Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 736 through 750 (of 1,496 total)
  • in reply to: Bug in ndisapi.cs file #7028
    Vadim Smirnov
    Keymaster

      Thanks for reporting this

      in reply to: Duplicated packets #7022
      Vadim Smirnov
      Keymaster

        By the way, here is a packet duplication issue VirtualBox had in the past:

        http://www.virtualbox.org/ticket/2713

        in reply to: Duplicated packets #7021
        Vadim Smirnov
        Keymaster

          I was not able to reproduce packet duplication by enabling routing and even installing VirtualBox. However, can you try to uncheck the VirtualBox Bridge Networking Driver and see if packet duplication still takes place?

          In the past I have observed packet duplication when working on my version of an Ethernet Bridge based on the NDIS IM driver. In order to get bridged to the real network, the NDIS IM driver has to place the real network interface into promiscuous mode in order to be able to get packets destined to an Ethernet address different from the NIC hardware address. So you have a cocktail of routing and bridging in promiscuous mode on your system, and adding one extra binding into the configuration (like an LWF filter driver) in theory may cause packet duplication. So it makes sense to remove VirtualBox network bridging from the configuration to see if there is any difference.

          in reply to: Duplicated packets #7018
          Vadim Smirnov
          Keymaster

            All instances are removed from both Windows\INF and Windows\System32\DriverStore\FileRepository using the pnputil.exe shipped with Windows, and verified through Windows Explorer and grep utilities. I’ve seen this on the Asus mentioned above, and a Virtual Machine running under Virtual Box.

            After you think that you have uninstalled and removed the WinpkFilter driver, I would also check if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ndisrd still exists. Sometimes uninstall does not remove this key.

            in reply to: Duplicated packets #7017
            Vadim Smirnov
            Keymaster

              What OS have you been testing with? Have you any other low level network components installed besides WinpkFilter LWF? Are you able to reproduce the problem with basic samples like passthru?

              Internet Gateway is a very draft sample application which includes some relatively complex advanced functionality (NAT, routing capabilities). It may be some kind of bug in the Internet Gateway itself. That's why it would be good to know if this problem is reproducible with a very simple test application like passthru. If passthru works fine then this is probably an Internet Gateway issue, otherwise this is something about network configuration or a driver conflict.

              in reply to: Duplicated packets #7015
              Vadim Smirnov
              Keymaster

                I have performed a quick test of the WinpkFilter 3.0.8 LWF driver on a fresh copy of Windows 7 x64. Besides WinpkFilter only Wireshark was installed. The system was connected to the Internet through the LAN network adapter.

                I have not noticed any duplicated packets either in normal or even in promiscuous mode. So the issue is probably caused by your software or hardware configuration.

                From my previous experience, duplicated packets are usually caused by incorrect processing of loopback indicated packets. It is like a packet sent by a filter or protocol driver to the network interface is indicated back (as if it were received from the network) to all other bindings (protocol or filter drivers). Normally it does not cause any real problems, however if you have several third party network components installed on your system (for example, NAT with a single NIC routing feature) it may cause some unexpected behaviour. For example, a single NIC routing NAT may reroute the loopback packet back into the network, thus causing it to be indicated back to all other bindings once again. This may even cause a nearly endless loop until the TTL expires.

                in reply to: Duplicated packets #7014
                Vadim Smirnov
                Keymaster

                  In trying to switch to the IM driver to see if it yields the same issues, I’m not able to successfully install it. I’m getting error code 0x80070436 when running snetcfg, indicating “The name is already in use as either a service name or a service display name.” I’ve uninstalled the LWF drivers with snetcfg, and used pnputil to clear out all the LWF instances in the driver store. It seems to still have a reference to the LWF driver and won’t let me install the IM driver since it has the same name.

                  Try to remove the cached INF/PNF files from the Windows\INF folder.

                  in reply to: Duplicated packets #7013
                  Vadim Smirnov
                  Keymaster

                    To understand what happens I need to reproduce your problem, so I have several questions:

                    1) Could you please describe your software/hardware configuration?
                    2) What tool have you used to capture the traffic? Have you experienced this with your own application only, or do the standard utilities shipped with WinpkFilter behave the same?
                    3) Have you used promiscuous mode?

                    in reply to: Creating a packet #7010
                    Vadim Smirnov
                    Keymaster

                      And what is “just a packet”? WinpkFilter lets you send any arbitrary byte array to the network or up to TCP/IP. The main thing is to correctly initialize the buffer, the packet length and the adapter.

                      And, just in case, it should be noted that it is unsafe to send an arbitrary byte array to NDISWANIP, because part of the MAC address is used as the WAN connection index.

                      in reply to: WinPkFilter doesn’t work when I’m using VPN #6994
                      Vadim Smirnov
                      Keymaster

                        Besides, when we use WinpkFilter to access ppip media type devices, it seems the devices are unable to connect to the internet. Does WinpkFilter block the usage of ppip devices?

                        ppip is supported by the NDIS 6.0 LWF WinpkFilter driver. The NDIS 5.0 IM driver won’t see ppip devices.

                        There are no known problems with ppip devices and all samples including Internet Gateway successfully work with this media type. However, you must be aware that ppip is a little different from Ethernet, for example, and your application must be aware of it.

                        in reply to: When to recalculate RecalculateIPChecksum ? #7008
                        Vadim Smirnov
                        Keymaster

                          Using 127.XXX.XXX.XXX for redirection is senseless because in Windows such packets never reach NDIS level. You should use local real IP address instead.

                          in reply to: Hook driver in x64.. #7007
                          Vadim Smirnov
                          Keymaster

                            Using the NDIS hooking approach on x64 systems is far more complex than on x86 because the NDIS image is protected by PatchGuard. In general it is possible to disable PatchGuard, but IMHO it is too deep and complicated a hack into the system to be used in a production environment.

                            in reply to: WinPkFilter doesn’t work when I’m using VPN #6991
                            Vadim Smirnov
                            Keymaster

                              There are more and more devices (4G or 3G broadband USB stick) coming out with different types and I want to let WinPkFilter to see the packets from them.

                              These devices normally have the wan or ethernet (if the vendor provides ethernet emulation software) media type. Since Windows 7 a new media type was added (Mobile Broadband stack) named ppip. All these media types are supported by WinpkFilter drivers.

                              I can set up as “no lower” type in filtermediatype but that will filter all the devices which I prefer not doing. Any idea what I can do?

                              Yes, that's right, installing on the nolower media type does not make much sense. The only real world case is supporting filtering over VMWare virtual network interfaces. If VMWare adapters are a “must have” requirement I would try to find a workaround for it, maybe change the VMWare adapter media type to ethernet.

                              If I want to update the filter intermediate driver, do I have to delete all the cached inf/pnf files?

                              The only way to update an NDIS IM driver is to remove the old NetService and install the new version of the NetService. NetCfg does not do ‘updates’ for NetService entries. If the INF file specifies a newer version of the driver it should work as expected. Earlier, if the driver was already installed you could just replace the driver binary and reboot, however I’m not sure if it will successfully deal with driver signing requirements as the CAT file has also changed.

                              in reply to: WinpkFilter news/updates. #5512
                              Vadim Smirnov
                              Keymaster

                                WinpkFilter 3.0.8 released. This update introduces an NDIS 6.0 LightWeight Filter driver to replace the NDIS 5.0 IM driver for Windows Vista/7.

                                If you are eligible for a free update, please send the following details to [email protected] to receive an update instruction:

                                1) Your order ID.
                                2) An approximate date of purchasing.

                                in reply to: Modifying an HTTP packet #7000
                                Vadim Smirnov
                                Keymaster

                                  Read the TCP protocol description carefully: for example, if the packet was made smaller, the receiver will ACK a smaller segment and the sender will keep resending the tail of the packet until it receives an acknowledgment. And vice versa, if the packet was enlarged, the receiver will ACK with a larger value than the sender expects. Is the principle clear?
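
The sequence/acknowledgment mismatch described in the post above, as an added example that is not part of the original post or of WinpkFilter: a filter that resizes a TCP payload has to translate later sequence numbers in one direction and ACK numbers in the other. The names `tcp_edit`, `fix_seq_out` and `fix_ack_in` are hypothetical, and the sketch assumes a single edit per connection.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection record (not a WinpkFilter type): one payload
   edit made by the filter on the sender -> receiver direction. */
typedef struct {
    uint32_t orig_start; /* sender's sequence number of the edited segment */
    uint32_t orig_end;   /* sender's sequence number just past that segment */
    int32_t  delta;      /* payload bytes added (+) or removed (-) */
} tcp_edit;

/* Serial-number comparison: true if a is at or after b modulo 2^32. */
static int seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Sender -> receiver: segments after the edit are shifted into the
   receiver's numbering so they continue where the resized segment ended. */
uint32_t fix_seq_out(const tcp_edit *e, uint32_t seq)
{
    return seq_geq(seq, e->orig_end) ? seq + (uint32_t)e->delta : seq;
}

/* Receiver -> sender: an ACK covering the whole resized segment is shifted
   back into the sender's numbering. A partial ACK inside the resized
   segment cannot be mapped byte for byte, so nothing of it is reported. */
uint32_t fix_ack_in(const tcp_edit *e, uint32_t ack)
{
    uint32_t new_end = e->orig_end + (uint32_t)e->delta;
    if (seq_geq(ack, new_end))
        return ack - (uint32_t)e->delta;
    if (seq_geq(ack, e->orig_start))
        return e->orig_start;
    return ack; /* ACK for data sent before the edit: unchanged */
}

int main(void)
{
    /* Constructed sample: segment seq=1000, len=100, shrunk to 80 bytes. */
    tcp_edit e = { 1000u, 1100u, -20 };
    printf("receiver ACK 1080 -> sender sees %u\n",
           (unsigned)fix_ack_in(&e, 1080u));
    printf("sender seq 1100   -> receiver sees %u\n",
           (unsigned)fix_seq_out(&e, 1100u));
    return 0;
}
```

After either field is rewritten, the TCP checksum of the packet has to be recalculated; SACK options are not handled here.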
