Size field at the beginning of the structure.
    dt -bv nt!_FILE_OBJECT ff4dcd20
    struct _FILE_OBJECT, 27 elements, 0x70 bytes
    +0x000 Type : 5
    +0x002 Size : 112
    ...
    The Size value is equal to the object body size in bytes.

    The dispatcher objects, like events, mutants, etc., have the Header.Size field at the beginning of the structure.
    dt -bv nt!_KEVENT ff4d6ee8
    struct _KEVENT, 1 elements, 0x10 bytes
    +0x000 Header : struct _DISPATCHER_HEADER, 10 elements, 0x10 bytes
    +0x000 Type : 0x1 ''
    +0x001 Absolute : 0x2 ''
    +0x001 NpxIrql : 0x2 ''
    +0x002 Size : 0x4 ''
    ...
    The Size value is equal to the object body size in DWORDs.

    Unfortunately, this rule can't be applied to registry keys, window stations and desktops.
