Home › Forums › Discussions › General › TCP/IP Hook – Traffic observing for all IP’s
- This topic has 12 replies, 3 voices, and was last updated 17 years, 2 months ago by Vadim Smirnov.
-
AuthorPosts
-
August 2, 2007 at 8:37 pm #5120
Hello,
nice to find that forum π
My Question:
I want observing my tcp/ip input and output on a specific port. If a ip fetched more than 2 mb a day, i want to deny that connection.Can anyone help me(tell me how:)) to handle that kind of feature?
Maybe there are sample-codes? π
August 4, 2007 at 10:46 am #6387No help? Maybe anyone can give me some links to that topic? π
August 4, 2007 at 11:24 am #6388Well, basically you can use WinpkFilter for parsing packets and blocking once quota exceeded.
Alternatively you can create you own own driver for this. Here depending of the exact requirement you have several options like LSP, TDI filter, NDIS IM, NDIS hooking, WFP…
August 4, 2007 at 4:57 pm #6389Big thanks for your statement. Do you have some some codes (or links) to one or some of it?
August 4, 2007 at 5:23 pm #6390Okay, i’ve found some docus for winpkFilter:
http://www.ntoskrnl.com/wpfk-help/_openfilterdriver.htmCan someone say me which headers are necessary? (where can i download these?)
August 5, 2007 at 9:27 am #6391Can someone say me which headers are necessary? (where can i download these?)
August 5, 2007 at 7:22 pm #6392Wow big thanks. π
August 5, 2007 at 7:48 pm #6393I tried to compile the MVC++ Sample Source-Code:
But i still geht current error:
1>Compiling...
1>PacketSniffer.cpp
1>StdAfx.cpp
1>Generating Code...
1>Compiling manifest to resources...
1>Linking...
1>PacketSniffer.obj : error LNK2019: unresolved external symbol "__declspec(dllimport) public: __thiscall CNdisApi::CNdisApi(wchar_t const *)" (__imp_??0CNdisApi@@QAE@PB_W@Z) referenced in function "void __cdecl `dynamic initializer for 'api''(void)" (??__Eapi@@YAXXZ)
I’ve added the ndisapi.lib and the DLL is in the right directory π
PS: I solved that problem – you have to change the “Character Set” in the project settings. π
August 5, 2007 at 8:21 pm #6394Now i’ve tested the software…. and i have to say its a very good software, good job π
How can i filter packages from port 123 and how can i block it (that these packages do not archive its destination program?)
August 6, 2007 at 8:52 am #6395The code below tracks incoming HTTP packets (port 80) and blocks if finds a particular string pattern in the packet. This is a simple sample for porno filter or URL blocking, you should be able easily adopt it for you needs:
/*************************************************************************/
/* Copyright (c) 2000-2007 NT Kernel Resources. */
/* All Rights Reserved. */
/* http://www.ntkernel.com */
/* ndisrd@ntkernel.com */
/* */
/* Module Name: wwwcensor.cpp */
/* */
/* Abstract: Defines the entry point for the console application */
/* */
/*************************************************************************/
#include "stdafx.h"
USHORT ntohs( USHORT netshort )
{
PUCHAR pBuffer;
USHORT nResult;
nResult = 0;
pBuffer = (PUCHAR )&netshort;
nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
| ( pBuffer[ 1 ] & 0x00FF );
return( nResult );
}
#define htons ntohs
int main(int argc, char* argv[])
{
TCP_AdapterList AdList;
CNdisApi api;
ETH_REQUEST Request;
INTERMEDIATE_BUFFER PacketBuffer;
ether_header_ptr pEthHeader = NULL;
iphdr_ptr pIpHeader = NULL;
tcphdr_ptr pTcpHeader = NULL;
HANDLE hEvent[256];
DWORD dwAdIndex = 0;
char szTempString[1500];
char szPattern[256];
BOOL bDrop = FALSE;
if (argc < 2)
{
printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
return 0;
}
if(!api.IsDriverLoaded())
{
printf ("Driver not installed on this system of failed to load.n");
return 0;
}
if ( strlen(argv[1]) > 255 )
{
printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
return 0;
}
//
// Get pattern in upper case
//
ZeroMemory ( szPattern, 256 );
strcpy ( szPattern, argv[1] );
for ( unsigned i = 0; i < strlen (szPattern); ++i )
{
if (isalpha(((UCHAR)szPattern)))
szPattern = (char)toupper((UCHAR)szPattern);
}
//
// Get system installed network interfaces
//
api.GetTcpipBoundAdaptersInfo ( &AdList );
//
// Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
//
ADAPTER_MODE Mode;
Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;
//
// Create notification events and initialize the driver to pass packets thru us
//
for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
{
hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hEvent[dwAdIndex])
{
printf("Failed to create notification event for network interface n");
return 0;
}
Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
//
api.SetAdapterMode(&Mode);
//
// Set packet notification event for the network interface
//
api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
}
// Initialize common part of ETH_REQUEST
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;
//
// Go into the endless loop (this is just a sample application)
//
while (TRUE)
{
//
// Wait before any of the interfaces is ready to indicate the packet
//
dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;
//
// Reset signalled event
//
ResetEvent(hEvent[dwAdIndex]);
//
// Complete initialization of ETH_REQUEST
//
Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Read packet from the interface until there are any
//
while(api.ReadPacket(&Request))
{
//
// Get Ethernet header
//
pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;
//
// Check if Ethernet frame contains IP packet
//
if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
{
//
// Get IP header
//
pIpHeader = (iphdr_ptr)(pEthHeader + 1);
//
// Check if IP packet contains TCP packet
//
if (pIpHeader->ip_p == IPPROTO_TCP)
{
//
// Get TCP header pointer
//
pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
//
// Get data size in the packet and pointer to the data
//
DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
// If packet contains any data - process it
if (dwDataLength)
{
//
// Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
//
memcpy (szTempString, pData, dwDataLength);
for (unsigned t = 0; t < dwDataLength; ++t)
{
if (szTempString[t] == 0)
szTempString[t] = 0x20;
if (isalpha((UCHAR)szTempString[t]))
szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
}
szTempString[dwDataLength] = 0;
//
// Check if this packet payload contains user supplied pattern in ASCII code
//
if (strstr ( szTempString, szPattern ))
bDrop = TRUE;
}
}
}
}
if(bDrop)
{
printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
bDrop = FALSE;
}
else
if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
{
// Place packet on the network interface
api.SendPacketToAdapter(&Request);
}
else
{
// Indicate packet to MSTCP
api.SendPacketToMstcp(&Request);
}
}
}
return 0;
}
August 6, 2007 at 10:04 am #6396Wow – Big thanks for help!!!! π
September 9, 2007 at 11:11 pm #6397Trying to create reverse decision based on this example:
permit only several URL’s. But without success.
Some packets are still blocked even for permitted pattern.
Can you help to understand needed approach?
September 10, 2007 at 5:30 pm #6398The sample above is good for blocking undesired content (not only URL’s). So I don’t think it is applicable for the reversed solution.
Basically you have several possibilities:
1) Allow only those IP’s which host permitted URL’s. If outgoing HTTP packet (with destination port 80) is destined to the IP address not in the list then just drop it.
2) Parse outgoing DNS packets and allow only those queries which are allowed in your URL list.
3) Parse HTTP GET request for each outgoing HTTP packet and match URL against your URL list. -
AuthorPosts
- You must be logged in to reply to this topic.