Query on Filtering Capabilities in Windows Packet Filter API

  • #13918
    ocante
    Participant

      Dear Support Team

      I am currently testing the “Windows Packet Filter” API to develop a network sniffer application, and I would like to inquire about the filtering options available.

      Specifically, I would like to know if it is possible to set up a filter (e.g., ip=172.31.* and tcp.dstport==80) to process only packets that match this criterion. The goal is to streamline packet capture by focusing exclusively on packets meeting specific IP and port conditions.

      Could you please confirm if such filtering capabilities are supported directly within the API? If so, any additional guidance or code examples on setting this up would be greatly appreciated.

      Thank you for your assistance.

      Best regards,

      Olivier CANTE

      #13919
      Vadim Smirnov
      Keymaster

        Dear Olivier,

        Yes, the Windows Packet Filter (WinpkFilter) API indeed supports advanced filtering capabilities that can be utilized to process packets meeting specific IP and port conditions. This can be achieved using WinpkFilter’s built-in static filters, which provide control over which packets are captured or redirected for user-mode processing based on defined criteria.

        To streamline packet capture for specific conditions (such as ip=172.31.* and tcp.dstport==80), you can use static filters to target only the packets that match your designated IP range and port number. An example demonstrating basic static filter usage can be found here.

        Please feel free to reach out for more examples or further guidance.

        Best regards,
        Vadim

        #13920
        ocante
        Participant

          Vadim

          Is it possible to set a filter to capture only TCP packets in the connection and disconnection phases (SYN, SYN ACK, RST, FIN)?

          Best regards,

          Olivier

          #13923
          Vadim Smirnov
          Keymaster

            Hello Olivier,

            Yes, flags are supported. Please see the definition of the TCP filter below. Note that it’s an exact match, so you may need multiple filters to cover all desired flag combinations for SYN, SYN-ACK, RST, and FIN.

            /**
             * @brief TCPUDP_FILTER structure is used to set the TCP/UDP filter for the network adapter.
             *
             * @param m_ValidFields This field stores the valid fields flags. These flags determine which fields in the structure are valid. The flags
             * can be a combination of the following values: TCPUDP_SRC_PORT, TCPUDP_DEST_PORT, TCPUDP_TCP_FLAGS.
             * @param m_SourcePort This field is a PORT_RANGE structure that stores the source port range for the filter.
             * @param m_DestPort This field is a PORT_RANGE structure that stores the destination port range for the filter.
             * @param m_TCPFlags This field stores the TCP flags for the filter. It is an unsigned char representing the TCP flags combination.
             */
            typedef struct _TCPUDP_FILTER
            {
            #define TCPUDP_SRC_PORT 0x00000001
            #define TCPUDP_DEST_PORT 0x00000002
            #define TCPUDP_TCP_FLAGS 0x00000004
                DWORD m_ValidFields;      // Specifies which of the fields below contain valid values and should be matched against the packet
                PORT_RANGE m_SourcePort;  // Source port
                PORT_RANGE m_DestPort;    // Destination port
                unsigned char m_TCPFlags; // TCP flags combination
                unsigned char Padding[3];
            } TCPUDP_FILTER, * PTCPUDP_FILTER;

            // 4.3 Check TCP flags
            if (pFilter->m_Filter.m_TransportFilter.m_TcpUdp.m_ValidFields & TCPUDP_TCP_FLAGS)
            {
                if (pTcpHdr->th_flags != pFilter->m_Filter.m_TransportFilter.m_TcpUdp.m_TCPFlags)
                {
                    dwFilterIndex++;
                    pFilter = (PSTATIC_FILTER_LIST_ITEM)pFilter->m_qLink.Flink;
                    continue;
                }
            }

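As an added illustration (not WinpkFilter's code and not part of Vadim's reply): a stand-alone C model of the exact-match check quoted above, used to build the filter set the SYN/SYN-ACK/RST/FIN question asks about. The TCPUDP_FILTER layout follows the definition above; PORT_RANGE, TCP_PKT, the TH_* names and the sample port numbers are assumed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* m_ValidFields bits from the quoted definition, and TCP flag bits as laid out in the TCP header. */
enum { TCPUDP_SRC_PORT = 0x00000001, TCPUDP_DEST_PORT = 0x00000002, TCPUDP_TCP_FLAGS = 0x00000004 };
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };

/* Assumed stand-in for WinpkFilter's PORT_RANGE: an inclusive port interval. */
typedef struct { uint16_t m_StartRange, m_EndRange; } PORT_RANGE;
/* Field layout as quoted in the thread (DWORD written as uint32_t so it builds anywhere). */
typedef struct {
    uint32_t m_ValidFields; PORT_RANGE m_SourcePort; PORT_RANGE m_DestPort;
    unsigned char m_TCPFlags; unsigned char Padding[3];
} TCPUDP_FILTER;
/* Constructed minimal view of a parsed TCP segment (ports in host order). */
typedef struct { uint16_t sport, dport; unsigned char th_flags; } TCP_PKT;

static int in_range(uint16_t port, PORT_RANGE r) { return port >= r.m_StartRange && port <= r.m_EndRange; }

/* Mirrors the driver's "4.3 Check TCP flags": only fields enabled in m_ValidFields are
 * tested, and the flag byte is compared with != (exact match, not "these bits are set"). */
static int tcp_filter_matches(const TCPUDP_FILTER *f, const TCP_PKT *p)
{
    if ((f->m_ValidFields & TCPUDP_SRC_PORT) && !in_range(p->sport, f->m_SourcePort)) return 0;
    if ((f->m_ValidFields & TCPUDP_DEST_PORT) && !in_range(p->dport, f->m_DestPort)) return 0;
    if ((f->m_ValidFields & TCPUDP_TCP_FLAGS) && p->th_flags != f->m_TCPFlags) return 0;
    return 1;
}

/* Walks a filter list like the driver loop; returns the index of the first accepting
 * filter, or -1 when no filter passes the packet up to user mode. */
static int first_matching_filter(const TCPUDP_FILTER *list, size_t n, const TCP_PKT *p)
{
    for (size_t i = 0; i < n; i++)
        if (tcp_filter_matches(&list[i], p)) return (int)i;
    return -1;
}

/* Setup/teardown of HTTP connections to port 80, one entry per exact flag byte. The SYN|ACK
 * is matched on *source* port 80 because it travels back to the client, and a FIN-only
 * entry would miss the FIN|ACK segment that normally closes a connection, so both are listed. */
static const TCPUDP_FILTER HTTP_HANDSHAKE[] = {
    { TCPUDP_DEST_PORT | TCPUDP_TCP_FLAGS, {0, 0},   {80, 80}, TH_SYN,          {0} },
    { TCPUDP_SRC_PORT  | TCPUDP_TCP_FLAGS, {80, 80}, {0, 0},   TH_SYN | TH_ACK, {0} },
    { TCPUDP_DEST_PORT | TCPUDP_TCP_FLAGS, {0, 0},   {80, 80}, TH_RST,          {0} },
    { TCPUDP_DEST_PORT | TCPUDP_TCP_FLAGS, {0, 0},   {80, 80}, TH_FIN,          {0} },
    { TCPUDP_DEST_PORT | TCPUDP_TCP_FLAGS, {0, 0},   {80, 80}, TH_FIN | TH_ACK, {0} },
};
#define HTTP_HANDSHAKE_LEN (sizeof HTTP_HANDSHAKE / sizeof HTTP_HANDSHAKE[0])
```

Because the comparison is `!=`, a SYN|ACK segment does not satisfy a SYN-only entry; each combination you want delivered needs its own list item, exactly as Vadim notes.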
            #13930
            ocante
            Participant

              Hi Vadim

              I want to capture the traffic on several network interfaces. Can I do this in N threads running in parallel with a single instance of CNdisApi, each thread calling Read in a loop on N separate instances of ETH_REQUEST?

              Another question: I want to know the timestamp of captured packets. Does the API allow me to do this? If not, can I assume that the timestamp at the time of the Read call is the timestamp of the packet?

              Translated with DeepL.com (free version)

              #13932
              ocante
              Participant

                Vadim,

                It seems that you need to create as many instances of CNdisApi as there are network interfaces. Can you confirm this?

                Regards,

                Olivier

                #13934
                Vadim Smirnov
                Keymaster

                  Olivier,

                  Yes, you can use a single instance of CNdisApi. Please refer to the dual_packet_filter class, which demonstrates how two threads can operate across two network interfaces.

                  Additionally, you can assume the timestamp when the Read call occurs, with some level of precision. For higher accuracy, minor driver modifications would be needed; for example, the reserved bytes in INTERMEDIATE_BUFFER could be used to store more precise timestamps.
