Forum Replies Created
How does winpkfilter work for setting up the SEND / Received message?
If packet comes from the network it is marked as ON_RECEIVE and ON_SEND otherwise.
And what do you think, how many packets are an overflow from the local MAC if I capture these by it?
Sorry, I don’t understand the question, could you clarify?
February 20, 2008 at 10:00 am in reply to: NeT Firewall 2.x Does Not Load Port Mapping on Startup #65562
2.x firewall service loaded only filters and adapter modes; new features like port mappings were not supported. It was fixed in 3.x.
Loading the following filter will force all UDP packets to pass without processing in user mode; all other packets will be redirected for processing in user mode.
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID; // only the network-layer part of the filter is checked
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS; // matching packets bypass user mode
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE; // both directions
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL; // match on protocol field only
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;
Refer to the "filter" sample for general filter usage.
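To make the semantics of that rule concrete, here is a small model of how such a static filter is evaluated against an Ethernet frame. This is an added example written for this page, not SDK code or the author's own: the field and constant names follow the post above, but the types, constant values, the `static_filter` struct, `decide()`, `build_frame()` and `run_checks()` are this example's own assumptions, and the frames it checks are constructed inline.

```c
/* Constructed model of how a WinpkFilter-style static filter is evaluated.
   Field and constant names follow the post; types and values are our own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_UDP, IPPROTO_TCP */

#define PACKET_FLAG_ON_SEND     0x1u
#define PACKET_FLAG_ON_RECEIVE  0x2u
#define NETWORK_LAYER_VALID     0x1u
#define IP_V4_FILTER_PROTOCOL   0x1u

enum filter_action { FILTER_PACKET_PASS = 1, FILTER_PACKET_REDIRECT = 2 };

typedef struct {
    uint64_t m_Adapter;            /* 0 = applies to all adapters */
    uint32_t m_ValidFields;        /* which layers of the filter are checked */
    enum filter_action m_FilterAction;
    uint32_t m_dwDirectionFlags;   /* ON_SEND, ON_RECEIVE, or both */
    uint32_t m_IPv4ValidFields;    /* which IPv4 fields are checked */
    uint8_t  m_Protocol;           /* IP protocol number to match */
} static_filter;

/* The UDP pass-through rule from the post, expressed in this model's types. */
static const static_filter udp_pass = {
    0, NETWORK_LAYER_VALID, FILTER_PACKET_PASS,
    PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE,
    IP_V4_FILTER_PROTOCOL, IPPROTO_UDP
};

/* Returns 1 if the filter matches this frame on this adapter and direction. */
int filter_matches(const static_filter *f, uint64_t adapter, uint32_t direction,
                   const uint8_t *frame, size_t len)
{
    if (f->m_Adapter != 0 && f->m_Adapter != adapter) return 0;
    if ((f->m_dwDirectionFlags & direction) == 0) return 0;
    if (f->m_ValidFields & NETWORK_LAYER_VALID) {
        /* 14-byte Ethernet header; EtherType 0x0800 = IPv4; protocol at IP offset 9 */
        if (len < 14 + 20) return 0;
        if (!(frame[12] == 0x08 && frame[13] == 0x00)) return 0;
        if ((frame[14] >> 4) != 4) return 0;
        if ((f->m_IPv4ValidFields & IP_V4_FILTER_PROTOCOL) &&
            frame[14 + 9] != f->m_Protocol)
            return 0;
    }
    return 1;
}

/* Walk the table in order; the first match decides. Packets no rule matches
   go to user mode, which is what the post describes for "all other packets". */
enum filter_action decide(const static_filter *table, size_t count, uint64_t adapter,
                          uint32_t direction, const uint8_t *frame, size_t len)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (filter_matches(&table[i], adapter, direction, frame, len))
            return table[i].m_FilterAction;
    return FILTER_PACKET_REDIRECT;
}

/* Build a constructed minimal Ethernet + IPv4 frame carrying the given protocol. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t protocol)
{
    memset(buf, 0, 14 + 20);
    memset(buf, 0xFF, 6);                               /* dst MAC (constructed) */
    memcpy(buf + 6, "\x02\x00\x00\x00\x00\x01", 6);     /* src MAC (constructed) */
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;                                     /* IPv4, IHL 5 */
    buf[14 + 9] = protocol;
    return 14 + 20;
}

/* Exercise the rule: UDP in either direction passes, everything else is redirected.
   Returns 0 when every check holds, otherwise the number of the failing check. */
int run_checks(void)
{
    uint8_t f[64];
    size_t n = build_frame(f, 0x0800, IPPROTO_UDP);
    if (decide(&udp_pass, 1, 7, PACKET_FLAG_ON_SEND, f, n) != FILTER_PACKET_PASS) return 1;
    if (decide(&udp_pass, 1, 7, PACKET_FLAG_ON_RECEIVE, f, n) != FILTER_PACKET_PASS) return 2;
    n = build_frame(f, 0x0800, IPPROTO_TCP);
    if (decide(&udp_pass, 1, 7, PACKET_FLAG_ON_RECEIVE, f, n) != FILTER_PACKET_REDIRECT) return 3;
    n = build_frame(f, 0x0806, IPPROTO_UDP);   /* ARP EtherType: no IPv4 header, no match */
    if (decide(&udp_pass, 1, 7, PACKET_FLAG_ON_SEND, f, n) != FILTER_PACKET_REDIRECT) return 4;
    return 0;
}
```

The point worth noticing is the default: anything the table does not match is redirected to user mode, so a pass-through rule narrows what the user-mode process sees rather than widening it, and a non-IPv4 frame never matches an IPv4 protocol rule at all.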
Can UDP packets pass without entering winpk filter?
No, unless you have loaded a filter to pass UDP packets without user-mode processing.
Can I do it using winpkfilter ? If yes how can I do that ?
You can. Just set the IP/TCP headers as I have set the Ethernet header in the sample above. The actual values of the IP/TCP headers depend on the packet you intend to form.
pavankvnaidu posted a sample where he tries to initialize IP and UDP headers; you have to do a similar job.
Actually that depends on how you copy the data. If, for example, you have a VirtNet NIC with IP address 192.168.1.101 and send ping packets to it:
ping 192.168.1.101 -t
Then actually none of the ping echo packets ever really reach the NIC; all data sent/received to/from local interfaces is processed inside TCP/IP. So no real network usage….
Could this happen because the real packet being sent differs in length from the original one?
No, more likely because you have somehow broken the original packet… The system crashes when freeing the original packet…
Something somewhere is done wrong, but what and where…
Please do not tell me through the winpkfilter data. How can I handle that through the general IP header or TCP header?
You can try to match Ethernet/IP address information (for example, source MAC == local NIC MAC ==> outgoing), but this does not give any guarantee because it is possible to send an arbitrary packet on the network.
pIpHeader->ip_len is in network byte order, so it should be:
DWORD dwDataLength = ntohs(pIpHeader->ip_len) - ( pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
Can winpkfilter be used to send packet as if it is coming from remote PC ( internet remote host like yahoo ? )
Sure. The easiest way for you to start is to take and parse a normally received packet (intercepted from the network). You can do it with one of the network sniffers (like Network Monitor or Ethereal). Then just build your own packet with WinpkFilter in the same way. Of course it requires some understanding of how TCP/IP works..
Drivers are not displayed in Task Manager which shows only user mode processes. You can see services associated with the virtual NIC’s (like in case with VMware), but not the drivers themselves.
Sending modified packet does not differ from sending unmodified one, however take care to recalculate packet checksums.
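Two of the replies above carry the same practical lesson: `ip_len` is in network byte order and must go through `ntohs` before the header lengths are subtracted from it, and a packet whose fields have been rewritten needs its checksums recomputed before it is sent. The following is an added example for this page, not SDK code or the author's: plain C over a raw IPv4/TCP packet that is constructed inline, with the helper names (`tcp_payload_length`, `ipv4_header_checksum`, `tcp_checksum`, `rewrite_ttl`, `checksums_valid`, `run_checks`) being this example's own.

```c
/* Constructed example: TCP payload length with correct byte-order handling,
   and IPv4 / TCP checksum recalculation after a header field is rewritten. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <arpa/inet.h>    /* ntohs, htons */

/* Sum 16-bit big-endian words into a 32-bit accumulator (RFC 1071 style). */
static uint32_t csum_add(uint32_t sum, const uint8_t *data, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                          /* odd trailing byte is zero-padded */
        sum += (uint32_t)(data[len - 1] << 8);
    return sum;
}

/* Fold the carries and take the one's complement. */
static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header checksum, computed with the checksum field itself treated as zero. */
uint16_t ipv4_header_checksum(const uint8_t *ip)
{
    uint8_t hdr[60];
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    memcpy(hdr, ip, ihl);
    hdr[10] = hdr[11] = 0;
    return csum_finish(csum_add(0, hdr, ihl));
}

/* Payload length: ip_len sits on the wire in network byte order, so convert it
   with ntohs before subtracting the header lengths. Returns -1 if the packet
   is too short or the headers claim more bytes than the buffer holds. */
int tcp_payload_length(const uint8_t *pkt, size_t len, size_t *out)
{
    uint16_t raw_len;
    size_t ihl, thoff, total;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != IPPROTO_TCP) return -1;
    memcpy(&raw_len, pkt + 2, sizeof raw_len);
    total = ntohs(raw_len);
    thoff = (size_t)(pkt[ihl + 12] >> 4) * 4;           /* TCP data offset */
    if (thoff < 20 || total > len || total < ihl + thoff) return -1;
    *out = total - (ihl + thoff);
    return 0;
}

/* TCP checksum over the pseudo-header plus the segment (header + payload).
   Call only after tcp_payload_length() has validated the packet. */
uint16_t tcp_checksum(const uint8_t *ip)
{
    uint16_t raw_len;
    uint8_t pseudo[12], seg[1500];
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4, seg_len;
    memcpy(&raw_len, ip + 2, sizeof raw_len);
    seg_len = (size_t)ntohs(raw_len) - ihl;
    if (seg_len > sizeof seg) return 0;
    memcpy(pseudo, ip + 12, 8);                          /* src + dst address */
    pseudo[8] = 0;
    pseudo[9] = ip[9];                                   /* protocol */
    pseudo[10] = (uint8_t)(seg_len >> 8);
    pseudo[11] = (uint8_t)seg_len;
    memcpy(seg, ip + ihl, seg_len);
    seg[16] = seg[17] = 0;                               /* checksum field zeroed */
    return csum_finish(csum_add(csum_add(0, pseudo, 12), seg, seg_len));
}

/* Build a constructed IPv4/TCP packet with valid checksums; returns its length. */
size_t build_sample_packet(uint8_t *buf)
{
    static const char payload[] = "GET / HTTP/1.0\r\n";  /* 16 bytes, constructed */
    size_t plen = sizeof payload - 1, total = 20 + 20 + plen;
    uint16_t v;
    memset(buf, 0, total);
    buf[0] = 0x45;                                       /* version 4, IHL 5 */
    v = htons((uint16_t)total); memcpy(buf + 2, &v, 2);
    buf[8] = 64;                                         /* TTL */
    buf[9] = IPPROTO_TCP;
    memcpy(buf + 12, "\xC0\xA8\x01\x65", 4);             /* 192.168.1.101 (constructed) */
    memcpy(buf + 16, "\xC0\xA8\x01\x01", 4);             /* 192.168.1.1 (constructed) */
    v = htons(40000); memcpy(buf + 20, &v, 2);           /* source port */
    v = htons(80);    memcpy(buf + 22, &v, 2);           /* destination port */
    buf[32] = 0x50;                                      /* data offset 5 = 20 bytes */
    buf[33] = 0x18;                                      /* PSH | ACK */
    v = htons(8192);  memcpy(buf + 34, &v, 2);           /* window */
    memcpy(buf + 40, payload, plen);
    v = htons(ipv4_header_checksum(buf)); memcpy(buf + 10, &v, 2);
    v = htons(tcp_checksum(buf));         memcpy(buf + 36, &v, 2);
    return total;
}

/* Rewrite the TTL and bring the IPv4 header checksum back in step. */
void rewrite_ttl(uint8_t *pkt, uint8_t ttl)
{
    uint16_t v;
    pkt[8] = ttl;
    v = htons(ipv4_header_checksum(pkt));
    memcpy(pkt + 10, &v, 2);
}

/* 1 if both stored checksums match what the packet contents require. */
int checksums_valid(const uint8_t *pkt, size_t len)
{
    size_t payload;
    uint16_t ipc, tcpc;
    if (tcp_payload_length(pkt, len, &payload) != 0) return 0;
    memcpy(&ipc, pkt + 10, 2);
    memcpy(&tcpc, pkt + (size_t)(pkt[0] & 0x0F) * 4 + 16, 2);
    return ntohs(ipc) == ipv4_header_checksum(pkt) && ntohs(tcpc) == tcp_checksum(pkt);
}

/* Returns 0 when every check holds, otherwise the number of the failing check. */
int run_checks(void)
{
    uint8_t p[128];
    size_t n = build_sample_packet(p), plen = 0;
    if (n != 56) return 1;
    if (tcp_payload_length(p, n, &plen) != 0 || plen != 16) return 2;
    if (!checksums_valid(p, n)) return 3;
    p[8] = 63;                             /* edit TTL without fixing the checksum */
    if (checksums_valid(p, n)) return 4;
    rewrite_ttl(p, 63);                    /* recalculated: valid again */
    if (!checksums_valid(p, n)) return 5;
    if (tcp_payload_length(p, 30, &plen) != -1) return 6;  /* truncated buffer */
    return 0;
}
```

Reading `ip_len` without `ntohs` on a little-endian host turns the 56-byte packet above into a claimed 14336 bytes, and the bounds check in `tcp_payload_length` is what keeps such a value from walking past the buffer; the TTL step shows why the IP header checksum has to be redone after any header edit, while the TCP checksum, which does not cover the TTL, stays valid.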
Judging by the crash, the packet passed to NdisMSendComplete is no longer valid. What status was returned from MiniportSend? Is MiniportSendPackets used?
Hardly anyone will be able to say anything about this, since it is not even clear where and with what code it crashes. At least post the !analyze -v output…
With what input data?