kernel mode = yes, Application mode = ?
This topic has 5 replies, 2 voices, and was last updated 20 years, 5 months ago by Vadim Smirnov.
August 10, 2004 at 3:48 pm #4864
A few quick questions:
I understand winPKfilter can operate at both kernel and user modes. I understand the kernel mode, however user mode confuses me. Does this mean the mode in which you use the dll (i.e. high level commands/interface to the DLL) or application level filtering of packets (i.e. access to the destination application of the packets)?
I ask this as I would like access to packets at both a low level (MSTCP) so I can read headers (IP/port/protocol) and raw binary data, and at an application level (like personal firewalls) so that I can know the application the packet is heading to.
Thanks in advance, Pete.
August 11, 2004 at 10:23 am #5596
WinpkFilter allows you to implement packet filtering technologies in both user or kernel mode (the one you choose depends on your experience and requirements). But this is packet level filtering (it is not possible to determine application context on the NDIS level). For application level filtering you would need an LSP or TDI filter.
August 11, 2004 at 11:51 am #5597
Is it possible to use both packet level and application level filtering within the same program, i.e. inspect a packet using winPKfilter then an LSP/TDI filter?
Does your company provide an application level filter?
Thanks for your swift reply. Pete.
August 11, 2004 at 12:28 pm #5598
Is it possible to use both packet level and application level filtering within the same program, i.e. inspect a packet using winPKfilter then an LSP/TDI filter?
Yes, sure.
Does your company provide an application level filter?
We provide localhost monitor API, which is a TDI filter for Windows NT/2000/XP/2003. An LSP sample is available as a part of MSDN. A simple TDI filter for Windows 9x can be found in the VTOOLSD samples (from Compuware).
August 11, 2004 at 3:03 pm #5599
Thank you for your reply. I have winPKfilter capturing packets (displaying MAC addresses etc.). I don't see any way to get the headers/protocol of the packets for inspection, I assume you put the packets into some data structure.
Is there any other help or code examples? Looking through the forum I see references to code like:
pIPHeader: TIPHeaderPtr;
pTCPHeader: TTCPHeaderPtr;
which I don't see in the help file. Do you get additional help when you purchase the product? (I am using the demo at the moment – umm, time to reset the computer again 🙂)
Cheers Pete.
August 12, 2004 at 8:20 am #5600
What environment do you use for the development? There is a C header file iphlp.h which has some sample protocol header definitions (IP header, TCP header, UDP header, etc.). If you are using Delphi then you can use the ones below:
TIPHeaderPtr = ^TIPHeader;
TIPHeader = packed record
    VerLen: Byte;       // high 4 bits: version, low 4 bits: header length in 32-bit words
    TOS: Byte;
    TotalLen: Word;     // total datagram length in bytes (network byte order)
    Identifer: Word;
    FragOffsets: Word;
    TTL: Byte;
    Protocol: Byte;     // 6 = TCP, 17 = UDP, ...
    CheckSum: Word;
    SourceIp: DWORD;
    DestIp: DWORD;
    // Options: DWORD;
end;
TTCPHeaderPtr = ^TTCPHeader;
TTCPHeader = packed record
    SourcePort: Word;
    DestPort: Word;
    SequenceNumber: DWord;
    AcknowledgementNumber: DWord;
    Offset: Byte;       // only the left 4 bits: header length in 32-bit words
    Flags: Byte;
    Window: Word;
    Checksum: Word;     // computed over a pseudo header instead of the TCP header
    UrgentPointer: Word;
end;
pTCPData: PChar;
And probably it makes sense for you to look at this topic:
http://ntkernel.com/forum/viewtopic.php?t=114
We are trying to provide as good support as we can 🙄
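As an added example, not code from this thread or from WinpkFilter: a C parser in the spirit of the header definitions above (the low nibble of VerLen gives the IP header length, the high nibble of the TCP Offset byte gives the TCP header length), with the bounds and checksum checks a filter should make before trusting anything in a captured packet. It assumes Ethernet II framing and uses a constructed sample frame; pkt_summary and kSampleFrame are names of this example, not WinpkFilter types.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Summary of one IPv4 packet; hypothetical type, not a WinpkFilter structure. */
typedef struct {
    uint8_t  protocol;
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;    /* host byte order, 0 unless TCP */
    size_t   payload_len;           /* bytes after the TCP header (after IP if not TCP) */
} pkt_summary;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* RFC 1071 ones-complement sum over the IP header; yields 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Parse an Ethernet II frame: 1 for an IPv4 packet whose headers fit the buffer and verify, else 0. */
int parse_frame(const uint8_t *frame, size_t len, pkt_summary *out) {
    if (len < 14 + 20 || rd16(frame + 12) != 0x0800) return 0;      /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                         /* VerLen low nibble */
    size_t total = rd16(ip + 2);                                     /* TotalLen */
    if ((ip[0] >> 4) != 4 || ihl < 20 || total < ihl || total > len - 14) return 0;
    if (ip_checksum(ip, ihl) != 0) return 0;                         /* corrupt header */
    memset(out, 0, sizeof *out);
    out->protocol    = ip[9];
    out->src_ip      = rd32(ip + 12);
    out->dst_ip      = rd32(ip + 16);
    out->payload_len = total - ihl;
    if (out->protocol != 6) return 1;                                /* not TCP: done */
    const uint8_t *tcp = ip + ihl;
    if (out->payload_len < 20) return 0;                             /* truncated TCP header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                        /* Offset high nibble */
    if (doff < 20 || doff > out->payload_len) return 0;
    out->src_port     = rd16(tcp);
    out->dst_port     = rd16(tcp + 2);
    out->payload_len -= doff;
    return 1;
}
/* Constructed sample (not a real capture): TCP SYN 192.168.1.2:1234 -> 10.0.0.1:80. */
const uint8_t kSampleFrame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0xaf,0x24,             /* IP, csum AF24 */
    0xc0,0xa8,0x01,0x02, 0x0a,0x00,0x00,0x01,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,             /* TCP ports/seq/ack */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };                                /* doff 5, SYN */
```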