Forum Replies Created
-
AuthorPosts
-
а в “железных” маршрутизаторах типа циски используется такой же алгоритм?
Что там в сиске, не знает никто кроме разработчиков сиски.
есть ли оценки его эффективности?
Тут есть какая-то теория:
http://www.lan2net.ru/shaper.shtmlОбычно делается очередь пакетов (размер ограничен разумеется), пакеты из очереди выталкиваются в соответствии с установленой скоростью. В случае переполнения очереди пакеты начинают отбрасываться. Цепляться для выталкивания пакетов нужно к таймеру (на случай если долго нет новых пакетов) и событиям прихода новых пакетов (таймер может срабатывать довольно редко по сравнению с приходом пакетов), высчитываем время с последнего события и передаем столько пакетов сколько пролезло бы по установленному каналу за прошедшее время.
Is source code license the only way to do that?
Developer License is enough, since it already includes custom build it won’t be a problem to change one additional constant.
Hi,
Standard build of WinpkFilter operates with 1514 bytes frames only. It simply forbids usage of larger frame size by intercepting some requests from the protocls to network card driver.
However if there is a requirement to suppport larger frame size then drivers can be easily rebuilded (by changing few constants).
I do understand. But what about Vista?
In addition to NDIS hooking and IM drivers Vista is expected to introduce new packet filtering capabilities (Windows Packet Filtering framework). So in general there will be even more options.
Process context is not available at the NDIS level where WinpkFilter works. In order to determine the packet associated process you should obtain the current connections table on some way (TDI filter, LSP and some other less popular ways) and match packet to the process using address/port information.
Usually, firewall is a combination of NDIS level filter (packet firewall) and application level filter (application/desktop firewall).
Hope it helps
Hmm, I don’t see the problem but what is the sense to modify TTL in the incoming packet?
You can download some code playing with TTL (and some other fields of the packet) from here http://www.xakep.ru/post/29448/safenat.zip I think it should be a good reference.
Windows XP belongs to NT family (Windows NT 3.51 – Windows NT 4.0 – Windows 2000 – Windows XP – Windows 2003).
May be your professor meaned Windows ME?
Well, I have not checked how EAPoL is realized in Windows, the general situation is the following.
WinpkFilter works between systems installed protocol drivers (base x86 NDIS-hook version under TCP/IP only but can be easily extended) and network adapters. So if “Layer 2 Packet” are generated by protocol driver then it is possible to intercept, if not (packet generated by network card driver) then there is no way…
Why is that? It still seems like it is running and blocking, but nevertheless it is a concern that the service is not staying running.
NTKernelService is only responsible for loading firewall settings into the driver during system start up. After doing this NTKernelService exits (in order to decrease consumed system resources). It is not necessary to have it running.
How do I get only pop3/smtp packets using winpkfilter?
You will get all packets with WinpkFilter but you can selectively process SMTP/POP3 packets. In order to implement this you have to parse packet headers (Ethernet, IP, TCP) and check source/destination ports for SMTP/POP3 ones (25/110).
How do I decode raw packets to see the content? Where may I find more VB examples of using that?
In C parsing is easy (typecasting to structures):
pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;
if ( ntohs(pEthHeader->h_proto) == ETH_P_IP )
{
pIpHeader = (iphdr*)(PacketBuffer.m_IBuffer + ETHER_HEADER_LENGTH);
if (pIpHeader->ip_p == IPPROTO_TCP)
{
// This is TCP packet, get TCP header pointer
pTcpHeader = (tcphdr*)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
....I’m not a VB expert but getting Ethernet header is shown in WinpkFilter VB samples, getting other headers should be very similar.
what is actually a custom build?An API to do a special issue?
In general it is a special build generated for the Developer license licensees with customized names (and internal version resources information) for drivers and devices. It also may include some functional changes, but this is discussed individually.
Опять рекомендую обратить внимание на полученный NDIS_STATUS? Это вполне может быть NDIS_STATUS_NOT_SUPPORTED…
А какой статус (NDIS_STATUS) возвращается? Нижележащий драйвер сетевой карты может просто не поддерживать этот OID…
The WinpkFilter library you mentioned, is it free or do I have to purchase it? Is it the free downloadable ndisapi.dll ?
WinpkFilter is free for non-commercial use and available for download from here (http://www.ntkernel.com/w&p.php?id=7). Package includes drivers(ndisrd.sys/ndisrd.vxd), API DLL (ndisapi.dll) and several simple samples.
If you register WinpkFilter (any type of subscription starting from 95$) you also get access to the Internet Gateway source code (http://www.ntkernel.com/w&p.php?id=31) which implements NAT and gives a good clue to how to redirect packets.
Some code samples can be also found by looking through this forum. I can also C&P a redirect relative portion of code from NeT Firewall source, but it may appear a bit difficult to understand.
-
AuthorPosts