TCP/IP Hook – Traffic observing for all IP’s

Home Forums Discussions General TCP/IP Hook – Traffic observing for all IP’s

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #5120
    kf
    Participant

      Hello,

      nice to find that forum πŸ™‚

      My Question:
      I want observing my tcp/ip input and output on a specific port. If a ip fetched more than 2 mb a day, i want to deny that connection.

      Can anyone help me(tell me how:)) to handle that kind of feature?

      Maybe there are sample-codes? πŸ™„

      #6387
      kf
      Participant

        No help? Maybe anyone can give me some links to that topic? πŸ™„

        #6388
        Vadim Smirnov
        Keymaster

          Well, basically you can use WinpkFilter for parsing packets and blocking once quota exceeded.

          Alternatively you can create you own own driver for this. Here depending of the exact requirement you have several options like LSP, TDI filter, NDIS IM, NDIS hooking, WFP…

          #6389
          kf
          Participant

            Big thanks for your statement. Do you have some some codes (or links) to one or some of it?

            #6390
            kf
            Participant

              Okay, i’ve found some docus for winpkFilter:
              http://www.ntoskrnl.com/wpfk-help/_openfilterdriver.htm

              Can someone say me which headers are necessary? (where can i download these?)

              #6391
              Vadim Smirnov
              Keymaster

                Can someone say me which headers are necessary? (where can i download these?)

                http://www.ntkernel.com/w&p.php?id=7

                #6392
                kf
                Participant

                  Wow big thanks. πŸ˜€

                  #6393
                  kf
                  Participant

                    I tried to compile the MVC++ Sample Source-Code:

                    But i still geht current error:


                    1>Compiling...
                    1>PacketSniffer.cpp
                    1>StdAfx.cpp
                    1>Generating Code...
                    1>Compiling manifest to resources...
                    1>Linking...
                    1>PacketSniffer.obj : error LNK2019: unresolved external symbol "__declspec(dllimport) public: __thiscall CNdisApi::CNdisApi(wchar_t const *)" (__imp_??0CNdisApi@@QAE@PB_W@Z) referenced in function "void __cdecl `dynamic initializer for 'api''(void)" (??__Eapi@@YAXXZ)

                    I’ve added the ndisapi.lib and the DLL is in the right directory πŸ™„

                    PS: I solved that problem – you have to change the “Character Set” in the project settings. πŸ™‚

                    #6394
                    kf
                    Participant

                      Now i’ve tested the software…. and i have to say its a very good software, good job πŸ™‚

                      How can i filter packages from port 123 and how can i block it (that these packages do not archive its destination program?)

                      #6395
                      Vadim Smirnov
                      Keymaster

                        The code below tracks incoming HTTP packets (port 80) and blocks if finds a particular string pattern in the packet. This is a simple sample for porno filter or URL blocking, you should be able easily adopt it for you needs:


                        /*************************************************************************/
                        /* Copyright (c) 2000-2007 NT Kernel Resources. */
                        /* All Rights Reserved. */
                        /* http://www.ntkernel.com */
                        /* ndisrd@ntkernel.com */
                        /* */
                        /* Module Name: wwwcensor.cpp */
                        /* */
                        /* Abstract: Defines the entry point for the console application */
                        /* */
                        /*************************************************************************/

                        #include "stdafx.h"

                        USHORT ntohs( USHORT netshort )
                        {
                        PUCHAR pBuffer;
                        USHORT nResult;

                        nResult = 0;
                        pBuffer = (PUCHAR )&netshort;

                        nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
                        | ( pBuffer[ 1 ] & 0x00FF );

                        return( nResult );
                        }

                        #define htons ntohs

                        int main(int argc, char* argv[])
                        {
                        TCP_AdapterList AdList;
                        CNdisApi api;
                        ETH_REQUEST Request;
                        INTERMEDIATE_BUFFER PacketBuffer;
                        ether_header_ptr pEthHeader = NULL;
                        iphdr_ptr pIpHeader = NULL;
                        tcphdr_ptr pTcpHeader = NULL;
                        HANDLE hEvent[256];
                        DWORD dwAdIndex = 0;
                        char szTempString[1500];
                        char szPattern[256];
                        BOOL bDrop = FALSE;


                        if (argc < 2)
                        {
                        printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
                        return 0;
                        }

                        if(!api.IsDriverLoaded())
                        {
                        printf ("Driver not installed on this system of failed to load.n");
                        return 0;
                        }

