Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,156 through 1,170 (of 1,391 total)
in reply to: ndis-based nat + shaper #6019
Vadim Smirnov
Keymaster

    Do "hardware" routers like Cisco use the same algorithm?

Nobody knows what is inside a Cisco except Cisco's own developers.

    Are there any estimates of its efficiency?

There is some theory here:
http://www.lan2net.ru/shaper.shtml

in reply to: ndis-based nat + shaper #6017
Vadim Smirnov
Keymaster

Usually a packet queue is made (with a bounded size, of course), and packets are pushed out of the queue according to the configured rate. When the queue overflows, packets start being dropped. To push packets out you need to hook both a timer (for the case when no new packets arrive for a long time) and the arrival events of new packets (the timer may fire quite rarely compared to packet arrivals); compute the time since the last event and transmit as many packets as would have fit through the configured channel during that time.
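The queue-and-timer scheme described in this reply, as an added example that is not code from the forum or from WinpkFilter: a bounded FIFO shaper in C where every timer tick or packet arrival turns the elapsed time into a byte budget at the configured rate and releases the packets that fit. All type and function names are this example's own, and the caller is assumed to pass in a microsecond clock.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define SHAPER_QUEUE_LEN 8            /* bounded queue: overflow packets are dropped */

typedef struct { uint32_t len; } pkt_t;   /* only the length matters for shaping */

typedef struct {
    pkt_t    q[SHAPER_QUEUE_LEN];
    size_t   head, count;             /* ring buffer state */
    uint64_t rate_bps;                /* configured channel rate, bytes per second */
    uint64_t last_us;                 /* time of the last timer/arrival event, microseconds */
    uint64_t credit;                  /* bytes allowed out since last_us but not yet used */
    uint64_t sent, dropped;           /* statistics */
} shaper_t;

void shaper_init(shaper_t *s, uint64_t rate_bps, uint64_t now_us)
{
    *s = (shaper_t){0};
    s->rate_bps = rate_bps;
    s->last_us = now_us;
}

/* Called from both the timer and the packet-arrival path: convert the time
 * since the last event into a byte budget at the configured rate and release
 * every packet at the head of the queue that fits. Returns how many were
 * released (a real driver would pass each one down to the adapter). */
size_t shaper_service(shaper_t *s, uint64_t now_us)
{
    uint64_t elapsed = now_us > s->last_us ? now_us - s->last_us : 0;
    s->last_us = now_us;
    s->credit += elapsed * s->rate_bps / 1000000;
    if (s->credit > s->rate_bps)      /* cap idle credit at one second's worth, so a */
        s->credit = s->rate_bps;      /* long idle gap cannot release an unbounded burst */
    size_t released = 0;
    while (s->count > 0 && s->q[s->head].len <= s->credit) {
        s->credit -= s->q[s->head].len;
        s->head = (s->head + 1) % SHAPER_QUEUE_LEN;
        s->count--; s->sent++; released++;
    }
    return released;
}

/* Packet arrival: queue it (or drop it when the queue is full), then service the
 * queue right away so available credit does not wait for the next timer tick. */
bool shaper_enqueue(shaper_t *s, uint32_t len, uint64_t now_us)
{
    bool queued = s->count < SHAPER_QUEUE_LEN;
    if (queued) { s->q[(s->head + s->count) % SHAPER_QUEUE_LEN].len = len; s->count++; }
    else        s->dropped++;
    shaper_service(s, now_us);
    return queued;
}
```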

in reply to: Ethernet frames larger than 1514 bytes #6013
Vadim Smirnov
Keymaster

    Is source code license the only way to do that?

Developer License is enough; since it already includes a custom build, it won't be a problem to change one additional constant.

in reply to: Ethernet frames larger than 1514 bytes #6011
Vadim Smirnov
Keymaster

Hi,

Standard build of WinpkFilter operates with 1514-byte frames only. It simply forbids usage of a larger frame size by intercepting some requests from the protocols to the network card driver.

However, if there is a requirement to support a larger frame size then the drivers can easily be rebuilt (by changing a few constants).

in reply to: WinpktFilter hooking vs intermediate driver #5964
Vadim Smirnov
Keymaster

    I do understand. But what about Vista?

In addition to NDIS hooking and IM drivers, Vista is expected to introduce new packet filtering capabilities (Windows Packet Filtering framework). So in general there will be even more options.

in reply to: Process ID #6009
Vadim Smirnov
Keymaster

Process context is not available at the NDIS level where WinpkFilter works. In order to determine the process associated with a packet you should obtain the current connections table in some way (TDI filter, LSP and some other less popular ways) and match the packet to the process using address/port information.

Usually, a firewall is a combination of an NDIS level filter (packet firewall) and an application level filter (application/desktop firewall).

Hope it helps

in reply to: Modify TTL of the packets #5993
Vadim Smirnov
Keymaster

Hmm, I don't see the problem, but what is the sense of modifying the TTL in an incoming packet?

You can download some code playing with the TTL (and some other fields of the packet) from here: http://www.xakep.ru/post/29448/safenat.zip I think it should be a good reference.

in reply to: windows XP on top of NT kernel #5989
Vadim Smirnov
Keymaster

Windows XP belongs to the NT family (Windows NT 3.51 – Windows NT 4.0 – Windows 2000 – Windows XP – Windows 2003).

Maybe your professor meant Windows ME?

in reply to: WinPkFilter can filter EAPoL packet ? #5983
Vadim Smirnov
Keymaster

Well, I have not checked how EAPoL is realized in Windows, but the general situation is the following.

WinpkFilter works between the system's installed protocol drivers (the base x86 NDIS-hook version works under TCP/IP only, but can be easily extended) and the network adapters. So if the "Layer 2 packets" are generated by a protocol driver then it is possible to intercept them; if not (the packet is generated by the network card driver) then there is no way…

in reply to: Question about Net Firewall #5984
Vadim Smirnov
Keymaster

    Why is that? It still seems like it is running and blocking, but nevertheless it is a concern that the service is not staying running.

NTKernelService is only responsible for loading the firewall settings into the driver during system startup. After doing this NTKernelService exits (in order to decrease consumed system resources). It is not necessary to have it running.

in reply to: build a antispam/firewall #5981
Vadim Smirnov
Keymaster

    How do I get only pop3/smtp packets using winpkfilter?

You will get all packets with WinpkFilter, but you can selectively process SMTP/POP3 packets. In order to implement this you have to parse the packet headers (Ethernet, IP, TCP) and check the source/destination ports for the SMTP/POP3 ones (25/110).

    How do I decode raw packets to see the content? Where may I find more VB examples of using that?

In C parsing is easy (typecasting to structures):

    // ether_header, iphdr and tcphdr are the header structures from the WinpkFilter samples
    ether_header* pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;

    if ( ntohs(pEthHeader->h_proto) == ETH_P_IP )
    {
        // The IP header follows the Ethernet header
        iphdr* pIpHeader = (iphdr*)(PacketBuffer.m_IBuffer + ETHER_HEADER_LENGTH);
        if (pIpHeader->ip_p == IPPROTO_TCP)
        {
            // This is a TCP packet, get the TCP header pointer (ip_hl is in 32-bit words)
            tcphdr* pTcpHeader = (tcphdr*)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
            ....

I'm not a VB expert, but getting the Ethernet header is shown in the WinpkFilter VB samples; getting the other headers should be very similar.
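An added C example, not from the post or the WinpkFilter samples, that does the same Ethernet/IP/TCP walk as the snippet above for the SMTP/POP3 port check, but with the buffer-length and ip_hl checks a filter needs before trusting header fields. Header fields are read by byte offset instead of the structure typecasts, and the sample frame is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define ETHER_HDR_LEN 14
#define ETH_P_IP      0x0800
#define IPPROTO_TCP   6

enum mail_class { PKT_MALFORMED = -1, PKT_OTHER = 0, PKT_SMTP = 25, PKT_POP3 = 110 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); } /* like ntohs */

/* Walk Ethernet -> IPv4 -> TCP and report SMTP/POP3 by port. Every header is
 * checked against the buffer length before its fields are read, which the
 * bare typecasts in the snippet above do not do. */
enum mail_class classify_mail_packet(const uint8_t *buf, size_t len)
{
    if (len < ETHER_HDR_LEN) return PKT_MALFORMED;
    if (rd16(buf + 12) != ETH_P_IP) return PKT_OTHER;         /* h_proto: not IPv4 */

    const uint8_t *ip = buf + ETHER_HDR_LEN;
    if (len < ETHER_HDR_LEN + 20 || (ip[0] >> 4) != 4) return PKT_MALFORMED;
    size_t ip_hl  = (size_t)(ip[0] & 0x0f) * 4;               /* ip_hl is in 32-bit words */
    size_t ip_tot = rd16(ip + 2);                             /* total length in bytes */
    if (ip_hl < 20 || ip_tot < ip_hl || ETHER_HDR_LEN + ip_tot > len)
        return PKT_MALFORMED;                                 /* bogus length or truncated frame */
    if (ip[9] != IPPROTO_TCP) return PKT_OTHER;               /* ip_p */

    const uint8_t *tcp = ip + ip_hl;
    if (ip_tot < ip_hl + 20) return PKT_MALFORMED;            /* TCP header must fit in the IP payload */
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    if (sport == 25  || dport == 25)  return PKT_SMTP;
    if (sport == 110 || dport == 110) return PKT_POP3;
    return PKT_OTHER;
}

/* Constructed sample frame (not a capture): Ethernet + IPv4 + TCP SYN,
 * 192.168.1.10:50000 -> 192.168.1.25:25; checksums are left zero. */
const uint8_t sample_smtp_syn[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,            /* IPv4, len 40, TCP */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x19,                                 /* src, dst */
    0xc3,0x50,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* ports, seq, ack */
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00 };                               /* off/flags, win, ... */
```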

in reply to: Custom build #5942
Vadim Smirnov
Keymaster

    What is actually a custom build? An API to do a special issue?

In general it is a special build generated for Developer license licensees with customized names (and internal version resource information) for the drivers and devices. It also may include some functional changes, but this is discussed individually.

in reply to: DDK -> NDIS -> OID #5975
Vadim Smirnov
Keymaster

Again, I recommend paying attention to the NDIS_STATUS you get back. It may well be NDIS_STATUS_NOT_SUPPORTED…

in reply to: OID_802_3_XMIT_ONE_COLLISION #5971
Vadim Smirnov
Keymaster

And which status (NDIS_STATUS) is returned? The underlying network card driver may simply not support this OID…

in reply to: Redirection (Gateway) #5967
Vadim Smirnov
Keymaster

    The WinpkFilter library you mentioned, is it free or do I have to purchase it? Is it the free downloadable ndisapi.dll?

WinpkFilter is free for non-commercial use and available for download from here (http://www.ntkernel.com/w&p.php?id=7). The package includes the drivers (ndisrd.sys/ndisrd.vxd), the API DLL (ndisapi.dll) and several simple samples.

If you register WinpkFilter (any type of subscription starting from $95) you also get access to the Internet Gateway source code (http://www.ntkernel.com/w&p.php?id=31), which implements NAT and gives a good clue to how to redirect packets.

Some code samples can also be found by looking through this forum. I can also C&P the redirect-related portion of code from the NeT Firewall source, but it may appear a bit difficult to understand.
