Forum Replies Created
Problem solved. When I upgraded to 3.2.3, the helper file “ndisapi.dll” did not get upgraded.
J.A. Coutts
Now I am completely baffled. I transferred the program to Win 8.1, and the filter table loads just fine. Don’t know if it works yet, but at least it loads. The only difference between the 2 machines is that the Vista machine is a 32 bit OS and the Win 8.1 is 64 bit.
J.A. Coutts
So I did a memory dump on the Filter Table and mapped it out:
Filter Table:
02 00 00 00 – Table Size
00 00 00 00 00 00 00 00 – m_Adapter
03 00 00 00 – m_dwDirectionFlags
03 00 00 00 – m_FilterAction
06 00 00 00 – m_ValidFields
00 00 00 00 – m_LastReset
00 00 00 00 00 00 00 00 – m_PacketsIn
00 00 00 00 00 00 00 00 – m_BytesIn
00 00 00 00 00 00 00 00 – m_PacketsOut
00 00 00 00 00 00 00 00 – m_BytesOut (56)
DATA_LINK_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
ETH_802_3_FILTER
00 00 00 00 – m_ValidFields
00 00 00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 – m_DestAddress
00 00 – m_Protocol
00 00 – Padding (24)
NETWORK_LAYER_FILTER
01 00 00 00 – m_dwUnionSelector
IP_V4_FILTER
04 00 00 00 – m_ValidFields
00 00 00 00 00 00 00 00
00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 00 00
00 00 00 00 – m_DestAddress
11 – m_Protocol
00 00 00 – Padding
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 – Padding (84)
TRANSPORT_LAYER_FILTER
01 00 00 00 – m_dwUnionSelector
TCPUDP_FILTER
02 00 00 00 – m_ValidFields
00 00 – m_StartRange
00 00 – m_EndRange
35 00 – m_StartRange
35 00 – m_EndRange
00 – m_TCPFlags (17)
** 00 00 00 – ? **
00 00 00 00 00 00 00 00 – m_Adapter
03 00 00 00 – m_dwDirectionFlags
01 00 00 00 – m_FilterAction
00 00 00 00 – m_ValidFields
00 00 00 00 – m_LastReset
00 00 00 00 00 00 00 00 – m_PacketsIn
00 00 00 00 00 00 00 00 – m_BytesIn
00 00 00 00 00 00 00 00 – m_PacketsOut
00 00 00 00 00 00 00 00 – m_BytesOut (56)
DATA_LINK_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
ETH_802_3_FILTER
00 00 00 00 – m_ValidFields
00 00 00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 – m_DestAddress
00 00 – m_Protocol
00 00 – Padding (24)
NETWORK_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
IP_V4_FILTER
00 00 00 00 – m_ValidFields
00 00 00 00 00 00 00
00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 00
00 00 00 00 – m_DestAddress
00 – m_Protocol
00 00 00 – Padding
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 – Padding (84)
TRANSPORT_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
TCPUDP_FILTER
00 00 00 00 – m_ValidFields
00 00 – m_StartRange
00 00 – m_EndRange
00 00 – m_StartRange
00 00 – m_EndRange
00 – m_TCPFlags (17)
00 00 00 – ?
00 00 00 00 00 00 00 00 – m_Adapter
00 00 00 00 – m_dwDirectionFlags
00 00 00 00 – m_FilterAction
00 00 00 00 – m_ValidFields
00 00 00 00 – m_LastReset
00 00 00 00 00 00 00 00 – m_PacketsIn
00 00 00 00 00 00 00 00 – m_BytesIn
00 00 00 00 00 00 00 00 – m_PacketsOut
00 00 00 00 00 00 00 00 – m_BytesOut (56)
DATA_LINK_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
ETH_802_3_FILTER
00 00 00 00 – m_ValidFields
00 00 00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 – m_DestAddress
00 00 – m_Protocol
00 00 – Padding (24)
NETWORK_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
IP_V4_FILTER
00 00 00 00 – m_ValidFields
00 00 00 00 00 00 00 00
00 00 00 00 – m_SrcAddress
00 00 00 00 00 00 00 00
00 00 00 00 – m_DestAddress
00 – m_Protocol
00 00 00 – Padding
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 – Padding (84)
TRANSPORT_LAYER_FILTER
00 00 00 00 – m_dwUnionSelector
TCPUDP_FILTER
00 00 00 00 – m_ValidFields
00 00 – m_StartRange
00 00 – m_EndRange
00
Total Bytes (547)
The individual Static Filters each reported the correct length (181), and the table itself with space allocated for 3 Static Filters reported the correct length (547). But the second filter was installed on a word boundary, leaving 3 extra bytes between the first and second static filters. Could this be causing the failure to install the filter table?
J.A. Coutts
Sorry for the delay in responding, but I have been trying to resolve cryptography issues on Win 8.1 with Microsoft.
I am using VB6. VB.net is not flexible enough for my purposes.
J.A. Coutts
Thanks SerpentFly. I had 184. Since all the other elements seemed to be adjusted on 4 byte boundaries, I assumed that TCPUDP_FILTER was as well. Unfortunately, after removing the 3 byte padding to get 181 bytes, the static filter will still not load. Here is what I have got.
Code:
Public Type STATIC_FILTER
    m_Adapter As ULARGE_INTEGER     '(8) Adapter handle extended to 64 bit size for structure compatibility across x64 and x86
    m_dwDirectionFlags As Long      '(4) PACKET_FLAG_ON_SEND or/and PACKET_FLAG_ON_RECEIVE
    m_FilterAction As Long          '(4) FILTER_PACKET_XXX
    m_ValidFields As Long           '(4) Specifies which of the fields below contain valid values and should be matched against the packet
    ' Statistics for the filter
    m_LastReset As Long             '(4) Time of the last counters reset (in seconds passed since 1 Jan 1980)
    m_PacketsIn As ULARGE_INTEGER   '(8) Incoming packets passed through this filter
    m_BytesIn As ULARGE_INTEGER     '(8) Incoming bytes passed through this filter
    m_PacketsOut As ULARGE_INTEGER  '(8) Outgoing packets passed through this filter
    m_BytesOut As ULARGE_INTEGER    '(8) Outgoing bytes passed through this filter
    m_DataLinkFilter As DATA_LINK_LAYER_FILTER   '(24)
    m_NetworkFilter As NETWORK_LAYER_FILTER      '(84)
    m_TransportFilter As TRANSPORT_LAYER_FILTER  '(17)
End Type                            '(181)
J.A. Coutts
I am using Visual Basic, so I have to convert C++ code. Knowing what the correct length is will make it easier for me to figure out if I have converted correctly.
J.A. Coutts
I finally got around to looking at this issue, and I have located the problem with the filter. In VB, the lower array boundary defaults to 0, unless the programmer specifically sets the lower boundary to 1 with the Option Base Statement in each and every module. The VB example “modDecl_Ndisapi.bas” defines the Type IP_V4_FILTER as:
Public Type IP_V4_FILTER
    m_ValidFields As Long
    m_SrcAddress As IP_ADDRESS_V4
    m_DestAddress As IP_ADDRESS_V4
    m_Protocol As Byte
    Padding(3) As Byte
End Type
Because the lower limit is zero, "Padding" is defined as a 4 byte array. It should be defined as:
Public Type IP_V4_FILTER
    m_ValidFields As Long
    m_SrcAddress As IP_ADDRESS_V4
    m_DestAddress As IP_ADDRESS_V4
    m_Protocol As Byte
    Padding(1 To 3) As Byte
End Type
The same is true of Type ETH_802_3_FILTER:
Public Type ETH_802_3_FILTER
    m_ValidFields As Long
    m_SrcAddress(1 To ETHER_ADDR_LENGTH) As Byte
    m_DestAddress(1 To ETHER_ADDR_LENGTH) As Byte
    m_Protocol As Integer
    Padding As Integer
End Type
The end result was that each filter was 3 bytes too long (119 instead of 116).
J.A. Coutts
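An added example, not code from the thread or from the NDISAPI sample modules: it packs the STATIC_FILTER layout the posts above work out (56 + 24 + 84 + 17 = 181 bytes, no 4-byte alignment) with Python's struct module, decodes the fields the dump annotates, and shows why a 184-byte stride (the aligned VB6 Type) makes a 3-filter table 556 rather than 547 bytes. The sample filter's field values are constructed to mirror the first filter in the dump; the helper names are this example's own.

```python
import struct

# Packed STATIC_FILTER layout from the thread: "<" makes struct use no C alignment,
# which is what a correctly sized VB6 Type (Padding(1 To 3)) produces in memory.
HEADER_FMT = "<QIIIIQQQQ"   # m_Adapter, dir flags, action, valid, last reset, 4 counters
TCPUDP_FMT = "<IIHHHHB"     # selector, valid, src lo/hi, dst lo/hi, m_TCPFlags
STATIC_FILTER_SIZE = struct.calcsize(HEADER_FMT) + 24 + 84 + struct.calcsize(TCPUDP_FMT)
IPPROTO_UDP = 17

def build_filter(direction=0, action=0, valid=0, proto=0, dst_lo=0, dst_hi=0,
                 net_sel=0, ip_valid=0, tr_sel=0, tr_valid=0):
    """Serialize one 181-byte STATIC_FILTER exactly as it must sit in memory."""
    header = struct.pack(HEADER_FMT, 0, direction, action, valid, 0, 0, 0, 0, 0)
    datalink = bytes(24)                                   # ETH_802_3_FILTER, unused here
    # IP_V4_FILTER: valid(4) + two IP_ADDRESS_V4 (12 each) + proto(1) + 3 pad, then 48 union pad
    network = struct.pack("<II", net_sel, ip_valid) + bytes(24) + bytes([proto]) + bytes(51)
    transport = struct.pack(TCPUDP_FMT, tr_sel, tr_valid, 0, 0, dst_lo, dst_hi, 0)
    return header + datalink + network + transport

def build_table(filters, stride=STATIC_FILTER_SIZE):
    """4-byte count followed by the filters; stride=184 reproduces the aligned-Type bug."""
    body = b"".join(f.ljust(stride, b"\0") for f in filters)
    return struct.pack("<I", len(filters)) + body

def check_table(buf):
    """Return the filter count, or raise if the buffer is not 4 + 181 * count bytes."""
    (count,) = struct.unpack_from("<I", buf, 0)
    expected = 4 + count * STATIC_FILTER_SIZE
    if len(buf) != expected:
        extra = (len(buf) - 4) // max(count, 1) - STATIC_FILTER_SIZE
        raise ValueError(f"table is {len(buf)} bytes, expected {expected} ({extra:+d} per filter)")
    return count

def table_ok(buf):
    try:
        check_table(buf)
        return True
    except ValueError:
        return False

def parse_filter(buf, index):
    """Decode the fields the thread's dump annotates for filter number `index`."""
    off = 4 + index * STATIC_FILTER_SIZE
    _, direction, action, valid, *_ = struct.unpack_from(HEADER_FMT, buf, off)
    net = off + 56 + 24                       # NETWORK_LAYER_FILTER follows the data link filter
    proto = buf[net + 32]                     # m_Protocol after selector, valid, src, dst
    _sel, tr_valid, _, _, d_lo, d_hi, _ = struct.unpack_from(TCPUDP_FMT, buf, net + 84)
    return {"direction": direction, "action": action, "valid": valid,
            "proto": proto, "dst_ports": (d_lo, d_hi), "transport_valid": tr_valid}

# Constructed sample mirroring the dump: filter 0 is UDP to port 53, both directions.
DNS_FILTER = build_filter(direction=3, action=3, valid=6, proto=IPPROTO_UDP,
                          dst_lo=53, dst_hi=53, net_sel=1, ip_valid=4, tr_sel=1, tr_valid=2)
GOOD_TABLE = build_table([DNS_FILTER, build_filter(), build_filter()])             # 547 bytes
BAD_TABLE = build_table([DNS_FILTER, build_filter(), build_filter()], stride=184)  # 556 bytes
```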
Sorry it took so long to reply, but this server is remote and the guy on the other end is not that technical. It turns out that the problem was with an incompatible or corrupt version of IPHLPAPI.DLL. I had to wait for the other guy to be available, because when I tried to do it remotely I would lose connectivity.
Thanks
J.A. Coutts
Thank you for the reply SerpentFly. I used Outbound DNS for the initial testing, but converted it to Inbound DNS for the final product, both with the same results. It will do for now until I can figure it out.
But I ran into another problem (server crashed) when I attempted to move it to a Server 2000. Server 2000 is not specifically listed as a supported OS, but the driver loaded without a problem and it is of the same vintage as XP/2000. Is it supported?
J.A. Coutts
Promiscuous mode was causing me some problems, but unfortunately my filtering code is still not filtering anything.
Let me supply a little more info. Our DNS server is being used as an attack vector against a number of Chinese servers. I needed a quick and dirty solution to eliminate repetitive DNS requests, and indeed I have achieved that. But I believe that it would be more efficient if I only had to process incoming DNS queries.
Any help would be appreciated.
J.A. Coutts
I forgot that I was operating in promiscuous mode, and I suspect that is the problem.
J.A. Coutts
All attempts to get the service to reactivate itself failed. All attempts to get the restart service option to do the job resulted in a hung service manager thread with a status of “Stopping”. In order to restart an application, I would normally pass control and a handle to a second program or script to kill the application, wait an appropriate period, restart the application, and then kill the second application itself. Being a service, this approach was not too appealing, but the following code did the job after it detected no ethernet traffic:
Service1.Connect                    'This command stops the service?
Shell ("net start ServiceName")     'This command starts the service!
The System event log shows the service being stopped and then started with the same time stamp. 2 seconds later, my own log file shows the service actually being started. This is the first time I have ever got an application to restart itself, and I can't explain how or why.
I put in an idle counter (approx. 50 seconds) and logged the results to file. The counter was reset every time an Ethernet packet was received. What I discovered was that after a wake up from an S3 sleep mode, the "Do While ReadPacket(nHandle, Request)" never returned a true value, and the counter kept incrementing. Is there a workaround available for this?
Second problem resolved. Changed:
Filename = WinDir & "\system32\logfiles\DNS" & Format(Date$, ("yyyymmdd")) & ".log"
to
Filename = WinDir & "\system32\logfiles\DNS" & Year(Now) & Month(Now) & Day(Now) & ".log"
and the month/day reversal when running the service disappeared.
Thank you, SerpentFly.
I have used this technique without a problem on XP, but Microsoft has completely rewritten the TCP/IP stack software and added support for IPv6. It is NDISWANIPV6 that seems to be causing the problem. It can take up a different position without even logging off (i.e. when waking up).
J.A. Coutts