                        if ( strlen(argv[1]) > 255 )
                        {
                        printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
                        return 0;
                        }

                        //
                        // Get pattern in upper case
                        //
                        ZeroMemory ( szPattern, 256 );
                        strcpy ( szPattern, argv[1] );
                        for ( unsigned i = 0; i < strlen (szPattern); ++i )
                        {
                        if (isalpha(((UCHAR)szPattern)))
                        szPattern
                        = (char)toupper((UCHAR)szPattern);
                        }

                        //
                        // Get system installed network interfaces
                        //
                        api.GetTcpipBoundAdaptersInfo ( &AdList );

                        //
                        // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
                        //
                        ADAPTER_MODE Mode;
                        Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                        //
                        // Create notification events and initialize the driver to pass packets thru us
                        //
                        for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
                        {
                        hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

                        if (!hEvent[dwAdIndex])
                        {
                        printf("Failed to create notification event for network interface n");
                        return 0;
                        }

                        Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                        //
                        // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
                        //
                        api.SetAdapterMode(&Mode);

                        //
                        // Set packet notification event for the network interface
                        //
                        api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
                        }


                        // Initialize common part of ETH_REQUEST
                        ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                        ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                        Request.EthPacket.Buffer = &PacketBuffer;

                        //
                        // Go into the endless loop (this is just a sample application)
                        //
                        while (TRUE)
                        {
                        //
                        // Wait before any of the interfaces is ready to indicate the packet
                        //
                        dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

                        //
                        // Reset signalled event
                        //
                        ResetEvent(hEvent[dwAdIndex]);

                        //
                        // Complete initialization of ETH_REQUEST
                        //

                        Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                        //
                        // Read packet from the interface until there are any
                        //
                        while(api.ReadPacket(&Request))
                        {
                        //
                        // Get Ethernet header
                        //
                        pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

                        //
                        // Check if Ethernet frame contains IP packet
                        //
                        if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
                        {
                        //
                        // Get IP header
                        //
                        pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                        //
                        // Check if IP packet contains TCP packet
                        //
                        if (pIpHeader->ip_p == IPPROTO_TCP)
                        {
                        //
                        // Get TCP header pointer
                        //
                        pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                        //
                        // Check if this HTTP packet (destined to remote system port 80, or received from it)
                        //

                        if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                        ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                        {
                        //
                        // Get data size in the packet and pointer to the data
                        //

                        DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
                        PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

                        // If packet contains any data - process it
                        if (dwDataLength)
                        {
                        //
                        // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
                        //
                        memcpy (szTempString, pData, dwDataLength);
                        for (unsigned t = 0; t < dwDataLength; ++t)
                        {
                        if (szTempString[t] == 0)
                        szTempString[t] = 0x20;

                        if (isalpha((UCHAR)szTempString[t]))
                        szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                        }
                        szTempString[dwDataLength] = 0;

                        //
                        // Check if this packet payload contains user supplied pattern in ASCII code
                        //

                        if (strstr ( szTempString, szPattern ))
                        bDrop = TRUE;
                        }
                        }

                        }
                        }

                        if(bDrop)
                        {
                        printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
                        pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                        pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                        bDrop = FALSE;
                        }
                        else
                        if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                        {
                        // Place packet on the network interface
                        api.SendPacketToAdapter(&Request);
                        }
                        else
                        {
                        // Indicate packet to MSTCP
                        api.SendPacketToMstcp(&Request);
                        }
                        }

                        }

                        return 0;
                        }

                        #6396
                        kf
                        Participant

                          Wow – Big thanks for help!!!! πŸ˜›

                          #6397
                          shaman
                          Participant

                            Trying to create reverse decision based on this example:

                            permit only several URL’s. But without success.

                            Some packets are still blocked even for permitted pattern.

                            Can you help to understand needed approach?

                            #6398
                            Vadim Smirnov
                            Keymaster

                              The sample above is good for blocking undesired content (not only URL’s). So I don’t think it is applicable for the reversed solution.

                              Basically you have several possibilities:

                              1) Allow only those IP’s which host permitted URL’s. If outgoing HTTP packet (with destination port 80) is destined to the IP address not in the list then just drop it.
                              2) Parse outgoing DNS packets and allow only those queries which are allowed in your URL list.
                              3) Parse HTTP GET request for each outgoing HTTP packet and match URL against your URL list.

                            Viewing 13 posts - 1 through 13 (of 13 total)
                            • You must be logged in to reply to this topic.