Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 661 through 675 (of 1,496 total)
  • in reply to: MSVC 2012/ 2010 #7152
    Vadim Smirnov
    Keymaster

      The problem is caused by the -DUNICODE compiler switch. If you want your project to use UNICODE then you have to recompile ndisapi.dll as UNICODE too. For backward compatibility with earlier versions of Windows, the ndisapi.dll distributed within the WinpkFilter package is built as multibyte.

      in reply to: NtKernel filter best performance for reinjecting traffic #7153
      Vadim Smirnov
      Keymaster

        ReadPackets/SendPacketsToXXX were added to reduce the number of user/kernel context switches and thus increase the performance.

        The easiest approach would be processing packets one by one in one thread; however, if you use multiple threads and still want to take advantage of SendPacketsToXXX API calls, I would keep an internal queue of packets for each network interface which are ready to send to the driver (actually two queues, one for outgoing and one for incoming packets). The queue should be sent to the driver on one of two events:
        1) Queue size reached its “immediate sent” size
        2) Timeout occurs

        Size and timeout should be dynamic parameters adjusted depending on the amount of packets you get from the driver. E.g. the faster you read packets from the driver the less the timeout.
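
The queueing scheme described in the post above, as an added C++ example (not part of the original reply and not WinpkFilter code). `BatchQueue`, its `flush` callback (standing in for one batched driver call), the starting values and the doubling/halving policy are assumptions; one instance would exist per adapter and direction.

```cpp
#include <algorithm>
#include <chrono>
#include <cstdint>
#include <functional>
#include <mutex>
#include <utility>
#include <vector>

using Clock = std::chrono::steady_clock;
using Usec = std::chrono::microseconds;
using Packet = std::vector<std::uint8_t>;  // stand-in for one intercepted frame

// Hypothetical per-adapter, per-direction queue of packets ready to send.
// `flush` stands in for one batched driver call; it is not the WinpkFilter API.
class BatchQueue {
public:
    using Flush = std::function<void(const std::vector<Packet>&)>;
    explicit BatchQueue(Flush flush) : flush_(std::move(flush)) {}
    // Worker threads call this; event 1: queue reached its "immediate send" size.
    void push(Packet p, Clock::time_point now) {
        std::lock_guard<std::mutex> g(m_);
        if (q_.empty()) oldest_ = now;
        q_.push_back(std::move(p));
        if (q_.size() >= limit_) flush_locked(true);
    }
    // A timer thread calls this; event 2: the oldest queued packet timed out.
    void tick(Clock::time_point now) {
        std::lock_guard<std::mutex> g(m_);
        if (!q_.empty() && now - oldest_ >= timeout_) flush_locked(false);
    }
    std::size_t limit() { std::lock_guard<std::mutex> g(m_); return limit_; }
    Usec timeout() { std::lock_guard<std::mutex> g(m_); return timeout_; }

private:
    // Assumed policy: a size-triggered flush means packets arrive fast, so halve
    // the timeout and double the batch; a timeout flush means the opposite.
    void flush_locked(bool full) {
        flush_(q_);
        q_.clear();
        limit_ = full ? std::min<std::size_t>(limit_ * 2, 256) : std::max<std::size_t>(limit_ / 2, 1);
        timeout_ = full ? std::max(timeout_ / 2, Usec(250)) : std::min(timeout_ * 2, Usec(8000));
    }
    Flush flush_;
    std::mutex m_;
    std::vector<Packet> q_;
    Clock::time_point oldest_{};
    std::size_t limit_ = 8;
    Usec timeout_{2000};
};
```

The callback runs while the queue lock is held, so it should do nothing beyond handing the batch to the driver.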

        in reply to: STATIC FILTER using VB #7148
        Vadim Smirnov
        Keymaster

          Yes, Windows 2000 is supported, although the driver installed for that OS is different from the one used for XP or Vista and later.

          If you can collect the crash dump (kernel or full) we could check what has happened. I suspect this could be a sort of software conflict if you have firewalling/AV software installed.

          in reply to: STATIC FILTER using VB #7146
          Vadim Smirnov
          Keymaster

            Hi,

            I have nearly no experience in VB, but there is a C sample filter.cpp which has a scenario to redirect only DNS packets for processing by a WinpkFilter application.

            This sample scenario can be easily modified to intercept only DNS queries destined for the local DNS server this way:


            pFilters->m_TableSize = 2;


            // 1. Incoming DNS requests filter: REDIRECT IN UDP packets with destination PORT 53
            // Common values
            pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
            pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
            pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
            pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

            // Network layer filter
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

            // Transport layer filter
            pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT; // match on the destination port range set below
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

            //***************************************************************************************
            // 2. Pass all packets (skipped by previous filters) without processing in user mode
            // Common values
            pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
            pFilters->m_StaticFilters[1].m_ValidFields = 0;
            pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
            pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

            break;

            The filter you showed in your initial post should select only outgoing DNS queries, not incoming ones.

            in reply to: Winpk filter on Windows 7 #7138
            Vadim Smirnov
            Keymaster

              From what I can see WinpkFilter is installed and works. For example, these are definitely your ICMP PING packets:

              9 – MSTCP –> Interface
              Packet size = 74
              Source MAC: C0A8010CC0A8
              Destination MAC: 000080016CC3

              8 – Interface –> MSTCP
              Packet size = 74
              Source MAC: C0A80102C0A8
              Destination MAC: 0000800164E8

              But for some reason the packet is not correctly parsed by the passthru sample. This may be caused by a version mismatch between the driver and the passthru application (the INTERMEDIATE_BUFFER structure was changed several times in recent versions and it is important to use a driver and application built on the same common.h).

              in reply to: Static filter table – netbios traffic is redirected always #7143
              Vadim Smirnov
              Keymaster

                If you look at the filter.cpp sample you can find the scenario which redirects only DNS packets to user mode and passes any other packets. Filters are defined as follows:

                //**************************************************************************************
                // 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
                // Common values
                pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
                pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

                // Network layer filter
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                // Transport layer filter
                pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
                pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

                //****************************************************************************************
                // 2. Incoming DNS responses filter: REDIRECT IN UDP packets with source PORT 53
                // Common values
                pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_REDIRECT;
                pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

                // Network layer filter
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                // Transport layer filter
                pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 53; // DNS
                pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 53;

                //***************************************************************************************
                // 3. Pass all packets (skipped by previous filters) without processing in user mode
                // Common values
                pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
                pFilters->m_StaticFilters[2].m_ValidFields = 0;
                pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_PASS;
                pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

                break;

                Does this sample work for you?

                Vadim Smirnov
                Keymaster

                  Hi Ghita,

                  I can’t see the filters you have set, but I suspect that your filters for blocking TCP/UDP may be destination IP/MAC address specific and therefore broadcast/multicast packets get passed (they have special broadcast/multicast MAC and IP addresses).

                  Hope it helps…

                  in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7133
                  Vadim Smirnov
                  Keymaster

                    Thank you for the update. I’m glad that you have resolved the issue.

                    in reply to: Winpk filter on Windows 7 #7136
                    Vadim Smirnov
                    Keymaster

                      Could you provide more details?
                      1) ListAdapters output.
                      2) PassThru output. For this test ping one of other notebooks.
                      3) IPCONFIG output.

                      We are not aware of any issues with Windows 7, so it must be something about your configuration or usage.

                      in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7131
                      Vadim Smirnov
                      Keymaster

                        To resolve an issue with DNS you can change all your filters from blocking to redirect and check the filter ID in the DNS packets. This way you can identify the filter which selects DNS packets.

                        in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7127
                        Vadim Smirnov
                        Keymaster

                          From what I can see filter 2 is supposed to block incoming packets on local port 80. If this is what you want to do and still incoming packets on port 80 are not blocked then there is only one possibility – these packets are passed by filter 1.
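
The two replies above both rest on the table being evaluated in order, with the first matching filter deciding the packet's fate. The following added C++ example (not from the original posts, and not WinpkFilter's own structures) models that: `Rule`, `Pkt`, `select_rule`, `to_diagnostic` and the table in `sample_table` are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model of an ordered static filter table (hypothetical types; the
// real WinpkFilter structures carry more fields than shown here).
enum class Action { Pass, Drop, Redirect };
enum Dir : unsigned { In = 1, Out = 2 };
enum Valid : unsigned { Proto = 1, SrcPort = 2, DstPort = 4 };
struct Rule {
    unsigned dirs;        // directions the rule applies to
    unsigned valid;       // which of the fields below are compared
    std::uint8_t proto;   // 6 = TCP, 17 = UDP
    std::uint16_t srcLo, srcHi, dstLo, dstHi;
    Action action;
};
struct Pkt { Dir dir; std::uint8_t proto; std::uint16_t src, dst; };

static bool matches(const Rule& r, const Pkt& p) {
    if (!(r.dirs & p.dir)) return false;
    if ((r.valid & Proto) && r.proto != p.proto) return false;
    if ((r.valid & SrcPort) && (p.src < r.srcLo || p.src > r.srcHi)) return false;
    if ((r.valid & DstPort) && (p.dst < r.dstLo || p.dst > r.dstHi)) return false;
    return true;          // fields not flagged valid are ignored
}
// First match wins: returns the index of the selecting rule, or -1 if none.
int select_rule(const std::vector<Rule>& table, const Pkt& p) {
    for (std::size_t i = 0; i < table.size(); ++i)
        if (matches(table[i], p)) return static_cast<int>(i);
    return -1;
}
// Diagnostic copy of a table: every Drop becomes Redirect so the packet
// reaches user mode, where the index of the selecting rule can be logged.
std::vector<Rule> to_diagnostic(std::vector<Rule> table) {
    for (Rule& r : table)
        if (r.action == Action::Drop) r.action = Action::Redirect;
    return table;
}
// Constructed sample table: rule 0 shadows rule 1, rule 2 also catches DNS.
std::vector<Rule> sample_table() {
    return {
        {In, Proto, 6, 0, 0, 0, 0, Action::Pass},             // all incoming TCP
        {In, Proto | DstPort, 6, 0, 0, 80, 80, Action::Drop}, // never reached
        {Out, DstPort, 0, 0, 0, 1, 1023, Action::Drop},       // no protocol check
        {In | Out, 0, 0, 0, 0, 0, 0, Action::Pass},           // catch-all
    };
}
```

In this constructed table, an incoming TCP packet to port 80 is selected by rule 0 rather than rule 1, and an outgoing UDP query to port 53 is selected by rule 2, which the diagnostic copy redirects instead of dropping.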

                          in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7128
                          Vadim Smirnov
                          Keymaster

                            I don’t have the filters code under hand at the moment but for the second filter I would add that it should be applied to TCP protocol.

                            in reply to: Winpk filter missing or failed to load #7126
                            Vadim Smirnov
                            Keymaster

                              Please clarify: are you using an application built on top of the WinpkFilter driver, and this application reports that the driver is missing?

                              in reply to: WinpkFilter news/updates. #5516
                              Vadim Smirnov
                              Keymaster

                                Windows Packet Filter Kit 3.1.3 released:
                                – Changed approach to disable TCP task offload in NDIS LWF. Previous method had some known issues.

                                If you are eligible for a free update, please send the following details to [email protected] to receive update instructions:

                                1) Your order ID.
                                2) An approximate date of purchasing.

                                in reply to: Winpkfilter with IPSecVPN #7125
                                Vadim Smirnov
                                Keymaster

                                  I’m not familiar with the IPSECVPN software you use, but yes, there are two possibilities:

                                  1) IPSEC driver above WinpkFilter: in this case instead of normal TCP/IP packets (all or only part of them depending on IPSEC policy) you intercept encrypted IPSEC packets. I’m not sure how your WinpkFilter software would deal with these packets (tries to tunnel or ignores).
                                  2) IPSEC driver below WinpkFilter: in this case your UDP tunnel packets can be encrypted by the IPSEC driver (depending on the policy).

                                  I would check what packets you get in your WinpkFilter software and check what packets go out on the network media with a network sniffer to discover the details.
