Forum Replies Created
-
Posts
-
I know at least several widely used software products which use LNM engine. At least one of them is used for database monitoring. So I would say this is realistic.
Try using Local Network Monitor to avoid the possibility that you use incorrect filters combination.
I can see only two possibilities:
1) Incorrect set of filters loaded
2) Software conflict with some third party firewall applicationIt is difficult to say what was the exact reason. To avoid software conflict possibility I would recommend running the same configuration on the freshly installed OS without firewall/anti virus software because the last one can include own TDI filter which interfere LNM.
DWORD is defined as unsigned long which is a different type than unsigned int. Although both types has the same implementation (32 bit unsigned value) in MS Windows compiler generates an error.
You have two options to resolve this:
1) Change your thread function definition
2) Explicitly type cast the function pointerIm installing driver with snetcfg with ndisrd.inf and ndisrd_m.inf parameters but im using ndis hooking driver with delphi
NDIS hooking driver must be installed by adding registry entries, not by using snetcfg and INF files created for NDIS IM variant of the driver. Doing like you do would cause unpredictable behavior of the system. At least driver won’t work correctly if installed this way. So probably you use NDIS IM driver, not NDIS hooking one.
I used 3.0.2.1 version of ndisrd.sys
It is recommended to update to 3.0.4. NDIS IM driver included in 3..0.2 had some known problems with loopback packets processing and could be a reason of the BSOD mentioned.
I dont know another way of installing driver. I tried to write values into registery with my own installer, I got some errors on different machines with windows xp. How can I do clear install hooking driver automatically? Is there another script or etc? like snet cfg
I can send you a NSIS installer script for the latest build of winpkfilter for the reference if you want.
В описании WinpkFilter указано, что можно использовать RAW IOCTLs в своем драйвере. А есть ли пример драйвера?
Использовать можно, но никто еще, насколько я знаю, так не делал. Обычно клиенты либо не хотят лезть в ядро и делают все в user space, либо переделывают исходный драйвер (все варианты драйвера разделяют общий сегмент кода относящийся к обработке пакетов, все изменения достаточно вносить в него). В общем-то возможность использования IOCTL интерфейса из ядра упомянута скорее для полноты картины, отдельного примера использования нет.
Какая примерно будет разница по производительности если использовать RAW IOCTLs либо встраиваться прямо в драйвер WinpkFilter?
Оценок не делалось, но накладные расходы при использовании IOCTL интерфейса довольно значительны. В качестве альтернативы, можно было бы экспортировать набор функций из winpkfilter драйвера и предусмотреть регистрацию callback функций – это работало бы быстрее. Но опять же, поскольку никто подобной возможностью не интересовался (дополнительный функционал обычно добавляется по востребованности), она не была добавлена.
Hi,
Thank you for reporting this. I’ve got a few questions:
1) WinpkFilter NDIS hooking variant is installed directly through the registry. snetcfg is only applicable to NDIS IM variant of WinpkFilter. Which driver have actually used?
2) What version of WinpkFilter have you used? Prior 3.0.4 WinpkFilter NDIS IM driver may have meet problems with loopback packets processing which would cause the similar crash. This was fixed in 3.0.4.
3) What Windows version have you used? I’ve quickly tested Windows XP 32 bit with IPX installed and have not noticed problems with both NDIS IM and NDIS hooking drivers.
4) If you have any firewall(even integrated with AV)/VPN software installed then please let us know the name and the version, since this can be a software driver conflict.
SetHwPacketFilter выставляет аппаратный фильтр на сетевой карте, наиболее часто встречающийся пример это перевод сетевого интерфейса в promiscuous mode. То есть прямого отношения к фрагментированным пакетам эта ф-ция не имеет.
Что значит “имеющимся функциями фильтрации, работать с фрагментированными пакетами” мне непонятно. С фрагментированными IP пакетами можно работать точно так же как и с любыми другими.
WinpkFilter получает ethernet фреймы до TCP/IP стека (который осуществляет сборку фрагментов), поэтому если из сети приходят фрагментированные пакеты, то и winpkfilter покажет именно их, а не собранный IP пакет.
What Visual Basic do you actually use? The samples were created for Visual Basic 6, so if you are using them under Visual Basic .NET then then the behavior can be different. An example managed memory can’t be directly passed to driver.
For the legacy NT driver you could use HAL routines to reconfigure your device, for PnP driver you better stick with PnP manager. This paper should be of some help to understand the difference: http://www.hollistech.com/Resources/Misc%20art … usdata.doc
What do excatly mean under “order”? I would not recommend to edit network configuration through the registry, however VirtNet can be found in the registry like any other network interface.
how works the winpkfilter, for setting up the SEND / Received message?
If packet comes from the network it is marked as ON_RECEIVE and ON_SEND otherwise.
and what do you think, how many packets are an overflow from the local mac if i capture theses by it
Sorry, I don’t understand the question, could you clarify?
2.x firewall service loaded only filters and adapter modes, new features like port mappings were not supported. It was fixed in 3.x
Loading the following filter will force all UDP packets to pass without processing in user mode, all other packets will be redirected for processing to user mode.
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;Refer “filter” sample for the general filters usage.
