Filtering by protocol using STATIC_FILTER structure
Tagged: staticfilter
- This topic has 7 replies, 2 voices, and was last updated 4 years ago by Vadim Smirnov.
January 11, 2021 at 8:01 pm #11451
Is it possible to filter packets by protocol (TCP/UDP/ICMP) using the STATIC_FILTER structure without defining a range of ports or IPs?
I tried to add a filter with the following parameters, but it did not redirect any packets.
Example:
sf->m_dwDirectionFlags = MSTCP_FLAG_SENT_TUNNEL;
sf->m_FilterAction = FILTER_PACKET_REDIRECT;
sf->m_ValidFields = NETWORK_LAYER_VALID;
sf->m_NetworkFilter.m_dwUnionSelector = IPV4;
sf->m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
sf->m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
And I added another filter with the 'pass' action for the other packets.
Is it mandatory to use fields other than IP_V4_FILTER_PROTOCOL in order for it to work?
January 11, 2021 at 8:12 pm #11452
Yes, it is possible. As an example you can check the 3rd scenario in filter.cpp:
//**************************************************************************************
// 1. Block all ICMP packets
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_DROP;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_ICMP;
Please note that in your code you use an incorrect value for m_dwDirectionFlags.
January 12, 2021 at 10:29 am #11453
I sent the wrong parameter in m_dwDirectionFlags.
This is the first filter, to capture only outbound TCP:
m_Adapter.QuadPart = 0;
m_ValidFields = NETWORK_LAYER_VALID;
m_FilterAction = FILTER_PACKET_REDIRECT;
m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
m_NetworkFilter.m_dwUnionSelector = IPV4;
m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
Then the second one passes the other packets:
m_Adapter.QuadPart = 0;
m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
m_FilterAction = FILTER_PACKET_PASS;
This combination is not working. Do I need to change the approach and filter ICMP and UDP in order to capture TCP?
January 12, 2021 at 12:45 pm #11455
What do you mean "is not working"?
If the table you load into the driver is equivalent to the following:
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;
pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[1].m_ValidFields = 0;
pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;
Then it should redirect outgoing TCP packets to user mode, pass any other outgoing packets (except TCP), and redirect ALL incoming packets to user mode.
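The two-entry table above, evaluated against a few constructed packets, as an added C++ model of the matching logic the thread describes (this is not WinpkFilter's own code). It assumes first-match-wins ordering and that an unmatched packet is redirected to user mode, which is why every incoming packet ends up redirected; m_Adapter binding and the m_dwUnionSelector field are left out of the model.

```cpp
// Added example (not WinpkFilter's own code): a minimal model of how a
// STATIC_FILTER table is evaluated, using the page's field names. Assumes
// first-match-wins ordering and a redirect default for unmatched packets.
#include <cstdint>
#include <vector>

enum Action { FILTER_PACKET_PASS, FILTER_PACKET_DROP, FILTER_PACKET_REDIRECT };
enum { PACKET_FLAG_ON_SEND = 1, PACKET_FLAG_ON_RECEIVE = 2 };
enum { NETWORK_LAYER_VALID = 1 };        // m_ValidFields bit (simplified)
enum { IP_V4_FILTER_PROTOCOL = 1 };      // m_IPv4.m_ValidFields bit (simplified)
enum { IPPROTO_ICMP = 1, IPPROTO_TCP = 6, IPPROTO_UDP = 17 };

struct StaticFilter {                    // modelled on STATIC_FILTER
    uint32_t m_dwDirectionFlags;         // PACKET_FLAG_ON_SEND / ON_RECEIVE
    uint32_t m_ValidFields;              // which layers the filter inspects
    Action   m_FilterAction;
    uint32_t m_IPv4ValidFields;          // m_NetworkFilter.m_IPv4.m_ValidFields
    uint8_t  m_Protocol;                 // m_NetworkFilter.m_IPv4.m_Protocol
};

struct Packet { uint32_t direction; uint8_t ipProtocol; };  // constructed input

static bool matches(const StaticFilter& f, const Packet& p) {
    if (!(f.m_dwDirectionFlags & p.direction)) return false;   // wrong direction
    if (f.m_ValidFields & NETWORK_LAYER_VALID) {
        if ((f.m_IPv4ValidFields & IP_V4_FILTER_PROTOCOL) && f.m_Protocol != p.ipProtocol)
            return false;                                      // protocol differs
    }
    return true;   // m_ValidFields == 0 matches every packet in that direction
}

// First matching filter decides; no match -> redirect to user mode (assumption,
// consistent with the thread: unmatched incoming packets are redirected).
Action evaluate(const std::vector<StaticFilter>& table, const Packet& p) {
    for (const auto& f : table)
        if (matches(f, p)) return f.m_FilterAction;
    return FILTER_PACKET_REDIRECT;
}

// The table from the thread: redirect outgoing TCP, then pass any other outgoing.
std::vector<StaticFilter> threadTable() {
    return {
        {PACKET_FLAG_ON_SEND, NETWORK_LAYER_VALID, FILTER_PACKET_REDIRECT, IP_V4_FILTER_PROTOCOL, IPPROTO_TCP},
        {PACKET_FLAG_ON_SEND, 0, FILTER_PACKET_PASS, 0, 0},
    };
}
```

Reversing the two entries makes the catch-all pass rule match outgoing TCP first, so order in the table matters as much as the field values.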
January 12, 2021 at 1:19 pm #11456
Is it not possible to instantiate more than one CNdisApi class to apply different filters for each protocol? Using only the filter as you said worked well for TCP.
January 12, 2021 at 3:32 pm #11457
The standard driver build supports only one packet filter table and is supposed to be used from one user mode process. You can use multiple CNdisApi instances, but setting a new filter table will override the previously loaded one. So you are supposed to collect all required filters into a single table.
However, there is also a multi-layer driver build available to WinpkFilter customers which supports multiple packet filter tables (one per filter layer) that can be used from several applications as long as they use different layers.
January 12, 2021 at 4:34 pm #11458
Oh, I see. This is the behavior that I am getting here.
Regarding the multi-layer driver: when you refer to layers, are you referring to the layer defined in the STATIC_FILTER structure (DATALINK, NETWORK, TRANSPORT) or to multiple STATIC_FILTERs for each CNdisApi instance without override?
Using different layers for each application, are both of them unable to intercept the same packet?
January 12, 2021 at 10:13 pm #11459
In the context above, the layer is the driver-level abstraction associated with a FILE_OBJECT (CNdisApi object), with its own independent static filter table, packet queue, etc.
Using different layers for each application, both of them cannot intercept the same packet?
They can, if the packet was not previously dropped by upper (for outgoing packets) or lower (for incoming packets) layers.
The layered architecture allows a single driver to be shared between several different packet filter applications.