Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,156 through 1,170 (of 1,419 total)
  • in reply to: Net frozen after few minutes #6071
    Vadim Smirnov
    Keymaster

      Regarding MTU: As far as I know, the Windows default MTU for Ethernet adapters is 1500. I always attach a 20-byte key to outgoing UDP packets.
      Can I conclude from this that I might have a problem only with packets whose total length is 1480 bytes or more ?

      Yes, you will have problems with packets whose size is equal or close to the MTU (so you don’t have 20 bytes in reserve). There is a special API in WinpkFilter, SetMTUDecrement. In your case, if the maximum size of the attached data is 20 bytes, you should call SetMTUDecrement with 20 as a parameter; please note that this API adds a driver-specific value to the registry and requires a reboot to take effect (the driver reads this value from the registry during startup).

      Can I catch packets that are directed either to 127.0.0.1 or to the local IP ? are those packets passed down the TCP stack or are they redirected by Windows back to the application at higher levels ?

      Packets directed to 127.x.x.x or the local IP never reach the NDIS level and are processed internally by TCP/IP. However, this data can be intercepted at the TDI level: http://www.ntkernel.com/w&p.php?id=8 and http://www.ntkernel.com/w&p.php?id=24

      in reply to: Net frozen after few minutes #6069
      Vadim Smirnov
      Keymaster

        Just thought to mention that I’m using the runtime libraries that are available at the web site (hxxp://www.ntoskrnl.com/downloads/winpkflt_rtx86.zip).

        These binaries have no limitations.

        Well, first of all I would start this application under a debugger and check where it stops (or what it is doing) when the network is frozen. Since this is a packet filtering application, the network freeze can easily be caused by an application hang (some deadlock or endless loop).

        Also, I think it is important to mention that if you are attaching additional data to the packets, you should set the MTU decrement to the maximum size of the attached data. The total size of the Ethernet frame should not exceed 1514 bytes. I can’t see from your code whether any length checks are implemented.
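An added example, not the poster's code and not part of the WinpkFilter SDK, of the two things this reply asks for: a length check before attaching data to a UDP packet, and the header fix-ups that follow. It refuses a frame once adding a 20-byte trailer would push it past 1514 bytes, strips Ethernet padding so the trailer lands right after the datagram, and recomputes the IPv4 total length, the UDP length and both checksums. The sample frame (addresses, ports, payload) is constructed for the example; the only external value is the IPv4 header from the Wikipedia "IPv4 header checksum" worked example, used as a known-answer check.

```c
/* Added example, not WinpkFilter SDK code and not the poster's: append a 20-byte
 * trailer to a UDP datagram inside an Ethernet/IPv4 frame, refusing frames that would
 * grow past 1514 bytes, then fix lengths and checksums. Plain C99, untagged frame,
 * 20-byte IPv4 header (no options) assumed. */
#include <stdint.h>
#include <string.h>

#define ETH_HLEN    14
#define IP_HLEN     20
#define UDP_HLEN    8
#define MAX_FRAME   1514   /* 1500-byte MTU plus the Ethernet header */
#define TRAILER_LEN 20     /* size of the key the poster attaches */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement sum folded to 16 bits; an odd last byte is zero-padded. */
static uint32_t ones_sum(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += rd16(p);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return sum;
}

/* IPv4 header checksum: sum bytes 0-9 and 12-19, skipping the checksum field. */
static uint16_t ipv4_checksum(const uint8_t *ip)
{
    return (uint16_t)~ones_sum(ones_sum(0, ip, 10), ip + 12, 8);
}

/* Folded sum over the pseudo-header (src, dst, 0, proto, length) and the segment.
 * Same for UDP (17) and TCP (6): checksum = ~sum with the field zeroed; a received
 * segment verifies when the sum including the field is 0xFFFF. */
static uint32_t transport_sum(const uint8_t *ip, uint8_t proto,
                              const uint8_t *seg, uint16_t seglen)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = proto; wr16(pseudo + 10, seglen);
    return ones_sum(ones_sum(0, pseudo, 12), seg, seglen);
}

/* Append the trailer to the UDP payload of the frame in buf (length *len, capacity cap).
 * 0 = done, -1 = not a plain IPv4/UDP frame, -2 = no room under MAX_FRAME or cap. */
static int append_udp_trailer(uint8_t *buf, size_t *len, size_t cap,
                              const uint8_t trailer[TRAILER_LEN])
{
    if (*len < ETH_HLEN + IP_HLEN + UDP_HLEN) return -1;
    uint8_t *ip = buf + ETH_HLEN, *udp = ip + IP_HLEN;
    if (rd16(buf + 12) != 0x0800 || ip[0] != 0x45 || ip[9] != 17) return -1;
    uint16_t iplen = rd16(ip + 2), udplen = rd16(udp + 4);
    if ((size_t)ETH_HLEN + iplen > *len || udplen != iplen - IP_HLEN) return -1;
    *len = (size_t)ETH_HLEN + iplen;  /* drop Ethernet padding: trailer follows the datagram */
    if (*len + TRAILER_LEN > MAX_FRAME || *len + TRAILER_LEN > cap) return -2;

    memcpy(buf + *len, trailer, TRAILER_LEN);
    *len += TRAILER_LEN;
    iplen += TRAILER_LEN; udplen += TRAILER_LEN;
    wr16(ip + 2, iplen);
    wr16(udp + 4, udplen);
    wr16(ip + 10, ipv4_checksum(ip));
    wr16(udp + 6, 0);
    uint16_t c = (uint16_t)~transport_sum(ip, 17, udp, udplen);
    wr16(udp + 6, c ? c : 0xFFFF);    /* RFC 768: a zero field means "no checksum" */
    return 0;
}

/* Constructed sample frame 192.168.0.1:4660 -> 192.168.0.199:53 with plen payload bytes;
 * returns the frame length, or 0 if it does not fit in cap. */
static size_t build_udp_frame(uint8_t *buf, size_t cap, const uint8_t *payload, uint16_t plen)
{
    static const uint8_t addrs[8] = { 0xc0,0xa8,0,1, 0xc0,0xa8,0,0xc7 };
    size_t len = ETH_HLEN + IP_HLEN + UDP_HLEN + plen;
    if (len > cap) return 0;
    memset(buf, 0, len);
    wr16(buf + 12, 0x0800);
    uint8_t *ip = buf + ETH_HLEN, *udp = ip + IP_HLEN;
    ip[0] = 0x45; wr16(ip + 2, (uint16_t)(IP_HLEN + UDP_HLEN + plen)); ip[8] = 64; ip[9] = 17;
    memcpy(ip + 12, addrs, 8);
    wr16(ip + 10, ipv4_checksum(ip));
    wr16(udp, 0x1234); wr16(udp + 2, 53); wr16(udp + 4, (uint16_t)(UDP_HLEN + plen));
    memcpy(udp + UDP_HLEN, payload, plen);
    uint16_t c = (uint16_t)~transport_sum(ip, 17, udp, (uint16_t)(UDP_HLEN + plen));
    wr16(udp + 6, c ? c : 0xFFFF);
    return len;
}

/* Header from the Wikipedia "IPv4 header checksum" worked example; checksum 0xB861. */
static const uint8_t kSampleIpHeader[IP_HLEN] = {
    0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11,0xb8,0x61,
    0xc0,0xa8,0x00,0x01,0xc0,0xa8,0x00,0xc7 };

/* UDP checksum of the constructed 4-byte "abcd" datagram (hand-computed: 0xA68D). */
static uint16_t demo_small_checksum(void)
{
    uint8_t frame[64];
    size_t len = build_udp_frame(frame, sizeof frame, (const uint8_t *)"abcd", 4);
    return len ? rd16(frame + ETH_HLEN + IP_HLEN + 6) : 0;
}

/* Build a frame with plen payload bytes and append the trailer: 0 when appended and both
 * checksums still verify, -3 when appended but broken, else the append error code. */
static int demo_append(uint16_t plen)
{
    static uint8_t frame[MAX_FRAME + TRAILER_LEN], payload[MAX_FRAME], key[TRAILER_LEN];
    memset(payload, 'x', sizeof payload);
    memset(key, 0xAB, sizeof key);
    size_t len = build_udp_frame(frame, sizeof frame, payload, plen);
    int rc = append_udp_trailer(frame, &len, sizeof frame, key);
    if (rc) return rc;
    const uint8_t *ip = frame + ETH_HLEN, *udp = ip + IP_HLEN;
    int ok = ones_sum(0, ip, IP_HLEN) == 0xFFFF && transport_sum(ip, 17, udp, rd16(udp + 4)) == 0xFFFF;
    return ok ? 0 : -3;
}
```

A frame of 1494 bytes (1452 payload bytes) is the largest that still takes the trailer; one byte more is rejected with -2. The MTU decrement is what keeps the stack from producing the frames this function rejects, but the check belongs in the filter anyway, since the decrement only takes effect after the reboot the reply mentions.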

        in reply to: Install IM Driver on x64 system #6066
        Vadim Smirnov
        Keymaster

          snetcfg.exe -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd

          in reply to: LHmon problems #6060
          Vadim Smirnov
          Keymaster

            First of all, the trial version on the site is limited to capturing 100 packets per boot.

            If you are using the full registered version, then have you tried to run the Local Host Monitor application on that system? If it works fine, then the problem is related to your code (and to advise anything I have to see more than one line); if it also does not intercept packets, then it is probably driver related. Please clarify.

            in reply to: Packet Content #6058
            Vadim Smirnov
            Keymaster

              Not sure exactly what code you need, but this question was already discussed here http://www.ntkernel.com/forum/viewtopic.php?t=19 along with some code postings.

              in reply to: port redirection #6053
              Vadim Smirnov
              Keymaster

                That can be a problem. Dynamic hooking into the system stack (with a dynamically loadable NDIS IM driver under Windows 2000+ and a dynamic hooking driver for earlier Windows versions) can be implemented, but it is less reliable and more complex than static (in the case of an IM driver a reboot can still be required in some cases).

                in reply to: Packet Content #6056
                Vadim Smirnov
                Keymaster

                  How can I do the same ?

                  Packet data follow the packet header.

                  If I change the data and recalculate the chksum; what special care does the code have to take ?

                  If you don’t modify the packet length, then checksum (IP/TCP/UDP) recalculation is enough. If you do modify the packet length (for example, changing “sex” to “fofo”), for the TCP protocol you also have to take care of the Sequence and Acknowledgement numbers.
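An added example, not from this thread and not WinpkFilter code, of the sequence and acknowledgement bookkeeping the reply refers to. It follows the scheme Linux uses in nf_nat_seqadj (one correction position per direction plus the cumulative offsets before and after it), so later segments in the edited direction get their SEQ shifted and the peer's replies get their ACK shifted back. The segment numbers, the +1 and -2 edits and the TCP header bytes are constructed for the walk-through; the checksum still has to be recomputed afterwards, and SACK blocks are not handled.

```c
/* Added example, not from the thread or the WinpkFilter SDK: SEQ/ACK bookkeeping for a
 * TCP payload rewrite that changes the segment length, e.g. "sex" -> "fofo" (+1 byte).
 * Modelled on the Linux nf_nat_seqadj scheme. Checksums are not touched here. */
#include <stdint.h>
#include <stdbool.h>

typedef struct {
    uint32_t pos;                          /* original SEQ of the last rewritten segment */
    int32_t  offset_before, offset_after;  /* cumulative delta for SEQ <= pos and SEQ > pos */
    bool     active;                       /* false until the first edit is noted */
} seqadj;

/* TCP sequence comparison tolerant to 32-bit wraparound: true when a is after b. */
static bool seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Record that the segment with original SEQ `seq` had `delta` bytes added (> 0) or
 * removed (< 0). Returns false for a stale position, i.e. a retransmission of an
 * already noted segment: rewrite its payload the same way, but do not note it again. */
static bool seqadj_note(seqadj *s, uint32_t seq, int32_t delta)
{
    if (s->active && !seq_after(seq, s->pos)) return false;
    s->offset_before = s->offset_after;
    s->offset_after += delta;
    s->pos = seq;
    s->active = true;
    return true;
}

/* Translate the original SEQ of a segment travelling in this direction. The edited
 * segment itself (SEQ == pos) keeps its number; only its length changed. */
static uint32_t seqadj_seq(const seqadj *s, uint32_t seq)
{
    return seq + (uint32_t)(seq_after(seq, s->pos) ? s->offset_after : s->offset_before);
}

/* Map the ACK in the peer's reply back to the original numbering; `s` is the state
 * of the direction whose data is being acknowledged. */
static uint32_t seqadj_ack(const seqadj *s, uint32_t ack)
{
    bool past = seq_after(ack - (uint32_t)s->offset_before, s->pos);
    return ack - (uint32_t)(past ? s->offset_after : s->offset_before);
}

static uint32_t rd32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Rewrite SEQ and ACK of a TCP header in place. `fwd` is the state of the direction
 * this segment travels in, `rev` that of the opposite direction (whose data it ACKs).
 * Recompute the TCP checksum afterwards. */
static void seqadj_apply(uint8_t *tcp, const seqadj *fwd, const seqadj *rev)
{
    wr32(tcp + 4, seqadj_seq(fwd, rd32(tcp + 4)));
    if (tcp[13] & 0x10)                    /* ACK flag set */
        wr32(tcp + 8, seqadj_ack(rev, rd32(tcp + 8)));
}

/* Walk-through: client sends "sex" at SEQ 1000 and the filter makes it "fofo" (+1);
 * later a segment at SEQ 2000 is shortened by 2 bytes. Returns how many of the eight
 * expectations hold (8 when the bookkeeping is consistent). */
static int demo_seqadj(void)
{
    seqadj c2s = {0};   /* client -> server direction, constructed state */
    int ok = 0;
    seqadj_note(&c2s, 1000, +1);
    ok += seqadj_seq(&c2s, 1000) == 1000;  /* the rewritten segment keeps its SEQ */
    ok += seqadj_seq(&c2s, 1003) == 1004;  /* everything after it shifts by +1 */
    ok += seqadj_seq(&c2s, 900)  == 900;   /* a retransmission from before it does not */
    ok += seqadj_ack(&c2s, 1004) == 1003;  /* server ACKs 4 bytes, client only sent 3 */
    seqadj_note(&c2s, 2000, -2);
    ok += seqadj_seq(&c2s, 2000) == 2001;  /* carries the first shift, not its own */
    ok += seqadj_seq(&c2s, 2100) == 2099;
    ok += seqadj_ack(&c2s, 2099) == 2100;
    ok += seqadj_ack(&c2s, 1500) == 1499;  /* ACK for data between the two edits */
    return ok;
}

/* Constructed 20-byte TCP header (SEQ 1003, ACK 5000, ACK flag) pushed through
 * seqadj_apply after the +1 edit: 1 when SEQ became 1004 and ACK stayed 5000
 * (the reverse direction has no edits). */
static int demo_apply(void)
{
    uint8_t tcp[20] = {0};
    seqadj c2s = {0}, s2c = {0};
    wr32(tcp + 4, 1003); wr32(tcp + 8, 5000); tcp[12] = 0x50; tcp[13] = 0x10;
    seqadj_note(&c2s, 1000, +1);
    seqadj_apply(tcp, &c2s, &s2c);
    return rd32(tcp + 4) == 1004 && rd32(tcp + 8) == 5000;
}
```

One seqadj per direction is kept per connection: the segment's own direction supplies the SEQ shift and the opposite direction supplies the ACK shift. A retransmission of the edited segment arrives with the original payload again, so the filter rewrites it the same way while seqadj_note reports it as stale.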

                  in reply to: SERVICE_SYSTEM_START vs SERVICE_DEMAND_START #6054
                  Vadim Smirnov
                  Keymaster

                    Is the data from the intercepted send calls processed by you in some way, or does it wait for better times until the application responsible for handling it starts?

                    If it waits, then the cause is clear: the network is effectively frozen, hence the slowdowns… If it is processed, then the cause has to be sought elsewhere; if your driver does not cause slowdowns under high network load, then it should not at system startup either.

                    in reply to: port redirection #6051
                    Vadim Smirnov
                    Keymaster

                      is it possible to get that port redirect dynamically upon startup of “my_app”?

                      The WinpkFilter driver should be installed on the system beforehand. But in any case you start filtering/redirecting packets only when your application is active and stop when your application is terminated. So the answer is YES.

                      in reply to: port redirection #6049
                      Vadim Smirnov
                      Keymaster

                        is there a chance to configure windows’ firewall to redirect data sent from an external interface to port 25 to our port 10025?

                        Windows built-in firewall does not support port redirecting services.

                        does anyone have an idea how to solve this EXCEPT using custom LSP/TDI/NDIS drivers?

                        Regretfully there is no other way. You can use WinpkFilter library (http://www.ntkernel.com/w&p.php?id=7) to implement port redirector solution though.

                        in reply to: Simple tiny Firewall #6047
                        Vadim Smirnov
                        Keymaster

                          can I paste a link here that would be for a Simple Stupid Firewall that I made using winpkfilter example (PacketSniffer and PassThru)

                          Sure, you can.

                          Vadim Smirnov
                          Keymaster

                            SmartFirewall is an earlier version of NeT Firewall.

                            in reply to: OID_802_3_XMIT_ONE_COLLISION #5973
                            Vadim Smirnov
                            Keymaster

                              The problem is that this is a filter driver

                              You mean an Intermediate driver?

                              Where can OID requests be made: in OnSend, OnReceive, OnInitialize, OnHalt?

                              In general, requests can be made as soon as the underlying driver is ready to handle them and until it stops doing so (that is, using OnInitialize and OnHalt is probably not very reasonable).

                              In general you only need to watch the IRQL (“Callers of NdisRequest can be running at IRQL <= DISPATCH_LEVEL”) and be guided by when exactly those statistics are needed.

                              in reply to: Modify TTL of the packets #6000
                              Vadim Smirnov
                              Keymaster

                                Anyway, is it ok to have an Article on the subject we treat here with my Application as a solution and a link to the WinpkFilter run-time libraries that are presented on

                                http://www.ntkernel.com/w&p.php?id=7

                                or it is in violation of the license agreement?

                                It is OK to do so. Good luck with your article and hope you will post a link to it here. If you are interested we can also publish it on this web-site.

                                in reply to: I have some question about web redirection. #6040
                                Vadim Smirnov
                                Keymaster

                                  This is the TCP checksum in C; I suppose you should be able to translate it to Delphi.

                                  //
                                  // Function recalculates TCP checksum
                                  //
                                  VOID
                                  RecalculateTCPChecksum (
                                      PINTERMEDIATE_BUFFER pPacket
                                      )
                                  {
                                      tcphdr_ptr pTcpHeader = NULL;
                                      unsigned short word16, padd = 0;
                                      unsigned int i, sum = 0;
                                      PUCHAR buff;
                                      DWORD dwTcpLen;

                                      // IP header follows the Ethernet header in the intermediate buffer
                                      iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

                                      // Sanity check: only TCP segments are handled here
                                      if (pIpHeader->ip_p == IPPROTO_TCP)
                                      {
                                          // TCP header starts right after the IP header (ip_hl is in 32-bit words)
                                          pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
                                      }
                                      else
                                          return;

                                      // Length of the TCP header plus data, taken from the IP total length
                                      dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

                                      // An odd-length segment is padded with one zero byte for the sum
                                      if ( (dwTcpLen/2)*2 != dwTcpLen )
                                      {
                                          padd=1;
                                          pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
                                      }

                                      buff = (PUCHAR)pTcpHeader;
                                      pTcpHeader->th_sum = 0;

                                      // make 16 bit words out of every two adjacent 8 bit words and
                                      // calculate the sum of all 16 bit words
                                      for (i=0; i< dwTcpLen+padd; i=i+2){
                                          word16 =((buff[i]<<8)&0xFF00)+(buff[i+1]&0xFF);
                                          sum = sum + (unsigned long)word16;
                                      }

                                      // add the TCP pseudo header which contains:
                                      // the IP source and destination addresses,
                                      sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
                                      sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

                                      // the protocol number and the length of the TCP packet
                                      sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

                                      // keep only the last 16 bits of the 32 bit calculated sum and add the carries
                                      while (sum>>16)
                                          sum = (sum & 0xFFFF)+(sum >> 16);

                                      // Take the one's complement of sum
                                      sum = ~sum;

                                      pTcpHeader->th_sum = htons((unsigned short)sum);
                                  }