Forum Replies Created
-
Posts
-
может ли происходить такое из-за того, что реальный отправляемый пакет отличается по длине от исходного?
Нет, скорее уж потому что ты каким-то образом поломал оригинальный пакет… Падает то система на освобождении оригинального пакета…
Где-то что-то сделано неверно, но вот что и где…
please do not say me though the winpkfilter data. How can i handle that though the gernal ip-header or tcp-header?
You can try to match Ethernet/IP address information (an example, source MAC == local NIC MAC ==> outgoing), but this does not give any guarantee because it is possible to send an arbitrary packet on the network.
pIpHeader->ip_len is in network byte order, so it should be:
DWORD dwDataLength = ntohs(pIpHeader->ip_len) - ( pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);Can winpkfilter be used to send packet as if it is coming from remote PC ( internet remote host like yahoo ? )
Sure. The easiest way for you to start is take and parse the normally received packet (intercepted from the network). You can do it with one of the network sniffers (like Network Monitor or Ethereal). Then just build your own packet with WinpkFilter on the same way. Of course it requires some understanding of how TCP/IP works..
Drivers are not displayed in Task Manager which shows only user mode processes. You can see services associated with the virtual NIC’s (like in case with VMware), but not the drivers themselves.
Sending modified packet does not differ from sending unmodified one, however take care to recalculate packet checksums.
Судя пр крашу пакет переданный в NdisMSendComplete уже не валиден. Какой статус был возвращен из MiniportSend? Используется ли MiniportSendPackets?
Вряд ли кто-то сможет что-либо по этому отписать, поскольку неясно даже где и с каким кодом падает. Хотя бы выход с !analyze-v запостил…
Тема с TCPSendData раскрыта тут http://www.ntkernel.com/w&p.php?id=17
Эту функцию нужно перехватывать дополнительно.
In common the order of network adapters reported by WinpkFilter is not permanent. Network adapters are added into the list in the order of their initialization by the system, in most cases it is always the same for the particular system, but it is not guaranteed to be.
It is better to identify network interfaces by their internal names instead of the index in the network adapters list.
UPDATE 1: It appears the problem is related to the Firewall with Hamachi. Is there a way to totally exclude filtering on a specific interface? I configured all to rules to be binded to the real interface and the Hamachi virtual nic is set to “Low Level Security” but I think we should have another option for “Disable Filtering on this Interface” (or kind of). Thanks!
The conflict between low level network software is quite possible. By default NeT Firewall intercepts all network adapters bound to TCP/IP and this can’t be change through the management console. It would require rebuilding NeT Firewall driver with a special check on Hamachi network interface.
I will check what really happens with Hamachi once I have some spare time.
WinpkFilter 3.0.4 released. This service release includes:
1) Compatibility fixes in WinpkFilter API DLL and drivers
2) x64 driver support for 32 bit code running in WOW64. This feature should be useful for developers whose development tools does not include x64 native compiler. An example, Delphi 32-bit application can work with WinpkFilter driver on Windows x64.
3) Kernel level filters. You can load a filter table into WinpkFilter driver which defines rules for packet pass, block or redirect_and_ process by your application. This may seriously improve perfomance.
4) C# interface and samplesImportant note:
For Windows Vista and later versions of the Windows family of operating systems, kernel-mode software must have a digital signature to load on x64-based computer systems. WinpkFilter drivers are not signed and in order to test them on Vista x64 you should press F8 during system boot and choose Disable Driver Signature Enforcement option. For the commercial software you’d have to obtain Code Signing certificate from Verysign or another Certificate Authority authorized by Microsoft.If you are eligible for a free update, please send the following details to [email protected] to receive an update instruction:
1. Your order ID.
2. An approximate date of purchasing.If I use this code and trace it using packet sniffer it sends the packets. I am sending the packet to local PC itself. But in the sniffed packet I see Frame check sequence error. Will it create any problem. Can u please tell me why the error occurring ? And what I am missing here ?
The code above initializes only Ethernet header and sets next protocol as IP without initializing the IP header. This may cause sniffers to show this packet as a bogus one.
