STATIC FILTER using VB
This topic has 7 replies, 2 voices, and was last updated 11 years, 1 month ago by couttsj.
October 17, 2013 at 11:07 pm #5394
I have a working DNS monitoring program using WinpkFilter. It presently analyzes every packet and breaks down and records only outbound DNS traffic. In an attempt to make it more efficient, I tried converting your “C” code example to VB.
Code:
Dim pFilters As STATIC_FILTER_TABLE
pFilters.m_TableSize = 2

' 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
' Common values
pFilters.m_StaticFilters(0).m_Adapter.High = 0 ' applied to all adapters
pFilters.m_StaticFilters(0).m_Adapter.Low = 0 ' applied to all adapters
pFilters.m_StaticFilters(0).m_ValidFields = NETWORK_LAYER_VALID + TRANSPORT_LAYER_VALID
pFilters.m_StaticFilters(0).m_FilterAction = FILTER_PACKET_REDIRECT
pFilters.m_StaticFilters(0).m_dwDirectionFlags = PACKET_FLAG_ON_SEND

' Network layer filter
pFilters.m_StaticFilters(0).m_NetworkFilter.m_dwUnionSelector = IPV4
pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL
pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP

' Transport layer filter
pFilters.m_StaticFilters(0).m_TransportFilter.m_dwUnionSelector = TCPUDP
pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT
pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53 ' DNS
pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53

' 2. Pass all packets (skipped by previous filters) without processing in user mode
' Common values
pFilters.m_StaticFilters(1).m_Adapter.High = 0 ' applied to all adapters
pFilters.m_StaticFilters(1).m_Adapter.Low = 0 ' applied to all adapters
pFilters.m_StaticFilters(1).m_ValidFields = 0
pFilters.m_StaticFilters(1).m_FilterAction = FILTER_PACKET_PASS
pFilters.m_StaticFilters(1).m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE + PACKET_FLAG_ON_SEND

SetPacketFilterTable nHandle, pFilters

It doesn't give me any errors, but it also doesn't filter out any traffic. What am I doing wrong?
J.A. Coutts
October 18, 2013 at 3:54 pm #7144
I forgot that I was operating in promiscuous mode, and I suspect that is the problem.
J.A. Coutts
October 23, 2013 at 4:56 am #7145
Promiscuous mode was causing me some problems, but unfortunately my filtering code is still not filtering anything.
Let me supply a little more info. Our DNS server is being used as an attack vector against a number of Chinese servers. I needed a quick and dirty solution to eliminate repetitive DNS requests, and indeed I have achieved that. But I believe that it would be more efficient if I only had to process incoming DNS queries.
Any help would be appreciated.
J.A. Coutts
October 23, 2013 at 7:06 pm #7146
Hi,
I have nearly no experience in VB, but there is a C sample, filter.cpp, which has a scenario to redirect only DNS packets for processing by the WinpkFilter application.
This sample scenario can easily be modified to intercept only DNS queries destined for the local DNS server this way:
pFilters->m_TableSize = 2;
// 1. Incoming DNS requests filter: REDIRECT IN UDP packets with destination PORT 53
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;
// Transport layer filter
pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT; // match on m_DestPort, which is the range set below
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;
//***************************************************************************************
// 2. Pass all packets (skipped by previous filters) without processing in user mode
// Common values
pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[1].m_ValidFields = 0;
pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;
The filter you showed in your initial post should select only outgoing DNS queries, not incoming ones.
October 24, 2013 at 4:01 am #7147
Thank you for the reply, SerpentFly. I used Outbound DNS for the initial testing, but converted it to Inbound DNS for the final product, both with the same results. It will do for now until I can figure it out.
But I ran into another problem (server crashed) when I attempted to move it to a Server 2000. Server 2000 is not specifically listed as a supported OS, but the driver loaded without a problem and it is of the same vintage as XP/2000. Is it supported?
J.A. Coutts
October 24, 2013 at 10:51 am #7148
Yes, Windows 2000 is supported, although the driver installed for that OS is different from the one used for XP or Vista and later.
If you can collect the crash dump (kernel or full) we could check what has happened. I suspect this could be a sort of software conflict if you have firewalling/AV software installed.
October 28, 2013 at 7:10 pm #7149
Sorry it took so long to reply, but this server is remote and the guy on the other end is not that technical. It turns out that the problem was with an incompatible or corrupt version of IPHLPAPI.DLL. I had to wait for the other guy to be available, because when I tried to do it remotely I would lose connectivity.
Thanks
J.A. Coutts
November 4, 2013 at 10:25 pm #7150
I finally got around to looking at this issue, and I have located the problem with the filter. In VB, the lower array boundary defaults to 0, unless the programmer specifically sets the lower boundary to 1 with the Option Base statement in each and every module. The VB example "modDecl_Ndisapi.bas" defines the Type IP_V4_FILTER as:
Public Type IP_V4_FILTER
m_ValidFields As Long
m_SrcAddress As IP_ADDRESS_V4
m_DestAddress As IP_ADDRESS_V4
m_Protocol As Byte
Padding(3) As Byte
End Type

Because the lower limit is zero, "Padding" is defined as a 4-byte array. It should be defined as:
Public Type IP_V4_FILTER
m_ValidFields As Long
m_SrcAddress As IP_ADDRESS_V4
m_DestAddress As IP_ADDRESS_V4
m_Protocol As Byte
Padding(1 To 3) As Byte
End Type

The same is true of Type ETH_802_3_FILTER:
Public Type ETH_802_3_FILTER
m_ValidFields As Long
m_SrcAddress(1 To ETHER_ADDR_LENGTH) As Byte
m_DestAddress(1 To ETHER_ADDR_LENGTH) As Byte
m_Protocol As Integer
Padding As Integer
End Type

The end result was that each filter was 3 bytes too long (119 instead of 116).
J.A. Coutts
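As an added example (not code from this thread, from WinpkFilter, or from the modDecl_Ndisapi.bas module), the C program below reproduces the two Type definitions quoted in the last post on the C side, so that sizeof() gives the byte count a C consumer expects, and places beside them the layouts the original VB declarations produced with Option Base 0 (four padding bytes, seven-byte MAC arrays). It also models the failure mode the thread ran into: a filter table written with one per-entry stride and read with another produces no error, only wrong field values from the second entry on. IP_ADDRESS_V4 is modelled here as a 4-byte selector followed by two 32-bit words, which is an assumption of this example (the thread does not show that type); the record used by read_action_with_stride, a 32-bit action tag at offset 0, is a simplified model and not the real STATIC_FILTER layout; the 116- and 119-byte strides are the figures the post above reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LENGTH 6

/* ASSUMPTION for this example: IP_ADDRESS_V4 is a 4-byte address type
 * selector followed by an 8-byte address (two 32-bit words). The thread does
 * not show this type; only its total size matters here. */
typedef struct {
    uint32_t m_AddressType;
    uint32_t m_Word0;
    uint32_t m_Word1;
} IP_ADDRESS_V4;

/* Layouts as the C declarations read: Padding[3] is three bytes and each MAC
 * array is ETHER_ADDR_LENGTH (six) bytes. */
typedef struct {
    uint32_t      m_ValidFields;
    IP_ADDRESS_V4 m_SrcAddress;
    IP_ADDRESS_V4 m_DestAddress;
    uint8_t       m_Protocol;
    uint8_t       Padding[3];
} IP_V4_FILTER;

typedef struct {
    uint32_t m_ValidFields;
    uint8_t  m_SrcAddress[ETHER_ADDR_LENGTH];
    uint8_t  m_DestAddress[ETHER_ADDR_LENGTH];
    uint16_t m_Protocol;
    uint16_t Padding;
} ETH_802_3_FILTER;

/* Layouts the original VB Type declarations produced with Option Base 0:
 * Padding(3) is elements 0..3 (four bytes) and m_SrcAddress(ETHER_ADDR_LENGTH)
 * is elements 0..6 (seven bytes). Packed so sizeof() reports the raw byte
 * count without compiler alignment getting in the way. */
#pragma pack(push, 1)
typedef struct {
    uint32_t      m_ValidFields;
    IP_ADDRESS_V4 m_SrcAddress;
    IP_ADDRESS_V4 m_DestAddress;
    uint8_t       m_Protocol;
    uint8_t       Padding[4];
} IP_V4_FILTER_VB;

typedef struct {
    uint32_t m_ValidFields;
    uint8_t  m_SrcAddress[ETHER_ADDR_LENGTH + 1];
    uint8_t  m_DestAddress[ETHER_ADDR_LENGTH + 1];
    uint16_t m_Protocol;
    uint16_t Padding;
} ETH_802_3_FILTER_VB;
#pragma pack(pop)

/* Number of elements a VB array declaration yields. "Dim a(upper)" has lower
 * bound 0 unless Option Base 1 is in effect; "Dim a(1 To upper)" has 1. */
size_t vb_array_elements(long lower, long upper)
{
    return upper < lower ? 0 : (size_t)(upper - lower + 1);
}

/* Extra bytes contributed by the two mis-sized types together: 1 from the
 * padding array and 2 from the two MAC arrays, the 3 bytes the post reports. */
size_t excess_bytes_per_filter(void)
{
    return (sizeof(IP_V4_FILTER_VB) - sizeof(IP_V4_FILTER))
         + (sizeof(ETH_802_3_FILTER_VB) - sizeof(ETH_802_3_FILTER));
}

/* Simplified model of the failure mode (not the real STATIC_FILTER layout):
 * the caller writes `count` entries, each caller_stride bytes long with a
 * 32-bit action tag at offset 0, and the consumer walks the same buffer with
 * driver_stride. Returns the tag the consumer reads for entry `index`, or
 * UINT32_MAX on a bad argument. Entry 0 is always read correctly; when the
 * strides differ, every later entry is read from the wrong offset and no error
 * is reported to the caller. */
uint32_t read_action_with_stride(const uint32_t *actions, size_t count,
                                 size_t caller_stride, size_t driver_stride,
                                 size_t index)
{
    uint8_t table[1024];
    if (count == 0 || index >= count ||
        caller_stride < sizeof(uint32_t) || driver_stride < sizeof(uint32_t) ||
        count * caller_stride > sizeof table ||
        index * driver_stride + sizeof(uint32_t) > sizeof table)
        return UINT32_MAX;
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < count; i++)
        memcpy(table + i * caller_stride, &actions[i], sizeof actions[i]);
    uint32_t seen;
    memcpy(&seen, table + index * driver_stride, sizeof seen);
    return seen;
}

int main(void)
{
    /* Constructed tags for a two-entry table: 3 for entry 0, 1 for entry 1. */
    const uint32_t actions[2] = { 3u, 1u };
    printf("IP_V4_FILTER: C %zu bytes, VB %zu bytes\n",
           sizeof(IP_V4_FILTER), sizeof(IP_V4_FILTER_VB));
    printf("ETH_802_3_FILTER: C %zu bytes, VB %zu bytes\n",
           sizeof(ETH_802_3_FILTER), sizeof(ETH_802_3_FILTER_VB));
    printf("excess per filter: %zu bytes\n", excess_bytes_per_filter());
    printf("entry 1 tag, strides 116/116: %u\n",
           read_action_with_stride(actions, 2, 116, 116, 1));
    printf("entry 1 tag, written at 119 and read at 116: %u\n",
           read_action_with_stride(actions, 2, 119, 116, 1));
    return 0;
}
```

The practical check this suggests for any VB (or other non-C) binding of a kernel driver's ioctl structures: compute the byte size of every Type on the VB side and compare it against sizeof() of the C declaration before the first SetPacketFilterTable call, because the driver cannot tell a mis-sized table from a valid one and will simply match on whatever bytes land at the offsets it expects.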